Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul - PowerPoint PPT Presentation

P ossible Alternatives • Exhaustive testing • feasible for 32-bit float: ~ 30 seconds (with 1 core for sinf ) • infeasible for 64-bit double: > 4000 years ( = 30 seconds × 2 32 ) • infeasible even for input range X = −1, 1 1 ∵ (# of doubles between −1 and 1 ) = 2 (# of all doubles) • Machine-checkable proofs • Harrison used transcendental functions are very accurate [ ] • construction of these proofs often requires considerable persistence 24

P ossible Alternatives • Exhaustive testing • feasible for 32-bit float: ~ 30 seconds (with 1 core for sinf ) • infeasible for 64-bit double: > 4000 years ( = 30 seconds × 2 32 ) • infeasible even for input range X = −1, 1 1 ∵ (# of doubles between −1 and 1 ) = 2 (# of all doubles) • Machine-checkable proofs • Harrison used transcendental functions are very accurate [ ] • construction of these proofs often requires considerable persistence. 27

P ossible Automatic Alternatives • If only floating-point operations are used, various automatic techniques can be applied • e.g., Astree , Fluctuat , ROSA , FPTaylor • Several commercial tools (e.g., Astree, Fluctuat) can handle certain bit-trick routines • We are unaware of a general technique for verifying mixed floating-point and bit-level code 28

P ossible Automatic Alternatives • If only floating-point operations are used, various automatic techniques can be applied • e.g., Astree , Fluctuat , ROSA , FPTaylor • Several commercial tools (e.g., Astree, Fluctuat) can handle certain bit-trick routines • We are unaware of a general technique for verifying mixed floating-point and bit-level code 29

Our Method 30

𝑓 𝑦 Explained 1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq 31

𝑓 𝑦 Explained 𝑦 1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 𝑂 = round 𝑦 ∙ log 2 𝑓 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq 32

𝑓 𝑦 Explained 𝑦 1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 𝑂 = round 𝑦 ∙ log 2 𝑓 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 2 𝑂 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 13 vmulpd T12, %xmm1, %xmm2 14 vaddpd T11, %xmm2, %xmm2 ... 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 38 retq 33

𝑓 𝑦 Explained 𝑦 1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 𝑂 = round 𝑦 ∙ log 2 𝑓 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 2 𝑂 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 𝑠 = 𝑦 − 𝑂 ∙ ln 2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 12 𝑠 𝑗 13 vmulpd T12, %xmm1, %xmm2 𝑓 𝑠 ≈ ෍ 14 vaddpd T11, %xmm2, %xmm2 𝑗! ... 𝑗=0 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 𝑓 𝑦 = 𝑓 𝑂∙ln 2 ∙ 𝑓 𝑠 ≈ 2 𝑂 ∙ 𝑓 𝑠 38 retq 34

𝑓 𝑦 Explained 𝑦 1 vmovddup %xmm0, %xmm0 2 vmulpd L2E, %xmm0, %xmm2 𝑂 = round 𝑦 ∙ log 2 𝑓 3 vroundpd $0, %xmm2, %xmm2 4 vcvtpd2dqx %xmm2, %xmm3 5 vpaddd B, %xmm3, %xmm3 2 𝑂 6 vpslld $20, %xmm3, %xmm3 7 vpshufd $114, %xmm3, %xmm3 8 vmulpd C1, %xmm2, %xmm1 9 vmulpd C2, %xmm2, %xmm2 𝑠 = 𝑦 − 𝑂 ∙ ln 2 10 vaddpd %xmm1, %xmm0, %xmm1 11 vaddpd %xmm2, %xmm1, %xmm1 12 vmovapd T1, %xmm0 12 𝑠 𝑗 13 vmulpd T12, %xmm1, %xmm2 𝑓 𝑠 ≈ ෍ 14 vaddpd T11, %xmm2, %xmm2 𝑗! ... 𝑗=0 36 vaddpd %xmm0, %xmm1, %xmm0 37 vmulpd %xmm3, %xmm0, %xmm0 𝑓 𝑦 = 𝑓 𝑂∙ln 2 ∙ 𝑓 𝑠 ≈ 2 𝑂 ∙ 𝑓 𝑠 38 retq Find a small Θ > 0 such that Goal: 𝑓 𝑦 −2 𝑂 𝑓 𝑠 ≤ Θ for all 𝑦 ∈ 𝑌 𝑓 𝑦 35

