swarat chaudhuri roberto lublinerman pennsylvania state university sumit gulwani microsoft research...
TRANSCRIPT
Swarat ChaudhuriRoberto Lublinerman
Pennsylvania State University
Sumit Gulwani
Microsoft Research
CAUCHY
Continuity analysis of programs
Uncertainty and robustness
• Trends: cyber-physical systems, integration of computation and science, …
• Uncertainty: stale satellite data, erroneous sensor measurements, …
• Does your program handle uncertainty robustly? – Correctness in settings without
uncertainty does not imply correctness in uncertain environments.
Robustness analysis of programs
• Robustness: small perturbations to a program’s operating conditions do not change its behavior significantly.– Continuity:
Infinitesimal changes to inputs only cause infinitesimal changes to outputs.
– Discrete continuity:Similar, except for non-infinitesimalchanges to discrete numbers.
– Derivative has low complexity. – Asymptotic stability
• Verify these!
P
First step: Continuity analysis of programs
• Continuity of mathematical functions:– definition.– Equivalently, infinitesimal changes in
inputs only cause infinitesimal changes in outputs.
• Continuity of programs – Associate metric spaces with types, lift
it into a metric over states. – Same question. Do infinitesimal
changes in program inputs only cause infinitesimal changes to outputs?
This paper: structural analysis of continuity.
P
Example: an implementation of Dijkstra’s algorithm
• Small change to real array: each element changes at most by a small amount.
• Small change to graph with real edge weight: each edge weight changes at most by a small amount.
• Is this program continuous?
procedure Dijkstra (G: graph, src: node):
for each node v in G: { d[v] := Infinity }
d[src] := 0; Worklist := set of all nodes in G;
while Worklist is not empty {
Remove node w from Worklist s.t. d[w] is minimal;
for each neighbor v of w: {
z := d[w] + G[w,v];
if (z < d[v]) { d[v] := z; prev[v] := w; } } }
Example: Dijkstra’s algorithm
• Small change to real array: each element changes at most by a small amount.
• Small change to graph with real edge weight: each edge weight changes at most by a small amount.
• Is this program continuous?
procedure Dijkstra (G: graph, src: node):
for each node v in G: { d[v] := Infinity }
d[src] := 0; Worklist := set of all nodes in G;
while Worklist is not empty {
Remove node w from Worklist s.t. d[w] is minimal;
for each neighbor v of w: {
z := d[w] + G[w,v];
if (z < d[v]) { d[v] := z; prev[v] := w; } } }
• Depends on what is observable.• At point of output, d is a continuous function of G, but prev is not.
• Sorting algorithms are continuous
… but only if output = array of keys.• Minimum spanning tree algorithms are continuous
… but only if the output is the weight of the tree.• Integer knapsack is continuous in values of items but not
in their weights.• Fractional knapsack is continuous in values and weights.
Continuity at work!
2.0 3.0 4.0 3.0
2.0 3.0 3.0 4.0
2.0 3.0 4.0 2.99
2.0 2.99 3.0 4.0
• Key Idea: Prove branch-equivalence at the zeroes of b—i.e., conditions under which guard can flip on small changes.
• Example: d[v] is continuous after if (d[v] < z) d[v] := z.
The guard (d[v] < z) flips (under small changes) only when d[v] = z. Then, d[v] has similar values on both branches.
• Automate using an SMT-solver. (cf. Translation validation)
Challenge #1: Control flow
if b
P1 P2
1. 2. P1 and P2 are continuous. P is continuous
P
Challenge #2: Noninductiveness
while Worklist is not empty {
Remove node w from Worklist s.t. d[w] is minimal;
for each neighbor v of w: {
z := d[w] + G[w,v];
if (z < d[v]) { d[v] := z; prev[v] := w; } } }
• Small change to d at iteration-entry can completely change the value of d at the end.
• Thus, continuity is not inductive.
u1
d[u1] = 2.00u2
d[u2] = 2.00u3
d[u2] = 4.00
u2
d[u2] = 2.00u1
d[u1] = 2.00
Key idea: Induction over epochswhile Worklist is not empty {
Remove node w from Worklist s.t. d[w] is minimal;
• To be reordered, iterations must be approximately tied on selection criterion. Epoch = cluster of such iterations.
• Prove that iterations within epochs are commutative. • Proof can be discharged using an SMT-solver.
u3
d[u2] = 4.00
u1
d[u2] = 2.01u2
d[u1] = 2.00
u3
d[u2] = 4.02
u2
d[u2] = 2.00u1
d[u1] = 2.00
Key idea: Induction over epochs
while Worklist is not empty {
Remove node w from Worklist s.t. d[w] is minimal;
Now do induction over epochs.
u3
d[u2] = 4.00
u1
d[u2] = 2.01u2
d[u1] = 2.00u3
d[u2] = 4.02
Original
Perturbed
But often, simple induction is enough
for k := 1 to N
for i, j := 1 to N:
if G[i, j] > G[i, k] + G [k, j]
G[i, j] := G[i, k] + G[k. j];
Floyd-Warshall shortest path algorithm
Challenge #3: Early or late termination
• Key Idea: Prove idempotence under conditions when guard can flip.
• Example: while (z > 0) { x := x + z; z := z * w; }
If z = 0, then loop body is idempotent.
while b
P
Original
Perturbed
• Soundness with respect to definition. (Tricky!) • Proof rules discharged using Z3 SMT solver.• Able to prove 11 of the 13 continuous algorithms
targeted:– Sorting (Merge sort, Bubble sort, Insertion sort, Selection sort).– Minimum Spanning Tree (Prim’s and Kruskal’s)– Shortest Paths (Floyd-Warshall, Bellman-Ford, Dijkstra)– Knapsack (Fractional and integer)
• Epoch induction needed in 5/13 cases. • Early termination check needed in 3/13 cases.• Current work exploring “real” applications (embedded
medical devices and GPS apps).
Results
Ongoing work: discrete derivatives of programs
• Instead of infinitesimal changes to real variables, consider unit changes to finite-precision variables.
• More natural in the quantitative setting. • Changes the game somewhat:
– E.g., Addition is not continuous. • But most of the rules/insights still apply. • Goal: Mechanically generate discrete
derivatives of programs:– E.g., Discrete derivative of Dijkstra’s
algorithm in O(n).
P
The Cauchy challenge
Cauchy
Develop an analytical calculus of computation
Limits of programs
Hybrid representations
Continuity analysis
Analytic approximations ofprograms
(Discrete) derivatives of programs
Applications in cyber-physical systems, approximate computation. Also, pedagogical value.
Fourier analysis of programs
Conclusion
• Robustness is an important correctness property for programs operating under uncertainty.
• Continuity is one, but by no means the only, robustness property.
• This paper offers one, but by no means the only, continuity analysis.
• First step towards an analytical calculus of computation.