Andrew Santosa Research Fellow Department of Computer Science National University of Singapore Computing 1 #02-15, 13 Computing Drive, Singapore 117417 Republic of Singapore Phone: +65-6516-2792, Mobile: +65-9482-7396 FAX: +65-6779-4580 (Attn: Andrew E. Santosa/RF) E-Mail:

---

Contents

• Brief Bio
• Research
  • Program Reasoning in CLP
  • Declarative Concurrent Programming
  • Selected Other Work
• Liveness is Reachability, and Definitely not Safety
• Weakest Precondition and Pre-Image Demystified (2 Oct. 2009)
• CLP(R) Bag of Tricks
• VNC through SSH Tunneling with PuTTY (Very Old) In case you are on a Windows machine and want to access VNC server on a UNIX machine with only SSH port (typically 22) open.

Brief Bio

I am working towards achieving the goal of industrial production of dependable software. In particular, I am currently working on verification and analysis of programs (in general, anything that can be specified as recursive function or relation, both deterministic (sequential) or nondeterministic (concurrent), even with fairness requirement) by means of symbolic execution, especially using constraint logic programming (CLP). The basic approach is to invent novel non-heuristic techniques for search algorithms. The application area currently being targeted at encompasses the analysis of C source code, verification of real-time systems, and reasoning about omega automata (for which live sequence charts are instances).

I am also tuning in to the developments in programming language technology and software engineering.

In my computer science work, I frequently deal with fixpoint computation. Now, fixpoint computation is founded upon semantics, and therefore we need to look up the dictionary, say, the Oxford English dictionary, where you can find recursive definitions, such as:

• lustre (n) a gentle sheen or soft glow.
• sheen (n) a soft lustre on a surface.

My degrees are Doctor of Philosophy (Computer Science, National University of Singapore, Singapore, 2008), Master of Engineering (Graduate School of Information Systems, University of Electro-Communications (UEC), Tokyo, Japan, 1999), Bachelor of Engineering (Computer Science and Information Mathematics, UEC, Tokyo, Japan, 1997).

Research

Here are some of the fruits of research projects led by Professor Joxan Jaffar and with the collaboration of Dr. Razvan Voicu in which I am a member. It resulted in my PhD thesis mentioned below.

• J. Jaffar, A. E. Santosa. Recursive Abstractions for Parameterized Systems. In A. Cavalcanti and D. Dams Eds. FM 2009: Formal Methods, Second World Congress, Eindhoven, The Netherlands, November 2009, Proceedings. pp. 72-88, LNCS 5850, Springer, 2009. DOI Talk slides
• J. Jaffar, A. E. Santosa, and R. Voicu. An Interpolation Method for CLP Traversal. In I. P. Gent, ed. Principles and Practice of Constraint Programming - CP 2009. 15th International Conference, CP 2009, Lisbon, Portugal, September 2009, Proceedings. pp. 454-469, LNCS 5732, Springer, 2009. DOI Talk slides
• J. Jaffar, A. E. Santosa, and R. Voicu. A Coinduction Rule for Entailment of Recursively-Defined Properties. In P. J. Stuckey, ed. Constraint Programming: Proceedings of the 14th International Conference on Principles and Practice of Constraint Programming, Sydney, Australia, 14-18 September 2008. pp. 493-508, LNCS 5202, Springer, 2008. DOI Slides PDF

  Oct. 2008 First Automatic Prover! The above paper presents an idea of an automated inductive prover of recursive assertions based on search. The paper did not discuss an implementation, but as a proof of concept we have worked on a runnable prototype given here. The engine is the CLP(R) program datastruct.clpr. A sample problem is encoded in the file idempotent.clpr, which specifies the function idempotence proof problem presented in the paper. For the constraint solving part, the above engine provides solving using congruence closure and simple arithmetic sanity test to check that there are no different numeric constants in the same equivalence class. This solver is enough for the proof of the above problem. The constraint solving is implemented as a separate predicate constraintproof_aux, which is independent of the unfolding part, such that variety of solvers can be accommodated in the future. We are especially aiming for application in data structure verification, for which solver for the array theory would be needed. To run, put both CLP(R) files in the same directory, and execute CLP(R) with clpr idempotent.clpr. Then at the CLP(R) prompt, say run. When the program stops for input, simply press Ctrl-D to continue. The resulting messages would not be easily comprehensible, but it shows that the engine searches for, and finds the proof that is presented in the paper. Followings are some complete examples of manual data structure property proofs using our proof method: List reset (my thesis advisor Joxan Jaffar's original example) List reverse (from Reynold's LICS '02 paper on separation logic) Binary search tree insertion AVL tree (from a paper by Rugina) Errata The algorithm on the paper requires some amendments, assuming the top-level bullets are executed in order. Memoization has to be done after the left unfold has been decided. That is, "Memoize (G|=H) as an assumption" should be indented, right after "case: Left: (LU+I)" and before "choose and atom ..." There should be another bullet after, and at a similar level with "Unfold:" to handle the case when none of the proof steps are applicable. In this case, the statement should just be "return false." And therefore "otherwise return false" should be removed from within the paragraph for "Constraint Proof," since although constraint proof fails, other proofs may succeed.

