Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul - - PowerPoint PPT Presentation

Verifying Bit-Manipulations

• f Floating-P
• int

Wonyeol Lee

Rahul Sharma Alex Aiken Stanford University PLDI 2016

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• 𝑓𝑦

mathematical specification

2

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• 𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

3

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• ≠

𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

4

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• ≠

how different?

𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

5

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• ≠

how different?

𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

6

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• ≠

how different?

𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

7

This Talk

• Example:
• Goal:

Bound the difference between spec and implementation

• Key contribution:

Verify binaries that mix floating-point and bit- level operations

• ≠

how different?

𝑓𝑦

floating-point implementation ... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... mathematical specification

8

• Example:
• Automatic reasoning about floating-point is not easy
• have rounding errors
• d
• Associativity:

1 + 1030 − 1030 = 1 ≠ 0 = (1 + 1030) − 1030

• It becomes much harder if bit-level operations are used

Floating-P

• int Numbers

9

1 01111111111 1100⋯00 (2) = −1 1 ∙ 21023−1023 ∙ 1.110 ⋯ 00(2)

• Example:
• Automatic reasoning about floating-point is not easy
• have rounding errors
• d
• Associativity:

1 + 1030 − 1030 = 1 ≠ 0 = (1 + 1030) − 1030

• It becomes much harder if bit-level operations are used

Floating-P

• int Numbers

10

1 01111111111 1100⋯00 (2) = −1 1 ∙ 21023−1023 ∙ 1.110 ⋯ 00(2)

• Example:
• Automatic reasoning about floating-point is not easy
• have rounding errors
• d
• Associativity:

1 + 1030 − 1030 = 1 ≠ 0 = (1 + 1030) − 1030

• It becomes much harder if bit-level operations are used

Floating-P

• int Numbers

11

1 01111111111 1100⋯00 (2) = −1 1 ∙ 21023−1023 ∙ 1.110 ⋯ 00(2)

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

12

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

13

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

14

expensive

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

works only for 0 ≤ 𝑂 ≤ 31

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

15

expensive

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

integer addition bit-shifting by 52

𝑂 [int] 𝑂 + 1023 [int] 00 ⋯ 0 [52 bits]

[12 bits]

works only for 0 ≤ 𝑂 ≤ 31

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

16

expensive

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

integer addition bit-shifting by 52

𝑂 [int] 𝑂 + 1023 [int] 00 ⋯ 0 [52 bits]

[12 bits]

2𝑂 [double]

works only for 0 ≤ 𝑂 ≤ 31

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

17

expensive

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

integer addition bit-shifting by 52

𝑂 [int] 𝑂 + 1023 [int] 00 ⋯ 0 [52 bits]

[12 bits]

2𝑂 [double]

works only for 0 ≤ 𝑂 ≤ 31 works for −1022 ≤ 𝑂 ≤ 1023

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

18

expensive

Bit-Level Operations

• Example:

Given 𝑂 (in int), compute 2𝑂 (in double)

• Such bit-manipulations are ubiquitous in highly optimized

floating-point implementations

• If a code mixes floating-point and bit-level operations,

reasoning about the code is difficult

integer addition bit-shifting by 52

𝑂 [int] 𝑂 + 1023 [int] 00 ⋯ 0 [52 bits]

[12 bits]

2𝑂 [double]

works only for 0 ≤ 𝑂 ≤ 31 works for −1022 ≤ 𝑂 ≤ 1023

1 [int] 2𝑂 [int] 2𝑂 [double]

bit-shifting by 𝑂 converting from int to double here 𝑂 = 10

19

expensive

Problem Statement

• Goal:

Find a small Θ > 0 such that

𝑔 𝑦 −𝑄 𝑦 𝑔(𝑦)

≤ Θ for all 𝑦 ∈ 𝑌

• i.e.,

prove a bound on the maximum precision loss

mathematical specification

𝑔: ℝ → ℝ

𝑓𝑦

20

Problem Statement

• Goal:

Find a small Θ > 0 such that

𝑔 𝑦 −𝑄 𝑦 𝑔(𝑦)

