Automating the Verification of Floating-point Algorithms
|
|
|
- Osborn Bennett
- 5 years ago
- Views:
Transcription
1 Introduction Interval+Error Advanced Gappa Conclusion Automating the Verification of Floating-point Algorithms Guillaume Melquiond Inria Saclay Île-de-France LRI, Université Paris Sud, CNRS Guillaume Melquiond Automating the Verification of FP Algorithms 1 / 48
2 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability This Talk s Content Disclaimer I will not talk much about SMT. Guillaume Melquiond Automating the Verification of FP Algorithms 2 / 48
3 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability This Talk s Content Disclaimer I will not talk much about SMT. I will not talk about floating-point arithmetic in general, but only about its use in a peculiar context: mathematical libraries (libm). Guillaume Melquiond Automating the Verification of FP Algorithms 2 / 48
4 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability This Talk s Content Disclaimer I will not talk much about SMT. I will not talk about floating-point arithmetic in general, but only about its use in a peculiar context: mathematical libraries (libm). I will focus on a specific procedure for verifying floating-point algorithms: the Gappa tool. Guillaume Melquiond Automating the Verification of FP Algorithms 2 / 48
5 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why Floating-point Arithmetic? The real world is much more continuous than one could hope, so real numbers tend to creep in all the applications. Guillaume Melquiond Automating the Verification of FP Algorithms 3 / 48
6 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why Floating-point Arithmetic? The real world is much more continuous than one could hope, so real numbers tend to creep in all the applications. How to compute with them? Use a subset, e.g. rational or algebraic numbers. Guillaume Melquiond Automating the Verification of FP Algorithms 3 / 48
7 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why Floating-point Arithmetic? The real world is much more continuous than one could hope, so real numbers tend to creep in all the applications. How to compute with them? Use a subset, e.g. rational or algebraic numbers. Compute with arbitrary precision. Guillaume Melquiond Automating the Verification of FP Algorithms 3 / 48
8 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why Floating-point Arithmetic? The real world is much more continuous than one could hope, so real numbers tend to creep in all the applications. How to compute with them? Use a subset, e.g. rational or algebraic numbers. Compute with arbitrary precision. Approximate operations, e.g. floating-point numbers. Guillaume Melquiond Automating the Verification of FP Algorithms 3 / 48
9 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why Floating-point Arithmetic? The real world is much more continuous than one could hope, so real numbers tend to creep in all the applications. How to compute with them? Use a subset, e.g. rational or algebraic numbers. Compute with arbitrary precision. Approximate operations, e.g. floating-point numbers. Speed of FP operations is high and deterministic, but all bets are off with respect to the quality of FP results: precision is known, but accuracy is not. Guillaume Melquiond Automating the Verification of FP Algorithms 3 / 48
10 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability FP Arithmetic Quick Reference Card IEEE-754 FP numbers Exceptional values: ±0, ±, Not-a-Number. Finite values: F = {m β e R m, e Z m < β p e min e e max } with β, p, e min, e max parameters of the format. Guillaume Melquiond Automating the Verification of FP Algorithms 4 / 48
11 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability FP Arithmetic Quick Reference Card IEEE-754 FP numbers Exceptional values: ±0, ±, Not-a-Number. Finite values: F = {m β e R m, e Z m < β p e min e e max } with β, p, e min, e max parameters of the format. FP arithmetic operations Every operation shall be performed as if it first produced an intermediate result correct to infinite precision and with unbounded range, and then rounded that result. a b = (a + b), a b = (a b), and so on. Rounding to nearest: y F, (x) x y x. Guillaume Melquiond Automating the Verification of FP Algorithms 4 / 48
12 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
13 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
14 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: preconditions of functions are still satisfied; Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
15 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: preconditions of functions are still satisfied; control-flow changes are innocuous; Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
16 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: preconditions of functions are still satisfied; control-flow changes are innocuous; accuracy of the computed values is good enough. Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
17 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: preconditions of functions are still satisfied; control-flow changes are innocuous; accuracy of the computed values is good enough. Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
18 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Verifying Floating-point Algorithms People tend to verify FP algorithms in two steps: 1 Prove correctness assuming that all operators are infinitely precise. 2 Check that limited precision does not have much impact: preconditions of functions are still satisfied; control-flow changes are innocuous; accuracy of the computed values is good enough. There exist numerous automated tools for this job. But what if your algorithm is intricate or you need a formal proof? Guillaume Melquiond Automating the Verification of FP Algorithms 5 / 48
