mechanized verifjcationof the correctness and asymptotic
play

Mechanized Verifjcationof the Correctness and Asymptotic Complexity - PowerPoint PPT Presentation

Dec 04, 2022 •252 likes •1.45k views

Mechanized Verifjcationof the Correctness and Asymptotic Complexity of Programs Armal Guneau under the supervision of Arthur Charguraud and Franois Pottier Computerprograms: cooking recipes,but forcomputers? Momseasy apple pie 3/4T

  1. Howdo we specify a program’srunningtime? Option 1: as an upper bound on the wall-clock time. Useful for embedded systems, but not realistic for commodity hardware. Option 2: as a number of cycles for an idealized machine model. Knuth: “Merge sort runs in . [This bound] can be re- duced to at the expense of a somewhat longer program.” Option 3: as a number of function calls in a high-level language. More abstract, but still has modularity issues. 11/40

  2. Howdo we specify a program’srunningtime? Option 1: as an upper bound on the wall-clock time. Useful for embedded systems, but not realistic for commodity hardware. Option 2: as a number of cycles for an idealized machine model. Knuth: Option 3: as a number of function calls in a high-level language. More abstract, but still has modularity issues. 11/40 “Merge sort runs in 10 N log N ` 4 . 92 N . [This bound] can be re- duced to 9 N log N at the expense of a somewhat longer program.”

  3. Howdo we specify a program’srunningtime? Option 1: as an upper bound on the wall-clock time. Useful for embedded systems, but not realistic for commodity hardware. Option 2: as a number of cycles for an idealized machine model. Knuth: Option 3: as a number of function calls in a high-level language. More abstract, but still has modularity issues. 11/40 “Merge sort runs in 10 N log N ` 4 . 92 N . [This bound] can be re- duced to 9 N log N at the expense of a somewhat longer program.”

  4. Howdo we specify a program’srunningtime? Describe the “order of growth” of the running time as inputs grow large Less precise, but informative enough in many cases. 11/40 Option 4: specify the running time using asymptotic complexity. e.g. O p log n q , O p n q , O p n log n q , O p n 2 q , ….

  5. Advantagesof asymptotic complexityspecifjcations Specifjcations capturing asymptotic costs: algorithms; the implementation; 12/40 • have been widely applied to a large class of programs and • are independent of the machine, runtime system and the details of • allow modular reasoning . Abstract over implementation details.

  6. A step forward for the verifjcation of the correctnessandcomplexity of at a reasonable cost . Inthis thesis Goal: specify and prove that programs compute a correct result with a bounded asymptotic runtime. Proofs should be: Contribution: imperative,higher-order programs with subtle invariantsandanalysis , 13/40 • static; • machine-checked; • hardware- and runtime- independent; • modular.

  7. Inthis thesis Goal: specify and prove that programs compute a correct result with a bounded asymptotic runtime. Proofs should be: Contribution: imperative,higher-order programs with subtle invariantsand analysis , 13/40 • static; • machine-checked; • hardware- and runtime- independent; • modular. A step forward for the verifjcation of the correctnessand complexity of at a reasonable cost .

  8. Details of the contribution 1. A formal account of O () Existing: Contributed: with lemmas useful for program analysis 14/40 single-variate O (math, programs), multi-variate O on paper Coq library for single and multi-variate O ,

  9. Contributions 2. A methodology for complexity proofs Existing: Contributed: (Separation Logic framework in Coq) 15/40 • manual verifjcation without O pq abstraction • automated analysis restricted to polynomial bounds • general asymptotic bounds • with semi-automated cost inference • implemented as an extension of CFML

  10. Contributions 3. Case studies Existing: polynomial or logarithmic bounds, simple algorithms (quicksort), or Contributed: several algorithms, including a state-of-the-art graph algorithm with nontrivial correctness and complexity 16/40 interactive verifjcation without O

  11. Outline of the rest of the talk Reasoning with abstract cost functions Semi-automatic inference of cost functions Separation Logic with Time Credits Case study—an Incremental Cycle Detection Algorithm 17/40

  12. Reasoningwith abstractcost functions

  13. 18/40 1 …but which statement are we proving? . : • . : • : By induction on Proof: Claim: 8 7 6 5 4 3 2 Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j

  14. 18/40 . • 8 1 7 : 6 5 Proof: • 4 : 3 . 2 …but which statement are we proving? Claim: Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j By induction on j ´ i :

  15. 18/40 8 …but which statement are we proving? 2 . 3 : 4 • 5 Proof: 6 Claim: 7 1 Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j By induction on j ´ i : • j ´ i ď 0 : O p 1 q .

