How to get an efficient yet verified arbitrary-precision integer library

Size: px

Start display at page:

Download "How to get an efficient yet verified arbitrary-precision integer library"

Elfrieda Webb
5 years ago
Views:

1 How to get an efficient yet verified arbitrary-precision integer library Raphaël Rieu-Helft TrustInSoft Inria March 13, 2018 March 13, / 36

2 Context, motivation, goals goal: efficient and formally verified large-integer library GMP: widely-used, high-performance library safety-critical tested, but hard to ensure good coverage (unlikely branches) correctness bugs have been found in the past idea: 1 formally verify GMP algorithms with Why3 2 extract efficient C code March 13, / 36

3 Outline 1 Reimplementing GMP using Why3 2 Extracting to idiomatic C code 3 An example: schoolbook multiplication 4 Computational reflection in Why3 5 Impure programs as decision procedures 6 Benchmarks, conclusions March 13, / 36

4 Reimplementing GMP using Why3 Reimplementing GMP using Why3 March 13, / 36

5 Reimplementing GMP using Why3 Tool: the Why3 platform file.mlw Why3 file.ml file.c Alt-Ergo CVC4 Z3 etc. approach: implement the GMP algorithms in WhyML verify them with Why3 extract to C difficulties: preserve all GMP implementation tricks prove them correct extract to efficient C code March 13, / 36

6 Reimplementing GMP using Why3 An example: comparison large integer pointer to array of unsigned integers a 0... a n 1 called limbs value(a, n) = n 1 a i β i usually β = 2 64 i=0 type ptr a =... exception Return32 int32 let wmpn_cmp (x y: ptr uint64) (sz: int32): int32 = let i = ref sz in try while!i 1 do i :=!i - 1; let lx = x[!i] in let ly = y[!i] in if lx ly then if lx > ly then raise (Return32 1) else raise (Return32 (-1)) done; 0 with Return32 r r end March 13, / 36

7 Reimplementing GMP using Why3 Memory model simple memory model, more restrictive than C type ptr a = abstract { mutable data: array a ; offset: int } predicate valid (p:ptr a) (sz:int) = 0 sz 0 p.offset p.offset + sz plength p p.data p.offset }{{} valid(p,5) val malloc (sz:uint32) : ptr a (* malloc(sz * sizeof( a)) *)... val free (p:ptr a) : unit (* free(p) *)... no explicit address for pointers March 13, / 36

8 Reimplementing GMP using Why3 Alias control aliased C pointers point to the same memory object aliased Why3 pointers same data field only way to get aliased pointers: incr type ptr a = abstract { mutable data: array a ; offset: int } val incr (p:ptr a) (ofs:int32): ptr a (* p+ofs *) alias { result.data with p.data } ensures { result.offset = p.offset + ofs }... val free (p:ptr a) : unit requires { p.offset = 0 } writes { p.data } ensures { p.data.length = 0 } Why3 type system: all aliases are known statically no need to prove non-aliasing hypotheses March 13, / 36

9 Reimplementing GMP using Why3 Example specification: long multiplication specifications are defined in terms of value (** [wmpn_mul r x y sx sy] multiplies [(x, sx)] and [(y,sy)] and writes the result in [(r, sx+sy)]. [sx] must be greater than or equal to [sy]. Corresponds to [mpn_mul]. *) let wmpn_mul (r x y: ptr uint64) (sx sy: int32) : unit requires { 0 < sy sx } requires { valid x sx } requires { valid y sy } requires { valid r (sy + sx) } writes { r.data.elts } ensures { value r (sy + sx) = value x sx * value y sy } Why3 typing constraint: r cannot be aliased to x or y simplifies proofs : aliases are known statically we need another function for in-place multiplication March 13, / 36

10 Extracting to idiomatic C code Extracting to idiomatic C code March 13, / 36

11 Extracting to idiomatic C code Extraction mechanism goals: simple, straightforward extraction (trusted) performance: no added complexity, no closures or indirections inefficiencies caused by extraction must be optimizable by the compiler tradeoff: handle only a small, C-like fragment of WhyML loops references machine integers manual memory management polymorphism, abstract types higher order mathematical integers garbage collection March 13, / 36

