Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Abstractions Eric Feron Outline • • • • • • Principles of abstraction Motivating example Abstracting variables Abstracting functions Abstracting operators Recommended readings Principles of abstractions • We consider software or hardware objects which are too complicated to describe exactly. • We approximate them by embedding them into larger objects, but whose description is simpler. • If the original objects are subject to manipulations, we are able to manipulate their abstractions at comparable computational cost. • Hopefully we learn something useful. Example • Prototype program [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] (x,y) in [-b-1;b] integer b is overflow limit. Program characteristics: Program terminates without error iff (x>0, y0<0). Execution never terminates iff (1000< x0<b)(y0=0). Execution leads to run-time error (by overflow) iff (x0>1000)(y0>0). These are desirable characteristics to be found Where can the states of a program go? [1] while x> 1000 do [2] x:=x+y ; [3] od; [4] 1 if x<1000 if x> 1000 2 4 <x,y> < <x+y,y> if x>1000 if x<1000 3 (x,y) in I =[-b;b] integer Representation of program behavior by means of automaton possible but not really compact. Reachable states Reachable states • Order relation is that of inclusion: A set is smaller than another if it is included in it • Forms a complete lattice: Any finite set of sets has a least upper bound and a greatest lower bound. • Reachable set always grows with iterations • Basic theorem: A sequence of sets that always grows ends up converging. • But convergence can take a very long time Example of complete lattice Set L of subsets of states in a state-space S: Partial order is traditional inclusion H = {H1,H2} L H1 U H2 is the least upper bound for H. H1 H2 is the greatest lower bound for H. H1 H2 Obviously these exist for any H. L has an infimum: The empty set L has a supremum: S. Problem: Arbitrary sets are often not computer-representable, thus hard to do computations with them. (Discrete) Complete Lattices A Some element in the set A Least upper bound Greatest lower bound For our purposes, each element is a set. So A is a set of sets. Back to our program Assume y <0, x>0. Clearly insufficient to identify what will happen to program states 1 if x<1000 if x> 1000 2 4 <x,y> <x+y,y> if x>1000 if x<1000 3 Could use abstraction by means of intervals: eg: x in [200;2000], y in [-2 -1] Can extract "propagation laws" for intervals rather than numbers. Lattice of Intervals In one dimension least upper bound (lub) greatest lower bound (glb) In two dimensions Least upper bound Greatest lower bound From program on variables to abstracted program on abstracted variables 1 (X1,Y1) if x<1000 if x> 1000 1 if x<1000 if x> 1000 4 2 2 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) <x,y> <x+y,y> if x>1000 (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) if x>1000 if x<1000 3 4 <x,y> <x+y,y> if x<1000 (X3,Y3) = (X2+Y2,Y2) 3 Step 1 1 X1 = [200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) X2= , 2 Y2 = 4 if x>1000 if x<1000 3 X3= , Y3 = (X3,Y3) = (X2+Y2,Y2) x= , y= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 2 1 X1 =[200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1000;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 X3= , Y3 = 3 (X3,Y3) = (X2+Y2,Y2) 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 3 1 X1 =[200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1000;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [998,1999], Y3 = [-2-1] (X3,Y3) = (X2+Y2,Y2) 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 4 1 X1 =[200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1000;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [998,1999], Y3 = [-2;-1] 4 X4= [200,999], Y4= [-2;-1] (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) Any further iteration would not yield any change to the values of (Xi, Yi)s: We have reached a fixed point. New initial conditions Step 1 1 X1 = [1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) X2= , 2 Y2 = 4 if x>1000 if x<1000 3 X3= , Y3 = (X3,Y3) = (X2+Y2,Y2) x= , y= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 2 1 X1 =[1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) 2 X2 = [1200;2000] 4 X4= , Y4= Y2 = [-2 -1] if x>1000 <x,y> <x+y,y> if x<1000 X3= , Y3 = 3 (X3,Y3) = (X2+Y2,Y2) (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 3 1 X1 =[1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1200;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [1198,1999], Y3 = [-2-1] (X3,Y3) = (X2+Y2,Y2) 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 4 1 X1 =[1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1200;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [1198,1999], Y3 = [-2-1] 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) We are not finished with iterations..... Step 5 1 X1 =[1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1198;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [1198,1999], Y3 = [-2-1] (X3,Y3) = (X2+Y2,Y2) 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) Step 6 1 X1 =[1200;2000], Y1 = [-2 -1] if x<1000 if x> 1000 (X2,Y2)= (lub((X1[1000;b]) U (X3 [1000;b])),lub(Y1UY3)) if x>1000 2 X2 = [1198;2000] Y2 = [-2 -1] <x,y> <x+y,y> if x<1000 3 X3= [1196,1999], Y3 = [-2-1] 4 X4= , Y4= (X4,Y4)=(lub((X1[-b;1000]) U(X3 [-b;1000])), lub(Y1UY3) (X3,Y3) = (X2+Y2,Y2) All this is going to take a while to converge towards fixed point... Some interesting questions • How can I speed up the convergence of the computations leading to a fixed point? • Does the order in which I do the computation (the sequence of vertices where reachable sets are computed) have much importance? • How do I automatically write the "abstracted program"? Abstracting state spaces further {Set of all subsets of signed integer numbers between -b and b} + if x = T then x is any value if x = + then 0<x<b if x = 0 then x = 0 if x = - then -b<x<0 if x = then Some Rules: ++-=T but + + + = error - + - = error +U-=T oT=o 0 Effect: Go from huge state-space decompositions to finite and simple state-space decomposition From program on variables to abstracted program on abstracted variables 1 (X1,Y1) if x<1000 if x> 1000 1 if x<1000 if x> 1000 4 2 2 (X2,Y2)=((X3+)U (X1 +),Y1UY3) <x,y> <x+y,y> if x>1000 (X4,Y4)=(X1UX3,Y1UY3) if x>1000 if x<1000 3 <x,y> <x+y,y> if x<1000 3 (X3,Y3) =(X2+Y2,Y2) 4 Step 1 X1= +, Y1 = - 1 if x<1000 if x> 1000 (X4,Y4)=(X1UX3,Y1UY3) (X2,Y2)=((X3+)U (X1 +),Y1UY3) 2 X2= , Y2 = if x>1000 X3= , Y3 = <x,y> <x+y,y> if x<1000 3 (X3,Y3) =(X2+Y2,Y2) 4 X4 = , Y4 = Step 2 X1= +, Y1 = - 1 if x<1000 if x> 1000 (X4,Y4)=(X1UX3,Y1UY3) (X2,Y2)=((X3+)U (X1 +),Y1UY3) 2 X2= +, Y2 = - if x>1000 X3= , Y3 = <x,y> <x+y,y> if x<1000 3 (X3,Y3) =(X2+Y2,Y2) 4 X4 = , Y4 = Step 3 X1= +, Y1 = - 1 if x<1000 if x> 1000 (X4,Y4)=(X1UX3,Y1UY3) (X2,Y2)=((X3+)U (X1 +),Y1UY3) 2 4 X2= +, Y2 = - if x>1000 <x,y> <x+y,y> if x<1000 X3= T, Y3 = - 3 (X3,Y3) =(X2+Y2,Y2) X4 = , Y4 = Step 4 X1= +, Y1 = - 1 if x<1000 if x> 1000 (X4,Y4)=(X1UX3,Y1UY3) (X2,Y2)=((X3+)U (X1 +),Y1UY3) 2 4 X2= +, Y2 = - if x>1000 <x,y> <x+y,y> if x<1000 X3= T, Y3 = - 3 (X3,Y3) =(X2+Y2,Y2) ... and we have reached a fixed point .... X4 = T, Y4 = - Other motivating example In ideal world (real numbers are reals and multiplies are truly working as they should, the sequence converges to 1 for any delta and x0. But real world is populated by, well, floats, and things become more hairy. In particular, system may exhibit disgraceful behaviors, including non convergence to zero (or its vicinity). Assume we would like to “establish good behavior” of the system over a range of possible initial conditions and values of delta. Issue: Exhaustive exploration of state-space is necessary but impossible in current form. Must work at higher abstract level. Abstraction of floats • Float format (figuratively) defined as: • Geometric distribution: 0 f2 f1 How do we prove things work over this range? Possibly LOTS of floats between f1 and f2. Abstraction: Consider the whole real interval between f1 and f2: [f1 f2]. Counterintuitive because reals are not machine representable. Simple object though – the object itself (the interval) is machine-representable. Working with abstractions • Intuitively: • But Must have some machine-representable description of where interval could “land” after “+” operation. Sounds trivial but requires monotonicity properties of ‘+’ operation over floats. In this case it’s OK. So we can write Associativity counts… and + under floats is not associative Back to system Must define interval for xks. Transition rules for intervals: “Abstracted transitions” So in this case we can monitor behavior of entire interval by monitoring bounds. Nonconvergence : Nonconvergence • Would like to “bound” possible behaviors From observations: Looks like it stays around 1. Look at behaviors of intervals in vicinity of 1. Eg pick By induction, true for all following iterations: So we know [.95 1.05] is invariant. Nonconvergence (to 1) maybe, but could that be sufficient level of precision for practical purposes?? Note analysis is for fixed delta (1e-5) – so far. Guaranteed convergence to region of nonconvergence • Fix delta and a for simplicity (you make them live in intervals for HW) Look in more detail at behavior of Need easy to analyze upper bounds for x+ and lower bounds for xRequires abstraction of float operations (+ and x) themselves! Abstraction of float operations Back to problem