Reasoning about Relaxed Programs

Approximate program transformations such as task skipping [27, 28], loop perforation [20, 21, 32], multiple selectable implementations [3, 4, 15], approximate function memoization [10], and approximate data types [31] produce programs that can execute at a variety of points in an underlying performance versus accuracy tradeoff space. Namely, these transformed programs trade accuracy of their results for increased performance by dynamically and nondeterministically modifying variables that control their execution. We call such transformed programs relaxed programs — they have been extended with additional nondeterminism to relax their semantics and enable greater flexibility in their execution. We present programming language constructs for developing and specifying relaxed programs. We also present proof rules for reasoning about properties of relaxed programs. Our proof rules enable programmers to directly specify and verify acceptability properties that characterize the desired correctness relationships between the values of variables in a program’s original semantics (before the transformation) and its relaxed semantics. Our proof rules also support the verification of safety properties (which characterize desirable properties involving values in only the current execution). The rules are designed to support a reasoning approach in which the majority of the reasoning effort uses the original semantics. This effort is then reused to establish the desired properties of the program under the relaxed semantics. We have formalized the dynamic semantics of our target programming language and the proof rules in Coq, and verified that the proof rules are sound with respect to the dynamic semantics. Our Coq implementation enables developers to obtain fully machine checked verifications of their relaxed programs.