SMT SMT-LIB Theory of Floating-Point Conclusions An Automatable Formal Semantics for IEEE-754 Floating-Point Arithmetic Martin Brain , Cesare Tinelli, Philipp R¨ ummer, Thomas Wahl (and the rest of the SMT community) University of Oxford June 24, 2015
SMT SMT-LIB Theory of Floating-Point Conclusions Hasn’t this been done before? Isabelle A formal model of IEEE floating point arithmetic HOL Interpretation of IEEE-854 floating-point standard and definition in the HOL system. HOL Light Floating point verification in HOL light: The exponential function (Intel) ACL2 A mechanically checked proof of the AMD5K86TM floating-point division program (AMD and Centaur) PVS Defining the IEEE-854 floating-point standard in PVS Coq A generic library for floating-point numbers and its application to exact computing Coq Floating-point arithmetic in the Coq system Coq Flocq: A Unified Library for Proving Floating-point Algorithms in Coq
SMT SMT-LIB Theory of Floating-Point Conclusions Hasn’t this been done before? Isabelle A formal model of IEEE floating point arithmetic HOL Interpretation of IEEE-854 floating-point standard and definition in the HOL system. HOL Light Floating point verification in HOL light: The exponential function (Intel) ACL2 A mechanically checked proof of the AMD5K86TM floating-point division program (AMD and Centaur) PVS Defining the IEEE-854 floating-point standard in PVS Coq A generic library for floating-point numbers and its application to exact computing Coq Floating-point arithmetic in the Coq system Coq Flocq: A Unified Library for Proving Floating-point Algorithms in Coq ... there is another way to think about theorem-proving ...
SMT SMT-LIB Theory of Floating-Point Conclusions Is there an x and y such that ... 0 < x 0 < y x + y < x
SMT SMT-LIB Theory of Floating-Point Conclusions Is there an x and y such that ... 0 ♣ x 0 ♣ y x ♠ y ♣ x
SMT SMT-LIB Theory of Floating-Point Conclusions Is there an x and y such that ... 0 ♣ x 0 ♣ y x ♠ y ♣ x It depends on the interpretation (of ♣ and ♠ )! D = Z � ♣ � = < Z � ♠ � = + Z NO!
SMT SMT-LIB Theory of Floating-Point Conclusions Is there an x and y such that ... 0 ♣ x 0 ♣ y x ♠ y ♣ x It depends on the interpretation (of ♣ and ♠ )! D = { 00 , 01 , 10 , 11 } � ♣ � = bvult � ♠ � = bvplus Yes ( x = 01, y = 11)
SMT SMT-LIB Theory of Floating-Point Conclusions First Order Logic Syntax Semantics Fix a signature Σ An interpretation is M = ( D , � . � : Σ → (2 D n )) (i.e. Σ = {♣ , ♠} ) Satisfiability An interpretation M satisfies a formula φ : M | = φ If φ evaluated over D (using � . � ) is true.
SMT SMT-LIB Theory of Floating-Point Conclusions How Do We Fix The Meaning of Symbols? Option 1 – Axiomatic M | = Axioms ⇒ φ = ∀ a , b , c � a ♣ b ∧ b ♣ c ⇒ a ♣ c Axioms = ∀ a � ¬ a ♣ a . . . Formalisation is solver INPUT . Pros Cons + Easy to implement - All formulae quantified + Flexible - Axioms not always simple + Can add theorems - Hard to solve
SMT SMT-LIB Theory of Floating-Point Conclusions How Do We Fix The Meaning of Symbols? Option 2 – Algebraic Fix signature Σ ′ and its interpretation M ′ = ( D , � . � : Σ ′ → (2 D n )). D = Z � ♣ � = < Z � ♠ � = + Z Is there M extension of M ′ such that: M | = φ Formalisation is solver SPECIFICATION . Pros Cons + Fast decision procedures - Theory has to be built into solver + Counter-examples - Implementation harder + Few quantifiers
SMT SMT-LIB Theory of Floating-Point Conclusions How Do We Fix The Meaning of Symbols? Option 2 – Algebraic Fix signature Σ ′ and its interpretation M ′ = ( D , � . � : Σ ′ → (2 D n )). D = Z � ♣ � = < Z � ♠ � = + Z Is there M extension of M ′ such that: M | = φ Formalisation is solver SPECIFICATION . Pros Cons + Fast decision procedures - Theory has to be built into solver + Counter-examples - Implementation harder + Few quantifiers
SMT SMT-LIB Theory of Floating-Point Conclusions SAT Modulo Theory (SMT) The major school of algebraic solvers. Theories = specifications of (sets of) interpretations. SMT-LIB : international standard for SMT solvers. Mature implementations : CVC4, Z3, MathSAT, Yices, STP, Boolector, OpenSMT, ... Near ubiquitous in software verification.