  16. 18/40 5 …but which statement are we proving? Proof: Claim: 8 1 6 7 4 2 3 Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j By induction on j ´ i : • j ´ i ď 0 : O p 1 q . • j ´ i ą 0 : O p 1 q ` O p 1 q ` O p 1 q “ O p 1 q .

  17. 18/40 7 …but which statement are we proving? 2 Where is the catch? 3 Proof: 4 Claim: 5 8 6 1 Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j By induction on j ´ i : • j ´ i ď 0 : O p 1 q . • j ´ i ą 0 : O p 1 q ` O p 1 q ` O p 1 q “ O p 1 q .

  18. 18/40 5 …but which statement are we proving? Proof: Claim: 8 1 6 7 4 2 3 Informal reasoningprincipleson O canbe abused let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = a.(k) then k else if x < a.(k) then bsearch a x i j costs O p 1 q . bsearch a x i k else bsearch a x (k+1) j By induction on j ´ i : • j ´ i ď 0 : O p 1 q . • j ´ i ą 0 : O p 1 q ` O p 1 q ` O p 1 q “ O p 1 q .

  19. bsearch a x i j ” performs at most function calls What we just proved: What “ ” means: 19/40 Meaningof O p 1 q @ i j , D c , “ bsearch a x i j ” performs at most c function calls

  20. What we just proved: 19/40 Meaningof O p 1 q @ i j , D c , “ bsearch a x i j ” performs at most c function calls What “ O p 1 q ” means: D c , @ i j , “ bsearch a x i j ” performs at most c function calls

  21. • for every a , x , i , j , “ bsearch a x i j ” performs at most Meaning: there exists a cost function such that, function calls • . 20/40 Meaningof O p log n q Informal specifjcation: “ bsearch a x i j ” runs in O p log p j ´ i qq .

  22. 20/40 function calls Meaningof O p log n q Informal specifjcation: “ bsearch a x i j ” runs in O p log p j ´ i qq . Meaning: there exists a cost function f such that, • for every a , x , i , j , “ bsearch a x i j ” performs at most f p j ´ i q • f P O p λn. log n q .

  23. Construction of the cost function Option 2: Semi-automatically construct the cost function as the proof progresses. Option 3: The cost function is automatically inferred by some clever algorithm... Restricted to specifjc classes of programs. 21/40 Option 1: The user somehow guesses a suitable cost function. Here, “ λn. 3 log n ` 4 ” works.

  24. Construction of the cost function Option 2: Semi-automatically construct the cost function as the proof progresses. Option 3: The cost function is automatically inferred by some clever algorithm... Restricted to specifjc classes of programs. 21/40 Option 1: The user somehow guesses a suitable cost function. Here, “ λn. 3 log n ` 4 ” works.

  25. Construction of the cost function Option 2: Semi-automatically construct the cost function as the proof progresses. Option 3: The cost function is automatically inferred by some clever algorithm... Restricted to specifjc classes of programs. 21/40 Option 1: The user somehow guesses a suitable cost function. Here, “ λn. 3 log n ` 4 ” works.

  26. Semi-automatic synthesis of cost functions

  27. Ourapproachto this problem Part 1: Part 2: 22/40 • Synthesize a cost function with the same structure as the code • For recursive functions, recurrence equations are synthesized • Accounting details are automatically synthesized • User input is requested when some over-approximation is required • In a second step, prove a O pq bound for the inferred cost function

  28. Constraintinferredon the cost functionf 23/40 let rec bsearch a x i j = if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f n >= 1 + ( where n = j-i if n <= 0 then 0 else 0 + 1 + max 0 ( 1 + max (f (n/2)) (f (n - n/2 - 1)) ) )

  29. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + … a hole (“ … ”) is implemented as an evar in Coq

  30. 24/40 Interactive construction of the cost functionf if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + (if j <= i then … else …)

  31. 24/40 Interactive construction of the cost functionf if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + (if j <= i then … else …)

  32. 24/40 Interactive construction of the cost functionf if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + (if (j-i) <= 0 then … else …)

  33. 24/40 Interactive construction of the cost functionf if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + (if (j-i) <= 0 then 0 else …)