19 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Outline 1 Introduction Context Gallery Gappa Decidability 2 Interval arithmetic and forward error analysis 3 Dealing with more intricate algorithms 4 The Gappa tool 5 Conclusion Guillaume Melquiond Automating the Verification of FP Algorithms 6 / 48
20 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 1: Toy Elementary Function float toy_sin ( float x) { assert ( fabsf (x) <= 1.0 f); if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } Guillaume Melquiond Automating the Verification of FP Algorithms 7 / 48
21 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 1: Toy Elementary Function float toy_sin ( float x) { assert ( fabsf (x) <= 1.0 f); if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } Verification condition for accuracy x F 32, x 1 toy sin x sin x Guillaume Melquiond Automating the Verification of FP Algorithms 7 / 48
22 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 1: Toy Elementary Function float toy_sin ( float x) { assert ( fabsf (x) <= 1.0 f); if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } Verification condition for accuracy x F 32, x 1 toy sin x 1 sin x Optional hypothesis: x x 3 sin x Guillaume Melquiond Automating the Verification of FP Algorithms 7 / 48
23 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 1: Toy Elementary Function float toy_sin ( float x) { assert ( fabsf (x) <= 1.0 f); if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } Verification condition for accuracy x F 32, x 1 toy sin x 1 sin x Optional hypothesis: x x 3 sin x Relative errors. Guillaume Melquiond Automating the Verification of FP Algorithms 7 / 48
24 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 2: Cody-Waite Argument Reduction for Exp double exp ( double x) { if ( fabs (x) >= 800) return...; double k = nearbyint ( x * 0 x b82fep0 ); double t1 = x - k * 0 xb f7d1cp -4; double t2 = t1 - k * 0 xf.79 abc9e3b398p -48;... } Guillaume Melquiond Automating the Verification of FP Algorithms 8 / 48
25 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 2: Cody-Waite Argument Reduction for Exp double exp ( double x) { if ( fabs (x) >= 800) return...; double k = nearbyint ( x * 0 x b82fep0 ); double t1 = x - k * 0 xb f7d1cp -4; double t2 = t1 - k * 0 xf.79 abc9e3b398p -48;... } Verification conditions t , t 2 (x k 0xb.17217f7d1cf79abc9e3b398p-4) Guillaume Melquiond Automating the Verification of FP Algorithms 8 / 48
26 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 2: Cody-Waite Argument Reduction for Exp double exp ( double x) { if ( fabs (x) >= 800) return...; double k = nearbyint ( x * 0 x b82fep0 ); double t1 = x - k * 0 xb f7d1cp -4; double t2 = t1 - k * 0 xf.79 abc9e3b398p -48;... } Verification conditions t , t 2 (x k 0xb.17217f7d1cf79abc9e3b398p-4) Vanishing round-off errors. Guillaume Melquiond Automating the Verification of FP Algorithms 8 / 48
27 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 3: Itanium Division of 16-bit Unsigned Integers // Inputs: dividend a in f6, divisor b in f7, in f9 frcpa.s1 f8,p6=f6,f7 ;; (p6) fma.s1 f6=f6,f8,f0 (p6) fnma.s1 f7=f7,f8,f9 ;; (p6) fma.s1 f8=f7,f6,f6 ;; fcvt.fx. trunc.s1 f8=f8 // Output: a/b in f8 Guillaume Melquiond Automating the Verification of FP Algorithms 9 / 48
28 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 3: Itanium Division of 16-bit Unsigned Integers y 0 1/b [frcpa] q 0 = (a y 0 ) e 0 = ( b y 0 ) q 1 = (e 0 q 0 + q 0 ) q = q 1 with ( ) rounding to nearest on Itanium s 82-bit format. Guillaume Melquiond Automating the Verification of FP Algorithms 9 / 48
29 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 3: Itanium Division of 16-bit Unsigned Integers y 0 1/b [frcpa] q 0 = (a y 0 ) e 0 = ( b y 0 ) q 1 = (e 0 q 0 + q 0 ) q = q 1 with ( ) rounding to nearest on Itanium s 82-bit format. Verification condition a, b [ 1; ], q = a/b Guillaume Melquiond Automating the Verification of FP Algorithms 9 / 48
30 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 3: Itanium Division of 16-bit Unsigned Integers y 0 1/b [frcpa] q 0 = (a y 0 ) e 0 = ( b y 0 ) q 1 = (e 0 q 0 + q 0 ) q = q 1 with ( ) rounding to nearest on Itanium s 82-bit format. Verification condition a, b [ 1; ], q = a/b Vanishing round-off errors. Polynomial manipulations. Guillaume Melquiond Automating the Verification of FP Algorithms 9 / 48
31 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 4: Knuth TwoSum Algorithm s = a + b t = s - a e = (a - (s - t)) + (b - t) Guillaume Melquiond Automating the Verification of FP Algorithms 10 / 48
32 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 4: Knuth TwoSum Algorithm s = a + b t = s - a e = (a - (s - t)) + (b - t) Verification condition Assuming no overflow occurs, s + e = a + b. Guillaume Melquiond Automating the Verification of FP Algorithms 10 / 48
33 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Example 4: Knuth TwoSum Algorithm s = a + b t = s - a e = (a - (s - t)) + (b - t) Verification condition Assuming no overflow occurs, s + e = a + b. Pointless infinitely-precise values. Pointless round-off errors. Guillaume Melquiond Automating the Verification of FP Algorithms 10 / 48
34 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Scope and Constraints of Gappa Scope Only real numbers: no exceptional values. Basic arithmetic operations: +,,,. Radix-2 fixed- and FP arithmetic (no multi-precision). Logical formulas (no control flow). Guillaume Melquiond Automating the Verification of FP Algorithms 11 / 48
