Veri(cid:12)cation of IEEE Compliant Subtractive Division Algorithms 1 2 Paul S. Miner and James F. Leathrum, Jr. 1 NASA Langley Research Center, Hampton VA23681-0001 USA, E-mail: [email protected] 2 Old Dominion University, Department ofElectrical and Computer Engineering, Norfolk VA23529 USA,E-mail: [email protected] Abstract. A parameterized de(cid:12)nition of subtractive (cid:13)oating point di- vision algorithms is presented and veri(cid:12)ed using PVS. The general al- gorithm is proven to satisfy a formal de(cid:12)nition of an IEEE standard for (cid:13)oating point arithmetic. The utility of the general speci(cid:12)cation is illustrated usinganumberofdi(cid:11)erentinstancesofthegeneralalgorithm. 1 Introduction As computing systems become more complex, it becomes increasingly di(cid:14)cult toensure thattestingfullyexercises thedesign.Thiswasmadeabundantlyclear by the infamousbug in the (cid:13)oatingpoint unitof the Intel Pentium(TM)micro- processor. The bug consists of (cid:12)ve missing entries in a lookup table. Pratt [20] providesathoroughanalysisofthiserror.Heprovidescompellingargumentsthat athoroughmanualanalysisofadesign maystillallowerrors to evadedetection. This is particularly true if the (cid:13)aw is in a region of the design that is thought to be unreachable. Machine assisted reasoning is crucial to prevent such errors. The SRT divider[19] veri(cid:12)ed by Rue(cid:25), Srivas, and Shankar[17] illustrates how the Prototype Veri(cid:12)cation System (PVS) [16] can be used to prevent omissions in lookup tables similar to that employed by the Pentium (TM). Their work describes a formalrelationship froma veri(cid:12)ed algorithmto aformaldescription of a hardware design. In order to complete the veri(cid:12)cation, it is necessary to relate the algorithmto a formaldescription of the (cid:13)oating point operation. Our work provides a formalrelationship fromthe IEEE (cid:13)oating point stan- dards [6,7]toaclassofveri(cid:12)eddivisionalgorithms.Astrengthoftheoremprover based veri(cid:12)cation is that it allows veri(cid:12)cation of classes of algorithms. Once a class is veri(cid:12)ed with respect to the standard, itis trivialto instantiate it with a speci(cid:12)c instance. The SRTdivider [19]veri(cid:12)ed in[17] is an instance of the class wehaveveri(cid:12)ed.Otherinstances includetheclassicalrestoringandnonrestoring division algorithms.Thus, our general theory provides a standard speci(cid:12)cation for IEEE compliantsubtractive division. The veri(cid:12)cation is structured in a hierarchical fashion. At the root is a ver- i(cid:12)cation of the class of subtractive division algorithms.We illustrate the utility ofthe general veri(cid:12)cation byexhibitinganumber ofinstances. Then it is shown how these algorithms can be extended to provide IEEE compliant rounding. These instances provideacollectionofformalspeci(cid:12)cations forimplementations of (cid:13)oating point division that are known to meet the standard. 2 Related work Much of the previous work in theorem prover based veri(cid:12)cation of (cid:13)oating point algorithms has focused on verifying core algorithms and a correspond- inghardware design.The (cid:12)rst e(cid:11)orts targeted veri(cid:12)ed implementationofbinary nonrestoring algorithms.Leeser, O’Leary, and others present a veri(cid:12)cation (us- ing Nuprl) of a binary nonrestoring square root algorithmand its implementa- tion[12,9].Verkest,et alpresent asimilarveri(cid:12)cation(usingnqthm)ofabinary nonrestoring divisionalgorithm[21]. In response to the (cid:13)aw in the Pentium[20], several researchers investigated theorem prover based veri(cid:12)cations of SRT division hardware. Clarke, German, and Zhao used the Analytica theorem prover to verify Taylor’s[19] radix-4 SRT division circuit [4]. Their veri(cid:12)cation includes an abstract representation of the lookup table and a proof that it de(cid:12)nes all necessary values for the quo- tient selection logic. Rue(cid:25), Srivas, and Shankar generalize this work using the PVS theoremprover. They present a general veri(cid:12)cationofarbitrary