SMT SMT-LIB Theory of Floating-Point Conclusions SMT 1 SMT-LIB Theory of Floating-Point 2 Conclusions 3
SMT SMT-LIB Theory of Floating-Point Conclusions Requirements Principles Bit-Exact Must do exactly what the hardware does Precise Gives SAT / UNSAT (ideally with model / proof) Automated Ideally fast and “out of the box” Flexible Support different decision procedures Target Applications Path feasibility / test-case generation Generation of special values Numerical instability Undefined behaviour Hardware verification Functional correctness Automated numerical analysis
SMT SMT-LIB Theory of Floating-Point Conclusions IEEE-754 2008
SMT SMT-LIB Theory of Floating-Point Conclusions Level 1 : Extended Reals R ∗ = R ∪ { + ∞ , −∞ , NaN } (partially ordered, additive and multiplicative commutative monoid with the distributivity property) + ∞ � w ⇔ w = + ∞ u + NaN = NaN + u = NaN w � −∞ ⇔ w = −∞ − NaN = NaN − (+ ∞ ) = −∞ u · NaN = NaN · u = NaN − ( −∞ ) = + ∞ NaN − 1 + ∞ − 1 = NaN = 0 −∞ − 1 ⇔ u = NaN NaN � u = 0 0 − 1 u � NaN ⇔ u = NaN = + ∞ . . .
SMT SMT-LIB Theory of Floating-Point Conclusions Level 2(ish) : Domain = F ε,σ ∪ { NaN } F ε,σ = FZ ε,σ ∪ FS ε,σ ∪ FN ε,σ ∪ FI ε,σ F ε,σ FZ ε,σ = { ( s , e , m ) ∈ B ε,σ | e = 0 ε , m = 0 σ − 1 } = { ( s , e , m ) ∈ B ε,σ | e = 0 ε , m � = 0 σ − 1 } FS ε,σ FN ε,σ = { ( s , e , m ) ∈ B ε,σ | e � = 1 ε , e � = 0 ε } FI ε,σ = { ( s , e , m ) ∈ B ε,σ | e = 1 ε , m = 0 σ − 1 } v ε,σ : F ε,σ → R ∗
SMT SMT-LIB Theory of Floating-Point Conclusions IEEE-754 2008 again
SMT SMT-LIB Theory of Floating-Point Conclusions Upper and Lower Adjoints + ∞ + Inf +0 0 − 0 − Inf −∞
SMT SMT-LIB Theory of Floating-Point Conclusions Upper and Lower Adjoints + ∞ v + Inf v +0 0 − 0 v − Inf v −∞
SMT SMT-LIB Theory of Floating-Point Conclusions Upper and Lower Adjoints + ∞ v + Inf v v v +0 0 − 0 v − Inf v −∞
SMT SMT-LIB Theory of Floating-Point Conclusions Rounding is (Just) Selecting Between Adjoints! rnd ( v , mode , sz , r ) = v ( r ) or v ( r ) This allows us to round to any format of float, bit-vectors, Z , integer valued floats, ...
SMT SMT-LIB Theory of Floating-Point Conclusions Operations add ε,σ ( rm , f , g ) = rnd ( v , rm , addSign ( rm , f , g ) , v ( f ) + v ( g )) sub ε,σ ( rm , f , g ) = rnd ( v , rm , subSign ( rm , f , g ) , v ( f ) − v ( g )) mul ε,σ ( rm , f , g ) = rnd ( v , rm , xorSign ( f , g ) , v ( f ) ∗ v ( g )) div ǫ,σ ( rm , f , g ) = � neg ε,σ ( rnd ( v , rm , ⊤ , − ( v ( f ) / v ( g )))) xorSign ( f , g ) rnd ( v , rm , ⊥ , v ( f ) / v ( g )) ¬ xorSign ( f , g ) fma ε,σ ( rm , f , g , h ) = rnd ( v , rm , fmaSign ( rm , f , g , h ) , ( v ( f ) ∗ v ( g )) + v ( h ))
SMT SMT-LIB Theory of Floating-Point Conclusions Limitations and Omissions No decimal floats Only one NaN (no signaling / quiet, no payload) No exceptions No attributes No trigonometric functions
SMT SMT-LIB Theory of Floating-Point Conclusions Implementations Bit-blast ACDL Axiomatic CVC4 ( � ) ( � ) Z3 � MathSAT � � Sonolar � Alt-Ergo ( � ) CBMC �
SMT SMT-LIB Theory of Floating-Point Conclusions SMT 1 SMT-LIB Theory of Floating-Point 2 Conclusions 3
SMT SMT-LIB Theory of Floating-Point Conclusions Help Needed! Correctness Examples (edge cases, tests, challenge problems) “Diamond free” circuits (multiply, divide, shift, float add, normalise) Elementary functions Floating-point remainder
SMT SMT-LIB Theory of Floating-Point Conclusions Conclusions 1 Formalisation as input (axiomatic) vs. formalisation as specification (algebraic) 2 Rounding as choice of adjoints. 3 Have a specification (and implementations) of an SMT-LIB standard of floating-point.
SMT SMT-LIB Theory of Floating-Point Conclusions Conclusions 1 Formalisation as input (axiomatic) vs. formalisation as specification (algebraic) 2 Rounding as choice of adjoints. 3 Have a specification (and implementations) of an SMT-LIB standard of floating-point. Thank you for your time and attention. Made using only Free Software
Recommend
More recommend