35 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Scope and Constraints of Gappa Scope Only real numbers: no exceptional values. Basic arithmetic operations: +,,,. Radix-2 fixed- and FP arithmetic (no multi-precision). Logical formulas (no control flow). Features Compute range and format of expressions. Bound forward errors. Guillaume Melquiond Automating the Verification of FP Algorithms 11 / 48
36 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Scope and Constraints of Gappa Scope Only real numbers: no exceptional values. Basic arithmetic operations: +,,,. Radix-2 fixed- and FP arithmetic (no multi-precision). Logical formulas (no control flow). Features Compute range and format of expressions. Bound forward errors. Constraints Handle complicated formulas (possibly with some user help). Generate Coq proofs that fit into Flocq s formalism. Answer instantly. Guillaume Melquiond Automating the Verification of FP Algorithms 11 / 48
37 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why No Exceptional Values? Safety of most programs relies on their absence. In that case, range computation is sufficient. Guillaume Melquiond Automating the Verification of FP Algorithms 12 / 48
38 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Why No Exceptional Values? Safety of most programs relies on their absence. In that case, range computation is sufficient. Their propagation is purely combinatorial anyway. Just use your preferred SAT method. Guillaume Melquiond Automating the Verification of FP Algorithms 12 / 48
39 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability The Gappa Tool Gappa 1.1: 11k lines of C++, 8k lines of Coq, GPL d. Guillaume Melquiond Automating the Verification of FP Algorithms 13 / 48
40 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability The Gappa Tool Gappa 1.1: 11k lines of C++, 8k lines of Coq, GPL d. Example (Cody-Waite argument reduction for exp) x = float < ieee_64,ne >( dummyx ); # x is a double Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 InvLog2 = 0 x b82fep0 ; k = int <ne >( float < ieee_64,ne >(x* InvLog2 )); t1 float < ieee_64,ne >= x - k* Log2h ; # prove that t1 is computed exactly { x in [0.7, 800] -> t1 = x - k* Log2h } Log2h ~ 1/ InvLog2 ; # user hint Guillaume Melquiond Automating the Verification of FP Algorithms 13 / 48
41 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability The Gappa Tool Gappa 1.1: 11k lines of C++, 8k lines of Coq, GPL d. Example (Cody-Waite argument reduction for exp) x = float < ieee_64,ne >( dummyx ); # x is a double Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 InvLog2 = 0 x b82fep0 ; k = int <ne >( float < ieee_64,ne >(x* InvLog2 )); t1 float < ieee_64,ne >= x - k* Log2h ; # prove that t1 is computed exactly { x in [0.7, 800] -> t1 = x - k* Log2h } Log2h ~ 1/ InvLog2 ; # user hint Generated Coq proof: 664 lines, 55 reasoning steps. Guillaume Melquiond Automating the Verification of FP Algorithms 13 / 48
42 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Rounding Operators and Decidability Effective rounding (x) = ulp(x) x/ulp(x), with ulp(x) the distance between the 2 FP numbers surrounding x. Note: ulp is piecewise constant, e.g ranges for binary64. Guillaume Melquiond Automating the Verification of FP Algorithms 14 / 48
43 Introduction Interval+Error Advanced Gappa Conclusion Context Gallery Gappa Decidability Rounding Operators and Decidability Effective rounding (x) = ulp(x) x/ulp(x), with ulp(x) the distance between the 2 FP numbers surrounding x. Note: ulp is piecewise constant, e.g ranges for binary64. Decidability of FP arithmetic For bounded quantifications, the following theories are decidable: (R, +, ( )), (F,,,...). Guillaume Melquiond Automating the Verification of FP Algorithms 14 / 48
44 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Outline 1 Introduction 2 Interval arithmetic and forward error analysis Preliminaries Interval arithmetic Forward error analysis Example 1: toy elementary function 3 Dealing with more intricate algorithms 4 The Gappa tool 5 Conclusion Guillaume Melquiond Automating the Verification of FP Algorithms 15 / 48
45 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine What We Want to Prove Bounds on program expressions: x 1,..., x m R, e 1 I 1... e n I n e J with I 1,..., I n, J intervals with nonsymbolic bounds. Guillaume Melquiond Automating the Verification of FP Algorithms 16 / 48
46 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine What We Want to Prove Bounds on program expressions: x 1,..., x m R, e 1 I 1... e n I n e J with I 1,..., I n, J intervals with nonsymbolic bounds. Bounds on forward errors: x 1,..., x m R, e 1 I 1... e n I n ẽ e K with ẽ and e two expressions with close values. Guillaume Melquiond Automating the Verification of FP Algorithms 16 / 48
47 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Forward Errors Example (Addition) Let u and v be approximated by ũ and ṽ. What is the error between (ũ + ṽ) and u + v? Guillaume Melquiond Automating the Verification of FP Algorithms 17 / 48
48 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Forward Errors Example (Addition) Let u and v be approximated by ũ and ṽ. What is the error between (ũ + ṽ) and u + v? Three errors are involved: between ũ and u, between ṽ and v, round-off error between (ũ + ṽ) and ũ + ṽ. Guillaume Melquiond Automating the Verification of FP Algorithms 17 / 48
49 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Forward Errors Example (Addition) Let u and v be approximated by ũ and ṽ. What is the error between (ũ + ṽ) and u + v? Three errors are involved: between ũ and u, between ṽ and v, round-off error between (ũ + ṽ) and ũ + ṽ. Each error bound might be either absolute: ũ u I, or relative: (ũ u)/u I. Guillaume Melquiond Automating the Verification of FP Algorithms 17 / 48
