formal verification of numerical programs from c
play

Formal verification of numerical programs: from C annotated programs - PowerPoint PPT Presentation

Sep 08, 2023 •342 likes •1.72k views

Third International Workshop on Numerical Software Verification Formal verification of numerical programs: from C annotated programs to Coq proofs Sylvie Boldo INRIA Saclay - Ile-de-France July 15th, 2010 Thanks to the organizers !

  1. Example using Coq 8.2 Theorem Rle Fexp eq Zle : forall x y :float, (x <= y)%R -> Fexp x = Fexp y -> (Fnum x <= Fnum y)%Z. intros x y H’ H’0. apply le IZR. apply (Rle monotony contra exp radix) with (z := Fexp x); auto with real arith. pattern (Fexp x) at 2 in |- *; rewrite H’0; auto. Qed. With keywords, stating of the theorem, tactics and names of used theorems. Theorem (Rle Fexp eq Zle) If two floats x = ( n x , e x ) and y = ( n y , e y ) verifies x ≤ y, and e x = e y , then n x ≤ n y . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 15 / 41

  2. Plan Motivations 1 Tools 2 Formal proof Frama-C/Jessie/Why Examples 3 Conclusions 4 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 16 / 41

  3. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  4. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  5. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  6. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  7. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) ◮ . . . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  8. Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) ◮ . . . Free softwares in CAML available at http://frama-c.com/ and http://why.lri.fr/ . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41

  9. Frama-C/Jessie/Why ACSL-annotated C program Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41

  10. Frama-C/Jessie/Why ACSL-annotated C program Frama-C/Jessie plug-in WHY verification condition generator Verification conditions Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41

  11. Frama-C/Jessie/Why ACSL-annotated C program Frama-C/Jessie plug-in WHY verification condition generator Verification conditions Automatic provers Interactive provers (Alt-Ergo,Gappa,CVC3,etc.) (Coq,PVS,etc.) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41

  12. ACSL ANSI/ISO C Specification Language Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  13. ACSL ANSI/ISO C Specification Language behavioral specification language for C programs Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  14. ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  15. ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  16. ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. assertions Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  17. ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. assertions In annotations, all computations are exact. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41

  18. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  19. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part the value that would have been obtained with exact computations, x → x e exact part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  20. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part the value that would have been obtained with exact computations, x → x e exact part the value that we ideally wanted to compute x → x m model part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  21. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  22. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) ⇒ easy to split into method error and rounding error Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  23. ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) ⇒ easy to split into method error and rounding error For a float f , we have macros such as \ rounding error(f) and \ exact(f) , while f (as a real) is its floating-point value. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41

  24. Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41

  25. Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41

  26. Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. full : IEEE roundings occur. Exceptional behaviors may happen. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41

  27. Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. full : IEEE roundings occur. Exceptional behaviors may happen. multi-rounding : we may have any hardware and compiler (80-bit extended registers, FMA) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41

  28. Plan Motivations 1 Tools 2 Formal proof Frama-C/Jessie/Why Examples 3 Conclusions 4 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 22 / 41

  29. Examples All examples use Frama-C Boron and Why 2.26. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41

  30. Examples All examples use Frama-C Boron and Why 2.26. All proof obligations are proved using Coq. (except 2 inequalities in the last example). Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41

  31. Examples All examples use Frama-C Boron and Why 2.26. All proof obligations are proved using Coq. (except 2 inequalities in the last example). Code & proofs available on http://www.lri.fr/~sboldo/research.html . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41

  32. Sterbenz Theorem (Sterbenz) If x and y are FP numbers in a given precision such that y 2 ≤ x ≤ 2 y , then x − y fits in a FP number in the same precision and is therefore computed without error. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 24 / 41

  33. Sterbenz – program /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41

  34. Sterbenz – program Exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41

  35. Sterbenz – program 1 PO : exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41

  36. Sterbenz – program 1 PO : exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } 1 PO : no overflow Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41

  37. Veltkamp/Dekker Theorem (Veltkamp/Dekker) Provided no Overflow and no Underflow occur, there is an algorithm computing the exact error of the multiplication using only FP operations. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 26 / 41

  38. Veltkamp/Dekker Theorem (Veltkamp/Dekker) Provided no Overflow and no Underflow occur, there is an algorithm computing the exact error of the multiplication using only FP operations. Idea : split your floats in 2, multiply all the parts, add them in the correct order. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 26 / 41

  39. Veltkamp : how to split a floating-point number Let C = 2 27 + 1 for double precision numbers. 27 bits x 2 27 × x + p = ◦ ( x × C ) q = ◦ ( x − p ) x 1 = p + q Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 27 / 41

  40. Dekker : how to get the error of the multiplication r 1 = ◦ ( x × y ) x 1 × y 1 t 1 = x 1 × y 1 − r x 1 × y 2 t 2 = t 1 + x 1 × y 2 x 2 × y 1 t 3 = t 2 + x 2 × y 1 x 2 × y 2 r 2 = t 3 + x 2 × y 2 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 28 / 41

