CertiQ: Contract-based Verification of a Realistic Quantum Compiler Yunong Shi∗ Xupeng Li∗ Runzhou Tao The University of Chicago Columbia University Columbia University [email protected] [email protected] [email protected] Ali Javadi-Abhari Andrew W. Cross Frederic T. Chong IBM T.J. Watson Research center IBM T.J. Watson Research center The University of Chicago [email protected] [email protected] [email protected] Ronghui Gu Columbia University [email protected] Abstract from an academic pursuit to a realistic goal for the real- In this paper, we present CertiQ, a mostly-automated ization of practical quantum applications. NISQ devices verification framework for the Qiskit quantum compiler. like IBM’s quantum machine with 20 qubits and Rigetti’s CertiQ, to our knowledge, is the first effort enabling quantum machine with 19 qubits has led to the emer- the automated verification of a realistic quantum pro- gence of cloud-based quantum services and associated gram compiler. Qiskit is currently the most widely-used computing software stacks [1, 6, 34]. open-source quantum software stack from low-level com- Qiskit [1] is currently the most complete and widely- pilation to high-level quantum algorithms. With growing used open-source software stack. Qiskit lets users design community contributions, the Qiskit compiler is in need and run quantum programs on the IBM Q cloud [20], a of code quality control and verification down to the com- cloud based service for near-term quantum computing pilation level to guarantee reliability of scientific work applications and research. With more than 100K users that uses it. CertiQ is deeply integrated into the Qiskit from 171 countries, Qiskit has accommodated over 5.3M compiler, providing abstract specifications for quantum experimental runs on quantum devices and 12M virtual compiler data structures and offering verifiable contracts simulations to date. Qiskit is also influential in the open- that specify the behaviors of compilation phases with source community: with 180k downloads, 1500 Github heavy optimizations. CertiQ enables the verification of forks (with 2nd place Cirq [6] < 500) and Github “usedby” the current implementation of the Qiskit compiler and of 122 (with 2nd place Qutip [37] with 59). Over 190 aca- future code submissions in a mostly-automated manner demic articles are based on IBM’s cloud service, pushing using invariant-guided contracts to scale the symbolic progress in many different scientific disciplines, including: reasoning. With these CertiQ techniques in place, devel- validation of properties of electron structure [45]; demon- opers need to provide limited inputs only where func- stration of error detection schemes [50]; demonstration tion contracts and loop invariants cannot be inferred of quantum machine learning algorithms [41, 54]. automatically. The CertiQ verification procedure discov- The increasing numbers of quantum computations ers several critical bugs, some of which are unique to have revealed numerous errors at all levels in the Qiskit quantum software. Our extensive case studies on four toolchain, which can corrupt the scientific results per- arXiv:1908.08963v3 [quant-ph] 27 Nov 2019 compiler phases of Qiskit demonstrate that CertiQ is formed with it. Specifically, the different nature of quan- effective for verification of quantum compilers with alow tum computations along with heavy optimizations per- proof burden. formed in the Qiskit compiler (called Qiskit Terra) makes the compilation error-prone. The high number of bug 1 Introduction reports [48] related to the compilation process highlights The development of NISQ [32] (Noisy Intermediate-Scale the crucial need for effective, reliable, and automated Quantum) devices has transformed quantum computing methods to verify the correctness of quantum compilers with heavy optimizations. We introduce CertiQ, a mostly-automated framework for verifying that a quantum compiler is correct, i.e., ∗Both authors contributed equally to this research. the compiled quantum circuits will always be equivalent to the source circuits. To our knowledge, CertiQ is the 2019. 