ebook img

Certifying floating-point implementations using Gappa PDF

0.2 MB·
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Certifying floating-point implementations using Gappa

Certifying floating-point implementations using Gappa Florent deDinechin,ChristophLauter,and GuillaumeMelquiond February 2,2008 8 Abstract 0 Highconfidenceinfloating-pointprogramsrequiresprovingnumericalpropertiesoffinalandintermediatevalues. 0 Onemayneedtoguaranteethatavaluestayswithinsomerange,orthattheerrorrelativetosomeidealvalueiswell 2 bounded. Such work may require several lines of proof for each line of code, and will usually be broken by the n smallestchangetothecode(e.g. formaintenanceoroptimizationpurpose). Certifyingtheseprogramsbyhandis a thereforevery tedious and error-prone. Thisarticlediscusses the use of the Gappa proof assistant in thiscontext. J Gappa has two main advantages over previous approaches: Its input format is very close to the actual C code to 3 validate, and it automates error evaluation and propagation using interval arithmetic. Besides, it can be used to incrementallyprovecomplexmathematicalpropertiespertainingtotheCcode. Yetitdoesnotrequireanyspecific ] A knowledge about automatictheorem proving, and thusisaccessible toawide community. Moreover, Gappa may generateaformalproofoftheresultsthatcanbechecked independently byalower-levelproof assistantlikeCoq, N henceprovidinganevenhigherconfidenceinthecertificationofthenumericalcode.Thearticledemonstratestheuse . s ofthistoolonareal-sizeexample,anelementaryfunctionwithcorrectlyroundedoutput. c [ 1 Introduction 1 v 3 Floating-point(FP)arithmeticwasdesignedtohelpdevelopingsoftwarehandlingrealnumbers.However,FPnumbers 2 are only an approximation to the real numbers. A novice programmer may incorrectly assume that FP numbers 5 possessallthebasicpropertiesoftherealnumbers,forinstanceassociativityoftheaddition,andwastetimefighting 0 the associated subtle bugs. Having been bitten once, he may foreverstay wary of FP computingas somethingthat . 1 cannotbe trusted. As many safety-critical systems rely on floating-pointarithmetic, the question of the confidence 0 thatonecanhaveinsuchsystemsisofparamountimportance,allthemoreasfloating-pointhardware,longavailable 8 0 inmainstreamprocessors,isnowalsoincreasinglydesignedintoembeddedsystems. : This question was addressed in 1985 by the IEEE-754 standard for floating-pointarithmetic [1]. This standard v definescommonfloating-pointformats(singleanddoubleprecision),butitalsopreciselyspecifiesthebehaviorofthe i X basic operators+, , , , and√ . Intheroundingmodeto thenearest, these operatorsshallreturnthecorrectly − × ÷ r rounded result, uniquely defined as the floating-pointnumber closest to the exact mathematical value (in case of a a tie,thenumberreturnedistheonewiththeevenmantissa). Thestandardalsodefinesthreedirectedroundingmodes (towards+ ,towards ,andtowards0)withsimilarcorrectroundingrequirementsontheoperators. ∞ −∞ Theadoptionandwidespreaduseofthisstandardhaveincreasedthenumericalqualityandportabilityoffloating- pointcode. Ithas improvedconfidencein such code and allowed constructionof proofsof numericalbehavior[2]. Directed rounding modes are also the key to enable efficient interval arithmetic [3], a general technique to obtain validatednumericalresults. Thisarticle isrelated tothe IEEE-754standardintwo ways. Firstly, itdiscusses theissue of provingproperties ofnumericalcode,buildinguponthepropertiesspecifiedbythisstandard. Secondly,oneofourcasestudieswillbe theproofoftheimplementationofanelementaryfunction(thelogarithm)returningcorrectly-roundedresults. Such correctly-roundedimplementationswillcontributetoabetterfloating-pointstandard,wherethenumericalqualityof elementaryfunctionsmatchesthatofthebasicoperators. ElementaryfunctionswereleftoutoftheIEEE-754standardin1985inpartbecausethecorrectroundingproperty ismuchmoredifficulttoguaranteethanforthebasicarithmeticoperators.Theproblemwillbeexposedindetailinthe sequel.Inshort,thecorrectnessoftheimplementationofacorrectlyroundedfunctionrequirestheaprioriknowledge 1 ofaboundontheoverallerrorofevaluatingf(x). Moreover,thisboundshouldbetight,asalooseboundnegatively impactsperformance[4,5]. Thisarticledescribesanapproachtomachine-checkableproofsofsuchtightbounds,whichisbothinteractiveand easy to manage, yetmuch safer than a hand-writtenproof. Itappliesto