Real Behavior of Floating Point Numbers SMT 2017 | Bruno Marre, - - PowerPoint PPT Presentation

23 July 2017

Real Behavior of Floating Point Numbers

SMT 2017 | Bruno Marre, Bobot François, Zakaria Chihani

COLIBRI (Bruno Marre)

Started in 2000 for test case generation Used only as a library in PathCrawler and Gatel CP solver uses Eclipse Prolog Proprietary with the help of IRSN No test case that use NaN or infinities Only fp.eq, no =, only RNE, +0 = −0, only 32/64 bit integer modulo, real

CEA | 23 July 2017 | p. 2

COLIBRI (Bruno Marre)

Started in 2000 for test case generation Used only as a library in PathCrawler and Gatel CP solver uses Eclipse Prolog Proprietary freeware for academic with the help of IRSN No test case that use NaN or infinities Only fp.eq, no =, only RNE, +0 = −0, only 32/64 bit integer modulo, real

CEA | 23 July 2017 | p. 2

Architecture

Propagation Labelling Splitting sat unsat

CEA | 23 July 2017 | p. 3

Architecture

Propagation

Labelling Splitting

sat unsat

CEA | 23 July 2017 | p. 3

Floating Points

✔ Clear Semantic: x y = o(x + y)

CEA | 23 July 2017 | p. 4

Floating Points

✔ Clear Semantic: x y = o(x + y) ✘ Few algebraic properties: not associative, x y = x y = 0

CEA | 23 July 2017 | p. 4

Floating Points

✔ Clear Semantic: x y = o(x + y) ✘ Few algebraic properties: not associative, x y = x y = 0 ✘ Counter-intuitive:

10

• 0.1 · · · 0.1 = 0.1 10. = 1.

CEA | 23 July 2017 | p. 4

Floating Points

✔ Clear Semantic: x y = o(x + y) ✘ Few algebraic properties: not associative, x y = x y = 0 ✘ Counter-intuitive:

10

• 0.1 · · · 0.1 = 0.1 10. = 1.

✘ State of the art: current bit-blasting doesn’t scale

CEA | 23 July 2017 | p. 4

Floating Points

✔ Clear Semantic: x y = o(x + y) ✘ Few algebraic properties: not associative, x y = x y = 0 ✘ Counter-intuitive:

10

• 0.1 · · · 0.1 = 0.1 10. = 1.

✘ State of the art: current bit-blasting doesn’t scale ✘ Pervasives in programs

CEA | 23 July 2017 | p. 4

Domain Specific Approach of CP

Xi ∈ [1; 10] = ⇒ X0X1X2X3X4X5X6X7 ∈ [8; 80] Z3 : 3s COLIBRI: < 0.1s (+0.25s)

CEA | 23 July 2017 | p. 5

Domain Specific Approach of CP

Xi ∈ [1; 10] = ⇒ X0X1X2X3X4X5X6X7 ∈ [8; 80] Z3 : 3s COLIBRI: < 0.1s (+0.25s) Xi ∈ [1; 10] = ⇒ X0X1X2X3X4X5X6X7 ∈ [1; 108] Z3 : 31min COLIBRI: < 0.1s (+0.25s)

CEA | 23 July 2017 | p. 5

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....]

CEA | 23 July 2017 | p. 6

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....] 0.05: 0x3fa999999999999a

CEA | 23 July 2017 | p. 6

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....] 0.05: 0x3fa999999999999a Distance graph on floating-point numbers

CEA | 23 July 2017 | p. 6

Distance graph on floating-point numbers

x IEEE-format, num(x) 0. num(x) − num(fp.mul _ 2 x) = 252

CEA | 23 July 2017 | p. 7

Distance graph on floating-point numbers

x IEEE-format, num(x) 0. +1p − 1074 1 +1p − 1073 2 1.0 0x3ff0000000000000 2.0 0x4000000000000000 num(x) − num(fp.mul _ 2 x) = 252

CEA | 23 July 2017 | p. 7

Distance graph on floating-point numbers

x IEEE-format, num(x) −2.0 −0x4000000000000000 −1.0 −0x3ff0000000000000 −1p − 1073 −2 −1p − 1074 −1 0. +1p − 1074 1 +1p − 1073 2 1.0 0x3ff0000000000000 2.0 0x4000000000000000 num(x) − num(fp.mul _ 2 x) = 252

