VP_TT: A value propagation based equivalence checker for testability transformations

DST, Government of India, Grant/Award Number: CRG/2019/001300 Abstract Testability transformation (TT) is a source‐to‐source programme transformation that aims to improve the ability of a given test generation method to generate test data for the original programme. Herein, the correctness of testability transformations is shown. Translation validation is the process of proving that the transformed programme is a correct translation of the source programme being compiled. It is widely used to verify the correctness of various compiler optimizations and transformations during scheduling. The value propagation based equivalence checking (VP) method is an efficient translation validation approach proposed to verify the correctness of various compiler optimization applied during scheduling in high‐level synthesis. VP‐based translation validation of testability transformations is proposed. In particular, it is identified that the existing VP method fails to show the equivalence for some of the TTs. A dynamic cutpoint selection scheme and an enhancement to the VP method to overcome these limitations are shown. The enhanced VP method, called VP_TT, successfully shows the equivalence for the TTs where the VP method fails. Experimental results confirm the usefulness of VP_TT in the verification of testability transformations.


| INTRODUCTION
Testability transformations (TTs) [1][2][3][4][5][6][7] are applied in software testing to improve the test data generation. TTs are a set of programme transformation techniques applied to improve the original programme's 'testability'. Testability transformation has been demonstrated to be viable at improving coverage for search-based test data generation. It has been used to tackle problems such as flag variables, unstructured control flow, data flow testing, state-based testing, and nesting to enhance the original programme so that it becomes easier for the generation of adequate test data. Though the test data is to be applied to the original programme, it is generated from the transformed version. Therefore, it is important that the transformed programme must preserve the semantic equivalence against the original programme. Semantic equivalence ensures that the atomic tests are free of side effects and prevent the target programme to perform redundant or useless evaluations of tests. The correctness by construction cannot be expected from a testability transformation tool with several hundred thousand code lines. Therefore, it is important to verify whether the transformed programme is semantically equivalent to the original programme.
Herein, we plan to develop a translation validation framework for checking the correctness of testability transformations. Translation validation [8] is a popular approach for the verification of compiler optimizations. Translation validation is a formal verification approach for compilers whereby each translation is followed by a validation phase which verifies that the transformed behaviour generated by compiler correctly implements the source behaviour. Path-based equivalence checking (PBEC) [9][10][11][12][13][14], a popular translation validation approach, has made significant progress in the verification of the compiler optimizations applied during scheduling in High-level Synthesis (HLS). The PBEC approaches model the input and the transformed behaviours as a finite state machine with datapaths (FSMDs). In general, PBEC approaches decompose each FSMD into a set of finite paths, and the equivalence of FSMDs is established by showing path level equivalence between two FSMDs using a symbolic bi-simulation approach. The value propagation based equivalence checking (VP) method proposed in Ref. [9] is a powerful PBEC method that can handle code motion across loops along with all the compiler optimizations supported by [10][11][12][13][14]. We explored the applicability of the VP method in the verification of TTs. We found that the VP can handle most of the TTs. The equivalence problem of two behaviours is, however, an undecidable problem in general. Therefore, it is possible that the VP method may produce a falsenegative result. In fact, the VP method fails to show the equivalence for TTs which involves removal of flag variables [2] and exit statements [15] from the original programme. Thus, the VP method produces false-negative results in these cases.
We investigated the limitations of the VP method in handling flag variables and exit statements removal during TTs. We have identified two limitations in the VP methods. Specifically, in flag removal, multiple conditional blocks are merged into one. The VP method fails to handle this type of scenario due to its static cutpoint selection scheme (Limitation 1). The exit statements create multiple exit paths from the loop body which cannot handle by the VP method (Limitation 2). We then proposed two enhancements in the VP method to overcome the above limitations to handle two most common TTs: that is removal of flag variables and exit statements. Specifically, we proposed (i) a dynamic cutpoint selection scheme to handle flag variable removal and (ii) a loop invariant checking at all loop exit points to handle exit statement removal. With these two enhancements, we showed that the VP method can handle both flag variables and exit statements removals. To the best of our knowledge, this is the first method proposed for verification of testability transformations. The contributions of this work can be summarised as follows: � We model the equivalence checking of the testability transformations problem as the equivalence checking of two FSMDs. � We propose an equivalence checker, called value propagation based equivalence of testability transformation (VP_TT), for the verification of TTs. The method overcomes the limitations of the existing VP method to handle the removal of flag variables and exit statements in TTs. � Experimental results show that the proposed VP_TT method successfully establishes the equivalence for TTs.
The rest is organised as follows. The related works are briefly discussed in Section 2. The FSMD model and the VPbased method are briefly explained in Section 3. The limitations of the VP method are highlighted in Section 4. A solution to overcome the limitations of the VP method is presented in Section 5. The VP_TT method is presented in Section 6. The correctness and complexity of the proposed method are discussed in Section 7. Experimental results are given in Section 8. Section 9 gives the conclusion.