errorboundsas well as rangebounds. Our approachisnotrestrictedtothe validationofelementaryfunctions. Itcurrentlyappliestoanystraight-linefloating- pointprogramofreasonablesize(uptoseveralhundredsofoperations). Thenoveltyhereistheuseofatoolthattransformsahigh-leveldescriptionoftheproofintoamachine-checkable version, in contrast to previouswork by Harrison [6, 7] who directly described the proof of the implementation of some functionsin all the low-leveldetails. The Gappa approachis more concise and more flexible in the case of a subsequentchangetothecode.Moreimportantly,itisaccessibletopeopleoutsidetheformalproofcommunity. Thisarticleisorganizedasfollows.Nextsectiondescribesindetailthechallengesposedbyautomaticcomputation oftightboundsonrangesanderrors.Section3describestheGappatool.Section4givesanoverviewonthetechniques forprovinganelementaryfunctionusingGappaandgiveanextensiveexampleoftheinteractiveconstructionofthe proof. 2 Proving properties of floating-point code 2.1 Floating-pointnumbers are notreal numbers We have already mentioned that floating-point(FP) numbersdo not possess basic properties of real numbers. The followingFPcodesequence,duetoDekker[8],illustratesthis: Listing1: TheFast2Sumalgorithm. s = a+b; 1 r = b-(s-a); 2 Thissequenceconsistsonlyofthreeoperations. ThefirstonecomputestheFPsumofthetwonumbersaandb. The second one would always return b and the third one 0, if this FP sum was exact. As the numbershere are FP numbers,however,thesumisofteninexact,becauseoftherounding. InIEEE-754arithmeticwithround-to-nearest, undercertainconditions,this algorithmcomputesin r theerrorcommittedbythis firstrounding. Inotherwords, it ensuresthatr+s = a+binadditiontothefactthatsistheFPnumberclosesttoa+b. TheFast2Sumalgorithm providesuswithanexactrepresentationofthesumoftwoFPnumbersasapairofFPnumbers,averyusefuloperation. Thisexampleillustratesanimportantpoint,whichpervadesallofthisarticle: FPnumbersmaybeanapproxima- tionofthe realsthatfailsto ensurebasic propertiesofthereals, buttheyarealso a verywell-definedsetofrational numbers,whichhaveotherwell-definedproperties,uponwhichitispossibletobuildmathematicalproofssuchasthe proofoftheFast2Sumalgorithm. LetuscomebacktotheconditionunderwhichtheFast2Sumalgorithmworks.Thisconditionisthattheexponent of a is largerthanor equalto thatof b, whichwill be true forinstance if a b. If oneis to use thisalgorithm, | | ≥ | | onehasfirsttoprovethatthisconditionistrue. NotethatalternativestotheFast2Sumexistforthecasewhenoneis unabletoprovethiscondition. TheversionbyKnuth[9]requires6operationsinsteadof3. Here,beingabletoprove thecondition,whichisapropertyonvaluesofthecode,willresultinbetterperformance. The proof of the properties of the Fast2Sum sequence (three FP operations) requires several pages [8], and is indeedcurrentlyoutofreachof theGappatool, basicallybecauseitcan notbe reducedto manipulatingrangesand errors. Thisisnotaproblem,sincethisalgorithmhasalreadybeenprovenusingmachinecheckers[10]. Weconsider itasagenericbuilding-blockoflargerfloating-pointprograms,andthefocusofourapproachistoautomatetheproof ofsuchlargerprograms.InthecaseoftheFast2Sum,thismeansprovingthecondition. Let us now introduce the class of larger FP programs that we have targeted in this work: implementations of elementaryfunctions 2 2.2 Elementary functions Currentfloating-pointimplementationsof elementaryfunctions[11, 12, 13, 14, 15] have severalfeaturesthatmake theirproofchallenging: Thecodesizeistoolargetobesafelyprovenbyhand.InthefirstversionsoftheCRlibmproject,thecomplete • paperproofofasinglefunctionrequiredtensofpages. Itisdifficulttotrustsuchproofs. The code is optimized for performance, making extensive use of floating-point tricks such as the Fast2Sum • above. As a consequence, classical tools of real analysis cannot be straightforwardly applied. Very often, consideringthesameoperationsonrealnumberswouldbesimplymeaningless. Thecodeisboundtoevolveforoptimizationpurpose,becausebetteralgorithmsmaybefound,butalsobecause • the processor technology evolves. Such changes will impose to rewrite the proof, which is both tedious and error-prone. Much of the knowledge required to prove error bounds on the code is implicit or hidden, be it behind the • semanticsoftheprogramminglanguage(whichdefinesimplicitparenthesing,forexamples),orinthevarious approximationsmade. Therefore,the mere translationof a piece of codeinto a set of mathematicalvariables thatrepresentthevaluesmanipulatedbythiscodeistediousanderror-proneifdonebyhand. Fortunately,FPelementaryfunctionimplementationsalsohavepleasantfeaturesthatmaketheirprooftractable: There is a clear and simple definition of the mathematical object that the floating-point code is supposed to • approximate.Thiswillnotalwaysbethecaseofe.g.scientificsimulationcode. Thecodesizeissmallenoughtobetractable,typicallylessthanahundredfloating-pointoperations. • Thecontrolflowissimple,consistingmostlyofstraight-linecodewithafewtestsbutnoloops. • Thefollowingelaboratesonthesefeatures. 