50 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Round-off Errors The round-off error between (ũ + ṽ) and ũ + ṽ is absolutely bounded if ũ and ṽ are bounded, Guillaume Melquiond Automating the Verification of FP Algorithms 18 / 48
51 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Round-off Errors The round-off error between (ũ + ṽ) and ũ + ṽ is absolutely bounded if ũ and ṽ are bounded, relatively bounded for FP formats with gradual underflow, Guillaume Melquiond Automating the Verification of FP Algorithms 18 / 48
52 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Round-off Errors The round-off error between (ũ + ṽ) and ũ + ṽ is absolutely bounded if ũ and ṽ are bounded, relatively bounded for FP formats with gradual underflow, relatively bounded if ũ + ṽ is far enough from 0, Guillaume Melquiond Automating the Verification of FP Algorithms 18 / 48
53 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Round-off Errors The round-off error between (ũ + ṽ) and ũ + ṽ is absolutely bounded if ũ and ṽ are bounded, relatively bounded for FP formats with gradual underflow, relatively bounded if ũ + ṽ is far enough from 0, zero if ũ + ṽ is in a suitable fixed-point format, Guillaume Melquiond Automating the Verification of FP Algorithms 18 / 48
54 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine A Variety of Round-off Errors The round-off error between (ũ + ṽ) and ũ + ṽ is absolutely bounded if ũ and ṽ are bounded, relatively bounded for FP formats with gradual underflow, relatively bounded if ũ + ṽ is far enough from 0, zero if ũ + ṽ is in a suitable fixed-point format, zero if ũ/ṽ [ 2, 1/2] for FP formats with gradual underflow. Guillaume Melquiond Automating the Verification of FP Algorithms 18 / 48
55 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Interval Arithmetic Interval arithmetic extends operations on real numbers to operations on closed connected subsets of real numbers. Application Instead of proving x [a, b], f (x) [c, d], you can prove F ([a, b]) [c, d], assuming that F is an interval extension of f. Guillaume Melquiond Automating the Verification of FP Algorithms 19 / 48
56 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Interval Arithmetic Interval arithmetic extends operations on real numbers to operations on closed connected subsets of real numbers. Application Instead of proving x [a, b], f (x) [c, d], you can prove F ([a, b]) [c, d], assuming that F is an interval extension of f. Evaluating F is easy; it involves operations on bounds only: x [a, b] y [c, d] x + y [a + c, b + d]. This makes interval arithmetic suitable for automatically proving bounds on real-valued expressions. Guillaume Melquiond Automating the Verification of FP Algorithms 19 / 48
57 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Interval Arithmetic and Dependencies Independent expressions If a [3, 5] and b [1, 2] are independent, then a b [3 2, 5 1] = [1, 4] is the optimal enclosure. Guillaume Melquiond Automating the Verification of FP Algorithms 20 / 48
58 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Interval Arithmetic and Dependencies Independent expressions If a [3, 5] and b [1, 2] are independent, then a b [3 2, 5 1] = [1, 4] is the optimal enclosure. Correlated expressions If we have a [1, 100], interval arithmetic gives (a + ε) a [1 + ε, ε] [1, 100] = [ 99 + ε, 99 + ε] while the optimal enclosure is [ε, ε]. Guillaume Melquiond Automating the Verification of FP Algorithms 20 / 48
59 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Interval Arithmetic and Dependencies Various methods solve the dependency issue: octogons, ellipsoids, zonotopes, Taylor/Chebyshev models, decision procedures, e.g. simplex or CAD. Unfortunately they are much costlier than interval arithmetic at execution time, and even worse at formalization time. Guillaume Melquiond Automating the Verification of FP Algorithms 21 / 48
60 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Leveraging Forward Error Analysis Some well-known results of the standard model of FP arithmetic: The absolute error of the sum is the sum of the absolute errors. (ũ + ṽ) (u + v) = (ũ u) + (ṽ v). Guillaume Melquiond Automating the Verification of FP Algorithms 22 / 48
61 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Leveraging Forward Error Analysis Some well-known results of the standard model of FP arithmetic: The absolute error of the sum is the sum of the absolute errors. (ũ + ṽ) (u + v) = (ũ u) + (ṽ v). The relative error of the product is the sum of the relative errors. ũṽ uv 1 = ε u + ε v + ε u ε v with ε u = ũ/u 1 and ε v = ṽ/v 1. Guillaume Melquiond Automating the Verification of FP Algorithms 22 / 48
62 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Leveraging Forward Error Analysis Some well-known results of the standard model of FP arithmetic: The absolute error of the sum is the sum of the absolute errors. (ũ + ṽ) (u + v) = (ũ u) + (ṽ v). The relative error of the product is the sum of the relative errors. ũṽ uv 1 = ε u + ε v + ε u ε v with ε u = ũ/u 1 and ε v = ṽ/v 1. The relative round-off error is bounded. (u) u 1 2 p if u... Guillaume Melquiond Automating the Verification of FP Algorithms 22 / 48
63 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Leveraging Forward Error Analysis Rewriting system: (ũ + ṽ) (u + v) (ũ u) + (ṽ v) (ũṽ)/(uv) 1 ε u + ε v + ε u ε v Sufficient as long as errors are not correlated, expressions have the same inductive structure with correlated sub-expressions in the same places. Because of the 2-step design/verification process, these hypotheses often hold. Guillaume Melquiond Automating the Verification of FP Algorithms 23 / 48
64 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Example 1: Toy Elementary Function How to efficiently compute sin x for x 1 with a relative accuracy bounded by ? Guillaume Melquiond Automating the Verification of FP Algorithms 24 / 48