radixSRT division algorithms,instantiate their theory with Taylor’sradix-4 SRT division circuit [19], and verify a description of the hardware. Included in their work is a technique to verify a concrete representation of the lookup table. By virtue of PVS’ type system,proof obligationsare automaticallygenerated to ensure that blank entries in the table are inaccessible. In all of the e(cid:11)orts above, the veri(cid:12)cations address the functional correct- ness of (cid:13)oating point algorithms and an associated hardware design. They do not address the issue ofrelatingthe algorithmstoa formalde(cid:12)nition of(cid:13)oating point operations. Harrison has presented a veri(cid:12)cation of two (cid:13)oating point al- gorithms;square root, and a CORDIC[22] natural logarithmalgorithm[8]. For both algorithms, Harrison relates the proofs to a (cid:13)oating point interpretation. Although he does not present hardware descriptions, he does address some of the preliminaryerror analysis necessary to provide correct rounding. The IEEE standards for (cid:13)oating point arithmetic unambiguouslystate that operations shall be performedas if it (cid:12)rst produced an intermediate resultcorrect to in(cid:12)niteprecisionandwithunbounded range,andthenthatresultrounded according to one of the modes ::: [6, 7] Barrett manuallyveri(cid:12)ed a general rounding algorithmwith respect to a Z for- malization of IEEE 754[1, 2]. When Barrett performed his veri(cid:12)cation, there was no machine assisted reasoning for the Z speci(cid:12)cation language. Some tools for machine assisted application of Z have recently been developed [13]. Thus far, these have not been applied to (cid:13)oating point veri(cid:12)cation. Recently,the microcode for the (cid:13)oating point divisionand square root algo- TM rithmsoftheAMD5K86 microprocessorhasbeenmechanicallyveri(cid:12)edusing the ACL2theoremprover[15,18].Bothalgorithmsassumecorrect hardware for (cid:13)oating point multiplication, addition, and subtraction. Both veri(cid:12)cations in- cludedetailedanalysisofroundingandproofthatthedeliveredresultisrounded in accordance with the IEEE standard. In addition, the veri(cid:12)cations guarantee that all intermediate results of the algorithms (cid:12)t the datapath of the existing (cid:13)oating point hardware. Our work is a generalization of the Rue(cid:25), Srivas, and Shankar veri(cid:12)cation. In addition, to the SRT algorithms, our veri(cid:12)cation encompasses most of the algorithmspresented in[5]. In addition, our veri(cid:12)cation includes a formal path relating the algorithmto the IEEE standard. 2.1 Brief introduction to PVS The Prototype Veri(cid:12)cation System (PVS) [16] is a veri(cid:12)cation system that pro- vides support for general purpose theorem proving. The speci(cid:12)cation language is a higher order logic augmented with dependent types. Theories can be pa- rameterized, and the dependent type mechanism allows for stating arbitrary constraints on theory parameters. The type system of PVS includes predicate subtypes and is therefore undecidable. PVS frequently generates proof obliga- tionstoensurethatexpressions arewelltyped.PVShaspowerfuldecisionproce- dures,so manyproofsinvolvingsimplearithmeticexpressions canbe discharged automatically.Inaddition,PVSprovidesacollectionofpre-provenresults inthe prelude.Alsoincluded with PVS are libraries providingsupport for bit-vectors and (cid:12)nite sets. In PVS, the real numbers are a base type, and other numeric types are de(cid:12)ned as subtypes of the reals. This allows speci(cid:12)cations to freely mixoperations on numeric types. 3 General veri(cid:12)cation of subtractive division algorithms Therearetwoprincipleclassesof(cid:13)oatingpointdivisionalgorithms.Thesubtrac- tivealgorithmsuseshiftingfollowedbyaddition/subtractiontogeneratequotient digitsintimelinearwithrespect tothesize oftheoperands.Multiplicativealgo- rithms,such as Goldschmidt’sAlgorithmorNewton-Raphsoniterations provide fewer iterations,but the operations ineach iterationgrowincreasinglycomplex. Ercegovac and Lang present a detailed study of subtractive algorithms algo- rithms for both division and square root[5]. The general division algorithm is presented inPVSprovidingaparameterizedclassofveri(cid:12)edsubtractive division algorithms. 