the correctness of
play

the Correctness of math.h Implementations Wonyeol Lee 1,2 Rahul - PowerPoint PPT Presentation

Feb 05, 2024 •576 likes •2.05k views

On Automatically Proving the Correctness of math.h Implementations Wonyeol Lee 1,2 Rahul Sharma 3 Alex Aiken 1 1 Stanford University 2 KAIST 3 Microsoft Research POPL 2018 1 /146 Our Goal mathematical specification Industry

  1. Previous Work • Machine-checkable proofs • Harrison used HOL Light to prove [FMCAD’00 ] : “Intel’s sin has precision loss of < 0.574 ulps ” • “Construction of these proofs often requires considerable persistence .” [FMSD’00] • Automatic techniques • Astree [PLDI’03] , Fluctuat [FMICS’09] , Gappa [TOMS’10] , MathSAT [FMCAD’12 ] , Rosa [POPL’14] , FPTaylor [FM’15 ] , Lee/Sharma/Aiken [PLDI’16], ⋯ • None of them can prove < 1 ulp error bound automatically 32 /146

  2. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 That is, 33 /146

  3. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 34 /146

  4. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 That is, 0 1 𝑏 ⊛ 𝑐 35 /146

  5. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 That is, 0 1 𝑏 ⊛ 𝑐 𝑏 ∗ 𝑐 36 /146

  6. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 That is, 𝑏 ∗ 𝑐 1 + 𝜀 ∶ 𝜀 < 𝜗 0 1 𝑏 ⊛ 𝑐 𝑏 ∗ 𝑐 37 /146

  7. 1 + 𝜗 Property • A standard way to model rounding errors • Theorem For any double 𝑏 and 𝑐 , and ∗ ∈ {+, −,×,/} , 𝑏 ⊛ 𝑐 = 𝑏 ∗ 𝑐 1 + 𝜀 for some 𝜀 < 𝜗 • where 𝜗 = 2 −53 That is, 𝑏 ∗ 𝑐 1 + 𝜀 ∶ 𝜀 < 𝜗 0 1 𝑏 ⊛ 𝑐 𝑏 ∗ 𝑐 38 /146

  8. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 39 /146

  9. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 40 /146

  10. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 41 /146

  11. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 ⊕ ⊗ = • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 42 /146

  12. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 = • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 43 /146

  13. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 44 /146

  14. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 1. Construct abstraction 𝐵 𝜀 of 𝑓 : 𝐵 𝜀 𝑦 = 1 + 0.5 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 • 𝐵 𝜀 is a sound abstraction of 𝑓 (or 𝑓 ⊑ 𝐵 𝜀 ): 𝑓 𝑦 ∈ {𝐵 𝜀 𝑦 ∶ 𝜀 1 , 𝜀 2 < 𝜗} for all 𝑦 ∈ 𝑌 45 /146

  15. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 2. Compute a bound on relative error of 𝑓 : 𝑔(𝑦)−𝐵 𝜀 𝑦 Θ 𝑠𝑓𝑚 = max 𝑔(𝑦) 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 1+𝑦− 1+ 0.5 × 𝑦 1+𝜀 1 1+𝜀 2 = max 1+𝑦 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 3. Compute a bound on ulp error of 𝑓 : Θ 𝑣𝑚𝑞 = Θ 𝑠𝑓𝑚 /𝜗 46 /146

  16. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 2. Compute a bound on relative error of 𝑓 : 𝑔(𝑦)−𝐵 𝜀 𝑦 Θ 𝑠𝑓𝑚 = max 𝑔(𝑦) 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 1+𝑦− 1+ 0.5 × 𝑦 1+𝜀 1 1+𝜀 2 = max 1+𝑦 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 3. Compute a bound on ulp error of 𝑓 : Θ 𝑣𝑚𝑞 = Θ 𝑠𝑓𝑚 /𝜗 47 /146

  17. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 2. Compute a bound on relative error of 𝑓 : 𝑔(𝑦)−𝐵 𝜀 𝑦 Θ 𝑠𝑓𝑚 = max 𝑔(𝑦) 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 1+𝑦− 1+ 0.5 × 𝑦 1+𝜀 1 1+𝜀 2 = max 1+𝑦 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 3. Compute a bound on ulp error of 𝑓 : Θ 𝑣𝑚𝑞 = Θ 𝑠𝑓𝑚 /𝜗 Theorem ErrUlp 𝑏, 𝑐 ≤ ErrRel 𝑏, 𝑐 /𝜗 48 /146

