Theoretical Program CheckingTheoretical Program Checking

Greg Bronevetsky

BackgroundBackground

• The field of Program Checking is about 13 years old.

• Pioneered by Manuel Blum, Hal Wasserman, Sampath Kanaan and others.

• Branch of Theoretical Computer Science that deals with

• probabilistic verification of whether a particular implementation solves a given problem.

• probabilistic fixing of program errors (if possible).

Simple CheckerSimple Checker

• A simple checker C for problem f:• Accepts a pair <x,y> where x is the input and y is the

output produced by a given program.• If y=f(x) then return ACCEPT with probability ≥P

C

Else, return REJECT with probability ≥PC

,Where P

C is a constant close to 1.

• If the original program runs in time O(T(n)),the checker must run in asymptotically less time o(T(n)).

Simple Checker ExampleSimple Checker Example

• For example, a simple checker for sorting• Verifies that the sorted list of elements is a

permutation of the original one.• Ensures that the sorted elements appear in a non-

decreasing order.• Checking is certain, so P

C=1.

• Runtime of checker = O(n) vs. O(n log n) for the original program.

Complex CheckerComplex Checker

• A complex checker is just like a simple checker, except that

• It is given P, a program that computes the problem f with low probability of error =p.

• Time Bound: If the original program runs in time O(T(n)), the complex checker must run in time o(T(n)), counting calls to P as one step.

Self-CorrectorSelf-Corrector

• A self-corrector for problem f:• Accepts x, an input to f, along with the program P

that computes f with a low probability of error =p.• Outputs the correct value of f(x) with probability ≥P

C,

where PC is a constant close to 1.• If the original program runs in time O(T(n)), the self-

corrector must also run in O(T(n))-time, counting calls to P as one step.(ie. Must remain in the same time class as original program.)

Uses for CheckersUses for Checkers

• Checkers and Self-Correctors are intended to protect systems against software bugs and failures.

• Because of their speed, simple checkers can be run on each input, raising alarms about bad computations.

• When alarms are raised a self-corrector can try to fix the output.

• Because checkers and self-correctors are written differently from the original program, errors should not be correlated. (ex: SCCM)

Sample Checkers: EquationsSample Checkers: Equations

• A simple checker for programs that compute equations:

• A program that claims to solve a given equation can be checked by taking the solutions and plugging them back into the equation.

• In fact we can do this any time the program purports to produce objects that satisfy given constraints: just verify the constraints.

Simple Checkers: IntegralsSimple Checkers: Integrals

• Given a program to compute definite integral, we can check it by approximating the area under the curve by using a small number of rectangles.

• Given a formula and a program to compute its integral, we can verify the results by differentiating the output (usually easier than integration).

• Also, can pick a random range, and compute the area under the curve using the purported integral vs. using original formula with a lot of rectangles.

Simple Checking MultiplicationSimple Checking Multiplication

• Simple Checker for Multiplication of integers and the mantissas of floating point numbers.

• Assumption: addition is fast and reliable.• Checking that A•B=C.• Procedure:

• Generate a random r• Compute A (mod r) and B (mod r)• Compute [A (mod r) • B (mod r)] (mod r)• Compare result to C (mod r).

• Note: [A (mod r) • B (mod r)] (mod r) = A•B (mod r) = C(mod r)

Simple Checking MultiplicationSimple Checking Multiplication

• A (mod r) and B (mod r) are O(log n)-bits long.Multiplying them takes O((log n)2)-time.

• To get the modulus, need 4 divisions by a small r.Such divisions take O(n log n)-time.

• Total checker time = O(n log n).

• Most processors compute multiplication in O(n2) time (n-length numbers).

Multiplication Self-CorrectorMultiplication Self-Corrector

• Self-Corrector for Multiplication• Procedure:

• Generate random R1 and R

2.

• Compute

• Note: Above equals

• Self-Corrector works by sampling the space of 4 points around A and B and working with them in the case where A•B doesn't work.

