«ProvingProgramInvarianceand TerminationbyParametric Abstraction,LagrangianRelaxation andsemidefiniteprogramming»

Size: px

Start display at page:

Download "«ProvingProgramInvarianceand TerminationbyParametric Abstraction,LagrangianRelaxation andsemidefiniteprogramming»"

Sharyl Lawson
5 years ago
Views:

1 «ProvingProgramInvarianceand TerminationbyParametric Abstraction,LagrangianRelaxation andsemidefiniteprogramming» Patrick Cousot École normale supérieure 45rued Ulm,75230Pariscedex05,France VMCAI 05 Paris,France 17Jan.2005 VMCAI 05,Paris,France,17Jan.2005 J 1 [] I ľp.cousot

2 Overviewofthe TerminationAnalysisMethod x x x x x VMCAI 05,Paris,France,17Jan.2005 J 2 [] I ľp.cousot

3 Proving Termination of a Loop Themainpointinthistalkis(4). VMCAI 05,Paris,France,17Jan.2005 J 3 [] I ľp.cousot

4 Proving Termination of a Loop 1. Perform an iterated forward/backward relational static analysis of the loop with termination hypothesis to determine a necessary proper termination precondition 2. Assuming the termination precondition, perform an forward relational static analysis of the loop to determine the loop invariant 3. Assuming the loop invariant, perform an forward relational staticanalysisoftheloopbodytodeterminetheloopabstract operational semantics 4. Assuming the loop semantics, use an abstraction of Floyd s ranking function method to prove termination of the loop VMCAI 05,Paris,France,17Jan.2005 J 4 [] I ľp.cousot

5 Arithmetic Mean Example while (x <> y) do x := x - 1; y := y + 1 od The polyhedral abstraction used for the static analysis of the examples is implemented using Bertrand Jeannet s NewPolka library. VMCAI 05,Paris,France,17Jan.2005 J 5 [] I ľp.cousot

6 Arithmetic Mean Example 1. Perform an iterated forward/backward relational static analysis of the loop with termination hypothesis to determine a necessary proper termination precondition 2. Assuming the termination precondition, perform an forward relational static analysis of the loop to determine the loop invariant 3. Assuming the loop invariant, perform an forward relational staticanalysisoftheloopbodytodeterminetheloopabstract operational semantics 4. Assuming the loop semantics, use an abstraction of Floyd s ranking function method to prove termination of the loop VMCAI 05,Paris,France,17Jan.2005 J 6 [] I ľp.cousot

7 Forward/reachability properties I Example: partial correctness(must stay into safe states) VMCAI 05,Paris,France,17Jan.2005 J 7 [] I ľp.cousot

8 Backward/ancestry properties I F Example: termination(must reach final states) VMCAI 05,Paris,France,17Jan.2005 J 8 [] I ľp.cousot

9 Forward/backward properties I F Example: total correctness(stay safe while reaching final states) VMCAI 05,Paris,France,17Jan.2005 J 9 [] I ľp.cousot

10 Principle of the iterated forward/backward iteration-based approximate analysis Overapproximate lfpfu lfpb by overapproximations of the decreasing sequence X 0 = > ::: X 2n+1 = lfp Y.X 2n uf(y) X 2n+2 = lfp Y.X 2n+1 ub(y) ::: VMCAI 05,Paris,France,17Jan.2005 J 10 [] I ľp.cousot

11 {x>=y} while (x <> y) do {x>=y+2} x := x - 1; {x>=y+1} y := y + 1 {x>=y} od {x=y} Arithmetic Mean Example: Termination Precondition(1) VMCAI 05,Paris,France,17Jan.2005 J 11 [] I ľp.cousot

12 Idea1 The auxiliary termination counter method VMCAI 05,Paris,France,17Jan.2005 J 12 [] I ľp.cousot

13 {x=y+2k,x>=y} while (x <> y) do {x=y+2k,x>=y+2} k := k - 1; {x=y+2k+2,x>=y+2} x := x - 1; {x=y+2k+1,x>=y+1} y := y + 1 {x=y+2k,x>=y} od {x=y,k=0} assume (k = 0) {x=y,k=0} Arithmetic Mean Example: Termination Precondition(2) Add an auxiliary termination counter to enforce (bounded) termination in the backward analysis! VMCAI 05,Paris,France,17Jan.2005 J 13 [] I ľp.cousot

