I solve that with Scalar Evolution (SCEV) analysis. The tool doesn't just hash the AST; it solves the loop math.
You are right that AST hashing is brittle. That is why I wrote an engine that virtually executes the induction variables to determine that a `range` loop, a C-style `for` loop, and a raw `goto` loop are all mathematically performing the same operation (Iterate 0 to N).
I just pushed a proof to the repo that runs those three exact scenarios. They produce the identical SHA-256 fingerprint.
It also handles Control Flow Normalization, so `if a > b { return 1 }` fingerprints identically to `if b <= a { return 1 }` (inverted condition + swapped branches).
It won't catch O(n) vs O(log n) algorithm changes, but it catches the "syntactic sugar" refactors that make up 90% of code churn.
You are right that AST hashing is brittle. That is why I wrote an engine that virtually executes the induction variables to determine that a `range` loop, a C-style `for` loop, and a raw `goto` loop are all mathematically performing the same operation (Iterate 0 to N).
I just pushed a proof to the repo that runs those three exact scenarios. They produce the identical SHA-256 fingerprint.
It also handles Control Flow Normalization, so `if a > b { return 1 }` fingerprints identically to `if b <= a { return 1 }` (inverted condition + swapped branches).
It won't catch O(n) vs O(log n) algorithm changes, but it catches the "syntactic sugar" refactors that make up 90% of code churn.
You can view the proof code here:
https://github.com/BlackVectorOps/semantic_firewall/blob/mai...
Or run it yourself:
go run examples/proof.go