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 36

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 37

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 38

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 0 1 𝑦⨂𝑧 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 39

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 0 1 𝑦⨂𝑧 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 40

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 0 1 𝑦⨂𝑧 𝑦 ⨂ f 𝑧 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 41

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 𝜗 0 1 𝑦⨂𝑧 𝑦 ⨂ f 𝑧 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 42

1) Abstract Floating-P oint Operations • Assume only floating-point operations are used • 1 + 𝜗 property • A standard way to model rounding errors 𝑦 ⨂ f 𝑧 ∈ 𝑦⨂𝑧 1 + 𝜀 ∶ 𝜀 < 𝜗 𝜗 0 1 𝑦⨂𝑧 𝑦 ⨂ f 𝑧 • For 64-bit doubles, 𝜗 = 2 −53 • This property has been used in previous automatic techniques (FPTaylor -point programs 43

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: 44

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝑄 𝑦 = 2 × f 𝑦 1 + 𝜀 1 + f 3 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: 45

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝐵 𝜀 𝑦 𝑄 𝑦 = 2 × f 𝑦 1 + 𝜀 1 + f 3 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: 46

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝐵 𝜀 𝑦 𝑄 𝑦 = 2 × f 𝑦 × 1 + 𝜀 1 + f 3 + 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: 47

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝐵 𝜀 𝑦 𝑄 𝑦 = 2 × f 𝑦 × 1 + 𝜀 1 + f 3 + 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: 𝑄 𝑦 = 2 × f 𝑦 1 + 𝜀 1 + f 3 1 + 𝜀 2 ∶ 𝜀 1 , 𝜀 2 < 𝜗 50

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝐵 𝜀 𝑦 𝑄 𝑦 = 2 × f 𝑦 × 1 + 𝜀 1 + + f 3 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: { } 𝑄 𝑦 = 2 × f 𝑦 × 1 + 𝜀 1 + f 3 + 1 + 𝜀 2 ∶ 𝜀 1 , 𝜀 2 < 𝜗 51

1) Abstract Floating-P oint Operations • Compute a symbolic abstraction 𝐵 𝜀 𝑦 of a program 𝑄 • Example: 𝐵 𝜀 𝑦 𝑄 𝑦 = 2 × f 𝑦 × 1 + 𝜀 1 + + f 3 1 + 𝜀 2 • F 𝐵 𝜀 𝑦 satisfies rom 1 + 𝜗 property, 𝑄 𝑦 ∈ 𝐵 𝜀 𝑦 ∶ 𝜀 𝑗 < 𝜗 for all 𝑦 • Example: { } 𝑄 𝑦 = ∈ 2 × f 𝑦 × 1 + 𝜀 1 + f 3 + 1 + 𝜀 2 ∶ 𝜀 1 , 𝜀 2 < 𝜗 52

Our Method: Overview 𝑄(𝑦) −1 1 𝑌 ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 53

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... 56

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 n ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... abstract using 57

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 𝐽 1 𝐽 2 𝐽 𝑜 n ... vpslld $20, ... vpshufd $114, ... vmulpd C1, ... vmulpd C2, ... ... abstract using 58

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 𝐽 1 𝐽 2 𝐽 𝑜 n ... ... vpslld $20, ... vpslld $20, ... vpshufd $114, ... vpshufd $114, ... vmulpd C1, ... vmulpd C1, ... ... vmulpd C2, ... vmulpd C2, ... ... vpslld $20, ... ... ... vpslld $20, ... vpshufd $114, ... vpshufd $114, ... vmulpd C1, ... vmulpd C1, ... abstract using vmulpd C2, ... vmulpd C2, ... ... ... 59