65 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Example 1: Toy Elementary Function How to efficiently compute sin x for x 1 with a relative accuracy bounded by ? Example (Toy sine) float toy_sin ( float x) { if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } Guillaume Melquiond Automating the Verification of FP Algorithms 24 / 48
66 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Example 1: Toy Elementary Function How to efficiently compute sin x for x 1 with a relative accuracy bounded by ? Example (Toy sine) float toy_sin ( float x) { if ( fabsf (x) < 0x1p -5f) return x; return x * (1.0 f - x * x * 0 x28e9p -16 f); } An actual implementation of sin would use more than just 2 polynomials, and/or perform an argument reduction. But the proof process is the same! Guillaume Melquiond Automating the Verification of FP Algorithms 24 / 48
67 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Approximating a Mathematical Function How to compute an accurate FP approximation of g(x) for any x? Guillaume Melquiond Automating the Verification of FP Algorithms 25 / 48
68 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Approximating a Mathematical Function How to compute an accurate FP approximation of g(x) for any x? 1 Find an approximation ĝ of g that uses only real operations that can be approximated by your floating-point unit. Bound the method error ĝ(x)/g(x) 1. Guillaume Melquiond Automating the Verification of FP Algorithms 25 / 48
69 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Approximating a Mathematical Function How to compute an accurate FP approximation of g(x) for any x? 1 Find an approximation ĝ of g that uses only real operations that can be approximated by your floating-point unit. Bound the method error ĝ(x)/g(x) 1. 2 Write g that implements ĝ with floating-point operations. Bound the round-off error g(x)/ĝ(x) 1. Guillaume Melquiond Automating the Verification of FP Algorithms 25 / 48
70 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Approximating a Mathematical Function How to compute an accurate FP approximation of g(x) for any x? 1 Find an approximation ĝ of g that uses only real operations that can be approximated by your floating-point unit. Bound the method error ĝ(x)/g(x) 1. 2 Write g that implements ĝ with floating-point operations. Bound the round-off error g(x)/ĝ(x) 1. 3 Compose both bounds to get g(x)/g(x) 1. Guillaume Melquiond Automating the Verification of FP Algorithms 25 / 48
71 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Approximating a Mathematical Function How to compute an accurate FP approximation of g(x) for any x? 1 Find an approximation ĝ of g that uses only real operations that can be approximated by your floating-point unit. Bound the method error ĝ(x)/g(x) 1. 2 Write g that implements ĝ with floating-point operations. Bound the round-off error g(x)/ĝ(x) 1. 3 Compose both bounds to get g(x)/g(x) 1. Proving correctness is just a matter of computing tight bounds for these expressions. Guillaume Melquiond Automating the Verification of FP Algorithms 25 / 48
72 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Method Error (Relative) Method error: x (1 x ) sin x 1. Interval analysis knows how to bound such an expression. Guillaume Melquiond Automating the Verification of FP Algorithms 26 / 48
73 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Binary32 Round-off Error (Relative) Round-off error: (x (1 ( (x2 ) ))) x (1 x ) 1. Gappa knows how to bound such an expression. (And how to compose method and round-off errors.) Guillaume Melquiond Automating the Verification of FP Algorithms 27 / 48
74 Introduction Interval+Error Advanced Gappa Conclusion Prelim Interval Forward Ex:Sine Gappa Script, as Written by a Human Example (Relative error for a toy sin = float < ieee_32,ne >; x = rnd ( dummyx ); # x is a float # floating-point implementation y rnd = x * (1 - x* x * 0 x28e9p -16) ; # infinitely-precise computation My = x * (1 - x* x * 0 x28e9p -16) ; { x in [1b -5,1] /\ # relative method error My -/ sin_x <= 1.55 e -3 -> # relative total error y -/ sin_x <= e -3 } Guillaume Melquiond Automating the Verification of FP Algorithms 28 / 48
75 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Outline 1 Introduction 2 Interval arithmetic and forward error analysis 3 Dealing with more intricate algorithms Example 2: Cody-Waite argument reduction for exp Example 3: Itanium division of 16-bit unsigned integers 4 The Gappa tool 5 Conclusion Guillaume Melquiond Automating the Verification of FP Algorithms 29 / 48
76 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Intricate Algorithms For some algorithms, bounding errors is not sufficient, as they might rely on various tricks: exact computations, error compensations, convergent iterations, and so on. Guillaume Melquiond Automating the Verification of FP Algorithms 30 / 48
77 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
78 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Idea 1: use exp x = 2 k exp(x k log 2) with k an integer. Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
79 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Idea 1: use exp x = 2 k exp(x k log 2) with k an integer. Issue: how to compute x k log 2 accurately? Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
80 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Idea 1: use exp x = 2 k exp(x k log 2) with k an integer. Issue: how to compute x k log 2 accurately? Idea 2: use log 2 = l h + l l + ε with ε close to negligible. exp x = 2 k exp((x kl h ) kl l ) exp( kε). Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
