[PPT] - On Formal Verification in Imperative Multivalued Programming over PowerPoint Presentation

SLIDE 1

On Formal Verification in Imperative Multivalued Programming over Continuous Data Types

Gyesik Lee, Norbert M¨ uller, Eike Neumann, Sewon Park, Norbert Preining, Martin Ziegler November 29, 2017

1

SLIDE 2

1. Motivation

◮ Recursive Analysis [Turing’37, Braverman’13]: sequence of

dyadic rational approximations (ap · 2p), ap ∈ Z, such that |x − ap · 2p| ≤ 2p → 0 for p → −∞

2

SLIDE 3

1. Motivation

◮ Recursive Analysis [Turing’37, Braverman’13]: sequence of

dyadic rational approximations (ap · 2p), ap ∈ Z, such that |x − ap · 2p| ≤ 2p → 0 for p → −∞

◮ test for equality is equivalent to (the complement of) the

Halting problem [Specker’49, Boldi&Vigna’99]

2

SLIDE 4

1. Motivation

◮ Recursive Analysis [Turing’37, Braverman’13]: sequence of

dyadic rational approximations (ap · 2p), ap ∈ Z, such that |x − ap · 2p| ≤ 2p → 0 for p → −∞

◮ test for equality is equivalent to (the complement of) the

Halting problem [Specker’49, Boldi&Vigna’99]

◮ Algebraic model (aka real-RAM) represent and manipulate a

real number as entity, with exact arithmetic and comparisons:

Z ∋ round(R ∋ x); Z ∋ j := 0; while x > j + 1

2 do j := j + 1 end while

while x ≤ j − 1

2 do j := j − 1 end while

Exponentially faster: determine x’s truncated binary expansion

2

SLIDE 5

1. Motivation

◮ feasible Real-RAM [V. Brattka & P.Hertling ’96] was

suggested.

3

SLIDE 6

1. Motivation

◮ feasible Real-RAM [V. Brattka & P.Hertling ’96] was

suggested.

◮ C++ library iRRAM [N. M¨

uller ’01] provides, via

bject-oriented overloading, a data type REAL for real

numbers: with simultaneously exact and computable primitives by introducing a modified semantics of comparisons.

3

SLIDE 7

1. Motivation

Figure: Implementation of (Soft) Pellet test in C. Yap et al.’s soft subdivision algorithm of root clustering in iRRAM.

4

SLIDE 8

1. Motivation

5

SLIDE 9

1. Motivation

5

SLIDE 10

1. Motivation

Test is only partially defined!

5

SLIDE 11

1. Motivation

How can we “verify” this program?

6

SLIDE 12

1. Motivation

How can we “verify” this program? The present work

◮ formalizes a simple imperative programming language

ver two Abstract Data Types, Z and R

◮ demonstrates its practical use and applicability, ◮ introduces a complete logic for expressing such computations, ◮ and formally verifies trisection root-finding as example in Coq. 6

SLIDE 13

2. Exact Real Computation (ERC)

ERC is a WHILE program (c ::= ε|x := e|c1; c2|if b...|while b...)

7

SLIDE 14

2. Exact Real Computation (ERC)

ERC is a WHILE program (c ::= ε|x := e|c1; c2|if b...|while b...)

1. two datatypes: Z, R

Z–expressions : x | 0 | 1 | e(Z)

1

p(Z) e(Z)

2

,

p(Z) ∈ {+, −}

R–expressions: (ι : Z ∋ p → 2p ∈ R) x | 0 | 1 | ι(e(Z)) | e(R)

1

p(R) e(R)

2

,

p(R) ∈ {+, −, ×, ÷}

7

SLIDE 15

2. Exact Real Computation (ERC)

ERC is a WHILE program (c ::= ε|x := e|c1; c2|if b...|while b...)

1. two datatypes: Z, R

Z–expressions : x | 0 | 1 | e(Z)

1

p(Z) e(Z)

2

,

p(Z) ∈ {+, −}

R–expressions: (ι : Z ∋ p → 2p ∈ R) x | 0 | 1 | ι(e(Z)) | e(R)

1

p(R) e(R)

2

,

p(R) ∈ {+, −, ×, ÷}
2. where a function f :⊆ Rd × Z → R is computed by a program

g :⊆ Z × Rd × Z → R such that |f (x1, . . . , xd, j) − g(p, x1, . . . , xd, j)| ≤ 2p

7

SLIDE 16

2. Exact Real Computation (ERC)

ERC is a WHILE program (c ::= ε|x := e|c1; c2|if b...|while b...)

