Abstraction techniques for Floating-Point Arithmetic

Transcription

1 Abstraction techniques for Floating-Point Arithmetic Angelo Brillout 1, Daniel Kroening 2 and Thomas Wahl 2 1 ETH Zurich, 2 Oxford University ETH Zürich

2 Floating-Point Arithmetic (FPA) Used for embedded and safety critical systems Finite representation of real numbers Rounding Deviation causes unintuitive results Deviation can change control flow Behavior of floating-point programs hard to predict 2

3 Contributions New effective approximation techniques Over- and underapproximation for FPA Bit-precise Precise and sound decision procedure for FPA: Based on CBMC model checking engine SAT solver as the back-end 3

4 Floating-Point Arithmetic (FPA) Numerical representation of a subset of the reals Floating-point format: IEEE-754 standard Triple (s; e; f) stands for the number ( 1) s f 2 e Represented by a bit-vector s e r 1 e 0 f 0 f p 1 Ã! Ã! Ã! 1 r p F p Representable numbers Floating-point operations ª Differ from real arithmetic. E.g.: (a b) c 6= a (b c) 4

5 Floating-Point Arithmetic (FPA) Result of FP-operation not always representable Approximations: bxc p := maxff 2 F p : f xg ; and dxe p := minff 2 F p : f xg : bxc p Rounding function: x dxe p rd p (x) 2 fbxc p ; dxe p g Rounding based on least significant bits of fraction

6 Floating-Point Arithmetic (FPA) Floating-point operations defined as: x } p y := rd p (x ± y) Verification of FPA programs: Naïve method: Bit-vector model of an FPU and bitblasting BMC (Unrolling, Bit-blasting, SAT-solving) Does not scale for FPA 6

7 FPA Verification FPU-Implementation of Add/Sub Align: mantissa shifted, rendering exponents equal Add/Sub: resulting mantissas are added/subtracted Round: shortening mantissa to obtain a number in F p 7

8 FPA Verification FPU-Implementation of Add/Sub Precision Align Add/Sub Round Total p = p = p =

9 FPA Verification FPU-Implementation of Mul/Div Add/Sub: exponents added/subtracted (Mul/Div) Mul/Div: mantissas multiplied/divided (Mul/Div) 9

10 FPA Verification FPU-Implementation of Mul/Div Precision Mul/Div Add/Sub Round Total p = p = p =

11 FPA Verification Need for approximate FP-operations Can we approximate FP-operations by reducing the precision p? 11

12 Approximation techniques Reducing the precision p 0 < p Least significant bits are lost Overapproximation by open rounding: rd p;p 0(X) := [ bxc p 0; dxe p 0 ] \ F p New FP-operations X } p;p 0 Y := rd p;p 0(X ± Y ) Replace } p by } p;p 0 for some precision p 0 < p 12

13 Approximation techniques Overapproximation: visualization rd p;p 0(fxg) = [ bxc p 0; dxe p 0 ] \ F p bxc p 0 dxe p 0 precision p 0 < p x rd p;p 0(fxg) = f ; ; ; ; g 13

14 Approximation techniques Reducing the precision p 0 < p Least significant bits are lost Underapproximation by inhibiting rounding: rd p;p 0(X) := X \ F p 0 New FP-operations X } p;p 0 Y := rd p;p 0(X ± Y ) Replace } p by } p;p 0 for some precision p 0 < p 14

15 Approximation techniques Underapproximation: visualization rd p;p 0(fxg) = fxg \ F p 0 precision p 0 < p x rd p;p 0(fxg) = fxg if x 2 F p 0, ; otherwise 15

16 Alternating abstractions for FPA Over-approximation Permits more execution traces than original program SAT: no conclusion, UNSAT: assertions OK Under-approximation Permits less execution traces than original program SAT: assertion violated, UNSAT: no conclusion Refinement: increase p Alternation yields complete procedure 16

17 Alternating abstractions for FPA Á Select small precision p Á Generate Underapproximation (increase p using ) Á SAT? yes SAT, ass. yes satisfies Á? no (proof P ) yes (ass. ) P valid for Á? UNSAT, proof P no SAT? no Generate Overrapproximation (increase p using P ) Á 17

18 Alternating abstractions for FPA Refinement for FPA: Spuriously SAT: r } p;p 0 r 6= } p result of. If then increase precision Spuriously UNSAT: Recall: rd p;p 0(X) := X \ F p 0 X \ F p 0 If the constraint occurs in, then increase precision P 18

19 Summary Model Checking with FPA Effective over- and underapproximation hard to find Slow (model checking) Fully automatic Provides counterexample Implemented in CBMC 19

20 State of the Art Proof assistants Very powerful Require interaction No counterexample Interval arithmetic Fully automated Too coarse No counterexample [1; 2] + [4; 6] = [5; 8] 20

21 Issues E.g. the formula (a b) c 6= a (b c) is SAT Every overapproximation based on } is SAT } Every underapproximation based on is UNSAT Some formulae do not have effective over- or underapproximations 21

22 Conclusion New algorithm for iteratively approximating complex FPA formulae New under- and over-approximations for FPoperations Ability to generate counterexamples Debugging Automated test-vector generation Promising experiments, future work Thank you! 22