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 𝐽 1 𝐽 2 𝐽 𝑜 n ... ... 1 vpslld $20, ... vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 3 vmulpd C1, ... vmulpd C1, ... ... vmulpd C2, ... vmulpd C2, ... ... vpslld $20, ... ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... vmulpd C1, ... abstract using vmulpd C2, ... vmulpd C2, ... ... partial evaluation ... of bit-level operations 60

Our Method: Overview 𝑄(𝑦) hard to find −1 1 𝑌 𝐽 1 𝐽 2 𝐽 𝑜 n ... ... 1 vpslld $20, ... vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 3 vmulpd C1, ... vmulpd C1, ... ... vmulpd C2, ... vmulpd C2, ... ... vpslld $20, ... ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... only floating-point vmulpd C1, ... abstract using vmulpd C2, ... vmulpd C2, ... ... operations partial evaluation ... of bit-level operations 61

Our Method: Overview 𝑄(𝑦) 𝐵 2,𝜀 (𝑦) 𝐵 1,𝜀 (𝑦) hard to find 𝐵 𝑜,𝜀 (𝑦) −1 1 𝑌 𝐽 1 𝐽 2 𝐽 𝑜 n ... ... 1 vpslld $20, ... vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 3 vmulpd C1, ... vmulpd C1, ... ... vmulpd C2, ... vmulpd C2, ... ... vpslld $20, ... ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... only floating-point vmulpd C1, ... abstract using vmulpd C2, ... vmulpd C2, ... ... operations partial evaluation ... of bit-level operations 62

Our Method: Overview 𝐵 2,𝜀 (𝑦) 𝐵 1,𝜀 (𝑦) 𝐵 𝑜,𝜀 (𝑦) 𝐽 1 𝐽 2 𝐽 𝑜 ... 1 vpslld $20, ... vpshufd $114, ... 3 vmulpd C1, ... ... vmulpd C2, ... ... vpslld $20, ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... vmulpd C1, ... vmulpd C2, ... vmulpd C2, ... ... partial evaluation ... of bit-level operations 63

Our Method: Overview 𝐵 2,𝜀 (𝑦) 𝐵 1,𝜀 (𝑦) 𝐵 𝑜,𝜀 (𝑦) 𝑔 𝑦 − 𝐵 𝑜,𝜀 𝑦 𝑔 𝑦 − 𝐵 1,𝜀 𝑦 𝑔(𝑦) 𝑔(𝑦) 𝐽 1 𝐽 2 𝐽 𝑜 𝐽 1 𝐽 2 𝐽 𝑜 ... 1 vpslld $20, ... vpshufd $114, ... 3 vmulpd C1, ... ... vmulpd C2, ... ... vpslld $20, ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... vmulpd C1, ... vmulpd C2, ... vmulpd C2, ... ... partial evaluation ... of bit-level operations 64

Our Method: Overview 𝐵 2,𝜀 (𝑦) 𝐵 1,𝜀 (𝑦) solve optimization problems 𝐵 𝑜,𝜀 (𝑦) 𝑔 𝑦 − 𝐵 𝑜,𝜀 𝑦 𝑔 𝑦 − 𝐵 1,𝜀 𝑦 max 𝑔(𝑦) max 𝑔(𝑦) 𝐽 1 𝐽 2 𝐽 𝑜 𝐽 1 𝐽 2 𝐽 𝑜 ... 1 vpslld $20, ... vpshufd $114, ... 3 vmulpd C1, ... ... vmulpd C2, ... ... vpslld $20, ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... vmulpd C1, ... vmulpd C2, ... vmulpd C2, ... ... partial evaluation ... of bit-level operations 65

Our Method: Overview 𝐵 2,𝜀 (𝑦) 𝐵 1,𝜀 (𝑦) solve optimization problems 𝐵 𝑜,𝜀 (𝑦) 𝑔 𝑦 − 𝐵 𝑜,𝜀 𝑦 𝑔 𝑦 − 𝐵 1,𝜀 𝑦 max 𝑔(𝑦) max 𝑔(𝑦) 𝐽 1 𝐽 2 𝐽 𝑜 𝐽 1 𝐽 2 𝐽 𝑜 ... 1 vpslld $20, ... answer! vpshufd $114, ... 3 vmulpd C1, ... ... vmulpd C2, ... ... vpslld $20, ... ... 𝒐 vpslld $20, ... vpshufd $114, ... vpshufd $114, ... 𝟑𝒐 + 𝟐 vmulpd C1, ... vmulpd C1, ... vmulpd C2, ... vmulpd C2, ... ... partial evaluation ... of bit-level operations 66

