Automatic equivalence checking of programs with uninterpreted functions and integer arithmetic

Abstract

Proving equivalence of programs has several important applications, including algorithm recognition, regression checking, compiler optimization verification and validation, and information flow checking. Despite being a topic with so many important applications, program equivalence checking has seen little advances over the past decades due to its inherent (high) complexity. In this paper, we propose, to the best of our knowledge, the first semi-algorithm for the automatic verification of partial equivalence of two programs over the combined theory of uninterpreted function symbols and integer arithmetic (UF+IA). The proposed algorithm supports, in particular, programs with nested loops. The crux of the technique is a transformation of uninterpreted functions (UFs) applications into integer polynomials, which enables the precise summarization of loops with UF applications using recurrences. The equivalence checking algorithm then proceeds on loop-free, integer only programs. We implemented the proposed technique in CORK, a tool that automatically verifies the correctness of compiler optimizations, and we show that it can prove more optimizations correct than state-of-the-art techniques.

Appendices

Appendix A: Proof of soundness and completeness

Let \({\mathsf {S}}^{P}(\sigma _{})\) be a copy of state \(\sigma _{}\) where the interpretation of every uninterpreted function (UF) symbol is replaced with values for variables \(f_i\) used in Sect. 4.2.2. Moreover, the values for variables \(f_i\) and the initial variables values \(v_0\) are chosen such that for every boolean expression \(b\) appearing in program \(P_{}\), it is guaranteed that \(\sigma _{}(b) = {\mathsf {S}}^{P}(\sigma _{})({\mathsf {T}}(b))\). The justification of the existence of such an assignment is given in Theorem 1.

In this section, we use the term free variable to denote logic or program variables (depending on the context) that are not constrained and, therefore, can take any value. In particular, a free program variable is never assigned to and cannot be constrained in any program path.

Let \({\mathbb {Q}}\), \({\mathbb {R}}\), and \({\mathbb {C}}\) be, respectively, the set of rational, real, and complex numbers.

Lemma 1

(Solution for nested \(f(x)\)). For a function \(f(x)=a_n\,x^n+\cdots +a_1\,x+a_0\), an arbitrary number of nested applications of \(f\) to \(x\) can take any value in the codomain (\({\mathbb {R}}\) or \({\mathbb {C}}\)) if \(x\) and \(a_n\) are free, i.e., \(f(f(\cdots f(x)\cdots ))=b\) always has a solution for fixed \(a_{n-1},\ldots ,a_0,b\) and free \(a_n\) and \(x\).

Proof

The maximum degree of the polynomial given by \(p=f(f(\cdots f(x)\cdots ))-b\) in \(x\) is \(n^k\), where \(k > 0\) is the number of applications of \(f\). If \(n\) (the degree of \(x\) in \(f(x)\)) is odd, then \(n^k\) will be odd as well. Therefore, if \(n\) is odd, it follows from the intermediate value theorem [67] that there always exists a value for \(x\) for arbitrary \(a_n,\ldots ,a_0,b\) such that \(p=0\).

The maximum degree of \(a_n\) in \(p\) is given by the following recurrence: \(d(k)=n\,d(k-1)+1\) and \(d(0)=0\). The closed-form solution for this recurrence is \(d(k)=\frac{n^k-1}{n-1}\). Now assume that \(n\) is even, since we already proved the lemma for \(n\) odd. We can then conclude that \(d(k)\) is odd for any nonnegative \(k\) and, therefore, there exists \(a_n\) for arbitrary \(a_{n-1},\ldots ,a_0,b,x\) such that \(p=0\). \(\square \)

Lemma 2

(Solution for conjunction of nested \(f(x)\)). For a function \(f(x)=a_n\,x^n+\cdots +a_1\,x+a_0\), a conjunction of nested applications of \(f\) of the form \(f(f(\cdots f(x_1)\cdots ))=b_1 \mathrel {\wedge }\cdots \mathrel {\wedge }f(f(\cdots f(x_q)\cdots ))=b_q\) is satisfiable if any of the following statements holds:

1. 1.

   Coefficients \(a_i\) range over \({\mathbb {C}}\) and at least \(q \le n+1\) of those are free.

2. 2.

   Variables \(x_i\) range over \({\mathbb {C}}\) and are free.

3. 3.

   \(n\) is odd and variables \(x_i\) range over \({\mathbb {R}}\) and are free.

4. 4.

   \(q=1\) and \(a_n\) and \(x_1\) range over \({\mathbb {R}}\) and are free.

