Floating point verification in HOL Light: the exponential function
Slide 1: Floating point verification in HOL Light: the exponential function

John Harrison, University of Cambridge, December 1997

  • Introduction
  • Floating point correctness
  • Our implementation language
  • The algorithm
  • Outline of the HOL proof
  • General conclusions
Slide 2: Introduction

  • Floating point algorithms are fairly small, but often complicated mathematically.
  • There have been errors in commercial systems, e.g. the Pentium FDIV bug in 1994.
  • In the case of transcendental functions it's difficult even to say what correctness means.
  • Verification using model checkers is difficult because of the need for mathematical apparatus.
  • It can even be difficult using theorem provers since not many of them have good theories of real numbers etc.
Slide 3: Floating point correctness

We want to specify the correctness according to the following diagram (a commutative square in the original: v is the valuation taking a floating point number to the real it denotes, EXP is the algorithm and exp the real exponential function):

        a    ----- v ---->   v(a)
        |                     |
       EXP                   exp
        |                     |
        v                     v
     EXP(a)  ----- v ---->   v(EXP(a))   compared with   exp(v(a))

We measure the difference between v(EXP(a)) and exp(v(a)) in `units in the last place' of EXP(a).
Slide 4: Our implementation language

This includes the following constructs:

    command = variable := expression
            | command ; command
            | if expression then command else command
            | if expression then command
            | while expression do command
            | do command while expression
            | skip
            | { expression }

We define a simple relational semantics in HOL, and derive weakest preconditions and total correctness rules. We then prove total correctness via VC generation. The idea is that this language can be formally linked to C, Verilog, Handel, ...
Slide 5: The algorithm

The algorithm we verify is taken from a paper by Tang in ACM Transactions on Mathematical Software, 1989. Similar techniques are widely used for floating point libraries, and, probably, for hardware implementations.

The algorithm relies on a table of precomputed constants. Tang's paper gives actual values as hex representations of IEEE numbers.

The algorithm works in three phases:

  • Perform range reduction
  • Use polynomial approximation
  • Reconstruct answer using tables

The correctness proof reflects this.
Slide 6: Code for the algorithm

    if Isnan(X) then E := X
    else if X == Plus_infinity then E := Plus_infinity
    else if X == Minus_infinity then E := Plus_zero
    else if abs(X) > THRESHOLD_1 then
      if X > Plus_zero then E := Plus_infinity else E := Plus_zero
    else if abs(X) < THRESHOLD_2 then E := Plus_one + X
    else
      (N := INTRND(X * Inv_L);
       N2 := N % Int_32;
       N1 := N - N2;
       if abs(N) >= Int_2e9 then
         R1 := (X - Tofloat(N1) * L1) - Tofloat(N2) * L1
       else
         R1 := X - Tofloat(N) * L1;
       R2 := Tofloat(--N) * L2;
       M := N1 / Int_32;
       J := N2;
       R := R1 + R2;
       Q := R * R * (A1 + R * A2);
       P := R1 + (R2 + Q);
       S := S_Lead(J) + S_Trail(J);
       E1 := S_Lead(J) + (S_Trail(J) + S * P);
       E := Scalb(E1,M))
Slide 7: Structure of the HOL proof

The original slide is a dependency diagram; its layers, from the bottom up, are:

  • Real numbers, the foundation of everything else.
  • Built on the real numbers: the programming language semantics, the IEEE specification, and real analysis. Real analysis in turn supports squarefree decomposition and Sturm's theorem.
  • Built on the language and the IEEE specification: the algorithm itself and the floating point (FP) lemmas.
  • The verification, which draws on the algorithm, the FP lemmas and the real analysis results.
Slide 8: Floating point lemmas (1)

We define the error error(x) resulting from rounding a real number x to a floating point value. Because of the regular way in which the operations are defined, all the operations then relate to their abstract mathematical counterparts according to the same pattern:

    |- Finite(a) ∧ Finite(b) ∧ abs(Val(a) + Val(b)) < threshold(float_format)
       ⇒ Finite(a + b) ∧
          (Val(a + b) = (Val(a) + Val(b)) + error(Val(a) + Val(b)))

The comparisons are even more straightforward:

    |- Finite(a) ∧ Finite(b) ⇒ (a < b = Val(a) < Val(b))
Slide 9: Floating point lemmas (2)

We have several lemmas quantifying the error, e.g.

    |- abs(x) < threshold(float_format) ∧ abs(x) < (&2 pow j / &2 pow 125)
       ⇒ abs(error(x)) <= &2 pow j / &2 pow 150

There are many important situations, however, where the operations are exact, because the result is exactly representable, e.g. subtraction of nearby values with the same sign:

    |- Finite(a) ∧ Finite(b) ∧ &2 * abs(Val(a) - Val(b)) <= abs(Val(a))
       ⇒ Finite(a - b) ∧ (Val(a - b) = Val(a) - Val(b))

This is a classic result in floating point error analysis.
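The two lemma families on slides 8 and 9 (the bound on error(x), and the exact-subtraction lemma), checked numerically as an added example that is not part of the original slides or of the HOL development. Single precision, which is what the constants 2^125 and 2^150 on slide 9 correspond to (a 24-bit significand: below 2^(j-125) the exponent is at most j-126, an ulp is 2^(j-149) and half an ulp is 2^(j-150)), is simulated by rounding doubles through struct, and every error and difference is computed exactly with Fraction so that rationals, not floats, are compared. The function names and the sample inputs are my own; j is a natural number, as in the HOL statement, and the overflow hypothesis abs(x) < threshold(float_format) is modelled by the OverflowError that struct raises beyond the single range.

```python
import math
import struct
from fractions import Fraction


def round_to_single(x):
    """Round a Python float (an IEEE double) to the nearest IEEE single, ties
    to even, via struct.  A value beyond the single range raises OverflowError,
    which plays the role of the threshold(float_format) hypothesis."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def rounding_error(x):
    """error(x) from the slides: fl(x) - x, computed exactly as a rational."""
    return Fraction(round_to_single(x)) - Fraction(x)


def smallest_j(x):
    """Smallest natural j with |x| < 2^j / 2^125, i.e. the tightest instance
    of the error-bound lemma for this x (frexp gives |x| = m 2^e, 1/2 <= m < 1)."""
    _, e = math.frexp(x)
    return max(0, e + 125)


def error_bound_holds(x, j):
    """Lemma: abs(x) < 2^j / 2^125  ==>  abs(error(x)) <= 2^j / 2^150."""
    if not abs(Fraction(x)) < Fraction(2) ** (j - 125):
        return True                      # hypothesis false: lemma is vacuous
    return abs(rounding_error(x)) <= Fraction(2) ** (j - 150)


def single_difference(a, b):
    """fl(a - b) in single precision for singles a and b.  The double
    subtraction is checked to be exact, so exactly one rounding happens."""
    d = a - b
    if Fraction(d) != Fraction(a) - Fraction(b):
        raise ValueError("a - b is not exact in a double; widen the arithmetic")
    return round_to_single(d)


def sterbenz_hypothesis(a, b):
    """Hypothesis of the exact-subtraction lemma: 2 * |Val a - Val b| <= |Val a|."""
    return 2 * abs(Fraction(a) - Fraction(b)) <= abs(Fraction(a))


def subtraction_is_exact(a, b):
    """Conclusion of the lemma: Val(a - b) = Val(a) - Val(b)."""
    return Fraction(single_difference(a, b)) == Fraction(a) - Fraction(b)


# Constructed sample inputs: doubles standing in for the reals x of the lemma.
SAMPLE_REALS = [0.1, math.pi, 1e-30, 12345.678, -2.5e-7, 1.0]


def check_error_bound_on_samples():
    """True when every sample satisfies the lemma at its tightest j."""
    return all(error_bound_holds(x, smallest_j(x)) for x in SAMPLE_REALS)


if __name__ == "__main__":
    for x in SAMPLE_REALS:
        print(x, "j =", smallest_j(x), "error =", float(rounding_error(x)))
    print("bound holds on samples:", check_error_bound_on_samples())
    b = round_to_single(0.6)
    print("1 - 0.6f exact:", sterbenz_hypothesis(1.0, b), subtraction_is_exact(1.0, b))
    print("1 - 2^-30 exact:", sterbenz_hypothesis(1.0, 2.0 ** -30),
          subtraction_is_exact(1.0, 2.0 ** -30))
```

The pair (1, 3) is worth running too: the hypothesis fails, yet 1 - 3 = -2 is exact, which is the reminder that the lemma gives a sufficient condition for exactness, not a necessary one; the pair (1, 2^-30) shows a genuinely inexact subtraction once the operands are far apart.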
Slide 10: Informal error analysis

Tang's error analysis translates quite directly into HOL. One needs to:

1. Prove that clever implementation tricks ensure certain remainder terms are calculated exactly. This relies on cancellation, and the fact that pre-stored constants have trailing zeroes.
2. Prove that the polynomial approximation obeys the appropriate error bounds.
3. Prove that the rounding errors when reconstructing the final answer do not get too large.

In Tang's paper, 1 is quite brief, 2 is dismissed in a few lines, while 3 is given a long and detailed proof.
Slide 11: HOL error analysis

In the HOL version, this order of difficulty is reversed!

1. The first part is not fundamentally difficult, but quite tricky because it involves a lot of special cases and low-level proofs.
2. The second part involves numerical approximation, which needs a lot of work to translate into a formal proof (e.g. Taylor series, Sturm's theorem ...). In fact Tang makes a small mistake here, though it doesn't affect the final result.
3. The last part is quite routine, and we can program HOL to compose the rounding errors automatically. Actually, we derive better bounds than Tang does since we avoid making simplifying assumptions to cut down the work.
Slide 12: The final result

Under the various `definitional' assumptions, we confirm Tang's bottom-line result:

    (Isnan(X) ⇒ Isnan(E)) ∧
    (X == Plus_infinity ∨ Finite(X) ∧ exp(Val X) >= threshold(float_format)
       ⇒ E == Plus_infinity) ∧
    (X == Minus_infinity ⇒ E == Plus_zero) ∧
    (Finite(X) ∧ exp(Val X) < threshold(float_format)
       ⇒ Isnormal(E) ∧ abs(Val(E) - exp(Val X)) < (&54 / &100) * Ulp(E) ∨
          (Isdenormal(E) ∨ Iszero(E)) ∧
          abs(Val(E) - exp(Val X)) < (&77 / &100) * Ulp(E))

In fact, this specification is a bit more precise than Tang's, e.g. we are explicit about the overflow threshold.
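The EXP code on slide 6 and the final theorem on slide 12, put together as an added example that is not part of the original slides or of Tang's or Harrison's code: a Python transcription of the algorithm in which every operation is rounded to IEEE single precision through struct (a sum or product of two singles computed in a double and then rounded to single gives the same result as a direct single operation), followed by a measurement of |E - exp(X)| in ulps of E against the double-precision library exponential. The constants are constructed here rather than taken from Tang's hex tables: L1 keeps 15 significant bits of ln2/32 so that N*L1 is exact for |N| < 2^9 (the trailing-zeros trick of slide 10 and the reason for the Int_2e9 test), L2 is the remainder, A1 and A2 are Taylor coefficients, THRESHOLD_1 is about 150 ln 2 (beyond which the single-precision result is certainly infinity or zero) and THRESHOLD_2 is 2^-25, and the S_Lead/S_Trail table splits 2^(J/32) into a single and a tail. Because the constants differ from Tang's, the observed error is expected to stay close to but is not guaranteed to meet his 0.54 ulp bound, so the sweep asserts a looser 0.75 ulp; the function names are my own.

```python
import math
import struct

INF = float("inf")


def f32(x):
    """Round a double to the nearest IEEE single (ties to even)."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


# Constants CONSTRUCTED for this example, not Tang's published hex values.
LN2_32 = math.log(2.0) / 32.0
INV_L = f32(32.0 / math.log(2.0))                  # Inv_L ~ 32 / ln 2
# ln2/32 lies in [2^-6, 2^-5); keeping 15 significant bits (a multiple of
# 2^-20) makes N*L1 exact in single precision for |N| < 2^9, and N1*L1,
# N2*L1 exact separately beyond that.
L1 = round(LN2_32 * 2.0 ** 20) / 2.0 ** 20
L2 = f32(LN2_32 - L1)                              # remainder ln2/32 - L1
A1, A2 = f32(0.5), f32(1.0 / 6.0)                  # exp(r) - 1 ~ r + A1 r^2 + A2 r^3
THRESHOLD_1 = 103.97          # ~150 ln 2: beyond it exp overflows or rounds to 0
THRESHOLD_2 = 2.0 ** -25      # below it 1 + X is already the rounded answer
S_LEAD = [f32(2.0 ** (j / 32.0)) for j in range(32)]               # 2^(J/32) ...
S_TRAIL = [f32(2.0 ** (j / 32.0) - S_LEAD[j]) for j in range(32)]  # ... and its tail


def scalb(e1, m):
    """E1 * 2^M with IEEE single overflow (to infinity) and underflow."""
    y = math.ldexp(e1, m)
    try:
        return f32(y)
    except OverflowError:
        return math.copysign(INF, y)


def tang_exp_single(X):
    """Slide 6's EXP code, one single-precision operation per f32 call."""
    if math.isnan(X):
        return X
    if X == INF:
        return INF
    if X == -INF:
        return 0.0
    if abs(X) > THRESHOLD_1:
        return INF if X > 0.0 else 0.0
    if abs(X) < THRESHOLD_2:
        return f32(1.0 + X)
    # Range reduction: X = N*ln2/32 + R with N = 32*M + J and 0 <= J < 32
    N = int(round(f32(X * INV_L)))                  # INTRND
    N2 = N % 32                                     # Python's % keeps 0 <= N2 < 32
    N1 = N - N2
    if abs(N) >= 2 ** 9:
        R1 = f32(f32(X - f32(N1 * L1)) - f32(N2 * L1))
    else:
        R1 = f32(X - f32(N * L1))                   # exact by cancellation
    R2 = f32(-N * L2)
    M, J = N1 // 32, N2
    # Polynomial approximation of exp(R) - 1
    R = f32(R1 + R2)
    Q = f32(f32(R * R) * f32(A1 + f32(R * A2)))
    P = f32(R1 + f32(R2 + Q))
    # Reconstruction from the table: 2^M * 2^(J/32) * (1 + P)
    S = f32(S_LEAD[J] + S_TRAIL[J])
    E1 = f32(S_LEAD[J] + f32(S_TRAIL[J] + f32(S * P)))
    return scalb(E1, M)


def ulp32(y):
    """Unit in the last place of a normal single y (|y| = m 2^e, 1/2 <= m < 1)."""
    _, e = math.frexp(abs(y))
    return math.ldexp(1.0, e - 24)


def ulp_error(X):
    """|E - exp(X)| in ulps of E; the double library exp is accurate enough
    to judge a single-precision result."""
    E = tang_exp_single(X)
    return abs(E - math.exp(X)) / ulp32(E)


def max_ulp_error(lo=-80.0, hi=80.0, steps=8001):
    """Largest error over an even grid of single inputs with normal results."""
    return max(ulp_error(f32(lo + (hi - lo) * i / (steps - 1))) for i in range(steps))


def special_cases_hold():
    """The NaN / infinity / overflow clauses of slide 12's final theorem."""
    return (math.isnan(tang_exp_single(float("nan")))
            and tang_exp_single(INF) == INF
            and tang_exp_single(-INF) == 0.0
            and tang_exp_single(f32(100.0)) == INF      # overflow inside Scalb
            and tang_exp_single(f32(-110.0)) == 0.0)    # THRESHOLD_1 path


if __name__ == "__main__":
    print("EXP(1) =", tang_exp_single(1.0), "error", ulp_error(1.0), "ulp")
    print("worst error on [-80, 80]:", max_ulp_error(), "ulp")
    print("special cases hold:", special_cases_hold())
```

Running it with a larger grid, or with L1 replaced by the full single rounding of ln2/32, is the quickest way to see the point of slide 10: once N*L1 stops being exact, the reduced argument R1 picks up a rounding error that the rest of the computation cannot recover from, and the measured error climbs well above the half ulp that the final rounding alone contributes.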
Slide 13: Conclusions

  • We confirm (and strengthen) the main results of the hand proof. But we detect a few slips and uncover subtle issues. This class of proofs is a good target for verification.
  • The proof was very long (over 3 months of work), but most of this was devoted to general results that could be re-used.
  • It's a mistake to believe that only `trivial' mathematics is needed for verification applications. HOL Light's mathematical theories are essential.
  • Automation of linear arithmetic is practically indispensable. Better tools for nonlinear reasoning are needed.
  • The proof run times are very long owing to the extensive use of arithmetic done by inference.