Trace Equivalence in GKAT Automata

• Trace equivalence of GKAT automata is defined as the equality of observable trace sets, ensuring identical program behavior under guarded test conditions.
• Symbolic on-the-fly bisimulation leverages Boolean formulas and SAT checks to efficiently validate trace equivalence without full state space enumeration.
• Extensions like CF-GKAT handle non-local control transfers to enhance compiler validation and decompiler testing through improved control-flow analysis.

Trace equivalence of GKAT automata concerns the comparison of program behaviors specified via Guarded Kleene Algebra with Tests (GKAT) by checking whether their sets of observable traces coincide. GKAT is a substructural variant of Kleene Algebra with Tests (KAT), restricting program constructs to guarded forms that naturally correspond to structured “if/while” control flow, hence enabling efficient automata-theoretic reasoning. The study of trace equivalence is fundamental to program analysis, compiler validation, and the automation of formal verification tasks.

1. Formal Foundations of GKAT Automata and Their Traces

Let $T$ denote a finite set of primitive tests. An atom $\alpha\in\mathrm{At}$ is a total Boolean assignment to all tests in $T$, written as

$$\mathrm{At} = \{\tau_1\,\tau_2\cdots\tau_n \mid \tau_i\in\{t_i,\bar t_i\}\}.$$

Let $\Sigma$ be a finite set of primitive actions. A (concrete) GKAT automaton is a triple

$A = (S, s_0, \zeta)$

where $S$ is a finite set of states, $s_0\in S$ is the initial state, and $$\zeta\colon S\to\mathrm{At}\to(\{\perp,\checkmark\} \cup (S\times \Sigma))$$ is a total transition function. For state $s$ and atom $\alpha\colon T\to\{\mathtt{true},\mathtt{false}\}$:

• $s\xrightarrow{\alpha}\checkmark$ denotes immediate acceptance,
• $s\xrightarrow{\alpha}\perp$ denotes immediate rejection,
• $s\xrightarrow{\alpha|p}s'$ denotes performing action $p$ under $\alpha$ and transitioning to $s'$.

Trace semantics are defined recursively. Let $Tr(s)\subseteq(\mathrm{At}\cdot\Sigma)^*$ denote the set of traces from $s$:

• If $s\xrightarrow{\alpha}\checkmark$, then $\alpha\in Tr(s)$.
• If $s\xrightarrow{\alpha|p} s'$ and $w\in Tr(s')$, then $\alpha p w\in Tr(s)$. All other cases (dead transitions) yield no trace (Zhang et al., 15 Jan 2026).

2. The Problem of Trace Equivalence

Given $A=(S, s_0, \zeta)$ and $B=(U, u_0, \xi)$, two states $s_0$ and $u_0$ are trace equivalent iff $Tr(s_0)=Tr(u_0)$. For automata, the question is whether the initial states generate the same set of finite traces. Coalgebraically, this reduces to the existence of a bisimulation between the start states relating their observable traces (Schmid et al., 2021). Trace equivalence is stricter than language equivalence in standard automata, as GKAT traces encode the precise alternation of tests and actions at every step.

3. Coalgebraic and Syntactic Characterization

GKAT automata are deterministic coalgebras for the functor $(2+\Sigma\times X)^{\mathrm{At}}$ on sets, reflecting branching on complete test assignments and actions. Standard GKAT expressions—compiled via Brzozowski derivatives—yield a syntactic automaton where each state encodes a residual program and each transition is induced by a test-action pair. Not all automata arise from expressions: only “well-nested” ones, constructed by coproducts and uniform continuation, admit compact expression forms (Schmid et al., 2021, Smolka et al., 2019).

The behaviors of GKAT expressions are characterized by a coequation—$\operatorname{coeq} W$—which is the smallest set of behavior trees closed under

• discrete tests,
• sequential composition,
• and a continuation/looping operator (Schmid et al., 2021).