Proof

For condition 1, we note that there is at least one free coefficient \(a_i\) for each polynomial in the conjunction. Then it follows from the fundamental theorem of algebra [67] that it is always possible to find values for the free \(a_i\) that satisfy the equalities. Similar reasoning apply for condition 2, where each equality can be solved in order of its respective \(x_i\).

Conditions 3 and 4 follow directly from Lemma 1. \(\square \)

We now state under which conditions the transformation \({\mathsf {T}}\) as given in Sect. 4.2.2 is sound and complete, which we will use later to prove Theorems 1 and 2.

Definition 1

\({\mathsf {T}}\) is sound and complete if one of the following statements holds:

1. 1.

   There are no nested applications of UFs in loops and program variables range over \({\mathbb {Q}}\), \({\mathbb {R}}\), or \({\mathbb {C}}\).

2. 2.

   Variables \(f_i\) range over \({\mathbb {C}}\).

3. 3.

   There is only one nested UF application produced by a loop, say \(f(f(\cdots f(x)\cdots ))\), with \(x\) being free, and variables \(f_i\) and \(x\) ranging over \({\mathbb {R}}\).

4. 4.

   \({\mathsf {u}}(f)\) is odd for all \(f\) appearing in nested applications in loops, and the input to these applications are variables that are free and range over \({\mathbb {R}}\).

We note that \({\mathsf {u}}(f)\) can always be arbitrarily increased (to, e.g., become odd) if need be. Also, to guarantee soundness, program variables and polynomial coefficients can be changed to take values in larger domains (say, convert from \({\mathbb {Z}}\) to \({\mathbb {R}}\)), by giving up on completeness. With such a change, the algorithm remains sound, i.e., if it proves that two programs are equivalent then they are. However, losing completeness means that the algorithm may fail to prove equivalence of two equivalent programs because a larger variable domain may increase the set of possible behaviors/outcomes of a program, which can lead to the loss of equivalence.

Definition 2

We define statically implied equalities of UF symbols as the set of all equalities involving applications of UFs that are implied by any static path in a given program (e.g., \(f(x) = 3\)). Nested applications of UFs arising from loops are not unfolded. For example, for a program “\(\mathbf{while }\ \ldots \ \mathbf{do }\ x :=f(x)\)” and a path that traverses the loop three times, we only consider the equality \(x=f(f(f(x_0)))\).

Theorem 1

(Existence of \({\mathsf {S}}^{P}(\sigma _{0})\)). For every program \(P_{}\) respecting Definition 1, \(\sigma _{0}\) is a possible initial state of \(P_{}\) iff \({\mathsf {S}}^{P}(\sigma _{0})\) also is.

Proof

If \(P\) does not contain any application of UF symbols, then the statement is trivially correct, since \(P = {\mathsf {T}}(P_{})\) and therefore \(\sigma _{0}={\mathsf {S}}^{P}(\sigma _{0})\).

Otherwise, we consider the set of statically implied equalities of UF symbols. Let \(c\) be the conjunction of the elements of said set that refer only to non-nested UF applications, and \(r\) the conjunction of the remaining elements (arbitrarily nested applications from loops). Moreover, we trivially have that \(\sigma _{0}(b) = \sigma _{0}(c \mathrel {\wedge }r)\).

We now assume that all UFs have only one input parameter and that there is only one UF symbol \(f\). Therefore, \({\mathsf {T}}(c)\) can be seen as a linear system \(Ax = b\), where \(A\) is a square matrix of size \(n \times n\) with the powers \(0\) to \((n-1)\) of the input parameters of the UF applications, and \(x\) is a vector with fresh variables \(f_i\). Moreover, \(A\) is a Vandermonde matrix [67].

For example, for \(c = f(x_1) = b_1 \mathrel {\wedge }\cdots \mathrel {\wedge }f(x_n) = b_n\), \({\mathsf {T}}(c)\) results in the following linear system:

$$\begin{aligned} \begin{bmatrix} 1&\quad x_1^1&\quad \cdots&\quad x_1^{n-1}\\ 1&\quad \vdots&\quad \ddots&\quad \vdots \\ 1&\quad x_n^1&\quad \cdots&\quad x_n^{n-1} \end{bmatrix} \begin{bmatrix} f_1\\ \vdots \\ f_n \end{bmatrix} = \begin{bmatrix} b_1\\ \vdots \\ b_n \end{bmatrix} \end{aligned}$$

If \(x_i \ne x_j\) for all \(i \ne j\), then \(c\) is satisfiable. Moreover, the lines and the columns of the coefficient matrix \(A\) are linearly independent, which guarantees that the system has a solution (by the unisolvence theorem [67]). Therefore, \({\mathsf {T}}(c)\) is also satisfiable.

