Proving programs robust

We present a program analysis for verifying quantitative robustness properties of programs, stated generally as: "If the inputs of a program are perturbed by an arbitrary amount epsilon, then its outputs change at most by K · epsilon, where K can depend on the size of the input but not on its value." Robustness properties generalize the analytic notion of continuity: for example, while the function e^x is continuous, it is not robust. Our problem is to verify the robustness of a function P that is coded as an imperative program and can use diverse data types and features such as branches and loops. Our approach soundly decomposes the problem into two subproblems: (a) verifying that the smallest possible perturbations to the inputs of P do not change the corresponding outputs significantly, even if control now flows along a different control-flow path; and (b) verifying the robustness of the computation along each control-flow path of P. To solve the former subproblem, we build on an existing method for verifying that a program encodes a continuous function [5]. The latter is solved using a static analysis that bounds the magnitude of the slope of any function computed by a control-flow path of P. The outcome is a sound program analysis for robustness that uses proof obligations which do not refer to epsilon-changes and can often be fully automated using off-the-shelf SMT solvers. We identify three application domains for our analysis. First, it can be used to guarantee the predictable execution of embedded control software, whose inputs come from physical sources and can suffer from error and uncertainty. A guarantee of robustness ensures that the system does not react disproportionately to such uncertainty. Second, our analysis is directly applicable to approximate computation, and can be used to provide foundations for a recently proposed program approximation scheme called loop perforation. A third application is in database privacy: proofs of robustness of queries are essential to differential privacy, the most popular notion of privacy for statistical databases.
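As an added illustration (not the paper's own analysis or code), the following Python sketches the two subproblems on a toy language of affine assignments: a slope-propagation pass for one control-flow path (subproblem b) and a boundary check for a two-way branch (subproblem a). The `Assign` encoding and the sample programs (array sum, `2x | -x`, `x+1 | x`) are constructed here; the paper's analysis handles richer programs and discharges its obligations with SMT solvers.

```python
from fractions import Fraction

# One affine assignment target := sum(coef * var) + const, over exact rationals.
Assign = tuple[str, dict[str, Fraction], Fraction]
Env = dict[str, Fraction]

def path_slopes(path: list[Assign], inputs: list[str]) -> dict[str, Fraction]:
    """Subproblem (b): slope[v] bounds |delta v| / eps along one path when every
    input moves by at most eps.  Inputs start at 1, unassigned names (constants)
    at 0, and x := sum(c_i * v_i) + k gives slope[x] = sum(|c_i| * slope[v_i]);
    the constant k drops out, so K depends on the path, not on input values."""
    slope = {v: Fraction(1) for v in inputs}
    for target, terms, _k in path:
        slope[target] = sum((abs(c) * slope.get(v, Fraction(0))
                             for v, c in terms.items()), Fraction(0))
    return slope

def evaluate(path: list[Assign], env: Env) -> Env:
    """Run a straight-line path concretely (used for the boundary check)."""
    env = dict(env)
    for target, terms, k in path:
        env[target] = sum((c * env.get(v, Fraction(0)) for v, c in terms.items()), k)
    return env

def branch_robustness(then_path: list[Assign], else_path: list[Assign],
                      inputs: list[str], boundary: Env, out: str) -> tuple[bool, Fraction]:
    """Subproblem (a): on the guard boundary both paths must agree on `out`, or a
    tiny perturbation that flips the branch causes a jump no K*eps can bound.
    K is then the larger per-path slope.  With one input and an affine guard the
    boundary is a single point, so one check is complete; more inputs need SMT."""
    jump = evaluate(then_path, boundary)[out] - evaluate(else_path, boundary)[out]
    k = max(path_slopes(then_path, inputs)[out], path_slopes(else_path, inputs)[out])
    return jump == 0, k

def unrolled_sum(n: int) -> list[Assign]:
    """Path of `s := 0; for i in range(n): s := s + a[i]`: a fixed trip count
    means the loop contributes exactly one control-flow path."""
    path: list[Assign] = [("s", {}, Fraction(0))]
    for i in range(n):
        path.append(("s", {"s": Fraction(1), f"a{i}": Fraction(1)}, Fraction(0)))
    return path

def sum_constant(n: int) -> Fraction:
    """K for the array sum: grows with input size n, independent of the values."""
    return path_slopes(unrolled_sum(n), [f"a{i}" for i in range(n)])["s"]

# Constructed two-path programs over one input x, guard x >= 0, boundary x = 0.
ABS2 = ([("y", {"x": Fraction(2)}, Fraction(0))], [("y", {"x": Fraction(-1)}, Fraction(0))])  # 2x | -x
STEP = ([("y", {"x": Fraction(1)}, Fraction(1))], [("y", {"x": Fraction(1)}, Fraction(0))])   # x+1 | x
ZERO = {"x": Fraction(0)}
```

`STEP` shows why per-path slopes alone are not enough: each branch has slope 1, yet the unit jump at x = 0 defeats any K · epsilon bound, which is exactly what subproblem (a) is there to catch.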

[1] Daniel M. Roy et al. Probabilistically Accurate Program Transformations, 2011, SAS.

[2] G. Zames. Input-output feedback stability and robustness, 1959-85, 1996.

[3] Patrick Cousot et al. The ASTRÉE Analyzer, 2005, ESOP.

[4] Ji Wang et al. An Abstract Domain to Discover Interval Linear Equalities, 2010, VMCAI.

[5] Donato Trigiante et al. Stability and Conditioning in Numerical Analysis, 2006.

[6] Antoine Miné et al. Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors, 2004, ESOP.

[7] Benjamin C. Pierce et al. Distance makes the types grow stronger: a calculus for differential privacy, 2010, ICFP '10.

[8] Dick Hamlet et al. Continuity in software systems, 2002.

[9] Woongki Baek et al. Green: a framework for supporting energy-conscious programming using controlled approximation, 2010, PLDI '10.

[10] G. Winskel. The formal semantics of programming languages, 1993.

[11] Uwe Naumann et al. Automatic Differentiation: Applications, Theory, and Implementations (Lecture Notes in Computational Science and Engineering), 2006.

[12] Stephen Smale et al. On a theory of computation over the real numbers; NP completeness, recursive functions and universal machines, 1988, Proceedings of the 29th Annual Symposium on Foundations of Computer Science.

[13] Joseph Y. Halpern. Reasoning about uncertainty, 2003.

[14] Rupak Majumdar et al. Systematic testing for control applications, 2010, Eighth ACM/IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE 2010).

[15] Edward A. Lee. Cyber Physical Systems: Design Challenges, 2008, 11th IEEE International Symposium on Object and Component-Oriented Real-Time Distributed Computing (ISORC).

[16] Henry Hoffmann et al. Quality of service profiling, 2010, ACM/IEEE 32nd International Conference on Software Engineering.

[17] Glynn Winskel et al. The formal semantics of programming languages - an introduction, 1993, Foundation of computing series.

[18] Cynthia Dwork et al. Differential Privacy, 2006, ICALP.

[19] S. Pettersson et al. Stability and robustness for hybrid systems, 1996, Proceedings of the 35th IEEE Conference on Decision and Control.

[20] Henry Hoffmann et al. Managing performance vs. accuracy trade-offs with loop perforation, 2011, ESEC/FSE '11.

[21] Andreas Podelski et al. Model Checking of Hybrid Systems: From Reachability Towards Stability, 2006, HSCC.

[22] Andreas Haeberlen et al. Differential privacy for collaborative security, 2010, EUROSEC '10.

[23] Rupak Majumdar et al. Symbolic Robustness Analysis, 2009, 30th IEEE Real-Time Systems Symposium.

[24] Dick Hamlet et al. Continuity in software systems, 2002, ISSTA '02.

[25] Sumit Gulwani et al. Continuity analysis of programs, 2010, POPL '10.

[26] Nicolas Halbwachs et al. Automatic discovery of linear restraints among variables of a program, 1978, POPL.

[27] Martin Bücker et al. Automatic differentiation: applications, theory, and implementations, 2006.

[28] Ji Wang et al. Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships, 2009, SAS.

[29] Eric Goubault et al. Static Analyses of the Precision of Floating-Point Operations, 2001, SAS.