≤ Θ for all 𝑦 ∈ 𝑌

• i.e.,

prove a bound on the maximum precision loss

binary 𝑄 that mixes floating-point and bit-level operations mathematical specification

𝑔: ℝ → ℝ

𝑓𝑦

... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... vpslld vpshufd

21

Problem Statement

• Goal:

Find a small Θ > 0 such that

𝑔 𝑦 −𝑄 𝑦 𝑔(𝑦)

≤ Θ for all 𝑦 ∈ 𝑌

• i.e.,

prove a bound on the maximum precision loss

binary 𝑄 that mixes floating-point and bit-level operations mathematical specification

𝑔: ℝ → ℝ

𝑓𝑦

input range 𝑌 ⊆ ℝ

[−1, 1]

... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... vpslld vpshufd

22

Problem Statement

• Goal:

Find a small Θ > 0 such that

𝑔 𝑦 −𝑄 𝑦 𝑔(𝑦)

≤ Θ for all 𝑦 ∈ 𝑌

• i.e.,

prove a bound on the maximum precision loss

binary 𝑄 that mixes floating-point and bit-level operations mathematical specification

𝑔: ℝ → ℝ

𝑓𝑦

input range 𝑌 ⊆ ℝ

[−1, 1]

... vpslld $20, %xmm3, %xmm3 vpshufd $114, %xmm3, %xmm3 vmulpd C1, %xmm2, %xmm1 vmulpd C2, %xmm2, %xmm2 ... vpslld vpshufd

23

P

• ssible Alternatives
• Exhaustive testing
• feasible for 32-bit float:

~ 30 seconds (with 1 core for sinf)

• infeasible for 64-bit double:

> 4000 years (= 30 seconds × 232)

• infeasible even for input range X = −1, 1

∵ (# of doubles between −1 and 1) =

1 2 (# of all doubles)

• Machine-checkable proofs
• Harrison used

transcendental functions are very accurate [

]

• construction of these proofs often requires considerable

persistence

24

P

• ssible Alternatives
• Exhaustive testing
• feasible for 32-bit float:

~ 30 seconds (with 1 core for sinf)

• infeasible for 64-bit double:

> 4000 years (= 30 seconds × 232)

• infeasible even for input range X = −1, 1

∵ (# of doubles between −1 and 1) =

1 2 (# of all doubles)

• Machine-checkable proofs
• Harrison used

transcendental functions are very accurate [

]

• construction of these proofs often requires considerable

persistence

25

P

• ssible Alternatives
• Exhaustive testing
• feasible for 32-bit float:

~ 30 seconds (with 1 core for sinf)

• infeasible for 64-bit double:

> 4000 years (= 30 seconds × 232)

• infeasible even for input range X = −1, 1

∵ (# of doubles between −1 and 1) =

1 2 (# of all doubles)

• Machine-checkable proofs
• Harrison used

transcendental functions are very accurate [

]

• construction of these proofs often requires considerable

persistence

26

P

• ssible Alternatives
• Exhaustive testing
• feasible for 32-bit float:

~ 30 seconds (with 1 core for sinf)

• infeasible for 64-bit double:

> 4000 years (= 30 seconds × 232)

• infeasible even for input range X = −1, 1

∵ (# of doubles between −1 and 1) =

1 2 (# of all doubles)

• Machine-checkable proofs
• Harrison used

transcendental functions are very accurate [

]

• construction of these proofs often requires considerable

persistence.