2.2.1 Aprimeronelementaryfunctionevaluation Theevaluationofanelementaryfunctionisclassically[14,15]performedbyapolynomialapproximationvalidona small intervalonly. A range reductionstep bringsthe inputnumberx into thissmall interval, and a reconstruction step buildsthe final result outof the results of both previoussteps. For example, the logarithmmay use as a range reductionthe errorlessdecompositionof x into its mantissa m and exponentE: x = m 2E. It may then evaluate · thelogarithmofthemantissa,andthereconstructionconsistsinevaluatinglog(x) = log(m)+E log(2). Notethat · currentimplementationstypically involveseverallayered steps of range reductionand reconstruction. With current processortechnology,efficientimplementations[11,12,16]relyonlargetablesofprecomputedvalues.Seethebooks byMuller[15]orMarkstein[17]forrecentsurveysonthesubject. Inthepreviouslogarithmexample,therangereductionwasexact,butthereconstructioninvolvedamultiplication by the irrational log(2), and was therefore necessarily approximate. This is not always the case. For example, for trigonometricfunctions,therangereductioninvolvessubtractingmultiplesoftheirrationalπ/2,andwillbeinexact, whereasthereconstructionstep consistsin changingthe signdependingonthequadrant,whichisexactin floating- pointarithmetic. Itshouldnotcomeasasurprisethateitherrangereductionorreconstructionareinexact. Indeed,FPnumbersare rational numbers, but for most elementary functions, it can be proven that, with the exception of a few values, the imageofarationalisirrational.Therefore,inanimplementation,oneisbound,atsomepoint,tomanipulatenumbers whichareapproximationsofirrationalnumbers. Thisintroducesanotherissue whichisespeciallyrelevanttoelementaryfunctionimplementation. Onewantsto obtain a double-precision FP result which is a good approximation to the mathematical result, the latter being an irrationalmostofthetimes. Forthispurpose,oneneedstoevaluateanapproximationofthisirrationaltoaprecision betterthanthatoftheFPformat. 3 2.2.2 Reachingbetter-than-doubleprecision Better-than-doubleprecisionistypicallyattainedthankstodouble-extendedarithmeticonprocessorsthatsupportit, ordouble-doublearithmetic,whereanumberisheldastheunevaluatedsumoftwodoubles,justasthe8-digitdecimal number3.8541942 101mayberepresentedbytheunevaluatedsumoftwo4-digitnumbers3.854 101+1.942 10−3. · · · Well-knownandwell-provenalgorithmsexistformanipulatingdouble-doublenumbers[8,9],thesimplestofwhich istheFast2Sumalreadyintroduced. Howeverthesealgorithmsarecostly,aseachoperationondouble-doublenumbersrequiresseveralFPoperations. Inthisarticle,wewillconsiderimplementationsbasedondouble-doublearithmetic,becausetheyaremorechalleng- ing,butGappahandlesdouble-extendedarithmeticequallywell. 2.3 Floating-pointerrors, but not only Theevaluationofanymathematicalfunctionentailstwomainsourcesoferrors. Approximation errors (also called methodical errors), such as the error of approximating a function with a • polynomial.Onemayhaveamathematicalboundforthem(givenbyaTaylorformulaforinstance),oronemay have to compute such a boundusing numerics[18], for example if the polynomialhas been computed using Remezalgorithm. Roundingerrors,producedbymostfloating-pointoperationsofthecode. • The distinction between both types of errorsis sometimes arbitrary: for example, the error due to roundingthe polynomialcoefficients to floating pointnumbersis usually included in the approximationerror of the polynomial. Thesameholdsfortheroundingoftablevalues,whichisaccountedformoreaccuratelyasapproximationerrorthanas roundingerror.Thispointismentionedherebecausealackofaccuracyinthedefinitionofthevariouserrorsinvolved inagivencodemayleadtooneofthembeingforgotten. 