| RELATED WORK
Translation validation is a well-known technique for the verification of programme transformations. Translation validations aimed to check that each translation performed by the compiler preserves the semantics of the input programme.
Translation validation for variety of real-world compilers on large and complex programs has been reported in literature. Translation validation infrastructure (TVI) [16] for GCC demonstrated the validation of the gcc-2.91 compiler and the Linux-2.2 kernel, across five IR passes in GCC, namely branch optimization, common sub-expression elimination, loop unrolling and inversion, register allocation, and instruction scheduling. A value graph translation validator [17,18] to validate the various optimizations of the LLVM compiler is available. The work in Ref. [18] can verify constant propagation, dead-code elimination, global value numbering, loopinvariant code motion, loop deletion, loop un-switching, and dead-store elimination. In a recent work, Dahiya et al. [19] offers a novel black-box equivalence checking algorithm which can perform black-box checking across almost all the composed transformations produced by modern compilers. Some other notable translation validation works for compiler transformations are Refs. [20]- [22].
Translation validation is also commonly used to verify the correctness of scheduling transformation during HLS. A formal verification of the scheduling phase of HLS using the FSMD model is reported in Ref. [23]. The method presented herein fails if the scheduler applies the non-uniform code motion transformations. Karfa et al. proposed an equivalence checking method for verification of scheduling in Ref. [11]. This method works only for uniform code motion techniques. The study by Karfa et al. [13] improved the equivalence checking method presented in Ref. [11] to handle both uniform and non-uniform code motions applied during the scheduling phase of HLS. The study by Banerjee et al. [9] introduces a notion of value propagation and widen the scope of the path-based mechanism to handle code motion across loops. This VP method is also capable of handling control structure modification of input behaviour and uniform and non-uniform code motion. The VP method is enhanced in Ref. [24] to handle code motion involving loops. An counter example generation process using SMT solver in case of nonequivalence shown by VP method is shown in Ref. [25]. Recently, the scheduling of conditional behaviours is verified using an translation validation approach in Ref. [26].
A number of testability theories have been published in the literature. Voas and Miller [27] defined the testability as the probability that a piece of software will fail on its next execution during testing, provided it contains a fault. McGregor and Srinivas [28] attempted to determine the testability of an objectoriented system. Harman et al. [1] remove flag variables from branch predicates, replacing them with the expression that led to their determination. In the transformed version of the programme is flag-free. Baresel and Sthamer [29] introduced a new approach for solving evolutionary testing problems with flag conditions. The study by Gong and Yao [5] uses genetic algorithm to tackle the flag problem in testability transformation. Testability transformations have also been applied to unstructured programs for branch coverage [15]. The exit statements removal for test data generation is also discussed herein. Harman et al. [2] focuses on ameliorating problems for automated test data generation techniques. The studies by Ramshaw and Ward [30,31] focus on the goto removal problem.
As discussed above, translation validation is commonly used for verification of compiler transformations. On the other hand, testabililty transformations are popular programme transformation approaches in software testing applied to improve the test data generation. To the best of the authors' knowledge none of the existing works targets verification of testability transformations. We target the translation validation of TTs. Specifically, we consider a robust VP-based translation validation approach [9] proposed originally for scheduling transformation and enhance it to verify testability transformations.

| FSMD MODEL AND THE VP METHOD
In this section, the FSMD model and the VP method are briefly explained. The details can be found in Ref. [9].

| FSMD model
For verification of testability transformations, the input and the transformed programs need to be represented formally. We model the programs using a finite state machine with data paths (FSMDs) [32]. Although FSMD was initially proposed by Gajski et al. [32] to model hardware designs, it has been used to model sequential programs in the verification of scheduling transformations [9,11]. In fact, the FSMD models the sequential programme efficiently by capturing both control and data flow of the behaviours. The control flow is captured by the state transitions and the data flow is implicitly maintained by the sequence of states in the FSMD. The control and data flow graph (CDFG) is the other widely used model to represent programs. We developed a path-based equivalence checking (PBEC) method on the FSMD model for verification of testability transformations. It may be noted that a similar PBEC approach can also be developed on other programme model like CDFG. Formally, the FSMD is defined as follows: Any sequential programme can be model as an FSMD. A programme has a set of inputs, a set of outputs, a set of variables, and a set of assignment operations of variables and outputs. The programme also consists of control flow statements like conditional and loop statements. The FSMD consists of a set of states and transitions among states. Each transition of an FSMD is guarded by condition over variables and constants. A set of assignment operations are also associated with each transition of an FSMD. Therefore, the transitions of an FSMD capture the control flow and also associated assignment operations. It is important to ensure that the inherent data dependencies among the assignment operations within a basic block of a programme are not violated during FSMD-based modelling of programme. In FSMD, operations associated in a transition are assumed to execute in parallel. Therefore, a sequence of assignment operations of a basic block is placed sequentially one in each state to maintain the data dependencies. A sample sequential statement, if-else block and while loop is shown in Figure 1(a), 1(c) and 1(e), respectively and its corresponding FSMD is shown in Figure 1 (b), 1(d), and 1(f), respectively. The study by Karfa et al. [13] discusses in detail how the FSMD models can be constructed from the high-level representations of the input and the transformed behaviours.
A walk from a state q i to a state q j is a sequence of state transitions of the form ⟨q i ⇒ walk where all the states are different, except the end state q j may be the same as the start state q i . The condition of execution R β of a path β is a logical expression over I ∪ V, which must be satisfied by initial data state to traverse the path α. The data transformation (s β ) represents an updated variables vector s β ¼ 〈e 1 , e 2 , …, e k 〉, where k ¼ |V 0 ∪ V 1 | and e i is the symbolic value obtained by the variable v i ∈ V 0 ∪ V 1 at the end state of β. For a path β, R β , and s β are computed by forward or backward substitution based on symbolic execution. Figure 2(a) and its corresponding FSMDs in 2(b). The behaviour checks whether a number n is perfect number or not. If n is a perfect number then it sets the value of the variable out to one otherwise 0. Let consider the path