  34. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + … )

  35. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + … )

  36. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max … … )

  37. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max 0 … )

  38. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + …) )

  39. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + max … …) )

  40. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max 0 ( 1 + max (f ((j-i)/2)) … ) )

  41. 24/40 Interactive construction of the cost functionf if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f (j-i) >= 1 + ( if (j-i) <= 0 then 0 else 0 + 1 + max 0 ( 1 + max (f ((j-i)/2)) (f ((j-i) - (j-i)/2 - 1)) ) )

  42. Interactive construction of the cost functionf 24/40 if j <= i then -1 else let k = i + (j - i) / 2 in if x = Array.get a k then k else if x < Array.get a k then bsearch a x i k else bsearch a x (k+1) j f n >= 1 + ( if n <= 0 then 0 else 0 + 1 + max 0 ( 1 + max (f (n/2)) (f (n - n/2 - 1)) ) )

  43. • Use the “Master Theorem”, when applicable • Substitution method: guess that there is a solution of the form Fromcost equation to asymptotic bound (available in Isabelle/HOL, not yet in Coq) , inject it and resolve. 25/40 For bsearch , there remains to fjnd a f P O p λn. log n q such that: # 0 if n ď 0 @ n. f p n q ě 1 ` 1 ` max p 0 , 1 ` max p f p n 2 q , f p n ´ n 2 ´ 1 qqq

  44. (available in Isabelle/HOL, not yet in Coq) Fromcost equation to asymptotic bound 25/40 For bsearch , there remains to fjnd a f P O p λn. log n q such that: # 0 if n ď 0 @ n. f p n q ě 1 ` 1 ` max p 0 , 1 ` max p f p n 2 q , f p n ´ n 2 ´ 1 qqq • Use the “Master Theorem”, when applicable • Substitution method: guess that there is a solution of the form a log n ` b , inject it and resolve.

  45. Can be solved automatically. The substitution method in action The user does not have to manually provide values for , , and . 26/40 D f : Z Ñ Z . # 0 if n ď 0 @ n. f p n q ě 1 ` 1 ` max p 0 , 1 ` max p f p n 2 q , f p n ´ n 2 ´ 1 qqq ^ f P O p λn. log n q

  46. Can be solved automatically. The substitution method in action The user does not have to manually provide values for , , and . 26/40 D f : Z Ñ Z . monotonic f ^ @ n. f p n q ě 0 ^ @ n. n ď 0 ù ñ f p n q ě 1 ^ @ n. n ě 1 ù ñ f p n q ě f p n 2 q ` 3 ^ f P O p λn. log n q

  47. The substitution method in action Can be solved automatically. The user does not have to manually provide values for , , and . 26/40 D a b : Z . f p n q “ a log n ` b ^ monotonic f ^ @ n. f p n q ě 0 ^ @ n. n ď 0 ù ñ f p n q ě 1 ^ @ n. n ě 1 ù ñ f p n q ě f p n 2 q ` 3 ^ f P O p λn. log n q

  48. Can be solved automatically. The substitution method in action The user does not have to manually provide values for , , and . 26/40 D a b : Z . f p n q “ a log n ` b (issue when n “ 0 ) ^ monotonic f ^ @ n. f p n q ě 0 ^ @ n. n ď 0 ù ñ f p n q ě 1 ^ @ n. n ě 1 ù ñ f p n q ě f p n 2 q ` 3 ^ f P O p λn. log n q

  49. The substitution method in action Can be solved automatically. The user does not have to manually provide values for , , and . 26/40 D a b c : Z . f p n q “ if n ą 0 then a log n ` b else c ^ monotonic f ^ @ n. f p n q ě 0 ^ @ n. n ď 0 ù ñ f p n q ě 1 ^ @ n. n ě 1 ù ñ f p n q ě f p n 2 q ` 3 ^ f P O p λn. log n q

  50. The substitution method in action Can be solved automatically. The user does not have to manually provide values for , , and . 26/40 D a b c : Z . f p n q “ if n ą 0 then a log n ` b else c ^ monotonic f ^ @ n. f p n q ě 0 ^ @ n. n ď 0 ù ñ f p n q ě 1 ^ @ n. n ě 1 ù ñ f p n q ě f p n 2 q ` 3 ^ True