81 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Idea 1: use exp x = 2 k exp(x k log 2) with k an integer. Issue: how to compute x k log 2 accurately? Idea 2: use log 2 = l h + l l + ε with ε close to negligible. exp x = 2 k exp((x kl h ) kl l ) exp( kε). Implementation: evaluate (x kl h ) kl l with FP arithmetic. exp x = 2 k exp( (...)) exp(δ kε). Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
82 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Goal: compute exp x for x 800. Argument reduction: replace x by a value close to 0, so that exp can be approximated by a small polynomial. Idea 1: use exp x = 2 k exp(x k log 2) with k an integer. Issue: how to compute x k log 2 accurately? Idea 2: use log 2 = l h + l l + ε with ε close to negligible. exp x = 2 k exp((x kl h ) kl l ) exp( kε). Implementation: evaluate (x kl h ) kl l with FP arithmetic. Issue: how much is δ? exp x = 2 k exp( (...)) exp(δ kε). Guillaume Melquiond Automating the Verification of FP Algorithms 31 / 48
83 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Example (Cody-Waite argument reduction for exp, part 1) Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 Log2l = 0 xf.79 abc9e3b398p -48; InvLog2 = 0 x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; Guillaume Melquiond Automating the Verification of FP Algorithms 32 / 48
84 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Example (Cody-Waite argument reduction for exp, part 1) Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 Log2l = 0 xf.79 abc9e3b398p -48; InvLog2 = 0 x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; Proof. 1 x 800, so k < 2048, so k fits on 11 bits. Guillaume Melquiond Automating the Verification of FP Algorithms 32 / 48
85 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Example (Cody-Waite argument reduction for exp, part 1) Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 Log2l = 0 xf.79 abc9e3b398p -48; InvLog2 = 0 x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; Proof. 1 x 800, so k < 2048, so k fits on 11 bits. 2 l h fits on 42 bits, so (kl h ) = kl h. Guillaume Melquiond Automating the Verification of FP Algorithms 32 / 48
86 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Example (Cody-Waite argument reduction for exp, part 1) Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 Log2l = 0 xf.79 abc9e3b398p -48; InvLog2 = 0 x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; Proof. 1 x 800, so k < 2048, so k fits on 11 bits. 2 l h fits on 42 bits, so (kl h ) = kl h. 3 l 1 h InvLog2, so x kl h. Guillaume Melquiond Automating the Verification of FP Algorithms 32 / 48
87 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for Exp Example (Cody-Waite argument reduction for exp, part 1) Log2h = 0 xb f7d1cp -4; # 42 bits out of 53 Log2l = 0 xf.79 abc9e3b398p -48; InvLog2 = 0 x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; Proof. 1 x 800, so k < 2048, so k fits on 11 bits. 2 l h fits on 42 bits, so (kl h ) = kl h. 3 l 1 h InvLog2, so x kl h. 4 So t 1 = (x (kl h )) = x kl h by Sterbenz lemma. Guillaume Melquiond Automating the Verification of FP Algorithms 32 / 48
88 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 2: Cody-Waite Argument Reduction for = float <ieee_64,ne >; x = rnd ( dummyx ); # x is a double # Cody-Waite argument reduction Log2h = 0xb f7d1cp -4; # 42 bits out of 53 Log2l = 0xf.79 abc9e3b398p -48; InvLog2 = 0x b82fep0 ; k = int <ne >( rnd (x* InvLog2 )); t1 rnd = x - k* Log2h ; t2 rnd = t1 - k* Log2l ; # exact values T1 = x - k* Log2h ; T2 = T1 - k* Log2l ; { x in [0.3, 800] -> t1 = T1 /\ T1 in [ -0.35,0.35] /\ t2 - T2 in? } Log2h ~ 1/ InvLog2 ; # try harder! T1 $ x; Guillaume Melquiond Automating the Verification of FP Algorithms 33 / 48
89 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 3: Itanium Division of 16-bit Unsigned Integers Intel Itanium processors have no hardware divisor. How to efficiently perform a division with just add and mul? Guillaume Melquiond Automating the Verification of FP Algorithms 34 / 48
90 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Example 3: Itanium Division of 16-bit Unsigned Integers Intel Itanium processors have no hardware divisor. How to efficiently perform a division with just add and mul? y 0 1/b [frcpa] q 0 = (a y 0 ) e 0 = ( b y 0 ) q 1 = (e 0 q 0 + q 0 ) q = q 1 with ( ) rounding to nearest on the extended 82-bit format. Correctness of the division a, b [[1; 65535]], q = a/b. Guillaume Melquiond Automating the Verification of FP Algorithms 34 / 48
91 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Proof Sketch Theorem (Exclusion zones) Given a and b positive integers. If 0 a (q 1 /(a/b) 1) < 1, then q 1 = a/b. Guillaume Melquiond Automating the Verification of FP Algorithms 35 / 48
92 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Proof Sketch Theorem (Exclusion zones) Given a and b positive integers. If 0 a (q 1 /(a/b) 1) < 1, then q 1 = a/b. Notice the relative error between the FP value q 1 and the real a/b. So proving the correctness is just a matter of bounding this error. Guillaume Melquiond Automating the Verification of FP Algorithms 35 / 48
93 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Proof Sketch Continued Bounding the method error ˆq 1 a/b and the round-off error q 1 ˆq 1 and composing them does not work at all. There is some error compensation. Guillaume Melquiond Automating the Verification of FP Algorithms 36 / 48
94 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Proof Sketch Continued Bounding the method error ˆq 1 a/b and the round-off error q 1 ˆq 1 and composing them does not work at all. There is some error compensation. What the developers knew when designing the algorithm: If not for 2 17, the code would perform a Newton iteration: ˆq 1 /(a/b) 1 = ε 2 0 with ε 0 = y 0 /(1/b) 1. By taking 2 17 into account, ˆq 1 /(a/b) 1 = ε (1 + ε 0) Guillaume Melquiond Automating the Verification of FP Algorithms 36 / 48