| Equivalence of FSMDs
Let consider the source behaviour is formally represented by the FSMD M 0 ¼〈Q 0 , q 00 , I, O, V 0 , f 0 , h 0 〉 and the behaviour CHOUKSEY ET AL.
-149 after testability transformation is formally represented by the FSMD M 1 ¼ 〈Q 1 , q 10 , I, O, V 1 , f 1 , h 1 〉 . Note that these two FSMDs have the same input(s)/output(s) represented by I and V. However, these two FSMDs differ in the number of states, internal variables, state transition function, and the update function. In the following, we discuss how to define the equivalence of these two FSMDs M 0 and M 1 formally. A computation of an FSMD is a finite walk from the reset state to itself, and the reset state should not occur in between. The equivalence of computations of two FSMDs are defined as follows.
The M 1 is transformed programme derived from M 0 through testability transformations. Our goal is to verify whether M 0 behaves exactly as M 1 . This means that for all possible input sequences, M 0 and M 1 produce the same sequences of output values and eventually, when the respective reset states are revisited, they are visited with the same storage element values. In other words, for every computation from the reset state back to itself of one FSMD, there exists an equivalent computation from the reset state back to itself in the other FSMD and vice versa. The equivalence of two FSMDs M 0 and M 1 is captured in the following two definitions. the end state of β n ; β i 's may not all be distinct. The objective is to find a finite set of paths in an FSMD M so that any computation in M can be represented by the concatenation of paths from that set. With this observation, the equivalence checking of two FSMDs will reduce to checking equivalence between finite set of paths to two FSMDs. Hence, we have the following definition.
Definition 6 (Path cover of an FSMD). A finite set of paths P ¼ {β 0 , β 1 , …, β k } is said to be a path cover of an FSMD M if any computation μ of M can be looked upon as a concatenation of paths from P.
To obtain a path cover for an FSMD model each loop is cut at atleast one cutpoint. The set of all paths from a cutpoint to another cutpoint without any intermediary occurrence of a cutpoint is a path cover of the FSMD. This is based on the Floyd-Hoare method of programme verification [33].
A PBEC approach inserts cutpoints into FSMDs M 0 and M 1 , identifies the path covers P 0 and P 1 in M 0 and M 1 , respectively, and then tries to find the equivalence of the paths between P 0 and P 1 using a symbolic bi-simulationbased approach [34]. The reset states q 00 and q 10 of M 0 and M 1 , respectively, are corresponding states. The states q 0k ∈ Q 0 and q 1l ∈ Q 1 are corresponding states if the state q 0i ∈ Q 0 and q 1j ∈ Q 1 are corresponding states and there exists paths β from q 0i to q 0k and α from q 1j to q 1l , such that β ≃ α. Since, the data transformations of the subsequent paths from 〈q 0k , q 1l 〉 are computed using initial symbolic values of the variables, it does not matter what symbolic values it considers as long as it is the same in both FSMDs. Therefore, at corresponding states〈q 0k , q 1l 〉 , all the values of variables are reset. The data dependencies are not lost due to this. The idea is inherited from the Flyod-Hoare method of programme verification. The equivalence between paths of P 0 and P 1 may not always exist due to the application of code optimizations. Therefore, the PBEC approaches come up with ideas like path extension [11] or value propagation [9] to show the equivalence in such case.
The correspondence of states between M 0 and M 1 are defined as follow.
1. The reset states q 00 and q 10 are corresponding states. 2. The states q 0k ∈ Q 0 and q 1l ∈ Q 1 are corresponding states if the state q 0i ∈ Q 0 and q 1j ∈ Q 1 are corresponding states and there exists paths β from q 0i to q 0k and α from q 1j to q 1l , such that β ≃ α.
The following theorem can be concluded from the above discussion.
Proof. M 0 ⊑ M 1 if, for any computation μ 0 of M 0 , there exists a computation μ 1 of M 1 such that μ 0 and μ 1 are computationally equivalent [by Definition 3]. Now, let there exists a path cover P 0 ¼ {β 00 , β 01 , …, β 0k } of M 0 . Corresponding to P 0 , let a set P 1 ¼ {α 10 Since P 0 covers M 0 , any computation μ 0 of M 0 can be looked upon as a concatenated path ½β 0i 1 ; β 0i 2 ; …; β 0i n � from P 0 starting from the reset state (q 00 ) and ending again at the reset state of M 0 . From above, it follows that there exists a sequence Π 1 of paths Therefore, in order that Π 1 represents a computation of M 1 , it is required to prove that Π 1 is a concatenated path of M 1 from its reset state q 10 back to itself. Now, let β 0i 1 : ½q 00 ⇒ q 0f 1 �. Since β 0i 1 ≃ α 1j 1 , from the definition of corresponding states, α 1j 1 must be of the form ½q 10 ⇒ q 1f 1 �, where 〈q 00 , q 10 〉 and ⟨q 0f 1 ; q 1f 1 ⟩ are corresponding states. Thus, by repetitive application of the above argument, it follows that if β 0i 1 :

