Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors

Size: px

Start display at page:

Download "Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors"

Walter Wilkerson
5 years ago
Views:

1 ESOP 2004 Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors Antoine Miné École Normale Supérieure Paris FRANCE This work was partially supported by the ASTRÉE RNTL project

2 Introduction Faults in critical embedded software can cause human and financial cost! Example Ariane 5 launcher failure in June The first property one would expect is: absence of run-time error. Floating-Point Nowadays, embedded software use floating-point numbers instead of fixed-point. Floating-point numbers are complex, not always understood by programmers. Floating-point numbers are wrongly mistaken for perfect real numbers R. = it introduces new classes of run-time errors! What This Talk is About: static detection of floating-point run-time errors We want to be sound and efficient, and as precise as possible. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 1/22

3 A Few Words on Floating-Point Arithmetics

4 Floating-Point Numbers We consider the IEEE norm because: it is widely implemented in today s hardware (Intel, Motorola); it is supported by the C language (and many others). 32-bit single precision float numbers F Sign Exponent e Fraction b s e 8 e 1 b 1 b 23 The set F of float is composed of: normalized numbers: ( 1) s 2 e b 1 b 23 (1 e 254); But also: denormalized numbers: ( 1) s b 1 b 23 (e = 0, b 0) zeros: +0 and 0 (if e = 0, b = 0); infinities: + and (if e = 255, b = 0); error codes: NaN (if e = 255, b 0). Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 2/22

5 Floating-Point Computations Floating-Point Expressions E V = {V 1,..., V n } is a finite set of variables. E :== V i variable V i V c constant in F E 1 E 2 binary operator {,,, } E opposite Floating-Point Arithmetics Floating-point computation differs from real arithmetics +,,, /: rounding to a representable float occurs; large numbers, division by 0 generate + or (overflow); small numbers round to +0 or 0 (underflow); invalid operations (0/0,(+ ) + ( ), etc.) generate NaN. Several types of rounding: towards +,, 0 or to nearest. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 3/22

6 Our Floating-Point Semantics We consider programs that use F as approximated reals: rounding and underflow are benign; overflow and invalid operations result in a run-time error Ω; error-free computation live in F F R, assimilated to a finite part of R. Expression Semantics Let ρ (V F ) be a concrete environment. Let e E be a floating-point expression. e evaluated in ρ is denoted by: e (ρ) F {Ω} e (ρ) can be defined by structural induction on e Problem Formalization We wish to know if Ω can be computed by the program. This is a reachability problem. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 4/22

7 Abstract Interpretation

8 Abstract Reachability Problem: our space state is finite but huge! Solution: we use the Abstract Interpretation framework [Cousot 77]. An abstract domain is defined by: a computer-representable set D that represent elements of P(V F ); sound abstract counterparts in D of all semantics building blocks: assignments: V i e, e E; tests: e 0?, e E; control-flow joins. We perform reachability analysis in D instead of P(V F ). By construction, it computes an over-approximation of the set of concrete reachable states. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 5/22

9 Already Existing Abstract Domains Classical abstract domains abstract P(V Z) or P(V Q). Intervals Polyhedra Octagons [Cousot 76] [Cousot Halbwachs 78] [Miné 01] Vi [ci; di] i α ivi βi ±Vi ± Vj c Problem: how to adapt them to P(V F )? Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 6/22

10 Interval Domain Adapted to Floating-Point Classical Interval Domain d D associates to each variable an upper and a lower bound; Using interval arithmetics +,,, /, we can define the abstract value e (d ) of an expression in an environment d D. e.g. [a; b]+ [a ; b ] def = [a+a ; b+b ] Abstract assignments and tests are derived from e. Adaptation to Floating-Point Numbers [Goubault 01] Adapting the interval domain to P(V F ) is easy. d now associates to each variable an upper and a lower bound in F. When performing interval arithmetics,,,, we round lower bounds toward and upper bounds toward +. { e.g. [a; b] [a ; b ] = def [a a ; b + b ] if a a Ω and b + b Ω Ω otherwise The interval domain is fast but not very precise. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 7/22

11 Where Intervals Fail Rate Limiter RLim (in X, in D, out Y) { static S=Y; (last output) R=X S; (actual rate) Y=X; if (R D) Y=S D; (upper clamp) if (R D) Y=S D; (lower clamp) } X RLim D Y We suppose that: the main entry X stays in [ 128; 128]; the rate maximum D stays in [0; 16]. The interval domain finds that, after n calls to RLim, Y [ n; n]. Actually, Y [ 128; 128] independently from n and there is no overflow! To prove this, one would have to be able to: represent the relational invariants R = X S and R D; combine them to deduce X S D, so Y = S D X. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 8/22