• J. Jaffar, A. E. Santosa, and R. Voicu. Efficient Memoization for Dynamic Programming with Ad-Hoc Constraints. In the Proceedings of AAAI '08. Pages 297-303. PDF copyrighted by AAAI. Follow this link to obtain AAAI '08 proceedings. Also available are the talk slides at AAAI '08. Better slides are from my CS Seminar talk at NUS, 26 September 2008.

  This paper details the summarization technique presented in the thesis, with emphasis on the use of Craig interpolants to solve resource-constrained shortest path (RCSP) problems more efficiently. Notes We expect that memoing more solutions would enhance reusability such that the number of nodes traversed decreases as k increases, however, in the experiments reported in Table 1 where DP+I, with k=1 column is sometimes better than k=2. This can be explained as follows: Look at the picture to the left, which illustrates a hypothetical search tree. The search is done in depth-first manner left-to-right. The horizontal arrows represent potential subsumption of nodes in the search tree, where both the graph vertices are the same, and the resource consumption of the potentially subsumed node implies the resource consumption of the potentially subsuming node. When k=1, the algorithm only stores 1st optimal in the constraint store (represented with thick solid lines). In this case, A' is not subsumed by A due to having different optimal than A (that is, A's second optimal). In the subtree of A', B' is visited. Here, B' is not subsumed by B, due to again, having different optimal than B' (B's 3rd optimal). In another part of the search tree, B'' is subsumed by B' by inheriting the optimal. When k=2, the algorithm stores both 1st and 2nd optimal. Here. A' is subsumed by A, since the 2nd optimal of A is the best solution of A'. However, we no longer visit B' and therefore it is no longer tabled. B'' now can no longer be subsumed by the memo table (also since B only stores 1st and 2nd, but not 3rd optimal). The algorithm then expands the potentially large subtree of B''. The story does not end here: If B'' has a context that is equivalent to B', then we can expect that the tree size stays the same or even less due to more successful memoing within subtree of B'' with k=2 than the same within subtree of B' with k=1. However, B'' can have a strictly less solutions than B', and the algorithm's efficiency is also dependent on how early/late we discover nodes with general context, where the earlier the smaller the resulting search tree. Errata On Page 3, third paragraph of "The Basic Idea" section, the first sentence which reads "In order to reuse the solution of (α) at (β), we also require that the context upon reaching (β) be subsumed by the generalized context inferred for (α)," should instead read: "In order to reuse the solution of (α) at (β), we also require that the recorded optimal solution of (α) be applicable for (β)." In the third paragraph of "The Algorithm" section, R ≤ 10 must be R' ≤ 10, as in the given example. Initial state trivially satisfies the constraint.

• A. E. Santosa. A Framework for Program Reasoning Based on Constraint Traces. PhD Thesis. National University of Singapore, 2008. Download PDF version of the thesis or my thesis defense slides of which a shorter version has been presented at USI-CMU 2007 Lugano Summer School on Dependable Computer Systems.