| Overview of the VP method
A propagated vector for a path β is an ordered pair 〈R β , s β 〉, where the R β is the condition of execution and the s β is an updated variable vector representing the value obtained by the variables at the end state of β, detailed can be found in Ref. [11].
The VP method [9] finds the path cover in both the behaviours by selecting all the branching states as cutpoint (static cutpoint selection strategy). The VP method of FSMDs consists in propagating the mismatched values of live variables (as propagated vectors) through all the subsequent path segments until the values match or the final path segment ending in the reset state is reached. It may be noted that in the VP method the mismatched values are propagated in subsequent paths in depth first search (DFS) manner.
In the course of equivalence checking of two FSMDs, two paths, β and α say (one from each FSMD), are compared with respect to their corresponding propagated vectors for finding a path equivalence. If R β ≡ R α and s β ¼ s α , then these paths are CHOUKSEY ET AL. declared as unconditionally equivalent (U-equivalent in short, denoted by β ≃ α). If some mismatch in data transformation is detected, then they are declared to be conditionally equivalent (C-equivalent in short, denoted by β ≃ c α) provided their final state-pairs eventually lead to some U-equivalent paths; otherwise, these two paths and, therefore, two FSMDs are declared to be not equivalent. The working of VP is explained in Example 3.

| MOTIVATING EXAMPLES
Test data generation by hand is a difficult, expensive, and error-prone task, yet testing is a necessary part of the development process. A programme that has unstructured control flow creates problems in generation of test data. Testability transformation transforms such programs to make it easier for generation of test data (by improving the original programme's 'testability') [1,2]. The presence of flag variables in a programme greatly reduces the effectiveness of the search. The removal of flag variables improves the performance of evolutionary test data generation. An exit statement inside a loop for example leads to more than one way in which the flow of control may leave the loop. Removing the exit statement from an unstructured programme creates single-entry and single-exit control flow structure and make the programme easier to understand. In this section, one example with flag removal and one example with exit removal are presented. The flag removal example is formed based the method presented in Refs. [1] and [2] and the exit statement removal example is presented based on the method [15]. The limitations of the VP method are identified with these two examples. We primarily targeted the flag and exit statements removal methods presented in Refs. [1], [2], and [15]. Since, the equivalence of programs is in general undecidable problem, our proposed method may also produce false-negative results for certain cases of testability transformations.

| Testability transformation for flag variables
The source and transformed C codes snippet of a flag removal example is given in Figure 3(a) and 3(b). Note that the original programme (Figure 3(a)) contains a flag variable and it has been removed in its equivalent transformed code is shown in Figure 3(b). However, the VP method fails to show the equivalence for these behaviours, as shown in Example 3. In the equivalence checking, the VP method finds that q 00 , q 01 , q 02 , q 04 of M 0 and q 10 , q 11 , q 13 of M 1 are cutpoints. Let the variable ordering is 〈P0, num, out, flag〉 . The propagated vector at the reset state q 00 (q 10 ) is ϑ 00 (ϑ 10 ) ¼〈T,〈P0, num, out, flag〉 〉 where T stands for True. Note that flag variable is uncommon variable that is flag variable is defined in M 0 but not in M 1 . Therefore, flag variable retains its symbolic value in the propagated vectors of M 1 throughout a computation of M 1 . For the path β 1 ¼ q 00 ⇒ q 01 of M 0 and the path α 1 ¼ q 10 ⇒ q 11 of M 1 , the propagated vector at q 01 and q 11 are ϑ 01 ¼〈T,〈num, num, out, flag〉 〉 and ϑ 11 ¼〈T,〈num, num, out, flag〉 〉 , respectively. The propagated vector ϑ 01 and ϑ 11 are the same at q 01 and q 11 . Therefore, the path β 1 is said to be U-equivalent to the path α 1 . Note that ϑ 01 and ϑ 11 are the same, so there is no need to propagate the propagated vector for the path emanating from q 01 and q 11 . Therefore, all variables in the propagated vector associated with the states q 01 and q 10 will be reverted back to their symbolic value. Thus, the updated propagated vector at q 01 and q 10 will be ϑ 01 (ϑ 11 ) ¼〈T, 〈P0, num, out, flag〉 〉 . For the path β 2 ¼ q 01 ⇒ q 02 of M 0 and the path α 2 ¼ q 11 ⇒ q 13 of M 1 , the propagated vector at q 02 and q 13 are ϑ 02 ¼〈P0%2 ¼ ¼ 0, 〈P0, num, out, 1〉 〉 and ϑ 13 ¼〈P0%2 ¼ ¼ 0,〈P0, num, 1, flag〉 〉 , respectively. The propagated vectors ϑ 02 and ϑ 13 are not the same since there is a mismatch in the values of the variable out. Therefore, value propagation is required and β 2 is said to be candidate C-equivalent (i.e. condition of execution matches but data transformations do not match) to the path α 2 . As a result, mismatched values need to be propagated in the subsequent path from the state q 02 of M 0 and q 13 of M 1 . However, there is no path emanating from the state q 13 of M 1 . Thus, the VP method fails to show the equivalence and reports that behaviours 'may not be equivalent'.

