Formal Verification of Floating-Point programs

Similar documents
Formal Verification of Floating-Point Programs

A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers

How to Compute the Area of a Triangle: a Formal Revisit

Combining Coq and Gappa for Certifying FP Programs

Formal Verification of a Floating-Point Elementary Function

Why. an intermediate language for deductive program verification

Numerical Computations and Formal Methods

A Parameterized Floating-Point Formalizaton in HOL Light

A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers

A Formally-Proved Algorithm to Compute the Correct Average of Decimal Floating-Point Numbers

When double rounding is odd

Combining Coq and Gappa for Certifying Floating-Point Programs

Verifying Java Programs. Verifying Java Programs. The Krakatoa/Why Tool Suite

Verifying Java Programs

Formal Verification of Programs Computing the Floating-Point Average

Why3 where programs meet provers

Java Modelling Language (JML) References

Flocq: A Unified Library for Proving Floating-point Algorithms in Coq

Some issues related to double roundings

Deductive Program Verification with Why3, Past and Future

Flocq: A Unified Library for Proving Floating-point Algorithms in Coq

When double rounding is odd

Combining Coq and Gappa for Certifying Floating-Point Programs

Formal Verification of MIX Programs

Representing and Manipulating Floating Points. Jo, Heeseung

Representing and Manipulating Floating Points

Generating formally certified bounds on values and round-off errors

Deductive Verification in Frama-C and SPARK2014: Past, Present and Future

Proof of Properties in FP Arithmetic

Past and future formalizations of the IEEE 754, 854 and 754R standards

Representing and Manipulating Floating Points. Computer Systems Laboratory Sungkyunkwan University

Floating-point arithmetic in the Coq system

FLOATING POINT NUMBERS

Representing and Manipulating Floating Points

Verification Condition Generation

Verified Compilation of Floating-Point Computations

Coq, a formal proof development environment combining logic and programming. Hugo Herbelin

Representing and Manipulating Floating Points

Deductive Program Verification with Why3

Java Modelling Language (JML) References

Computing predecessor and successor in rounding to nearest

Floating Point Representation in Computers

Emulation of a FMA and correctly-rounded sums: proved algorithms using rounding to odd

Automating the Verification of Floating-Point Programs

Inf2C - Computer Systems Lecture 2 Data Representation

SIPE: Small Integer Plus Exponent

Lecture Notes: Hoare Logic

Chapter 03: Computer Arithmetic. Lesson 09: Arithmetic using floating point numbers

Table : IEEE Single Format ± a a 2 a 3 :::a 8 b b 2 b 3 :::b 23 If exponent bitstring a :::a 8 is Then numerical value represented is ( ) 2 = (

Floating Point (with contributions from Dr. Bin Ren, William & Mary Computer Science)

ECE232: Hardware Organization and Design

Jessie Plugin Tutorial

Open Floating Point Unit

GNATprove a Spark2014 verifying compiler Florian Schanda, Altran UK

Practical Numerical Methods in Physics and Astronomy. Lecture 1 Intro & IEEE Variable Types and Arithmetic

Floating Point Numbers

Floating Point Numbers

The Design and Implementation of a Rigorous. A Rigorous High Precision Floating Point Arithmetic. for Taylor Models

Floating-Point Data Representation and Manipulation 198:231 Introduction to Computer Organization Lecture 3

Advances in Programming Languages

CS 6210 Fall 2016 Bei Wang. Lecture 4 Floating Point Systems Continued

Jessie Plug-In Tutorial

Numerical computing. How computers store real numbers and the problems that result

Divide: Paper & Pencil

Data Representation Floating Point

Optimized Binary64 and Binary128 Arithmetic with GNU MPFR (common work with Vincent Lefèvre)

Towards an industrial use of FLUCTUAT on safety-critical avionics software

The Krakatoa Verification Tool

Data Representation Floating Point

Review Questions 26 CHAPTER 1. SCIENTIFIC COMPUTING

Foundations of Computer Systems

Floating Point Puzzles The course that gives CMU its Zip! Floating Point Jan 22, IEEE Floating Point. Fractional Binary Numbers.