3.1 General algorithm de(cid:12)nition Subtractive algorithms generate one quotient digit per iteration. They are de- (cid:0)i signed so that in iteration i the remainder is no larger than r for a radix-r algorithm. Ercegovac and Lang present a series of interrelated factors which di(cid:11)erentiate subtractive division algorithms: the radix (r), the quotient-digit set (f(cid:0)a;(cid:0)a+1;:::;(cid:0)1;0;1;:::;a(cid:0)1;ag), the range of the divisor (b), and the quotient-digit select function (qs) [5]. These factors are all parameters to the general division theory. The formalparameters are: r : {i : posint | i > 1}, a : {i : posint | ceiling((r-1)/2) <= i & i < r}, b : {i : posint | 1 < i & i <= r}, (IMPORTING divide_types[r, a, b]) qs : qs_type The (cid:12)rst three parameters are de(cid:12)ned using predicate subtypes of the positive integers. In addition, the types for a and b are constrained by the value of r. The type signature for function qs depends on all of the previous parameters. The declaration for type qs type is imported from theory divide types. Theory a divide types declares constant (cid:26)= r(cid:0)1 and the followingtypes: D_type : TYPE = {d : real | 1 <= d & d < b} dividend : TYPE = {x : posreal | 1/r <= x & x < rho} p_type(D) : TYPE = {p : real | abs(p) <= rho*D} qs_type : TYPE = [D : D_type, p : p_type(D) -> {q : subrange(-a,a) | abs(r*p - q*D) <= rho*D}] Constant (cid:26) denotes the redundancy factor of the quotient-digit set. It repre- sents a trade-o(cid:11) in design complexity between the quotient selection function and generation of divisor multiples. The type of the divisor is constrained by D type, which is de(cid:12)ned to include the numeric range of the signi(cid:12)cand of a normalized (cid:13)oating point number. The type of the dividend is constrained to ensure that it satis(cid:12)es constraints imposed on the partial remainder. Parame- terized type p type(D) encodes an invariant, dependent on divisor D, that the partial remainder must satisfy during execution of the algorithm. Finally, the type of the quotient selection function, qs type, is restricted to functions that, given a divisor D and a partial remainderp such that jpj(cid:20)(cid:26)(cid:1)D, return a digit q such that (cid:0)a(cid:20)q (cid:20)a and jr(cid:1)p(cid:0)q(cid:1)Dj(cid:20)(cid:26)(cid:1)D. The subtractive division algorithms, given divisor D and dividend X, are characterized by the following recurrence equations for the quotient q and the partial remainder p: qi =r(cid:1)qi(cid:0)1+qdi pi =r(cid:1)pi(cid:0)1(cid:0)qdi(cid:1)D (1) where q0 = 0, p0 = X, and qdi is the quotient digit selected for iteration i. A PVS speci(cid:12)cation of Equation1 is: divide(X,D)(n) : RECURSIVE [# p : p_type(D), q: integer #] = IF n=0 THEN (# p := X, q := 0 #) ELSE (# p := r*p(divide(X,D)(n-1)) - qd_n*D, q := r*q(divide(X,D)(n-1)) + qd_n #) WHERE qd_n = qs(D,p(divide(X,D)(n-1))) ENDIF MEASURE n By using record types for the range of the function, the de(cid:12)nition is a direct transliteration of the recurrence equations. In addition,by declaring the partial remainderto be oftype p type(D),PVS automaticallygenerates aproofobliga- tion to ensure that the invariantis satis(cid:12)ed. This obligationis proven using the type constraints on the quotient selection function. 