  51. Can be solved automatically. The substitution method in action The user does not have to manually provide values for , , and . 26/40 D a b c : Z . f p n q “ if n ą 0 then a log n ` b else c ^ a ě 0 ^ b ě c ^ b ě 0 ^ c ě 0 ^ c ě 1 ^ b ě c ` 3 ^ a ě 3 ^ True

  52. The substitution method in action Can be solved automatically. The user does not have to manually provide values for , , and . 26/40 D a b c : Z . ^ a ě 0 ^ b ě c ^ b ě 0 ^ c ě 0 ^ c ě 1 ^ b ě c ` 3 ^ a ě 3 ^ True

  53. The substitution method in action Can be solved automatically. 26/40 D a b c : Z . ^ a ě 0 ^ b ě c ^ b ě 0 ^ c ě 0 ^ c ě 1 ^ b ě c ` 3 ^ a ě 3 ^ True The user does not have to manually provide values for a , b , and c .

  54. SeparationLogic with Time Credits

  55. Linking code to cost assertions Program specifjcations using Separation Logic precondition program postcondition time credits 27/40 t P u t t Q u

  56. Linking code to cost assertions Program specifjcations using Separation Logic with Time Credits precondition program postcondition time credits 27/40 t $ n ‹ P u t t Q u

  57. Linking code to cost assertions Program specifjcations using Separation Logic with Time Credits precondition program postcondition time credits 27/40 t $ n ‹ P u t t Q u

  58. • Credits are not duplicable: • Enable amortized complexity analysis Time Credits: resourcesin separationlogic 28/40 $ n • $ n describes the right to perform n function calls or loop iterations • $ p n ` m q “ $ n ‹ $ m • $0 “ emp

  59. 28/40 Time Credits: resourcesin separationlogic $ n • $ n describes the right to perform n function calls or loop iterations • $ p n ` m q “ $ n ‹ $ m • $0 “ emp • Credits are not duplicable: $1 ù ñ { $1 ‹ $1 • Enable amortized complexity analysis

  60. 29/40 Using time creditsin the specifjcationof bsearch Specifjcation of the complexity of bsearch using time credits: D f : Z Ñ Z . # f P O p λn. log n q @ a x i j. t $ p f p j ´ i qq ‹ . . . u p bsearch a x i j q t ... u

  61. Contribution: PossiblyNegative Time Credits Corollary: 30/40 Separation Logic with Time Credits in N : $0 ” emp @ m n P N . $ p m ` n q ” $ m ‹ $ n @ n P N . $ n , emp My extension: Possibly Negative Time Credits in Z : $0 ” emp @ m n P Z . $ p m ` n q ” $ m ‹ $ n @ n P Z . $ n ‹ r n ě 0 s , emp $ n ” $ m ‹ $ p n ´ m q

  62. index_of index_of index_of index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *)

  63. index_of index_of index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u

  64. index_of index_of index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u

  65. index_of index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu

  66. index_of index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu

  67. index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu @ a. let k : “ min t i | a. p i q “ v u in t $ p k ` 1 qu index_of v a t λi. r i “ k su

  68. index_of Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu @ a. let k : “ min t i | a. p i q “ v u in t $ p k ` 1 qu index_of v a t λi. r i “ k su

  69. Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu @ a. let k : “ min t i | a. p i q “ v u in t $ p k ` 1 qu index_of v a t λi. r i “ k su @ a. t emp u index_of v a t λi. $ p´ i ´ 1 qu

  70. Possibly Negative Time Creditsenable simpler specifjcations (too coarse) (restrictive?) (too complicated) 31/40 let index_of (v: ’ a) (a: ’ a array ): int = (* returns the index of the first occurrence of v in a *) @ a. t $ p| a | ` 1 qu index_of v a t λi. emp u @ a. t $ p| a | ` 1 qu index_of v a t λi. $ p| a | ´ i qu @ a. let k : “ min t i | a. p i q “ v u in t $ p k ` 1 qu index_of v a t λi. r i “ k su @ a. t emp u index_of v a t λi. $ p´ i ´ 1 qu

  71. (when the cost depends on the result) (can accumulate debts and pay them off once at the end) (no need to justify that a number of credits is positive at each step) 32/40 Time Creditsin Z : benefjts • Simpler specifjcations • Signifjcant reduction of the number of intermediate side-conditions • Simpler loop invariants

