Example using Coq 8.2 Theorem Rle Fexp eq Zle : forall x y :float, (x <= y)%R -> Fexp x = Fexp y -> (Fnum x <= Fnum y)%Z. intros x y H’ H’0. apply le IZR. apply (Rle monotony contra exp radix) with (z := Fexp x); auto with real arith. pattern (Fexp x) at 2 in |- *; rewrite H’0; auto. Qed. With keywords, stating of the theorem, tactics and names of used theorems. Theorem (Rle Fexp eq Zle) If two floats x = ( n x , e x ) and y = ( n y , e y ) verifies x ≤ y, and e x = e y , then n x ≤ n y . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 15 / 41
Plan Motivations 1 Tools 2 Formal proof Frama-C/Jessie/Why Examples 3 Conclusions 4 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 16 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) ◮ . . . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why Frama-C is a framework dedicated to the analysis of the source code of software written in C. Available plugins : ◮ value analysis ◮ Jessie, the deductive verification plug-in (based on weakest precondition computation techniques) ◮ . . . Free softwares in CAML available at http://frama-c.com/ and http://why.lri.fr/ . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 17 / 41
Frama-C/Jessie/Why ACSL-annotated C program Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41
Frama-C/Jessie/Why ACSL-annotated C program Frama-C/Jessie plug-in WHY verification condition generator Verification conditions Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41
Frama-C/Jessie/Why ACSL-annotated C program Frama-C/Jessie plug-in WHY verification condition generator Verification conditions Automatic provers Interactive provers (Alt-Ergo,Gappa,CVC3,etc.) (Coq,PVS,etc.) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 18 / 41
ACSL ANSI/ISO C Specification Language Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL ANSI/ISO C Specification Language behavioral specification language for C programs Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. assertions Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL ANSI/ISO C Specification Language behavioral specification language for C programs pre-conditions and post-conditions to functions (and which variables are modified). variants and invariants of the loops. assertions In annotations, all computations are exact. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 19 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part the value that would have been obtained with exact computations, x → x e exact part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part the value that would have been obtained with exact computations, x → x e exact part the value that we ideally wanted to compute x → x m model part Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) ⇒ easy to split into method error and rounding error Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
ACSL and floating-point numbers A floating-point number is a triple : the floating-point number, really computed by the program, x → x f floating-point part 1+x+x*x/2 the value that would have been obtained with exact computations, 1 + x + x 2 x → x e exact part 2 the value that we ideally wanted to compute x → x m model part exp( x ) ⇒ easy to split into method error and rounding error For a float f , we have macros such as \ rounding error(f) and \ exact(f) , while f (as a real) is its floating-point value. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 20 / 41
Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41
Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41
Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. full : IEEE roundings occur. Exceptional behaviors may happen. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41
Pragmas Several pragmas corresponding to different formalization for floating-point numbers. defensive (default pragma) : IEEE roundings occur. We prove that no exceptional behavior may happen (Overflow, NaN creation. . .) math : all computations are exact. full : IEEE roundings occur. Exceptional behaviors may happen. multi-rounding : we may have any hardware and compiler (80-bit extended registers, FMA) Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 21 / 41