  41. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  42. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; Split x and y py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  43. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; Multiply all halves and r2+=hx ∗ ty ; r2+=hy ∗ tx ; add all the results r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  44. Veltkamp/Dekker – program xy = ◦ ( xy ) /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  45. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && Overflow @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  46. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; If no Underflow @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  47. Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); Exact error of ⊗ @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41

  48. Accurate discriminant It is pretty hard to compute b 2 − ac accurately. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 30 / 41

  49. Accurate discriminant It is pretty hard to compute b 2 − ac accurately. Theorem (Kahan) Provided no Overflow and no Underflow occur, there is an algorithm computing the b 2 − a ∗ c within 2 ulps. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 30 / 41

  50. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  51. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  52. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) If ac �≈ b 2 , compute naively d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  53. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { If ac ≈ b 2 , compute accurately dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; using errors of the multiplications d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  54. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && Underflow @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  55. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && Overflow @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  56. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. 2 ulps @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  57. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) Function calls d=p − q ; e l s e { ⇒ pre-conditions to prove dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; ⇒ post-conditions guaranteed d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  58. Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ In initial proof, double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; test assumed correct p=b ∗ b ; ⇒ Additional proof q=a ∗ c ; when test is incorrect i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41

  59. Wave equation resolution scheme ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) = s ( x , t ) ∂ t 2 ∂ x 2 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41

  60. Wave equation resolution scheme t t k t k − 1 ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) ֒ → = s ( x , t ) t k − 2 ∂ t 2 ∂ x 2 x j − 1 x j x j +1 x Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41

  61. Wave equation resolution scheme t t k t k − 1 ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) ֒ → = s ( x , t ) t k − 2 ∂ t 2 ∂ x 2 x j − 1 x j x j +1 x j − 2 u k − 1 + u k − 2 − c 2 u k − 1 j +1 − 2 u k − 1 + u k − 1 u k j j j j − 1 = s k − 1 ∆ t 2 ∆ x 2 j Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41

  62. Wave equation resolution scheme – program double ∗∗ forward prop ( i n t ni , i n t nk , double dx , double dt , double v , double xs , double l ) { double ∗∗ p ; i n t i , k ; double a1 , a , dp ; a1 = dt /dx ∗ v ; a = a1 ∗ a1 ; [ . . . ] // i n i t i a l i z a t i o n s of p [ . . . ] [ 0 ] and p [ . . . ] [ 1 ] /* propagation = time loop */ /*@ loop invariant 1 <= k <= nk && analytic_error (p,ni ,ni ,k,a); @ loop variant nk -k; */ f o r ( k=1; k < nk ; k++) { p [ 0 ] [ k+1] = 0 . ; /* time iteration = space loop */ /*@ loop invariant 1 <= i <= ni && analytic_error (p,ni ,i-1,k+1,a) @ loop variant ni -i; */ f o r ( i =1; i < n i ; i ++) { dp = p [ i +1][ k ] − 2. ∗ p [ i ] [ k ] + p [ i − 1][ k ] ; p [ i ] [ k+1] = 2. ∗ p [ i ] [ k ] − p [ i ] [ k − 1] + a ∗ dp ; } p [ n i ] [ k+1] = 0 . ; } return p ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 33 / 41

  63. Wave equation resolution scheme – program double ∗∗ forward prop ( i n t ni , i n t nk , double dx , double dt , double v , double xs , double l ) { double ∗∗ p ; i n t i , k ; double a1 , a , dp ; a1 = dt /dx ∗ v ; a = a1 ∗ a1 ; [ . . . ] // i n i t i a l i z a t i o n s of p [ . . . ] [ 0 ] and p [ . . . ] [ 1 ] /* propagation = time loop */ /*@ loop invariant 1 <= k <= nk && analytic_error (p,ni ,ni ,k,a); @ loop variant nk -k; */ Time loop f o r ( k=1; k < nk ; k++) { p [ 0 ] [ k+1] = 0 . ; /* time iteration = space loop */ /*@ loop invariant 1 <= i <= ni && analytic_error (p,ni ,i-1,k+1,a) @ loop variant ni -i; */ Space loop f o r ( i =1; i < n i ; i ++) { dp = p [ i +1][ k ] − 2. ∗ p [ i ] [ k ] + p [ i − 1][ k ] ; p [ i ] [ k+1] = 2. ∗ p [ i ] [ k ] − p [ i ] [ k − 1] + a ∗ dp ; } p [ n i ] [ k+1] = 0 . ; } return p ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 33 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Polyhedral Domains and Widening for Verification of Numerical Programs Goran Frehse Verimag

Polyhedral Domains and Widening for Verification of Numerical Programs Goran Frehse Verimag

Polyhedral Domains and Widening for Verification of Numerical Programs Goran Frehse Verimag Hitashyam Maka and Bruce H. Krogh Carnegie Mellon University 1 Verification of numerical programs Problem definition Polyhedral domains