  Short Abstract. We propose a CLP-based framework that accommodates both program analysis and program verification approaches. Our framework is centered on a general verification condition computation algorithm which performs abstraction selectively. This allows for compositionality and simpler yet accurate abstraction than abstract interpretation. The algorithm is optimized between the abstraction points using a proof summarization technique. The formal foundations include modeling of programs and high-level specifications in CLP, assertions to specify traditional safety which includes recursive data structure properties, as well as structural properties (e.g., symmetry), and a proof method and techniques for proving the assertions. Our framework handles traditional safety proof, data structure verification which precision is helped by selective abstraction, and reductions using symmetry or other structural properties which can handle more cases than existing approaches. We discuss implementations of variants of our general algorithm in CLP(R) and provide their running results. Errata On Page 127, "Hence a finite refutation of length k implies a corresponding k left unfold LU applications that result in contradiction," should read "Hence a finite refutation of length k implies a corresponding k left unfold (LU) applications that result in contradiction." On Page 127, "G |= H has a finite refutation of length k if and only if ..." should be "G |= H has a finite refutation of length k only if ..." On Page 127, right below point 2, "... G |= H holds if Ai holds for all 1<=i<=n hold ..." should read "... G |= H holds if Ai holds for all 1<=i<=n ..." On Page 129, last sentence of Section 5.7.2. The sentence should read "We provide a detailed comparison to Mesnard et al.'s proof method in Section 5.10.1." (without "of the appendix"). Notes. Some clarification on the finite refutation of length k in the correctness proof (Section 5.7.1). An assertion G |= H has a finite refutation of length k, for some k, if and only if lm(Gamma) does not imply (G |= H), which implies that Tup k does not imply G |= H (hence the errata no. 2 above). The existence of finite refutation here does not mean that we can compute the refutation. This is because in some cases, refutation can only be found at the limit. For example, assume the program P: odd(1). odd(X+2) :- odd(X). even(0). even(X+2) :- even(X). One of the proof obligations obtained after performing left unfold (LU) to odd(X) |= even(X) is true |= even(1). Using our proof method, we cannot refute this last assertion, but at the limit, the assertion is not true, that is, lm(P) does not imply odd(X) |= even(X).

• J. Jaffar, A. E. Santosa, and R. Voicu. Relative Safety. VMCAI 2006. PDF Talk slides PDF

  Notes. Coinduction in what sense? In this paper, in the thesis above, and in our RTSS '04 paper, we have categorized our inductive proof method as coinductive and the induction that we used to be coinduction. Our proof method is coinduction in the sense that a path in the proof tree ends when we encounter a cycle. When our proof method concludes a proof, it is because the proof tree is regular, that is, there is no infinite path with unique assertion at each node (such that it is rational, which means that it has a finite representation). This is typical of coinduction proof. For the discussion below, a useful reference would be Park's 1969 paper Fixpoint induction and proof of program properties, which appeared in Machine Intelligence 5, Edinburgh University Press, 1969. Typically, a coinduction/greatest fixpoint-based proof is used to prove that A is included in B by restricting B into B' (= T^-1(B) for the given monotonic operator T --- since T is monotonic, necessarily B' => B, and T^-1 is also monotonic), until a fixpoint is reached, and demonstrate that A is undeniably in the fixpoint. That is, (A => T(B')) => (A => B') ------------------------- A => gfp(T) This can be derived from the simpler form of greatest (maximal) fixpoint induction which can be inferred from Park's article mentioned above, as follows: B => T^-1(B) ------------- B => gfp(T) On an assertion A (of the form G |= H), we apply any of our proof rules resulting in a set of assertions. For example, using the left unfold LU rule we obtain a set of assertions, each is the result of unfold using a particular CLP clause. This set represents a conjunction of these assertions. Using the right unfold RU rule, we obtain a set containing a single new obligation that replaces the original. Using all applicable rules other than AP we obtain a disjunction of conjunctions of assertions. Each of the disjunct implies the original assertion A, and hence the disjunction implies the original assertion A. Therefore the parallel application our proof rules represents a monotonic operator c* (T^-1 in the above), and its inverse monotonic operator c (T in the above). Our proof method advocates a search strategy to find "inconsistency." Formally, an assertion A is inconsistent, iff, given a program P, lm(P) does not imply A. Our proof method establishes lm(P) => A by coinduction. First, we transform A into a number of conjunctions assertions S1 ... Sn. Now since our proof rules (without AP) represent a monotonic operator, maximal fixpoint induction (a.k.a. coinduction applies). With the application of AP rule, we establish (lm(P) => A) => (lm(P) => (S1 \/ ... \/ Sn)) That is, assuming G |= H "holds" (formally, lm(P) => (G |= H)), we prove that its descendants also hold, and by maximal fixpoint induction rule we can therefore establish that lm(P) => gfp(c). Note that this discussion by no means establishes the soundness of our proof method. First, it simply says that concluding a proof using our proof method is equivalent to an inability to find inconsistency. Second, it also demonstrates the "coinductive" view of our proof method. For the soundness proof, page visitors may refer to the thesis above.