2.4 The point withefficient code Efficient code is especially difficult to analyze and prove because of all the techniques and tricks used by expert programmers. Forinstance,manyfloating-pointoperationsareexact,andtheexperienceddeveloperoffloating-pointcodewill try to use them. Examples include multiplication by a power of two, subtraction of numbers of similar magnitude thanks to Sterbenz’ Lemma [19], exact addition and exact multiplication algorithms (returning a double-double), multiplicationofasmallintegerbyafloating-pointnumberwhosemantissaendswithenoughzeroes,etc. Theexpertprogrammerwillalsodohisbesttoavoidcomputingmoreaccuratelythanstrictlyneeded. Hewillre- movefromthecomputationsomeoperationsthatareexpectednottoimprovetheaccuracyoftheresultbymuch.This canbeexpressedasanadditionalapproximation.However,itsoonbecomesdifficulttoknowwhatisanapproximation towhat,especiallyasthecomputationsarere-parenthesizedtomaximizefloating-pointaccuracy. Toillustratetheresultingcodeobfuscation,letusintroducethepieceofcodethatwillserveasarunningexample alongthisarticle. 2.5 Example: Adouble-double polynomialevaluation Listing2isanextractofthecodeofasinefunctionintheCRlibmlibrary.Thesethreelinescomputethevalueofan oddpolynomialp(y)= y+s y3+s y5+s y7 closetotheTaylorapproximationofthesine(itsdegree-1 3 5 7 × × × coefficientisequalto1).Inouralgorithm,thereducedargumentyisideallyobtainedbysubtractingtotheFPinputx anintegermultipleofπ/256.Asaconsequencey [ π/512,π/512] [ 2−7,2−7]. ∈ − ⊂ − However,asy isirrational,theimplementationofthisrangereductionhastoreturnanumbermoreaccuratethan adouble,otherwisethereisnohopeofachievinganaccuracyofthesinethatmatchesfloating-pointdoubleprecision. Inourimplementation,rangereductionthereforereturnsadouble-doubleyh+yl. 4 Tominimisethenumberofoperations,Hornerruleisusedforthepolynomialevaluation:p(y)=y+y3 (s + 3 × y2 (s +y2 s )). Foradouble-doubleinputy =yh+yl,theexpressiontocomputeisthus(yh+yl)+(yh+ 5 7 × × yl)3 (s +(yh+yl)2 (s +(yh+yl)2 s )). 3 5 7 × × × The actual code uses an approximation to this expression: the computation will be accurate enough if all the Horner steps except the last one are computed in double-precision. Thus, y will be neglected for these iterations, l and coefficientss to s will be stored as double-precisionnumbersnoteds3, s5 and s7. The previousexpression 3 7 becomes: (yh+yl)+yh3 (s3+yh2 (s5+yh2 s7)). × × × However, if this expression is computed as parenthesized above, it will not be very accurate. Specifically, the floating-pointadditionyh+ylwill(bydefinitionofadouble-double)returnyh, sotheinformationheldbyylwill be completelylost. Fortunately,the rest of the Hornerevaluationalso has much smaller magnitudethan yh (this is deducedfromy [ 2−7,2−7], thereforey3 [ 2−21,2−21]). Thefollowingparenthesingisthereforemuchmore ∈ − ∈ − accurate: yh+(cid:0)yl+yh yh2 (s3+yh2 (s5+yh2 s7))(cid:1). × × × × Inthislastversionoftheexpression,onlytheleftmostadditionmustbeaccurate:wewilluseaFast2Sum(which aswesawisanexactadditionoftwodoublesreturningadouble-double).Theotheroperationsusethenative—and thereforefast—double-precisionarithmetic.WeobtainthecodeofListing2. Listing2: ThreelinesofC 1 yh2 = yh*yh; 2 ts = yh2 * (s3 + yh2*(s5 + yh2*s7)); 3 Fast2Sum(sh,sl, yh, yl + yh*ts); Tosumup,thiscodeimplementstheevaluationofapolynomialwithmanylayersofapproximation.Forinstance, variableyh2approximatesy2throughthefollowinglayers: ywasapproximatedbyyh+ylwiththerelativeaccuracyǫ argred • yh+ylisapproximatedbyyhinmostofthecomputation, • yh2isapproximatedbyyh2=yh*yh,withafloating-pointroundingerror. • Inaddition,thepolynomialisanapproximationtothesinefunction,witharelativeerrorboundofǫ which approx issupposedknown(howitwasobtaineditisoutofthescopeofthispaper[18]). Thus,thedifficultyofevaluatingatightboundonanelementaryfunctionimplementationistocombineallthese errorswithoutforgettinganyofthem,andwithoutusingoverlypessimisticboundswhencombiningseveralsources of errors. The typicaltrade-offhere will be thata tight boundrequiresconsiderablemorework than a loose bound (anditsproofmightinspireconsiderablylessconfidence). Somereadersmaygetanideaofthistrade-offbyrelating eachintermediatevaluewithitserrortoconfidenceintervals,andpropagatingtheseerrorsusingintervalarithmetic. Inmanycases, atightererrorwillbeobtainedbysplittingconfidenceintervalsintoseveralcases, andtreatingthem separately,attheexpenseofanexplosionofthenumberofcases. ThisisoneofthetasksthatGappawillhelpfully automate. 