14 {x=y+2k,x>=y} while (x <> y) do {x=y+2k,x>=y+2} k := k - 1; {x=y+2k+2,x>=y+2} x := x - 1; {x=y+2k+1,x>=y+1} y := y + 1 {x=y+2k,x>=y} od {x=y,k=0} assume (k = 0) {x=y,k=0} Arithmetic Mean Example: Termination Precondition(2) Add an auxiliary termination counter to enforce (bounded) termination in the backward analysis! VMCAI 05,Paris,France,17Jan.2005 J 13 [] I ľp.cousot

15 Arithmetic Mean Example 1. Perform an iterated forward/backward relational static analysis of the loop with termination hypothesis to determine a necessary proper termination precondition 2. Assuming the termination precondition, perform an forward relational static analysis of the loop to determine the loop invariant 3. Assuming the loop invariant, perform an forward relational staticanalysisoftheloopbodytodeterminetheloopabstract operational semantics 4. Assuming the loop semantics, use an abstraction of Floyd s ranking function method to prove termination of the loop VMCAI 05,Paris,France,17Jan.2005 J 14 [] I ľp.cousot

16 assume ((x=y+2*k) & (x>=y)); {x=y+2k,x>=y} while (x <> y) do {x=y+2k,x>=y+2} k := k - 1; {x=y+2k+2,x>=y+2} x := x - 1; {x=y+2k+1,x>=y+1} y := y + 1 {x=y+2k,x>=y} od {k=0,x=y} Arithmetic Mean Example: Loop Invariant VMCAI 05,Paris,France,17Jan.2005 J 15 [] I ľp.cousot

17 assume ((x=y+2*k) & (x>=y)); {x=y+2k,x>=y} while (x <> y) do {x=y+2k,x>=y+2} k := k - 1; {x=y+2k+2,x>=y+2} x := x - 1; {x=y+2k+1,x>=y+1} y := y + 1 {x=y+2k,x>=y} od {k=0,x=y} Arithmetic Mean Example: Loop Invariant VMCAI 05,Paris,France,17Jan.2005 J 15 [] I ľp.cousot

18 Arithmetic Mean Example 1. Perform an iterated forward/backward relational static analysis of the loop with termination hypothesis to determine a necessary proper termination precondition 2. Assuming the termination precondition, perform an forward relational static analysis of the loop to determine the loop invariant 3. Assuming the loop invariant, perform an forward relational staticanalysisoftheloopbodytodeterminetheloopabstract operational semantics 4. Assuming the loop semantics, use an abstraction of Floyd s ranking function method to prove termination of the loop VMCAI 05,Paris,France,17Jan.2005 J 16 [] I ľp.cousot

19 Case x < y: assume (x=y+2*k)&(x>=y+2); {x=y+2k,x>=y+2} assume (x < y); empty(6) assume (x0=x)&(y0=y)&(k0=k); empty(6) k := k - 1; x := x - 1; y := y + 1 empty(6) Arithmetic Mean Example: Body Relational Semantics Case x > y: assume (x=y+2*k)&(x>=y+2); {x=y+2k,x>=y+2} assume (x > y); {x=y+2k,x>=y+2} assume (x0=x)&(y0=y)&(k0=k); {x=y+2k0,y=y0,x=x0,x=y+2k, x>=y+2} k := k - 1; x := x - 1; y := y + 1 {x+2=y+2k0,y=y0+1,x+1=x0, x=y+2k,x>=y} VMCAI 05,Paris,France,17Jan.2005 J 17 [] I ľp.cousot

20 Case x < y: assume (x=y+2*k)&(x>=y+2); {x=y+2k,x>=y+2} assume (x < y); empty(6) assume (x0=x)&(y0=y)&(k0=k); empty(6) k := k - 1; x := x - 1; y := y + 1 empty(6) Arithmetic Mean Example: Body Relational Semantics Case x > y: assume (x=y+2*k)&(x>=y+2); {x=y+2k,x>=y+2} assume (x > y); {x=y+2k,x>=y+2} assume (x0=x)&(y0=y)&(k0=k); {x=y+2k0,y=y0,x=x0,x=y+2k, x>=y+2} k := k - 1; x := x - 1; y := y + 1 {x+2=y+2k0,y=y0+1,x+1=x0, x=y+2k,x>=y} VMCAI 05,Paris,France,17Jan.2005 J 17 [] I ľp.cousot

21 Arithmetic Mean Example 1. Perform an iterated forward/backward relational static analysis of the loop with termination hypothesis to determine a necessary proper termination precondition 2. Assuming the termination precondition, perform an forward relational static analysis of the loop to determine the loop invariant 3. Assuming the loop invariant, perform an forward relational staticanalysisoftheloopbodytodeterminetheloopabstract operational semantics 4. Assuming the loop semantics, use an abstraction of Floyd s ranking function method to prove termination of the loop VMCAI 05,Paris,France,17Jan.2005 J 18 [] I ľp.cousot