12 Extracting to idiomatic C code Exceptions and return/break statements return and break are emulated by exceptions in WhyML recognize the patterns, extract as native return/break reject all other exceptions let f (args) =... ; try (* tail position *)... raise (R e)... with R v v end f ( args ) {...;...; return e;... } try while... do... raise B... done with B () end while... {... break ;... } March 13, / 36

13 Extracting to idiomatic C code Multiple return values WhyML uses tuples for functions that return multiple values extra pointer parameters for these functions, write the results there let f (a: int32) : (int32,int32) = let b = a+a in (a,b) let g () : int32 = let x = Int32.of_int 42 in let (y,z) = f x in z - y void f( int32_t * result, int32_t * result1, int32_t a) { int32_t b; b = (a + a); (* result ) = a; (* result1 ) = b; return ; } int32_t g() { int32_t y, z; f(&y, &z, 42); return (z - y); } March 13, / 36

14 Extracting to idiomatic C code Comparison: extracted C code let wmpn_cmp (x y: ptr uint64) (sz: int32): int32 = let i = ref sz in try while!i 1 do i :=!i - 1; let lx = x[!i] in let ly = y[!i] in if lx ly then if lx > ly then raise (Return32 1) else raise (Return32 (-1)) done; 0 with Return32 r r end int32_t wmpn_cmp ( uint64_t * x, uint64_t * y, int32_t sz) { int32_t i, o; uint64_t lx, ly; i = (sz ); while (i >= 1) { o = (i - 1); i = o; lx = (*( x+(i ))); ly = (*( y+(i ))); if (lx!= ly) { if ( lx > ly) return (1); else return ( -(1)); } } return (0); } March 13, / 36

15 An example: schoolbook multiplication An example: schoolbook multiplication March 13, / 36

16 An example: schoolbook multiplication Schoolbook multiplication simple algorithm, optimal for smaller sizes GMP switches to divide-and-conquer algorithms at 20 words mp_limb_t mpn_mul ( mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn) { /* We first multiply by the low order limb. This result can be stored, not added, to rp. We also avoid a loop for zeroing this way. */ rp[ un] = mpn_mul_1 ( rp, up, un, vp [0]); /* Now accumulate the product of up [] and the next higher limb from vp []. */ } while (--vn >= 1) { rp += 1, vp += 1; rp[ un] = mpn_addmul_1 ( rp, up, un, vp [0]); } return rp[ un ]; March 13, / 36

17 An example: schoolbook multiplication Why3 implementation while!i < sy do invariant { value r (!i + sx) = value x sx * value y!i } ly := get_ofs y!i; let c = addmul_limb!rp x!ly sx in set_ofs!rp sx c; i :=!i + 1;!rp := C.incr!rp 1; done;... March 13, / 36

18 An example: schoolbook multiplication Why3 implementation while!i < sy do invariant { 0!i sy } invariant { value r (!i + sx) = value x sx * value y!i } invariant { (!rp).offset = r.offset +!i } invariant { plength!rp = plength r } invariant { pelts!rp = pelts r } variant { sy -!i } ly := get_ofs y!i; let c = addmul_limb!rp x!ly sx in value_sub_update_no_change (pelts r) ((!rp).offset + sx) r.offset (r.offset +!i) c; set_ofs!rp sx c; i :=!i + 1; value_sub_tail (pelts r) r.offset (r.offset + sx + k); value_sub_tail (pelts y) y.offset (y.offset + k); value_sub_concat (pelts r) r.offset (r.offset + k) (r.offset + k + sx); assert { value r (!i + sx) = value x sx * value y!i by... so... so... (* 20+ subgoals *) };!rp := C.incr!rp 1; done;... March 13, / 36

19 An example: schoolbook multiplication Building block: addmul_limb (** [addmul_limb r x y sz] multiplies [(x, sz)] by [y], adds the [sz] least significant limbs to [(r, sz)] and writes the result in [(r,sz)]. Returns the most significant limb of the product plus the carry of the addition. Corresponds to [mpn_addmul_1].*) let addmul_limb (r x: ptr uint64) (y: uint64) (sz: int32): uint64 requires { valid x sz } requires { valid r sz } ensures { value r sz + (power radix sz) * result = value (old r) sz + value x sz * y } writes { r.data.elts } ensures { forall j. j < r.offset r.offset + sz j r[j] = (old r)[j] } adds y x to r does not change the contents of r outside the first sz cells called on r + i, x and y i for 0 i sy March 13, / 36

20 An example: schoolbook multiplication Extracted code void mul ( uint64_t * r12, uint64_t * x15, uint64_t * y13, int32_t sx4, int32_t sy4 ) { uint64_t ly9, c8, res16 ; uint64_t * rp3 ; int32_t i16, o28 ; uint64_t * o29 ; ly9 = (*( y13 )); c8 = ( mul_limb (r12, x15, ly9, sx4 )); *( r12 +( sx4 )) = c8; rp3 = ( r12 +(1)); i16 = (1); while ( i16 < sy4 ) { ly9 = *( y13 +( i16 )); res16 = ( addmul_limb ( rp3, x15, ly9, sx4 )); *( rp3 +( sx4 )) = res16 ; o28 = ( i16 + 1); i16 = o28 ; o29 = ( rp3 +(1)); ( rp3 ) = o29 ; } return (*( rp3 +( sx4-1))); } not as concise as GMP, but close enough to be optimized by the compiler March 13, / 36

21 Computational reflection in Why3 Computational reflection in Why3 March 13, / 36

22 Computational reflection in Why3 Motivation proof effort: 6000 lines of Why3 code 1350 of programs 4650 of specifications and (mostly) assertions 4200 subgoals, around two thirds are for division large proof contexts, nonlinear arithmetic many long assertions are needed even for some easy goals March 13, / 36

23 Computational reflection in Why3 Toy example: Strassen s algorithm we need to prove equalities such as M 1,1 = M 1,1 with M 1,1 = A 1,1 B 1,1 + A 1,2 B 2,1 M 1,1 = (A 1,1 + A 2,2 ) (B 1,1 + B 2,2 ) + A 2,2 (B 2,1 B 1,1 ) (A 1,1 + A 1,2 ) B 2,2 + (A 1,2 A 2,2 ) (B 2,1 + B 2,2 ) SMT solvers time out in practice idea: embed terms into the logical language of Why3 type t = Var int Add t t Mul t t Sub t t let rec function interp (x: t) (y: int a) : a = match x with Var n y n Add x1 x2 aplus (interp x1 y) (interp x2 y) Mul x1 x2 atimes (interp x1 y) (interp x2 y) Sub x1 x2 asub (interp x1 y) (interp x2 y) end March 13, / 36

24 Computational reflection in Why3 Normalizing terms define functions over t, compute results with Why3 rewriting engine let rec function norm (x:t) : t ensures { forall y. interp result y = interp x y } = match x with... lemma norm_eq: forall x1 x2 y. norm (Sub x1 x2) = Nil interp x1 y = interp x2 y no need to prove that norm computes a normal form very easy proof problem: how to guess x1, x2, y such that interp x1 y = M 1,1 interp x2 y = M 1,1 March 13, / 36

25 Computational reflection in Why3 Reification heuristic approach: invert norm_eq and the body of interp let rec function interp (x: t) (y: int a) : a = match x with Var n y n Add x1 x2 (interp x1 y) + (interp x2 y) Mul x1 x2 (interp x1 y) * (interp x2 y) Sub x1 x2 (interp x1 y) - (interp x2 y) end lemma norm_eq: forall x1 x2 y. norm (Sub x1 x2) = Nil interp x1 y = interp x2 y goal g: foo a + b = c * b [foo a + b = c * b] [foo a + b] = [c * b] Add [foo a] [b] = [c * b] Add (Var 0) (Var 1) = [c * b] Add (Var 0) (Var 1) = Mul [c] [b] Add (Var 0) (Var 1) = Mul (Var 2) (Var 1) x1 = Add (Var 0) (Var 1) x2 = Mul (Var 2) (Var 1) y 0 = foo a y 1 = b y 2 = c interp x1 y = interp x2 y? March 13, / 36