  18. Standard Error Analysis • Example: 𝑔 𝑦 = 1 + 𝑦 over 𝑌 = [−0.1, 0.1] 𝑓 = 1 ⊕ 0.5 ⊗ 𝑦 ⟵ implementation of 𝑔 𝑦 2. Compute a bound on relative error of 𝑓 : 𝑔(𝑦)−𝐵 𝜀 𝑦 Θ 𝑠𝑓𝑚 = max 𝑔(𝑦) 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 1+𝑦− 1+ 0.5 × 𝑦 1+𝜀 1 1+𝜀 2 = max 1+𝑦 𝑦∈ −0.1,0.1 , 𝜀 1 ,𝜀 2 ∈ −𝜗,𝜗 3. Compute a bound on ulp error of 𝑓 : Θ 𝑣𝑚𝑞 = Θ 𝑠𝑓𝑚 /𝜗 Theorem ErrUlp 𝑏, 𝑐 ≤ ErrRel 𝑏, 𝑐 /𝜗 49 /146

  19. Standard Error Analysis: Limitation 50 /146

  20. Standard Error Analysis: Limitation Intel’s log 10 14 ⋮ ulp error based on standard input value error analysis error bounds from [PLDI’16] 51 /146

  21. Standard Error Analysis: Limitation Intel’s log 10 14 ⋮ ulp error 3 ulps based on standard input value error analysis error bounds from [PLDI’16] 1 ulp 52 /146

  22. Standard Error Analysis: Limitation Intel’s log 10 14 ⋮ ulp error 4095 4096 , 1 3 ulps based on standard input value error analysis error bounds from [PLDI’16] 1 ulp 53 /146

  23. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 54 /146

  24. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 55 /146

  25. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 56 /146

  26. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 57 /146

  27. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 58 /146

  28. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 59 /146

  29. Why the Loose Error Bound? • Floating-point operations are sometimes exact if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 = 0.125 × 𝑦 𝑦 ⊖ 1 0 = 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 • Standard error analysis constructs imprecise abstractions if 0.125𝑦 ≥ 2 −1022 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 0.125 ⊗ 𝑦 ⊑ 0.125 × 𝑦 (1 + 𝜀) 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 if 0.5 ≤ 𝑦 ≤ 2 𝑦 ⊖ 1 0 ⊑ 𝑦 − 1 (1 + 𝜀′) 60 /146

  30. Analysis of log 4095 • For 𝑦 ∈ 4096 , 1 , log computes 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 ≈ 𝑦 − 1 128 • and returns 𝑠 𝑦 − 1 2 𝑠 𝑦 2 + ⋯ + 1 7 𝑠 𝑦 7 • Roughly speaking, (precision loss of log ) ≥ (precision loss of 𝑠 𝑦 ) 61 /146

  31. Analysis of log 4095 • For 𝑦 ∈ 4096 , 1 , log computes 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 ≈ 𝑦 − 1 128 • and returns 𝑠 𝑦 − 1 2 𝑠 𝑦 2 + ⋯ + 1 7 𝑠 𝑦 7 • Roughly speaking, (precision loss of log ) ≥ (precision loss of 𝑠 𝑦 ) 62 /146

  32. Analysis of log 4095 • For 𝑦 ∈ 4096 , 1 , log computes 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 ≈ 𝑦 − 1 128 • and returns 𝑠 𝑦 − 1 2 𝑠 𝑦 2 + ⋯ + 1 7 𝑠 𝑦 7 • Roughly speaking, (precision loss of log ) ≥ (precision loss of 𝑠 𝑦 ) 63 /146

  33. Analysis of log 4095 • For 𝑦 ∈ 4096 , 1 , log computes 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 ≈ 𝑦 − 1 128 • and returns 𝑠 𝑦 − 1 2 𝑠 𝑦 2 + ⋯ + 1 7 𝑠 𝑦 7 • Roughly speaking, (precision loss of log ) ≥ (precision loss of 𝑠 𝑦 ) 64 /146

