Mechanized Verification of the Correctness and Asymptotic Complexity of Programs
Armaël Guéneau, under the supervision of Arthur Charguéraud and François Pottier
Computer programs: cooking recipes, but for computers?

[Recipe image: "Mom's easy apple pie", e.g. "3/4T cinnamon, 1T lemon juice"]

Computing the lengths of two lists:

```ocaml
let length_sum l1 l2 =
  let x = List.length l1 in
  let y = List.length l2 in
  x + y
```
Computer programs: cooking recipes, but for computers? (2)

Real-world programs are usually very large. Can one trust the execution of that code to “do the right thing”? What does it mean to do the right thing? “The right thing”: a specification, written in a formal language.
What do we expect from a program?

(Ordered from less confidence to more confidence.)
- Safety (does not crash)
- Partial correctness (returns a correct result; might not terminate)
- Total correctness (always returns a correct result)
- Complexity bound (runs in a predictable amount of time)
- Real-time bound (runs within a precise time budget)
- Security (e.g. timing side channel)
- Fault tolerant (resists hardware faults)

The bracket “in this work” marks the properties addressed in this thesis: correctness and complexity bounds.
An illustrative example: Binary Search

Consider a sorted array of integers. Question: is 27 in the array? If so, at which index?
An illustrative example: Binary Search (2)

At each step, reduce by half the segment to search by comparing 27 with the middle element.
A tentative binary search implementation

```ocaml
(* search in array a for x, in the range [i, j) *)
(* returns the index of x, or -1 if not found *)
let rec bsearch (a: int array) x i j =
  if j <= i then -1 else
  let k = i + (j - i) / 2 in
  if x = a.(k) then k
  else if x < a.(k) then bsearch a x i k
  else bsearch a x (i+1) j
```
A tentative binary search implementation (2)

On an array containing 1 billion elements: ($2^{30} \approx 1$ billion)
A tentative binary search implementation (3)

```ocaml
(* search in array a for x, in the range [i, j) *)
(* returns the index of x, or -1 if not found *)
let rec bsearch (a: int array) x i j =
  if j <= i then -1 else
  let k = i + (j - i) / 2 in
  if x = a.(k) then k
  else if x < a.(k) then bsearch a x i k
  else bsearch a x (i+1) j   (* buggy, should be k+1 *)
```
A tentative binary search implementation (4)

In summary, on an array of size n:
Formal verification of correctness and complexity of a program

Step 1: State a program specification that characterizes the intended behavior: functional correctness and runtime complexity.
Step 2: Prove a theorem relating the concrete code to the specification.

Two kinds of possible human mistakes:
Use a proof assistant (Coq) to mechanically check every step of the proof.
How do we specify a program's running time?

Option 1: as an upper bound on the wall-clock time. Useful for embedded systems, but not realistic for commodity hardware.
Option 2: as a number of cycles for an idealized machine model. Knuth: “Merge sort runs in $10N \log N + 4.92N$. [This bound] can be reduced to $9N \log N$ at the expense of a somewhat longer program.”
Option 3: as a number of function calls in a high-level language. More abstract, but still has modularity issues.
Option 4: specify the running time using asymptotic complexity. Describe the “order of growth” of the running time as inputs grow large, e.g. $O(\log n)$, $O(n)$, $O(n \log n)$, $O(n^2)$, … Less precise, but informative enough in many cases.
Advantages of asymptotic complexity specifications

Specifications capturing asymptotic costs:
- algorithms;
- the implementation;
In this thesis

Goal: specify and prove that programs compute a correct result with a bounded asymptotic runtime. Proofs should be:

Contribution: a step forward for the verification of the correctness and complexity of imperative, higher-order programs with subtle invariants and analysis, at a reasonable cost.
Details of the contribution

Existing: single-variate O (math, programs), multi-variate O on paper.
Contributed: Coq library for single and multi-variate O, with lemmas useful for program analysis.
Contributions

Existing:
Contributed:
(Separation Logic framework in Coq)
Contributions

Existing: polynomial or logarithmic bounds, simple algorithms (quicksort), or interactive verification without O.
Contributed: several algorithms, including a state-of-the-art graph algorithm with nontrivial correctness and complexity.
Outline of the rest of the talk

1. Reasoning with abstract cost functions
2. Semi-automatic inference of cost functions
3. Separation Logic with Time Credits
4. Case study: an Incremental Cycle Detection Algorithm
Reasoning with abstract cost functions

Informal reasoning principles on O can be abused

```ocaml
let rec bsearch a x i j =
  if j <= i then -1 else
  let k = i + (j - i) / 2 in
  if x = a.(k) then k
  else if x < a.(k) then
    bsearch a x i k
  else
    bsearch a x (k+1) j
```

Claim: bsearch a x i j costs $O(1)$.
Proof: by induction on $j - i$:
- base case: $O(1)$.
- inductive step: $O(1) + O(1) + O(1) = O(1)$.

Where is the catch? …but which statement are we proving?
Meaning of $O(1)$

What we just proved: $\forall i\, j.\ \exists c.$ “bsearch a x i j” performs at most $c$ function calls.
What “$O(1)$” means: $\exists c.\ \forall i\, j.$ “bsearch a x i j” performs at most $c$ function calls.
Meaning of $O(\log n)$

Informal specification: “bsearch a x i j” runs in $O(\log(j - i))$.
Meaning: there exists a cost function $f$ such that $f \in O(\lambda n.\ \log n)$, and “bsearch a x i j” performs at most $f(j - i)$ function calls.
Construction of the cost function

Option 1: The user somehow guesses a suitable cost function. Here, “$\lambda n.\ 3 \log n + 4$” works.
Option 2: Semi-automatically construct the cost function as the proof progresses.
Option 3: The cost function is automatically inferred by some clever algorithm... Restricted to specific classes of programs.
Semi-automatic synthesis of cost functions

Our approach to this problem

Part 1:
Part 2:
Constraint inferred on the cost function f

```ocaml
let rec bsearch a x i j =
  if j <= i then -1 else
  let k = i + (j - i) / 2 in
  if x = Array.get a k then k
  else if x < Array.get a k then bsearch a x i k
  else bsearch a x (k+1) j
```

With n = j - i:

```
f n >= 1 + (if n <= 0 then 0
            else 0 + 1 + max 0 (1 + max (f (n/2)) (f (n - n/2 - 1))))
```
Interactive construction of the cost function f

```ocaml
let rec bsearch a x i j =
  if j <= i then -1 else
  let k = i + (j - i) / 2 in
  if x = Array.get a k then k
  else if x < Array.get a k then bsearch a x i k
  else bsearch a x (k+1) j
```

A hole (“…”) is implemented as an evar in Coq. The constraint on f is filled in step by step as the proof walks through the code:

```
f (j-i) >= 1 + …
f (j-i) >= 1 + (if j <= i then … else …)
f (j-i) >= 1 + (if (j-i) <= 0 then … else …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max … …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max 0 …)
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + …))
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + max … …))
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + max (f ((j-i)/2)) …))
f (j-i) >= 1 + (if (j-i) <= 0 then 0 else 0 + 1 + max 0 (1 + max (f ((j-i)/2)) (f ((j-i) - (j-i)/2 - 1))))
f n     >= 1 + (if n <= 0 then 0 else 0 + 1 + max 0 (1 + max (f (n/2)) (f (n - n/2 - 1))))      (with n = j - i)
```
From cost equation to asymptotic bound

For bsearch, there remains to find an $f \in O(\lambda n.\ \log n)$ such that:

$$\forall n.\ f(n) \ge 1 + \begin{cases} 0 & \text{if } n \le 0 \\ 1 + \max\bigl(0,\ 1 + \max(f(n/2),\ f(n - n/2 - 1))\bigr) & \text{otherwise} \end{cases}$$

- … (available in Isabelle/HOL, not yet in Coq)
- The substitution method: take $a \log n + b$, inject it and resolve.
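The following Python program is an added example, not code from the talk or the thesis (the names f, Cost, bsearch, check_recurrence, f_is_3log_plus_4 and cost_of_absent_query are mine). It instruments the corrected bsearch under the cost model of the “Constraint inferred on the cost function f” slide (each call to bsearch and each Array.get costs one unit), takes the least solution of that slide's recurrence as f, and checks on a constructed sorted array that the measured cost never exceeds f(j − i), that f is exactly the 3 log n + 4 guessed on the “Construction of the cost function” slide, and that the cost of a single query grows without bound, which is what the bogus O(1) induction above glosses over.

```python
"""Added example (not from the talk or the thesis): replay the talk's cost model
on the corrected bsearch and compare it with the least solution f of the
recurrence inferred on the "Constraint inferred on the cost function f" slide."""
from functools import lru_cache


@lru_cache(maxsize=None)
def f(n: int) -> int:
    """Least solution of the slide's cost recurrence, with n = j - i:
    f n >= 1 + (if n <= 0 then 0
                else 0 + 1 + max 0 (1 + max (f (n/2)) (f (n - n/2 - 1))))
    read with >= replaced by =; / is integer division, as in OCaml."""
    if n <= 0:
        return 1
    return 1 + (0 + 1 + max(0, 1 + max(f(n // 2), f(n - n // 2 - 1))))


class Cost:
    """Counts function calls: calls to bsearch plus array reads (Array.get)."""
    def __init__(self) -> None:
        self.calls = 0


def bsearch(a, x, i, j, cost):
    """Corrected binary search from the slides (k+1, not i+1, in the upper half),
    instrumented with the talk's cost model. Returns the index of x in the
    range [i, j), or -1 if x is absent."""
    cost.calls += 1                     # the call to bsearch itself
    if j <= i:
        return -1
    k = i + (j - i) // 2
    cost.calls += 1                     # Array.get a k
    if x == a[k]:
        return k
    cost.calls += 1                     # Array.get a k, read a second time
    if x < a[k]:
        return bsearch(a, x, i, k, cost)
    return bsearch(a, x, k + 1, j, cost)


def check_recurrence(n: int) -> bool:
    """True if, on a constructed sorted array of n distinct even integers,
    bsearch is correct and its measured cost never exceeds f(j - i), for
    every sub-range [i, j) and every query x (present, or absent in a gap)."""
    a = [2 * v for v in range(n)]       # constructed input: 0, 2, 4, ...
    queries = range(-1, 2 * n + 1)      # hits every element and every gap
    for i in range(n + 1):
        for j in range(i, n + 1):
            bound = f(j - i)
            for x in queries:
                cost = Cost()
                got = bsearch(a, x, i, j, cost)
                expected = x // 2 if x % 2 == 0 and i <= x // 2 < j else -1
                if got != expected or cost.calls > bound:
                    return False
    return True


def f_is_3log_plus_4(max_n: int) -> bool:
    """f(n) == 3 * floor(log2 n) + 4 for 1 <= n <= max_n: the cost function
    "lambda n. 3 log n + 4" guessed by hand on the "Construction of the cost
    function" slide is exactly the least solution of the recurrence."""
    return all(f(n) == 3 * (n.bit_length() - 1) + 4 for n in range(1, max_n + 1))


def cost_of_absent_query(n: int) -> int:
    """Measured cost of searching an n-element array for a value smaller than
    every element, so the search always recurses into the left half. The cost
    grows with n: no single constant c bounds it, which is why the "O(1)"
    induction only proves "for all i j, exists c", not "exists c, for all i j"."""
    cost = Cost()
    bsearch(list(range(n)), -1, 0, n, cost)
    return cost.calls


if __name__ == "__main__":
    assert check_recurrence(20)
    assert f_is_3log_plus_4(4096)
    for n in (1, 16, 256, 4096, 1 << 20):
        print(f"n = {n:8d}: f(n) = {f(n):3d}, measured cost = {cost_of_absent_query(n)}")
```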
The substitution method in action

Start from the cost equation together with the asymptotic requirement:

$$\exists f : \mathbb{Z} \to \mathbb{Z}.\ \Bigl(\forall n.\ f(n) \ge 1 + \begin{cases} 0 & \text{if } n \le 0 \\ 1 + \max\bigl(0,\ 1 + \max(f(n/2),\ f(n - n/2 - 1))\bigr) & \text{otherwise} \end{cases}\Bigr) \wedge f \in O(\lambda n.\ \log n)$$

Simplify the recursive constraint, assuming $f$ monotonic and nonnegative (these become side conditions):

$$\exists f : \mathbb{Z} \to \mathbb{Z}.\ \mathrm{monotonic}\ f \wedge (\forall n.\ f(n) \ge 0) \wedge (\forall n.\ n \le 0 \implies f(n) \ge 1) \wedge (\forall n.\ n \ge 1 \implies f(n) \ge f(n/2) + 3) \wedge f \in O(\lambda n.\ \log n)$$

Inject the shape $f(n) = a \log n + b$ with $a, b \in \mathbb{Z}$ (issue when $n = 0$), hence instead:

$$\exists a\, b\, c : \mathbb{Z}.\ f(n) = (\text{if } n > 0 \text{ then } a \log n + b \text{ else } c) \wedge \mathrm{monotonic}\ f \wedge (\forall n.\ f(n) \ge 0) \wedge (\forall n.\ n \le 0 \implies f(n) \ge 1) \wedge (\forall n.\ n \ge 1 \implies f(n) \ge f(n/2) + 3) \wedge f \in O(\lambda n.\ \log n)$$

The asymptotic side condition becomes $\mathrm{True}$, and the remaining constraints reduce to:

$$\exists a\, b\, c : \mathbb{Z}.\ a \ge 0 \wedge b \ge c \wedge b \ge 0 \wedge c \ge 0 \wedge c \ge 1 \wedge b \ge c + 3 \wedge a \ge 3 \wedge \mathrm{True}$$

Can be solved automatically. The user does not have to manually provide values for $a$, $b$, and $c$.
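Where these constraints come from, worked out as an added derivation that is not on the slides; it reads $\log$ as $\lfloor \log_2 \rfloor$ and $n/2$ as integer division, so that $\log(n/2) = \log n - 1$ for $n \ge 2$:

$$f(n) = \begin{cases} a \log n + b & \text{if } n > 0 \\ c & \text{if } n \le 0 \end{cases}$$

- $\mathrm{monotonic}\ f$: $\log$ is monotonic on $n > 0$, so $a \ge 0$; and $f(1) \ge f(0)$ gives $b \ge c$.
- $\forall n.\ f(n) \ge 0$: at $n = 1$ this is $b \ge 0$, and for $n \le 0$ it is $c \ge 0$.
- $\forall n.\ n \le 0 \implies f(n) \ge 1$: $c \ge 1$.
- $\forall n.\ n \ge 1 \implies f(n) \ge f(n/2) + 3$: at $n = 1$, $f(1) \ge f(0) + 3$ gives $b \ge c + 3$; for $n \ge 2$,
$$a \log n + b \ \ge\ a(\log n - 1) + b + 3 \quad\iff\quad a \ge 3.$$
- $f \in O(\lambda n.\ \log n)$ holds for every choice of $a, b, c$, hence $\mathrm{True}$.

The componentwise smallest solution $a = 3$, $b = 4$, $c = 1$ gives $f(n) = 3 \log n + 4$ for $n > 0$ and $f(n) = 1$ otherwise, i.e. the cost function guessed by hand on the “Construction of the cost function” slide.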
Separation Logic with Time Credits

Linking code to cost assertions

Program specifications using Separation Logic with Time Credits:
{precondition} program {postcondition}
(the assertions may contain time credits)
Time Credits: resources in separation logic

Splitting credits: … $\Rightarrow\ \$1 \star \$1$
Using time credits in the specification of bsearch

Specification of the complexity of bsearch using time credits:

$$\exists f : \mathbb{Z} \to \mathbb{Z}.\ \begin{cases} f \in O(\lambda n.\ \log n) \\ \forall a\, x\, i\, j.\ \{\$(f(j - i)) \star \ldots\}\ (\mathtt{bsearch}\ a\ x\ i\ j)\ \{\ldots\} \end{cases}$$
Contribution: Possibly Negative Time Credits

Separation Logic with Time Credits in $\mathbb{N}$:
- $\$0 \equiv \mathsf{emp}$
- $\forall m\, n \in \mathbb{N}.\ \$(m + n) \equiv \$m \star \$n$
- $\forall n \in \mathbb{N}.\ \$n \vdash \mathsf{emp}$

My extension: Possibly Negative Time Credits in $\mathbb{Z}$:
- $\$0 \equiv \mathsf{emp}$
- $\forall m\, n \in \mathbb{Z}.\ \$(m + n) \equiv \$m \star \$n$
- $\forall n \in \mathbb{Z}.\ \$n \star [n \ge 0] \vdash \mathsf{emp}$

Corollary: $\$n \equiv \$m \star \$(n - m)$
Possibly Negative Time Credits enable simpler specifications

```ocaml
let index_of (v: 'a) (a: 'a array): int =
  (* returns the index of the first occurrence of v in a *)
  (* body not shown on the slide *)
```

- $\forall a.\ \{\$(|a| + 1)\}\ \mathtt{index\_of}\ v\ a\ \{\lambda i.\ \mathsf{emp}\}$ (too coarse)
- $\forall a.\ \{\$(|a| + 1)\}\ \mathtt{index\_of}\ v\ a\ \{\lambda i.\ \$(|a| - i)\}$ (restrictive?)
- $\forall a.\ \text{let } k := \min\{i \mid a.(i) = v\} \text{ in } \{\$(k + 1)\}\ \mathtt{index\_of}\ v\ a\ \{\lambda i.\ [i = k]\}$ (too complicated)
- $\forall a.\ \{\mathsf{emp}\}\ \mathtt{index\_of}\ v\ a\ \{\lambda i.\ \$(-i - 1)\}$ (with possibly negative credits)
Time Credits in $\mathbb{Z}$: benefits

- (when the cost depends on the result)
- (can accumulate debts and pay them off once at the end)
- (no need to justify that a number of credits is positive at each step)
Case Study: an Incremental Cycle Detection Algorithm

Our main case study

Verification of a state-of-the-art incremental cycle detection algorithm due to Bender, Fineman, Gilbert and Tarjan (2016). The problem: checking for acyclicity of a dynamically constructed graph.
Minimal OCaml interface

```ocaml
type add_edge_result =
  | EdgeAdded
  | EdgeCreatesCycle

val add_edge_or_detect_cycle : graph -> vertex -> vertex -> add_edge_result
```
Our main case study (2)

A state-of-the-art algorithm:
Incremental Cycle Detection: Complexity

Naive algorithm: an $O(m)$ traversal at each arc insertion; inserting $m$ arcs costs $O(m^2)$.
Using Bender et al.'s algorithm, inserting $m$ arcs costs $O(m \cdot \min(\sqrt{m}, n^{2/3}))$, or:
- $O(m\sqrt{m})$ for sparse graphs;

This specifies the cost of a sequence of operations. There is no closed formula for the amortized cost of a single operation.
Toplevel specification (functional correctness only)

“IsDAG g G”: a Separation Logic predicate describing the algorithm's data structure, at address g, representing the graph G.

$$\begin{array}{l}
\forall g\, G\, v\, w.\ \text{let } m := |\mathit{edges}\ G| \text{ in let } n := |\mathit{vertices}\ G| \text{ in} \\
\quad v, w \in \mathit{vertices}\ G \wedge (v, w) \notin \mathit{edges}\ G \implies \\
\quad \{\mathit{IsDAG}\ g\ G\} \\
\quad (\mathtt{add\_edge\_or\_detect\_cycle}\ g\ v\ w) \\
\quad \{\lambda\, \mathit{res}.\ \mathtt{match}\ \mathit{res}\ \mathtt{with} \\
\qquad \mid \mathtt{EdgeAdded} \Rightarrow \mathit{IsDAG}\ g\ (G + (v, w)) \\
\qquad \mid \mathtt{EdgeCreatesCycle} \Rightarrow [\,w \rightarrow^{*}_{G} v\,]\ \}
\end{array}$$

Toplevel specification (correctness and complexity)

“IsDAG g G”: a Separation Logic predicate describing the algorithm's data structure, at address g, representing the graph G.

$$\begin{array}{l}
\exists \psi.\ \psi \in O(m \cdot \min(\sqrt{m}, n^{2/3}) + n) \wedge \\
\forall g\, G\, v\, w.\ \text{let } m := |\mathit{edges}\ G| \text{ in let } n := |\mathit{vertices}\ G| \text{ in} \\
\quad v, w \in \mathit{vertices}\ G \wedge (v, w) \notin \mathit{edges}\ G \implies \\
\quad \{\mathit{IsDAG}\ g\ G \star \$(\psi(m + 1, n) - \psi(m, n))\} \\
\quad (\mathtt{add\_edge\_or\_detect\_cycle}\ g\ v\ w) \\
\quad \{\lambda\, \mathit{res}.\ \mathtt{match}\ \mathit{res}\ \mathtt{with} \\
\qquad \mid \mathtt{EdgeAdded} \Rightarrow \mathit{IsDAG}\ g\ (G + (v, w)) \\
\qquad \mid \mathtt{EdgeCreatesCycle} \Rightarrow [\,w \rightarrow^{*}_{G} v\,]\ \}
\end{array}$$
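Why a per-insertion credit of $\psi(m + 1, n) - \psi(m, n)$ yields the bound on a whole sequence, as an added remark that is not on the slides (it assumes $\psi \ge 0$): the credits consumed by inserting $m$ arcs one after another into an $n$-vertex graph telescope,

$$\sum_{k=0}^{m-1} \bigl(\psi(k + 1, n) - \psi(k, n)\bigr) = \psi(m, n) - \psi(0, n) \le \psi(m, n),$$

and $\psi \in O(m \cdot \min(\sqrt{m}, n^{2/3}) + n)$ bounds the right-hand side, even though no individual term of the sum has a closed form.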
Case Study: Summary

Final result
Contributions
Conclusion

Summary

In this talk:
More in the manuscript:
Perspectives

Further automation (master theorem, simplification procedures).
Implement support to allow extracting concrete complexity bounds.
Even more challenging applications: