# Equivalence Checking for Prepack

### By Ben and Suhail
#### November 29, 2017


# What is Prepack?

Prepack is a tool developed by Facebook for "making JavaScript code run faster". 
 
> Prepack is a tool that optimizes JavaScript source code: Computations that can be done at compile-time instead of run-time get eliminated. Prepack replaces the global code of a JavaScript bundle with equivalent code that is a simple sequence of assignments. This gets rid of most intermediate computations and object allocations. 


 
# Python Z3-based Equivalence Checker

* SMT-based verfier implemented using Z3

* Assumes source code has a general form
    * Finite set of global variables
    * Sequence of operations that potentially modify state of global variables
    * Ignore handling of tricky pointers/memory implementation

* Supports only a subset of Javascript syntax

* Declarations: `var x`, `var y = 1`, and `function myFunc(x, y) { ... }`

* Statements: `while (cond) { ... }` and `if ... [else if] ... [else]` 

* Expressions: Assignment, binary, unary, and function calls `x = -10 + myFunc(123)`

# How does it work?

* Generate AST using `Esprima`

* Construct SMT by traversing AST in recursive manner

* Bind the variable from both programs

* Pass ouput SMT to Z3

* If unsat, then programs equivalent

* Else, return mismatched variables

# Limitations

As with most SMT-based equivalence checker, our implementation does not handle recursion and complex loops that involve `break` and `continue` statements.  We found the exhaustive natural of IC3 and similar techniques for handling loops inelegant.  Currently we can handle loops by unrolling, and iteratively double the unroll depth in case if we didn't unroll far enough.  Clearly, this approach cannot handle infinite loops -- Thankfully (or unfortunately) Python limits the stack for scopes very conservatively, so the checker will hit a "Parser stack overflow - Memory Error" relatively soon.  We can workaround this problem if we don't allow loops inside functions, i.e. loops can only happen in the global scope.

The correctness of the checker depends on the correctness of `Esprima`.  In addition, since the analysis is static, we implemented our own checks for handling run-time errors such as referencing undefined variables.  Many of these checks can be buggy due to lack of refinement.


# Future Work

The entirety of checker code is spaghetti held together by bubble gum and coffee.  Up until now, we are mostly focused on getting the formal verification aspect to work -- In particular, given a piece of JavaScript code, how do we construct the SMT statement?  To make the code more extensible, we need to come up with more rigorous way of translating JavaScript into SMT for equivalence checking.