22 Floyd smethodforterminationof while B do C Given a loop invariant I, find an R=Q=Z-valued unkown rank function r such that: The rank is nonnegative: 8x 0 ;x:i(x 0 )^ B;C (x 0 ;x))r(x 0 ) 0 The rank is strictly decreasing: 8x 0 ;x:i(x 0 )^ B;C (x 0 ;x))r(x)»r(x 0 )` 1forZ, >0forR=QtoavoidZeno 1 2,1 4, VMCAI 05,Paris,France,17Jan.2005 J 19 [] I ľp.cousot

23 » clear all; [v0,v] = variables( x, y, k ) % linear inequalities % x0 y0 k0 Ai = [ 0 0 0]; % x y k Ai_ = [ 1-1 0]; % x0 - y0 >= 0 bi = [0]; [N Mk(:,:,:)]=linToMk(Ai,Ai_,bi); % linear equalities % x0 y0 k0 Ae = [ 0 0-2; 0-1 0; ; 0 0 0]; % x y k Ae_ = [ 1-1 0; % x - y - 2*k0-2 = ; % y - y0-1 = ; % x - x0 + 1 = ]; % x - y - 2*k = 0 be = [2; -1; 1; 0]; [M Mk(:,:,N+1:N+M)]=linToMk(Ae,Ae_,be); Arithmetic Mean Example: Ranking Function Input the loop abstract semantics VMCAI 05,Paris,France,17Jan.2005 J 20 [] I ľp.cousot

24 » display_mk(mk, N, v0, v); x -1.y >= 0-2.k0 +1.x -1.y +2 = 0-1.y0 +1.y -1 = 0-1.x0 +1.x +1 = 0 +1.x -1.y -2.k = 0... Display the abstract semantics of the loop while B do C compute ranking function,ifany» [diagnostic,r] = termination(v0, v, Mk, N, integer, linear );» disp(diagnostic) feasible (bnb)» intrank(r, v) r(x,y,k) = +4.k -2 VMCAI 05,Paris,France,17Jan.2005 J 21 [] I ľp.cousot

25 ProvingTerminationby ParametricAbstraction, LagrangianRelaxationand SemidefiniteProgramming VMCAI 05,Paris,France,17Jan.2005 J 22 [] I ľp.cousot

26 Idea2 Express the loop invariant and relational semantics as numerical positivity constraints VMCAI 05,Paris,France,17Jan.2005 J 23 [] I ľp.cousot

27 Relationalsemanticsof while B do C odloops x 0 2R=Q=Z:valuesoftheloopvariablesbeforealoop iteration x2r=q=z: valuesoftheloopvariablesafteraloop iteration I(x 0 ): loopinvariant, B;C (x 0 ;x): relationalsemanticsofoneiterationoftheloopbody I(x 0 )^ B;C (x 0 ;x)= N^ i=1 not a restriction for numerical programs ff i (x 0 ;x)> i 0 (> i 2f>; ;=g) VMCAI 05,Paris,France,17Jan.2005 J 24 [] I ľp.cousot

28 Example of linear program(arithmetic mean) [AA 0 ][x 0 x] > >b {x=y+2k,x>=y} while (x <> y) do k := k - 1; x := x - 1; y := y + 1 od x -1.y >= 0-2.k0 +1.x -1.y +2 = 0-1.y0 +1.y -1 = 0-1.x0 +1.x +1 = 0 +1.x -1.y -2.k = ` `21`1 0 0 ` ` `1` x 0 y 0 k 0 x y k = = = = `2 1 ` VMCAI 05,Paris,France,17Jan.2005 J 25 [] I ľp.cousot

29 Example of quadratic form program(factorial) [xx 0 ]A[xx 0 ] > +2[xx 0 ]q+r>0 n := 0; f := 1; while (f <= N) do n := n + 1; f := n * f od 2 [n 0 f 0 N 0 nfn] ` ` n 0 f 0 N 0 n f N -1.f0 +1.N0 >= 0 +1.n0 >= 0 +1.f0-1 >= 0-1.n0 +1.n -1 = 0 +1.N0-1.N = 0-1.f0.n +1.f = [n 0 f 0 N 0 nfn] VMCAI 05,Paris,France,17Jan.2005 J 26 [] I ľp.cousot =0 7 5

30 Example of semialgebraic program (logistic map) eps = 1.0e-9; while (0 <= a) & (a <= 1 - eps) & (eps <= x) & (x <= 1) do x := a*x*(1-x) od VMCAI 05,Paris,France,17Jan.2005 J 27 [] I ľp.cousot