390 views • 26 slides
Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en

Program verification Formal arithmetic Decision procedures Numerical Computations and Formal Methods Guillaume Melquiond Proval, Laboratoire de Recherche en Informatique INRIA SaclayIdF, Universit e Paris Sud, CNRS October 28, 2009

1.07k views • 77 slides
Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of

Practical Formal Verification of MPI and Thread Programs Ganesh Gopalakrishnan, School of Computing, University of Utah, Salt Lake City, UT 84112 A Half-Day Tutorial Proposed for ICS 2009 http:// www.cs.utah.edu / formal_verification

1.3k views • 102 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis

Formal Verification of x86 Machine-Code Programs Computer Architecture and Program Analysis Shilpi Goel shigoel@cs.utexas.edu Department of Computer Science The University of Texas at Austin Software and Reliability Can we rely on our

891 views • 65 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20

A Proof Repository for Formal Verification of Software Michael Franssen WASDeTT- 3 September 20 th 2010 Cocktail Derive programs from their specifications Does not scale and nobody programs like this Create proofs interactively with an

342 views • 7 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre

Formal Verification of Floating-Point programs Sylvie Boldo and Jean-Christophe Filli atre Montpellier June, 26th 2007 INRIA Futurs CNRS, LRI Existing tools Model and specification of FP numbers Examples Conclusion Motivations

410 views • 39 slides
Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo,

Formal Verification of Differentially Private Mechanisms Marco Gaboardi University at Buffalo, SUNY Goal of formal verification: building programs that are correct. Why correctness matters? Why correctness matters? An example: DARPA HACMS

448 views • 40 slides
CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social

CS 4160 Formal Verification Prof. Clarkson Spring 2019 Approaches to validation Social Less formal: Techniques may Code reviews miss problems in programs Extreme/Pair programming Methodological Design patterns

330 views • 18 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
INF5140 Specification and Verification of Parallel Systems Overview, lecture 1 Spring 2015

INF5140 Specification and Verification of Parallel Systems Overview, lecture 1 Spring 2015

INF5140 Specification and Verification of Parallel Systems Overview, lecture 1 Spring 2015 January 23, 2015 1 / 75 Content See the homepage of the course: http://www.uio.no/studier/emner/matnat/ifi/INF5140/v15/ 2 / 75 Evaluation System

616 views • 39 slides
Parallelizing the Hamiltonian Computation in DQMC Simulations: Checkerboard Method for Sparse

Parallelizing the Hamiltonian Computation in DQMC Simulations: Checkerboard Method for Sparse

Parallelizing the Hamiltonian Computation in DQMC Simulations: Checkerboard Method for Sparse Matrix Exponentials on Multicore and GPU Che-Rung Lee National Tsing Hua University joint work with Zhi-Hung Chen and Quey-Liang Kao Second

784 views • 63 slides
Applica'on Support NDNComm 2014 ICN Tutorial Dry Run

Applica'on Support NDNComm 2014 ICN Tutorial Dry Run

Applica'on Support NDNComm 2014 ICN Tutorial Dry Run September 3, 2014 jburke@ucla.edu 1 MoDvaDon The NDN project's approach is to design and

849 views • 43 slides
Systems and Information Security Issues Prof. Alexander K. Petrenko, petrenko@ispras.ru 12th

Systems and Information Security Issues Prof. Alexander K. Petrenko, petrenko@ispras.ru 12th

Testing and Verification of Operating Systems and Information Security Issues Prof. Alexander K. Petrenko, petrenko@ispras.ru 12th TAROT Summer School on Software Testing, Verification &amp; Validation Paris, July, 2016 Institute for System

1.26k views • 115 slides
Automated Theorem Proving 4/4: Satisfiability Checkers, SAT/SMT A.L. Lamprecht Course Program

Automated Theorem Proving 4/4: Satisfiability Checkers, SAT/SMT A.L. Lamprecht Course Program

Automated Theorem Proving 4/4: Satisfiability Checkers, SAT/SMT A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 30, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available

451 views • 44 slides
COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static

COSC345 Week 17 Static verification 4 August 2015 Richard A. O Keefe 1 Aim of static verification Find defects early Work on incomplete components Work on non-executable items N.B. Testing and debugging cannot start until executable

498 views • 21 slides
Pfff: PHP Program Analysis at Facebook Yoann Padioleau (Facebook)

Pfff: PHP Program Analysis at Facebook Yoann Padioleau (Facebook)

Pfff: PHP Program Analysis at Facebook Yoann Padioleau (Facebook) http://github.com/facebook/pfff OCaml Users and Developers Workshop 2013 About this talk n Feel free to ask questions during the talk PHP Program Analysis at Facebook n

754 views • 17 slides
1 &lt;Insert Picture Here&gt; Give me a proper visual JSF editor or else ... David Konecny

1 &lt;Insert Picture Here&gt; Give me a proper visual JSF editor or else ... David Konecny

1 &lt;Insert Picture Here&gt; Give me a proper visual JSF editor or else ... David Konecny Principal Member of Technical Staff, Oracle The following is intended to outline our general product direction. It is intended for information purposes

582 views • 34 slides

More recommend