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation • Example: 67

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation • Example: 68

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 𝑌 1 • Example: input x y ← x × f C (C = 0x3ff71547652b82fe) N ← round(y) z ← int(N) + i 0x3ff w ← z << 52 ... 69

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 𝑌 1 • Example: 𝐽 −1 𝐽 0 𝐽 1 input x y ← x × f C (C = 0x3ff71547652b82fe) N ← round(y) z ← int(N) + i 0x3ff w ← z << 52 ... 70

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 −1 𝑌 𝑌 1 1 • Example: 𝐽 −1 𝐽 −1 𝐽 0 𝐽 0 𝐽 1 𝐽 1 input x y ← x × f C (C = 0x3ff71547652b82fe) N ← round(y) z ← int(N) + i 0x3ff w ← z << 52 ... 71

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 −1 𝑌 𝑌 1 1 • Example: 𝐽 −1 𝐽 −1 𝐽 0 𝐽 0 𝐽 1 𝐽 1 input x y ← x × f C (C = 0x3ff71547652b82fe) N ← round(y) −1 z ← int(N) + i 0x3ff w ← z << 52 ... 72

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 −1 𝑌 𝑌 1 1 • Example: 𝐽 −1 𝐽 −1 𝐽 0 𝐽 0 𝐽 1 𝐽 1 input x input x y ← x × f C y ← x × f C (C = 0x3ff71547652b82fe) (C = 0x3ff71547652b82fe) N ← round(y) partial evaluation N ← −1 −1 z ← int(N) + i 0x3ff z ← 1022 w ← z << 52 w ← 0.5 ... ... 73

2) Divide the Input Range • Assume bit-level operations are used as well • To handle bit-level operations, divide 𝑌 into intervals 𝐽 𝑙 , on each 𝐽 𝑙 , so that, we can statically know the result of each bit-level operation −1 −1 𝑌 𝑌 1 1 • Example: 𝐽 −1 𝐽 −1 𝐽 0 𝐽 0 𝐽 1 𝐽 1 input x input x y ← x × f C y ← x × f C (C = 0x3ff71547652b82fe) (C = 0x3ff71547652b82fe) N ← round(y) partial evaluation N ← −1 −1 z ← int(N) + i 0x3ff z ← 1022 Only floating-point operations are left w ← z << 52 w ← 0.5 ... ... → Can compute 𝐵 𝜀 𝑦 on each 𝐽 𝑙 74

2) Divide the Input Range • How to find such intervals? • Use symbolic abstractions • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 75

2) Divide the Input Range • How to find such intervals? −1 𝑌 1 • Use symbolic abstractions 𝐽 −1 𝐽 0 𝐽 1 • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 76

2) Divide the Input Range • How to find such intervals? −1 𝑌 1 • Use symbolic abstractions 𝐽 −1 𝐽 0 𝐽 1 𝑂 = −1 𝑂 = 0 𝑂 = 1 • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 77

2) Divide the Input Range • How to find such intervals? −1 𝑌 1 • Use symbolic abstractions 𝐽 −1 𝐽 0 𝐽 1 𝑂 = −1 𝑂 = 0 𝑂 = 1 • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 𝑦 × f C 𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 81

2) Divide the Input Range • How to find such intervals? −1 𝑌 1 • Use symbolic abstractions 𝐽 −1 𝐽 0 𝐽 1 𝑂 = −1 𝑂 = 0 𝑂 = 1 • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 𝑦 × f C 𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑙 − 0.5 𝑙 + 0.5 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 82