Plan Motivations 1 Tools 2 Formal proof Frama-C/Jessie/Why Examples 3 Conclusions 4 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 22 / 41
Examples All examples use Frama-C Boron and Why 2.26. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41
Examples All examples use Frama-C Boron and Why 2.26. All proof obligations are proved using Coq. (except 2 inequalities in the last example). Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41
Examples All examples use Frama-C Boron and Why 2.26. All proof obligations are proved using Coq. (except 2 inequalities in the last example). Code & proofs available on http://www.lri.fr/~sboldo/research.html . Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 23 / 41
Sterbenz Theorem (Sterbenz) If x and y are FP numbers in a given precision such that y 2 ≤ x ≤ 2 y , then x − y fits in a FP number in the same precision and is therefore computed without error. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 24 / 41
Sterbenz – program /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41
Sterbenz – program Exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41
Sterbenz – program 1 PO : exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41
Sterbenz – program 1 PO : exact subtraction /*@ requires y/2. <= x <= 2.*y; @ ensures \result == x-y; @*/ f l o a t Sterbenz ( f l o a t x , f l o a t y ) { return x − y ; } 1 PO : no overflow Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 25 / 41
Veltkamp/Dekker Theorem (Veltkamp/Dekker) Provided no Overflow and no Underflow occur, there is an algorithm computing the exact error of the multiplication using only FP operations. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 26 / 41
Veltkamp/Dekker Theorem (Veltkamp/Dekker) Provided no Overflow and no Underflow occur, there is an algorithm computing the exact error of the multiplication using only FP operations. Idea : split your floats in 2, multiply all the parts, add them in the correct order. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 26 / 41
Veltkamp : how to split a floating-point number Let C = 2 27 + 1 for double precision numbers. 27 bits x 2 27 × x + p = ◦ ( x × C ) q = ◦ ( x − p ) x 1 = p + q Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 27 / 41
Dekker : how to get the error of the multiplication r 1 = ◦ ( x × y ) x 1 × y 1 t 1 = x 1 × y 1 − r x 1 × y 2 t 2 = t 1 + x 1 × y 2 x 2 × y 1 t 3 = t 2 + x 2 × y 1 x 2 × y 2 r 2 = t 3 + x 2 × y 2 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 28 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; Split x and y py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; Multiply all halves and r2+=hx ∗ ty ; r2+=hy ∗ tx ; add all the results r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program xy = ◦ ( xy ) /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && Overflow @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; If no Underflow @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Veltkamp/Dekker – program /*@ requires xy == \ round_double (\ NearestEven ,x*y) && @ \abs(x) <= 0x1.p995 && @ \abs(y) <= 0x1.p995 && @ \abs(x*y) <= 0x1.p1021; @ ensures ((x*y == 0 || 0x1.p -969 <= \abs(x*y)) @ ==> x*y == xy+\ result ); Exact error of ⊗ @*/ double Dekker ( double x , double y , double xy ) { double C, px , qx , hx , py , qy , hy , tx , ty , r2 ; i n t i ; [ . . . ] /*@ assert C == \pow (2. ,27) + 1. */ px=x ∗ C ; qx=x − px ; hx=px+qx ; tx=x − hx ; py=y ∗ C ; qy=y − py ; hy=py+qy ; ty=y − hy ; r2= − xy+hx ∗ hy ; r2+=hx ∗ ty ; r2+=hy ∗ tx ; r2+=tx ∗ ty ; return r2 ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 29 / 41
Accurate discriminant It is pretty hard to compute b 2 − ac accurately. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 30 / 41
Accurate discriminant It is pretty hard to compute b 2 − ac accurately. Theorem (Kahan) Provided no Overflow and no Underflow occur, there is an algorithm computing the b 2 − a ∗ c within 2 ulps. Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 30 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) If ac �≈ b 2 , compute naively d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; Test whether ac ≈ b 2 p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { If ac ≈ b 2 , compute accurately dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; using errors of the multiplications d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && Underflow @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && Overflow @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. 2 ulps @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; p=b ∗ b ; q=a ∗ c ; i f ( p+q < = 3 ∗ f a b s (p − q )) Function calls d=p − q ; e l s e { ⇒ pre-conditions to prove dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; ⇒ post-conditions guaranteed d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Accurate discriminant – program /*@ requires @ (b==0. || 0x1.p -916 <= \abs(b*b)) && @ (a*c==0. || 0x1.p -916 <= \abs(a*c)) && @ \abs(b) <= 0x1.p510 && @ \abs(a) <= 0x1.p995 && \abs(c) <= 0x1.p995 && @ \abs(a*c) <= 0x1.p1021; @ ensures \result ==0. @ || \abs (\ result -(b*b-a*c)) <= 2.* ulp (\ result ); @ */ In initial proof, double d i s c r i m i n a n t ( double a , double b , double c ) { double p , q , d , dp , dq ; test assumed correct p=b ∗ b ; ⇒ Additional proof q=a ∗ c ; when test is incorrect i f ( p+q < = 3 ∗ f a b s (p − q )) d=p − q ; e l s e { dp=Dekker (b , b , p ) ; dq=Dekker ( a , c , q ) ; d=(p − q)+(dp − dq ) ; } return d ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 31 / 41
Wave equation resolution scheme ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) = s ( x , t ) ∂ t 2 ∂ x 2 Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41
Wave equation resolution scheme t t k t k − 1 ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) ֒ → = s ( x , t ) t k − 2 ∂ t 2 ∂ x 2 x j − 1 x j x j +1 x Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41
Wave equation resolution scheme t t k t k − 1 ∂ 2 u ( x , t ) − c 2 ∂ 2 u ( x , t ) ֒ → = s ( x , t ) t k − 2 ∂ t 2 ∂ x 2 x j − 1 x j x j +1 x j − 2 u k − 1 + u k − 2 − c 2 u k − 1 j +1 − 2 u k − 1 + u k − 1 u k j j j j − 1 = s k − 1 ∆ t 2 ∆ x 2 j Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 32 / 41
Wave equation resolution scheme – program double ∗∗ forward prop ( i n t ni , i n t nk , double dx , double dt , double v , double xs , double l ) { double ∗∗ p ; i n t i , k ; double a1 , a , dp ; a1 = dt /dx ∗ v ; a = a1 ∗ a1 ; [ . . . ] // i n i t i a l i z a t i o n s of p [ . . . ] [ 0 ] and p [ . . . ] [ 1 ] /* propagation = time loop */ /*@ loop invariant 1 <= k <= nk && analytic_error (p,ni ,ni ,k,a); @ loop variant nk -k; */ f o r ( k=1; k < nk ; k++) { p [ 0 ] [ k+1] = 0 . ; /* time iteration = space loop */ /*@ loop invariant 1 <= i <= ni && analytic_error (p,ni ,i-1,k+1,a) @ loop variant ni -i; */ f o r ( i =1; i < n i ; i ++) { dp = p [ i +1][ k ] − 2. ∗ p [ i ] [ k ] + p [ i − 1][ k ] ; p [ i ] [ k+1] = 2. ∗ p [ i ] [ k ] − p [ i ] [ k − 1] + a ∗ dp ; } p [ n i ] [ k+1] = 0 . ; } return p ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 33 / 41
Wave equation resolution scheme – program double ∗∗ forward prop ( i n t ni , i n t nk , double dx , double dt , double v , double xs , double l ) { double ∗∗ p ; i n t i , k ; double a1 , a , dp ; a1 = dt /dx ∗ v ; a = a1 ∗ a1 ; [ . . . ] // i n i t i a l i z a t i o n s of p [ . . . ] [ 0 ] and p [ . . . ] [ 1 ] /* propagation = time loop */ /*@ loop invariant 1 <= k <= nk && analytic_error (p,ni ,ni ,k,a); @ loop variant nk -k; */ Time loop f o r ( k=1; k < nk ; k++) { p [ 0 ] [ k+1] = 0 . ; /* time iteration = space loop */ /*@ loop invariant 1 <= i <= ni && analytic_error (p,ni ,i-1,k+1,a) @ loop variant ni -i; */ Space loop f o r ( i =1; i < n i ; i ++) { dp = p [ i +1][ k ] − 2. ∗ p [ i ] [ k ] + p [ i − 1][ k ] ; p [ i ] [ k+1] = 2. ∗ p [ i ] [ k ] − p [ i ] [ k − 1] + a ∗ dp ; } p [ n i ] [ k+1] = 0 . ; } return p ; } Sylvie Boldo (INRIA) Formal verification of numerical programs July 15th, 2010 33 / 41
Recommend
More recommend