4. Decision Procedures for Trace Equivalence

Traditional Approaches

The original decision procedure for trace equivalence of GKAT automata consists of three steps:

1. Compile each expression to its concrete automaton;
2. Normalize by rerouting all dead-state transitions to immediate rejection;
3. Check bisimilarity using partition-refinement (typically via union-find) (Smolka et al., 2019, Schmid et al., 2021).

This procedure is nearly linear time in the size of the derivative graph of the automaton, $O(n\alpha(n))$, where $\alpha(\cdot)$ is the inverse Ackermann function. However, the explicit automaton’s size is exponential in $|T|$ since $\mathrm{At}=2^{|T|}$ (Zhang et al., 15 Jan 2026).

Symbolic On-the-fly Bisimulation

Recent advances replace explicit enumeration with symbolic representations using Boolean formulas over $T$, resulting in symbolic GKAT automata: $(S, s_0, \varepsilon, \delta)$ where

• $\varepsilon: S\to\mathcal{P}(\mathrm{BExp}_T)$ assigns sets of acceptance formulas,
• $$\delta: S\to\mathcal{P}(\mathrm{BExp}_T\times S\times\Sigma)$$ assigns guarded symbolic transitions,

under a disjoint-guards condition. The decision procedure implements on-the-fly symbolic bisimulation using SAT/UNSAT checks to avoid full concretization:

• Acceptance and transitions are checked symbolically; dead-state detection is invoked lazily.
• Recursive calls only compare reachable, distinguishable pairs of states (Zhang et al., 15 Jan 2026).

The worst-case complexity is PSPACE in $|T|$ (one Boolean formula at a time), polynomial in the size of the symbolic automata, avoiding exponential blow-up in primitive actions due to guard-combination (Zhang et al., 15 Jan 2026).

5. Extensions: CF-GKAT and Symbolic Derivatives

CF-GKAT extends GKAT with non-local control transfers: break, continue, return, goto $l$, and indicator variables $x\in X$. The state space for CF-GKAT is lifted to $(\pi, e)$ pairs, where $\pi:X\to I$ and $e$ is a CF-GKAT expression. Transition rules handle guarded choices, loops (with an aggregation/fixpoint operator), and control-flow jumps. After constructing the symbolic automaton, a post-processing phase resolves goto-continuations by syntactically extracting unique subexpressions labeled by $l$ and reconnecting transition targets accordingly (Zhang et al., 15 Jan 2026).

6. Correctness, Complexity, and Implementation

Correctness is established via a coinductive argument, formalizing the bisimulation relation as a progression, and using “up-to” techniques for efficiency. Soundness and completeness are guaranteed: the decision procedure yields true iff the states are trace equivalent. Worst-case complexity is PSPACE in $|T|$ and $|\Sigma|$, though practical performance is linear in the symbolic automata and the number of SAT calls (Zhang et al., 15 Jan 2026).

Prototype implementations hash-cons Boolean formulas, use backend-agnostic SAT/UNSAT solvers (e.g., miniSAT, CUDD), employ union-find for bisimulation classes, and exploit DFS+memoization for dead-state queries. Experimental benchmarks show order-of-magnitude speedups over traditional KAT tools (e.g., SymKAT) and successful application to large-scale decompiler validation (Zhang et al., 15 Jan 2026).

7. Applications, Experiments, and Future Directions

Symbolic trace equivalence for GKAT automata finds direct application in verification of control-flow transformations: CF-GKAT enables the comparison of compiler outputs and reverse-engineered source, revealing issues such as the Ghidra ‘goto’ bug now fixed upstream. On synthetic and real-world programs, the symbolic methodology achieves 10×–100× speedups and substantial reductions in memory use compared to previous KAT/GKAT implementations. Future work includes symbolic partition refinement for weighted and probabilistic GKAT, adapting techniques to NetKAT and variants, and formalizing an end-to-end decompiler testing framework driven by CF-GKAT (Zhang et al., 15 Jan 2026).

---

References:

• (Zhang et al., 15 Jan 2026)
• (Schmid et al., 2021)
• (Smolka et al., 2019)