

1. On Formal Verification in Imperative Multivalued Programming over Continuous Data Types. Gyesik Lee, Norbert Müller, Eike Neumann, Sewon Park, Norbert Preining, Martin Ziegler. November 29, 2017


4. 1. Motivation
◮ Recursive Analysis [Turing'37, Braverman'13]: a real x is given by a sequence of dyadic rational approximations a_p · 2^p, a_p ∈ Z, such that |x − a_p · 2^p| ≤ 2^p → 0 for p → −∞.
◮ The test for equality is equivalent to (the complement of) the Halting problem [Specker'49, Boldi&Vigna'99].
◮ Algebraic model (aka real-RAM): represent and manipulate a real number as an entity, with exact arithmetic and comparisons:
    Z ∋ round(R ∋ x);
    Z ∋ j := 0;
    while x > j + 1/2 do j := j + 1 end while;
    while x ≤ j − 1/2 do j := j − 1 end while
  Exponentially faster: determine x's truncated binary expansion.


6. 1. Motivation
◮ A feasible Real-RAM [V. Brattka & P. Hertling '96] was suggested.
◮ The C++ library iRRAM [N. Müller '01] provides, via object-oriented overloading, a data type REAL for real numbers with simultaneously exact and computable primitives, by introducing a modified semantics of comparisons.

7. 1. Motivation
Figure: implementation of the (Soft) Pellet test of C. Yap et al.'s soft subdivision algorithm for root clustering, in iRRAM.


10. 1. Motivation
The test is only partially defined!


12. 1. Motivation
How can we "verify" this program? The present work
◮ formalizes a simple imperative programming language over two Abstract Data Types, Z and R,
◮ demonstrates its practical use and applicability,
◮ introduces a complete logic for expressing such computations,
◮ and formally verifies trisection root-finding as an example in Coq.


16. 2. Exact Real Computation (ERC)
ERC is a WHILE program: c ::= ε | x := e | c₁; c₂ | if b … | while b …
1. Two datatypes, Z and R.
   Z-expressions: e^(Z) ::= x | 0 | 1 | e₁^(Z) op^(Z) e₂^(Z), with op^(Z) ∈ {+, −}
   R-expressions (with ι : Z ∋ p ↦ 2^p ∈ R): e^(R) ::= x | 0 | 1 | ι(e^(Z)) | e₁^(R) op^(R) e₂^(R), with op^(R) ∈ {+, −, ×, ÷}
2. A function f :⊆ R^d × Z → R is computed by a program g :⊆ Z × R^d × Z → R such that |f(x₁, …, x_d, j) − g(p, x₁, …, x_d, j)| ≤ 2^p.
3. A boolean expression has partial or multivalued meaning:
$$(x > y) = \begin{cases} 1 & : x > y,\\ 0 & : x < y,\\ \bot & : x = y \end{cases} \qquad \mathrm{choose}(a, b) = \begin{cases} 0 & : a = \mathrm{true},\\ 1 & : b = \mathrm{true},\\ \bot & : \text{otherwise} \end{cases}$$

17. 2. Exact Real Computation (ERC)
With x > y and choose(a, b) as defined on slide 16:
◮ "if x > y then ··· else ···" does not terminate if x, y : R and x = y.
◮ "if choose(x > y − ι(p), y + ι(p) > x) then ··· else ···" terminates for all x, y ∈ R, p ∈ Z, within a potential (multivalued) error of 2^p.

18. 2. Exact Real Computation (ERC)
◮ Like comparing real numbers, rounding down, up or to the nearest integer is a common but, extensionally, uncomputable operation.
◮ The multivalued (non-extensional) variant round : R ∋ x ↦ {k ∈ Z : x − 1 < k < x + 1} ⊆ Z, on the other hand, is computable:

19. Algorithm (I)
    INTEGER round(REAL x)
      INTEGER ∋ b; INTEGER ∋ k := 0; INTEGER ∋ l := 0; REAL ∋ y := x
      while choose(|y| < 1, |y| > 1/2) do
        l := l + 1; y := y / 2;
      end while
      while l > 0 do
        y := y * 2
        b := choose(y < 0, −1 < y < 1, y > 0) − 1
        y := y − b
        k := k + k + b
        l := l − 1
      end while;
      return k
    post = |x − k| < 1
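To make the partial versus multivalued semantics of slides 17 to 19 concrete, here is an added Python model; it is not code from the slides, from the Coq development or from iRRAM. Reals are represented by their dyadic approximation functions; a single-valued test refines precision until it is decided (so it never decides x = y), choose returns the index of whichever alternative becomes true first, soft_gt is the total comparison of slide 17, and erc_round is Algorithm (I). The refinement budget that stands in for non-termination, the function names and the exact-constant representation are assumptions of this model.

```python
from fractions import Fraction

# A real x is represented, as in Recursive Analysis / ERC, by approx(p) -> rational a
# with |x - a| <= 2^p.  Constants are exact here, so only the error band shrinks.
def const(q):  return lambda p: Fraction(q)
def iota(p):   return const(Fraction(2) ** p)        # precision embedding iota(p) = 2^p
def add(x, y): return lambda p: x(p - 1) + y(p - 1)  # errors 2^(p-1) + 2^(p-1) <= 2^p
def sub(x, y): return lambda p: x(p - 1) - y(p - 1)
def halve(x):  return lambda p: x(p) / 2
def double(x): return lambda p: 2 * x(p - 1)
def absval(x): return lambda p: abs(x(p))
# A test maps a precision p to True / False / None (undetermined at that precision).
def gt(x, y):
    def test(p):
        a, b, e = x(p), y(p), Fraction(2) ** p
        return True if a - e > b + e else (False if a + e < b - e else None)
    return test
def lt(x, y): return gt(y, x)
def between(lo, x, hi):  # lo < x < hi as a single test
    t1, t2 = gt(x, lo), gt(hi, x)
    def test(p):
        r1, r2 = t1(p), t2(p)
        return False if False in (r1, r2) else (True if r1 and r2 else None)
    return test
def evaluate(test, budget=200):
    """Single-valued 'if x > y': refine until decided; x = y never decides (slide 17)."""
    for p in range(0, -budget, -1):
        if (r := test(p)) is not None: return r
    raise RuntimeError("comparison of equal reals does not terminate (budget exhausted)")
def choose(*tests, budget=200):
    """Multivalued choose(a, b, ...): index of some alternative found true so far."""
    for p in range(0, -budget, -1):
        for i, t in enumerate(tests):
            if t(p) is True: return i          # undetermined alternatives are skipped
    raise RuntimeError("no alternative became true (budget exhausted)")
def soft_gt(x, y, p):
    """choose(x > y - iota(p), y + iota(p) > x): total, correct up to an error of 2^p."""
    return choose(gt(x, sub(y, iota(p))), gt(add(y, iota(p)), x)) == 0

def erc_round(x):
    """Algorithm (I): scale y = x into (-1, 1), then read binary digits back off with a
    three-way choose; returns some integer k with |x - k| < 1 (multivalued)."""
    k, l, y = 0, 0, x
    zero, one, half = const(0), const(1), const(Fraction(1, 2))
    while choose(lt(absval(y), one), gt(absval(y), half)) == 1:  # exit once |y| < 1
        l, y = l + 1, halve(y)
    while l > 0:
        y = double(y)
        b = choose(lt(y, zero), between(const(-1), y, one), gt(y, zero)) - 1  # -1, 0 or 1
        y, k, l = sub(y, const(b)), k + k + b, l - 1
    return k
```

Because choose skips undetermined alternatives, erc_round terminates even when y hits an integer boundary exactly (e.g. x = 7), where a single-valued `−1 < y < 1` would spin forever.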

20. 2. Exact Real Computation (ERC)
Theorem. Every partial function f :⊆ R^d × Z → R computable in the sense of Recursive Analysis can be implemented in Exact Real Computation.
Brief proof.
◮ Exact Real Computation can implement a Counter Machine, and thus any Turing Machine, on discrete input.
◮ Combining the rounding program with the precision embedding, a_n := round(x · ι(n)) ∈ Z yields the numerators of a sequence a_n / 2^n of dyadic approximations to x up to absolute error ≤ 2^(−n): the way of presenting a real argument to a Turing machine computing f(x).


22. 3. Logic of Exact Real Computation
Consider the two-sorted structure consisting of Presburger Arithmetic (Z, 0, 1, +, >) and the real-closed field (R, 0, 1, +, ×, >) of characteristic 0, together with the 'binary precision' embedding ι : Z ∋ p ↦ 2^p ∈ R, in order to express the output error specification.
Theorem. The first-order theory of the above two-sorted structure is decidable; but not when replacing ι with the 'unary' embedding N⁺ ∋ n ↦ 1/n ∈ R.

23. 3. Logic of Exact Real Computation
◮ (Floyd-)Hoare Logic is a well-known formal system for reasoning about partial and total correctness of imperative programs.
◮ {P} C {Q}: the postcondition Q holds after executing C whenever the precondition P was met before C, with guaranteed termination.
$$\{Q[e/x]\}\; x := e\; \{Q\} \qquad (\mathrm{r.as}) \tag{1}$$
$$\frac{p \Rightarrow p' \qquad \{p'\}\, c\, \{q'\} \qquad q' \Rightarrow q}{\{p\}\, c\, \{q\}} \qquad (\mathrm{r.cons}) \tag{2}$$
$$\frac{\{P \wedge b\}\, C\, \{R\} \qquad \{P \wedge \neg b\}\, A\, \{R\}}{\{P\}\ \mathbf{if}\ b\ \mathbf{then}\ C\ \mathbf{else}\ A\ \{R\}} \qquad (\mathrm{r.if}) \tag{3}$$
$$\frac{\{I \wedge b \wedge (V = N)\}\, C\, \{I \wedge (V < N)\} \qquad I \wedge (V \le 0) \Rightarrow \neg b}{\{I\}\ \mathbf{while}\ b\ \mathbf{do}\ C\ \{I \wedge \neg b\}} \qquad (\mathrm{r.w}) \tag{4}$$

24. 3. Logic of Exact Real Computation
◮ Note that a single-valued partial expression b is simply choose(¬b, b).
$$\frac{\{P \wedge c\}\, C\, \{R\} \qquad \{P \wedge a\}\, A\, \{R\}}{\{P \wedge (a \vee c)\}\ \mathbf{if}\ \mathrm{choose}(a, c)\ \mathbf{then}\ C\ \mathbf{else}\ A\ \{R\}} \qquad (\mathrm{r.if2}) \tag{5}$$
$$\frac{\{I \wedge c \wedge (V = R)\}\, C\, \{(a \vee c) \wedge I \wedge (V \le R - \varepsilon)\} \qquad I \wedge (V \le 0) \Rightarrow \neg c}{\{I \wedge (a \vee c)\}\ \mathbf{while}\ \mathrm{choose}(a, c)\ \mathbf{do}\ C\ \{I \wedge a\}} \qquad (\mathrm{r.w2}) \tag{6}$$

25. 3. Logic of Exact Real Computation
◮ Let f : [0, 1] → R be continuous with a unique and simple root.
◮ Bisection proceeds according to the sign of f(1/2); but it fails in Exact Real Computation in case 1/2 already is a root!
◮ Instead, trisection tests the signs of both f(1/3) and f(2/3) in parallel, knowing from the hypothesis on f that at most one of the two can be zero:
