OOPSLA'22
Basile Clément Inria & ENS, France
Albert Cohen Google, France
Is the one below a refinement (instantiation) of the one above?
Proof obligations:
1 and 2 are checked by an affine solver, and 3 is checked by a general SMT solver.
Challenge for obligation 3: recurrences in loops (an iteration may depend on previous iterations).
Key insight: scheduling compiler could generate prophetic expressions.
The prophetic expression lives in the specification world and predicts, in terms of tensors, the value that will be written by the assignment.
This reduces our problem to translation validation between specifications and prophetic versions of implementations, both expressed over tensors.
SARE is a set of equations
For recurrence indices, the dimensions of tensors are extended as follows.
Ex: matrix multiplication
Ex: D(i, 2k) += D(i, k)
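As an added illustration (not code from the paper or the authors) of the two points above: the reduction index k of matrix multiplication becomes an extra tensor dimension in the specification, and the value written by every imperative `+=` step is compared against the prophetic expression the specification predicts for it. The function and variable names are assumptions of this example.

```python
# Added illustration (not the paper's code): the reduction loop of matrix
# multiplication viewed as a recurrence with the reduction index k made explicit
# as an extra tensor dimension, and each imperative update checked against the
# "prophetic" value the specification predicts for it.

def spec_recurrence(A, B):
    """Specification view: C[i][j][k] is the partial sum after k reduction steps.
    C[i][j][0] = 0 and C[i][j][k+1] = C[i][j][k] + A[i][k] * B[k][j]."""
    n, m = len(A), len(A[0])        # A is n x m
    p = len(B[0])                   # B is m x p
    C = [[[0] * (m + 1) for _ in range(p)] for _ in range(n)]
    for i in range(n):
        for j in range(p):
            for k in range(m):
                C[i][j][k + 1] = C[i][j][k] + A[i][k] * B[k][j]
    return C

def validate_impl(A, B):
    """Imperative accumulation c[i][j] += A[i][k] * B[k][j], where the value
    written by every assignment is compared with the prophetic expression
    C[i][j][k+1] of the specification.  Returns (c, obligations); each
    obligation records (i, j, k, written, predicted, holds)."""
    C = spec_recurrence(A, B)
    n, m, p = len(A), len(A[0]), len(B[0])
    c = [[0] * p for _ in range(n)]
    obligations = []
    for i in range(n):
        for j in range(p):
            for k in range(m):
                c[i][j] += A[i][k] * B[k][j]      # the update being validated
                predicted = C[i][j][k + 1]        # prophetic expression
                obligations.append(
                    (i, j, k, c[i][j], predicted, c[i][j] == predicted))
    return c, obligations

def all_hold(obligations):
    """True when every per-assignment proof obligation is satisfied."""
    return all(o[-1] for o in obligations)

# Constructed sample input (2x2 matrices).
A_SAMPLE = [[1, 2], [3, 4]]
B_SAMPLE = [[5, 6], [7, 8]]
```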
An annotated imperative language as the target language.
Why update semantics?
1. It's easy to symbolize accumulated updates for sequential loops.
2. A lightweight way to capture semantics of parallel loops. (No data race)
Two entries are collected:
C is a symbolic set of equalities with affine quantification. It collects the prophetic equalities from assignments as verification conditions (VCs).
(S-SeqLoop) requires an inductive check for each possible iteration.
(S-Assign) checks that accesses are in bounds and that the rhs expression is defined, and collects VCs and reads.
A symbolic heap is a finite union of symbolic chunks.
Benchmarks from Halide repository:
Compared to the unannotated version.
Results:
Considering mathematical integers and reals as base types omits:
Assuming that an affine specification results in an affine implementation, which is generally not true. For example, to calculate C = aA + bB, an optimized implementation usually checks whether a = 0 and then ignores aA.
It will be more believable to produce mechanized formal correctness proofs in a proof assistant like Coq.