27

P

• ssible Automatic Alternatives
• If only floating-point operations are used,

various automatic techniques can be applied

• e.g.,

Astree , Fluctuat , ROSA , FPTaylor

• Several commercial tools (e.g.,

Astree, Fluctuat) can handle certain bit-trick routines

• We are unaware of a general technique for verifying

mixed floating-point and bit-level code

28

P

• ssible Automatic Alternatives
• If only floating-point operations are used,

various automatic techniques can be applied

• e.g.,

Astree , Fluctuat , ROSA , FPTaylor

• Several commercial tools (e.g.,

Astree, Fluctuat) can handle certain bit-trick routines

• We are unaware of a general technique for verifying

mixed floating-point and bit-level code

29

Our Method

30

1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq

𝑓𝑦 Explained

31

1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq

𝑓𝑦 Explained

𝑂 = round 𝑦 ∙ log2 𝑓 𝑦

32

1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq

2𝑂

𝑓𝑦 Explained

𝑂 = round 𝑦 ∙ log2 𝑓 𝑦

33

1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq

𝑓𝑦 = 𝑓𝑂∙ln 2 ∙ 𝑓𝑠 ≈ 2𝑂 ∙ 𝑓𝑠 𝑓𝑠 ≈ ෍

𝑗=0 12 𝑠𝑗

𝑗! 𝑠 = 𝑦 − 𝑂 ∙ ln 2 2𝑂

𝑓𝑦 Explained

𝑂 = round 𝑦 ∙ log2 𝑓 𝑦

34

1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq

𝑓𝑦 = 𝑓𝑂∙ln 2 ∙ 𝑓𝑠 ≈ 2𝑂 ∙ 𝑓𝑠 𝑓𝑠 ≈ ෍

𝑗=0 12 𝑠𝑗

𝑗! 𝑠 = 𝑦 − 𝑂 ∙ ln 2 2𝑂

𝑓𝑦 Explained

𝑂 = round 𝑦 ∙ log2 𝑓 𝑦

Goal: Find a small Θ > 0 such that

𝑓𝑦−2𝑂𝑓𝑠 𝑓𝑦

≤ Θ for all 𝑦 ∈ 𝑌

35

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

1) Abstract Floating-P

• int Operations

36

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

1) Abstract Floating-P

• int Operations

37

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

38

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

39

𝑦⨂𝑧

1

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

40

𝑦⨂𝑧

1

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

41

𝑦 ⨂f 𝑧 𝑦⨂𝑧

1

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

42

𝑦 ⨂f 𝑧 𝑦⨂𝑧

1

𝜗

• Assume only floating-point operations are used
• 1 + 𝜗

property

• A standard way to model rounding errors
• For 64-bit doubles,

𝜗 = 2−53

• This property has been used in previous automatic techniques

(FPTaylor

• point programs

𝑦 ⨂f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗

1) Abstract Floating-P

• int Operations

43

𝑦 ⨂f 𝑧 𝑦⨂𝑧

1

𝜗

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

44

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

45

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

46

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

47

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × +

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

48

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × +

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

1) Abstract Floating-P

• int Operations

49

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × +

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 ∶ 𝜀1 , 𝜀2 < 𝜗

1) Abstract Floating-P

• int Operations

50

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × +

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 ∶ 𝜀1 , 𝜀2 < 𝜗

1) Abstract Floating-P

• int Operations

51

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × + + ×

} {

• Compute a symbolic abstraction 𝐵𝜀 𝑦
• f a program 𝑄
• Example:
• F

rom 1 + 𝜗 property, 𝐵𝜀 𝑦 satisfies

𝑄 𝑦 ∈ 𝐵𝜀 𝑦 ∶ 𝜀𝑗 < 𝜗 for all 𝑦

• Example:

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 ∶ 𝜀1 , 𝜀2 < 𝜗

1) Abstract Floating-P

• int Operations

52

𝑄 𝑦 = 2 ×f 𝑦 1 + 𝜀1 +f 3 1 + 𝜀2 𝐵𝜀 𝑦 × + + × ∈

} {

Our Method: Overview

𝑌 −1 1 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 53

Our Method: Overview

𝑌 −1 1 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 54

Our Method: Overview

𝑌 −1 1 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 55

Our Method: Overview

𝑌 −1 1 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 56

hard to find

Our Method: Overview

𝑌 −1 1 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 57

hard to find abstract using n

Our Method: Overview

𝑌 −1 1 𝐽1 𝐽2 𝐽𝑜 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 58

hard to find abstract using n

Our Method: Overview

𝑌 −1 1 𝐽1 𝐽2 𝐽𝑜 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 59

hard to find abstract using n

Our Method: Overview

𝑌 −1 1 𝐽1 𝐽2 𝐽𝑜 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

60

hard to find abstract using n

Our Method: Overview

𝑌 −1 1 𝐽1 𝐽2 𝐽𝑜 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

61

hard to find

• nly floating-point
• perations

abstract using n

Our Method: Overview

𝐵1,𝜀(𝑦) 𝐵𝑜,𝜀(𝑦) 𝐵2,𝜀(𝑦) 𝑌 −1 1 𝐽1 𝐽2 𝐽𝑜 𝑄(𝑦)