26 Computational reflection in Why3 Extension: reifying the proof context function interp_eq (g:equality) (y:vars) (z:c.cvars) : bool = match g with (g1, g2) interp g1 y z = interp g2 y z end function interp_ctx (l:list equality) (g:equality) (y:vars) (z:c.cvars) : bool = match l with Nil interp_eq g y z (* goal *) Cons h t (interp_eq h y z) (interp_ctx t g y z) end recognize implication and recursive call in the Cons branch heuristic: match all possible hypotheses in the proof context against the left-hand side, build longest possible list in this case, all equalities with the right type March 13, / 36

27 Computational reflection in Why3 Reflection as a Why3 transformation lemma norm_eq: forall x1 x2 y. norm (Sub x1 x2) = Nil interp x1 y = interp x2 y synopsis: take a lemma as parameter, e.g. norm_eq guess appropriate values for parameters using the reification procedure require to prove the premises add the instantiated conclusion, e.g. interp x1 y = interp x2 y to the proof context if we guess wrong, proof probably fails, but no soundness issue no need to trust the reification procedure March 13, / 36

28 Impure programs as decision procedures Impure programs as decision procedures March 13, / 36

29 Impure programs as decision procedures From logic to programs important limitation of logic-based approach: expressiveness no side effects allowed must prove termination with structurally decreasing argument consequence: decision procedures are hard to implement and inefficient idea: write decision procedures as regular, proved Why3 programs use instantiated postcondition as cut indication March 13, / 36

30 Impure programs as decision procedures Interpreter additional step of the reflection transformation: compute the results new interpreter for WhyML programs uses the extraction intermediate language simple, but part of the trusted computing base built-in implementation for arithmetic, arrays... additional debugging built-in: printf val printf (x: a) : unit March 13, / 36

31 Impure programs as decision procedures Example: systems of linear equalities type expr = Term coeff int Add expr expr Cst coeff type equality = (expr, expr) let linear_decision (l: list equality) (g: equality) : bool requires { valid_ctx l valid_eq g } ensures { forall y z. result = True interp_ctx l g y z } raises { Unknown true } = let m = Matrix.make match gauss_jordan m with Some r check_combination l g r None False end given a list l of valid equalities, is the equality g valid? check if g is a linear combination of l by Gaussian elimination if it s not, print a debugging hint proof by certificate: no need to prove Gaussian elimination generic: only requires coeff to provide partial field operations March 13, / 36

32 Impure programs as decision procedures Modularity: specializing the decision procedure to GMP axiom H: value r1 i + (power radix i) * c1 = value x i + value y i 1 axiom H1: res + radix * c = lx + ly + c1 power radix i axiom H2: value r i = value r1 i 1 axiom H3: value x (i+1) = value x i + (power radix i) * lx ( 1) axiom H4: value y (i+1) = value y i + (power radix i) * ly ( 1) axiom H5: value r (i+1) = value r i + (power radix i) * res 1 goal g: value r (i+1) + power radix (i+1) * c = value x (i+1) + value y (i+1) GMP-specific conversion layers, composed with generic procedure: more expressive inductive type for expressions GMP-specialized coefficient field let mp_decision (l: list equality ) (g: equality ) : bool requires { valid_ctx l valid_eq g } ensures { forall y z. result pos_ctx l z pos_eq g z interp_ctx l g y z } raises { Unknown true } = let sl, sg = simp_ctx (m_ctx l) (m_ctx g) in linear_decision sl sg March 13, / 36