31 Floyd smethodforterminationof while B do C FindanR=Q=Z-valuedunkownrankfunctionrand > 0suchthat: The rank is nonnegative: 8x 0 ;x: N^ i=1 ff i (x 0 ;x)> i 0)r(x 0 ) 0 The rank is strictly decreasing: 8x 0 ;x: N^ i=1 ff i (x 0 ;x)> i 0)r(x 0 )`r(x)` 0 VMCAI 05,Paris,France,17Jan.2005 J 28 [] I ľp.cousot

32 Idea3 Eliminatetheconjunction V andimplication)by Lagrangian relaxation VMCAI 05,Paris,France,17Jan.2005 J 29 [] I ľp.cousot

33 Implication(general case) A B, A)B 8x2A:x2B VMCAI 05,Paris,France,17Jan.2005 J 30 [] I ľp.cousot

34 Implication(linear case) A B A)B (assuminga6=;) ((soundness) )(completeness) borderofaparalleltoborderofb VMCAI 05,Paris,France,17Jan.2005 J 31 [] I ľp.cousot

35 Lagrangian relaxation(linear case) A B VMCAI 05,Paris,France,17Jan.2005 J 32 [] I ľp.cousot

36 Lagrangian relaxation, formally LetVbeafinitedimensionallinearvectorspace,N>0 and8k2[0;n]:ff k 2V7!R. 0 1 N^ ff k (x) 0A)(ff 0 (x) 0) k=1 ( soundness(lagrange) ) completeness(lossless) 6) incompleteness(lossy) 9 2[1;N]7!R + :8x2V:ff 0 (x)` NX k ff k (x) 0 k=1 relaxation=approximation, i =Lagrangecoefficients VMCAI 05,Paris,France,17Jan.2005 J 33 [] I ľp.cousot

37 Lagrangian relaxation, equality constraints 0 1 N^ ff k (x)=0a)(ff 0 (x) 0) k=1 ( soundness(lagrange) 9 2[1;N]7!R + :8x2V:ff 0 (x)` NX k ff k (x) 0 k=1 NX ^ 9 0 2[1;N]7!R + :8x2V:ff 0 (x)+ 0 k ff k(x) 0 k=1,( 00 = 0` ) 2 NX [1;N]7!R:8x2V:ff 0 (x)` 00 k ff k(x) 0 k=1 VMCAI 05,Paris,France,17Jan.2005 J 34 [] I ľp.cousot

38 Example: affine Farkas lemma, informally An application of Lagrangian relaxation to the case whenaisapolyhedron B A VMCAI 05,Paris,France,17Jan.2005 J 35 [] I ľp.cousot

39 Example: affine Farkas lemma, formally Formally,ifthesystemAx+b 0isfeasiblethen 8x:Ax+b 0)cx+d 0 ((soundness; Lagrange) )(completeness; Farkas) 9 0:8x:cx+d` (Ax+b) 0: VMCAI 05,Paris,France,17Jan.2005 J 36 [] I ľp.cousot

40 Yakubovich s S-procedure, informally An application of Lagrangian relaxation to the case whenaisaquadraticform A B VMCAI 05,Paris,France,17Jan.2005 J 37 [] I ľp.cousot

41 Incompleteness(convex case) A B VMCAI 05,Paris,France,17Jan.2005 J 38 [] I ľp.cousot

42 Yakubovich s S-procedure, completeness cases Theconstraintff(x) 0isregularifandonlyif9 2 V:ff( )>0. TheS-procedureislosslessinthecaseofoneregular quadratic constraint: 8x2R n :x > P 1 x+2q > 1 x+r 1 0) x > P 0 x+2q > 0 x+r 0 0 ( (Lagrange) ) (Yakubovich) 9 0:8x2R n :x > " # " P 0 q 0 q 0 > r ` 0 P 1 q 1 q > 1 r 1 #! x 0: VMCAI 05,Paris,France,17Jan.2005 J 39 [] I ľp.cousot

43 Floyd smethodforterminationof while B do C Find an R=Q=Z-valued unkown rank function r which is: Nonnegative:9 2[1;N]7!R + i: 8x 0 ;x:r(x 0 )` NX i=1 i ff i (x 0 ;x) 0 Strictlydecreasing:9 >0:9 0 2[1;N]7!R + i: 8x 0 ;x:(r(x 0 )`r(x)` )` NX i=1 0 i ff i(x 0 ;x) 0 VMCAI 05,Paris,France,17Jan.2005 J 40 [] I ľp.cousot

