1 / 17

CAUCHY

CAUCHY. Continuity analysis of programs. Uncertainty and robustness . Trends: cyber-physical systems, integration of computation and science, … Uncertainty: stale satellite data, erroneous sensor measurements, … Does your program handle uncertainty robustly?

burke
Download Presentation

CAUCHY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CAUCHY Continuity analysis of programs

  2. Uncertainty and robustness • Trends: cyber-physical systems, integration of computation and science, … • Uncertainty: stale satellite data, erroneous sensor measurements, … • Does your program handle uncertainty robustly? • Correctness in settings without uncertainty does not imply correctness in uncertain environments.

  3. Robustness analysis of programs • Robustness: small perturbations to a program’s operating conditions do not change its behavior significantly. • Continuity: Infinitesimal changes to inputs only cause infinitesimal changes to outputs. • Discrete continuity: Similar, except for non-infinitesimalchanges to discrete numbers. • Derivative has low complexity. • Asymptotic stability • Verify these! P

  4. First step: Continuity analysis of programs • Continuity of mathematical functions: • definition. • Equivalently, infinitesimal changes in inputs only cause infinitesimal changes in outputs. • Continuity of programs • Associate metric spaces with types, lift it into a metric over states. • Same question. Do infinitesimal changes in program inputs only cause infinitesimal changes to outputs? This paper: structural analysis of continuity. P

  5. Example: an implementation of Dijkstra’s algorithm • procedure Dijkstra(G: graph, src: node): • for each node v in G: { d[v] := Infinity } • d[src] := 0; Worklist := set of all nodes in G; • whileWorklist is not empty { • Remove node w from Worklists.t. d[w] is minimal; • for each neighbor v of w: { • z := d[w] + G[w,v]; • if (z < d[v]) { d[v] := z; prev[v] := w; } } } • Small change to real array: each element changes at most by a small amount. • Small change to graph with real edge weight: each edge weight changes at most by a small amount. • Is this program continuous?

  6. Example: Dijkstra’s algorithm • procedure Dijkstra(G: graph, src: node): • for each node v in G: { d[v] := Infinity } • d[src] := 0; Worklist := set of all nodes in G; • whileWorklist is not empty { • Remove node w from Worklists.t. d[w] is minimal; • for each neighbor v of w: { • z := d[w] + G[w,v]; • if (z < d[v]) { d[v] := z; prev[v] := w; } } } • Small change to real array: each element changes at most by a small amount. • Small change to graph with real edge weight: each edge weight changes at most by a small amount. • Is this program continuous? • Depends on what is observable. • At point of output, d is a continuous function of G, but prev is not.

  7. Continuity at work! • Sorting algorithms are continuous … but only if output = array of keys. • Minimum spanning tree algorithms are continuous… but only if the output is the weight of the tree. • Integer knapsack is continuous in values of items but not in their weights. • Fractional knapsack is continuous in values and weights. 2.0 3.0 4.0 2.0 3.0 4.0 3.0 2.99 2.0 3.0 3.0 4.0 2.0 2.99 3.0 4.0

  8. Challenge #1: Control flow P ifb • Key Idea: Prove branch-equivalence at the zeroes of b—i.e., conditions under which guard can flip onsmallchanges. • Example: d[v] is continuous after if (d[v] < z) d[v] := z. The guard (d[v] < z) flips (under small changes) only when d[v] = z. Then, d[v] has similar values on both branches. • Automate using an SMT-solver. (cf. Translation validation) 1. P1 and P2 are continuous. P is continuous P2 P1

  9. Challenge #2: Noninductiveness • whileWorklist is not empty { • Remove node w from Worklists.t. d[w] is minimal; • for each neighbor v of w: { • z := d[w] + G[w,v]; • if (z < d[v]) { d[v] := z; prev[v] := w; } } } • Small change to d at iteration-entry can completely change the value of d at the end. • Thus, continuity is not inductive. u1 d[u1] = 2.00 u2 d[u2] = 2.00 u3 d[u2] = 4.00

  10. Key idea: Induction over epochs • whileWorklist is not empty { • Remove node w from Worklists.t. d[w] is minimal; • To be reordered, iterations must be approximately tied on selection criterion. Epoch = cluster of such iterations. • Prove that iterations within epochs are commutative. • Proof can be discharged using an SMT-solver. u1 d[u1] = 2.00 u2 d[u2] = 2.00 u3 d[u2] = 4.00 u3 d[u2] = 4.02 u2 d[u1] = 2.00 u1 d[u2] = 2.01

  11. Key idea: Induction over epochs • whileWorklist is not empty { • Remove node w from Worklists.t. d[w] is minimal; Now do induction over epochs. Perturbed u3 d[u2] = 4.00 u1 d[u1] = 2.00 u2 d[u2] = 2.00 Original u2 d[u1] = 2.00 u3 d[u2] = 4.02 u1 d[u2] = 2.01

  12. But often, simple induction is enough • fork := 1 to N • for i, j := 1 to N: • ifG[i, j] > G[i, k] + G [k, j] • G[i, j] := G[i, k] + G[k. j]; Floyd-Warshall shortest path algorithm

  13. Challenge #3: Early or late termination • Key Idea: Prove idempotence under conditions when guard can flip. • Example: while (z > 0) { x := x + z; z := z * w; } If z = 0, then loop body is idempotent. whileb P Perturbed Original

  14. Results • Soundness with respect to definition. (Tricky!) • Proof rules discharged using Z3 SMT solver. • Able to prove 11 of the 13 continuous algorithms targeted: • Sorting (Merge sort, Bubble sort, Insertion sort, Selection sort). • Minimum Spanning Tree (Prim’s and Kruskal’s) • Shortest Paths (Floyd-Warshall, Bellman-Ford, Dijkstra) • Knapsack (Fractional and integer) • Epoch induction needed in 5/13 cases. • Early termination check needed in 3/13 cases. • Current work exploring “real” applications (embedded medical devices and GPS apps).

  15. Ongoing work: discrete derivatives of programs • Instead of infinitesimal changes to real variables, consider unit changes to finite-precision variables. • More natural in the quantitative setting. • Changes the game somewhat: • E.g., Addition is not continuous. • But most of the rules/insights still apply. • Goal: Mechanically generate discrete derivatives of programs: • E.g., Discrete derivative of Dijkstra’s algorithm in O(n). P

  16. The Cauchy challenge Develop an analytical calculus of computation (Discrete)derivativesof programs Continuity analysis Cauchy Analytic approximations ofprograms Limits of programs Hybrid representations Fourier analysis of programs Applications in cyber-physical systems, approximate computation. Also, pedagogical value.

  17. Conclusion • Robustness is an important correctness property for programs operating under uncertainty. • Continuity is one, but by no means the only, robustness property. • This paper offers one, but by no means the only, continuity analysis. • First step towards an analytical calculus of computation.

More Related