| Testability transformation for exit statements
The source and transformed C code snippet of an exit removal example is given in Figure 5(a) and 5(b). The source code ( Figure 5(a)) contains an exit statement at line 7 and it has been removed in the transformed code, as shown in Figure 5(b).
The VP method can handle the scenario which involves code motions across loops. The variables whose values are propagated beyond a loop must be invariant to that loop for valid code motions across loops. To determine the loop invariant of such variables, the VP method invokes the function loopIvariant at the loop header after one traversal of the loop. Loop invariant checking details can be found in Ref. [9]. The VP method checks the loop invariant at the loop header only. For a programme with exit inside a loop has multiple exit points from the loop. The VP method cannot handle this type of scenario and reports that behaviours 'may not be equivalent', as shown in Example 4. Figure 6. Figure 6(a) and 6(b) shows the FSMDs corresponding to the original and transformed programme of Figure 5, respectively. The VP method selects q 00 , q 01 , q 04 of M 0 and q 10 , q 11 , q 13 of M 1 as cutpoint. The path q 00 ⇒ q 01 ⇒ q 02 of M 0 and q 10 ⇒ q 11 ⇒ q 12 of M 1 are U-equivalent since the values of variables P0 and i match. Note that, in original behaviour ( Figure 6(a)) for the loop body q 02 ⇒ q 03 ⇒ q 02 , the states q 02 and q 03 are loop exit points. The FSMD M 0 has two exit points. During equivalence, checking the VP method identifies that the loop body q 02 ⇒ q 03 ⇒ q 02 contains more than one loop exit points. Therefore, the VP method terminates its execution and reports that "behaviours may not be equivalent".

| PROPOSED ENHANCEMENTS
In this section, we propose solutions to overcome the limitations discussed in Section 4.