44 Idea4 Parametric abstraction of the ranking function r VMCAI 05,Paris,France,17Jan.2005 J 41 [] I ľp.cousot

45 Parametric abstraction Howcanwecomputetherankingfunctionr?! parametric abstraction: 1.Fixtheformr a ofthefunctionrapriori,interm of unkown parameters a 2. Compute the parameters a numerically Examples: r a (x)=a:x > linear r a (x)=a:(x1) > affine r a (x)=(x1):a:(x1) > quadratic VMCAI 05,Paris,France,17Jan.2005 J 42 [] I ľp.cousot

46 Floyd smethodforterminationof while B do C Find R=Q=Z-valued unkown parameters a, such that: Nonnegative:9 2[1;N]7!R + i: 8x 0 ;x:r a (x 0 )` NX i=1 i ff i (x 0 ;x) 0 Strictlydecreasing:9 >0:9 0 2[1;N]7!R + i: 8x 0 ;x:(r a (x 0 )`r a (x)` )` NX i=1 0 i ff i(x 0 ;x) 0 VMCAI 05,Paris,France,17Jan.2005 J 43 [] I ľp.cousot

47 Idea5 Eliminate the universal quantification 8 using linear matrix inequalities(lmis) VMCAI 05,Paris,France,17Jan.2005 J 44 [] I ľp.cousot

48 Mathematical programming 9x2R n : N^ i=1 [Minimizing f(x)] g i (x)>0 feasibility problem: find a solution to the constraints optimization problem: find a solution, minimizing f(x) Example: Linear programming 9x2R n : Ax>b [Minimizing cx] VMCAI 05,Paris,France,17Jan.2005 J 45 [] I ľp.cousot

49 Feasibility i=1 feasibilityproblem:findasolutions2r n totheoptimization program, such that g i N^ (s) 0,ortodetermine that the problem is infeasible feasibleset:fxj V N i=1 g i (x) 0g a feasibility problem can be converted into the optimization program N^ minf`y2rj g i (x)`y 0g i=1 VMCAI 05,Paris,France,17Jan.2005 J 46 [] I ľp.cousot

50 Semidefinite programming, once again 9x2R n : M(x)<0 [Minimizing cx] Where the linear matrix inequality(lmi) is nx M(x)=M 0 + x k M k k=1 withsymetricmatrices(m k =M k > )andthepositive semidefiniteness is M(x)<0=8X2R N :X > M(x)X 0 VMCAI 05,Paris,France,17Jan.2005 J 47 [] I ľp.cousot

51 Semidefinite programming, once again Feasibility is: 9x2R n :8X2R N :X > 0 + nx k=1 1 x k M k AX 0 oftheformoftheformulæweareinterestedinforprograms which semantics can be expressed as LMIs: N^ i=1 ff i (x 0 ;x)> i 0= N^ (x 0 x1)m i (x 0 x1) > > i 0 i=1 VMCAI 05,Paris,France,17Jan.2005 J 48 [] I ľp.cousot

52 Floyd smethodforterminationof while B do C Find R=Q=Z-valued unkown parameters a, such that: Nonnegative:9 2[1;N]7!R + i: 8x 0 ;x:r a (x 0 )` NX i=1 i (x 0 x1)m i (x 0 x1) > 0 Strictlydecreasing:9 >0:9 0 2[1;N]7!R + i: 8x 0 ;x:(r a (x 0 )`r a (x)` )` NX i=1 0 i (x 0x1)M i (x 0 x1) > 0 VMCAI 05,Paris,France,17Jan.2005 J 49 [] I ľp.cousot

53 Idea6 Solve the convex constraints by semidefinite programming VMCAI 05,Paris,France,17Jan.2005 J 50 [] I ľp.cousot

54 The simplex for linear programming y AX b cx c y x Dantzig 1948, exponential in worst case, good in practice VMCAI 05,Paris,France,17Jan.2005 J 51 [] I ľp.cousot

55 Polynomial methods Ellipsoid method: Khachian 1979, polynomial in worst casebutnotgoodinpractice Interior point method: Kamarkar 1984, polynomial in worst case and good in practice(hundreds of thousands of variables) VMCAI 05,Paris,France,17Jan.2005 J 52 [] I ľp.cousot

56 The interior point method y AX b cx c y x VMCAI 05,Paris,France,17Jan.2005 J 53 [] I ľp.cousot

57 Interior point method for semidefinite programming Nesterov& Nemirovskii 1988, polynomial in worst case and good in practice(thousands of variables) y cx c y Various path strategies e.g. stay in the middle x VMCAI 05,Paris,France,17Jan.2005 J 54 [] I ľp.cousot