95 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division The Gappa Script, as Written by a Human Example (Division of 16-bit unsigned integers on = float <x86_80,ne >; # algorithm with no rounding operators q0 = a * y0; e0 = 1 + 1b b * y0; q1 = q0 + e0 * q0; # notations for relative errors eps0 = (y0-1 / b) / (1 / b); err = (q1 - a / b) / (a / b); { # a and b are (a, 0) /\ a in [1,65535] (b, 0) /\ b in [1,65535] /\ # specification of (y0, 11) /\ eps0 <= /\ # Newton s iteration, almost err = -( eps0 * eps0 ) + (1 + eps0 ) * 1b -17 -> # the separation hypothesis is satisfied err in [0,1] /\ a * err in [0, ] /\ # all the computations are exact rnd (q0) = q0 /\ rnd (e0) = e0 /\ rnd (q1) = q1 } # try harder! rnd (q1) = q1 $ 1 / b; Guillaume Melquiond Automating the Verification of FP Algorithms 37 / 48
96 Introduction Interval+Error Advanced Gappa Conclusion Ex:Cody-Waite Ex:Division Proof Sketch, the Coq Version Lemma div_ u16_ spec : forall a b, (1 <= a <= 65535) % Z -> (1 <= b <= 65535) % Z -> div_u16 a b = ( a / b)% Z. Proof. intros a b Ba Bb. apply Zfloor_ imp. cut (0 <= b * q1 - a < 1). lra. set ( err := (q1 - a / b) / (a / b)). replace ( b * q1 - a) with ( a * err ) by field. set ( y0 := frcpa b). set ( Mq0 := a * y0 + 0). set ( Me0 := 1 + pow2 ( -17) - b * y0). set ( Mq1 := Me0 * Mq0 + Mq0 ). set ( eps0 := (y0-1 / b) / (1 / b)). assert (( Mq1 - a / b) / (a / b) = -( eps0 * eps0 ) + (1 + eps0 ) * pow2 ( -17) ) by field. generalize ( frcpa_ spec b) ( FIX_ format_ Z2R radix2 a) ( FIX_ format_ Z2R radix2 b). gappa. Qed. Guillaume Melquiond Automating the Verification of FP Algorithms 38 / 48
97 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Outline 1 Introduction 2 Interval arithmetic and forward error analysis 3 Dealing with more intricate algorithms 4 The Gappa tool Supported properties Proof process Theorem database 5 Conclusion Guillaume Melquiond Automating the Verification of FP Algorithms 39 / 48
98 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems A Few Words About Gappa Starting from a formula, Gappa saturates a set of theorems to infer new properties until it encounters a contradiction. Guillaume Melquiond Automating the Verification of FP Algorithms 40 / 48
99 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems A Few Words About Gappa Starting from a formula, Gappa saturates a set of theorems to infer new properties until it encounters a contradiction. Supported properties BND(x, I ) x I ABS(x, I ) x I REL(x, y, I ) ε I, x = y (1 + ε) FIX(x, e) m Z, x = m 2 e FLT(x, p) m, e Z, x = m 2 e m < 2 p NZR(x) x 0 EQL(x, y) x = y Guillaume Melquiond Automating the Verification of FP Algorithms 40 / 48
100 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems A Few Words About Gappa Starting from a formula, Gappa saturates a set of theorems to infer new properties until it encounters a contradiction. Supported properties BND(x, I ) x I ABS(x, I ) x I REL(x, y, I ) ε I, x = y (1 + ε) FIX(x, e) m Z, x = m 2 e FLT(x, p) m, e Z, x = m 2 e m < 2 p NZR(x) x 0 EQL(x, y) x = y To prove div u16, Gappa tried to apply 17k theorems. The final proof infers 80 properties. Guillaume Melquiond Automating the Verification of FP Algorithms 40 / 48
101 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Proof Process Given a logical formula about some expressions e 1,..., e n, Gappa performs the following steps: Guillaume Melquiond Automating the Verification of FP Algorithms 41 / 48
102 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Proof Process Given a logical formula about some expressions e 1,..., e n, Gappa performs the following steps: 1 Recursively and symbolically instantiate all the theorems that might lead to deducing a fact about some expression e i. (backward reasoning) Guillaume Melquiond Automating the Verification of FP Algorithms 41 / 48
103 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Proof Process Given a logical formula about some expressions e 1,..., e n, Gappa performs the following steps: 1 Recursively and symbolically instantiate all the theorems that might lead to deducing a fact about some expression e i. (backward reasoning) 2 Iteratively and numerically instantiate all these theorems. Keep track of them when they produce a new fact. (forward reasoning) Guillaume Melquiond Automating the Verification of FP Algorithms 41 / 48
104 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Proof Process Given a logical formula about some expressions e 1,..., e n, Gappa performs the following steps: 1 Recursively and symbolically instantiate all the theorems that might lead to deducing a fact about some expression e i. (backward reasoning) 2 Iteratively and numerically instantiate all these theorems. Keep track of them when they produce a new fact. (forward reasoning) 3 Once a full proof trace is obtained, minimize it by simplifying or removing as many theorem instances as possible. Guillaume Melquiond Automating the Verification of FP Algorithms 41 / 48
105 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Proof Process Given a logical formula about some expressions e 1,..., e n, Gappa performs the following steps: 1 Recursively and symbolically instantiate all the theorems that might lead to deducing a fact about some expression e i. (backward reasoning) 2 Iteratively and numerically instantiate all these theorems. Keep track of them when they produce a new fact. (forward reasoning) 3 Once a full proof trace is obtained, minimize it by simplifying or removing as many theorem instances as possible. 4 Generate a formal proof from the trace. Guillaume Melquiond Automating the Verification of FP Algorithms 41 / 48