33 Impure programs as decision procedures Specialized coefficients for GMP goals the (symbolic) powers of radix need to be part of the scalar coefficients type exp = Lit int Var int Plus exp exp Minus exp Sub exp exp type rat = (int, int) type t = (rat, exp) function qinterp (q:rat) : real = match q with (n,d) from_int n /. from_int d end function interp_exp (e:exp) (y:vars) : int = match e with Lit n n Var v y v Plus e1 e2 interp_exp e1 y + interp_exp e2 y... end function interp (t:t) (y:vars) : real = match t with (q,e) qinterp q *. pow radix (from_int (interp_exp e y)) end March 13, / 36

34 Impure programs as decision procedures Assessment user-supplied Why3 programs can be used as decision procedures no need to know the internal workings of Why3 compositionality: existing procedures can be adapted and reused minimal impact on the trusted computing base GMP proof: hundreds of lines of assertions can be deleted limitations: hard to debug when it doesn t work, though printf helps decision procedure performance reload times March 13, / 36

35 Benchmarks, conclusions Benchmarks, conclusions March 13, / 36

36 Benchmarks, conclusions Comparison with GMP we compare with GMP without assembly (option --disable-assembly) we want to evaluate the algorithms, not the compiler we only consider inputs of 20 words or less ( 1300 bits) above that, GMP uses different algorithms multiplication: less than 5% slower than GMP, satisfactory division: 10% slower than GMP except for very small inputs except for sx very close to sy GMP uses a different algorithm for sy > sx/2, to do performances are very dependent on the compiled code of the primitives ongoing: link to GMP to use the exact same primitives March 13, / 36

37 Benchmarks, conclusions Conclusions verified C library, bit-compatible with GMP GMP mpn functions implemented: add, sub, mul, div, shifts GMP implementation tricks preserved satisfactory performances in the handled cases new Why3 features: extraction and memory model for C alias of return value and parameter Why3 framework for proofs by reflection coming soon: divide-and-conquer algorithms for multiplication and division GMP mpz functions extract specifications as well? March 13, / 36

38 Arithmetic primitives: the uint64 type type uint64 val function to_int (n:uint64): int meta coercion function to_int let constant max = 0xffff_ffff_ffff_ffff predicate in_bounds (n:int) = 0 n max axiom to_int_in_bounds: forall n:uint64. in_bounds n val mul (x y:uint64): uint64 (* defensive, no overflow *) requires { in_bounds (x * y) } ensures { result = x * y } val mul_mod (x y:uint64): uint64 (* with overflow *) ensures { result = mod (x * y) (max+1) } val mul_double (x y:uint64): (uint64,uint64) returns { (l,h) l + (max+1) * h = x * y } (* returns two words*) March 13, / 2

39 A more complex algorithm: long division 1: function div_gen(q, a, d, m, n, inv) 2: x a m 1 3: i = m n 4: while i > 0 do 5: i i 1 6: if x = d n 1 and a n+i 1 = d n 2 then unlikely 7: ˆq β 1 8: submul_limb(a + i, d, n, ˆq) we know the result is d n 1 9: x a n+i 1 10: else 11: (ˆq, x, l) div_3by2(x, a n+i 1, a n+i 2, d n 1, d n 2, inv) 12: b submul_limb(a + i, d, n 2, ˆq) 13: b 1 (l < b) 14: a n+i 2 (l b mod β) 15: b 2 (x < b 1 ) 16: x (x b 1 mod β) 17: if b 2 0 then unlikely, and then b 2 = 1 18: ˆq ˆq 1 only one adjustment step 19: c add_in_place(a + i, d, n 1) 20: x x + d n 1 + c 21: q i ˆq 22: a n 1 x March 13, / 2

How to get an efficient yet verified arbitrary-precision integer library

How to get an efficient yet verified arbitrary-precision integer library Raphaël Rieu-Helft (joint work with Guillaume Melquiond and Claude Marché) TrustInSoft Inria May 28, 2018 1/31 Context, motivation,