Michael Carbin Deokhwan Kim Sasa Misailovic and Martin Rinard Research Focus NonTraditional Program Transformation Program Repair Eliminate memory leaks Eliminate memory errors buffer overflows ID: 385556
Download Presentation The PPT/PDF document "Reasoning about Relaxed Programs" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Reasoning about Relaxed Programs
Michael
Carbin
Deokhwan
Kim,
Sasa
Misailovic
, and Martin
RinardSlide2
Research Focus
Non-Traditional Program Transformation
Program Repair
Eliminate memory leaks
Eliminate memory errors (buffer overflows,
segfaults
)
Escape from infinite loops
Accuracy-Aware Program Optimization
Trade accuracy of result for performanceSlide3
Traditional Program Transformation
Transformation
≡
.c
.cSlide4
Non-Traditional Program Transformation
≅
Transformation
.c
.cSlide5
Loop Perforation of Motion Estimation in x264 (
Misailovic
,
etal
)
Reference
Frame
Current
Frame
?Slide6
Loop Perforation
int
motion_estimation
(
block_t
[] blocks,
int n)
{
int
idx = 0, best = INT_MAX, num_iters
= 0, i = 0;
while (i < n) { int
cur = compute_distance(blocks[i]);
if (cur < best) { idx
= i; best = cur;
} num_iters
= num_iters + 1;
i = i + 1; } assert (0 <=
idx < n); return idx
; }Slide7
Loop Perforation
int
motion_estimation
(
block_t
[] blocks,
int n)
{
int
idx = 0, best = INT_MAX, num_iters
= 0, i = 0;
while (i < n) { int
cur = compute_distance(blocks[i]);
if (cur < best) { idx
= i; best = cur;
} num_iters
= num_iters + 1;
i = i + 2; }
assert (0 <= idx < n);
return idx;
}Slide8
Loop Perforation
int
motion_estimation
(
block_t
[] blocks,
int n)
{
int
idx = 0, best = INT_MAX, num_iters
= 0, i = 0;
while (i < n) { int
cur = compute_distance(blocks[i]);
if (cur < best) { idx
= i; best = cur;
} num_iters
= num_iters + 1;
i = i + 4; }
assert (0 <= idx < n);
return idx;
}Slide9
Quality of Service Profiling
Automatically
explore alternate
versions
QoS model
Program
Input(s)
Time Profiler
Subcomputation
Transformation
Quality of Service profiler
timing info
performance
vs
QoS info
Transformation
EvaluationSlide10
Research Questions
Is it possible to write an implementation and specify flexibility at the same time?
Or write program and later
relax
its semantics
?What can we say
about the correctness of the resulting program?Slide11
Loop Perforation Example
int
motion_estimation
(
block_t
[] blocks,
int n)
{
int
idx = 0, best = INT_MAX, step = 1,
num_iters = 0, i = 0;
while (i < n) {
int cur = compute_distance(blocks[i]);
if (cur < best) {
idx = i; best = cur;
} num_iters
= num_iters + 1;
relax (step) st step == 1 || step == 2;
i = i + step; } assert (0 <=
idx < n); accept (
num_iters<o> / 2 <= num_iters
<r>); return idx;
}Slide12
Relaxed Program
Single Program Text, Two Semantics
One interpretation with the
original semantics
(ignore
relax
statements)One interpretation with the relaxed semantics (include
relax statements)Two semantics are related by nondeterministic transformations of the program state:
relax (step)
st step == 1 || step == 2;Slide13
Relaxed Programming Assertions
accept (P*)
R
elational assertion – relates both semantics.
a
ssert (P)
Non
-relational assertion - holds for
individually.assume (P)Non-relational
assumption - like admit
in Coq.
assert (0 <=
idx < n);Slide14
Program Semantics Formalization
Dynamic Semantics
One for original semantics :
original execution
.
One for relaxed semantics :
relaxed execution.Axiomatic Semantics for VerificationVariant of Relational Hoare Logic.Slide15
Axiomatic Semantics
≅
accept (
num_iters
<o> / 2 <=
num_iters
<r>);
Input
Original Execution
Relaxed ExecutionSlide16
Verification Guarantees
Acceptability
An original execution and relaxed execution on the same input satisfy
accept
statements.
Non-interference
with assert and
assumeStill valid for relaxed executions.Slide17
Coq Development
About 6000 lines of code and
proof.
Some automation, but mostly
manual.
Coq instructed the proof
strategy.Chose big-step dynamic semantics.Small-step proofs were very complicated. More difficult in general, but amplified by Coq.Majority of work in
relational assertion logic.Substitution lemmas, etc.Slide18
Coq Experience
“Most complicated system I’ve ever seen.”
“Very powerful – you can express anything you want.”
“Difficult to navigate multiple layers of abstractions/automations.”Slide19
Conclusion
Relaxed Programming in Coq
Work in progress (in submission).
A
sk me
after class if
you have more questions.Is Coq useful?A natural discussion if you bring up Coq.Utility = benefit / costSlide20
Conclusion (cont.)
A lot of research on lowering costs
Better abstractions
More Automation
But less
research on benefits
Correctness... but, software can always be better.Is there a system we can build with Coq that is impossible to build with traditional methods?Slide21
The End