58 Semidefinite programming solvers ő Numerous solvers available under Mathlab,a.o.: lmilab: P. Gahinet, A. Nemirovskii, A.J. Laub, M. Chilali Sdplr: S.Burer,R.Monteiro,C.Choi Sdpt3: R.Tütüncü,K.Toh,M.Todd SeDuMi: J.Sturm bnb: J. Löfberg(integer semidefinite programming) Common interfaces to these solvers, a.o.: Yalmip: J. Löfberg Sometime need some help(feasibility radius, shift,...) VMCAI 05,Paris,France,17Jan.2005 J 55 [] I ľp.cousot

59 Linear program: termination of Euclidean division» clear all % linear inequalities % y0 q0 r0 Ai = [ 0 0 0; 0 0 0; 0 0 0]; % y q r Ai_ = [ 1 0 0; % y - 1 >= ; % q - 1 >= ]; % r >= 0 bi = [-1; -1; 0]; % linear equalities % y0 q0 r0 Ae = [ 0-1 0; % -q0 + q -1 = ; % -y0 + y = ]; % -r0 + y + r = 0 % y q r Ae_ = [ 0 1 0; 1 0 0; 1 0 1]; be = [-1; 0; 0]; Iterated forward/backward polyhedral analysis: {y>=1} q:=0; {q=0,y>=1} r:=x; {x=r,q=0,y>=1} while(y<=r)do {y<=r,q>=0} r:=r-y; {r>=0,q>=0} q:=q+1 {r>=0,q>=1} od {q>=0,y>=r+1} VMCAI 05,Paris,France,17Jan.2005 J 56 [] I ľp.cousot

60 » [N Mk(:,:,:)]=linToMk(Ai, Ai_, bi);» [M Mk(:,:,N+1:N+M)]=linToMk(Ae, Ae_, be);» [v0,v]=variables( y, q, r );» display_mk(mk, N, v0, v); +1.y -1 >= 0 +1.q -1 >= 0 +1.r >= 0-1.q0 +1.q -1 = 0-1.y0 +1.y = 0-1.r0 +1.y +1.r = 0» [diagnostic,r] = termination(v0, v, Mk, N, integer, quadratic );» disp(diagnostic) termination (bnb)» intrank(r, v) r(y,q,r) = -2.y +2.q +6.r Floyd sproposalr(x;y;q;r)=x`qismoreintuitivebutrequirestodiscover thenonlinearloopinvariantx=r+qy. VMCAI 05,Paris,France,17Jan.2005 J 57 [] I ľp.cousot

61 Imposing a feasibility radius y cx c y x VMCAI 05,Paris,France,17Jan.2005 J 58 [] I ľp.cousot

62 Quadratic program: termination of factorial Program: LMI semantics: n := 0; f := 1; while (f <= N) do n := n + 1; f := n * f od -1.f0 +1.N0 >= 0 +1.n0 >= 0 +1.f0-1 >= 0-1.n0 +1.n -1 = 0 +1.N0-1.N = 0-1.f0.n +1.f = 0 r(n,f,n) = e-01.n e-04.f e+02.N e+02 VMCAI 05,Paris,France,17Jan.2005 J 59 [] I ľp.cousot

63 Idea7 Convex abstraction of non-convex constraints VMCAI 05,Paris,France,17Jan.2005 J 60 [] I ľp.cousot

64 Semidefinite programming relaxation for polynomial programs eps = 1.0e-9; while (0 <= a) & (a <= 1 - eps) & (eps <= x) & (x <= 1) do x := a*x*(1-x) od Write the verification conditions in polynomial form, use SOS solver to relax in semidefinite programming form. SOStool+SeDuMi: r(x) = e-13.x e+00 VMCAI 05,Paris,France,17Jan.2005 J 61 [] I ľp.cousot

65 ConsideringMoreGeneral FormsofPrograms VMCAI 05,Paris,France,17Jan.2005 J 62 [] I ľp.cousot

66 Handling disjunctive loop tests and tests in loop body Bycaseanalysis and conditional Lagrangian relaxation (Lagrangian relaxation in each of the cases) VMCAI 05,Paris,France,17Jan.2005 J 63 [] I ľp.cousot

67 Loop body with tests while (x < y) do if (i >= 0) then x := x+i+1 else y := y+i fi od `! case analysis: j i 0 i<0 lmilab: r(i,x,y) = e-09.i e+07.x e+07.y e+08 VMCAI 05,Paris,France,17Jan.2005 J 64 [] I ľp.cousot