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

62

hard to find

• nly floating-point
• perations

abstract using n

Our Method: Overview

𝐵1,𝜀(𝑦) 𝐵𝑜,𝜀(𝑦) 𝐵2,𝜀(𝑦) 𝐽1 𝐽2 𝐽𝑜

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

63

Our Method: Overview

𝐽1 𝐽2 𝐽𝑜

𝑔 𝑦 − 𝐵1,𝜀 𝑦 𝑔(𝑦) 𝑔 𝑦 − 𝐵𝑜,𝜀 𝑦 𝑔(𝑦)

𝐵1,𝜀(𝑦) 𝐵𝑜,𝜀(𝑦) 𝐵2,𝜀(𝑦) 𝐽1 𝐽2 𝐽𝑜

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

64

Our Method: Overview

𝐽1 𝐽2 𝐽𝑜

𝑔 𝑦 − 𝐵1,𝜀 𝑦 𝑔(𝑦) 𝑔 𝑦 − 𝐵𝑜,𝜀 𝑦 𝑔(𝑦)

solve optimization problems

𝐵1,𝜀(𝑦) 𝐵𝑜,𝜀(𝑦) 𝐵2,𝜀(𝑦) 𝐽1 𝐽2 𝐽𝑜

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

65

max max

Our Method: Overview

𝐽1 𝐽2 𝐽𝑜

𝑔 𝑦 − 𝐵1,𝜀 𝑦 𝑔(𝑦) 𝑔 𝑦 − 𝐵𝑜,𝜀 𝑦 𝑔(𝑦)

answer!

solve optimization problems

𝐵1,𝜀(𝑦) 𝐵𝑜,𝜀(𝑦) 𝐵2,𝜀(𝑦) 𝐽1 𝐽2 𝐽𝑜

... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ...

1 3 𝒐 𝟑𝒐 + 𝟐 partial evaluation

• f bit-level operations

66

max max

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

2) Divide the Input Range

67

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

2) Divide the Input Range

68

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌

69

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

70

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

71

𝐽1 𝐽0 𝑌 −1 1 𝐽−1

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

72

𝐽1 𝐽0 𝑌 −1 1

−1

𝐽−1

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

73

𝐽1 𝐽0 𝑌 −1 1

−1 partial evaluation input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← −1 z ← 1022 w ← 0.5 ...

𝐽−1

• Assume bit-level operations are used as well
• To handle bit-level operations,

divide 𝑌 into intervals 𝐽𝑙, so that,

• n each 𝐽𝑙,

we can statically know the result of each bit-level operation

• Example:

input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← round(y) z ← int(N) +i 0x3ff w ← z << 52 ...

2) Divide the Input Range

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

74

𝐽1 𝐽0 𝑌 −1 1

−1 partial evaluation input x y ← x ×f C

(C= 0x3ff71547652b82fe)

N ← −1 z ← 1022 w ← 0.5 ...

Only floating-point operations are left

→ Can compute 𝐵𝜀 𝑦

• n each 𝐽𝑙

𝐽−1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

75

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

76

−1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

77

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

78

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

79

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

80

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑦 ×f C

81

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑦 ×f C 𝑙 − 0.5 𝑙 + 0.5

82

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑦 ×f C 𝑙 − 0.5 𝑙 + 0.5

83

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

𝑂 = 𝑙

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑦 ×f C 𝑙 − 0.5 𝑙 + 0.5

84

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

𝑂 = 𝑙

2) Divide the Input Range

• How to find such intervals?
• Use symbolic abstractions
• Example:
• 𝑂 = round 𝑦 ×f C
• (symbolic abstraction of 𝑦 ×f C) = 𝑦 × C 1 + 𝜀
• Let 𝐽𝑙 = largest interval contained in

𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5

• Then 𝑂 is evaluated to 𝑙 for every input in 𝐽𝑙

𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑦 ×f C 𝑙 − 0.5 𝑙 + 0.5

85

𝑂 = −1 𝑂 = 0 𝑂 = 1 −1 1 𝑌 𝐽−1 𝐽0 𝐽1

𝑂 = 𝑙

3) Compute a Bound on Precision Loss

• Precision loss on each interval 𝐽𝑙
• Let 𝐵𝜀 𝑦

be a symbolic abstraction on 𝐽𝑙

• Analytical optimization:

max

𝑦∈𝐽𝑙, |𝜀𝑗|<𝜗 𝑓𝑦−𝐵𝜀 𝑦 𝑓𝑦

• Use Mathematica to solve optimization problems analytically

86

3) Compute a Bound on Precision Loss

• Precision loss on each interval 𝐽𝑙
• Let 𝐵𝜀 𝑦

be a symbolic abstraction on 𝐽𝑙

• Analytical optimization:

max

𝑦∈𝐽𝑙, |𝜀𝑗|<𝜗 𝑓𝑦−𝐵𝜀 𝑦 𝑓𝑦

• Use Mathematica to solve optimization problems analytically

87

• No.

The constructed intervals do not cover 𝑌 in general

• Because we made sound approximations

Are We Done?

−1 1

input range 𝑌

𝐽−1 𝐽0 𝐽1

88

• No.

The constructed intervals do not cover 𝑌 in general

• Because we made sound approximations

Are We Done?

−1 1

input range 𝑌

𝐽−1 𝐽0 𝐽1

89

floating-point numbers

• No.

The constructed intervals do not cover 𝑌 in general

• Because we made sound approximations

Are We Done?

−1 1

input range 𝑌

𝐽−1 𝐽0 𝐽1

90

floating-point numbers between intervals

• No.

The constructed intervals do not cover 𝑌 in general

• Because we made sound approximations

Are We Done?

−1 1

input range 𝑌

𝐽−1 𝐽0 𝐽1

91

floating-point numbers between intervals

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

0.5 1

92

: abstraction of 𝑦 ×f 𝐷

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

0.5 1

93

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷)

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

0.5 1

94

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷)

𝑂 = 0 𝑂 = 1

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

0.5 1

95

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(2𝐷)

𝑂 = 0 𝑂 = 1

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

𝑦 ×f 𝐷 0.5 1

? ? ? ? ? ?

96

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(2𝐷)

𝑂 = 0 𝑂 = 1

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

𝑦 ×f 𝐷 0.5 1

? ? ? ? ? ?

97

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(2𝐷)

𝑂 = 0 𝑂 = 1

• Example:

𝑂 = round 𝑦 ×f 𝐷

For 𝑦 =

1 2𝐷 ,

𝑂 would be 0 or 1

• Let 𝐼 = {floating-
• We observe that |𝐼| is small in experiment

Are We Done?

𝑦 ×f 𝐷 0.5 1

? ? ? ? ? ?

98

: abstraction of 𝑦 ×f 𝐷

𝑦 = 1/(3𝐷) 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(2𝐷)

𝑂 = 0 𝑂 = 1

3) Compute a Bound on Precision Loss

• Precision loss on each interval 𝐽𝑙
• Let 𝐵𝜀 𝑦

be a symbolic abstraction on 𝐽𝑙

• Analytical optimization:

max

𝑦∈𝐽𝑙, |𝜀𝑗|<𝜗 𝑓𝑦−𝐵𝜀 𝑦 𝑓𝑦

• Use Mathematica to solve optimization problems analytically
• Precision loss on 𝐼
• For each 𝑦 ∈ 𝐼,
• btain 𝑄 𝑦 by executing the binary
• Brute force:

max

𝑦∈𝐼 𝑓𝑦−𝑄 𝑦 𝑓𝑦

• Use Mathematica to compute 𝑓𝑦 and precision loss exactly

99

3) Compute a Bound on Precision Loss

• Precision loss on each interval 𝐽𝑙
• Let 𝐵𝜀 𝑦

be a symbolic abstraction on 𝐽𝑙

• Analytical optimization:

