low level code and high level theorems
play

Low-Level Code and High-Level Theorems Sascha Bhme Technische - PowerPoint PPT Presentation

Aug 31, 2023 •136 likes •717 views

Low-Level Code and High-Level Theorems Sascha Bhme Technische Universitt Mnchen, Germany Joint work with Eyad Alkassar 1 , Ernie Cohen 2 , Kurt Mehlhorn 3 and Christine Rizkallah 3 1 Universitt des Saarlandes, Germany 2 European Microsoft

  1. Low-Level Code and High-Level Theorems Sascha Böhme Technische Universität München, Germany Joint work with Eyad Alkassar 1 , Ernie Cohen 2 , Kurt Mehlhorn 3 and Christine Rizkallah 3 1 Universität des Saarlandes, Germany 2 European Microsoft Innovation Center, Aachen, Germany 3 Max-Planck-Institut für Informatik, Saarbrücken, Germany 1

  2. C code 2

  3. program C code verification 2

  4. theorem program C code verification 2

  5. interactive theorem theorem prover program C code verification 2

  6. interactive theorem theorem prover program C code verification 2

  7. Isabelle/HOL interactive theorem theorem prover program C code verification VCC 2

  8. VCC: ◮ assertional verifier for full C ◮ first-order logic as specification language ◮ fully automatic thanks to Boogie and Z3 ◮ specification by code annotations ◮ function contracts, object invariants ◮ ghost code, ghost functions 3

  9. VCC: ◮ assertional verifier for full C ◮ first-order logic as specification language ◮ fully automatic thanks to Boogie and Z3 ◮ specification by code annotations ◮ function contracts, object invariants ◮ ghost code, ghost functions Isabelle/HOL: ◮ interactive theorem prover for higher-order logic ◮ rich set of formalized mathematics ◮ various automated provers 3

  10. Isabelle/HOL interactive theorem theorem prover program C code verification VCC 4

  11. Isabelle/HOL interactive theorem theorem prover LEDA graph algorithms program C code verification VCC 4

  12. LEDA graph algorithms 4

  13. 5

  14. Programmers 5

  15. Social programmers Graph 5

  16. Pair programming Matching 5

  17. Optimal pair programming Maximum cardinality matching 5

  18. Definitions Matching: ◮ a graph ◮ no edge is incident to another edge 6

  19. Definitions Matching: ◮ a graph ◮ no edge is incident to another edge Odd-set cover: ◮ labeling of nodes ◮ every edge is incident to a node labeled 1 or connects two nodes labeled i (with i ≥ 2) 6

  20. Optimal pair programming Maximum cardinality matching 7

  21. Certificate Odd-set cover 1 0 1 0 2 2 1 2 0 7

  22. Theorem The maximum cardinality of a graph matching is � ⌊ n i / 2 ⌋ n 1 + i ≥ 2 where n i is the number of nodes labeled i by an odd-set cover. 8

  23. LEDA graph algorithms 9

  24. Isabelle/HOL interactive theorem theorem prover LEDA graph algorithms program C code verification VCC 9

  25. LEDA graph algorithms program C code verification VCC 9

  26. Maximum Cardinality Matching Checker C Code 10

  27. Maximum Cardinality Matching Checker C Code Given: ◮ graph G ◮ graph M (maximum cardinality matching) ◮ labeling OSC (odd-set cover) 10

  28. Maximum Cardinality Matching Checker C Code Given: ◮ graph G ◮ graph M (maximum cardinality matching) ◮ labeling OSC (odd-set cover) Check: ◮ M is a matching ◮ M is a subset of G ◮ OSC is an odd-set cover of G ◮ M is maximal wrt. G and OSC 10

  29. Maximum Cardinality Matching Checker C Code Given: ◮ graph G ◮ graph M (maximum cardinality matching) ◮ labeling OSC (odd-set cover) Check: ◮ M is a matching ◮ M is a subset of G ◮ OSC is an odd-set cover of G ◮ M is maximal wrt. G and OSC Implementation: ◮ straightforward 10

  30. Maximum Cardinality Matching Checker Specification struct graph { edge * es; unsigned n_edges, n_nodes; } 11

  31. Maximum Cardinality Matching Checker Specification struct graph { edge * es; unsigned n_edges, n_nodes; invariant( ∀ (unsigned e; e < n_edges − → es[e].s < n_nodes ∧ es[e].t < n_nodes ∧ es[e].s � = es[e].t)) } 11