If there are \(i,j\) with \(i \ne j\) such that \(x_i = x_j\), and \(c\) is satisfiable, then \(b_i=b_j\). In this case, the corresponding system of \({\mathsf {T}}(c)\) has infinitely many solutions, and therefore \({\mathsf {T}}(c)\) is satisfiable as well.

Finally, if \(c\) is unsatisfiable, then there are \(i,j\) with \(i \ne j\) such that \(x_i = x_j\) and \(b_i \ne b_j\). The linear system of \({\mathsf {T}}(c)\) has no solution, and therefore \({\mathsf {T}}(c)\) is unsatisfiable as well.

If \(c\) is unsatisfiable, then there is no interpretation for the UF symbols that makes \(c\) be \(\mathsf {true}\), and therefore we have \(\sigma _{0}(c)={\mathsf {S}}^{P}(\sigma _{0})({\mathsf {T}}(c))=\mathsf {false}\). If \(c\) is satisfiable, then \(\sigma _{}(c)\) may or may not be \(\mathsf {true}\) depending on the interpretation of the UFs in \(\sigma _{0}\), but we are always guaranteed to be able to find coefficients for \({\mathsf {S}}^{P}(\sigma _{0})\) either way such that \(\sigma _{0}(c)={\mathsf {S}}^{P}(\sigma _{0})({\mathsf {T}}(c))\).

If \(c\) contains UFs symbols with more than one parameter, then the resulting polynomials in \({\mathsf {T}}(c)\) are more complex. Similar reasoning can be done by using generalized versions of the unisolvence theorem for multivariate polynomial interpolation (cf. [25, 56]).

If \(c\) contains multiple UF symbols, the evaluation of \(c\) can be split in multiple linear systems, one per symbol.

If \(r\) is empty, then the proof is completed.

Otherwise, let \(\#c\) and \(\#r\) be, respectively, the number of equalities in \(c\) and \(r\). By definition of \({\mathsf {u}}\), we have for any \(f\) that \(\#c+\#r \le {\mathsf {u}}(f)\). Moreover, only the first \(f_1,\ldots ,f_{\#c}\) coefficients are defined by \(c\), and the remaining \(f_{\#c+1},\ldots ,f_{{\mathsf {u}}(f)}\) remain free. Therefore, the proof follows immediately from Lemma 2.

For UFs with more than one input parameter, Lemma 2 also applies by observing that the degree of the polynomial obtained by nested applications is dominated by the nested input variable and the coefficient of that parameter. \(\square \)

From Theorem 1, it follows that if \({\mathsf {u}}(f)\) is odd, then \({\mathsf {u}}(f)\) does not need to count with applications with free variables as input. This fact can be used as an optimization to reduce the degree of polynomials to the smallest odd number that is greater than or equal to the number of applications with non-free inputs.

Theorem 2

(Soundness and completeness of \({\mathsf {T}}\)). Transformation \({\mathsf {T}}\) preserves safety of programs, i.e., for any state \(\sigma _{0}\) and program \(P_{}\) respecting Definition 1, the following holds:

$$\begin{aligned} \langle P_{},\ \sigma _{0} \rangle \rightarrow ^* \sigma _{} \iff \langle {\mathsf {T}}(P_{}),\ {\mathsf {S}}^{P}(\sigma _{0}) \rangle \rightarrow ^* \sigma _{}^{\prime } \end{aligned}$$

Proof

The proof goes by structural induction on the syntax of \(P_{}\).

The base cases are: \(P_{}=\mathbf{skip } \), \(P_{}= v :=e\), and \(P_{}=\mathbf{abort } \), which are all trivially correct.

For the induction step, we need to consider three cases. As the induction hypothesis, assume that the theorem holds for commands \(c_1\) and \(c_2\).

For \(P_{} = \mathbf{if }\ b\ \mathbf{do }\ c_1\ \mathbf{else }\ c_2\), we have \({\mathsf {T}}(P_{}) = \mathbf{if }\ {\mathsf {T}}(b)\ \mathbf{do }\ {\mathsf {T}}(c_1)\ \mathbf{else }\ {\mathsf {T}}(c_2)\). By definition of \({\mathsf {S}}^{P}(.)\), we know that \(\sigma _{}(b)={\mathsf {S}}^{P}(\sigma _{})({\mathsf {T}}(b))\) and therefore \(P_{}\) reduces to \(c_1\) (resp. \(c_2\)) iff \({\mathsf {T}}(P_{})\) reduces to \({\mathsf {T}}(c_1)\) (resp. \({\mathsf {T}}(c_2)\)).

