Embed Size (px)
Citation preview
Theoretical Program CheckingTheoretical Program Checking
Greg Bronevetsky
BackgroundBackground
• The field of Program Checking is about 13 years old.
• Pioneered by Manuel Blum, Hal Wasserman, Sampath Kanaan and others.
• Branch of Theoretical Computer Science that deals with
• probabilistic verification of whether a particular implementation solves a given problem.
• probabilistic fixing of program errors (if possible).
Simple CheckerSimple Checker
• A simple checker C for problem f:• Accepts a pair <x,y> where x is the input and y is the
output produced by a given program.• If y=f(x) then return ACCEPT with probability ≥P
C
Else, return REJECT with probability ≥PC
,Where P
C is a constant close to 1.
• If the original program runs in time O(T(n)),the checker must run in asymptotically less time o(T(n)).
Simple Checker ExampleSimple Checker Example
• For example, a simple checker for sorting• Verifies that the sorted list of elements is a
permutation of the original one.• Ensures that the sorted elements appear in a non-
decreasing order.• Checking is certain, so P
C=1.
• Runtime of checker = O(n) vs. O(n log n) for the original program.
Complex CheckerComplex Checker
• A complex checker is just like a simple checker, except that
• It is given P, a program that computes the problem f with low probability of error =p.
• Time Bound: If the original program runs in time O(T(n)), the complex checker must run in time o(T(n)), counting calls to P as one step.
Self-CorrectorSelf-Corrector
• A self-corrector for problem f:• Accepts x, an input to f, along with the program P
that computes f with a low probability of error =p.• Outputs the correct value of f(x) with probability ≥P
C,
where PC is a constant close to 1.• If the original program runs in time O(T(n)), the self-
corrector must also run in O(T(n))-time, counting calls to P as one step.(ie. Must remain in the same time class as original program.)
Uses for CheckersUses for Checkers
• Checkers and Self-Correctors are intended to protect systems against software bugs and failures.
• Because of their speed, simple checkers can be run on each input, raising alarms about bad computations.
• When alarms are raised a self-corrector can try to fix the output.
• Because checkers and self-correctors are written differently from the original program, errors should not be correlated. (ex: SCCM)
Sample Checkers: EquationsSample Checkers: Equations
• A simple checker for programs that compute equations:
• A program that claims to solve a given equation can be checked by taking the solutions and plugging them back into the equation.
• In fact we can do this any time the program purports to produce objects that satisfy given constraints: just verify the constraints.
Simple Checkers: IntegralsSimple Checkers: Integrals
• Given a program to compute definite integral, we can check it by approximating the area under the curve by using a small number of rectangles.
• Given a formula and a program to compute its integral, we can verify the results by differentiating the output (usually easier than integration).
• Also, can pick a random range, and compute the area under the curve using the purported integral vs. using original formula with a lot of rectangles.
Simple Checking MultiplicationSimple Checking Multiplication
• Simple Checker for Multiplication of integers and the mantissas of floating point numbers.
• Assumption: addition is fast and reliable.• Checking that A•B=C.• Procedure:
• Generate a random r• Compute A (mod r) and B (mod r)• Compute [A (mod r) • B (mod r)] (mod r)• Compare result to C (mod r).
• Note: [A (mod r) • B (mod r)] (mod r) = A•B (mod r) = C(mod r)
Simple Checking MultiplicationSimple Checking Multiplication
• A (mod r) and B (mod r) are O(log n)-bits long.Multiplying them takes O((log n)2)-time.
• To get the modulus, need 4 divisions by a small r.Such divisions take O(n log n)-time.
• Total checker time = O(n log n).
• Most processors compute multiplication in O(n2) time (n-length numbers).
Multiplication Self-CorrectorMultiplication Self-Corrector
• Self-Corrector for Multiplication• Procedure:
• Generate random R1 and R
2.
• Compute
• Note: Above equals
• Self-Corrector works by sampling the space of 4 points around A and B and working with them in the case where A•B doesn't work.
211
22
121
22
2
24 RR
RA2R–
RB2R–
RBRA
22
11
22
22 R
RBR
RA=BA
How does it work?How does it work?
• Addition, Subtraction and divisions by 2 and 4 assumed to be fast and reliable.
• We're dealing with 4 numbers: • In order to operate on them we need to use n+1
bit operations.• All 4 numbers vary over half the n+1 bit range.• Because in each multiplication both numbers are
independent, their pair varies over a quarter of the range of pairs of n+1 bit numbers.
2
and 2
2121
RBRA
,R,R
• The odds of a multiplication failing are =p.• But all the erroneous inputs may occur in our
quarter of the range. Thus, the odds of failure become ≤4p.
• Thus, the odds that none of the 4 multiplications fail ≤16p.
How does it work?How does it work?
Other Self-CorrectorsOther Self-Correctors
• Note that a similar self-corrector can be used for matrix multiplication:
• Want to compute AB• Generate random matrices R
1 and R
2
• Compute:• By spreading the multiplications over 4 random
matrices, we avoid the problematic input A, B.• If the odds of a matrix multiplication failing =p, then
the self-corrector's odds of failure are =4p.• It has been shown that self-correctors can be
developed for “Robust functional equations”.
)()( 2211 RBRRAR=AB
Simple Checker for DivisionSimple Checker for Division
• Trying to perform division: N/Q• Note: N = D•Q + R
• R = Remainder • D = some integer
• Equivalently: N – R = D•Q
• Checking Division reduces to Checking Multiplication!
Self-Corrector for DivisionSelf-Corrector for Division
• Calculate , where R is random.
• The three multiplications can be checked and corrected (if necessary) using aforementioned method.
• The one division can also be checked as above.• Note that the one division is unlikely to be faulty:
• As R varies over its n-bit range, R•D varies such that a given R maps to ≤ 2 different values of R•D.
• If division's odds of failure =p, then the odds of failure for ≤ 2p, which is about as low as p.
1
DRRN
DR1
Checking Linear TransformationsChecking Linear Transformations
• Given a Linear Transformation A, want to compute
• Given input , want to output .• We wish to check computations on floating point
numbers, so we'll need to tolerate rounding error.• Let be the error vector
.• is definitely correct iff
• is definitely incorrect iff
Axy
y
x
Axy
),,,( 21 n
xy
, ii,
ni, i 6xy
,
Checking SchemeChecking Scheme
• Generate 10 random vectors where each ± is chosen positive or negative with 50/50 odds.
• Goal: Determine whether or not
• For k= 1 to 10• Calculate
• If , REJECT
• If all 10 tests are passed, ACCEPT.
)1,,1,1()( kr
)()( )( kk rAxry
)( )()()( Tkkk Arxry=D
nD k 6)(
Why does this work?Why does this work?
• Where each ± is positive or negative with independent 50/50 probability
n
kk
kk
kkk
Tkkk
,±,,±±=r=D
rAxy=D
rAxry=D
Arxry=D
21)()(
)()(
)()()(
)()()(
)(
)(
)(
Why does this work?Why does this work?
• Working out the probabilities, we can prove:
1,000,000
1rejects mistakenlychecker
,iterations 10 allover together Pulling
10,000,000
16
)(x,ycorrect definitely
)(
Pr
nDPr
Each,
k
i
Why does this work?Why does this work?
• We can also prove the other side:
1,000
12accepts mistakenlychecker
,iterations 10 allover together Pulling
2
16
)6(x,yincorrect definitely
(-10)
)(
Pr
nDPr
nSome,
k
i
ConclusionConclusion
• A number of simple/complex checkers and self-testers have been developed for many problems.
• Those presented here are some of the simplest.• Work has been done on finding general types of
problems for which efficient testers and self-correctors can be created.
• It is not advanced enough to allow automation.• There is some promise in finding techniques to
test simple operations that we can use to build up more complex techniques.