max

𝑦∈𝐽𝑙, |𝜀𝑗|<𝜗 𝑓𝑦−𝐵𝜀 𝑦 𝑓𝑦

• Use Mathematica to solve optimization problems analytically
• Precision loss on 𝐼
• For each 𝑦 ∈ 𝐼,
• btain 𝑄 𝑦 by executing the binary
• Brute force:

max

𝑦∈𝐼 𝑓𝑦−𝑄 𝑦 𝑓𝑦

• Use Mathematica to compute 𝑓𝑦 and precision loss exactly

take maximum

→ answer!

100

Case Studies

101

Settings

• Benchmarks
• exp:

from S3D (a combustion simulation engine)

• sin,

log: from

<math.h>

• Measures of precision loss
• Relative error:

RelErr(𝑏, 𝑐) =

𝑏−𝑐 𝑏

• ULP error:
• Rounding errors of numeric libraries are typically measured by ULPs
• ULPErr 𝑏, 𝑐 = (# of floating-point numbers between 𝑏 and 𝑐)
• Example:
• ULPErr 𝑏, 𝑐 ≤ 2 ∙ RelErr(𝑏, 𝑐)/𝜗

102

Settings

• Benchmarks
• exp:

from S3D (a combustion simulation engine)

• sin,

log: from

<math.h>

• Measures of precision loss
• Relative error:

RelErr(𝑏, 𝑐) =

𝑏−𝑐 𝑏

• ULP error:
• Rounding errors of numeric libraries are typically measured by ULPs
• ULPErr 𝑏, 𝑐 = (# of floating-point numbers between 𝑏 and 𝑐)
• Example:
• ULPErr 𝑏, 𝑐 ≤ 2 ∙ RelErr(𝑏, 𝑐)/𝜗

103

5 ULPs

𝑏 𝑐

Results

Interval Bound on ULP error # of intervals # of

𝜀

Size of

exp [−4, 4] 14 13 29 36 sin − 𝜌 2 , 𝜌 2 9 33 53 110 log (0,4) ∖ 4095 4096 , 1 21 221 25 4095 4096 , 1 1 × 1014 1 25

104

Results

Interval Bound on ULP error # of intervals # of

𝜀

Size of

exp [−4, 4] 14 13 29 36 sin − 𝜌 2 , 𝜌 2 9 33 53 110 log (0,4) ∖ 4095 4096 , 1 21 221 25 4095 4096 , 1 1 × 1014 1 25

105

best illustrates the power of our method

Results: sin, log

x-axis: input value y-axis: ULP error

bounds on the intervals

sin log

106 1014

⋮

Results: sin, log

x-axis: input value y-axis: ULP error

bounds on the intervals

sin log

107 1014

⋮

Limitations of Our Method

• May construct a large number of intervals
• Example:

0x5fe6eb50c7b537a9 – (x >> 1)

• For this example,
• ur method constructs 263 intervals
• May produce loose error bounds
• Example:

1014 ULPs for log on

4095 4096 , 1

• Sometimes 1 + 𝜗

property provides an imprecise abstraction

• Proving a precise error bound requires more sophisticated

error analysis beyond 1 + 𝜗 property

• Our recent result:

6 ULPs for for log on 0,4

108

Limitations of Our Method

• May construct a large number of intervals
• Example:

0x5fe6eb50c7b537a9 – (x >> 1)

• For this example,
• ur method constructs 263 intervals
• May produce loose error bounds
• Example:

1014 ULPs for log on

4095 4096 , 1

• Sometimes 1 + 𝜗

property provides an imprecise abstraction

• Proving a precise error bound requires more sophisticated

error analysis beyond 1 + 𝜗 property

• Our recent result:

6 ULPs for for log on 0,4

109

Summary

• First systematic method for verifying binaries

that mix floating-point and bit-level operations

• Use abstraction,

analytical optimization, and testing

• Directly applicable to highly optimized binaries
• f transcendental functions

110

Questions?

111