3.2 Veri(cid:12)cation of the general algorithm To simplifylater de(cid:12)nitions we de(cid:12)ne the abbreviations: De(cid:12)nition1. p(X;D)(n)=^ p(divide(X;D)(n)) q(X;D)(n)=^ q(divide(X;D)(n)) PVS strategy (induct-and-simplify)proves: (cid:0)n (cid:0)n Lemma2. p(X;D)(n)(cid:1)r =X (cid:0)q(X;D)(n)(cid:1)r (cid:1)D The invariantproperty of the partial remainder guarantees (cid:0)n p(X;D)(n)(cid:1)r (cid:0)n Lemma3. (cid:20)r (cid:12) D (cid:12) (cid:12) (cid:12) (cid:12) (cid:12) Tostrengthe(cid:12)n theconvergence(cid:12)property,thealgorithmincludesacorrective step after the (cid:12)nal iteration. De(cid:12)nition4. (cid:0)n (p(X;D)(n)+D)(cid:1)r if p(X;D)(n)<0 (cid:0)n P(X;D)(n) =^ 8(p(X;D)(n)(cid:0)D)(cid:1)r if p(X;D)(n)=D <p(X;D)(n)(cid:1)r(cid:0)n otherwise (cid:0)n : (q(X;D)(n)(cid:0)1)(cid:1)r if p(X;D)(n)<0 (cid:0)n Q(X;D)(n) =^ 8(q(X;D)(n)+1)(cid:1)r if p(X;D)(n)=D <q(X;D)(n)(cid:1)r(cid:0)n otherwise : Expanding the de(cid:12)nitions of P and Q, and using lemma2, we prove: X P(X;D)(n) Theorem5 (correctness). =Q(X;D)(n)+ D D Similarlyexpanding the de(cid:12)nition of P and using lemma3, we prove: P(X;D)(n) (cid:0)n Theorem6 (convergence). <r D X Thus, Q(X;D)(n) contains n radix-r digits of the quotient . D 3.3 Example instantiations A number of quotient selection functions have been developed for use with the general subtractive division algorithm. These include three radix-2 algorithms: restoring,nonrestoring,andSRT;and(cid:12)veradix-4algorithms:twousingselection constants for comparison with p (using a = 3 and a = 2), and three distinct radix-4 SRT lookup tables. The tables developed are for 1)Partial remainder prediction or use of a carry-save adder: approximationof p for error fromeither computingan estimate of the next remainder as in Taylor’scircuit [19] (previously veri(cid:12)ed in [17]), or error froma carry-save adder [5] 2)Use of a signed-digit adder: approximationof p always overestimates, as would be the case when using signed-digit adders to accumulate the remainder [5] 3)Folded lookup table: lookup table folded for reduced real estate The process of veri(cid:12)cation amounts to proving that each quotient digit select function satis(cid:12)es the type constraints ofqs type. The radix-2instantiationsand theradix-4usingselectionconstantswerestraightforwardveri(cid:12)cations.Thepro- cess of verifying lookup tables in PVS was (cid:12)rst illustrated by Rue(cid:25), Srivas,and Shankar[17] and repeated here with respect to the general division algorithm. However, the developmentoftwonewlookuptablesproved insightfulindemon- strating the usefulness of PVS in the design process. Not only were omissions fromthe table detected, but PVS allowedthe faster developmentof new tables. Each table wasdeveloped startingfromthe base table in[17]andthen modi(cid:12)ed tomeetthenewrequirements.PVSwasusedtoindicatewhichtableentrieswere incorrect underthenewspeci(cid:12)cations,allowingthedesignertoeasilymodifythe table. Each new table was fully designed and veri(cid:12)ed in less than three hours elapsed time. 4 Veri(cid:12)cation with respect to the IEEE standard This section illustrates how to extend the above general algorithmto provide a veri(cid:12)ed IEEE compliantimplementationof division. This does not constitute a full proof ofcompliance,it just illustrates how non-exceptional cases of division can be realized. This veri(cid:12)cation step is performed with respect to a formal speci(cid:12)cation of IEEE 854 de(cid:12)ned using PVS [14]. The veri(cid:12)cation is performed in two stages. First, a generalization of the basic guard, round, and sticky bit rounding algorithmis shown to satisfy the requirements of the standard. Then, the general subtractive algorithm is shown to provide su(cid:14)cient information to utilize this rounding scheme. The veri(cid:12)ed rounding scheme is applicable for all (cid:13)oating-point algorithms.In addition, the theory mapping the standard to the general subtractive algorithm includes a number of intermediate results that apply to all (cid:13)oating point division algorithms. 4.1 Rounding scheme The IEEE Standards for (cid:13)oating-pointarithmetic[6,7] require support for four rounding modes. The default mode is round to nearest even, and requires that the return value be the (cid:13)oating point number nearest to the exact result. If the exact result is halfway between two (cid:13)oating point numbers, the standards require that it be rounded to the one with an even least signi(cid:12)cant digit. The otherthree modesroundthe result towardspositivein(cid:12)nity,negativein(cid:12)nity,or zero. The discussion in this section uses the followingfact about real numbers. Lemma7. For any