Concurrent program extraction Ulrich Berger and Hideki Tsuiki CCC - - PowerPoint PPT Presentation


Concurrent program extraction

Ulrich Berger and Hideki Tsuiki CCC 2017, June 26-30, 2030, Loria, Nancy

1 / 25

Question?

◮ There are two doors.
◮ You know that you can get a treasure from at least one of the doors, but do not know which one.
◮ If you find a treasure, you can return with it. Otherwise, you have to search for it eternally, and no return.
◮ What shall you do?

2 / 25

Solution!

◮ Duplicate yourself!
◮ Search concurrently.
◮ If one of them finds a treasure, kill the other.

3 / 25

Continue with the treasure

We study this kind of concurrent computation. How can we implement it in programming languages?

4 / 25

Amb: Bottom-avoiding choice operator

◮ Amb: McCarthy’s nondeterministic bottom-avoiding choice operator.
◮ Amb x y = x if y = ⊥; y if x = ⊥; ⊥ if x = y = ⊥.
◮ Here, ⊥ means that the computation does not terminate.
◮ It returns x when y = ⊥.
◮ It returns y when x = ⊥.
◮ It may return x or y nondeterministically when both x and y are not ⊥.
◮ Compute x and y in parallel, and return the one obtained first.
◮ We want to extract a program that uses the Amb operator from a proof that at least one of x or y has a value and therefore Amb x y terminates.

5 / 25

The realizability theory we start with

◮ We extend the realizability theory of IFP (Intuitionistic Fixed Point Logic) [B 2010], which is an extension and variation of Kreisel’s modified realizability.
◮ TCF and Minlog [Schwichtenberg 1991].
◮ q-realizability of [Tatsuta 1998].
◮ Logic: extension of first-order predicate logic by least and greatest fixed points. Note that it is not based on type theory.
◮ Program: untyped programs. We allow unrestricted recursion and non-termination. Termination is proved through adequacy.
◮ As the space of programs, consider the Scott domain D defined by a recursive domain equation of the form

    D = Nil + Left D + Right D + Pair (D × D) + Fun (D → D) + ...

◮ + : separated sum.
◮ Nil, Left, Right, . . . : constructors.
◮ All the elements except for ⊥ are constructor terms like Left ..., Pair(..., ...), Fun(λd. ...).
◮ We write Def(b) to express that b is not ⊥.

6 / 25

The realizability theory we start with (cont.)

◮ Formulae are divided into two categories: computational and non-computational (nc). Computational means that it contains ∨.
◮ For a formula A and c ∈ D, we define the predicate c r A, which means that c is a “computational meaning” of A. Roughly speaking, c computes Left or Right for each ∨ in a computational formula.
◮ c r A  Def=  (c = Nil) ∧ A, for a nc formula A.
◮ c r (A ∨ B)  Def=  ∃a (c = Left(a) ∧ a r A) ∨ ∃b (c = Right(b) ∧ b r B).
◮ c r (A → B)  Def=  ∀a (a r A → (c a) r B) if A is computational; A → c r B if A is nc.
◮ From a derivation of a formula A in IFP, one can extract a program term M and a derivation of M r A (Soundness Theorem).

7 / 25

Our extension

◮ We add a new formula Sn(A) which means that the computational meaning of A is obtained through n parallel threads of computation.
◮ We consider a new constructor Amb which means the Amb operator with n arguments. We add to D the branch D = ... + Amb([D]). Here, [D] is the domain of lists of D.
◮ Note: We do not consider a power domain. Amb([d1, . . . , dn]) is a list of values obtained by each computation.

8 / 25

How can we derive that at least one of a or b terminates?

◮ First candidate (it is not valid):

    B → A    C → A    ¬¬(B ∨ C)
    ----------------------------  (B, C : nc)
              S2(A)

  Its intended realizer, spelled out on realizers:

    b r (B → A)    c r (C → A)    ¬¬(B ∨ C)
    -----------------------------------------  (B, C : nc)
            Amb([b, c]) r S2(A)

  and since B and C are nc, this reads

    B → b r A    C → c r A    ¬¬(B ∨ C)
    --------------------------------------  (B, C : nc)
            Amb([b, c]) r S2(A)

◮ If B holds, b will produce A.
◮ If C holds, c will produce A.
◮ B or C holds.
◮ Therefore, by executing b and c in parallel, we obtain A.
◮ However, this reasoning is not valid.

9 / 25

The case C holds

    B → b r A    C → c r A    ¬¬(B ∨ C)
    --------------------------------------
            Amb([b, c]) r S2(A)

◮ c returns with a treasure.

10 / 25

The case B holds

    B → b r A    C → c r A    ¬¬(B ∨ C)
    --------------------------------------
            Amb([b, c]) r S2(A)

◮ b returns with a treasure.
◮ No information about C. Therefore, c may or may not return.
◮ c may return with a treasure.
◮ However, c may return with something else.
◮ If c returns fast, ... “Wait! That’s a fake treasure! I can find ... ARRGH!”

11 / 25

New connectives

◮ Sn(A)  (Concurrently A)
◮ a r Sn(A)  Def=  ∃m (1 ≤ m ≤ n ∧ a = Amb([a1, . . . , am]) ∧ ∃i ≤ m Def(ai) ∧ ∀i ≤ m (Def(ai) → ai r A)).
◮ A || B  (A if B)
◮ a r (A || B)  Def=  (B → Def(a)) ∧ (Def(a) → a r A).
◮ (We only consider the case that B is nc.)
◮ Bounded non-determinism and restriction:

    A || B    A || C    ¬¬(B ∨ C)
    -------------------------------  (nondet-class-orelim)
                 S2(A)

12 / 25

Realizable rules for Sn

      A
    -------  (return), realized by λa. Amb([a]) for strict A, that is, for a formula for which ⊥ r A does not hold.
    Sn(A)

        A → B
    ---------------  (mon), by λf λa. case a of {Amb(b) → Amb(map f b)} for strict B.
    Sn(A) → Sn(B)

    S1(A)
    -------  (one), by λa. case a of {Amb(a1 : b) → a1}.
      A

    Sn(A)
    -------  (nc), by λa. Nil, where A is nc.
      A

13 / 25

Realizable rules for ||

       A
    --------  (return), by λa. a.
    A || B

    A || B    A → (A′ || B)
    --------------------------  (bind), by λa λf. f ↓a.  (↓: strict application.)
           A′ || B

    A || B    B′ → B
    ------------------  (antimon), by λa λf. a.
         A || B′

     A || B
    ----------  (||-stab), realized classically by the identity.
    A || ¬¬B

    -----------  (restriction-efq), by ⊥.
    A || False

    A || B    B
    ------------  (restriction-mp), by λa λb. a.
         A

    B → A0 ∨ A1    ¬B → A0 ∧ A1
    -----------------------------  (||-I), by λa. case a of {Left b → Left b ; Right b → Right b}, where A0, A1, B must be nc.
          (A0 ∨ A1) || B

14 / 25

    B → A0 ∨ A1    ¬B → A0 ∧ A1
    -----------------------------  (||-I), where A0, A1, B must be nc, by λa. case a of {Left b → Left Nil ; Right b → Right Nil}.
          (A0 ∨ A1) || B

    a r (A || B)  Def=  (B → Def(a)) ∧ (Def(a) → a r A).

Suppose that a r (B → A0 ∨ A1), that is, B → a r (A0 ∨ A1).

◮ If B holds, a r (A0 ∨ A1) and obviously a r ((A0 ∨ A1) || B). Since A0 and A1 are nc, a should be Left Nil or Right Nil.
◮ If B does not hold, then a may be anything.
◮ If a does not have the form Left b or Right b, then ⊥ r ((A0 ∨ A1) || B).
◮ If a has the form Left b or Right b, then Left Nil or Right Nil realizes A0 ∨ A1 because A0 and A1 are both true.

15 / 25

Realizable rules for the combination of Sn and ||

    A || B    A || ¬B
    -------------------  (nondet-lem), by λa λb. Amb([a, b]).
          S2(A)

    ¬¬(B ∨ C)    A || B    A || C
    -------------------------------  (nondet-class-orelim), by λa λb. Amb([a, b]).
                 S2(A)

We call the extended system CFP (Concurrent Fixedpoint Logic).

16 / 25

Soundness, Adequacy, Program Extraction Theorem

◮ A (closed) value is an intro program (i.e., a weak head normal form). Amb[bot, 1, 2] is a value. (bot = rec x.x)
◮ We define a bigstep reduction relation M → v between (closed) programs M and values v. We have [[M]] = [[v]], and such a v is unique if it exists.
◮ A data is a term defined inductively only with Nil, Left, Right, Pair.
◮ The printing relation M ⇒ d between a program M and data d. (Evaluating deeply, and expanding Amb.)
◮ It is a multi-valued relation: Amb[bot, 1, 2] ⇒ 1, Amb[bot, 1, 2] ⇒ 2.
◮ We define data(a) for a ∈ D as the set of values obtained by expanding Amb for non-bottom components. data(Amb[⊥, 1, 2]) = {1, 2}.
◮ [Computational Adequacy] For every closed term M, d ∈ data([[M]]) iff M ⇒ d.

17 / 25

Program Extraction

◮ For any formula A of CFP without restriction (||), we define a formula A− of IFP obtained by deleting all Sn.
◮ A data formula is a formula without implications.
◮ If A is a realizable data formula of CFP, A− is realizable in IFP, though one cannot compute a realizer of A− from a realizer of A in a continuous way in general.
◮ [Program Extraction] From a proof of A in CFP, one can extract a terminating program M such that whenever M ⇒ d then d realizes A− in IFP.

18 / 25

Haskell implementation

[Diagram: Program M  --bigstep reduction-->  Value (w.h.n.f.), e.g. Amb([1, 2, 3])  --printing relation-->  Data 1, 2 or 3]

◮ data D = Nil + Left D + . . . + Amb([D]) is a Haskell datatype.
◮ Our realizers are Haskell programs.
◮ From a proof, we hand-extract a Haskell program of type D.
◮ “Value” is a weak head normal form, and our bigstep reduction is compatible with the evaluation of Haskell.
◮ The “printing relation” on Amb is implemented in (concurrent) Haskell [Jones, Gordon, Finne, 96].
◮ It uses forkIO (spawn a concurrent process) and MVar (mutable variable with blocking).

19 / 25

Haskell implementation of Amb

    import Control.Concurrent          -- forkIO, killThread, MVar operations
    import Control.Exception (evaluate)

    ambL :: [D] -> IO D
    ambL xs = do                       -- xs is a list of (possibly nonterminating) computations.
      m <- newEmptyMVar                -- m is an MVar to put the result in.
      acts <- sequence [forkIO $ evaluate x >>= putMVar m | x <- xs]
                                       -- create a process for each x in xs and compute x in parallel
                                       -- to whnf, placing the result in m. The first process to finish
                                       -- fills m; the others block on putMVar until they are killed.
      z <- takeMVar m                  -- take the content of m.
      mapM_ killThread acts            -- kill the processes which are still running.
      return z

    -- With ambL, we define the printing relation
    printing :: D -> IO D
    printing (Amb d) = ambL d >>= printing
    ...

20 / 25

Example 1: Gray → Signed Digit Conversion

◮ Gray-code of real numbers (on the unit interval [-1, 1]) is a non-redundant code of real numbers as {0, 1, ⊥}-sequences.
◮ At most one ⊥ is included in each code.
◮ It is equivalent to signed digit.
◮ Let ONEBOT be the set of {0, 1, ⊥}-sequences with at most one ⊥.
◮ SDtoGRAY : {−1, 0, 1}ω → ONEBOT.
◮ GRAYtoSD : ONEBOT → {−1, 0, 1}ω.
◮ SDtoGRAY can be written in Haskell. (The Haskell list type contains partial infinite sequences like [0, 1, ⊥, 1, 0, 0, . . .].)
◮ For GRAYtoSD, we need to read in a one-bottom sequence.
◮ To read a one-bottom sequence, one needs to evaluate two cells in parallel because a computation of a cell may not terminate. The code of −1/4 is 1 ⊥ 1 0 . . .

21 / 25

Gray → Signed Digit Conversion (2)

◮ SD  Def=  {−1, 0, 1}
◮ I_d  Def=  [d/2 − 1/2, d/2 + 1/2]
◮ C(x)  ν=  ∃d ∈ SD (x ∈ I_d ∧ C(2x − d))  (x has a signed digit representation; defined coinductively.)
◮ C2(x)  ν=  S2(∃d ∈ SD (x ∈ I_d ∧ C2(2x − d)))  (x has a signed digit representation, computed concurrently.)
◮ D(x)  Def=  x ≠ 0 → x ≤ 0 ∨ x ≥ 0  (If x ≠ 0, then it is computable whether x ≤ 0 or x ≥ 0.)
◮ G(x)  ν=  D(x) ∧ G(t(x))  (x has a Gray-code.)
◮ We proved ∀x (C(x) → G(x)). The extracted program is a Haskell program.
◮ We proved ∀x (G(x) → C2(x)). The extracted program produces a Haskell program with the Amb constructor. The signed digit representation is obtained with printing.

22 / 25

Result of computation of gc(⊥10ω)

Gray code of −1/4 is 01⊥10ω.

    gc(0 : 1 : ⊥ : 1 : [0, 0..]) = Amb(Mi(A), Le(B))
    (A) = Amb(Le(C), ⊥)
    (B) = Amb(Ri(D), ⊥)
    (C) ...

[Figure: two reading heads, Head 0 and Head 1, start on the code 01⊥10ω and read cells 0 and 1 in parallel; the animation steps are labelled Mi, Le, Ri and ⊥ as each thread emits a digit or gets stuck on the ⊥ cell.]

    printing(takeD 5 (gc(0 : 1 : ⊥ : 1 : [0, 0..]))) = Mi(Ri(Mi(Mi(Mi Nil))))
    printing(takeD 5 (gc(0 : 1 : ⊥ : 1 : [0, 0..]))) = Le(Ri(Mi(Mi(Mi Nil))))

23 / 25
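The following is an added example, written for this page and not the authors' hand-extracted program. It puts the pieces of the preceding slides into one runnable Haskell module: the D datatype with the Amb constructor, ambL on forkIO/MVar and the printing relation of slide 20, the data(Amb[bot, ...]) nondeterminism of slide 17, and a signed-digit/Gray-code round trip in the spirit of Example 1 (slides 21 to 23). Assumptions not on the slides: Le, Mi and Ri are D constructors standing for the signed digits −1, 0 and 1 (the slides only show them in printed output), D is restricted to the constructors used here (no Pair, no Fun), t is the tent map t(x) = 1 − 2|x| of Tsuiki's Gray code, and signDigit, tent, oneMinusAbs, sdToGray, gc, takeD and diverge are this example's own definitions rather than the extracted realizers.

```haskell
-- Added example, not the authors' extracted program; the names it assumes are listed in the lead-in.
import Prelude hiding (Either (..))
import Control.Concurrent (forkIO, killThread, newEmptyMVar, putMVar, takeMVar)
import Control.Exception (evaluate)
import Control.Monad (forM_)
import System.Timeout (timeout)

data D = Nil | Left D | Right D | Le D | Mi D | Ri D | Amb [D] deriving Show  -- Le, Mi, Ri: digits -1, 0, 1

-- A genuinely divergent value (the slide's bot = rec x.x).  Each step allocates an
-- Integer, so the scheduler can preempt the loop and killThread can stop it.
diverge :: a
diverge = spin (0 :: Integer) where spin n = n `seq` spin (n + 1)

-- McCarthy's amb on a list: evaluate every alternative to weak head normal form
-- in its own thread, take the first result that arrives, kill the rest.
ambL :: [D] -> IO D
ambL xs = do
  m    <- newEmptyMVar
  tids <- mapM (\x -> forkIO (evaluate x >>= putMVar m)) xs
  z    <- takeMVar m
  mapM_ killThread tids
  return z

-- The printing relation: evaluate deeply, expanding every Amb through ambL.
printing :: D -> IO D
printing d = case d of
  Nil      -> return Nil
  Left a   -> Left <$> printing a
  Right a  -> Right <$> printing a
  Le a     -> Le <$> printing a
  Mi a     -> Mi <$> printing a
  Ri a     -> Ri <$> printing a
  Amb alts -> ambL alts >>= printing

-- Cut a digit program after n digits; the alternatives under Amb stay lazy.
takeD :: Int -> D -> D
takeD 0 _ = Nil
takeD n d = case d of
  Le a     -> Le (takeD (n - 1) a)
  Mi a     -> Mi (takeD (n - 1) a)
  Ri a     -> Ri (takeD (n - 1) a)
  Amb alts -> Amb (map (takeD n) alts)
  other    -> other

-- Signed-digit streams: x = sum_i d_i 2^-(i+1) with d_i in {-1,0,1}, total and infinite.
type SD = [Int]
-- Gray digit of x: 1 if x > 0, 0 if x < 0, divergent exactly when x = 0.
-- After k digits x lies in [c - r, c + r] with r = 2^-k.
signDigit :: SD -> Int
signDigit = go 0 1
  where
    go :: Rational -> Rational -> SD -> Int
    go c r (d : ds)
      | c' - r' > 0 = 1
      | c' + r' < 0 = 0
      | otherwise   = go c' r' ds
      where r' = r / 2; c' = c + fromIntegral d * r'
-- The tent map t(x) = 1 - 2|x| on streams; the first digit fixes the branch.
tent :: SD -> SD
tent (d : ds)
  | d > 0     = map negate ds     -- x >= 0:     1 - 2x = -(2x - 1)
  | d < 0     = ds                -- x <= 0:     1 + 2x =   2x + 1
  | otherwise = oneMinusAbs ds    -- |x| <= 1/2: 1 - |2x|
-- y in [-1, 1] |-> 1 - |y|; the result always starts with digit 1.
oneMinusAbs :: SD -> SD
oneMinusAbs (e : es)
  | e > 0     = 1 : map negate es
  | e < 0     = 1 : es
  | otherwise = 1 : oneMinusAbs es
-- SDtoGRAY: a ONEBOT stream whose cell i diverges exactly when t^i(x) = 0.
sdToGray :: SD -> [Int]
sdToGray x = signDigit x : sdToGray (tent x)

-- GRAYtoSD as a concurrent program: two threads read cells 0 and 1, and Amb joins
-- the two attempts, giving gc(0:1:bot:1:...) = Amb(Mi(A), Le(B)) as on the slide.
gc :: [Int] -> D
gc (g0 : g1 : gs) = Amb [viaCell1, viaCell0]
  where
    viaCell1 = case g1 of             -- g1 = 1: t(x) >= 0, i.e. |x| <= 1/2
      1 -> Mi (gc (g0 : flipG (head gs) : tail gs))    -- digit 0, x' = 2x
      _ -> viaCell0                   -- g1 = 0: |x| >= 1/2, so cell 0 is defined
    viaCell0 = case g0 of             -- the sign of x
      0 -> Le (gc (g1 : gs))          -- x <= 0: digit -1, x' = 2x + 1 = t(x)
      _ -> Ri (gc (flipG g1 : gs))    -- x >= 0: digit  1, x' = 2x - 1 = -t(x)
    flipG b = 1 - b                   -- the Gray code of -y flips cell 0 only

main :: IO ()
main = do
  -- data(Amb[bot, Left Nil, Right Nil]) = {Left Nil, Right Nil}; printing picks one.
  printing (Amb [diverge, Left Nil, Right Nil]) >>= print
  -- -1/4 = -1/2 + 1/4 as a signed-digit stream; its Gray code prints as 0 1 _ 1 0 0,
  -- "_" marking the cell whose evaluation did not finish within 0.2 s.
  forM_ (take 6 (sdToGray ((-1) : 1 : repeat 0))) $ \cell -> do
    v <- timeout 200000 (evaluate cell)
    putStr (maybe "_ " (\b -> show b ++ " ") v)
  putStrLn ""
  -- Back through gc from the one-bottom code 0 1 bot 1 0 0 ...; the choice yields
  -- Mi(Le(Mi(Mi(Mi Nil)))) or Le(Ri(Mi(Mi(Mi Nil)))), both denoting -1/4.
  forM_ [1 .. 3 :: Int] $ \_ ->
    printing (takeD 5 (gc (0 : 1 : diverge : 1 : repeat 0))) >>= print
```

Run it with runghc (or compile with ghc); each round of the last loop may print either expansion, since ambL takes whichever thread delivers first and kills the other while it is stuck on the ⊥ cell. The slide's second result, Le(Ri(Mi(Mi(Mi Nil)))), is reproduced literally; the Mi branch of this example continues with Le, which is the expansion 0, −1, 0, 0, 0 of −1/4. Note that signDigit decides the sign strictly (x > 0 or x < 0), so its ⊥ cells sit exactly where t^i(x) = 0 and sdToGray yields the canonical one-bottom code; a realizer of D(x) as defined on slide 22 is unconstrained when x = 0 and may return a digit there.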

Example 2: Pivoting and Gaussian Elimination

Cauchy reals are real numbers satisfying the predicate

    A(x)  Def=  ∀n ∈ N ∃q ∈ Q |x − q| ≤ 2^−n

where

    N(x)  µ=  x = 0 ∨ N(x − 1)

and the rational numbers, Q, are defined from N in the usual way.

    n r N(x)  ⇔  x is a natural number with unary representation n
    f r A(x)  ⇔  f is a fast rational Cauchy sequence converging to x

    x ≠ y  Def=  ∃k ∈ N |x − y| ≥ 2^−k

[Pivoting]  ∀n ∈ N ∀(x0, . . . , xn) ∈ A^(n+1) \ {0^(n+1)}  Sn(∃i ≤ n xi ≠ 0)

The extracted program scans (realizers of) Cauchy reals x0, . . . , xn concurrently for evidence of non-zeroness.

    printing (takeD 30 (pivot 5 (mkD [1/222, 0, 0, 1/25, 0]))) = (1, 24)
    printing (takeD 30 (pivot 5 (mkD [1/222, 0, 0, 1/25, 0]))) = (4, 7)

This can be used to extract a concurrent program for Gaussian elimination.

24 / 25

References

[B 2016] U. Berger. Extracting Non-Deterministic Concurrent Programs. In 25th EACSL Annual Conference on Computer Science Logic (CSL 2016), volume 62 of LIPIcs, pages 26:1–26:21, 2016.

[B 2010] U. Berger. Realisability for induction and coinduction with applications to constructive analysis. Jour. Universal Comput. Sci., 16(18):2535–2555, 2010.

[T 2002] H. Tsuiki. Real Number Computation through Gray Code Embedding. Theoretical Computer Science, 284(2):467–485, 2002.

[Tatsuta 1998] M. Tatsuta. Realizability of monotone coinductive definitions and its application to program synthesis. In Mathematics of Program Construction, volume 1422 of Lecture Notes in Mathematics, pages 338–364. Springer, 1998.

[Schwichtenberg 1991] H. Schwichtenberg. Minimal logic for computable functions. NATO Advanced Study Institute, International Summer School held in Marktoberdorf, 23. Juli 1991 – 04. August 1991, Marktoberdorf, Germany.

25 / 25