  32. Maximum Cardinality Matching Checker Specification struct graph { edge * es; unsigned n_edges, n_nodes; invariant( ∀ (unsigned e; e < n_edges − → es[e].s < n_nodes ∧ es[e].t < n_nodes ∧ es[e].s � = es[e].t)) } spec(bool spec_is_osc(graph * G, unsigned * osc) returns(... ∧ ∀ (unsigned e; e < G->n_edges − → osc[G->es[e].s] = 1 ∨ osc[G->es[e].t] = 1 ∨ (osc[G->es[e].t] = osc[G->es[e].s] ∧ osc[G->es[e].t] > 1)));) 11

  33. What is proved? check(G, M, osc) = true ← → |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ 12

  34. What is proved? check(G, M, osc) = true ← → |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ What is missing? |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ − → ( ∀ M’. is_matching(M’) ∧ is_subset(G,M’) − → |M’| ≤ |M|) 12

  35. What is proved? check(G, M, osc) = true ← → |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ What is missing? |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ − → ( ∀ M’. is_matching(M’) ∧ is_subset(G,M’) − → |M’| ≤ |M|) VCC: ◮ good at low-level code verification ◮ not much support for high-level proofs 12

  36. What is proved? check(G, M, osc) = true ← → |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ What is missing? |M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ − → ( ∀ M’. is_matching(M’) ∧ is_subset(G,M’) − → |M’| ≤ |M|) VCC: ◮ good at low-level code verification ◮ not much support for high-level proofs Requires abstraction! 12

  37. LEDA graph algorithms program C code verification VCC 13

  38. Isabelle/HOL interactive theorem theorem prover LEDA graph algorithms program C code verification VCC 13

  39. Isabelle/HOL interactive theorem theorem prover program C code verification VCC 13

  40. 14

  41. Isabelle/HOL VCC 14

  42. Isabelle/HOL VCC concrete assert(p(x)); property 14

  43. Isabelle/HOL VCC abstract spec(bool P(X) returns(...);) property concrete assert(p(x)); property 14

  44. Isabelle/HOL VCC abstract spec(bool P(X) returns(...);) property spec(void P_equivalence(x) ensures(p(x) ⇐ ⇒ P(abs(x)));) concrete assert(p(x)); property 14

  45. Isabelle/HOL VCC abstract spec(bool P(X) returns(...);) property spec(void P_holds(X) ensures(P(X));) spec(void P_equivalence(x) ensures(p(x) ⇐ ⇒ P(abs(x)));) concrete assert(p(x)); property 14

  46. Isabelle/HOL formal definition P where “P(X) = . . . ” theorem P_holds: “P(X)” � proof � proof VCC abstract spec(bool P(X) returns(...);) property spec(void P_holds(X) ensures(P(X));) spec(void P_equivalence(x) ensures(p(x) ⇐ ⇒ P(abs(x)));) concrete assert(p(x)); property 14

  47. Maximum Cardinality Matching Checker VCC 15

  48. Maximum Cardinality Matching Checker VCC struct abs_graph { abs_edge es[mathint]; mathint n_edges, n_nodes; }; 15

  49. Maximum Cardinality Matching Checker VCC struct abs_graph { abs_edge es[mathint]; mathint n_edges, n_nodes; }; spec(abs_graph abs_g(graph * G) ensures(...);) 15

  50. Maximum Cardinality Matching Checker VCC struct abs_graph { abs_edge es[mathint]; mathint n_edges, n_nodes; }; spec(abs_graph abs_g(graph * G) ensures(...);) spec(bool abs_is_osc(abs_graph G, abs_fun osc) ensures(...);) 15

  51. Maximum Cardinality Matching Checker VCC struct abs_graph { abs_edge es[mathint]; mathint n_edges, n_nodes; }; spec(abs_graph abs_g(graph * G) ensures(...);) spec(bool abs_is_osc(abs_graph G, abs_fun osc) ensures(...);) void is_osc_equivalence(graph * G, unsigned * osc) ensures( spec_is_osc(G, osc) ⇐ ⇒ abs_is_osc(abs_g(G), abs_f(osc))); 15

  52. Maximum Cardinality Matching Checker Isabelle/HOL 16

  53. Maximum Cardinality Matching Checker Isabelle/HOL record abs_graph = es :: int ⇒ abs_edge n_edges, n_nodes :: int 16

  54. Maximum Cardinality Matching Checker Isabelle/HOL record abs_graph = es :: int ⇒ abs_edge n_edges, n_nodes :: int definition abs_is_osc where “abs_is_osc G osc = (. . . ∧ ( ∀ e. 0 ≤ e ∧ e < n_edges G − → osc (s (es G e)) = 1 ∨ osc (t (es G e)) = 1 ∨ (osc (t (es G e)) = osc (s (es G e)) ∧ osc (t (es G e)) > 1)))” 16