2) Divide the Input Range • How to find such intervals? −1 𝑌 1 • Use symbolic abstractions 𝐽 −1 𝐽 0 𝐽 1 𝑂 = −1 𝑂 = 0 𝑂 = 1 • Example: • 𝑂 = round 𝑦 × f C • (symbolic abstraction of 𝑦 × f C ) = 𝑦 × C 1 + 𝜀 𝑦 × f C 𝑇(𝑦) = 𝑦 × C 1 + 𝜀 : 𝜀 < 𝜗 𝑂 = 𝑙 𝑙 − 0.5 𝑙 + 0.5 • Let 𝐽 𝑙 = largest interval contained in 𝑦 ∈ 𝑌 ∶ 𝑇 𝑦 ⊂ 𝑙 − 0.5, 𝑙 + 0.5 • Then 𝑂 is evaluated to 𝑙 for every input in 𝐽 𝑙 83

3) Compute a Bound on Precision Loss • Precision loss on each interval 𝐽 𝑙 • Let 𝐵 𝜀 𝑦 be a symbolic abstraction on 𝐽 𝑙 • Analytical optimization: 𝑓 𝑦 −𝐵 𝜀 𝑦 max 𝑓 𝑦 𝑦∈𝐽 𝑙 , |𝜀 𝑗 |<𝜗 • Use Mathematica to solve optimization problems analytically 86

3) Compute a Bound on Precision Loss • Precision loss on each interval 𝐽 𝑙 • Let 𝐵 𝜀 𝑦 be a symbolic abstraction on 𝐽 𝑙 • Analytical optimization: 𝑓 𝑦 −𝐵 𝜀 𝑦 max 𝑓 𝑦 𝑦∈𝐽 𝑙 , |𝜀 𝑗 |<𝜗 • Use Mathematica to solve optimization problems analytically 87

Are We Done? • No. The constructed intervals do not cover 𝑌 in general • Because we made sound approximations −1 input range 𝑌 1 𝐽 −1 𝐽 0 𝐽 1 88

Are We Done? • No. The constructed intervals do not cover 𝑌 in general • Because we made sound approximations −1 input range 𝑌 1 floating-point numbers 𝐽 −1 𝐽 0 𝐽 1 89

Are We Done? • No. The constructed intervals do not cover 𝑌 in general • Because we made sound approximations −1 input range 𝑌 1 floating-point numbers 𝐽 −1 𝐽 0 𝐽 1 between intervals 90

Are We Done? • No. The constructed intervals do not cover 𝑌 in general • Because we made sound approximations −1 input range 𝑌 1 floating-point numbers 𝐽 −1 𝐽 0 𝐽 1 between intervals 91

Are We Done? • Example: 𝑂 = round 𝑦 × f 𝐷 abstraction of 𝑦 × f 𝐷 : 0 1 0.5 1 For 𝑦 = 𝑂 would be 0 or 1 2𝐷 , • Let 𝐼 = {floating- • We observe that |𝐼| is small in experiment 92

Are We Done? • Example: 𝑂 = round 𝑦 × f 𝐷 abstraction of 𝑦 × f 𝐷 : 0 1 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(3𝐷) 0.5 1 For 𝑦 = 𝑂 would be 0 or 1 2𝐷 , • Let 𝐼 = {floating- • We observe that |𝐼| is small in experiment 93

Are We Done? • Example: 𝑂 = round 𝑦 × f 𝐷 abstraction of 𝑦 × f 𝐷 : 0 1 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(3𝐷) 𝑂 = 0 0.5 𝑂 = 1 1 For 𝑦 = 𝑂 would be 0 or 1 2𝐷 , • Let 𝐼 = {floating- • We observe that |𝐼| is small in experiment 94

Are We Done? • Example: 𝑂 = round 𝑦 × f 𝐷 abstraction of 𝑦 × f 𝐷 : 0 1 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(3𝐷) 𝑦 = 1/(2𝐷) 𝑂 = 0 0.5 𝑂 = 1 1 For 𝑦 = 𝑂 would be 0 or 1 2𝐷 , • Let 𝐼 = {floating- • We observe that |𝐼| is small in experiment 95