integer b > 1, a nonzero real number z can be uniquely decomposed into three parts: a sign,sgn(z) 2 f(cid:0)1;1g; an integer exponent e(z); and a signi(cid:12)cand 1(cid:20)sig(z) <b such that e(z) z = sgn(z)(cid:2)sig(z)(cid:2)b The followingde(cid:12)nition is from the PVS prelude: De(cid:12)nition8. The fractional part of a real number z is de(cid:12)ned by fzg =^ z(cid:0)bzc The next two de(cid:12)nitions are fromMiner’s PVS formalizationof IEEE 854[14]. The function,round, converting real numberz to aninteger foreach ofthe four rounding modes required by the IEEE standard is de(cid:12)ned by: De(cid:12)nition9. round(z;to pos) =^ dze round(z;to neg) =^ bzc round(z;to zero) =^ sgn(z)(cid:2)bjzjc bzc if fzg<1(cid:0)fzg round(z;to near) =^ 8dze if 1(cid:0)fzg<fzg ><2(cid:2) dz2e otherwise j k >: This de(cid:12)nition is extended to round a real number z to a real number with at mostp base-b digits of precision using the followingfunction: De(cid:12)nition10. p(cid:0)1(cid:0)e(z) e(z)(cid:0)(p(cid:0)1) round scaled(z;mode) =^ round(z(cid:1)b ;mode)(cid:1)b A commonalgorithmforimplementingIEEE compliantroundingto pdigits of precision uses two extra digits and a sticky-(cid:13)ag[11]. The (cid:12)rst extra digit is called the guard digit and ensures that the computed result can be normalized whilepreservingpdigitsofprecision.Thisisnecessary formultiplicationanddi- visionalgorithms.Thesecond extradigitiscalledtherounddigit,andisused to controlrounding forevery modeexcept to zero. Finally,a sticky (cid:13)agis required to distinguish the case when the in(cid:12)nitely precise result lies halfway between two representable values for mode to near. The PVS theory implementing the Guard,Round,Sticky (GRS)scheme has been generalized to allowanarbitrary even radix. Thus it works for both base-2 and base-10 instances of IEEE 854. The principle function realizing the GRS rounding scheme is: De(cid:12)nition11. For s2f(cid:0)1;1g,n2N, base-b digit d, and boolean sticky n+1if s(cid:21)0^((d>0)_sticky) grs(s;n;d;sticky;to pos) =^ (cid:26)n otherwise n+1if s<0^((d>0)_sticky) grs(s;n;d;sticky;to neg) =^ (cid:26)n otherwise grs(s;n;d;sticky;to zero) =^ n b b grs(s;n;d;sticky;to near) =^ n+1if (d> 2)_(d= 2 ^(sticky_odd?(n))) (cid:26)n otherwise To complete the de(cid:12)nition of rounding using the GRS scheme, we use the fol- lowing functions to scale the result and extract the relevant (cid:12)elds. De(cid:12)nition12. p(cid:0)1(cid:0)e(z) scaled(z) =^ bjzj(cid:2)b c p(cid:0)e(z) round digit(z) =^ bjzj(cid:2)b cmodb p(cid:0)e(z) sticky (cid:13)ag(z) =^ fjzj(cid:2)b g6=0 Function scaled extracts the p most signi(cid:12)cant base b digits of z scaled to a naturalnumber.Functionround digitextractsthe(p+1)thdigit,andsticky (cid:13)ag istrue ifandonlyifthere aresigni(cid:12)cantdigitsbeyondthe(p+1)th.Foraresult in a sign and magnitude representation, functions scaled and round digit can be realized in hardware by extracting the appropriate digits from the given result. Implementing the sticky (cid:13)ag requires some additional logic; the actual realization will vary depending upon the algorithm employed to compute the result. For comparisonto round scaled, we de(cid:12)ne De(cid:12)nition13. round grs(z;mode) e(z)(cid:0)(p(cid:0)1) =^ sgn(z)(cid:2)b (cid:2) grs(sgn(z);scaled(z);round digit(z);sticky (cid:13)ag(z);mode) The principle result of this section is: Theorem14. round grs(z;mode)=round scaled(z;mode) The PVS proof of this result consists of a fairlysimplecase analysis, except for modeto near. TheinitialPVSproofformodeto nearincludedacomplicatedcase analysis, where it was di(cid:14)cult to exploit symmetry. IEEE (cid:13)oating point numbers are de(cid:12)ned using a sign and magnitude representation. However, the de(cid:12)nition of round scaleddoesnottakeadvantageofthisrepresentation.Thus,the(cid:12)rstproof for mode to near included an unnatural case split on the sign of the argument. Since the GRS rounding scheme is de(cid:12)ned in terms of a sign and magnitude representation,thecasesfornegativeargumentsdonotaligninthesamemanner as forthe positivearguments.Thus, there