For \(P_{}= \mathbf{while }\ b\ \mathbf{do }\ c_1\), we note that since \(b\) cannot include nor depend on UF applications (per restriction 4 in Sect. 4.1), then \({\mathsf {T}}(b)=b\), and therefore \({\mathsf {T}}(P_{})= \mathbf{while }\ b\ \mathbf{do }\ {\mathsf {T}}(c_1)\). Moreover, we have that \(\sigma _{1}(b)=\sigma _{1}'(b)\) for every states \(\sigma _{1}\) and \(\sigma _{1}'\) resulting from the reduction of \(c_1\) and \({\mathsf {T}}(c_1)\), respectively, since \(b\) cannot depend on the result of any UF symbol. Therefore we are left to prove that \(\langle c_1\ ;\ \ldots \ ;\ c_1,\ \sigma _{0} \rangle \rightarrow ^* \sigma _{}\) iff \(\langle {\mathsf {T}}(c_1)\ ;\ \ldots \ ;\ {\mathsf {T}}(c_1),\ {\mathsf {S}}^{P}(\sigma _{0}) \rangle \rightarrow ^* \sigma _{}'\), which is covered in the following case.

For \(P_{} = c_1\ ;\ c_2\), assume that \(\langle c_1,\ \sigma _{0} \rangle \rightarrow ^* \sigma _{1}\) and \(\langle {\mathsf {T}}(c_1),\ {\mathsf {S}}^{P}(\sigma _{0}) \rangle \rightarrow ^* \sigma _{1}'\). If \({\mathsf {S}}^{P}(\sigma _{1})=\sigma _{1}'\), then the theorem is trivially correct. Otherwise, and without loss of generality, consider that \({\mathsf {S}}^{P}(\sigma _{1})\) and \(\sigma _{1}'\) differ only in the value of variable \(v\) because \(c_1\) contained an assignment of the form \(v :=f(x)\). Let \(c_2'\) be a copy of \(c_2\) where references to \(v\) were replaced with \(f(x)\). Therefore, our proof goal of \(\langle c_2,\ \sigma _{1} \rangle \rightarrow ^* \sigma _{2} \iff \langle {\mathsf {T}}(c_2),\ \sigma _{1}' \rangle \rightarrow ^* \sigma _{2}'\) is equivalent to \(\langle c_2',\ \sigma _{1} \rangle \rightarrow ^* \sigma _{2}'' \iff \langle {\mathsf {T}}(c_2'),\ {\mathsf {S}}^{c_2'}(\sigma _{1}) \rangle \rightarrow ^* \sigma _{2}'''\), which holds per the induction hypothesis. \(\square \)

We speculate, but leave the proof for future work, that restriction 4 in Sect. 4.1 could be lifted altogether, i.e., it may be possible to allow UFs in loop guards. We believe this could be done by counting UF symbols in loop guards twice when computing \({\mathsf {u}}(f)\) for any symbol \(f\). Intuitively, we may only need to interpolate the values of an UF symbol when the loop guard flips (i.e., when in one iteration it was true and in the following it became false).

Appendix B: Discussion on polynomial interpolation

The polynomial for \({\mathsf {p}}\left( f, e_1,\ldots ,e_n\right) \) given in Sect. 4.2.2 requires coefficients to range over the set of rational \(({\mathbb {Q}})\), real \(({\mathbb {R}})\), or complex numbers \(({\mathbb {C}})\). Therefore, for the domain of integers \(({\mathbb {Z}})\), it is unsound to use the given polynomial, since in general there may not exist integer values for variables \(f_i\) such that Theorem 1 holds.

Integer-valued polynomials are polynomials with coefficients in some domain, whose value for every point (or for every interpolating point) is an integer [16]. In particular, it is possible to interpolate a set of points using integer-valued polynomials with rational coefficients [17, 24]. However, these polynomials can only be used if the verification tool used in the algorithm supports rational numbers and their combined operation with integer variables from the remainder of the program.

There is still ongoing research on interpolation by integer-valued polynomials that may yield interesting results that could be of use for our algorithm. We leave as a conjecture that the following polynomial can interpolate any set of \(n+1\) integer points:

$$\begin{aligned} f(x) = \sum _{i=0}^n \left\lfloor \dfrac{a_i\,x^i}{b_i} \right\rfloor \end{aligned}$$

where \(a_i\) and \(b_i\) are integer coefficients, and \(\left\lfloor \dfrac{x}{y} \right\rfloor \) is the integer division. A drawback of this polynomial is that solving recurrences with integer division is harder than with, say, division in \({\mathbb {Q}}\), because the function may become discontinuous. Moreover, it is unclear whether it would be possible to amend Theorem 1 for such a polynomial.