Lecture 1 Contracts. 1 A Mysterious Program : Principles of Imperative Computation (Spring 2018) Frank Pfenning

Floating Point Arithmetic

Operations On Data CHAPTER 4. (Solutions to Odd-Numbered Problems) Review Questions

COSC 243. Data Representation 3. Lecture 3 - Data Representation 3 1. COSC 243 (Computer Architecture)

Research project proposal ProVal: Proof of Programs

Why3 Where Programs Meet Provers

Strongly Connected Components in graphs, formal proof of Tarjan1972 algorithm

Simple proofs of simple programs in Why3

Floating-Point Arithmetic

CSE 140 Homework One

Hoare Logic: Proving Programs Correct

Computer Architecture, Lecture 14: Does your computer know how to add?

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Outline. software testing: search bugs black-box and white-box testing static and dynamic testing

Binary Search. Roland Backhouse February 5th, 2001

CS321 Introduction To Numerical Methods

Floating-point arithmetic in the Coq system

Refinements for free! 1

Roundoff Errors and Computer Arithmetic

FP-ANR: Another representation format to handle cancellation at run-time. David Defour LAMPS, Univ. de Perpignan (France)

Scientific Computing. Error Analysis

Rigorous Estimation of Floating- point Round- off Errors with Symbolic Taylor Expansions

The Why/Krakatoa/Caduceus Platform for Deductive Program Verication

Floating Point January 24, 2008

Numerical Methods in Physics. Lecture 1 Intro & IEEE Variable Types and Arithmetic

The SMT-LIB 2 Standard: Overview and Proposed New Theories

Floating-point Arithmetic. where you sum up the integer to the left of the decimal point and the fraction to the right.

C NUMERIC FORMATS. Overview. IEEE Single-Precision Floating-point Data Format. Figure C-0. Table C-0. Listing C-0.

Transcription:

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filliâtre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI

Motivations Goal: reliability in numerical software

Motivations Goal: reliability in numerical software Tool: formal proofs

Motivations Goal: reliability in numerical software Tool: formal proofs Drawback: we were not checking the real program

Motivations Goal: reliability in numerical software Tool: formal proofs Drawback: we were not checking the real program put together existing tools check what is really written by programmers

Outline Existing tools

What is? The method is to annotate the C program

What is? The method is to annotate the C program We add pre-conditions and post-conditions to functions We add variants, invariants, assertions

What is? The method is to annotate the C program We add pre-conditions and post-conditions to functions We add variants, invariants, assertions The tool generates proof obligations (such as Coq theorems) associated to the user annotations The proof of the verification conditions ensures that the program meets its specification

Java C

Java Krakatoa C

Java Krakatoa C Why

Java Krakatoa C Why Coq PVS HOL Mizar Proof obligations

Java Krakatoa C Why Coq PVS HOL Mizar Simplify harvey CVC Proof obligations

Example: search in an array i n t i n d e x ( i n t t [ ], i n t n, i n t v ) { i n t i = 0 ; while ( i < n ) { i f ( t [ i ] == v ) break ; i ++; } return i ; }

Example: search in an array /*@ requires \ valid_range(t,0,n-1) @ ensures @ (0 <= \ result < n => t[\ result] == v) && @ (\result == n => @ \ forall int i; 0 <= i < n => t[i]!= v) */ i n t i n d e x ( i n t t [ ], i n t n, i n t v ) { i n t i = 0 ; /*@ invariant 0 <= i && @ \ forall int k; 0 <= k < i => t[k]!= v @ variant n - i */ while ( i < n ) { i f ( t [ i ] == v ) break ; i ++; } return i ; }