  55. Maximum Cardinality Matching Checker Isabelle/HOL record abs_graph = es :: int ⇒ abs_edge n_edges, n_nodes :: int definition abs_is_osc where “abs_is_osc G osc = (. . . ∧ ( ∀ e. 0 ≤ e ∧ e < n_edges G − → osc (s (es G e)) = 1 ∨ osc (t (es G e)) = 1 ∨ (osc (t (es G e)) = osc (s (es G e)) ∧ osc (t (es G e)) > 1)))” theorem “|M| = n 1 + � i ≥ 2 ⌊ n i / 2 ⌋ − → ( ∀ M’. is_matching(M’) ∧ is_subset(G,M’) − → |M’| ≤ |M|)” � proof � 16

  56. Combination of VCC and Isabelle/HOL ◮ combines the best of both worlds ◮ low-level code verification with VCC ◮ high-level mathematical reasoning with Isabelle/HOL ◮ sound combination ◮ clean separation of concepts 17

  57. Isabelle/HOL interactive theorem theorem prover program C code verification VCC 18

  58. Isabelle/HOL interactive theorem theorem prover LEDA graph algorithms program C code verification VCC 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng

High-Level Synthesis Creating Custom Circuits from High-Level Code Hao Zheng Comp Sci &amp; Eng University of South Florida 1 Existing Design Flow Register-transfer (RT) synthesis Specify RT structure (muxes, registers, etc) Allows

1.29k views • 70 slides
High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language

High-Level Languages Languages Assembly vs Machine Code Assembly vs high-level language Why Learn New Language availability special features porting maintenance more tools required for job cost Why Design a

1.36k views • 54 slides
Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National

OOPSLA 18 Boston Reconciling High-Level Optimizations and Low-Level Code in LLVM Juneyoung Lee Seoul National Univ. Chung-Kil Hur MPI-SWS Ralf Jung Zhengyang Liu University of Utah John Regehr Nuno P. Lopes Microsoft Research

1.3k views • 127 slides
The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot;

The Problem of Temporal Abstraction How do we connect the high level to the low-level? &quot; the human level to the physical level? &quot; the decide level to the action level? MDPs are great, search is great,

676 views • 31 slides
High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the

High-level languages High-level languages are not immune to these problems. Actually, the situation is even worse: the compiler might reorder/remove/add memory accesses; and then the hardware will do some relaxed execution. p. 1 Constant

512 views • 26 slides
High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level

Just compile it: High-level programming on the GPU with Julia Tim Besard (@maleadt) Yet another high-level language? julia&gt; function mandel(z) c = z Dynamically typed, high-level syntax maxiter = 80 for n = 1:maxiter if abs(z) &gt; 2

953 views • 44 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2015 - Lecture 10: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

440 views • 43 slides
Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2016 - Lecture 13: Practical Welcome! Todays Agenda: DotCloud: profiling &amp; high-level (1) DotCloud: low-level and blind stupidity DotCloud: high-level (2)

1.26k views • 51 slides
HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem

HIGH-LEVEL SEARCH: FROM HYPER- HEURISTICS TO ALGORITHM SELECTION MUSTAFA MISIR HIGH-LEVEL SEARCH Instead of directly solving a High-level Search Methods given probem (~instance), Operates upon perform a search on algorithm space

526 views • 23 slides
Introduction to Coding in Python Fermilab - TARGET 2017 Week 1 Low to High Level Programing

Introduction to Coding in Python Fermilab - TARGET 2017 Week 1 Low to High Level Programing

Introduction to Coding in Python Fermilab - TARGET 2017 Week 1 Low to High Level Programing Languages Machine code - computers hardware understand binary numbers Assembly - 1 to 1 mapping to computer instructions (High level) Programming

731 views • 14 slides
Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want

Juliana Franco Martin Hagelin Tobias Wrigstad Sophia Drossopoulou The OHMM framework Low-Level Memory Optimisations at the High-Level with Ownership-like Annotations Do you want fast programs? More cores? More threads? Write better

330 views • 29 slides
UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting

UN High UN High UN High UN High- - - -Level Meeting on TB Level Meeting on TB Level Meeting on TB Level Meeting on TB Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Berlin, 18 May 2017 Lucica Ditiu and Greg Paton, Stop TB

668 views • 20 slides
Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks

Bridging the gap between low level vision and high level tasks VALSE 2019-09-18 1 Outline Gated fusion network for single image dehazing , CVPR18 Benchmarks: RESIDE (dehazing), MPID