2.6 Previous andrelated work Wehavenotyetexplainedwhyatighterrorboundisrequiredinordertoobtainacorrectlyroundedimplementation. Thisquestionissurveyedin[5]. Tosumitup,anerrorboundisneededtoguaranteecorrectrounding,andthetighter the bound, the more efficient the implementation. A related problem is that of proving the behaviour of interval elementaryfunctions[20].Inthiscase,aboundisrequiredtoensurethattheintervalreturnedbythefunctioncontains theimageoftheinputinterval. Alooseboundheremeansreturningalargerintervalthanpossible,andhenceuseless intervalbloat. Inbothcase,thetighterthebound,thebettertheimplementation. Asasummary,proofswrittenforversionoftheCRlibmprojectuptoversions0.8[21]aretypicallycomposedof severalpagesofpaperproofandseveralpagesofsupportingMapleforafewlinesofcode.Thisprovidesanexcellent 5 documentationandhelpsmaintainingthecode,butexperiencehasconsistentlyshownthatsuchproofsareextremely error-prone.ImplementingtheerrorcomputationinMaplewasafirststeptowardstheautomationofthisprocess,but ifithelpsavoidingcomputationmistakes,itdoesnotpreventmethodologicalmistakes. Gappawasdesigned,among otherobjectives,inordertofillthisvoid. Therehasbeenotherattemptsofassistedproofsofelementaryfunctionsorsimilarfloating-pointcode. Thepure formalproofapproachofHarrison[6,7,22]goesdeeperthantheGappaapproach,asitaccountsforapproximation errors. However it is accessible only to experts of formal proofs, and fragile in case of a change to the code. The approachofKrämeretal[23,24]reliesonoperatoroverloadinganddoesnotprovideaformalproof. 3 The Gappa tool Gappa1 extendsthe intervalarithmetic paradigmto the field of numericalcodecertification [25, 26]. Given the de- scriptionofalogicalpropertyinvolvingtheboundsofmathematicalexpressions,thetooltriestoprovethevalidityof thisproperty. Whenthe propertycontainsunboundedexpressions,the toolcomputesboundingrangessuch thatthe propertyholds. Forinstance,theincompleteproperty“x+1 [2,3] x [?,?]”canbeinputtoGappa. Thetool ∈ ⇒ ∈ answersthat[1,2]isarangeoftheexpressionxsuchthatthewholepropertyholds. OnceGappahasreachedthestagewhereitconsidersthepropertytobevalid,itgeneratesaformalproofthatcan becheckedbyanindependentproofassistant. ThisproofiscompletelyindependentofGappaanditsvaliditydoesnot dependonGappa’sownvalidity. Itcanbemechanicallyverifiedbyanexternalproofcheckerandincludedinbigger formaldevelopments. 3.1 Floating-pointconsiderations Section4willgiveexamplesofGappa’ssyntaxandshowthatGappacanbeappliedtomathematicalexpressionsmuch morecomplexthanjustx+1,andinparticulartofloating-pointapproximationofelementaryfunctions.Thisrequires describingfloating-pointarithmeticexpressionswithinGappa. Gappa only manipulates expressions on real numbers. In the property x + 1 [2,3], x is just a universally- quantified real number and the operator + is the usual addition on real numbers∈R. Floating-point arithmetic is expressedthroughtheuseof“roundingoperators”:functionsfromRtoRthatassociatetoarealnumberxitsrounded value (x)inaspecificformat. Theseoperatorsaresufficienttoexpresspropertiesofcoderelyingonmostfloating- ◦ pointorfixed-pointarithmetics. Verifyingthatacomputedvalueisclosetoanidealvaluecannowbedonebycomputinganenclosureoftheerror betweenthesetwovalues.Forexample,theproperty“x [1,2] ( (2 x) 1) (2 x 1) [?,?]”expresses ∈ ⇒◦ ◦ × − − × − ∈ theabsoluteerrorcausedduringthefloating-pointcomputationofthefollowingnumericalcode: float x = ...; 1 assert(1 <= x && x <= 2); 2 3 float y = 2 * x - 1; InfinitiesandNaNs(Not-a-Numbers)arenotanimplicitpartofthisformalism: Theroundingoperatorsreturna real value and there is no upper boundon the magnitudeof the floating-pointnumbers. This means that NaNs and overflowswillnotbegeneratednorpropagatedastheywouldinIEEE-754arithmetic. However,onemayuseGappa toproveveryusefulproperties,forinstancethatoverflows,orNaNsduetosomedivisionby0,cannotoccurinagiven code: This can be expressed in terms of intervals. What one cannot prove are propertiesdepending on the correct propagationofinfinitiesandNaNsinthecode. 3.2 Proving properties using intervals Thankstotheinclusionpropertyofintervalarithmetic,ifxisanelementof[0,3]andyanelementof[1,2],thenx+y isanelementoftheintervalsum[0,3]+[1,2]=[1,5]. Thistechniquebasedonintervalevaluationcanbeappliedto anyexpressiononrealnumbers.ThatishowGappacomputestheenclosuresrequestedbytheuser. 