68 Quadratic termination of linear loop {n>=0} ` termination precondition i := n; j := n; while (i <> 0) do if (j > 0) then j := j - 1 else j := n; i := i - 1 fi od determined by iterated forward/backward polyhedral analysis VMCAI 05,Paris,France,17Jan.2005 J 65 [] I ľp.cousot

69 sdplr(with feasibility radius of 1.0e+3): r(n,i,j) = e-04.n^ e-05.n.i e-03.n.j e-02.n e-03.i^ e-05.i.j e+01.i e-04.j^ e-01.j e+00 Ranking function Successive values of r(n;i;j)for n=10on loop entry r(10,i,j) i j VMCAI 05,Paris,France,17Jan.2005 J 66 [] I ľp.cousot

70 Handling nested loops byinductionontheloopdepth use an iterated forward/backward symbolic analysis to get a necessary termination precondition useaforwardsymbolicsymbolicanalysistogetthe semanticsofaloopbody use Lagrangian relaxation and semidefinite programming to get the ranking function VMCAI 05,Paris,France,17Jan.2005 J 67 [] I ľp.cousot

71 Example of termination of nested loops: Bubblesort inner loop i -1 >= 0 +1.j -1 >= 0 +1.n0-1.i >= 0-1.j +1.j -1 = 0-1.i +1.i = 0-1.n +1.n0 = 0 +1.n0-1.n0 = 0 +1.n0-1.n = 0... Iterated forward/backward polyhedral analysis followed by forward analysis of the body: assume (n0 = n & j >= 0 & i >= 1 & n0 >= i & j <> i); {n0=n,i>=1,j>=0,n0>=i} assume (n01 = n0 & n1 = n & i1 = i & j1 = j); {j=j1,i=i1,n0=n1,n0=n01,n0=n,i>=1,j>=0,n0>=i} j := j + 1 {j=j1+1,i=i1,n0=n1,n0=n01,n0=n,i>=1,j>=1,n0>=i} termination (lmilab) r(n0,n,i,j) = n n i -2.j VMCAI 05,Paris,France,17Jan.2005 J 68 [] I ľp.cousot

72 Example of termination of nested loops: Bubblesort outer loop i +1 >= 0 +1.n0-1.i -1 >= 0 +1.i -1.j +1 = 0-1.i +1.i +1 = 0-1.n +1.n0 = 0 +1.n0-1.n0 = 0 +1.n0-1.n = 0... Iterated forward/backward polyhedral analysis followed by forward analysis of the body: assume (n0=n & i>=0 & n>=i & i <> 0); {n0=n,i>=0,n0>=i} assume (n01=n0 & n1=n & i1=i & j1=j); {j1=j,i=i1,n0=n1,n0=n01,n0=n,i>=0,n0>=i} j := 0; while (j <> i) do j := j + 1 od; i := i - 1 {i+1=j,i+1=i1,n0=n1,n0=n01,n0=n,i+1>=0,n0>=i+1} termination (lmilab) r(n0,n,i,j) = n n i VMCAI 05,Paris,France,17Jan.2005 J 69 [] I ľp.cousot

73 Bycaseanalysis Handling nondeterminacy Same for concurrency by interleaving Same with fairness by nondeterministic interleaving with encoding of an explicit scheduler VMCAI 05,Paris,France,17Jan.2005 J 70 [] I ľp.cousot

74 Termination of a concurrent program [ 1: while [x+2 < y] do 2: [x := x + 1] od 3: 1: while [x+2 < y] do 2: [y := y - 1] od 3: ] interleaving `! while (x+2 < y) do if?=0 then x := x + 1 else if?=0 then y := y - 1 else x := x + 1; y := y - 1 fi fi od penbmi: r(x,y) = e+00.x e+00.y e-01 VMCAI 05,Paris,France,17Jan.2005 J 71 [] I ľp.cousot

75 Termination of a fair parallel program [[ while [(x>0) (y>0) do x := x - 1] od while [(x>0) (y>0) do y := y - 1] od ]] interleaving +scheduler `! {m>=1} terminationpreconditiondeterminedbyiterated forward/backward polyhedral analysis t :=?; assume (0 <= t & t <= 1); s :=?; assume ((1 <= s) & (s <= m)); while ((x > 0) (y > 0)) do if (t = 1) then x := x - 1 else y := y - 1 fi; s := s - 1; if (s = 0) then if (t = 1) then t := 0 else t := 1 fi; s :=?; assume ((1 <= s) & (s <= m)) else skip fi od;; penbmi: r(x,y,m,s,t) = e+00.x e+00.y e-02.m e-07.s e-06.t e+03 VMCAI 05,Paris,France,17Jan.2005 J 72 [] I ľp.cousot