  34. Analysis of log 4095 • For 𝑦 ∈ 4096 , 1 , log computes 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 ≈ 𝑦 − 1 128 • and returns 𝑠 𝑦 − 1 2 𝑠 𝑦 2 + ⋯ + 1 7 𝑠 𝑦 7 • Roughly speaking, (precision loss of log ) ≥ (precision loss of 𝑠 𝑦 ) 65 /146

  35. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 66 /146

  36. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 67 /146

  37. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 68 /146

  38. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 69 /146

  39. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 70 /146

  40. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 71 /146

  41. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 128 ⊗ 1 255 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 • Bound on relative error of 𝑠 𝑦 : unbounded 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 72 /146

  42. Standard Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • Abstraction of 𝑠 𝑦 : 1 + 𝜀 0 − 255 × 1 𝐵 𝜀 𝑦 = 2 × 𝑦 1 + 𝜀 1 1 + 𝜀 2 + ⋯ 128 2 = 𝑦 − 1 + 𝑦 − 255 256 𝜀 1 + ⋯ 00000000000000 10 14 ulps for log near 𝑦 = 1 [PLDI’16] • Bound on relative error of 𝑠 𝑦 : unbounded 𝑦 − 255 𝐵 𝜀 𝑦 − (𝑦 − 1) 256 max ≥ max 𝜗 . . 𝑦 − 1 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀 𝑗 <𝜗 4096≤𝑦<1 73 /146

  43. Precise Analysis of log 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 𝐵′ 𝜀 𝑦 − (𝑦 − 1) 𝑦 − 1 max = max 𝑦 − 1 𝜗 . . 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀′ <𝜗 4096≤𝑦<1 0000000000000 = 𝜗 74 /146

  44. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 75 /146

  45. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 76 /146

  46. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 77 /146

  47. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 78 /146

  48. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • More precise abstraction of 𝑠 𝑦 : 𝐵′ 𝜀 𝑦 = 𝑦 − 1 + 𝑦 − 1 𝜀′ 79 /146

  49. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • More precise abstraction of 𝑠 𝑦 : 𝐵′ 𝜀 𝑦 = 𝑦 − 1 + 𝑦 − 1 𝜀′ • Tighter bound on relative error of 𝑠 𝑦 : 𝐵′ 𝜀 𝑦 − (𝑦 − 1) 𝑦 − 1 max = max 𝑦 − 1 𝜗 . . 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀′ <𝜗 4096≤𝑦<1 0000000000000 = 𝜗 80 /146

  50. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • More precise abstraction of 𝑠 𝑦 : 𝐵′ 𝜀 𝑦 = 𝑦 − 1 + 𝑦 − 1 𝜀′ • Tighter bound on relative error of 𝑠 𝑦 : 𝐵′ 𝜀 𝑦 − (𝑦 − 1) 𝑦 − 1 max = max 𝑦 − 1 𝜗 . . 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀′ <𝜗 4096≤𝑦<1 0000000000000 = 𝜗 We prove a bound of 0.583 ulps for log 81 /146

  51. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • More precise abstraction of 𝑠 𝑦 : To prove the 1 ulp error bound, 𝐵′ 𝜀 𝑦 = 𝑦 − 1 + 𝑦 − 1 𝜀′ • Need to construct more precise abstractions • Tighter bound on relative error of 𝑠 𝑦 : Need to use floating-point exactness results 𝐵′ 𝜀 𝑦 − (𝑦 − 1) 𝑦 − 1 max = max 𝑦 − 1 𝜗 . . 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀′ <𝜗 4096≤𝑦<1 0000000000000 = 𝜗 We prove a bound of 0.583 ulps for log 82 /146

  52. Precise Analysis of log exact 2 ⊗ 𝑦 ⊖ 255 ⊗ 1 255 128 ⊗ 1 4095 𝑠 𝑦 = 2 ⊕ 2 ⊖ 1 4096 ≤ 𝑦 < 1 128 • More precise abstraction of 𝑠 𝑦 : To prove the 1 ulp error bound, 𝐵′ 𝜀 𝑦 = 𝑦 − 1 + 𝑦 − 1 𝜀′ • Need to construct more precise abstractions • Tighter bound on relative error of 𝑠 𝑦 : • Need to use floating-point exactness results 𝐵′ 𝜀 𝑦 − (𝑦 − 1) 𝑦 − 1 max = max 𝑦 − 1 𝜗 . . 𝑦 − 1 4095 4095 4096≤𝑦<1, 𝜀′ <𝜗 4096≤𝑦<1 0000000000000 = 𝜗 We prove a bound of 0.583 ulps for log 83 /146