1 2 first effort enabling the automated verification ofareal- verified by the CertiQ verifier, CertiQ introduces atrans- world quantum program compiler. The design philosophy lation validator to validate the correctness of each com- underpinning CertiQ is motivated by three practical pilation output at runtime with reasonable overhead. challenges that arise when verifying Qiskit Terra. We verified four compiler phases and seven transpiler The first challenge is that checking the equivalence of pass implementations of Qiskit Terra in four case studies. quantum circuits is generally intractable [21]. To mitigate With these verified CertiQ implementations, we success- this problem, CertiQ introduces the calculus of quantum fully identify three bugs of Qiskit Terra, two of which circuit equivalence such that circuit equivalence and the are unique in quantum software. correctness of compiler transformation can be statically This paper makes the following contributions: and efficiently reasoned about. Our calculus is proven ∙ We introduce the calculus of quantum circuit equiv- to be sound and therefore faithful to the underlying alence such that the semantics-preserving guaran- quantum computation. Based on the calculus, we design, tee of quantum circuit compilations can be stati- specify, and verify a library of functions that perform cally and efficiently verified. primitive circuit transformations that are proved to be ∙ We build a transformation library verified with semantics preserving. Compilation phases implemented respect to its contract, which guarantees that the with this library can be easily verified using symbolic provided circuit transformations preserve the cir- reasoning [12]. cuit equivalence. This library can be used to build The second challenge is that compiler implementations verified quantum compilers. in community code submission can be complicated, mak- ∙ We introduce a contract-based design that specifies ing automated verification intractable due to state explo- the behavior of other functions, thereby facilitating sion. In CertiQ, we developed a novel way of combining efficient symbolic execution and modular verifica- symbolic execution and Design-by-Contract methodol- tion of quantum compiler implementations. ogy to achieve high level of automation and scalable ∙ We used specification refinement to prove the equiv- verification. CertiQ first re-direct the code to be verified alence of quantum data structures and regulates to the verification backend, built upon the push-button the transformation between them. verification framework [31, 44], then uses symbolic exe- ∙ We verify a series of Qiskit Terra compilation cution to generate verification conditions in the form of phases and optimizations, and discover three criti- satisfiability modulo theories (SMT) problems fed intoa cal bugs. Two of these bugs are unique to quantum SMT solver, e.g., Z3 [11]. For more efficient symbolic exe- software. cution, CertiQ offers three Z3 predicates/functions (that The paper is organized as follows: §2 introduces back- return the precondition, postcondition and invariants, ground on quantum computing and Qiskit Terra; §3 respectively) as a contract for each library function and provides an overview of the CertiQ framework; §4 dis- each transpiler pass. During the symbolic execution, invo- cusses technical contributions of CertiQ; §5 presents case cations of functions that have been verified are replaced studies demonstrating how CertiQ works in the realistic by their contracts. In this way, CertiQ is able to greatly settings; §6 evaluates the correctness and performance; speed up the symbolic execution and reduce the size §7 discusses previous work; §8 concludes. of the generated SMT queries. This usage of contracts can be viewed as predicate abstraction [8, 16], where our 2 Background domain knowledge of the quantum data structures is used to simplify concrete predicates. 2.1 Quantum Computing The third challenge is that the different nature of Principle of quantum computation. The qubit (quantum quantum computation can cause unexpected behavior bit) is the basic element of a quantum computing system. of components when interacting with each other in a In contrast to classical bits, qubits are capable of living in large and rapidly growing quantum software. Specifically, a superposition of the logical states |0⟩ = 1, 0푇 and |1⟩ = in Qiskit, there exist multiple quantum data structures 0, 1푇 . The general quantum state of a qubit is represented representing the same underlying quantum object, i.e., as |휓⟩ = 훼 |0⟩ + 훽 |1⟩ (or in its vector form 훼, 훽푇 ), where state vector representation and Bloch sphere representa- 훼, 훽 are complex coefficients with |훼|2 + |훽|2 = 1. When tion of qubits. CertiQ verifies the equivalence of these measured in the 01 basis, the quantum state collapses to quantum data structures through specification refine- |0⟩ or |1⟩ with probability of |훼|2 and |훽|2, respectively. ment and specifies the conditions under which each of The number of quantum logical states grows exponen- these data structures are valid. tially with the number of qubits in a quantum system. For important types of compiler extensions (optimiza- For example, a system with 3 qubits lives in the super- tions), if an implementation by developers cannot be position of 8 logical states: |000⟩, |001⟩, |010⟩, ..., |111⟩. This