1http://lipforge.ens-lyon.fr/www/gappa/ 6 Intervalarithmeticisnotrestrictedtothisrolethough. Indeedtheintervalsum[0,3]+[1,2] = [1,5]donotonly giveboundsonx+y,itcanalsobeseenasaproofofx+y [1,5].Suchacomputationcanbeformallyincludedas ∈ anhypothesisofthetheoremontheenclosureofthesumoftworealnumbers.Thismethodisknownascomputational reflexivity[27]andallowsfortheproofstobemachine-checkable.ThatishowtheformalproofsgeneratedbyGappa canbecheckedindependentlywithoutrequiringanyhumaninteractionwithaproofassistant. Such “computable” theorems are available for the Coq [28] and HOL Light [29] proof assistants. Previous work [30] on using interval arithmetic for proving numerical theorems has shown that a similar approach can be appliedforthePVS[31]proofassistant. Aslongasaproofcheckerisabletodobasiccomputationsonintegers,the theoremsGappareliesoncouldbeprovided. Asaconsequence,theoutputofGappacanbetargetedtoawiderange offormalcertificationframeworks,ifneeded. 3.3 Other computable predicates Enclosures are not the only useful predicates. As intervals are connected subsets of the real numbers, they are not powerfulenoughtoprovesomepropertiesondiscretesetslikefloating-pointnumbersorintegers. SoGappahandles otherclassesofpredicatesforanexpressionx: FIX(x,e) m Z, x=m 2e ≡ ∃ ∈ · FLT(x,p) m,e Z, x=m 2e m <2p ≡ ∃ ∈ · ∧| | Aswithintervals,Gappacancomputewiththesenewpredicates. Forexample,FIX(x,e ) (y,e ) FIX(x+ x y ∧ ⇒ y,min(e ,e )). Thesepredicatesareespeciallyusefultodetectrealnumbersexactlyrepresentableinagivenformat. x y Inparticular,Gappausesthemtofindroundedoperationsthatcansafelybeignoredbecausetheydonotcontributeto theglobalroundingerror. Letusconsiderthefloating-pointsubtractionoftwofloating-pointnumbersx [3.2,3.3] ∈ and y [1.4,1.8]. Note that Sterbenz’ Lemma is not sufficient to prove that the subtraction is actually exact, as 3.3 >2∈. Gappais,however,abletoautomaticallyprovethat (x y)isequaltox y. 1.4 ◦ − − Asxandyarefloating-pointnumbers,Gappafirstprovesthattheycanberepresentedwith24bitseach(assuming single precision arithmetic). As x is bigger than 3.2, it can then deduce it is a multiple of 2−22, or FIX(x, 22). − Similarly,itprovesFIX(y, 23). ThepropertyFIX(x y, 23)comesthennaturally. Bycomputingwithintervals, − − − Gappaalsoprovesthat x y isboundedby1.9. AconsequenceoftheselasttwopropertiesisFLT(x y,24):only | − | − 24bitsareneededtorepresentx y. Sox yisrepresentablebyasingle-precisionfloating-pointnumber. − − Therearealsosomespecializedpredicatesforenclosures.Thefollowingoneexpressestherangeofanexpression uwithrespecttoanotherexpressionv: REL(u,v,[a,b]) 1<a ǫ [a,b], u=v (1+ǫ) ≡ − ∧∃ ∈ · Thispredicateisseeminglyequivalenttotheenclosureoftherelativeerror u−v.Itallows,however,tosimplifyproofs, v as the error can now be manipulatedeven when v is potentiallyzero. For example, the relative roundingerror of a floating-pointadditionvanisheson subnormalnumbers(includingzero)andis boundedelsewhere, so thefollowing propertyholds:REL( (x+y),x+y,[ 2−53,2−53])whenroundingtonearestindoubleprecision. ◦ − 3.4 Gappa’s engine Becausebasicintervalevaluationsdonotkeeptrackofcorrelationsbetweenexpressionssharingthesameterms,some computed ranges may be too wide to be useful. This is especially true when boundingerrors. For example, when boundingtheabsoluteerror (a) bbetweenanapproximation (a)andanexactvalueb. Thesimplestoptionisto ◦ − ◦ firstcomputetherangesof (a)andb separatelyandthen subtractthem. However,firstrewritingthe expressionas ◦ ( (a) a)+(a b)andthenbounding (a) a(asimpleroundingerror)anda bseparatelybeforeaddingtheir ◦ − − ◦ − − rangesusuallygivesamuchtighterresult. Theserulesareinspiredbytechniquesdevelopersusuallyapplybyhandin ordertocertifytheirnumericalapplications. Gappaincludesadatabaseofsuchrewritingrules(section3.5showshowtheusermayexpandthisdatabase).The toolappliesthemautomatically,so thatitcanboundexpressionsalongvariousevaluationpaths. Sinceanyofthese 7 resultingintervalsenclosestheinitialexpression,theirintersectiondoes,too.Gappakeepstrackofthepathsthatlead tothetightestintervalintersectionanddiscardstheothers,soastoreducethesizeofthefinalproof. Itmayhappen that the resulting intersection is empty; it means that there is a contradictionbetween the hypothesesof the logical propertyandGappawilluseittoproveallthegoalsofthelogicalproperty. Oncethelogicalpropertyhasbeenproved,aformalproofisgeneratedbyretracingthepathsthatwerefollowed whencomputingtheranges. 