211

22

121

22

2

24 RR

RA2R–

RB2R–

RBRA

22

11

22

22 R

RBR

RA=BA

How does it work?How does it work?

• Addition, Subtraction and divisions by 2 and 4 assumed to be fast and reliable.

• We're dealing with 4 numbers: • In order to operate on them we need to use n+1

bit operations.• All 4 numbers vary over half the n+1 bit range.• Because in each multiplication both numbers are

independent, their pair varies over a quarter of the range of pairs of n+1 bit numbers.

2

and 2

2121

RBRA

,R,R

• The odds of a multiplication failing are =p.• But all the erroneous inputs may occur in our

quarter of the range. Thus, the odds of failure become ≤4p.

• Thus, the odds that none of the 4 multiplications fail ≤16p.

How does it work?How does it work?

Other Self-CorrectorsOther Self-Correctors

• Note that a similar self-corrector can be used for matrix multiplication:

• Want to compute AB• Generate random matrices R

1 and R

2

• Compute:• By spreading the multiplications over 4 random

matrices, we avoid the problematic input A, B.• If the odds of a matrix multiplication failing =p, then

the self-corrector's odds of failure are =4p.• It has been shown that self-correctors can be

developed for “Robust functional equations”.

)()( 2211 RBRRAR=AB

Simple Checker for DivisionSimple Checker for Division

• Trying to perform division: N/Q• Note: N = D•Q + R

• R = Remainder • D = some integer

• Equivalently: N – R = D•Q

• Checking Division reduces to Checking Multiplication!

Self-Corrector for DivisionSelf-Corrector for Division

• Calculate , where R is random.

• The three multiplications can be checked and corrected (if necessary) using aforementioned method.

• The one division can also be checked as above.• Note that the one division is unlikely to be faulty:

• As R varies over its n-bit range, R•D varies such that a given R maps to ≤ 2 different values of R•D.

• If division's odds of failure =p, then the odds of failure for ≤ 2p, which is about as low as p.

1

DRRN

DR1

Checking Linear TransformationsChecking Linear Transformations

• Given a Linear Transformation A, want to compute

• Given input , want to output .• We wish to check computations on floating point

numbers, so we'll need to tolerate rounding error.• Let be the error vector

.• is definitely correct iff

• is definitely incorrect iff

Axy

y

x

Axy

),,,( 21 n

xy

, ii,

ni, i 6xy

,

Checking SchemeChecking Scheme

• Generate 10 random vectors where each ± is chosen positive or negative with 50/50 odds.

• Goal: Determine whether or not

• For k= 1 to 10• Calculate

• If , REJECT

• If all 10 tests are passed, ACCEPT.

)1,,1,1()( kr

)()( )( kk rAxry

)( )()()( Tkkk Arxry=D

nD k 6)(

Why does this work?Why does this work?

• Where each ± is positive or negative with independent 50/50 probability

n

kk

kk

kkk

Tkkk

,±,,±±=r=D

rAxy=D

rAxry=D

Arxry=D

21)()(

)()(

)()()(

)()()(

)(

)(

)(

Why does this work?Why does this work?

• Working out the probabilities, we can prove:

1,000,000

1rejects mistakenlychecker

,iterations 10 allover together Pulling

10,000,000

16

)(x,ycorrect definitely

)(

Pr

nDPr

Each,

k

i

Why does this work?Why does this work?

• We can also prove the other side:

1,000

12accepts mistakenlychecker

,iterations 10 allover together Pulling

2

16

)6(x,yincorrect definitely

(-10)

)(

Pr

nDPr

nSome,

k

i

ConclusionConclusion

• A number of simple/complex checkers and self-testers have been developed for many problems.

• Those presented here are some of the simplest.• Work has been done on finding general types of

problems for which efficient testers and self-correctors can be created.

• It is not advanced enough to allow automation.• There is some promise in finding techniques to

test simple operations that we can use to build up more complex techniques.