was littleopportunityto reuse proofs fromthe corresponding positivecases. The PVS proof has been simpli(cid:12)edusing the followinglemma(which was proven using PVS strategy (grind)) Lemma15. round(z;to near)=sgn(z)(cid:2)round(jzj;to near) Even without the case split due to the sign, the proof for mode to near still involvesadi(cid:14)cultcaseanalysis.Thiscaseanalysisconsistsofrelatingthevalues oftherounddigitandsticky(cid:13)agtothecorrespondingcasesfromthespeci(cid:12)cation for rounding modeto near. 4.2 Relating the general algorithm to the standard The veri(cid:12)ed rounding scheme asserts that in order to achieve IEEE compliant rounding to p signi(cid:12)cant digits, it is su(cid:14)cient to compute (p + 1) truncated signi(cid:12)cant digits and determine if there are any remainingnon-zero digits. The general subtractive division algorithm ensures at least n(cid:0)1 digits of precision afterniterations.Furthermore,ifthecomputedremainderisnonzero,thenthere are additional digits in the in(cid:12)nitely precise result. Since it is possible for the radix of the division algorithm to be di(cid:11)erent from that for the representation of (cid:13)oating point numbers, the PVS theory has to relate the potential division radices to those allowedby the standards. There are some simple results that describe the range of possible values for (cid:13)oating point division. Let x denote a base-b (cid:13)oating point number with p signi(cid:12)cant digits. A (cid:12)nite (cid:13)oating point number x is represented using three (cid:12)elds:asign(cid:27)x 2f0;1g,aninteger exponent Ex,and asigni(cid:12)canddx,where dx is a functionfromf0;:::;(p(cid:0)1)g to f0;:::;(b(cid:0)1)g.The numericalvalue ofdx is given by p(cid:0)1 (cid:0)i vd(x)= dx(i)(cid:1)b Xi=0 The numericalvalue of (cid:13)oating point number x is given by (cid:27)x Ex v(x)=((cid:0)1) (cid:1)b (cid:1)vd(x) A (cid:13)oating point number x such that 1(cid:20)vd(x)<b is normalized.Furthermore, ifitsexponent alsofallswithintherange allowedbythe standard,itisanormal (cid:13)oating point number. TheIEEE standard requires thatalloperationsbe performedasiftoin(cid:12)nite precision and then rounded. The in(cid:12)nitelyprecise quotient oftwo (cid:13)oatingpoint numbers x and y is v(x)=v(y). A number of general facts about (cid:13)oating point division have been proven using PVS. These include the following: Lemma16. v(x) (cid:27)x(cid:0)(cid:27)y Ex(cid:0)Ey vd(x) =((cid:0)1) (cid:1)b (cid:1) v(y) vd(y) This lemmastates that a (cid:13)oating point division algorithm can be decomposed into simple operations on the sign and exponent (cid:12)elds combined with an algo- rithm to compute the quotient of the signi(cid:12)cands. Lemma17. For normalized (cid:13)oating point numbers x and y, (cid:0)1 (cid:0)(p+1) vd(x) (1(cid:0)p) b +b (cid:20) (cid:20) b(cid:0)b vd(y) Lemma18. For normalized (cid:13)oating point numbers x and y, if vd(x) < vd(y) then vd(x) (1(cid:0)p) (cid:20) 1(cid:0)b vd(y) Lemmas 17 and 18 assert that the result of a (cid:13)oating point division algorithm requiresatmostoneleftshifttonormalizetheresult,andfurthermore,theneces- sityofpost-dividenormalizationcanbedeterminedbycomparingthemagnitude ofthe signi(cid:12)cands.Therefore, roundingcannota(cid:11)ect the exponent (cid:12)eldforadi- visionoperation.These results aretrueforany(cid:13)oatingpointdivisionalgorithm; they do not depend on a particular instantiation. These results allowus to de(cid:12)ne the followingexponent adjustment function for the quotient of normalized (cid:13)oating point numbers x and y: 1if vd(x)<vd(y) Adj(x;y)= (cid:26)0otherwise The above results allow us to de(cid:12)ne a template for a (cid:13)oating point division algorithm De(cid:12)nition19. For normal (cid:13)oating point numbers x and y such that Emin (cid:20) vd(x) Ex(cid:0)Ey(cid:0)Adj(x;y)(cid:20)Emax, let z = vd(y) in div algorithm(x;y;mode)=^(cid:12)nite(XOR((cid:27)x;(cid:27)y);Ex(cid:0)Ey(cid:0)Adj(x;y);digit div(x;y) where (cid:27)x(cid:0)(cid:27)y digit div(x;y)=^nat2d(grs(((cid:0)1) ;scaled(z);round digit(z);sticky (cid:13)ag(z);mode)