Existing tools

Coq formalization (by Daumas, Rideau, Théry) Float = pair of signed integers (mantissa, exponent) (n, e) Z 2

Coq formalization (by Daumas, Rideau, Théry) Float = pair of signed integers (mantissa, exponent) associated to a real value (n, e) Z 2 n β e R

Coq formalization (by Daumas, Rideau, Théry) Float = pair of signed integers (mantissa, exponent) associated to a real value (n, e) Z 2 n β e R 1.00010 2 E 4 (100010 2, 1) 2 17 IEEE-754 significant of 754R real value normal floats, subnormal floats, cohorts, overflow

Partial We have all the needed tools program formal theorem (obligations) formal float, formal rounding...

Partial We have all the needed tools program formal theorem (obligations) formal float, formal rounding... We have to merge them to get a tool: program formal theorem on FP arithmetic

Partial We have all the needed tools program formal theorem (obligations) formal float, formal rounding... We have to merge them to get a tool: program formal theorem on FP arithmetic We have to decide how to specify a FP program!

Existing tools

s model of FP numbers A program float is a triple: the floating-point number, as computed by the program, x x f floating-point part

s model of FP numbers A program float is a triple: the floating-point number, as computed by the program, x x f floating-point part the value if all previous computations were exact, x x e exact part

s model of FP numbers A program float is a triple: the floating-point number, as computed by the program, x x f floating-point part the value if all previous computations were exact, x x e exact part the ideally computed value x x m model part

s model of FP numbers (II) Program features types for single and double precision floats roundings that may be switched basic operations...

s model of FP numbers (II) Program features types for single and double precision floats roundings that may be switched basic operations... Specification features computations are exact inside annotations access to the exact and model parts round error and total error macros

Existing tools

Example 1: exact subtraction f l o a t S t e r b e n z ( f l o a t x, f l o a t y ){ return x y ; }

Example 1: exact subtraction /*@ requires y/2 <= x <= 2* y @ ensures \ result == x-y @*/ f l o a t S t e r b e n z ( f l o a t x, f l o a t y ){ return x y ; } (44 lines of Coq)

Example 2: Malcolm s Algorithm double malcolm ( ) { double A, B ; A=2; while (A!= (A+1)) A =2; B=1; while ( (A+B) A!= B) B++; return B ; } (747 lines of Coq)

Example 2: Malcolm s Algorithm /*@ ensures \result == 2 */ double malcolm ( ) { double A, B ; A=2; /*@ assert A==2 */ /*@ invariant A == 2 ^^ my_log(a) @ && 1 <= my_log(a) <= 53 @ variant (53- my_log(a)) */ while (A!= (A+1)) A =2; /*@ assert A == 2 ^^ (53) */ B=1; /*@ assert B==1 */ /*@ invariant B == IRNDD(B) && 1 <= B <= 2 @ variant (2- IRNDD(B)) */ while ( (A+B) A!= B) B++; return B ; }

Example 3: stupid exponential computation double my exp ( double x ) { double y=1+x (1+x / 2 ) ; return y ; }

Example 3: stupid exponential computation /*@ requires x <= 2 ^^ (-3) @ ensures \ model(\ result)== exp(\ model(x)) @ && (\round_error(x)==0 @ => \ round_error(\ result) @ <= 2 ^^ (-52)) @ && \total_error(\result) @ <= \ total_error(x) @ + 2 ^^ (-51) */ double my exp ( double x ) { double y=1+x (1+x / 2 ) ; /*@ \set_model y exp(\model(x)) */ return y ; } (unproved)

Existing tools

Advantages a way to specify and formally prove a FP program includes all other aspects of program verification with or without Overflow intuitive specification

Advantages a way to specify and formally prove a FP program includes all other aspects of program verification with or without Overflow intuitive specification Drawbacks no NaNs, no ± no exception, no flag no way to detect compiler optimizations fails on Intel architectures (no way to predict if 53 or 80 bits are used)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback