Formal Verification of Floating-Point programs
Sylvie Boldo and Jean-Christophe Filliâtre. Montpellier, June 26th 2007. INRIA Futurs, CNRS, LRI. (PowerPoint presentation, transcribed slide by slide.)


  1. Formal Verification of Floating-Point programs. Sylvie Boldo and Jean-Christophe Filliâtre. Montpellier – June, 26th 2007. INRIA Futurs, CNRS, LRI.

  2–5. Motivations (one slide, revealed in four steps)
  (slide sidebar: Existing tools / Model and specification of FP numbers / Examples / Conclusion)
  Goal: reliability in numerical software
  Tool: formal proofs
  Drawback: we were not checking the real program
  ⇒ put together existing tools
  ⇒ check what is really written by programmers
  Sylvie Boldo & Jean-Christophe Filliâtre, Formal Verification of Floating-Point programs

  6. Outline
  Existing tools
    Caduceus
    Formalization of floats
  Model and specification of FP numbers
  Examples
  Conclusion

  7–9. What is Caduceus? (one slide, revealed in three steps)
  The method is to annotate the C program:
  We add pre-conditions and post-conditions to functions
  We add variants, invariants, assertions
  The tool generates proof obligations (such as Coq theorems) associated to the user annotations
  The proof of the verification conditions ensures that the program meets its specification

  10–14. Caduceus (toolchain diagram, built up over five slides)
  Java programs → Krakatoa
  C programs → Caduceus
  Krakatoa and Caduceus → Why → proof obligations
  Proof obligations → interactive proof assistants: Coq, PVS, HOL, Mizar
  Proof obligations → automatic provers: Simplify, haRVey, CVC

  15. Example: search in an array

      int index(int t[], int n, int v) {
        int i = 0;
        while (i < n) {
          if (t[i] == v) break;
          i++;
        }
        return i;
      }

  16. Example: search in an array (annotated)

      /*@ requires \valid_range(t,0,n-1)
        @ ensures
        @   (0 <= \result < n => t[\result] == v) &&
        @   (\result == n =>
        @      \forall int i; 0 <= i < n => t[i] != v) */
      int index(int t[], int n, int v) {
        int i = 0;
        /*@ invariant 0 <= i &&
          @   \forall int k; 0 <= k < i => t[k] != v
          @ variant n - i */
        while (i < n) {
          if (t[i] == v) break;
          i++;
        }
        return i;
      }

  17. Outline (section transition: Existing tools → Formalization of floats)

  18–20. Coq formalization (by Daumas, Rideau, Théry) (one slide, revealed in three steps)
  Float = pair of signed integers (mantissa, exponent): (n, e) ∈ Z²
  associated to a real value: (n, e) ↦ n × β^e ∈ R
  Example: 1.00010₂ E4 ↦ (100010₂, −1) ↦ 17
  (diagram labels on the slide: IEEE-754 significand, 754R, real value)
  ⇒ normal floats, subnormal floats, cohorts, overflow
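The pair model above, as an added example that is not part of the slides or of the Coq library they cite: a float is an integer pair (n, e) whose real value is n × β^e, worked on the slide's own example 1.00010₂ E4 ↦ (100010₂, −1) ↦ 17. Radix 2, the `is_bounded` format check (modelled on the library's bounded-float predicate) and the `canonical` choice of cohort member are assumptions of this example.

```python
from fractions import Fraction

BETA = 2  # radix assumed for the worked example (the slide's example is binary)

def float_value(n: int, e: int, beta: int = BETA) -> Fraction:
    """Real value of the pair (n, e): n * beta^e, computed exactly as a rational."""
    return Fraction(n) * Fraction(beta) ** e

def pair_from_binary(mantissa: str, exp: int) -> tuple:
    """Read a written binary number 'd.ddddd' x 2^exp into an integer pair (n, e).
    The digits form one integer and the binary point shift is folded into the
    exponent: '1.00010' E4 becomes (100010_2, 4 - 5) = (34, -1)."""
    int_part, _, frac_part = mantissa.partition(".")
    return int(int_part + frac_part, 2), exp - len(frac_part)

def cohort(n: int, e: int, beta: int = BETA, size: int = 3) -> list:
    """Distinct pairs with the same real value: scale n by beta while lowering e."""
    return [(n * beta ** k, e - k) for k in range(size)]

def is_bounded(n, e, precision, emin, beta=BETA) -> bool:
    """Format bound (modelled on the library's bounded-float predicate, assumed here):
    |n| fits in `precision` digits and e is at least `emin`."""
    return abs(n) < beta ** precision and e >= emin

def canonical(n, e, precision, emin, beta=BETA) -> tuple:
    """Cohort member with the largest bounded mantissa: the normal representative,
    or a subnormal one once e is pinned at emin and n cannot be scaled further."""
    if n == 0:
        return 0, emin
    while n % beta == 0:          # drop trailing zero digits first
        n //= beta
        e += 1
    while abs(n * beta) < beta ** precision and e > emin:
        n *= beta
        e -= 1
    return n, e
```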

  21–23. Partial Conclusion (one slide, revealed in three steps)
  ◮ We have all the needed tools
    ◮ program → formal theorem (obligations)
    ◮ formal float, formal rounding...
  ◮ We have to merge them to get a tool: program → formal theorem on FP arithmetic
  ◮ We have to decide how to specify a FP program!

  24. Outline (section transition: Model and specification of FP numbers)

  25–27. Caduceus’s model of FP numbers (one slide, revealed in three steps)
  A “program” float x is a triple:
  ◮ the floating-point number, as computed by the program: x → x_f, the floating-point part
  ◮ the value if all previous computations were exact: x → x_e, the exact part
  ◮ the ideally computed value: x → x_m, the model part
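The triple above, as an added example that is not Caduceus's own implementation: each program value carries its floating-point part (rounded to double), its exact part (the same operations on rationals) and its model part, so that the rounding error x_f − x_e, the method error x_e − x_m and the total error x_f − x_m can be separated. The `set_model` hook standing in for a user annotation, the forward-difference derivative and the inputs are assumptions of this example.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Triple:
    """One 'program' float with its three parts (constructed example)."""
    f: float      # floating-point part: what the program actually computes
    e: Fraction   # exact part: the same operations with no rounding at all
    m: Fraction   # model part: the ideally computed value

    @staticmethod
    def const(text: str) -> "Triple":
        """A literal: f is rounded once to double, e and m keep the exact value."""
        exact = Fraction(text)
        return Triple(float(text), exact, exact)

    def _op(self, other: "Triple", op) -> "Triple":
        return Triple(op(self.f, other.f), op(self.e, other.e), op(self.m, other.m))

    def __add__(self, o): return self._op(o, lambda a, b: a + b)
    def __sub__(self, o): return self._op(o, lambda a, b: a - b)
    def __mul__(self, o): return self._op(o, lambda a, b: a * b)
    def __truediv__(self, o): return self._op(o, lambda a, b: a / b)

    def set_model(self, ideal) -> "Triple":
        """Annotation hook (assumed API): the programmer states the ideal value."""
        return Triple(self.f, self.e, Fraction(ideal))

    def rounding_error(self) -> Fraction:  # f - e: caused by rounding alone
        return Fraction(self.f) - self.e
    def method_error(self) -> Fraction:    # e - m: caused by the algorithm itself
        return self.e - self.m
    def total_error(self) -> Fraction:     # f - m: the error the user cares about
        return Fraction(self.f) - self.m

def forward_diff_square(x: Triple, h: Triple) -> Triple:
    """(f(x+h) - f(x)) / h for f(x) = x*x; the ideal result is f'(x) = 2x."""
    d = ((x + h) * (x + h) - x * x) / h
    return d.set_model(2 * x.m)

# Constructed input: x = 1 and step h = 0.001, which has no exact binary double.
derivative = forward_diff_square(Triple.const("1"), Triple.const("0.001"))
```

With these inputs the exact part is 2001/1000, so the method error is exactly 1/1000 while the rounding error is a separate, much smaller non-zero rational.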