| Dynamic cutpoint selection
The VP method uses a static cutpoint selection strategy (cutpoint) and selects q 00 , q 01 , q 02 , and q 04 as cutpoints in M 0 (Figure 4(a)) and q 10 , q 11 , and q 13 in M 1 (Figure 4(b)) as cutpoints. Note that there are two conditional blocks in M 0 . The transformed behaviour M 1 generated by TT for flag variables has only one conditional block. The difference in the number of the conditional block between these two behaviours hints -153 that we may avoid the state q 02 as a cutpoint in M 0 . If we avoid the q 02 as cutpoint then the VP method can show the equivalence between these two behaviours. However, the static cutpoint selection strategy also selects q 02 as a cutpoint henceforth, the VP method fails to show the equivalence. We propose a dynamic cutpoint selection scheme, cut-pointSelection (Algorithm 1), to choose the proper cutpoints in both the source (say M 0 ) and transformed (say M 1 ) behaviours. The function cutpointSelection selects all the loop headers in M 0 and M 1 as cutpoints so that each loop is cut in at least one cutpoint [33] (step 1). The rest of the function finds other set of cutpoints. The function cutpointSelection uses the dominator tree concept [35] to find the number of conditional blocks between two states. It computes the immediate dominator and PIDom of each state in steps 1 and 1, respectively. It computes the dominator tree for each FSMD in step 1. Note that in cutpointSelection method, we find the number of conditional block exists between an articulation node and its PIDom in each FSMD. If the number of conditional blocks are the same for both the FSMDs then we declare the all conditional nodes as cutpoint exists between the articulation point and its PIDom in each FSMDs. Otherwise, we do not select any of the nested condition as cutpoint. For each articulation node (say q 0i ) in M 0 , it invokes the function checkCondWithZ3 to find the corresponding state (say q 1j ) in M 1 (step 1). If checkCondWithZ3 succeed (i.e. condition at both states matches) then cutpointSelection invokes the function find-CondBlock to find the number of conditional blocks (say n i ) exists in between the state q 0i and its post immediate dominator (step 1). Similarly, it finds the number of conditional blocks (say n j ) in between the state q 1j and its post immediate dominator (step 1). If n i ¼ n j then it invokes the function makeCutNode to make all the conditional node as cutpoints exist in between q 0i (q 1j ) and its post immediate dominator (steps 1 and 1). Note that the function cutpointSelection finds the cutpoints at step 1 in bi-simulation manner. The function cutpointSelection repeats the steps 1 to 1 for each articulation node present in M 0 . Example 5 shows if the VP method uses the function cutpointSelection to find cutpoints for the behaviours shown in Figure 4 then it can show the equivalence.
Example 5. Consider the original behaviour M 0 and its transformed behaviour M 1 shown in 4. There are two conditional states (q 01 and q 02 ) in the FSMD M 0 while there is only one conditional state (q 11 ) in the FSMD M 1 . For the articulation node q 01 the function cutpointSelection finds the state q 11 in M 1 . The function declares the states q 01 and q 11 as cutpoints. The state q 02 is PIDom of q 01 and the state q 12 is PIDom of q 11 . Note that there is no internal conditional block between the state q 01 (q 11 ) and its PIDom q 02 (q 12 ). So, no further cutpoint is selected inside this conditional block. In the next step, the function cutpointSelection finds the state in M 1 for the articulation point q 02 . However, it does not find any state in M 1 for the state q 02 . So, q 02 is not selected as cutpoint. Thus, the function cutpointSelection (Algorithm 1) selects q 00 , q 01 , q 04 of M 0 and q 10 , q 11 , q 13 of M 1 as cutpoints. Now consider the equivalence checking between these two behaviours. The path q 00 ⇒ q 01 of M 0 is found to be Uequivalent to the path q 10 ⇒ q 11 of M 1 since the value of P0 matches. Note that the state q 02 of M 0 is not selected as cutpoint. Therefore, there are two valid paths from the state q 01 , α 1 : ⟨q 01 ⇒ num%2¼¼0 q 02 ⇒ f lag¼¼1 q 03 ⇒ q 04 ⟩ and α 2 : The path α 1 is U-equivalent to the path q 11 ⇒ num%2¼¼0 q 12 ⇒ q 13 and the path α 2 is Uequivalent to the path q 11 ⇒ !num%2¼¼0 q 12 ⇒ q 13 since the values of all the variables match. Hence, the VP_TT method reports 'M 0 and M 1 are equivalent'.

| Handling multiple exits from loop
As shown in Example 4, the VP method fails if a behaviour has more than one loop exit point. The VP method must also check the loop invariant at all the loop exit points inside the loop. Example 6 shows that if the VP method checks the validity of code motion at all the exit points inside the loop body, then it shows the equivalence for the behaviours shown in Figure 6. Example 6. Consider the original behaviour M 0 and its transformed behaviour M 1 shown in 6. In the course of equivalence checking, the path q 00 ⇒ q 01 ⇒ q 02 of M 0 and q 10 ⇒ q 11 ⇒ q 12 of M 1 found to be U-equivalent since the values of variables P0 and i match. Next, for the path q 02 ⇒ i<num q 03 , there does not exist any equivalent path in M 1 but the condition at the state q 12 implies the condition at the state q 02 , so need to extend the path at the state q 03 . In this case, value propagation is required and need to store the propagated vector (ϑ 03 ) at the state q 03 . Therefore, with respect to ϑ 03 at the state q 03 , there are two paths α 1 ¼ ⟨q 03 ⇒ i<num∧¬num%i¼¼0 q 02 ⟩ and

| OVERALL VERIFICATION METHOD
In this section, we present our VP_TT verification method. Note that we use the functions of the VP method [1] as they are except the function correspondenceChecker and con-tainmentChecker functions. The overall flow of our verification method is given in Figure 7. We start the procedure of equivalence checking of FSMDs M 0 and M 1 by invoking the function containmentChecker (Algorithm 2). The function containmentChecker first invokes the function cutpointSelection to find the appropriate cutpoints and then computes the path cover for both the FSMDs. The function con-tainmentChecker invokes the function correspondenceChecker The function findEquivalentPath returns a 4-tuple 〈β, α, ϑ 0m 0 , ϑ 1n 0 〉 where β and α are corresponding paths as described above, ϑ 0m 0 is the propagated vector at the end state q 0m of β and ϑ 1n 0 is the propagated vector at the end state q 1n of α. If ϑ 0m 0 ≡ ϑ 1n 0 then the path α is U-equivalent to path β. Consequently, the data structure W scp gets updated (line 5.2). If findEquivalentPath does not find any path α in M 1 whose condition of execution R α satisfies either R β ≡ R α , or R β ⇒ R α or R α ⇒ R β , then it returns α ¼ NULL (i.e. M 0 and M 1 may not be equivalent, handled in line 5.2). If α ≠ NULL and ϑ 0m 0 ≢ ϑ 1n 0 , then the path α is candidate C-equivalent to the path β and hence further value propagation is required. However, the Algorithm 3 correspondenceChecker(q 0i , q 1j , P 0 , P 1 , W csp , E u , E c , LIST, ϑ 0i , ϑ 1j ) Algorithm 2 containmentChecker(M 0 , M 1 ) CHOUKSEY ET AL.

