
Automatic program verification by Lagrangian relaxation and semidefinite programming (PowerPoint PPT presentation)



1. Aperitif: Relational semantics of loops

« Automatic program verification by Lagrangian relaxation and semidefinite programming »
Patrick Cousot, École normale supérieure, 45 rue d'Ulm, 75230 Paris cedex 05, France
Patrick.Cousot@ens.fr, www.di.ens.fr/~cousot
Semantics lunch, Cambridge, UK, Oct. 18th, 2004 (© P. Cousot)

Relational semantics of loops

    while B do C od

– $x \in \mathbb{R}/\mathbb{Q}/\mathbb{Z}$: values of the loop variables before a loop iteration
– $x' \in \mathbb{R}/\mathbb{Q}/\mathbb{Z}$: values of the loop variables after a loop iteration
– $[\![B;C]\!](x, x')$: relational semantics of one loop iteration
– $[\![B;C]\!](x, x') = \bigwedge_{i=1}^{N} \sigma_i(x, x') \bowtie 0$ (where $\bowtie$ is $>$, $\geq$ or $=$)
– not a restriction for numerical programs

2. Appetiser: Floyd/Hoare/Naur correctness proof method

Invariance proof

Given a loop precondition $P$, find an unknown loop invariant $I$ such that:
– The invariant is initial: $\forall x : P(x) \Rightarrow I(x)$
– The invariant is inductive: $\forall x, x' : I(x) \wedge [\![B;C]\!](x, x') \Rightarrow I(x')$

Invariance proof for numerical programs

Given a loop precondition $P(x) \bowtie 0$, find an unknown loop invariant $I(x) \bowtie 0$ such that:
– The invariant is initial: $\forall x : P(x) \bowtie 0 \Rightarrow I(x) \bowtie 0$
– The invariant is inductive: $\forall x, x' : \big( I(x) \bowtie 0 \wedge \bigwedge_{i=1}^{N} \sigma_i(x, x') \bowtie 0 \big) \Rightarrow I(x') \bowtie 0$

Example of quadratic form program (factorial)

Each constraint has the quadratic form $[x\ x'] A [x\ x']^{\top} + 2 [x\ x'] q + r \bowtie 0$. For the factorial loop, with the relational semantics $[\![B;C]\!]$ of one iteration written as the conjunction of constraints on the right:

    n := 0;                      -1.f + 1.N >= 0
    f := 1;                      +1.n >= 0
    while (f <= N) do            +1.f - 1 >= 0
      n := n + 1;                -1.n + 1.n' - 1 = 0
      f := n * f                 +1.N - 1.N' = 0
    od                           -1.f.n' + 1.f' = 0

For instance the last constraint $-f.n' + f' = 0$ is, with $x = (n, f, N)$ and $x' = (n', f', N')$:

$$
[n\ f\ N\ n'\ f'\ N']
\begin{bmatrix}
0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & -\frac{1}{2} & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 \\
0 & -\frac{1}{2} & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0
\end{bmatrix}
[n\ f\ N\ n'\ f'\ N']^{\top}
+ 2\, [n\ f\ N\ n'\ f'\ N']
\begin{bmatrix} 0 \\ 0 \\ 0 \\ 0 \\ \frac{1}{2} \\ 0 \end{bmatrix}
+ 0 = 0
$$

3. Termination proof

Given a loop invariant $I$, find an $\mathbb{R}/\mathbb{Q}/\mathbb{Z}$-valued unknown rank function $r$ such that:
– The rank is nonnegative: $\forall x : I(x) \Rightarrow r(x) \geq 0$
– The rank is strictly decreasing: $\forall x, x' : I(x) \wedge [\![B;C]\!](x, x') \Rightarrow r(x') \leq r(x) - \delta$
  with $\delta = 1$ for $\mathbb{Z}$ and $\delta > 0$ for $\mathbb{R}/\mathbb{Q}$, to avoid Zeno sequences $\frac{1}{2}, \frac{1}{4}, \frac{1}{8}, \dots$

Wine service: Iterated forward/backward static analysis for conditional termination

Conditional termination
– In general a loop does not terminate for all initial values of the variables
– In that case we can find no rank function!
– We must automatically determine a necessary loop precondition
– We use an iterated forward/backward static analysis ... with an auxiliary counter counting the number of remaining iterations down to zero

Arithmetic mean example, polyhedral abstraction (without auxiliary counter)

    {x>=y}
    while (x <> y) do
      {x>=y+2}
      x := x - 1;
      {x>=y+1}
      y := y + 1
      {x>=y}
    od
    {x=y}

4. Entrée: Abstraction to parametric constraints

Arithmetic mean example, polyhedral abstraction with auxiliary counter

    {x=y+2k, x>=y}
    while (x <> y) do
      {x=y+2k, x>=y+2}
      k := k - 1;
      {x=y+2k+2, x>=y+2}
      x := x - 1;
      {x=y+2k+1, x>=y+1}
      y := y + 1
      {x=y+2k, x>=y}
    od
    {x=y, k=0}
    assume (k = 0)
    {x=y, k=0}

Parametric constraints
– Fix the form of the unknown ($I(x) \bowtie 0$ / $r(x) \geq 0$) using parameters $a$, in the form $Q(a, x) \bowtie 0$
– This is an abstraction
– Examples:
  - $r(x, y) = a.x + b.y + c$
  - $I(x, x') = a.x^2 + b.x.x' + c.x'^2 + d.x + e.x' + f$

Solving the constraints
– The invariance [termination] problems have the form:
  $\exists a : \forall x, x' : \big( [Q(a, x) \bowtie 0 \wedge] \bigwedge_{k=1}^{n} C_k(x, x') \bowtie 0 \big) \Rightarrow Q'(a, x, x') \bowtie 0$
– Find an algorithm to effectively compute $a$!
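Before abstracting the obligations to parametric constraints, it is useful to see them fail and succeed on concrete states. The following added example (not code from the talk) encodes the relational semantics of one iteration of the arithmetic mean loop as a Python function and searches a finite box of integer states for counterexamples to the initial/inductive/nonnegative/decreasing obligations of the previous slides. The box `BOX`, the state layout `(x, y, k)` and all function names are assumptions of this example. It shows why the auxiliary counter matters: `x >= y` alone is not inductive over $\mathbb{Z}$ (a state with `x = y + 1` steps to `x' < y'`), while `x = y + 2k and x >= y` is, with `k` as rank function; concrete runs confirm that the loop terminates exactly when `x - y` is even and nonnegative. A counterexample found this way is real; a pass over the box is only evidence, not a proof.

```python
"""Bounded counterexample search for the Floyd/Hoare/Naur obligations of
    while (x <> y) do x := x - 1; y := y + 1 od
(added example; BOX, the (x, y, k) state layout and the names are assumptions)."""
from itertools import product

BOX = range(-4, 5)   # constructed finite domain for x, y and the counter k

def step(s):
    """[[B;C]](s, s') as the list of successors of state s = (x, y, k);
    empty when the loop test x <> y is false. The auxiliary counter k of
    the slides is decremented once per iteration."""
    x, y, k = s
    return [] if x == y else [(x - 1, y + 1, k - 1)]

def states():
    return product(BOX, BOX, BOX)

def inv_plain(s):      # I(x, y) = x >= y  (polyhedral invariant, no counter)
    x, y, _ = s
    return x >= y

def inv_counter(s):    # I(x, y, k) = (x = y + 2k) and x >= y
    x, y, k = s
    return x == y + 2 * k and x >= y

def rank(s):           # r(x, y, k) = k, the number of remaining iterations
    return s[2]

def inductive_counterexample(inv):
    """First (s, s') with I(s), [[B;C]](s, s') and not I(s'), or None."""
    for s in states():
        if inv(s):
            for t in step(s):
                if not inv(t):
                    return (s, t)
    return None

def rank_counterexample(inv, r, delta=1):
    """Violation of 'I(s) => r(s) >= 0' or of
    'I(s) and [[B;C]](s, s') => r(s') <= r(s) - delta' (delta = 1 over Z)."""
    for s in states():
        if not inv(s):
            continue
        if r(s) < 0:
            return ("nonnegative", s)
        for t in step(s):
            if r(t) > r(s) - delta:
                return ("decreasing", s, t)
    return None

def terminates(x, y, fuel=1000):
    """Run the loop concretely; True iff it exits within `fuel` iterations
    (a terminating run from the box needs at most (max - min) / 2 of them)."""
    while x != y:
        if fuel == 0:
            return False
        x, y, fuel = x - 1, y + 1, fuel - 1
    return True

def termination_precondition():
    """Initial (x, y) in the box from which the loop terminates. This is the
    set the iterated forward/backward analysis of the slides over-approximates
    by x >= y (polyhedra) and pins down with the counter as x = y + 2k."""
    return {(x, y) for x, y in product(BOX, BOX) if terminates(x, y)}
```

The plain invariant fails exactly on the odd-difference states, which is the parity information the polyhedral domain cannot express without the counter; `rank_counterexample(inv_counter, rank)` returns `None`, i.e. `k` is a valid rank function under the counter invariant on the whole box.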

5. First main course: Lagrangian relaxation

Problems
In order to compute $a$:
– How to handle the conjunctions $\bigwedge$ / $\wedge$?
– How to get rid of the implication $\Rightarrow$?
  → Lagrangian relaxation for implication elimination
– How to get rid of the universal quantification $\forall$?
  → quantifier elimination (does not scale up)
  → mathematical programming

Algorithmically interesting cases
– linear inequalities → linear programming¹
– linear matrix inequalities (LMI)/quadratic forms → semidefinite programming
– bilinear matrix inequalities (BMI) → semidefinite programming
– semialgebraic sets → polynomial quantifier elimination, or → relaxation with semidefinite programming

¹ Already explored for invariants by Sankaranarayanan, Sipma, Manna (CAV'03, SAS'04, heuristic solver) and for termination by Podelski & Rybalchenko (VMCAI'03, Lagrange coefficients eliminated by hand to reduce to linear programming, so no disjunctions, no tests, etc.).

Example of linear Lagrangian relaxation
[Figure: two half-planes $A$ and $B$ with $A \Rightarrow B$ (assuming $A \neq \emptyset$); $\Leftarrow$ soundness, $\Rightarrow$ completeness: the border of $A$ is parallel to the border of $B$.]

6. Second main course: Mathematical programming

Lagrangian relaxation, formally

Let $V$ be a finite dimensional linear vector space, $N > 0$ and $\forall k \in [1, N] : \sigma_k \in V \mapsto \mathbb{R}$.

  $\forall x \in V : \big( \bigwedge_{k=1}^{N} \sigma_k(x) \geq 0 \big) \Rightarrow (\sigma_0(x) \geq 0)$

  $\Leftarrow$ soundness (Lagrange)
  $\Rightarrow$ completeness (lossless); $\nRightarrow$ incompleteness (lossy)

  $\exists \lambda \in [1, N] \mapsto \mathbb{R}^{+} : \forall x \in V : \sigma_0(x) - \sum_{k=1}^{N} \lambda_k \sigma_k(x) \geq 0$

relaxation = approximation; the $\lambda_k$ are the Lagrange coefficients

Lagrangian relaxation of the constraints

  $\exists a : \forall x, x' : \big( [Q(a, x) \bowtie 0 \wedge] \bigwedge_{k=1}^{n} C_k(x, x') \bowtie 0 \big) \Rightarrow Q'(a, x, x') \bowtie 0$

is relaxed into

  $\exists a : [\exists \lambda \geq 0] : \exists \lambda_k \geq 0 : \forall x, x' : Q'(a, x, x')\ [-\lambda . Q(a, x)]\ - \sum_{k=1}^{n} \lambda_k . C_k(x, x') \bowtie 0$

which is linear in $a$ (the term $Q'(a, x, x')$), linear in the $\lambda_k$, and bilinear in $a$ and $\lambda$ (the term $\lambda . Q(a, x)$).

Lagrangian relaxation, completeness cases
– Linear case (affine Farkas' lemma)
– Linear case with at most 2 quadratic constraints (Yakubovich's S-procedure)

7. Mathematical programming

Feasibility is: $\exists x \in \mathbb{R}^n : \bigwedge_{i=1}^{N} g_i(x) \geq 0$ [minimizing $f(x)$]
– feasibility problem: find a solution to the constraints
– optimization problem: find a solution minimizing $f(x)$

Semidefinite programming

  $\exists x \in \mathbb{R}^n : M(x) \succeq 0$ [minimizing $c x$]

where the linear matrix inequality is $M(x) = M_0 + \sum_{k=1}^{n} x_k M_k$ with symmetric matrices ($M_k = M_k^{\top}$), and positive semidefiniteness is $M(x) \succeq 0 \;\equiv\; \forall X \in \mathbb{R}^N : X^{\top} M(x) X \geq 0$.

Semidefinite programming, once again

  $\exists x \in \mathbb{R}^n : \forall X \in \mathbb{R}^N : X^{\top} \big( M_0 + \sum_{k=1}^{n} x_k M_k \big) X \geq 0$

of the form of the (linear) formulæ we are interested in for programs with linear matricial semantics.

Interior point method for semidefinite programming
– Nesterov & Nemirovskii 1988, polynomial in worst case and good in practice (thousands of variables)
– Various path strategies, e.g. "stay in the middle"
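A semidefinite solver returns the parameters $a$ and the Lagrange coefficients $\lambda_k$ in floating point, so the sound step of the method, the final $\forall x$ check of the relaxed constraint, is worth redoing exactly. The following added example (not code from the talk nor from any solver) checks such a certificate for the relaxation of the previous slides: the residual $\sigma_0 - \sum_k \lambda_k \sigma_k$ is written as a quadratic form $z^{\top} G z$ over $z = (1, x_1, \dots, x_n)$, and $G$ is tested for positive semidefiniteness by an exact rational $LDL^{\top}$ elimination, which is how the $\forall X$ of the semidefinite feasibility condition above is decided. Equality constraints get unrestricted multipliers, inequalities nonnegative ones. The polynomial encoding, the `'ge'`/`'eq'` tags and the chosen multipliers are assumptions of this example; the two arithmetic mean certificates use the loop and constraints of the earlier slides, and the $1 - x^2 \geq 0 \Rightarrow 1 - x \geq 0$ instance is a constructed one-quadratic-constraint case (the S-procedure setting).

```python
"""Exact check of a Lagrangian-relaxation certificate (added example, not from
the talk). The relaxed obligation is

    forall x:  sigma_0(x) - sum_k lambda_k * sigma_k(x)  >=  0

with lambda_k >= 0 for hypotheses sigma_k >= 0 and lambda_k unrestricted for
hypotheses sigma_k = 0. For polynomials of degree <= 2 the residual is a
quadratic form z^T G z over z = (1, x_1, ..., x_n); it is nonnegative for all
x if G is positive semidefinite (the SDP condition 'forall X: X^T M X >= 0')."""
from fractions import Fraction as F

# A polynomial is {monomial: coefficient}; a monomial is a sorted tuple of
# variable names: () = 1, ('x',) = x, ('x', 'x') = x^2, ('x', 'y') = x*y.
def poly(terms):
    return {tuple(sorted(m)): F(c) for m, c in terms.items() if c != 0}

def add_scaled(p, q, c):
    """p + c*q, dropping zero coefficients."""
    out = dict(p)
    for m, v in q.items():
        out[m] = out.get(m, F(0)) + c * v
    return {m: v for m, v in out.items() if v != 0}

def is_psd(G):
    """Exact PSD test of a symmetric rational matrix by LDL^T elimination:
    every pivot must be >= 0, and a zero pivot is only allowed when the rest
    of its column is zero (otherwise a 2x2 principal minor is negative)."""
    A = [[F(v) for v in row] for row in G]
    n = len(A)
    for i in range(n):
        d = A[i][i]
        if d < 0:
            return False
        if d == 0:
            if any(A[j][i] != 0 for j in range(i + 1, n)):
                return False
            continue
        for j in range(i + 1, n):        # Schur complement of the pivot
            f = A[j][i] / d
            for k in range(i, n):
                A[j][k] -= f * A[i][k]
    return True

def gram_matrix(p, variables):
    """G with z^T G z = p for z = (1, *variables); cross terms split evenly."""
    basis = [()] + [(v,) for v in variables]
    idx = {b: i for i, b in enumerate(basis)}
    G = [[F(0)] * len(basis) for _ in basis]
    for m, c in p.items():
        if len(m) > 2:
            raise ValueError("degree > 2 not supported: %r" % (m,))
        a, b = idx[m[:1]], idx[m[1:2]]   # m[1:2] == () for degree <= 1
        if a == b:
            G[a][a] += c
        else:
            G[a][b] += c / 2
            G[b][a] += c / 2
    return G

def check_certificate(goal, hyps, variables):
    """hyps = [(sigma_k, lambda_k, 'ge' | 'eq'), ...]. Returns (ok, residual)."""
    res = dict(goal)
    for sigma, lam, kind in hyps:
        lam = F(lam)
        if kind == 'ge' and lam < 0:
            return (False, "negative multiplier on an inequality constraint")
        res = add_scaled(res, sigma, -lam)
    return (is_psd(gram_matrix(res, variables)), res)

# --- arithmetic mean loop of the slides: while (x <> y) do x := x-1; y := y+1 od
VARS = ['x', 'y', 'xp', 'yp']                            # xp, yp stand for x', y'
STEP = [poly({('xp',): 1, ('x',): -1, (): 1}),           # x' - x + 1 = 0
        poly({('yp',): 1, ('y',): -1, (): -1})]          # y' - y - 1 = 0

def rank_decrease_certificate():
    """I and test (over Z: x - y - 1 >= 0) and step  =>  r(x) - r(x') - 1 >= 0
    for r = x - y, with multipliers (0, -1, 1): the residual is the constant 1."""
    goal = poly({('x',): 1, ('y',): -1, ('xp',): -1, ('yp',): 1, (): -1})
    hyp = poly({('x',): 1, ('y',): -1, (): -1})
    return check_certificate(goal, [(hyp, 0, 'ge'), (STEP[0], -1, 'eq'),
                                    (STEP[1], 1, 'eq')], VARS)

def invariant_inductive_certificate(slack):
    """x - y - slack >= 0 and step  =>  x' - y' >= 0, multipliers (1, 1, -1).
    slack = 2 is the body precondition {x>=y+2} of the forward/backward
    analysis and the residual is 0; with slack = 1 the residual is -1 and the
    check fails, as x >= y alone is not inductive (x = y + 1 steps to x' < y')."""
    goal = poly({('xp',): 1, ('yp',): -1})
    hyp = poly({('x',): 1, ('y',): -1, (): -slack})
    return check_certificate(goal, [(hyp, 1, 'ge'), (STEP[0], 1, 'eq'),
                                    (STEP[1], -1, 'eq')], VARS)

def s_procedure_certificate(lam):
    """Constructed one-quadratic-constraint case: 1 - x^2 >= 0  =>  1 - x >= 0.
    lam = 1/2 gives the residual (x - 1)^2 / 2, which is PSD; lam = 1 gives
    x^2 - x, negative at x = 1/2, and the exact PSD test rejects it."""
    goal = poly({(): 1, ('x',): -1})
    hyp = poly({(): 1, ('x', 'x'): -1})
    return check_certificate(goal, [(hyp, lam, 'ge')], ['x'])
```

The checker is the trusted half of the pipeline: the solver may be numerical, heuristic or simply buggy, but a certificate that passes `check_certificate` is a valid Lagrangian proof of the implication. Note that a failed check only rejects the given multipliers; it does not show that no multipliers exist (that is the incompleteness of the relaxation, or the fact that a nonnegative polynomial need not have a PSD Gram matrix beyond the S-procedure cases).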

8. Skipping the cheese ...

Semidefinite programming solvers
Numerous solvers available under Matlab®, a.o.:
– lmilab: P. Gahinet, A. Nemirovskii, A.J. Laub, M. Chilali
– Sdplr: S. Burer, R. Monteiro, C. Choi
– Sdpt3: R. Tütüncü, K. Toh, M. Todd
– SeDuMi: J. Sturm
– bnb: J. Löfberg (integer semidefinite programming)
Common interfaces to these solvers, a.o.:
– Yalmip: J. Löfberg
The solvers sometimes need some help (feasibility radius, shift, ...)

Recent generalization to bilinear matrix inequalities
– penbmi: M. Kočvara, M. Stingl
Feasibility is:
  $\exists x \in \mathbb{R}^n : \forall X \in \mathbb{R}^N : X^{\top} \big( M_0 + \sum_{j=1}^{n} x_j M_j + \sum_{k=1}^{n} \sum_{\ell=1}^{n} x_k x_\ell M_{k\ell} \big) X \geq 0$
of the form of the (bilinear) formulæ we are interested in!

Not enough time for ...
– Disjunctions in the loop test?
– Conditionals in the loop body?
– Nested loops?
– Concurrency?
– Fair parallelism?
– Semi-algebraic/polynomial programs?
– Data structures?
