Polyhedral Domains and Widening for Verification of Numerical Programs
Goran Frehse (Verimag); Hitashyam Maka and Bruce H. Krogh (Carnegie Mellon University)
Verification of numerical programs (outline)
• Problem definition
• Polyhedral domains
• Control flow automata (CFA)
• CFA reachability
• Widening based on coefficient limiting
• CFA reduction
• Kahan summation example
• Conclusions
Design and implementation of numerical programs (diagram)
design model -(model-based development)-> source code -(code generation, compiler)-> implementation on the target processor (platform)
Verification of numerical programs
(diagram: design model -> code generation -> compiler -> target processor)
Need to verify how the numerical code will execute on the target processor.
Verification of numerical programs: tool chain (diagram)
design model -> code generation -> numerical program -> compiler -> target processor
target-processor code -> disassembler -> control flow graph -> CFA generator (with an error model of the target processor) -> CFA -> PHAVer (verifier) -> reachability results
Today's presentation: the path from the CFA through PHAVer to reachable sets and error bounds.
Scope of this work
• instructions of the form
• real constants and variables
• linear arithmetic
• floating point error bounds
Polyhedral domains
• linear predicates
• convex polyhedron: conjunction of linear predicates
• polyhedron: disjunction of convex polyhedra
• Parma Polyhedra Library (PPL): performs exact computations with non-convex polyhedra
• PHAVer: performs reachability for LHA (linear hybrid automata)
  – exact and robust arithmetic with unlimited precision (PPL)
  – bit-constrained over-approximations as termination heuristics
  – on-the-fly over-approximation of piecewise affine dynamics
  – support for compositional and assume-guarantee reasoning
Exact arithmetic in PHAVer
• Finite resources require over-approximation.
• Semi-bounded exact arithmetic: exact computations that result in finite precision.
  (figure: 1. compute the derivative polyhedron; 2. time elapse, a conservative over-approximation of the initial set)
• Managing the complexity by over-approximation:
  1. limit the number of bits of the coefficients
  2. limit the number of constraints
  (figure: a polyhedron with vertices A to F before and after limiting the coefficients of its constraints)
Control flow automata (CFA)
• same node/transition structure as the control flow graph
• instructions replaced by action predicates on the transitions, representing the operation and its error bounds
CFA example (figure)
CFA reachability
• CFA state: (q, x), with q the discrete state and x a valuation of the variables
• Reachable states: the smallest fixed point of the reachability iteration
• All sets are polyhedra
• In general, the reachability iteration will not terminate
Widening for iterative computations
• Accelerates convergence to a fixed point.
P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proceedings of the Fourth Annual ACM Symposium on Principles of Programming Languages, pp. 238-252, New York, 1977. ACM Press.
Standard widening
• defined for convex polyhedra
• retains the constraints of P1 that are also satisfied by P2, and the constraints of P2 that have equivalent constraints in P1
Standard widening: example
(figure: exact iteration vs. standard widening; the exact iteration is nonterminating)
• widening terminates at iteration 5
• large over-approximation
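The following is an added example, not code from the slides or from PHAVer. It runs the reachability iteration described above on the simplest convex polyhedral domain, intervals over one variable: an interval [lo, hi] is the polyhedron cut out by the two linear predicates x >= lo and x <= hi, so "retain the constraints of P1 that P2 also satisfies" becomes "keep a bound only if it did not move". The loop `i = 0; while i < bound: i = i + 1`, the bound values and the iteration cap are constructed for the illustration.

```python
"""Standard widening on the 1-D interval domain (constructed example)."""
import math

INF = math.inf          # an interval is a (lo, hi) pair; None is the empty set


def join(p1, p2):
    """Least upper bound: the convex hull of two intervals."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    return (min(p1[0], p2[0]), max(p1[1], p2[1]))


def widen(p1, p2):
    """Standard widening P1 ∇ P2: retain each constraint of P1 that P2 still satisfies."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    lo = p1[0] if p2[0] >= p1[0] else -INF   # does x >= lo still hold on P2?
    hi = p1[1] if p2[1] <= p1[1] else INF    # does x <= hi still hold on P2?
    return (lo, hi)


def post(p, bound):
    """One CFA transition: guard i < bound (integer i, so i <= bound - 1), then i := i + 1."""
    if p is None:
        return None
    lo, hi = p
    hi = min(hi, bound - 1)
    if lo > hi:
        return None
    return (lo + 1, hi + 1)


def loop_exit(p, bound):
    """States leaving the loop: the loop-head invariant intersected with i >= bound."""
    if p is None:
        return None
    lo, hi = p
    lo = max(lo, bound)
    return None if lo > hi else (lo, hi)


def reach(bound, use_widening, max_iter=1000):
    """Kleene iteration for the loop-head invariant; returns (invariant, iterations, converged).

    Without widening the chain (0,0), (0,1), (0,2), ... stabilises only for a
    finite bound; with a symbolic (infinite) bound it never does and max_iter is hit.
    With widening the upper bound is dropped at the first step and the iteration
    terminates at step 2, at the price of the over-approximation (0, +inf).
    """
    init = (0, 0)
    p = init
    for n in range(1, max_iter + 1):
        nxt = join(init, post(p, bound))
        new = widen(p, nxt) if use_widening else nxt
        if new == p:
            return p, n, True
        p = new
    return p, max_iter, False


if __name__ == "__main__":
    for bound in (10, INF):
        for w in (False, True):
            inv, n, ok = reach(bound, w)
            print(f"bound={bound} widening={w}: invariant={inv} after {n} iterations, "
                  f"converged={ok}, exit states={loop_exit(inv, bound)}")
```

For bound = 10 the exact iteration needs 11 steps and yields the precise exit set {10}, while widening terminates after 2 steps but only proves i >= 10 at the exit: the same trade between termination and precision the figure shows for general polyhedra, where the retained constraints are arbitrary linear predicates rather than axis-parallel bounds.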
Widening based on coefficient limiting (NEW)
Preliminaries:
• C_P: the set of linear predicates defining the polyhedron P
• assume integer coefficients with greatest common divisor 1
• max_coeff(C_P): the maximum coefficient in C_P
• coeff_limit(P, k): a polyhedron P′ such that 1) P ⊆ P′ and 2) max_coeff(C_P′) ≤ k
NOTE: such a P′ is computed by PHAVer
Widening based on coefficient limiting (NEW)
Proposition 1. The coefficient-limiting operator is a widening operator.
Example 1: application to Program 1 (figure: standard widening vs. coefficient-limiting widening)
Example 2: non-convex polyhedra, without convex hull (figure)
CFA reduction
Objective: given a set of variables W, reduce the number of transitions and variables in the CFA without affecting the reachable set for the variables in W.
Merging transitions
• transition condition for merging
• applied only to the first transition in a pair of transitions
Eliminating irrelevant variables
• transition merging increases the number of globally irrelevant variables
• retains the variables that influence the error bounds on the variables of interest
Precision vs. efficiency
• the value of k introduces a tradeoff between
  - the accuracy of the polyhedral approximations and
  - the complexity of the computations
• a smaller k increases the over-approximation but does not necessarily make termination faster
Example: Kahan summation algorithm
• adding N numbers naively: error = N ε
• the Kahan algorithm introduces intermediate variables to mitigate the effects of repeated summations: error = 2 ε + O(N ε²)
From Wikipedia:
    function kahanSum(input, n)
        var sum = input[1]
        var c = 0.0                  // A running compensation for lost low-order bits.
        for i = 2 to n
            y = input[i] - c         // So far, so good: c is zero.
            t = sum + y              // Alas, sum is big, y small, so low-order digits of y are lost.
            c = (t - sum) - y        // (t - sum) recovers the high-order part of y;
                                     // subtracting y recovers -(low part of y)
            sum = t                  // Algebraically, c should always be zero.
                                     // Beware eagerly optimising compilers!
        next i                       // Next time around, the lost low part will
                                     // be added to y in a fresh attempt.
        return sum
Our implementation
• ε = 1.192092896e-7 (i386, single precision)
• x_0 = 1
• x_i = 0.1249999403953552
• N = 8
• reduced CFA: 3 locations, 3 transitions; variables y, t eliminated
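As an added example (not the authors' PHAVer model and not code from the slides), the Kahan program and its naive counterpart are executed under emulated single-precision arithmetic with exactly the parameters listed above, so the concrete error can be compared with the N ε and 2 ε bounds. Assumptions: "N = 8" is read as eight summands in total (x_0 followed by seven copies of x_i); single precision is emulated by rounding every operation through a 4-byte IEEE-754 pack/unpack, which is exact here because every intermediate double-precision result is itself exactly representable. Note that x_i = 1/8 - 2^-24, so every naive addition to a sum in [1, 2) loses exactly half an ulp.

```python
"""Kahan vs. naive summation under emulated IEEE-754 single precision (constructed example)."""
import struct
from fractions import Fraction

EPS32 = 2.0 ** -23      # machine epsilon of single precision, 1.1920928955e-7 (the slide's ε)


def f32(x):
    """Round a Python float to the nearest IEEE-754 single (round-to-nearest-even).

    The emulation matches float32 hardware whenever the double-precision operand is
    exact, which holds for the sum or difference of two singles whose binary
    exponents differ by at most 28 (24 + 28 + 1 carry bit <= 53 significand bits).
    """
    return struct.unpack("<f", struct.pack("<f", x))[0]


def naive_sum_f32(values):
    """Straight accumulation, every addition rounded to single precision."""
    s = f32(values[0])
    for v in values[1:]:
        s = f32(s + f32(v))
    return s


def kahan_sum_f32(values):
    """Kahan summation, every operation rounded to single precision."""
    s = f32(values[0])
    c = 0.0                      # running compensation for lost low-order bits
    for v in values[1:]:
        y = f32(f32(v) - c)      # fold the previously lost low part back into the addend
        t = f32(s + y)           # big + small: the low-order bits of y are lost here
        c = f32(f32(t - s) - y)  # (t - s) is what was really added; minus y gives -(lost part)
        s = t
    return s


def exact_sum(values):
    """Exact rational sum of the single-precision inputs (the reference value)."""
    return sum(Fraction(f32(v)) for v in values)


def abs_error_in_eps(approx, exact):
    """Absolute error of a float32 result, measured in units of ε = 2^-23."""
    return float(abs(Fraction(approx) - exact) / Fraction(EPS32))


def demo(n=8):
    # Constructed input reproducing the slide's parameters: x_0 = 1, x_i = 0.1249999403953552.
    values = [1.0] + [0.1249999403953552] * (n - 1)
    exact = exact_sum(values)
    return {
        "naive_err_eps": abs_error_in_eps(naive_sum_f32(values), exact),
        "kahan_err_eps": abs_error_in_eps(kahan_sum_f32(values), exact),
        "naive_bound_eps": float(n),   # slide's bound N ε for naive summation
        "kahan_bound_eps": 2.0,        # leading term of the slide's bound 2 ε + O(N ε²)
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:>16}: {val}")
```

With these inputs the naive sum ends at exactly 1.875 after seven half-ulp roundings (error 3.5 ε, inside the N ε = 8 ε bound), whereas the compensated sum lands one ulp below it (error 0.5 ε, inside the 2 ε bound). Changing the inputs to values that are exactly representable after each addition makes both errors vanish, which is why the slide's x_i is chosen to force a tie-breaking rounding at every step.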
Summary
• new widening operator based on bounding coefficients
• error-preserving reductions
  - transition merging
  - variable elimination
• implementation using PHAVer
• illustrations on small examples
Next steps
• exercise on benchmarks
• integration with standard tools
• incorporating other sources of errors (e.g., inf, NaN)