Are We Done? • Example: 𝑂 = round 𝑦 × f 𝐷 𝑦 × f 𝐷 abstraction of 𝑦 × f 𝐷 : ? ? ? ? ? ? 0 1 𝑦 = 1/(1.5𝐷) 𝑦 = 1/(3𝐷) 𝑦 = 1/(2𝐷) 𝑂 = 0 0.5 𝑂 = 1 1 For 𝑦 = 𝑂 would be 0 or 1 2𝐷 , • Let 𝐼 = {floating- • We observe that |𝐼| is small in experiment 96

3) Compute a Bound on Precision Loss • Precision loss on each interval 𝐽 𝑙 • Let 𝐵 𝜀 𝑦 be a symbolic abstraction on 𝐽 𝑙 • Analytical optimization: 𝑓 𝑦 −𝐵 𝜀 𝑦 max 𝑓 𝑦 𝑦∈𝐽 𝑙 , |𝜀 𝑗 |<𝜗 • Use Mathematica to solve optimization problems analytically • Precision loss on 𝐼 • For each 𝑦 ∈ 𝐼 , obtain 𝑄 𝑦 by executing the binary • Brute force: 𝑓 𝑦 −𝑄 𝑦 max 𝑓 𝑦 𝑦∈𝐼 • Use Mathematica to compute 𝑓 𝑦 and precision loss exactly 99

3) Compute a Bound on Precision Loss • Precision loss on each interval 𝐽 𝑙 • Let 𝐵 𝜀 𝑦 be a symbolic abstraction on 𝐽 𝑙 • Analytical optimization: take maximum 𝑓 𝑦 −𝐵 𝜀 𝑦 → answer! max 𝑓 𝑦 𝑦∈𝐽 𝑙 , |𝜀 𝑗 |<𝜗 • Use Mathematica to solve optimization problems analytically • Precision loss on 𝐼 • For each 𝑦 ∈ 𝐼 , obtain 𝑄 𝑦 by executing the binary • Brute force: 𝑓 𝑦 −𝑄 𝑦 max 𝑓 𝑦 𝑦∈𝐼 • Use Mathematica to compute 𝑓 𝑦 and precision loss exactly 100

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul - PowerPoint PPT Presentation

Verifying Bit-Manipulations of Floating-P oint Wonyeol Lee Rahul Sharma Alex Aiken Stanford University PLDI 2016 This Talk Example: mathematical specification Goal: Bound the difference between spec and implementation

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

The Other 95%: The Unsecure Internet You Dont Know About Internet Protocol Manipulations

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Evaluating Resistance to False- Name Manipulations in Elections Vincent Conitzer Bo Waggoner

VIX IX, derivatives and possible manipulations Dont Touch the VIX! Oops. March 2018, Gontran

Reducing a Masked Implementations Effective Security Order with Setup Manipulations And an

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Modular static analysis of string manipulations in C programs a Matthieu Journault, Antoine Min

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Low level programming in Ada95 Useful type declarations Bit manipulations and conversions

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Detecting Object Manipulations in an Assembly Task Jacob Rosenskld mas15jro@student.lu.se

C The TIDE Project www.mbl.edu/tide Whole-ecosystem manipulations in Plum Island Estuary, MA

Bit manipulations Operate on the bits of integers (0,...,31 for 4-byte integer) Single-bit

Fast Straightening Algorithm for Bracket Polynomials Based on Tableau Manipulations Changpeng

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verification Games Verifying Fire Hydrants 10 mins http://pygy.co/bQn

Bit Manipulations Comp 1402/1002 Octal and Hex Constants Octal constant Nos. : Preceeded by 0

Chapter 6. Converter Circuits Where do the boost, 6.1. Circuit manipulations buck-boost,

Xerox/DOM Presentation Fall 2016 CONTENTS 1. Verifying Eligibility 2. Taxonomy Code Placement

possible manipulations Dont Touch the VIX! Oops. March 2018, Gontran de Quillacq Navesink

A heuristic method for formally verifying real inequalities Robert Y. Lewis Vrije Universiteit

MATLAB Seminar CS Grad Seminars Outline 1. MATLAB Basics 2. Matrix Manipulations 3. Using .m