76 RelaxedParametric InvarianceProofMethod VMCAI 05,Paris,France,17Jan.2005 J 73 [] I ľp.cousot

77 Floyd s method for invariance GivenalooppreconditionP,findanunkownloopinvariant I such that: The invariant is initial: 8x:P(x)) I " The invariant is inductive: (x) 8x;x 0 :I(x)^ B;C (x;x 0 )) I " "??? (x 0 ) VMCAI 05,Paris,France,17Jan.2005 J 74 [] I ľp.cousot

78 Abstraction ExpressloopsemanticsasaconjunctionofLMIconstraints(by relaxation for polynomial semantics) Eliminate the conjunction and implication by Lagrangian relaxation Fixtheformoftheunkowninvariantbyparametric abstraction... weget... VMCAI 05,Paris,France,17Jan.2005 J 75 [] I ľp.cousot

79 Floyd s method for numerical programs Find R=Q=Z-valued unkown parameters a, such that: Theinvariantisinitial:9 2R + : 8x:I a (x)` :P(x) 0 Theinvariantisinductive:9 2[0;N]`!R + : NX 8x;x 0 :I a (x 0 )` 0 :I a (x) ` k :ff k (x;x 0 ) 0 " " k=1 bilinearin 0 anda VMCAI 05,Paris,France,17Jan.2005 J 76 [] I ľp.cousot

80 Idea8 Solve the bilinear matrix inequality(bmi) by semidefinite programming VMCAI 05,Paris,France,17Jan.2005 J 77 [] I ľp.cousot

81 Bilinear matrix inequality(bmi) solvers 9x2R n : m^ i=1 i 0 + n X k=1 [Minimizingx > Qx+cx] x k M i k + n X k=1 ő Two solvers available under Mathlab: PenBMI: M. Kočvara, M. Stingl bmibnb: J. Löfberg Common interfaces to these solvers: Yalmip: J. Löfberg nx =1 1 x k x Nk i <0 A VMCAI 05,Paris,France,17Jan.2005 J 78 [] I ľp.cousot

82 Program: Example: linear invariant Invariant: i := 2; j := 0; while (??) do if (??) then i := i + 4 else i := i + 2; j := j + 1 fi od; e-12*i e-10*j >= 0 Lessnaturalthani`2j`2 0 Alternative: - Determine parameters(a) by other methods (e.g. random interpretation) -UseBMIsolverstocheckforinvariance VMCAI 05,Paris,France,17Jan.2005 J 79 [] I ľp.cousot

83 Conclusion VMCAI 05,Paris,France,17Jan.2005 J 80 [] I ľp.cousot

84 Constraint resolution failure infeasibility of the constraints does not mean non termination or non invariance but simply failure inherent to abstraction! VMCAI 05,Paris,France,17Jan.2005 J 81 [] I ľp.cousot

85 Numerical errors LMI/BMI solvers do numerical computations with rounding errors, shifts, etc ranking function is subject to numerical errors thehardpointistodiscoveracandidatefortheranking function much less difficult, when the ranking function is known, to re-check for satisfaction(e.g. by static analysis) not very satisfactory for invariance(checking only???) VMCAI 05,Paris,France,17Jan.2005 J 82 [] I ľp.cousot

86 Related work Linear case(farkas lemma): - Invariants: Sankaranarayanan, Spima, Manna(CAV 03, SAS 04, heuristic solver) - Termination: Podelski& Rybalchenko(VMCAI 03, Lagrange coefficients eliminated by hand to reduce to linear programming so no disjunctions, no tests, etc) - Parallelization& scheduling: Feautrier, easily generalizable to nonlinear case VMCAI 05,Paris,France,17Jan.2005 J 83 [] I ľp.cousot

87 Seminal work LMI case, Lyapunov 1890, aninvariantsetofadifferential equation is stableinthesensethatitattracts all solutions if one canfindafunctionthatis bounded from below and decreases along all solutions outside the invariant set. VMCAI 05,Paris,France,17Jan.2005 J 84 [] I ľp.cousot

88 THE END, THANK YOU VMCAI 05,Paris,France,17Jan.2005 J 85 [] I ľp.cousot

89 THE END, THANK YOU VMCAI 05,Paris,France,17Jan.2005 J 85 [] I ľp.cousot

«Proving Program Invariance and Termination by Parametric Abstraction, Lagrangian Relaxation and Semidefinite Programming»

«Proving Program Invariance and Termination by Parametric Abstraction, Lagrangian Relaxation and Semidefinite Programming» Patrick Cousot École normale supérieure 45rued Ulm,75230Pariscedex05,France Patrick.Cousot@ens.fr