3.5 Hints WhenGappaisnotabletosatisfythegoalofthelogicalproperty,thisdoesnotnecessarilymeanthatthepropertyis false. ItmayjustmeanthatGappahasnotenoughinformationabouttheexpressionsittriestobound. Itispossible to helpGappain these situationsbyprovidingrewriting hints. These arerewritingrulessimilar to thosepresentedaboveinthecaseofrounding,butwhoseusefulnessisspecifictotheproblemathand. 3.5.1 Explicithints Ahinthasthefollowingform: Expr1 -> Expr2; ItisusedtogivethefollowinginformationtoGappa:“Ibelieveforsomereasonthat,shouldyouneedtocompute anintervalforExpr1,youmightgetatighterintervalbytryingthemathematicallyequivalentExpr2”. Thisfuzzy formulationisbetterexplainedbyconsideringthefollowingexamples. 1. The “some reason” in question will typically be that the programmer knows that expressions A, B and C are different approximations of the same quantity, and furthermore that A is an approximation to B which is an approximationtoC.Aspreviously,thismeansthatthesevariablesarecorrelated,andtheadequatehinttogive inthiscaseis A - C -> (A - B) + (B - C); ItwillsuggesttoGappatofirstcomputeintervalsforA-BandB-C,andthentosumthemtogetanintervalfor A-C. AsthereareaninfinitenumberofarbitraryBexpressionsthatcanbeinsertedintherighthandsideexpression, GappadoesnottrytoapplyeverypossiblerewritingrulewhenitencountersA-C.However,as3.5.2willshow, GappausuallyinferssomeusefulBexpressionsandappliestherewritingrulesautomatically. 2. Relativeerrorscanbemanipulatedsimilarly. Thehinttouseinthiscaseis (A-C)/C -> (A-B)/B + (B-C)/C + ((A-B)/B)*((B-C)/C); Thisisstillamathematicalidentity,asonemaycheckeasily. Again,GappatriestoinfersomeusefulBexpres- sionsandtoapplythecorrespondingrewritingrules. 3. When x is an approximation of MX and a relative error ǫ = x−MX is known by the tool, x can be rewritten MX MX (1+ǫ). Thiskindofhintisusefulincombinationwiththefollowingone. · 4. When manipulating fractional terms such as Expr1 where Expr1 and Expr2 are correlated (for example one Expr2 approximatingtheother),theintervaldivisionfailstogiveusefulresultsiftheintervalforExpr2comesclose to0.Inthiscase,onewilltrytowriteExpr1=A Expr3andExpr2=A Expr4,sothattheintervalonExpr4 · · doesnotcomecloseto0anymore.Thefollowinghintisthenappropriate: Expr1 / Expr2 -> Expr3 / Expr4; ThisrewritingruleisonlyvalidifAisnotzero,sothecaseA = 0hastobehandledseparately. SothatGappa doesnotapplytheruleinaninvalidcontext,aconstraintonAcanbeadded.Therulethusbecomes: 8 Expr1 / Expr2 -> Expr3 / Expr4 { A <> 0 }; Allthesehintsarecorrectifbothsidesaremathematicallyequivalent. Gappathereforechecksthisautomatically. If the test fails, it emits a warning to the user that he or she must review the hint by hand. Therefore,writing even complexhintsisverysafe:onemaynotintroduceanerrorintheproofbywritinghintswhichdonotemitwarnings. Besides,uselesshintsmayconsumeexecutiontimeasGappatriesinvaintousethem,butiftheyareuseless,they willbesilentlyignoredinthefinalproof.Therefore,writinguselesshintsisessentiallyharmless. 3.5.2 Automatichints AfterusingGappatoproveseveralelementaryfunctions,onethingbecameclear: Userskeptwritingthesamehints, typicallyofthethreefirstkindsenumeratedin3.5. Gappawasthereforemodifiedtointroduceanewkindofhint: Expr1 ~ Expr2; that reads “Expr1 approximatesExpr2”. This has the effect of introducingrewriting hints both for absolute and relativedifferencesinvolvingExpr1orExpr2. Theremaybeuselesshintsamongsuchautomatichints, butagain theywillbemostlyharmless. Forinstance,whenitencountersanexpressionoftheformExpr1 - Expr3(foranyexpressionExpr3),Gappa automaticallytries the rule Expr1-Expr3 -> (Expr1-Expr2) + (Expr2-Expr3). And when it encoun- tersExpr3 - Expr2,ittriestherewritingruleExpr3-Expr2 -> (Expr3-Expr1) + (Expr1-Expr2). Bydefault,GappaassumesthatExpr1approximatesExpr2if Expr1istheroundedvalueofExpr2. Italso makesthisassumptionwhenanenclosureoftheabsoluteorrelativeerrorbetweenExpr1andExpr2appearsinthe hypothesesofthelogicalpropositionGappahastoprove. Remark: Itisveryimportant,inthevariousdifferencesappearinginalltheseexpressions,thattheleastaccurate termiswrittenfirstandthemostaccuratewrittenlast. ThemainreasonisthatthetheoremsofGappa’sdatabaseapply to expressionswritten in this order. This orderingconventionpreventsa combinatorialexplosionon the numberof pathstoexplore. 