Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Theoretical Program Checking Greg Bronevetsky Background • The field of Program Checking is about 13 years old. • Pioneered by Manuel Blum, Hal Wasserman, Sampath Kanaan and others. • Branch of Theoretical Computer Science that deals with • probabilistic verification of whether a particular implementation solves a given problem. • probabilistic fixing of program errors (if possible). Simple Checker • A simple checker C for problem f: • Accepts a pair <x,y> where x is the input and y is the output produced by a given program. • If y=f(x) then return ACCEPT with probability ≥PC Else, return REJECT with probability ≥PC , Where PC is a constant close to 1. • If the original program runs in time O(T(n)), the checker must run in asymptotically less time o(T(n)). Simple Checker Example • For example, a simple checker for sorting • Verifies that the sorted list of elements is a permutation of the original one. • Ensures that the sorted elements appear in a nondecreasing order. • Checking is certain, so PC=1. • Runtime of checker = O(n) vs. O(n log n) for the original program. Complex Checker • A complex checker is just like a simple checker, except that • It is given P, a program that computes the problem f with low probability of error =p. • Time Bound: If the original program runs in time O(T(n)), the complex checker must run in time o(T(n)), counting calls to P as one step. Self-Corrector • A self-corrector for problem f: • Accepts x, an input to f, along with the program P that computes f with a low probability of error =p. • Outputs the correct value of f(x) with probability ≥PC, where PC is a constant close to 1. • If the original program runs in time O(T(n)), the selfcorrector must also run in O(T(n))-time, counting calls to P as one step. (ie. Must remain in the same time class as original program.) Uses for Checkers • Checkers and Self-Correctors are intended to protect systems against software bugs and failures. • Because of their speed, simple checkers can be run on each input, raising alarms about bad computations. • When alarms are raised a self-corrector can try to fix the output. • Because checkers and self-correctors are written differently from the original program, errors should not be correlated. (ex: SCCM) Sample Checkers: Equations • A simple checker for programs that compute equations: • A program that claims to solve a given equation can be checked by taking the solutions and plugging them back into the equation. • In fact we can do this any time the program purports to produce objects that satisfy given constraints: just verify the constraints. Simple Checkers: Integrals • Given a program to compute definite integral, we can check it by approximating the area under the curve by using a small number of rectangles. • Given a formula and a program to compute its integral, we can verify the results by differentiating the output (usually easier than integration). • Also, can pick a random range, and compute the area under the curve using the purported integral vs. using original formula with a lot of rectangles. Simple Checking Multiplication • Simple Checker for Multiplication of integers and the mantissas of floating point numbers. • Assumption: addition is fast and reliable. • Checking that A•B=C. • Procedure: • • • • Generate a random r Compute A (mod r) and B (mod r) Compute [A (mod r) • B (mod r)] (mod r) Compare result to C (mod r). • Note: [A (mod r) • B (mod r)] (mod r) = A•B (mod r) = C(mod r) Simple Checking Multiplication • A (mod r) and B (mod r) are O(log n)-bits long. Multiplying them takes O((log n)2)-time. • To get the modulus, need 4 divisions by a small r. Such divisions take O(n log n)-time. • Total checker time = O(n log n). • Most processors compute multiplication in O(n2) time (n-length numbers). Multiplication Self-Corrector • Self-Corrector for Multiplication • Procedure: • Generate random R1 and R2. • Compute 4 A R B R – 2R B R 1 2 2 2 2 1 2 A R1 – 2R2 R1 R2 2 • Note: Above equals A R1 B R2 A B = 2 R 1 2 R2 2 2 • Self-Corrector works by sampling the space of 4 points around A and B and working with them in the case where A•B doesn't work. How does it work? • Addition, Subtraction and divisions by 2 and 4 assumed to be fast and reliable. • We're dealing with 4 numbers: R , R , A 2 R and B 2R • In order to operate on them we need to use n+1 bit operations. • All 4 numbers vary over half the n+1 bit range. • Because in each multiplication both numbers are independent, their pair varies over a quarter of the range of pairs of n+1 bit numbers. 1 1 2 2 How does it work? • The odds of a multiplication failing are =p. • But all the erroneous inputs may occur in our quarter of the range. Thus, the odds of failure become ≤4p. • Thus, the odds that none of the 4 multiplications fail ≤16p. Other Self-Correctors • Note that a similar self-corrector can be used for matrix multiplication: • • • • Want to compute AB Generate random matrices R1 and R2 Compute: AB = R ( A R ) R ( B R ) 1 1 2 2 By spreading the multiplications over 4 random matrices, we avoid the problematic input A, B. • If the odds of a matrix multiplication failing =p, then the self-corrector's odds of failure are =4p. • It has been shown that self-correctors can be developed for “Robust functional equations”. Simple Checker for Division • Trying to perform division: N/Q • Note: N = D•Q + R • R = Remainder • D = some integer • Equivalently: N – R = D•Q • Checking Division reduces to Checking Multiplication! Self-Corrector for Division • Calculate 1 N R RD , where R is random. • The three multiplications can be checked and corrected (if necessary) using aforementioned method. • The one division can also be checked as above. • Note that the one division is unlikely to be faulty: • As R varies over its n-bit range, R•D varies such that a given R maps to ≤ 2 different values of R•D. • If division's odds of failure =p, then the odds of failure for 1 ≤ 2p, which is about as low as p. RD Checking Linear Transformations • Given a Linear Transformation A, want to compute y x A • Given input x , want to output y . • We wish to check computations on floating point numbers, so we'll need to tolerate rounding error. • Let be the error vector (1 , 2 , , n ) yx A . • y, x is definitely correct iff i, i • y, x is definitely incorrect iff i, 6 n i Checking Scheme (k ) • Generate 10 random vectors r (1, 1, , 1) where each ± is chosen positive or negative with (k ) (k ) 50/50 odds. y r ( x A) r • Goal: Determine whether or not • For k= 1 to 10 • Calculate D • If D (k ) (k ) (k ) (k ) T = y r x (r A ) 6 n , REJECT • If all 10 tests are passed, ACCEPT. Why does this work? (k ) (k ) T D = y r x (r A ) (k ) (k ) (k ) D = y r ( x A) r (k ) (k ) D = y ( x A) r (k ) (k ) D = r = ± 1 ,± 2 , ,± n (k ) • Where each ± is positive or negative with independent 50/50 probability Why does this work? • Working out the probabilities, we can prove: definitely correct y, x ,( Each i ) Pr D (k ) 6 n 1 10,000,000 Pulling together over all 10 iterations , Prchecker mistakenly rejects 1 1,000,000 Why does this work? • We can also prove the other side: definitely incorrect y, x , ( Some i 6 n ) Pr D (k ) 6 n 1 2 Pulling together over all 10 iterations , Prchecker mistakenly accepts 2 (-10) 1 1,000 Conclusion • A number of simple/complex checkers and selftesters have been developed for many problems. • Those presented here are some of the simplest. • Work has been done on finding general types of problems for which efficient testers and selfcorrectors can be created. • It is not advanced enough to allow automation. • There is some promise in finding techniques to test simple operations that we can use to build up more complex techniques.