  72. Case Study: anIncremental Cycle DetectionAlgorithm

  73. Ourmain case study Verifjcation of a state-of-the-art incremental cycle detection algorithm due to Bender, Fineman, Gilbert and Tarjan (2016). The problem: checking for acyclicity of a dynamically constructed graph 33/40

Recommend

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of

Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of

Masters Thesis Mechanized Type Soundness Proofs using Definitional Interpreters Hannes Saffrich University of Freiburg Department of Computer Science Programming Languages Chair September 1, 2019 Hannes Saffrich Mechanized Type

1.03k views • 39 slides
Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for

Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for

Taking the machine seriously. A study of mechanized mathematics L. De Mol Taking the machine seriously. A study of mechanized mathematics Liesbeth De Mol Centre for Logic and Philosophy of Science, Belgium elizabeth.demol@ugent.be

969 views • 57 slides
Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity

Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity

Mechanized Formal Analysis for Safety-Critical Systems: The Convergence of Need and Opportunity John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SRI Mechanized Analysis: 1

433 views • 20 slides
On the Asymptotic Variance of the Estimator of Kendalls Tau Barbara Dengler, Uwe Schmock

On the Asymptotic Variance of the Estimator of Kendalls Tau Barbara Dengler, Uwe Schmock

Definitions of dependence measures and basic properties Asymptotic variance of the tau-estimators for copulas Asymptotic variance for elliptical distributions On the Asymptotic Variance of the Estimator of Kendalls Tau Barbara Dengler, Uwe

1.09k views • 44 slides
Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological

Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological

Logik Cafe, Vienna 23 May 2016 Mechanized Analysis of Reconstructions of Anselms Ontological Argument John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Mechanized Ontological Argument

764 views • 42 slides
08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

Review Hoare Triples; Partial and Total Correctness Practical Aspects of Correctness Proofs Correctness of the Factorial Function Proof Calculus for Total Correctness 08Program Verification II CS 5209: Foundation in Logic and AI Martin

778 views • 39 slides
Asymptotic behavior of series of multiple integrals. K. K. Kozlowski CNRS, Institut de

Asymptotic behavior of series of multiple integrals. K. K. Kozlowski CNRS, Institut de

Motivations, predictions, setting Typical results for the asymptotic behavior Asymptotic analysis of multidimensional deformations of Fredholm series Conclusion Asymptotic behavior of series of multiple integrals. K. K. Kozlowski CNRS,

462 views • 22 slides
Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about cri4cal parts of a program and reason effec4vely A program is intended to carry out a

1.01k views • 57 slides
Mechanized Metatheory Model-Checking WMM 2006 James Cheney 9/21/06 Mechanized Metatheory

Mechanized Metatheory Model-Checking WMM 2006 James Cheney 9/21/06 Mechanized Metatheory

Mechanized Metatheory Model-Checking WMM 2006 James Cheney 9/21/06 Mechanized Metatheory Model-Checking p. 1/25 Mechanized (partial) Metatheory Model-Checking WMM 2006 James Cheney 9/21/06 Mechanized Metatheory Model-Checking p.

516 views • 25 slides
10/6/2016 Give Asymptotic Analyses for the Following g( n ) = 45 n log n + 2 n 2 + 65 1. 2. g( n

10/6/2016 Give Asymptotic Analyses for the Following g( n ) = 45 n log n + 2 n 2 + 65 1. 2. g( n

10/6/2016 Give Asymptotic Analyses for the Following g( n ) = 45 n log n + 2 n 2 + 65 1. 2. g( n ) = 1000000 n + 0.01 2 n CSE373: Data Structures and Algorithms More Asymptotic Analysis 3. int sum = 0; (Examples) for (int i = 0; i &lt;

208 views • 4 slides
GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric

GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric

GraphCoQL A mechanized formalization of GraphQL in Coq Toms Daz Federico Olmedo ric Tanter Millennium Institute Foundational Research on Data Certified Programs and Proofs New Orleans, USA January 2020 GraphQL Clases de ctedra

640 views • 52 slides
FUNCTORS IN THE ASYMPTOTIC CATEGORIES Mykhailo Zarichnyi Lviv National University and

FUNCTORS IN THE ASYMPTOTIC CATEGORIES Mykhailo Zarichnyi Lviv National University and

FUNCTORS IN THE ASYMPTOTIC CATEGORIES Mykhailo Zarichnyi Lviv National University and University of Rzesz ow Nipissing Topology Workshop 2018 Asymptotic topology The asymptotic topology (coarse geometry) deals with the large scale

441 views • 40 slides
A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A.