1k views • 45 slides
Simple High-Level Code For Cryptographic Arithmetic With Proofs, Without Compromises Andres

Simple High-Level Code For Cryptographic Arithmetic With Proofs, Without Compromises Andres

Simple High-Level Code For Cryptographic Arithmetic With Proofs, Without Compromises Andres Erbsen, Jade Philipoom, Jason Gross, Robert Sloan, Adam Chlipala MIT CSAIL g i t h u b . c o m / m i t - p l v / fi a t - c

655 views • 53 slides
Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A

Code Shape More on Three-address Code Generation cs5363 1 Machine Code Translation A single language construct can have many implementations many-to-many mappings from high-level source language to low-level target machine language

560 views • 16 slides
1 A Low-Level IR Example Register Transfer Language (RTL) Source code High-level IR (AST)

1 A Low-Level IR Example Register Transfer Language (RTL) Source code High-level IR (AST)

Undergraduate Compilers Review cont... Structure of a Typical Compiler Analysis Synthesis Announcements Advice for the project writeups was posted on the mailing list character stream SVN log will need more than one entry for a one

325 views • 5 slides
Centralizing the Mink Survey at Centralizing the Mink Survey at the National Agricultural

Centralizing the Mink Survey at Centralizing the Mink Survey at the National Agricultural

Centralizing the Mink Survey at Centralizing the Mink Survey at the National Agricultural Statistics S Service i Roger Schou &amp; Emily Caron National Agricultural Statistics Service IBUC XIII IBUC XIII Baltimore, Maryland USA The Ghost

587 views • 20 slides
Serving Two Masters An Empirical Study of Browser API Cooptation Pete Snyder, Chris Kanich

Serving Two Masters An Empirical Study of Browser API Cooptation Pete Snyder, Chris Kanich

Serving Two Masters An Empirical Study of Browser API Cooptation Pete Snyder, Chris Kanich University of Illinois at Chicago Less More Features Features Less More Features Features Managed Pointer Memory Arithmetic

1.18k views • 38 slides
Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische

Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische

Coulomb gauge and Schwinger-Dyson equations Peter Watson Instit ut f ur Theoretische Physik Universit at T ubingen (supported by DFG contracts no. Re856/6-1 &amp; Re856/6-2) Collaborator: H. Reinhardt P. W. and H. Reinhardt,

152 views • 14 slides
One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of

One-leg off-shell helicity amplitudes in high-energy factorization Piotr Kotko Institute of Nuclear Physics (Cracow) supported by LIDER/02/35/L-2/10/NCBiR/2011 based on A. van Hameren, P .K., K. Kutak, JHEP 1212 (2012) 029 Motivation Why

263 views • 12 slides
Enzo-E/Cello astrophysics and cosmology Adaptive mesh refinement astrophysics using Charm++ James

Enzo-E/Cello astrophysics and cosmology Adaptive mesh refinement astrophysics using Charm++ James

Enzo-E/Cello astrophysics and cosmology Adaptive mesh refinement astrophysics using Charm++ James Bordner, Michael L. Norman University of California, San Diego San Diego Supercomputer Center 18th Annual Workshop on Charm ++ and Its

532 views • 49 slides
The boundary Flows-3 conditions A Simple Solver for Variable Density Flow (3 of 3) Gretar

The boundary Flows-3 conditions A Simple Solver for Variable Density Flow (3 of 3) Gretar

DNS of Multiphase Flows DNS of Multiphase Flows Direct Numerical Simulations of Multiphase The boundary Flows-3 conditions A Simple Solver for Variable Density Flow (3 of 3) Gretar Tryggvason DNS of Multiphase Flows DNS of

453 views • 3 slides
Big Data I: Graph Processing, Distributed Machine Learning CS 240: Computing Systems and

Big Data I: Graph Processing, Distributed Machine Learning CS 240: Computing Systems and

Big Data I: Graph Processing, Distributed Machine Learning CS 240: Computing Systems and Concurrency Lecture 21 Marco Canini Credits: Michael Freedman and Kyle Jamieson developed much of the original material. Selected content adapted from J.

959 views • 58 slides
Efciently combining, counting, and iterating W RITIN G EF F ICIEN T P YTH ON CODE Logan

Efciently combining, counting, and iterating W RITIN G EF F ICIEN T P YTH ON CODE Logan

Efciently combining, counting, and iterating W RITIN G EF F ICIEN T P YTH ON CODE Logan Thomas Senior Data Scientist, Protection Engineering Consultants Pokmon Overview Trainers (collect Pokmon) WRITING EFFICIENT PYTHON CODE

714 views • 58 slides

More recommend