3.5.3 Bisectionanddichotomyhints Finally,itispossibletoinstructGappatosplitsomeintervalsandperformitsexplorationontheresultingsub-intervals. Thereareseveralpossibilities. Forinstance,thefollowinghint $ z in (-1,2); reads“Betterenclosuresmaybeobtainedbyseparatelyconsideringthesub-casesz 1, 1 z 2,and2 z.” ≤− − ≤ ≤ ≤ Thefollowinghintfindsthesplittingpointsautomaticallybyperformingadichotomyontheintervalofzuntilthe partofthegoalcorrespondingtoExprasbeensatisfiedforallthesub-intervalsofz. Expr $ z; 3.5.4 Writinghintsinaninteractiveway Gappahasevolvedtoincludemoreandmoreautomatichints,butmostreal-worldproofsstillrequirewritingcomplex, problem-specifichints. FindingtherighthintthatGappaneedscouldbequitecomplexandwouldrequirecompletely mastering its theorem database and the algorithmsused by its engine. Fortunately, a much simpler way is to build the proofincrementally and question the tool by adding and removingintermediategoals to prove, as the extended example in next section will show. Before that, we first describe the outline of the methodology we use to prove elementaryfunctions. 9 4 Proving elementary functions using Gappa As in every proof work, style is important when working with Gappa: in a machine-checked proof, bad style will not in principle endanger the validity of the proof, but it may preventits author to get to the end. In the CRlibm framework,itmayhinderacceptanceofmachine-checkedproofsamongnewdevelopers. Gappadoesnotimposeastyle, andwhenwestartedusingittherewasnopreviousexperiencetogetinspiration from. Afterafewmonthsofuse,wehadimprovedour“codingstyle”inGappa,sothattheproofsweremuchmore conciseandreadablethantheearlierones.Wehadalsosetupamethodologythatworkswellforelementaryfunctions. Thissectionisanattempttodescribethismethodologyandstyle. Weareawarethattheymaybeinadequateforother applications,andthatevenforelementaryfunctionstheycouldbeimprovedfurther. Themethodologyconsistsinthreesteps,whichcorrespondtothethreesectionsofaGappainputfile. First,theCcodeistranslatedintoGappaequations,inawaythatensuresthattheGappaproofwillindeedprove • somepropertyofthisprogram(andnotofsomeothersimilarprogram). Thenequationsareaddeddescribing whattheprogramissupposedtoimplement.Usually,theseequationsarealsoincorrespondencewiththecode. Then, the propertyto proveis added. Itis usuallyin theformhypotheses -> properties,where the • hypotheses are known bounds on the inputs, or contribution to the error determined outside Gappa, like the approximationerrors. Finally,onehastoaddhintstohelpGappacompletetheproof.Thislastpartisbuiltincrementally. • Thefollowingsectionsdetailthesethreesteps. 4.1 Translating a FPprogram WeconsideragainthefollowingCcode,wherewehaveaddedtheconstants: s3 = -1.6666666666666665741e-01; 1 s5 = 8.3333333333333332177e-03; 2 s7 = -1.9841269841269841253e-04; 3 4 yh2 = yh*yh; 5 ts = yh2 * (s3 + yh2*(s5 + yh2*s7)); 6 Fast2Sum(sh,sl, yh, yl + yh*ts); Thereis a lot of roundingoperationsin this code, so the first thing to do is to define Gappa roundingoperators fortheroundingmodesusedintheprogram. Inourexample,weusethefollowinglinetodefineIEEEdoubleasa shortcutforIEEE-compliantroundingtothenearestdouble,whichisthemodeusedinCRlibm. @IEEEdouble = float<ieee_64,ne>; Then,iftheCcodeisitselfsufficientlysimpleandclean,thetranslationsteponlyconsistsinmakingexplicitthe roundingoperationsimplicitin the Csourcecode. Tostartwith, the constantss3, s5 ands7 are givenasdecimal strings,andtheCcompilersweuseconvertthemto(binary)double-precisionFPnumberswithroundtonearest. We ensurethatGappaworkswiththesesameconstantsasthecompiledCcodebyinsertingexplicitroundingoperations: s3 = IEEEdouble(-1.6666666666666665741e-01); s5 = IEEEdouble( 8.3333333333333332177e-03); s7 = IEEEdouble(-1.9841269841269841253e-04); ThenwehavetodothesameforalltheroundingshiddenbehindCarithmeticoperations. Addingbyhandallthe roundingoperators,however,wouldbetediousanderror-prone,andwouldmaketheGappasyntaxsodifferentfrom the C syntax that it would degradeconfidenceand maintainability. Besides, one would have to apply withouterror therules(wellspecifiedbytheC99standard[32])governingforinstanceimplicitparenthesesinaCexpression. For thesereasons,Gappahasasyntaxthatinstructsittoperformthistaskautomatically.ThefollowingGappalines yh2 IEEEdouble= yh * yh; ts IEEEdouble= yh2 * (s3 + yh2*(s5 + yh2*s7)); 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.