Symbolic Derivatives in CF-GKAT

• The paper introduces symbolic derivatives for CF-GKAT to validate control-flow transformations with correctness-preserving, on-the-fly automata construction.
• It details a systematic approach using SAT-based decision procedures, union-find caching, and incremental SAT queries to optimize state-space exploration.
• The methodology scales efficiently in practice, detecting transformation bugs in industrial tools like Ghidra while handling non-local jumps and loop constructs.

Symbolic derivatives for CF-GKAT are a foundational construct enabling the efficient, correctness-preserving validation of control-flow program transformations. CF-GKAT (Control-flow Guarded Kleene Algebra with Tests) extends Guarded Kleene Algebra with Tests by incorporating non-local jumps, loop-specific constructs, and indicator variables. Derivatives in this context refer to the systematic symbolic computation of state transitions within CF-GKAT programs, facilitating both automata-based program analysis and fast trace-equivalence checking via SAT-based decision procedures (Zhang et al., 15 Jan 2026).

1. Formal Structure of CF-GKAT

CF-GKAT builds upon the restricted syntax of GKAT. In GKAT, choices and iterations are reified as conditional ($e+_b f$) and while-loop ($e^{(b)}$) constructs. CF-GKAT extends this foundation by allowing:

• Non-local jumps ($\mathtt{goto}\,l$), labeled locations ($\mathtt{label}\,l$)
• Loop control operators ($\mathtt{break}$, $\mathtt{continue}$, $\mathtt{return}$)
• Indicator variables $x\in X$ over finite domains $I$

The grammar for Boolean tests and program constructs is:

$\begin{array}{rcll} b,c\;\;::=&0\mid 1\mid t\in T\mid x=i\;(i\in I)\mid b\land c\mid b\lor c\mid\neg b &\text{(Boolean tests)}\ e,f\;\;::=&b\mid p\in\Sigma\mid x:=i\;(i\in I)\mid e\,f\mid e+_b f\mid e^{(b)}\mid\break\mid\continue\mid\return\mid\goto l\mid\lbl{l}\,e &\text{(CF-GKAT programs)} \end{array}$

A CF-GKAT program is interpreted as a symbolic automaton whose states are indicator-expression pairs $(\pi, e)$, with transitions governed by Boolean conditions. Well-formedness mandates unique labels for jumps and proper nesting/placement of loop control constructs.

2. Construction of Symbolic Derivatives

A symbolic CF-GKAT automaton is a tuple $(S, s_0, \varepsilon, \delta)$ with

$$\varepsilon: S \rightarrow \mathcal{P}(BExp \times C), \quad \delta: S \rightarrow \mathcal{P}(BExp \times S \times \Sigma)$$

where $BExp$ contains Boolean tests and $C$ encodes indicator assignment, return, break, and labeled jumps. State evolution relies on resolving tests under a given indicator assignment, with transitions and outputs computed on-the-fly. The construction proceeds by specialized rules for program primitives, sequencing, loops, and conditionals, all symbolically:

• For assertion: $(\pi, \assert b)\;\xOut{b[\pi]}{\pi}$
• For action: $$(\pi, p)\;\xrightarrow{1 \mid p} (\pi, \mathit{skip})$$
• For sequencing: combinations of primitive outputs/transitions feed into the next subexpression
• For loops: symbolic unrolling with tracked break and continue
• Conditionals: outcomes depend on symbolic evaluation of test guards under $\pi$

These rules admit only the states accessed during equivalence checks, reducing the state-space explosion typical of explicit atom enumeration.

3. Symbolic Trace-Equivalence Algorithm

Verification of finite-trace equivalence between two CF-GKAT programs proceeds via on-the-fly symbolic automata construction and a bisimulation up to dead-states and union-find reduction. The algorithm initializes a union-find structure to merge equivalent state-pairs and caches discovered dead-states for rapid accessibility.