12 Difficulties in Adapting Relational Domains Relational domains cannot manipulate invariants expressed in (F,,,, ). They use properties of Q not true in floating-point arithmetics! e.g. X + Y c Z Y d = X + Z c + d (Octagon propagation) X Y c Z Y d X Z c d = invariant semantics will be expressed using Q,+,,,/. Transfer functions accept linear expressions: α 0 + i α iv i, α i Q. e is not linear due to rounding! = we introduce a new linearization technique Arbitrary precision rationals traditionally used in domain implementation are costly. We wish to use floating-point arithmetics internally to trade precision for efficiency. = such algorithms will be presented for the Octagon domain Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 9/22

13 Linearization

14 Interval Linear Forms Interval Linear Forms We introduce Interval Linear Forms l L: symbolic expressions of the form l = [a; b] + i [a i; b i ] V i where the program variables V i are free variables. Benefits of This Representation Each l L can be viewed as a function concrete environment real interval. l is defined using only operators on real intervals +,, no rounding is used. Interval coefficient can describe non-deterministic relative and absolute errors. L is a linear space; it is stable by: addition multiplication by a constant substraction division by a constant = we will abstract e as an interval linear form Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 10/22

15 Computations on Interval Linear Forms Internal Representation For efficiency purposes we wish to: use floating-point numbers to represent all bounds a, b, a i, b i ; (maybe another floating-point format than the analyzed expression... ) manipulate interval linear forms using only floating-point computations. Approximated Linear Operators Floating-point interval arithmetics round lower bounds toward and upper bounds toward +. Thus,,,, over-approximate real interval arithmetics. We use this to efficiently over-approximate,, and as,, and. e.g. ([a; b] + i [a i; b i ] V i ) ([a ; b ] + i [a i ; b i ] V i) def = { ([a; b] [a ; b ]) + i ([a i; b i ] [a i ; b i ]) V i if no Ω occurs Ω if an interval evaluates to Ω Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 11/22

16 Computations on Interval Linear Forms Rounding Errors on Linear Forms The magnitude of rounding errors is the maximum of: a relative error ε of amplitude 2 23, expressed as a linear form: ε([a; b] + i [a i; b i ] V i ) (normalized numbers) def = max( a, b ) [ 2 23 ; 2 23 ]+ i (max( a i, b i ) [ 2 23 ; 2 23 ]) V i and an absolute error ω def = [ ; ] (denormalized numbers). We sum these two causes of rounding.! Non-Linear Behaviors We can always abstract further an interval linear form to a plain interval. ι(l, d ) flattens a linear form l into an interval, given an interval environment d : ι([a; b] + i [a i; b i ] V i, d ) def = [a; b] ( i [a i; b i ] d (V i )) (any summation order for is sound!) Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 12/22

17 From Expressions to Interval Linear Forms Given an interval abstract environment d, we abstract expressions as an interval linear form by structural induction: l(e 1 e 2, d ) l(e 1 e 2, d ) l([a; b] e 2, d ) l(e 1 [a; b], d ) l(e 1 e 2, d ) l(e 1 [a; b], d ) l(e 1 e 2, d ) l( e, d ) def = l(e 1, d ) l(e 2, d ) ε(e 1 ) ε(e 2 ) ω def = l(e 1, d ) l(e 2, d ) ε(e 1 ) ε(e 2 ) ω def = ([a; b] l(e 2, d )) ([a; b] ε(e 2 )) ω def = l([a; b] e 1, d ) def = l(ι(e 1, d ) e 2, d ) def = (l(e 1, d ) [a; b]) (ε(e 1 ) [a; b]) ω def = l(e 1 ι(e 2, d )) def = l(e, d ) Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 13/22

18 Main Theorem Theorem soundness of l(e, d ) Let d be an interval abstract environment If e (d ) Ω and l(e, d ) Ω then ρ satisfying d, e (ρ) l(e, d )(ρ) One of the following may happen: e (d ) = Ω: there is a potential RTE and l(e, d ) is not sound. e (d ) Ω, l(e, d ) = Ω: there is no RTE, due to over-approximation in F the linearization fails! e (d ) Ω, l(e, d ) Ω: there is no RTE and we can use l(e, d ). Linearization must work in tandem with the interval domain because: run-time errors are detected using solely the interval domain; interval information is used when computing l(e, d ); when the linearization fails, we must fallback to classical interval analysis. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 14/22