CEA | 23 July 2017 | p. 7

Distance graph on floating-point numbers

x IEEE-format, num(x) −2.0 −0x4000000000000000 −1.0 −0x3ff0000000000000 −1p − 1073 −2 −1p − 1074 −1 −0. −0 0. +1p − 1074 1 +1p − 1073 2 1.0 0x3ff0000000000000 2.0 0x4000000000000000 num(x) − num(fp.mul _ 2 x) = 252

CEA | 23 July 2017 | p. 7

Distance graph on floating-point numbers

x ∈ [1; 10], fp.mul RNE x 2 = y x y {252} w ∈ [1; 10], fp.add RNE w 3 = z w z [num(13) − num(10); num(4) − num(1)]

CEA | 23 July 2017 | p. 8

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....] 0.05: 0x3fa999999999999a Distance graph on floating-point numbers Monotonic functions:

• (f (x)) < o(y) =

⇒ o(x) ≤ o(f −1(o(y)))

CEA | 23 July 2017 | p. 9

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....] 0.05: 0x3fa999999999999a Distance graph on floating-point numbers Monotonic functions:

• (f (x)) < o(y) =

⇒ o(x) ≤ o(f −1(o(y))) Instantiated for many functions

CEA | 23 July 2017 | p. 9

COLIBRI: Floating Point

Precise domain propagation: x y = 0.05 = ⇒ x, y ∈ [−0.1259..; 0.175....] 0.05: 0x3fa999999999999a Distance graph on floating-point numbers Monotonic functions:

• (f (x)) < o(y) =

⇒ o(x) ≤ o(f −1(o(y))) Instantiated for many functions Linearization of constraints for simplex

CEA | 23 July 2017 | p. 9

Interesting and Simple Real Examples

1 /∗@ requires 0 ≤ x ≤ 1000;

requires 0 ≤ y ≤ 1000;

3

ensures 0 ≤ \result ≤ 1; @∗/ double x_normalisation(double x,double y){

5

return x/sqrt(x∗x + y∗y);

7

}

CEA | 23 July 2017 | p. 10

COLIBRI: Example of Reasoning

0 ≤ x, y ≤ 1000 = ⇒

• x2 y2 ≥ x ?

CEA | 23 July 2017 | p. 11

COLIBRI: Example of Reasoning

0 ≤ x, y ≤ 1000 = ⇒

• x2 y2 ≥ x ?
• (x2) + o(y2)
• < x
• (x2) + o(y2) ≤ o(x2)
• (x2) + o(y2) = o(x2)
• (x2)
• < x

x < x if o(x2) is normalized

• (x2) is denormalized

x the minimum of the remaining values is a solution

CEA | 23 July 2017 | p. 11

COLIBRI: Example of Reasoning

0 ≤ x, y ≤ 1000 = ⇒

• x2 y2 ≥ x ?
• (x2) + o(y2)
• < x
• (x2) + o(y2) ≤ o(x2)
• (x2) + o(y2) = o(x2)
• (x2)
• < x

x < x if o(x2) is normalized

• (x2) is denormalized

x the minimum of the remaining values is a solution There is a counter-example!

CEA | 23 July 2017 | p. 11

Interesting and Simple Real Examples: Corrected

/∗@ requires 0.0001 ≤ x ≤ 1000;

2

requires 0.0001 ≤ y ≤ 1000; ensures 0 ≤ \result ≤ 1; @∗/

4 double x_normalisation(double x,double y){ 6

return x/sqrt(x∗x + y∗y);

8 } CEA | 23 July 2017 | p. 12

Other Examples: From SPARK User Rule

procedure User_Rule_7 (X, Y, Z, A : Float;

2

Res : out Boolean) is

4

begin pragma Assume (Z ≥ 0.0);

6

pragma Assume (X ≥ Y); pragma Assume (Y ≥ Z);

8

pragma Assume (X > Z); pragma Assume (A ≥ 1.0);

10

Res := (X − Y) / (X − Z) ≤ A; pragma Assert (Res); −− valid

12

end User_Rule_7;

CEA | 23 July 2017 | p. 13

Other Examples: From SPARK User Rule

A ≤ X Y X Z ≤ B with ...

• X 2 Y 2 ≤ X

with ... X √ X 2 Y 2 ≤ 1 with ...

CEA | 23 July 2017 | p. 14

Linearization [Belaid2012]

For t a normal positive number with double precision:

• (t)

CEA | 23 July 2017 | p. 15

Linearization [Belaid2012]

For t a normal positive number with double precision: (1 − 1 252 − 1) · t ≤ o(t) ≤ (1 + 1 252 + 1) · t.