  53. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 • Example: 84 /146

  54. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 4095 • Example: log for 𝑦 ∈ 4096 , 1 85 /146

  55. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 4095 • Example: log for 𝑦 ∈ 4096 , 1 𝜌 𝜌 • Example: sin for 𝑦 ∈ 2𝜌 − 64 , 2𝜌 + 64 1. Compute 𝑧 = 𝑦 ⊖ 2𝜌 3! 𝑧 3 + ⋯ + 1 1 9! 𝑧 9 2. Return 𝑧 − ≈ 𝑡𝑗𝑜 𝑧 86 /146

  56. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 4095 • Example: log for 𝑦 ∈ 4096 , 1 𝜌 𝜌 • Example: sin for 𝑦 ∈ 2𝜌 − 64 , 2𝜌 + 64 1. Compute 𝑧 = 𝑦 ⊖ 2𝜌 3! 𝑧 3 + ⋯ + 1 1 9! 𝑧 9 2. Return 𝑧 − ≈ 𝑡𝑗𝑜 𝑧 87 /146

  57. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 4095 • Example: log for 𝑦 ∈ 4096 , 1 𝜌 𝜌 • Example: sin for 𝑦 ∈ 2𝜌 − 64 , 2𝜌 + 64 exact 1. Compute 𝑧 = 𝑦 ⊖ 2𝜌 3! 𝑧 3 + ⋯ + 1 1 9! 𝑧 9 2. Return 𝑧 − ≈ 𝑡𝑗𝑜 𝑧 88 /146

  58. Sterbenz’s Theorem • Theorem [Sterbenz, 1973] 1 2 𝑏 ≤ 𝑐 ≤ 2𝑏 ⟹ 𝑏 ⊖ 𝑐 = 𝑏 − 𝑐 4095 • Example: log for 𝑦 ∈ 4096 , 1 𝜌 𝜌 • Example: sin for 𝑦 ∈ 2𝜌 − 64 , 2𝜌 + 64 precision loss exact 1. Compute 𝑧 = 𝑦 ⊖ 2𝜌 of sin is small 3! 𝑧 3 + ⋯ + 1 1 9! 𝑧 9 2. Return 𝑧 − ≈ 𝑡𝑗𝑜 𝑧 89 /146

  59. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 90 /146

  60. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 91 /146

  61. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 92 /146

  62. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 93 /146

  63. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 94 /146

  64. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 95 /146

  65. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 true 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 96 /146

  66. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 true 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 97 /146

  67. Sterbenz’s Theorem • How to apply the theorem automatically? 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 true 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 98 /146

  68. Sterbenz’s Theorem • How to apply the theorem automatically? can apply 𝑓 ⊖ 𝑓 ′ ⊑ ? 𝑓 ⊖ 𝑓 ′ the theorem • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 true 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 99 /146

  69. Sterbenz’s Theorem • How to apply the theorem automatically? can apply 𝑓 ⊖ 𝑓 ′ ⊑ 𝐵 𝜀 𝑦 − 𝐵 ′ ? 𝑓 ⊖ 𝑓 ′ 𝜀 𝑦 the theorem • Construct: 𝑓 ⊑ 𝐵 𝜀 , 𝑓′ ⊑ 𝐵 ′ 𝜀 𝐵′ 𝜀 𝑦 − 1 • Check: ≥ 0 and min 2 𝐵 𝜀 𝑦 true 𝑦, 𝜀 • max 𝐵′ 𝜀 𝑦 − 2𝐵 𝜀 𝑦 ≤ 0 𝑦, 𝜀 1 2 𝐵 𝜀 𝑦 ≤ 𝐵 ′ ⟹ 𝜀 𝑦 ≤ 2𝐵 𝜀 𝑦 for all 𝑦 ∈ 𝑌 , all 𝜀 𝑗 < 𝜗 • Precondition of theorem: 1 2 𝑓 𝑦 ≤ 𝑓 ′ 𝑦 ≤ 2𝑓 𝑦 ⟹ for all 𝑦 ∈ 𝑌 100 /146