• J. Jaffar, A. E. Santosa, and R. Voicu. A CLP Method for Compositional and Intemittent Predicate Abstraction. VMCAI 2006. PDF

• Modeling Systems in CLP slides presented at ICLP '05 with a poster. Here is some notes to it.

  Errata. Unfolding does not corresponds to weakest precondition (what I have in mind here is the weakest liberal precondition of E. W. Dijkstra: A Discipline of Programming, that is, Dijkstra's weakest precondition without the requirement for termination). It is either strongest postcondition of a transition, or the strongest postcondition of its inverse (pre-image), depending on how program transitions are modeled as CLP clauses. See my writeup Weakest Precondition and Pre-Image Demystified.

• J. Jaffar, A. E. Santosa, and R. Voicu. A CLP Proof Method for Timed Automata. RTSS 2004. PDF

  An improved version of the the prototype CLP(R) timed safety automata verifier implementation that we used in the paper is contained in this file. Also included sample bridge crossing, cafe (thanks to Dong Jinsong), dining philosophers, and Fischer's algorithm. To run, first have CLP(R) properly installed in your system, then do: % clpr bridge3.clpr CLP(R) Version 1.2a (c) Copyright International Business Machines Corporation 1989 (1991, 1992) All Rights Reserved ... 1 ?- run(0). Time 0.01 seconds, Unsubsumed 22 nodes, Tried 33 nodes *** Yes 2 ?- To say, run the 3-process bridge crossing problem. Symmetry reduction can be turned on/off by defining have_symmetry(1) or have_symmetry(0) in the source file. Specific files in the zip are as follows: bridge3.clpr 3-process bridge crossing cafe.clpr work-cafe example diners3.clpr 3-persons dining philosophers fischer2.clpr 2-process Fischer's algorithm u28b.clpr the verifier engine

Declarative Concurrent Programming

This work is the result of my collaboration with Professor Rafael Ramirez of Universitat Pompeu Fabra.

• R. Ramirez and A. E. Santosa. Concurrent Programming Made Easy. ICECCS 2000. PDF

• A. E. Santosa and Y. Kawata and M. Maekawa. A Solution to Inheritance Anomaly Based on Reusable Behavior Definitions In PDCS '98. PDF

  Some of my earlier ideas on inheritance anomaly problem in concurrent object-oriented programming languages, put here due to its relation with declarative concurrent programming. I consider inheritance anomaly problem to be solved not by me, but by Crnogorac, Rao and Ramamohanarao in Classifying Inheritance Mechanism in Concurrent Object-Oriented Programming, ECOOP '98, demonstrating the power of solid mathematics to scaffold ideas.

Selected Other Work

• K. Q. Zhu and A. E. Santosa. A Meeting Scheduling System Based on Open Constraint Programming. CAiSE 2002. PDF

• A. E. Santosa: Fast mutual exclusion algorithms: The MPI implementation. 23 October 2000. This is a short survey on fast mutual exclusion algorithms (algorithms with O(1) without contention), either with or without special instructions. MPI implementations included. PDF

Liveness is Reachability, and Definitely not Safety

(Under Construction)

• The Tao of debugging using printf. In the current version, CLP(R) only has rudimentary debugging support using codegen_debug, and spy, trace. These, however, are difficult to use: they tend to produce huge call traces that are difficult to analyze.

  When a programmer suspects that a call to a predicate, say, p(X,Y,Z) does not behave correctly, an easy way to check input-output behavior is to first identify the input variables of the predicate. If uncertain, only pick as input variables conservatively (only those you are certain to be input variables). Suppose that in the call p(X,Y,Z), we know that X and Y are input. Now, before the call, add a printf and a read, resulting in:

  printf("p(%, %, Z)\n", [X, Y]),
  read(_),
  p(X, Y, Z),
  

  instead of the original call. In this way, when it is about to execute the call, the program would first print, say, p(1, [2,3], Z) on the terminal and waits for standard input. Here, the programmer can input something (say x.) on the standard input to continue to the next breakpoint. More importantly, the programmer terminate the program (by Ctrl-C), then copy the output p(1, [2,3], Z) to CLP(R)'s prompt, and execute it in isolation to observe the behavior.