| Soundness
The VP_TT enhances the VP method by replacing the static cutpoint selection strategy used by the VP method by the dynamic cutpoint and by calling the function loopInvariant at all loop exit points. Therefore, we have to ensure that our enhancements do not compromise the soundness of the VP method. The function cutpointSelection is used to select cutpoints dynamically. This function selects all loop headers as cutpoints. Therefore, this function selects enough cutpoints to cut all loops in a behaviour. Therefore, the paths between cutpoints are indeed a path cover of an FSMD. Calling the function loopInvariant at all loop exits points the VP_TT method ensures the validity of code motion across the loop body. Hence, both enhancements on the VP method do not affect the soundness of the VP method. In the following the proof of soundness is explained intuitively. After introducing the cutpoints, the verification method constructs the path cover and starts with the reset states. For each path β on M 0 , the verification method searches for corresponding U-or Cequivalence path α in other FSMD M 1 in a depth-first manner. Let suppose that the verification method is not sound that is the algorithm containmentChecker terminates successfully and the path β is C-equivalent path α and the path α leads to the reset state. However, in this case, the function corre-spondeceChecker returns failure to containmentChecker, as shown at step 2; consequently, containmentChecker terminates at step 2, not at step 2. Hence it is a contradiction and the verification method is sound. The soundness proof of the VP method is given in Ref. [9]. Figure 7 represents the overall flow of our verification method. The function loopInvariant always terminates since it involves a comparison of two propagated vectors. The function cut-pointSelection finds the cutpoint in a given FSMD. In worst case, it checks all the states of the FSMD. Since the number of states in an FSMD is finite, Algorithm 1 also terminates. The function findEquivalentPath(β, q 1j , ⋯) tries to find a path α starting from q 1j ∈ M 1 such that β ≃ α or β ≃ c α. It checks all the transitions from q 1j in the worst case. Hence it terminates as well. The function correspondeceChecker tries to find a path α starting from q 1j ∈ M 1 . In worst case, it checks all the paths of P 1 starting from q 1j which is finite. The recursive call of the function correspondeceChecker does not extend beyond the reset state. Therefore, the function correspondeceChecker invokes itself recursively only a finite number of times. Hence, Algorithm 3 also terminates.

| Complexity
Let n be the number of states in an FSMD and k be the maximum number of parallel edges between any two states and x is time taken to check the equivalence of the two formulas.
The maximum possible state transitions from a state is k.n.
In worst case, for a path β in M 0 the function correspondece Checker checks all the transitions from q 1j to find a path α in M 1 such that β ≃ α or β ≃ c α. The complexity of finding the path α is O(x ⋅ k ⋅ n). The number of times corre-spondenceChecker is called from containmentChecker is the same as the size of the set of corresponding states pairs which is O(n). In worst case, all the states of M 0 can be cutpoints and for each path, the mismatched values are propagated in subsequent paths in depth first search (DFS) manner until the reset state is reached. In this case, correspondenceChecker can recursively call itself k ⋅ (nÀ 1) þ k 2 ⋅ (nÀ 1) ⋅ (nÀ 2) þ ⋯ þ k nÀ 1 ⋅ (nÀ 1) ⋅ (nÀ 2)…2 ⋅ 1 ≃ k nÀ 1 ⋅ (nÀ 1) nÀ 1 times.
Therefore, the complexity of the overall verification method is O(x ⋅ k ⋅ n) ⋅ n ⋅ k nÀ 1 ⋅ (n À 1) nÀ 1 ). The worst case complexity of the our verification method is the same as that of the VP method.