The steps involve:

• SAT solving to check equivalence of output-acceptance conditions
• Incremental SAT queries for transition matching and dead-state determination
• Recursion over successors, where state-pairs are stored only once
• Efficient handling of control constructs and indicator variables using symbolic encoding

This process obviates the need for full automaton enumeration and minimizes unnecessary exploration, leveraging SAT-based pruning and union-find-based structural sharing.

4. Complexity and Performance

Let $|e|$ denote CF-GKAT program size and $n = |T|$ the number of primitive tests. Complexity is summarized as:

Aspect	Complexity Bound	Notes
Derivative step	$O(|e|)$ (syntactic)	Plus constant Boolean operations
State-space	$O(2^{|e|})$ worst-case	Typically much smaller due to program structure
Boolean operations	NP per SAT call	Incremental solving yields practical efficiency
Global space	PSPACE in $n$	Only pairs and formulas held at one time

The purely symbolic method, in contrast to the explicit GKAT algorithm (EXPSPACE in $n$), scales to thousands of tests and actions on commodity hardware. This enabled empirical detection of a program transformation bug in Ghidra, an industry-standard decompiler (Zhang et al., 15 Jan 2026).

5. Canonical Worked Examples

Two representative scenarios illustrate the approach:

Example 1 (Finite-Trace Counterexample):

Given $$e_1 = \mathbf{if}\, t_1 \land t_2 \,\mathbf{then}\, p\,\mathbf{else}\,\mathtt{return}$$ and $$e_2 = \mathbf{if}\, t_1 \,\mathbf{then}\, p\,\mathbf{else}\,\mathtt{return}$$, the symbolic derivatives immediately reveal mismatched accept conditions since SAT($\neg(t_1 \land t_2) \equiv \neg t_1$) is unsatisfiable, exposing a difference on atom $t_1 \land \neg t_2$.

Example 2 (Canonical Loop):

For $$e = \mathtt{while}\,(c)\,\{\mathbf{if}\,(b)\,\{p\}\,\mathbf{else}\,\{\mathtt{assert}\,a;\;q\}\}$$, the symbolic automaton yields a loop-state with transitions by $c \land b$ for action $p$, $c \land \neg b$ for $q$, and output $\neg c$ to the current indicator assignment. Trace equivalence between structurally similar loops is reduced to trivial SAT checks for respective guards.

6. Implementation Strategies and Optimization

Symbolic derivatives for CF-GKAT can be implemented with several domain-specific optimizations:

• Blocked-formula pruning: Transitions with unsatisfiable guards are omitted.
• Union-find caching: All state-pair queries funnel through a union-find structure to eliminate repetition.
• Dead-cache: Dead-state identification is memoized, yielding $O(1)$ future deadness checks.
• Incremental SAT solving: Assumptions for tests and indicators are efficiently pushed/popped to reuse learned clauses.
• Indicator encoding: Each indicator test is mapped to a Boolean variable, enabling substitutions via assignments.
• Solver flexibility: Both BDD (CUDD) and CNF-SAT (MiniSAT) backends are supported, with selection guided by empirical benchmark characteristics.

The Rust implementation described efficiently processes thousands of tests and actions within sub-second runtimes and minimal memory usage, reflecting substantial advances over prior symbolic and non-symbolic GKAT/CF-GKAT decision procedures (Zhang et al., 15 Jan 2026).

7. Conceptual Significance and Applications

Symbolic derivatives for CF-GKAT are pivotal for scalable and sound analysis of control-flow program transformations, especially in contexts necessitating high-assurance correctness such as decompiler validation and optimizing compilers. The approach achieves significant computational efficiency by combining SAT-driven symbolic reasoning, on-the-fly automata construction, and domain-specific optimizations. This architecture demonstrates the feasibility of rigorous program equivalence checking for practical program representations, as well as the real-world utility in uncovering transformation bugs in industrial tools. A plausible implication is broader applicability to additional program analysis domains requiring symbolic reasoning over control flow.