1. two datatypes: Z, R

Z–expressions : x | 0 | 1 | e(Z)

1

p(Z) e(Z)

2

,

p(Z) ∈ {+, −}

R–expressions: (ι : Z ∋ p → 2p ∈ R) x | 0 | 1 | ι(e(Z)) | e(R)

1

p(R) e(R)

2

,

p(R) ∈ {+, −, ×, ÷}
2. where a function f :⊆ Rd × Z → R is computed by a program

g :⊆ Z × Rd × Z → R such that |f (x1, . . . , xd, j) − g(p, x1, . . . , xd, j)| ≤ 2p

3. where a boolean expression has partial or multivalued

meaning: (x > y) =    1 : x > y, : x < y, ⊥ : x = y choose(a, b) =    : a = true, 1 : b = true, ⊥ : otherwise

7

SLIDE 17

2. Exact Real Computation (ERC)

(x > y) =    1 : x > y, : x < y, ⊥ : x = y choose(a, b) =    : a = true, 1 : b = true, ⊥ : otherwise ◮ “if x > y then · · · else · · ·′′ does not terminate if x, y : R and

x = y.

◮ “if choose(x > y − ı(p), y + ı(p) > x) then · · · else · · · ”

terminates for all x, y ∈ R, p ∈ Z, within potential error (multivalued) of 2p:

8

SLIDE 18

2. Exact Real Computation (ERC)

◮ Like comparing real numbers, rounding down/up or to the

nearest integer is a common but uncomputable operation: extensionally.

◮ The multivalued/non-extensional variant

round : R ∋ x → {k ∈ Z : x − 1 < k < x + 1} ⊆ Z

n the other hand is computable:

9

SLIDE 19

Algorithm (I) INTEGER round(REAL x)

1: INTEGER ∋ b; INTEGER ∋ k := 0; INTEGER ∋ l := 0; REAL ∋ y := x 2: while choose

|y|<1 , |y|> 1

2

do

3: l := l + 1; y := y/2; 4: end while 5: while l > 0 do 6: y := y * 2 7: b := choose( y<0 , −1<y<1 , y>0 ) − 1 8: y := y − b 9: k := k + k + b 10: l := l − 1 11: end while; return k post=

|x − k| < 1
10

SLIDE 20

2. Exact Real Computation (ERC)

Theorem

Every partial function f :⊆ Rd × Z → R computable in the sense of Recursive Analysis can be implemented in Exact Real Computation.

brief Proof.

◮ Exact Real Computation can implement a Counter Machine,

and thus any Turing Machine, on discrete input.

◮ Combining the rounding program with the precision

embedding, an := round

x · ı(n)
∈ Z yields the numerators
f a sequence an/2n of dyadic approximations to x up to

absolute error ≤ 2−n: the way of presenting real argument to a Turing machine computing f (x).

11

SLIDE 21

3. Logic of Exact Real Computation

Consider the two-sorted structure consisting of Presburger Arithmetic (Z, 0, 1, +, >) and real-closed field (R, 0, 1, +, ×, >) of characteristic 0 together with the ‘binary precision’ embedding ı : Z ∋ p → 2p ∈ R in order to express the output error specification.

12

SLIDE 22

3. Logic of Exact Real Computation

Consider the two-sorted structure consisting of Presburger Arithmetic (Z, 0, 1, +, >) and real-closed field (R, 0, 1, +, ×, >) of characteristic 0 together with the ‘binary precision’ embedding ı : Z ∋ p → 2p ∈ R in order to express the output error specification.

Theorem

The first-order theory of the above two-sorted structure is decidable; but not when replacing ı with the ‘unary’ embedding N+ ∋ n → 1/n ∈ R.

12

SLIDE 23

3. Logic of Exact Real Computation

◮ (Floyd-)Hoare Logic is a well-known formal system for

reasoning about partial and total correctness of imperative programs

◮

P
C
Q
: the postcondition Q holds after executing C

whenever the precondition P was met before C, with guaranteed termination.