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness:

3/10/10 Proving Program Correctness The Axiomatic Approach What is Correctness? Correctness: partial correctness + termination Partial correctness: Program implements its specification 1 3/10/10 Proving Partial Correctness

420 views • 13 slides
08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

08Program Verification II CS 5209: Foundation in Logic and AI Martin Henz and Aquinas Hobor

Review Hoare Triples; Partial and Total Correctness Practical Aspects of Correctness Proofs Correctness of the Factorial Function Proof Calculus for Total Correctness 08Program Verification II CS 5209: Foundation in Logic and AI Martin

778 views • 39 slides
Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about

Program Correctness Assert formal correctness statements about cri4cal parts of a program and reason effec4vely A program is intended to carry out a

1.01k views • 57 slides
Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a

Reducing Total Correctness to Partial Correctness by a Transformation of the Language Semantics a 1 a 2 Sebastian Buruian S , tefan Ciob ac 1 Alexandru Ioan Cuza University Bitedefender 2 Alexandru Ioan Cuza University WPTE 2018

435 views • 21 slides
Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick

Proving Correctness of Graph Programs Relative to Recursively Nested Conditions Nils Erik Flick Universitt Oldenburg February 2017 Intro Correctness Results Rel. Work Conclusion Extras Outline Correctness and Graph Programs 1

354 views • 24 slides
Recalling Our Intro to the Course 1 The Program Correctness Problem ? Conventional models of

Recalling Our Intro to the Course 1 The Program Correctness Problem ? Conventional models of

Recalling Our Intro to the Course 1 The Program Correctness Problem ? Conventional models of using computers not easy to determine correctness! Has become a very important issue, not just in safety-critical apps. Components with

534 views • 36 slides
Correctness of Program Transformations as a Termination Problem Conrad Rau, David Sabel and

Correctness of Program Transformations as a Termination Problem Conrad Rau, David Sabel and

Correctness of Program Transformations as a Termination Problem Conrad Rau, David Sabel and Manfred Schmidt-Schau Goethe-University, Frankfurt am Main, Germany IJCAR 2012, Manchester, UK 1 Introduction &amp; Motivation Automate correctness

345 views • 34 slides
Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Proving Correctness of a KRK Chess Endgame Strategy by SAT-based Constraint Solving Marko

Introduction Reduction to SAT and URSA system Chess Endgame Strategies and Bratkos Strategy for KRK URSA Specification of KRK Endgame and of Strategy Correctness of Strategy Discussion and Conclusions Proving Correctness of a KRK Chess

390 views • 27 slides
Correctness of parallel programs Shaz Qadeer Research in

Correctness of parallel programs Shaz Qadeer Research in

Correctness of parallel programs Shaz Qadeer Research in So7ware Engineering CSEP 506 Spring 2011 Why is correctness important? So7ware development is

565 views • 30 slides
Program correctness and verification Programs should be: clear; efficient; robust; reliable;

Program correctness and verification Programs should be: clear; efficient; robust; reliable;

Program correctness and verification Programs should be: clear; efficient; robust; reliable; user friendly; well documented; . . . but first of all, CORRECT dont forget though: also, executable. . . Correctness

202 views • 19 slides
Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud

Machine-checked correctness and complexity of a Union-Find implementation Arthur Charguraud Franois Pottier December 16, 2015 1 / 1 Message Lets begin with a demo... Proving correctness and termination is not enough! 2 / 1

782 views • 17 slides
Recursion: Introduction and Correctness Lecture B Jones MWF 9-9:50am PCNYN 109 Lecture D

Recursion: Introduction and Correctness Lecture B Jones MWF 9-9:50am PCNYN 109 Lecture D

Recursion: Introduction and Correctness Lecture B Jones MWF 9-9:50am PCNYN 109 Lecture D Russell MWF 4-4:50am Center 101 http://cseweb.ucsd.edu/classes/sp16/cse21-bd/ April 11, 2016 Today's plan 1. What's recursion? 2. Correctness of

716 views • 40 slides
pytest Big Idea: You can write a function to test the correctness of another function! This is

pytest Big Idea: You can write a function to test the correctness of another function! This is