| EXPERIMENTAL RESULTS
We have enhanced the VP method [9] (VP_TT) by incorporating all proposed solutions discussed in Section 5. The VP_TT method is implemented in C. All the experiments have been conducted on a desktop with 1.8 GHz Intel i5 processor with 8 GB of RAM. The benchmarks listed in rows 1-5 of Table 1 have some exit statements and benchmarks listed in rows 6-10 of Table 1 have some flag variables. The benchmarks PRIME checks whether a number is prime; FACT computes the factorial of given number; REPTD checks the repeated number present in a given list; MAX finds the maximum number in a given series; MAXGCD finds the maximum GCD of series; EVEN checks a number is even or odd; PERF checks a number is perfect or not; MIN and MINMAX find the minimum and maximum number in a given series; and ROTATE rotates the series on a given point. The transformed behaviour (M 1 ) in Table 1 is obtained by applying the TTs for exit and flag on the source behaviour (M 0 ).
In this experiment, we compare the VP_TT with the VP method [9], EVP method [24] and the VP_TT_static method. The EVP method is an enhanced version of the VP method and capable of handling the scenario which involves loop invariant code motion. The VP_TT_static method is another variant of the VP_TT method which uses static cutpoint selection strategy instead dynamic cutpoint selection strategy. The static cutpoint selection strategy is also used by the VP and EVP methods. Note that the VP_TT method uses dynamic cutpoint selection strategy (Algorithm 1). In Table 1, 2nd and 3rd columns represent the number of cutpoints selected by the static cutpoint selection strategy while 10th and 11th columns represent the number of cutpoints selected by the dynamic cutpoint selection strategy (i.e. Algorithm 1) for a given benchmark. This experiment confirms that the VP_TT method shows the equivalence for the benchmarks listed in Table 1. This is reported as 'Eq' in Table 1. However, the VP and EVP method reports 'May Not be Equivalent' in these benchmarks and denoted as 'MNEq' in Table 1. The VP_TT_static method can handle exit statements removal scenario but the fails handle flag variables removal scenario. It is evident from this experiment that the solution proposed reduces the false-negative cases of state-of-the-art PBEC methods. The VP_TT method takes more time in this experiment as compared with the VP and EVP method because these methods do not complete the execution and exits early since it identifies a possible case of non-equivalence. Whereas, our method completes the execution and shows the equivalence. The runtime of both VP_TT_Static and VP_TT are comparable for this experiment.
In the second experiment, we check the effect of our dynamic cutpoint selection on the run time of the equivalence checking procedure. The benchmarks used for this experiment are taken from Ref. [9]. We modify the VP_TT method so that it can use both cutpoint selection strategies in the course of equivalence checking. The result of this experiment is tabulated in Table 2 static and dynamic cutpoint selection methods are tabulated in Table 2. The 4th and 8th columns, 'CC' (i.e. #corre-spondenceChecker) represent the number of times corre-spondanceChecker function is called while using static and dynamic cutpoint selection strategy, respectively. Note that these benchmarks do not contain any exit statements or flag variables. The VP_TT method can show the equivalence with both the cutpoint selection strategies for these benchmarks. The run time comparison between these two schemes depends on two factors. Dynamic cutpoint selection involves some data flow analysis, whereas static cutpoint selection is done by just checking the states of an FSMD. Therefore, dynamic cutpoint selection takes more time as compared to static cutpoint selection. The number of cutpoints selected by dynamic scheme is always less than or equal to that of static scheme. It is evident from both Table 1 and Table 2. Therefore, the number of calls to correspondanceChecker for dynamic scheme is less than or equal to that of static scheme. This improves the runtime of dynamic scheme over static scheme. In case, where CC values are less for dynamic scheme compared with static scheme, the run time of VP_TT improves for dynamic scheme over static scheme. It is evident from the rum time shown in Table 2. Therefore, the VP_TT method takes less time for dynamic cutpoint selection strategy than the static cutpoint selection strategy. It may be noted that the dynamic cutpoint selection strategy also helps the VP_TT method to show the equivalence for flag TT as shown in our previous experiment.
In the next experiment, we analyse the performance of our proposed method with respect to its worst case complexity. As discussed in Section 7.3 the VP_TT takes exponential time in the worst case. Note that, the most dominating factor in the time complexity of VP_TT method is how many times corre-spondenceChecker is called from containmentChecker. In Table 2, we compare the number of times corre-spondenceChecker function is called by VP_TT method in practice (denoted as Actu. #CC in 8th column) against its theoretical estimation in the worst case (denoted as Theo. #CC in 9th column) for each benchmark listed in Table 1. From the results, it is clearly visible that the VP_TT method calls the correspondenceChecker function less number of times as compared with its theoretical estimation for all the benchmarks. Thus, we can conclude that it is unlikely the our proposed method exposes the worst case behaviour for a wider selection of typical programs in practice.

| CONCLUSION
We have presented VP_TT method for the verification of testability transformations. We have shown that the VP method fails to show the equivalence for TTs involving flag and exit removals. We have proposed the solutions and presented the VP_TT method to overcome the limitation of the VP method. Specifically, we have presented a dynamic cutpoint selection strategy to handle flag removal and an enhancement to VP method to handle multiple exits from a loop to handle exit removal. We have performed the experiments on several TT test cases. The results show that VP_TT outperforms the VP method in the verification of testability transformations. The VP_TT method fails for the testability transformation presented in Ref. [36] since it checks the equivalence of loops without unrolling the loops. To handle transformation presented in Ref. [36], checking one iteration of the loop is not sufficient. Rather, one has to identify the loop invariant for loops. In future, we intend to enhance the VP_TT method to validate such testability transformations.
ACKNOWLEDGEMENT C. Karfa was partially supported by the DST, Government of India under Project CRG/2019/001300.