Q[e/x]
x:=e
Q
(r.as)

(1) p ⇒ p′

p′
c
q′
q′ ⇒ q
p
c
q
(r.cons)

(2)

P ∧ b
C
R
P ∧ ¬b
A
R
P
if b then C else A
R
(r.if )

(3)

I ∧ b ∧ (V = N)
C
I ∧ (V < N)
,

I ∧ (V ≤ 0) ⇒ ¬b

I
while b do C
I ∧ ¬b
(r.w)

(4)

13

SLIDE 24

3. Logic of Exact Real Computation

◮ Note that a singlevalued partial expression b is simply

choose(¬b, b)

P ∧ c
C
R
P ∧ a
A
R
P ∧ (a ∨ c)
if choose(a, c) then Celse A
R
(r.if 2)

(5)

I ∧ c ∧ (V = R)
C
(a ∨ c) ∧ I ∧ (V ≤ R − ε)
,

I ∧ (V ≤ 0) ⇒ ¬c

I ∧ (a ∨ c)
while choose(a, c) do C
I ∧ a
(r.w2)

(6)

14

SLIDE 25

3. Logic of Exact Real Computation

◮ Let f : [0, 1] → R be continuous with a unique and simple root ◮ Bisection proceeds according to the sign of f (1/2); but fails in

Exact Real Computation in case 1/2 already is a root!

◮ Instead, trisection tests the signs of both f (1/3) and f (2/3)

in parallel, knowing from the hypothesis on f that at most

ne of both can be zero:

15

SLIDE 26

Algorithm (III) REAL Trisection(INTEGER p, REAL → REAL f )

1: REAL ∋ x := 0; REAL ∋ y := 1 pre =

uniq(f , 0, 1) ∧ cont(f )
2: while choose
ı(p) > y − x , y − x > ı(p − 1)
do

3: if choose

0 > f ((2x + y)/3) ∗ f (y) , 0 > f (x) ∗ f ((x + 2y)/3)
4:

then b := (x + 2 ∗ y)/3 else x := (2 ∗ x + y)/3 end if 5: end while; return x post =

uniq(f , x, y) ∧ |y − x| ≤ 2p
invar :≡ 0 ≤ x < y ≤ 1 ∧ uniq(f , x, y)

variant :≡ y − x − 2p−1 uniq(f , a, b) :≡

∃!x ∈ [a, b] :

f (x) = 0 ∧ f (a) · f (b) < 0

16

SLIDE 27

3. Logic of Exact Real Computation

˜ a := ı(p) > y − x , ˜ c := y − x > ı(p − 1) a := f 2x+y

3

· f
b
< 0 , c := f
x
· f

x+2y

3

< 0

C1 :≡ x:=0; y:=1 C2 :≡ while choose(˜ a, ˜ c) C3 :≡ if choose(a, c) C5 :≡ y:=(x+2y)/3 C4 :≡ x:=(2x+y)/3 do then else 17

SLIDE 28

3. Logic of Exact Real Computation

Let I :≡ 0 ≤ x < y ≤ 1 ∧ uniq(f , x, y) ∧ cont(f ) V := y − x − 2p−1 ˜ P :≡ I ∧ ˜ c ∧

V = R
˜

Q :≡ (˜ a ∨ ˜ c) ∧ I ∧ (V ≤ R − ε) ε :=

1 3 · 2p−1 r.as

I ∧ (˜

a ∨ ˜ c)

x, 1
y
C1
I ∧ (˜

a ∨ ˜ c)

r.as
˜

Q x+2y

3

y
C5
˜

Q

r.cons
˜

P ∧ c

C5
˜

Q

r.as
˜

Q 2x+y

3

x
C4
˜

Q

r.cons
˜

P ∧ a

C4
˜

Q

r.if2
˜

P ∧ (a ∨ c)

C3
˜

Q

r.cons
˜

P

C3
˜

Q

r.w2
I ∧ (˜

a ∨ ˜ c)

C2
I ∧ ˜

a

r.cons
P
C1; C2
Q
(7)

18

SLIDE 29

3. Logic of Exact Real Computation

◮ With the proof tree of the formal verification, the below

implications need to be proven, as premises of the rule of consequence: ˜ P ∧ a ⇒ ˜ Q 2x+y

3

x
(8)

˜ P ∧ c ⇒ ˜ Q x+2y

3

y
(9)

˜ P ⇒ ˜ P ∧ (a ∨ c) (10) P ⇒

I ∧ (˜

a ∨ ˜ c)

x, 1
y
(11)

I ∧ ˜ a ⇒ Q (12)