Testing with pytest Big Idea: You can write a function to test the correctness of another function! This is generally called unit testing in industry Helps you confirm correctness during development Helps you avoid accidentally

218 views • 9 slides
Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve

Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve

Week 4 Video 7 Memory Algorithms Is future correctness enough? Up until this point weve been talking about predicting future correctness But what if you forget it tomorrow? Another way to look at knowledge is how long will you

404 views • 15 slides
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof Wolfgang Goerigk Christian-Albrechts-Universit at zu Kiel, Germany wg@informatik.uni-kiel.de wg/

297 views • 28 slides
Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon

Causal Atomicity: Correctness conditions for weak memory Heike Wehrheim Joint work with Simon Doherty, Brijesh Dongol, John Derrick Paderborn University Germany Our interest Proving correctness of algorithms allowing seemingly atomic access

445 views • 19 slides
Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and

Practical Proof Systems for SAT and QBF Marijn J.H. Heule Dagstuhl Seminar on SAT and Interactions September 20, 2016 1/47 Introduction to SAT and QBF Proof Checking Clausal Proof Systems for SAT and QBF Abstract Proof System for SAT

924 views • 67 slides
Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay

Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay

Foundational Proof Certificates Making proof universal and permanent Dale Miller INRIA-Saclay &amp; LIX, Ecole Polytechnique 23 September 2013 Can we standardize, communicate, and trust formal proofs? Joint work with Zakaria Chihani and

864 views • 37 slides
Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT

Delegation with (nearly) optimal time/space overhead Justin Holmgren Ron Rothblum MIT MIT Verifiable Computation Verifiable Computation Verifiable Computation M(x)=? M(x) = y Verifiable Computation M(x)=? , challenge , proof

1.73k views • 119 slides
A Self-Verifying Theorem Prover Jared Davis (advertisement by J Strother Moore)

A Self-Verifying Theorem Prover Jared Davis (advertisement by J Strother Moore)

A Self-Verifying Theorem Prover Jared Davis (advertisement by J Strother Moore) Department of Computer Sciences University of Texas at Austin September 18, 2009 1 Theorem Prover ? Yes Proof Checker Yes No 2 Rules of

693 views • 40 slides
CUTKB at NTCIR-14 QALab-PoliInfo Task Toshiki Tomihira and Yohei Seki University of Tsukuba,

CUTKB at NTCIR-14 QALab-PoliInfo Task Toshiki Tomihira and Yohei Seki University of Tsukuba,

CUTKB at NTCIR-14 QALab-PoliInfo Task Toshiki Tomihira and Yohei Seki University of Tsukuba, Japan June 12 th , 2019@NTCIR-14 INDEX 1. Motivation 2. Classification task 3. Our approach 4. Evaluation results 5. Summary 1.Motivation

394 views • 24 slides
Decidability of distributed complexity of locally checkable problems on paths Alkida Balliu,

Decidability of distributed complexity of locally checkable problems on paths Alkida Balliu,

Decidability of distributed complexity of locally checkable problems on paths Alkida Balliu, Sebastian Brandt, Yi-Jun Chang, Dennis Olivetti, el Rabie , Jukka Suomela Mika ANR DESCARTES/ESTATE Tuesday, April 2 Mika el RABIE Decidability

971 views • 96 slides
Local Algorithms: Past, Present, Future Jukka Suomela Helsinki Institute for Information

Local Algorithms: Past, Present, Future Jukka Suomela Helsinki Institute for Information

Local Algorithms: Past, Present, Future Jukka Suomela Helsinki Institute for Information Technology HIIT University of Helsinki Wireless Networks and Mobile Computing Carleton University 2627 April 2011 www.hiit.fi/jukka.suomela/tut-2011

1.36k views • 114 slides
Degrees of Lookahead in Context-free Infinite Games Joint work with Wladimir Fridman and Christof

Degrees of Lookahead in Context-free Infinite Games Joint work with Wladimir Fridman and Christof

Degrees of Lookahead in Context-free Infinite Games Joint work with Wladimir Fridman and Christof L oding Martin Zimmermann RWTH Aachen University August 31st, 2011 Games Workshop 2011 Paris, France Martin Zimmermann RWTH Aachen

1.1k views • 68 slides

More recommend