Theoretical Program Checking

Download Report

Transcript Theoretical Program Checking 

Theoretical Program Checking
Greg Bronevetsky
Background
• The field of Program Checking is about 13 years
old.
• Pioneered by Manuel Blum, Hal Wasserman,
Sampath Kanaan and others.
• Branch of Theoretical Computer Science that
deals with
• probabilistic verification of whether a particular
implementation solves a given problem.
• probabilistic fixing of program errors (if possible).
Simple Checker
• A simple checker C for problem f:
• Accepts a pair <x,y> where x is the input and y is the
output produced by a given program.
• If y=f(x) then return ACCEPT with probability ≥PC
Else, return REJECT with probability ≥PC ,
Where PC is a constant close to 1.
• If the original program runs in time O(T(n)),
the checker must run in asymptotically less time
o(T(n)).
Simple Checker Example
• For example, a simple checker for sorting
• Verifies that the sorted list of elements is a
permutation of the original one.
• Ensures that the sorted elements appear in a nondecreasing order.
• Checking is certain, so PC=1.
• Runtime of checker = O(n) vs. O(n log n) for the
original program.
Complex Checker
• A complex checker is just like a simple checker,
except that
• It is given P, a program that computes the problem f
with low probability of error =p.
• Time Bound: If the original program runs in time
O(T(n)), the complex checker must run in time
o(T(n)), counting calls to P as one step.
Self-Corrector
• A self-corrector for problem f:
• Accepts x, an input to f, along with the program P
that computes f with a low probability of error =p.
• Outputs the correct value of f(x) with probability ≥PC,
where PC is a constant close to 1.
• If the original program runs in time O(T(n)), the selfcorrector must also run in O(T(n))-time, counting
calls to P as one step.
(ie. Must remain in the same time class as original
program.)
Uses for Checkers
• Checkers and Self-Correctors are intended to
protect systems against software bugs and
failures.
• Because of their speed, simple checkers can be
run on each input, raising alarms about bad
computations.
• When alarms are raised a self-corrector can try to
fix the output.
• Because checkers and self-correctors are written
differently from the original program, errors
should not be correlated. (ex: SCCM)
Sample Checkers: Equations
• A simple checker for programs that compute
equations:
• A program that claims to solve a given equation can
be checked by taking the solutions and plugging them
back into the equation.
• In fact we can do this any time the program
purports to produce objects that satisfy given
constraints: just verify the constraints.
Simple Checkers: Integrals
• Given a program to compute definite integral, we
can check it by approximating the area under the
curve by using a small number of rectangles.
• Given a formula and a program to compute its
integral, we can verify the results by
differentiating the output (usually easier than
integration).
• Also, can pick a random range, and compute the
area under the curve using the purported integral
vs. using original formula with a lot of rectangles.
Simple Checking Multiplication
• Simple Checker for Multiplication of integers and
the mantissas of floating point numbers.
• Assumption: addition is fast and reliable.
• Checking that A•B=C.
• Procedure:
•
•
•
•
Generate a random r
Compute A (mod r) and B (mod r)
Compute [A (mod r) • B (mod r)] (mod r)
Compare result to C (mod r).
• Note: [A (mod r) • B (mod r)] (mod r) =
A•B (mod r) = C(mod r)
Simple Checking Multiplication
• A (mod r) and B (mod r) are O(log n)-bits long.
Multiplying them takes O((log n)2)-time.
• To get the modulus, need 4 divisions by a small r.
Such divisions take O(n log n)-time.
• Total checker time = O(n log n).
• Most processors compute multiplication in O(n2)
time (n-length numbers).
Multiplication Self-Corrector
• Self-Corrector for Multiplication
• Procedure:
• Generate random R1 and R2.
• Compute 4 A  R    B  R  – 2R   B  R
1

2
2
 
2
2

1

2

 A  R1 
 – 2R2  
  R1  R2

 2 
• Note: Above equals
  A  R1 
   B  R2 

A  B = 2

R
 1   2
  R2 

  2 
   2 
• Self-Corrector works by sampling the space of 4
points around A and B and working with them in
the case where A•B doesn't work.
How does it work?
• Addition, Subtraction and divisions by 2 and 4
assumed to be fast and reliable.
• We're dealing with 4 numbers: R , R , A 2 R  and  B 2R 
• In order to operate on them we need to use n+1
bit operations.
• All 4 numbers vary over half the n+1 bit range.
• Because in each multiplication both numbers are
independent, their pair varies over a quarter of the
range of pairs of n+1 bit numbers.
1
1
2
2
How does it work?
• The odds of a multiplication failing are =p.
• But all the erroneous inputs may occur in our
quarter of the range. Thus, the odds of failure
become ≤4p.
• Thus, the odds that none of the 4 multiplications
fail ≤16p.
Other Self-Correctors
• Note that a similar self-corrector can be used for
matrix multiplication:
•
•
•
•
Want to compute AB
Generate random matrices R1 and R2
Compute: AB = R  ( A  R )  R  ( B  R )
1
1
2
2
By spreading the multiplications over 4 random
matrices, we avoid the problematic input A, B.
• If the odds of a matrix multiplication failing =p, then
the self-corrector's odds of failure are =4p.
• It has been shown that self-correctors can be
developed for “Robust functional equations”.
Simple Checker for Division
• Trying to perform division: N/Q
• Note: N = D•Q + R
• R = Remainder
• D = some integer
• Equivalently: N – R = D•Q
• Checking Division reduces to Checking
Multiplication!
Self-Corrector for Division
• Calculate
 1 
N  R 

 RD
, where R is random.
• The three multiplications can be checked and
corrected (if necessary) using aforementioned
method.
• The one division can also be checked as above.
• Note that the one division is unlikely to be faulty:
• As R varies over its n-bit range, R•D varies such that
a given R maps to ≤ 2 different values of R•D.
• If division's odds of failure =p, then the odds of
failure for 1 ≤ 2p, which is about as low as p.
RD
Checking Linear Transformations
• Given a Linear Transformation A, want to
 
compute y  x A


• Given input x , want to output y .
• We wish to check computations on floating point
numbers, so we'll need to tolerate rounding error.

• Let
be the error vector
  (1 ,  2 ,  ,  n )
 
yx A .
 
• y, x is definitely correct iff i,   
i
 
• y, x is definitely incorrect iff i,   6 n
i
Checking Scheme
 (k )
• Generate 10 random vectors r  (1,  1,  ,  1)
where each ± is chosen positive or negative with
  (k )

 (k )
50/50 odds.
y  r  ( x  A)  r
• Goal: Determine whether or not
• For k= 1 to 10
• Calculate D
• If
D
(k )
(k )
  (k )   (k ) T
= y  r  x  (r  A )
 6 n
, REJECT
• If all 10 tests are passed, ACCEPT.
Why does this work?
  (k )   (k ) T
D = y  r  x  (r  A )
  (k ) 
 (k )
(k )
D = y  r  ( x  A)  r
 
 (k )
(k )
D =  y  ( x  A) r

 (k )
(k )
D =   r = ± 1 ,±  2 ,  ,±  n
(k )
• Where each ± is positive or negative with
independent 50/50 probability
Why does this work?
• Working out the probabilities, we can prove:
 
definitely correct y, x ,( Each  i   )

Pr D
(k )
 6 n

1

10,000,000
Pulling together over all 10 iterations ,
Prchecker mistakenly rejects 
1

1,000,000
Why does this work?
• We can also prove the other side:
 
definitely incorrect y, x , ( Some  i  6 n )

Pr D
(k )
 6 n


1
2
Pulling together over all 10 iterations ,
Prchecker mistakenly accepts   2
(-10)
1

1,000
Conclusion
• A number of simple/complex checkers and selftesters have been developed for many problems.
• Those presented here are some of the simplest.
• Work has been done on finding general types of
problems for which efficient testers and selfcorrectors can be created.
• It is not advanced enough to allow automation.
• There is some promise in finding techniques to
test simple operations that we can use to build up
more complex techniques.