automatic equivalence checking of uf+ia programs

technologyfrom seed

Automatic Equivalence Checking of UF+IA ProgramsNuno Lopes and José Monteiro

technologyfrom seed

Automatic Equivalence Checking of UF+IA Programs

• Algorithm recognition• Regression checking• Manual optimization checking• Compiler optimization verification• Information flow (non-interference) proofs

Why Equivalence Checking?

technologyfrom seed


i := 0while i < n do

k := f(k, i)i := i + 1

Example:Are these programs equivalent?

i := nwhile i ≥ 1 do

k := f(k, n - i)i := i - 1

if n ≤ 0 theni := 0

elsei := n

technologyfrom seed


assume v = vi := 0

while i < n dok := f(k, i)i := i + 1


k := f(k, n - i)i := i - 1


elsei := n

assert v = v

Example:Sequential composition is no solution

technologyfrom seed


• Program equivalence• Example• Algorithm• Application to compiler optimizations• Evaluation: CORK

Outline

technologyfrom seed


• Functional equivalence: non-deterministic behavior is not supported

• Partial equivalence: check only terminating paths

Program equivalence

technologyfrom seed


i := 0while i < n do

k := f(k, i)i := i + 1

Running example


k := f(k, n - i)i := i - 1


elsei := n

technologyfrom seed


assume v = vi := 0

while i < n dok := f(k, i)i := i + 1


k := f(k, n - i)i := i - 1


elsei := n

assert v = v

Running example:1) Sequential composition

technologyfrom seed


assume v = vi := 0

while i < n dok := a·k + b·i + ci := i + 1

(…)

assert v = v

Running example:2) Eliminate UFs

f(k, i)

technologyfrom seed


assume v = vi := 0

if i < n thenassume Ri(j-1) < n R∧ i(j) ≥ nk := Rk(j)i := Ri(j)

(…)

assert v = v

Running example:3) Eliminate Loops

𝑅𝑘 ( 𝑗 )=𝑏 (𝑎 𝑗−𝑎𝑗+ 𝑗−1 )+(𝑎−1 ) (𝑎 𝑗 ( (𝑎−1 )𝑘0+𝑐 )−𝑐 )

(𝑎−1 )2

𝑅𝑖 ( 𝑗 )= 𝑗

assume v = vi := 0

while i < n dok := a·k + b·i + ci := i + 1

(…)

assert v = v

Ri(j) = Ri(j-1) + 1Ri(0) = 0Rk(j) = a × Rk(j-1) + b × Ri(j-1) + cRk(0) = k0

technologyfrom seed


assume v = vi := 0

if i < n thenassume Ri(j-1) < n R∧ i(j) ≥ nk := Rk(j)i := Ri(j)

i := nif i ≥ 1 then

assume Vi(j-1) ≥ 1 V∧ i(j) < 1k := Vk(j)i := Vi(j)


elsei := n

assert v = v

Running example:3) Eliminate Loops

technologyfrom seed



Outline

technologyfrom seed


1. Sequential composition2. Replace UFs with polynomials3. Replace loops with recurrences4. Prove safety of resulting program

Algorithm

technologyfrom seed


Algorithm:1) Sequential Composition

assume v = v

P1(v)

P2(v)

assert v = v

technologyfrom seed


• u(f, i) is equal to the maximum number of applications of f with distinct values in the ith parameter in all paths minus one

Algorithm:Function u

if i < n thenk := f(y, 3)elsek := f(z, 3)

if f(x, 3) < 0 k < 0∧ then…

u(f, 1) = 1u(f, 2) = 0

technologyfrom seed


Algorithm:Polynomial Interpolation

-2 -1 0 1 2 3 4 5 6 7 8

-4

-2

0

2

4

6

8

10

12

f(a)

f(b)

f(c) f(d)

technologyfrom seed


• UFs are rewritten to polynomials over its inputs

Algorithm:2) UF -> Polynomial

𝑇 (𝑒 )=∑𝑖=1

𝑛

∑𝑗=0

𝑢 ( UF ,𝑖 )

UFij× (T (e i ))j , if 𝑒=UF (𝑒1 ,… ,𝑒𝑛)

technologyfrom seed


Algorithm:3) Loops -> Recurrences

while b doc

if b thenassume σn-1(b) ∧ σn(¬b) vi := σn(vi)

elseassume n = 0

→

technologyfrom seed


• Resulting program is correct iff the 2 programs are partially equivalent

• Standard model checkers or VC gen + constraint solving can now prove correctness

Algorithm:4) Prove safety of resulting program

technologyfrom seed



Outline

technologyfrom seed


• Compiler optimization– Transformation function– Precondition– Profitability heuristic

Compiler Optimizations

technologyfrom seed


while I < N doSI := I + 1

Loop Unrolling

while (I + 1) < N doSI := I + 1SI := I + 1

if I < N thenSI := I + 1

⇒

Precondition:R(S) = {I, N, c1}W(S) = {c1}

technologyfrom seed


while i < n dox := i + 2i := i + 1

Loop Unrolling:Example instantiation

while (i + 1) < n dox := i + 2i := i + 1x := i + 2i := i + 1

if i < n thenx := i + 2i := i + 1

while I < N doSI := I + 1 ⇒

S ≡ x := i + 2I ≡ iN ≡ n

while (I + 1) < N doSI := I + 1SI := I + 1

if I < N thenSI := I + 1

technologyfrom seed


• Transformation function specified as 2 template programs• Precondition specified as read/write sets for template

statements and expressions plus IA formulas

Compiler Optimizations:Our abstraction

technologyfrom seed


• A transformation function can be written as two UF+IA programs– Template statements are converted to UFs, that read and write

from/to their read/write sets

Transformation function to UF+IA Program

S x,y := Sx(y, z), Sy(y, z)

Precondition:R(S) = {y, z}W(S) = {x, y}

→

technologyfrom seed



Outline

technologyfrom seed


• Implemented in OCaml (~1,100 LoC)• Uses Wolfram Mathematica 8 for constraint and

recurrence solving

CORK: Compiler Optimization Correctness Checker

technologyfrom seed


CORK: Results

Benchmarks available from http://web.ist.utl.pt/nuno.lopes/cork/

technologyfrom seed


• Presented a new algorithm to prove equivalence of UF+IA programs

• Presented CORK, a compiler optimization verifier, that can prove more optimizations correct than others

Conclusion

technologyfrom seed

Título da apresentação

technologyfrom seed

automatic equivalence checking of uf+ia programs

Documents

uf ia programsexample

vautomatic equivalence

corkautomatic equivalence

n thenk

vijif n

n thenassume rij

oneautomatic equivalence

supportedpartial equivalence