  Software engineering wise, this allows rapid writing of CLP(R) programs to be debugged later. I need to do more programming myself to confirm that the technique is actually effective for rapid production of CLP(R) programs.

• How to negate constraints. Sometimes negating constraints on a set of variables is necessary, for instance, when proving implication problems dynamically generated during program run (implication of A => B holds iff A and not B is unsatisfiable).

  Suppose that we want to prove X > 2 => X > 0. To negate X > 0, we use the following procedure:

  p(X, X1) :-
      dump([X1], [Y], L), test_cnf(L, X, Y).
  
  test_cnf(L,X,Y) :- negate_cnf(L), X=Y, !, fail.
  test_cnf(L,X,Y).
  
  negate_cnf([]).
  negate_cnf([C|_]) :- negate_constraint(C).
  negate_cnf([_|R]) :- negate_cnf(R).
  
  negate_constraint(quote(A > B)) :- expreval(A), expreval(B), A <= B.
  ...
  
  expreval(X) :- var(A).
  expreval(X) :- atomic(A).
  ...
  expreval(quote(A + B)) :- A + B.
  ...
  

  The main point here is the use of dump/3 to produce the quoted form of the constraint at hand, which we can then negate.

  To prove the implication X > 2 => X > 0, we run

  :- X > 2, X1 > 0, p(X, X1).
  

• Quick tabling. Some technique to implement tabled CLP quickly using assert/rectract. Suppose that we have the predicate p/1 defined as follows:

  p(X) :- X=Y+2, p(Y).
  p(0).
  

  Here we just want to know if there is a solution to the query

  :- p(X).
  

  Obviously there is an answer to the query, but SLD does not terminate on this query, due to the standard top-to-bottom clause selection rule. The way we implement tabling here is closely related to the proof of implication we have given in the previous section. Here a query is tabled if there exists another query previously executed that subsumes the current query. Sumsumption here means logical implication. Some tabling mechanism uses variance instead of subsumption (see e.g. in T Swift, A New Formulation of Tabled Resolution with Delay, EPIA '99, LNCS 1695, Springer, 1999), which requires similarity up to renaming, and which is logically stronger than subsumption but perhaps easier to compute.

  Let us now add a few things to our program, which now looks like:

  :- dynamic(p_t,1).
  
  p(X) :- check(X), X=Y+2, p(Y).
  p(0).
  
  check(X) :- not p_t(X), !, fail.
  check(X) :- dump([X],[Y],L), negate_cnf(L), assert(p_t(Y)), fail.
  check(X).
  
  negate_cnf([]).
  negate_cnf([C|_]) :- negate_constraint(C).
  negate_cnf([_|R]) :- negate_cnf(R).
  
  negate_constraint(quote(A=B)) :- expreval(A), expreval(B), AB.
  negate_constraint(quote(A=B.
  negate_constraint(quote(A>B)) :- expreval(A), expreval(B), A<=B.
  ...
  

  After executing :- p(X), the check/1 will be tested to see if p(X) is already called, if not, p_t(X) is tabled and the query :- X=Y+2, p(Y) is then executed. Notice that this query is logically subsumed by ancestor query p(X). Since both impose no constraint on their arguments. When executing the child query, the CLP(R) will discover that p(X) has been called and fails the first clause, branch, which then makes the second clause p(0). be executed resulting in answer X=2.

  Now a little discussion on how this tabling differs from SLG. SLG is capable of returning all answers of a query since it records all answers to a query. The tabling technique described here only reports some answer. However, if there is some answer, at least one answer will be returned. This kind of tabling is useful for implementing existential query systems, e.g. verification or analysis tools (is there a violation of safety property?).

  This tabling technique can be used to construct a reachability checker, among others. The following is a reachability checker for proving mutual exclusion of Bakery algorithm that uses the technique described here.

  bakery.clpr

• Integer solutions. Given a number of satisfiable inequalites, this program returns an integer solution, if any. Otherwise it fails. The program generates all integer solutions on retrial.

  Sample usage:

  1 ?- X + 2 * Y <= 7, 2*X - Y<=3, X>=0, Y>=0, intsoln([X,Y]).
  
  X=2
  Y=2
  
  *** Retry?