◮ Then implications can be formally proven in a Proof Assistant

Coq using its standard library of axiomatized real numbers. The full code in Coq can be found in http://theoryofcomputation.asia/ERC3section.v

19

SLIDE 30

3. Logic of Exact Real Computation

◮ The below formulation of the predicate uniq and lemmas

according to the Intermediate Value Theorem constitutes the core parts of the formal proofs of implications: Definition uniq (f : R → R) (a b : R ) := (∃! z : R, a ≤ z ≤ b ∧ f z = 0) ∧ f a × f b < 0. Lemma g IVT : ∀ (f : R → R) (x y : R), cont f → x < y → (f x) × (f y) < 0 → {z : R | x ≤ z ≤ y ∧ f z = 0}. Lemma uniq refinement : ∀ (f : R → R) (x a b y : R), cont f → uniq f x y → a < b → x ≤ a → b ≤ y → (f a) × (f b) < 0 → uniq f a b.

20

SLIDE 31

3. Logic of Exact Real Computation

We can also formalize weakest precondition according to the inference rules, to automate verification condition extraction: wp(if choose(x2 > y2, x1 > y1) then C1else C2, R) =x1 > y1 ∨ x2 > y2 ∧(x1 > y1 ⇒ wp(C1, R) ∧ x2 > y2 ⇒ wp(C2, R)) wp( while choose(x2 > y2, x1 > y1) do C, R) =I ∧∃c∀a,z

I ∧ x1 > y1 ∧ V = z ⇒ wp(I ∧ V ≤ z − c, C)
∧∃c0∀a
I ∧ V ≤ c0 ⇒ x1 ≤ y1
∧∀a
(I ∧ x2 > y2) ⇒ R
∧∀a
I ⇒ (x1 > y1 ∨ x2 > y2)
∀a is a universal quantifier over all variables whose values get

manipulated in the loop body, C.

21

SLIDE 32

3. Logic of Exact Real Computation

Weakest precondition yields following verification conditions:

uniqe(f , 0, 1) ∧ cont(f )

1. 0 ≤ 0 < 1 ≤ 1 ∧ uniq(f , 0, 1)
2. ∃c∀x,y,z
0 ≤ x < y ≤ 1 ∧ uniq(f , x, y) ∧ y − x > 2p−1 ∧ y − x = z
⇒
f (x)f ( x + 2y

3 ) < 0 ∨ f ( 2x + y 3 )f (y) < 0

∧
f (x)f ( x + 2y

3 ) < 0 ⇒ 0 ≤ x < x + 2y 3 ≤ 1 ∧ uniq(f , x, x + 2y 3 ) ∧ x + 2y 3 − x ≤ z − c ∧

f ( 2x + y

3 )f (y) < 0 ⇒ 0 ≤ 2x + y 3 < y ≤ 1 ∧ uniq(f , 2x + y 3 , b) ∧ y − 2x + y 3 ≤ z − c

3. ∃c0∀x,y
0 ≤ x < y ≤ 1 ∧ uniq(f , x, y) ∧ y − x ≤ c0
⇒ y − x ≤ 2p−1
4. ∀x,y
0 ≤ x < y ≤ 1 ∧ uniq(f , x, y) ∧ y − x < 2p

⇒ ∃!x′ ∈ [0, 1] : f (x′) = 0 ∧ |x′ − x| ≤

5. ∀x,y
0 ≤ x < y ≤ 1 ∧ uniq(f , x, y)
⇒ (y − x > 2p−1 ∨ y − x < 2p)
22

SLIDE 33

4. Conclusion and Perspective

◮ Formalized ERC as imperative programming language with

computable partial comparison and multivalued predicate.

◮ Demonstrated programming in ERC with numerical example

problems.

◮ Introduced and established completeness of a two-sorted logic

for specifying such computations.

◮ Adapted Hoare Logic for formal verification of such programs. ◮ Formally verified trisection root-finding in Coq Proof Assistant 23

SLIDE 34

4. Conclusion and Perspective

◮ Formalized ERC as imperative programming language with

computable partial comparison and multivalued predicate.

◮ Demonstrated programming in ERC with numerical example

problems.

◮ Introduced and established completeness of a two-sorted logic

for specifying such computations.

◮ Adapted Hoare Logic for formal verification of such programs. ◮ Formally verified trisection root-finding in Coq Proof Assistant

Algorithmic foundations of reliable computing with continuous data: Software Engineering in Numerics, mission/life critical applications, computer-assisted proofs.