Reasoning about Relaxed Programs
Michael Carbin, Deokhwan Kim, Sasa Misailovic, and Martin Rinard
TRANSCRIPT
![Page 1: Reasoning about Relaxed Programs Michael Carbin Deokhwan Kim, Sasa Misailovic, and Martin Rinard](https://reader035.vdocuments.net/reader035/viewer/2022081418/56649f2f5503460f94c48e2c/html5/thumbnails/1.jpg)
Reasoning about Relaxed Programs
Michael Carbin
Deokhwan Kim, Sasa Misailovic, and Martin Rinard
Research Focus
• Non-Traditional Program Transformation
  – Program Repair
    • Eliminate memory leaks
    • Eliminate memory errors (buffer overflows, segfaults)
    • Escape from infinite loops
  – Accuracy-Aware Program Optimization
    • Trade accuracy of result for performance
Traditional Program Transformation

[Diagram: a .c program is transformed into another .c program that is semantically equivalent (≡) to the original.]
Non-Traditional Program Transformation

[Diagram: a .c program is transformed into another .c program that is only approximately equivalent (≅) to the original.]
Loop Perforation of Motion Estimation in x264 (Misailovic, et al.)

[Figure: a block of the Current Frame is matched against the Reference Frame; the "?" marks the block being searched for.]
Loop Perforation

```
int motion_estimation(block_t[] blocks, int n) {
  int idx = 0, best = INT_MAX, num_iters = 0, i = 0;
  while (i < n) {
    int cur = compute_distance(blocks[i]);
    if (cur < best) { idx = i; best = cur; }
    num_iters = num_iters + 1;
    i = i + 1;                      // original: every block is examined
  }
  assert (0 <= idx < n);
  return idx;
}
```
Loop Perforation

```
int motion_estimation(block_t[] blocks, int n) {
  int idx = 0, best = INT_MAX, num_iters = 0, i = 0;
  while (i < n) {
    int cur = compute_distance(blocks[i]);
    if (cur < best) { idx = i; best = cur; }
    num_iters = num_iters + 1;
    i = i + 2;                      // perforated: every other block is skipped
  }
  assert (0 <= idx < n);
  return idx;
}
```
Loop Perforation

```
int motion_estimation(block_t[] blocks, int n) {
  int idx = 0, best = INT_MAX, num_iters = 0, i = 0;
  while (i < n) {
    int cur = compute_distance(blocks[i]);
    if (cur < best) { idx = i; best = cur; }
    num_iters = num_iters + 1;
    i = i + 4;                      // perforated: only every fourth block is examined
  }
  assert (0 <= idx < n);
  return idx;
}
```
Quality of Service Profiling

• Automatically explore alternate versions

[Diagram: the Program, its Input(s) and a QoS model feed a Time Profiler; its timing info selects a Subcomputation Transformation, the Quality of Service profiler measures performance vs QoS info for it, and that feeds Transformation Evaluation.]
Research Questions
Is it possible to write an implementation and specify flexibility at the same time?
Or write a program and later relax its semantics?
What can we say about the correctness of the resulting program?
Loop Perforation Example

```
int motion_estimation(block_t[] blocks, int n) {
  int idx = 0, best = INT_MAX, step = 1, num_iters = 0, i = 0;
  while (i < n) {
    int cur = compute_distance(blocks[i]);
    if (cur < best) { idx = i; best = cur; }
    num_iters = num_iters + 1;
    relax (step) st step == 1 || step == 2;    // nondeterministically set step, subject to the constraint
    i = i + step;
  }
  assert (0 <= idx < n);
  accept (num_iters<o> / 2 <= num_iters<r>);   // relates the original (<o>) and relaxed (<r>) executions
  return idx;
}
```
Relaxed Program

• Single Program Text, Two Semantics
  – One interpretation with the original semantics (ignore relax statements)
  – One interpretation with the relaxed semantics (include relax statements)

The two semantics are related by nondeterministic transformations of the program state:

relax (step) st step == 1 || step == 2;
Relaxed Programming Assertions

• accept (P*)
  – Relational assertion: relates both semantics.
• assert (P)
  – Non-relational assertion: must hold for each execution individually.
• assume (P)
  – Non-relational assumption: like admit in Coq.

assert (0 <= idx < n);
Program Semantics Formalization

• Dynamic Semantics
  – One for the original semantics: original execution.
  – One for the relaxed semantics: relaxed execution.
• Axiomatic Semantics for Verification
  – Variant of Relational Hoare Logic.
Axiomatic Semantics

[Diagram: the same Input drives an Original Execution and a Relaxed Execution; their results are related (≅) by accept (num_iters<o> / 2 <= num_iters<r>).]
Verification Guarantees

• Acceptability
  – An original execution and a relaxed execution on the same input satisfy the accept statements.
• Non-interference with assert and assume
  – Still valid for relaxed executions.
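The following Python model is an added example, not code from the slides or from the authors' Coq development. It runs the slides' motion_estimation text under both semantics: the relax statement is modelled by a caller-supplied choice function, so the original semantics (relax ignored, step stays 1) and the relaxed semantics (step drawn from the set allowed by the `st` constraint) share one program text, and every resolution of the nondeterminism is enumerated so the accept statement and the assert can be checked over all original/relaxed execution pairs. The helper names (`original_execution`, `relaxed_executions`, `acceptable`, `worst_quality_loss`), the use of a plain distance list in place of `compute_distance(blocks[i])`, and the sample distances are assumptions made here.

```python
"""Executable model of the slides' relaxed motion_estimation program.

Added example; not from the paper or its Coq development.  `distances[i]`
stands in for compute_distance(blocks[i]) (constructed input).
"""
import itertools
from dataclasses import dataclass
from typing import Callable, Iterator, Sequence

INT_MAX = 2**31 - 1


@dataclass(frozen=True)
class Result:
    idx: int        # value returned by motion_estimation
    num_iters: int  # loop iterations executed; the accept statement compares these
    best: int       # distance of the chosen block (the quality of the answer)


def motion_estimation(distances: Sequence[int],
                      choose_step: Callable[[int], int],
                      allowed: Sequence[int] = (1, 2)) -> Result:
    """The slide's loop.  `choose_step(i)` plays the role of
    `relax (step) st step == 1 || step == 2`; `allowed` is the `st` constraint."""
    n = len(distances)
    idx, best, num_iters, i = 0, INT_MAX, 0, 0
    while i < n:
        cur = distances[i]
        if cur < best:
            idx, best = i, cur
        num_iters += 1
        step = choose_step(i)
        assert step in allowed, "relax constraint violated"
        i += step
    assert 0 <= idx < n      # the slide's non-relational assert; as there, it needs n >= 1
    return Result(idx, num_iters, best)


def original_execution(distances: Sequence[int]) -> Result:
    """Original semantics: relax statements are ignored, so step is always 1."""
    return motion_estimation(distances, lambda i: 1, (1,))


def relaxed_executions(distances: Sequence[int],
                       allowed: Sequence[int] = (1, 2)) -> Iterator[Result]:
    """Relaxed semantics: one Result per distinct resolution of the nondeterminism.
    A choice is pre-drawn for every index; entries for indices the loop never
    reaches are unused, which is why duplicate outcomes are filtered."""
    seen = set()
    for choices in itertools.product(allowed, repeat=len(distances)):
        res = motion_estimation(distances, lambda i, c=choices: c[i], allowed)
        if res not in seen:
            seen.add(res)
            yield res


def acceptable(distances: Sequence[int], allowed: Sequence[int] = (1, 2)) -> bool:
    """accept (num_iters<o> / 2 <= num_iters<r>), checked over every pair of an
    original and a relaxed execution on the same input (C integer division)."""
    orig = original_execution(distances)
    return all(orig.num_iters // 2 <= rel.num_iters
               for rel in relaxed_executions(distances, allowed))


def worst_quality_loss(distances: Sequence[int], allowed: Sequence[int] = (1, 2)) -> int:
    """How much worse the chosen block's distance can get under relaxation.
    The slide's accept says nothing about this: it bounds the work skipped,
    not the answer, so a proof of acceptability is only as strong as the accept."""
    orig = original_execution(distances)
    return max(rel.best - orig.best for rel in relaxed_executions(distances, allowed))


if __name__ == "__main__":
    sample = [9, 4, 7, 3, 8, 5, 6]      # constructed block distances, n = 7
    print("original:", original_execution(sample))
    print("accept holds for step in {1,2}:", acceptable(sample))
    print("accept holds for step in {1,2,4}:", acceptable(sample, (1, 2, 4)))
    print("worst quality loss for step in {1,2}:", worst_quality_loss(sample))
```

Widening the relax to `step in {1, 2, 4}` (the perforation of the third loop-perforation slide) makes `acceptable` return False on the sample: a relaxed execution that always steps by 4 runs 2 iterations while the original runs 7, and 7 / 2 = 3 > 2. The accept statement on the slide is therefore specific to the `{1, 2}` constraint, and an exhaustive enumeration like this one is a cheap way to find such a counterexample before investing in a Coq proof. `worst_quality_loss` makes the complementary point: every relaxed execution still satisfies `assert (0 <= idx < n)`, but nothing in the accept prevents it from returning a worse block.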
Coq Development

• About 6000 lines of code and proof.
• Some automation, but mostly manual.
• Coq instructed the proof strategy.
  – Chose big-step dynamic semantics.
  – Small-step proofs were very complicated.
    • More difficult in general, but amplified by Coq.
• Majority of work in relational assertion logic.
  – Substitution lemmas, etc.
Coq Experience
“Most complicated system I’ve ever seen.”
“Very powerful – you can express anything you want.”
“Difficult to navigate multiple layers of abstractions/automations.”
Conclusion

• Relaxed Programming in Coq
  – Work in progress (in submission).
  – Ask me after class if you have more questions.
• Is Coq useful?
  – A natural discussion if you bring up Coq.
  – Utility = benefit / cost
Conclusion (cont.)

• A lot of research on lowering costs
  – Better abstractions
  – More automation
• But less research on benefits
  – Correctness... but software can always be better.
  – Is there a system we can build with Coq that is impossible to build with traditional methods?
The End