CEA | 23 July 2017 | p. 15

Linearization [Belaid2012]

For t a normal positive number with double precision: (1 − 1 252 − 1) · t ≤ o(t) ≤ (1 + 1 252 + 1) · t. (0. ≤f x ≤f 10.0) ∧ (0. ≤f y ≤f 10.0) ⇒ ((x y) x) y ≤f 0.0001

CEA | 23 July 2017 | p. 15

Linearization [Belaid2012]

For t a normal positive number with double precision: (1 − 1 252 − 1) · t ≤ o(t) ≤ (1 + 1 252 + 1) · t. (0. ≤f x ≤f 10.0) ∧ (0. ≤f y ≤f 10.0) ⇒

• (o(o(x + y) − x) − y) ≤f 0.0001

CEA | 23 July 2017 | p. 15

Bitvector and Integer Arithmetic (CPAIOR17)

High-level view of bitvectors New propagations for integers ↔ bitvectors

CEA | 23 July 2017 | p. 16

Interreductions

D ∆ Int/BV D ∆ FP D ∆ Real ➃ ➀ ➅ ➂ ➄ ➁

CEA | 23 July 2017 | p. 17

Casts

x, y ∈ [1; 1000], fp.to_sbv _ x = w, fp.to_sbv _ y = z x y w z [0; ...]

CEA | 23 July 2017 | p. 18

Casts

x, y ∈ [1; 1000], fp.to_sbv _ x = w, fp.to_sbv _ y = z x y w z [0; ...] [0; ...]

CEA | 23 July 2017 | p. 18

Griggio and Schanda

20 40 60 80 100 120 140 160 180 200 10 20 30 40 50 60

proved time(s)

COLIBRI no simplex no delta MathSAT ACDCL Z3

CEA | 23 July 2017 | p. 19

Future Work

Look at the unsolved benchmarks

CEA | 23 July 2017 | p. 20

Future Work

Look at the unsolved benchmarks More confidence in the propagation and rewrite rules

CEA | 23 July 2017 | p. 20

Future Work

Look at the unsolved benchmarks More confidence in the propagation and rewrite rules Uninterpreted functions and quantifiers

CEA | 23 July 2017 | p. 20

Future Work

Look at the unsolved benchmarks More confidence in the propagation and rewrite rules Uninterpreted functions and quantifiers MCsat

CEA | 23 July 2017 | p. 20

Future Work

Look at the unsolved benchmarks More confidence in the propagation and rewrite rules Uninterpreted functions and quantifiers MCsat Reduce the loading time...

CEA | 23 July 2017 | p. 20

CEA | 23 July 2017 | p. 21

CEA | 23 July 2017 | p. 22

Floating-Point Arithmetic: Monotonic func- tions

(CEA, UPSud)

Theorem

Let D, E ⊂ R, f : D → E and f −1 : E → D such that ∀x : D, f −1(f (x)) = x f increasing We have ∀x ∈ D, o(y) ∈ E, o(f (x)) < o(y) = ⇒ o(x) ≤ o(f −1(o(y))) ∀x ∈ D, y ∈ E, o(f (x)) < o(f (y)) = ⇒ x < y Instantiated for many functions in COLIBRI’s DBM

CEA | 23 July 2017 | p. 23

Interesting and Simple Real Examples

/∗@ ensures \result ≤ (double) 1; @∗/

2 double test2(){

double x = read_sensor();

4

/∗@ assert (double) 0 ≤ x ≤ (double) 1000; @∗/ double y = read_sensor();

6

double z = read_sensor();

8

x = x ∗ x + z ∗ z + y ∗ y + 1;

10

if (z ≤ y){ return (x−y)/(x−z);

12

} else { return (x−z)/(x−y);

14

} }

CEA | 23 July 2017 | p. 24

The Problems

SMT

shared Engine

CC

• l

Bo

1

T

2

T ...

n

T

D L P

CP

shared Engine

• l

Bo

1

T

2

T ...

n

T

D P

CEA | 23 July 2017 | p. 25

Direction de la Recherche Technologique Département d’Ingénierie des Logiciels et des Systèmes Laboratoire de Sûreté des Logiciels Commissariat à l’énergie atomique et aux énergies alternatives Institut Carnot CEA LIST Centre de Saclay | 91191 Gif-sur-Yvette Cedex

• T. +33 (0)1 69 08 82 98| F. +33 (0)1 69 08 83 95

Etablissement public à caractère industriel et commercial | RCS Paris B 775 685 019