A Mechanized Proof of Type Safety for the Polymorphic -Calculus with References Michalis A. Papakyriakou Prodromos E. Gerakios Nikolaos S. Papaspyrou National Technical University of Athens School of Electrical and Computer Engineering

613 views • 39 slides
MECHANIZED SEMANTICS AND VERIFIED COMPILATION FOR A DATAFLOW SYNCHRONOUS LANGUAGE WITH RESET

MECHANIZED SEMANTICS AND VERIFIED COMPILATION FOR A DATAFLOW SYNCHRONOUS LANGUAGE WITH RESET

MECHANIZED SEMANTICS AND VERIFIED COMPILATION FOR A DATAFLOW SYNCHRONOUS LANGUAGE WITH RESET Timothy Bourke 1,2 Llio Brun 1,2 Marc Pouzet 3,2,1 POPL20 January 24, 2020 1 Inria Paris 2 cole normale suprieure PSL University

1.12k views • 93 slides
mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit:

mechanized reasoning favonia 1 2 2 2 checked! 2 Peace of Mind 3 *photo credit: voltamax@pixabay Dream Everyone can (easily) check their work in computers 4 Notable Projects Four-color theorem

527 views • 37 slides
The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson

The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson

The Relative Consistency of the Axiom of Choice Mechanized Using Isabelle/ZF Lawrence C. Paulson Computer Laboratory Why Do Proofs By Machine? Too many been done already! Gdels incompleteness theorem ( Shankar ) thousands of

327 views • 19 slides
An Introduction to Asymptotic Theory Ping Yu School of Economics and Finance The University of

An Introduction to Asymptotic Theory Ping Yu School of Economics and Finance The University of

An Introduction to Asymptotic Theory Ping Yu School of Economics and Finance The University of Hong Kong Ping Yu (HKU) Asymptotic Theory 1 / 20 Five Weapons in Asymptotic Theory Five Weapons in Asymptotic Theory Ping Yu (HKU) Asymptotic

735 views • 20 slides
A Mechanized Low-Speed Friction Tester for Detection of Pavement Polishing by Sen HAN, Longjia

A Mechanized Low-Speed Friction Tester for Detection of Pavement Polishing by Sen HAN, Longjia

A Mechanized Low-Speed Friction Tester for Detection of Pavement Polishing by Sen HAN, Longjia CHU and T. F. FWA RPUG-PDRG 1st Joint Meeting Introduction The importance of runway low-speed skid resistance Hydroplaning Accidents Long Low

348 views • 20 slides
A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F.

A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F.

A Computationally Sound Mechanized Prover for Security Protocols P. Cogn ee, D. Kolokosso, F. M ejean, L. Pillard, J. Tharaud National School of Applied Mathematics and Computer Science, ENSIMAG 27 November 2009 P. Cogn ee, D.

591 views • 23 slides
Cut-points in asymptotic cones of groups Mark Sapir With J. Behrstock, C. Drut u, S. Mozes,

Cut-points in asymptotic cones of groups Mark Sapir With J. Behrstock, C. Drut u, S. Mozes,

Cut-points in asymptotic cones of groups Mark Sapir With J. Behrstock, C. Drut u, S. Mozes, A.Olshanskii, D. Osin Asymptotic cones Definition. Asymptotic cones Definition. Let X be a metric space, Asymptotic cones Definition. Let X be a

1.09k views • 106 slides
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno

Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, Ecole Normale Sup erieure, INRIA,

972 views • 78 slides
The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer

The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer

The Role of Human Creativity in Mechanized Verification J Strother Moore Department of Computer Science University of Texas at Austin 1 John McCarthy (Sep 4, 1927 Oct 23, 2011) 2 Contributions Lisp, mathematical semantics for

1.41k views • 91 slides
Asymptotic Analysis If T ( n ) is some algorithms running time function , i.e., given input of

Asymptotic Analysis If T ( n ) is some algorithms running time function , i.e., given input of

Asymptotic Analysis If T ( n ) is some algorithms running time function , i.e., given input of size n , it runs T ( n ) steps, we are interested in asymptotic behaviour (read: as n approaches infinity) rather than the exact functions . We want

288 views • 15 slides

More recommend