19 Applications of Linearization Improving the Interval Domain Linearization performs simplification. We can replace e (d ) by e (d ) ι(l(e, d ), d ). e.g. l(x (0.25 X), d ) = [0.749 ; ]X [ 1; 1]. when X [ 1; 1], we get [ ; ] instead of [ 1.25 ; 1.25 ] Enabling Relational Analysis To perform relational analysis, we simply need a relational domain that: abstracts P(V F ) as invariants expressed using real arithmetics; has transfer functions for interval linear forms: assignments: V i [a; b] + i [a i; b i ] V i Examples: tests: [a; b] + i [a i; b i ] V i 0? we present next an application to the octagon abstract domain; [Feret 2004] presents an analysis of digital filters. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 15/22

20 Floating-Point Octagons

21 Floating-Point Octagons Classical Octagons: sets of constraints of the form ±V i ± V j c, c Q. Memory Representation [Miné 2001] use a matrix of upper-bounds, in Q {+ }. For each V i, V j V, α, β {1; 1}, we store an upper bound for αv i + βv j Closure Algorithm It propagates and combines all constraints using O( V 3 ) local transformations: (αv i + βv j c) ( βv j + γv k d) = αv i + γv k c + d (αv i + αv i c) (βv j + βv j d) = αv i + βv j (c + d) / 2 Using Floating-Point Bounds Because bounds may be large, we use F {+ } instead of Q {+ }. Soundness of the closure is ensured by rounding bounds towards +. e.g. αv i + βv j c βv j + γv k d = αv i + γv k c + d Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 16/22

22 Interval Linear Transfer Functions Assignment: V j l We replace all constraints about V j by the constraints, V k V j : Test: l 0? V j V k max(ι(l V k, d )) V j + V k max(ι(l V k, d )) V k V j max(ι(v k l, d )) V j V k max(ι( l V k, d )) V j + V j 2 max(ι(l, d )) V j V j 2 max(ι( l, d )) For each V i, V j that appears in l, V i V j we add the constraints: V j V i max(ι(l V j V i, d )) V j + V i max(ι(l V j V i, d )) V j + V i max(ι(l V j V i, d )) V j V i max(ι(l V j V i, d )) V j + V j 2 max(ι(l V j, d )) V j V j 2 max(ι(l V j, d )) We only use interval information d on the right part of inferred constraints. These are not optimal, but give a good time / precision tradeoff. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 17/22

23 Example Revisited Rate Limiter Revisited RLim (in X, in D, out Y) { static S=Y; (last output) R=X S; (actual rate) Y=X; if (R D) Y=S D; (upper clamp) if (R D) Y=S D; (lower clamp) } Where X stays in [ 128; 128] and D in [0; 16]. X RLim D Y The octagon domain is not able to represent exactly R = X S. Nevertheless, it can prove that Y [ 136; 136] independently from n. This is not optimal (Y [ 128; 128]) but it is sufficient to prove that there is no overflow. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 18/22

24 Widenings The analysis of loops requires the computation of a post-fixpoint. Plain iterations converge (our domains are finite) but slowly. We use widenings [Cousot 77] to accelerate the convergence. Staged Widening on the Octagon Domain Let T F be a set of threshold steps. An octagon widening operates point-wise on two matrices m, n of upper-bounds: { def mij if m [m n] ij = ij n ij min{ t T {+ } t n ij } otherwise enlarges unstable bounds to the next step in T. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 19/22

25 Losses of Precision In this work, we made several abstraction choices that incur a loss of precision: the interval linear forms: treat rounding non-deterministically; the octagon abstract domain: limits invariant expressivity; the octagon transfer functions: not optimal; the octagon staged widening: approximates fixpoints. Orthogonally, we chose an implementation using floating-point arithmetics: due to rounding, each abstract computation incurs an extra loss of precision. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 20/22

26 Application

27 Experimental Results ASTRÉE Prototype [Blanchet et al. 2003] OCaml prototype, started in See us at Real-World Example primary flight control software of the Airbus A340 fly-by-wire system, 132, 000-line reactive C program, 10, 000 global variables, 5, 000 of which are 32-bit floating-point, one very large loop executed times. Results, on a 1.6 GHz Intel Centrino domains nb. of nb. of linearize octagons filters time iterations memory alarms (1) 3257 s MB 1785 (2) 2667 s MB 1466 (3) 3010 s MB 1371 (4) 7746 s MB 248 (5) 4363 s MB 0 Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 21/22

28 Conclusion Summary In this work we: proposed a sound and efficient,generic framework to design relational abstract domains on floating-point numbers; fully instantiated the framework to the octagon domain; (it could be instanciated to other domains, such as polyhedra) successfully applied it to the RTE analysis of a real-life application. Relational Abstract Domains for the Detection of Floating-Point RTE Antoine Miné 22/22

Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors

Relational Abstract Domains for the Detection of Floating-Point Run-Time Errors Antoine Miné To cite this version: Antoine Miné. Relational Abstract Domains for the Detection of Floating-Point Run-Time