106 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
107 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Not so naive interval arithmetic: u U v V u + v [lower( U V ), upper(u + V )]. Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
108 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Not so naive interval arithmetic: u U v V u + v [lower( U V ), upper(u + V )]. Floating- and fixed-point arithmetic properties: u Z ε [ 2 53, 2 53 ], (u) = u (1 + ε). Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
109 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Not so naive interval arithmetic: u U v V u + v [lower( U V ), upper(u + V )]. Floating- and fixed-point arithmetic properties: u Z ε [ 2 53, 2 53 ], (u) = u (1 + ε). Forward error analysis: ũ ṽ u v = (ũ u) v + u (ṽ v) + (ũ u) (ṽ v). Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
110 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Not so naive interval arithmetic: u U v V u + v [lower( U V ), upper(u + V )]. Floating- and fixed-point arithmetic properties: u Z ε [ 2 53, 2 53 ], (u) = u (1 + ε). Forward error analysis: ũ ṽ u v = (ũ u) v + u (ṽ v) + (ũ u) (ṽ v). Precision handling: FLT(x, p) FLT(y, q) FLT(x y, p + q). Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
111 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Naive interval arithmetic: u [u, u] v [v, v] u + v [u + v, u + v]. Not so naive interval arithmetic: u U v V u + v [lower( U V ), upper(u + V )]. Floating- and fixed-point arithmetic properties: u Z ε [ 2 53, 2 53 ], (u) = u (1 + ε). Forward error analysis: ũ ṽ u v = (ũ u) v + u (ṽ v) + (ũ u) (ṽ v). Precision handling: FLT(x, p) FLT(y, q) FLT(x y, p + q). And so on. Guillaume Melquiond Automating the Verification of FP Algorithms 42 / 48
112 Introduction Interval+Error Advanced Gappa Conclusion Properties Process Theorems Theorem Database Category Thm Interval arithmetic 21 Representability 14 Relative error 15 Rewriting rules 45 FP/FXP arithmetic 25 Miscellaneous 27 Total 147 Guillaume Melquiond Automating the Verification of FP Algorithms 43 / 48
113 Introduction Interval+Error Advanced Gappa Conclusion AltErgo-Gappa Ex:Knuth Conclusion Outline 1 Introduction 2 Interval arithmetic and forward error analysis 3 Dealing with more intricate algorithms 4 The Gappa tool 5 Conclusion AltErgo + Gappa Example 4: Knuth TwoSum Algorithm Conclusion Guillaume Melquiond Automating the Verification of FP Algorithms 44 / 48
Round-off Error Analysis of Explicit One-Step Numerical Integration Methods
Round-off Error Analysis of Explicit One-Step Numerical Integration Methods 24th IEEE Symposium on Computer Arithmetic Sylvie Boldo 1 Florian Faissole 1 Alexandre Chapoutot 2 1 Inria - LRI, Univ. Paris-Sud
Designing a Correct Numerical Algorithm
Intro Implem Errors Sollya Gappa Norm Conc Christoph Lauter Guillaume Melquiond March 27, 2013 Intro Implem Errors Sollya Gappa Norm Conc Outline 1 Introduction 2 Implementation theory 3 Error analysis
Innocuous Double Rounding of Basic Arithmetic Operations
Innocuous Double Rounding of Basic Arithmetic Operations Pierre Roux ISAE, ONERA Double rounding occurs when a floating-point value is first rounded to an intermediate precision before being rounded to
Formal verification of IA-64 division algorithms
Formal verification of IA-64 division algorithms 1 Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64 overview HOL Light overview IEEE correctness Division on IA-64
Optimizing Scientific Libraries for the Itanium
0 Optimizing Scientific Libraries for the Itanium John Harrison Intel Corporation Gelato Federation Meeting, HP Cupertino May 25, 2005 1 Quick summary Intel supplies drop-in replacement versions of common
On various ways to split a floating-point number
On various ways to split a floating-point number Claude-Pierre Jeannerod Jean-Michel Muller Paul Zimmermann Inria, CNRS, ENS Lyon, Université de Lyon, Université de Lorraine France ARITH-25 June 2018 -2-
How to Compute the Area of a Triangle: a Formal Revisit with a Tighter Error Bound
How to Compute the Area of a Triangle: a Formal Revisit with a Tighter Error Bound Sylvie Boldo To cite this version: Sylvie Boldo. How to Compute the Area of a Triangle: a Formal Revisit with a Tighter
How to Compute the Area of a Triangle: a Formal Revisit
How to Compute the Area of a Triangle: a Formal Revisit Sylvie Boldo To cite this version: Sylvie Boldo. How to Compute the Area of a Triangle: a Formal Revisit. Alberto Nannarelli and Peter-Michael Seidel
The Classical Relative Error Bounds for Computing a2 + b 2 and c/ a 2 + b 2 in Binary Floating-Point Arithmetic are Asymptotically Optimal
-1- The Classical Relative Error Bounds for Computing a2 + b 2 and c/ a 2 + b 2 in Binary Floating-Point Arithmetic are Asymptotically Optimal Claude-Pierre Jeannerod Jean-Michel Muller Antoine Plet Inria,
Computation of the error functions erf and erfc in arbitrary precision with correct rounding
Computation of the error functions erf and erfc in arbitrary precision with correct rounding Sylvain Chevillard Arenaire, LIP, ENS-Lyon, France Sylvain.Chevillard@ens-lyon.fr Nathalie Revol INRIA, Arenaire,
An Introduction to Differential Algebra
An Introduction to Differential Algebra Alexander Wittig1, P. Di Lizia, R. Armellin, et al. 1 ESA Advanced Concepts Team (TEC-SF) SRL, Milan Dinamica Outline 1 Overview Five Views of Differential Algebra
Formal Verification of Mathematical Algorithms
Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing
Getting tight error bounds in floating-point arithmetic: illustration with complex functions, and the real x n function
Getting tight error bounds in floating-point arithmetic: illustration with complex functions, and the real x n function Jean-Michel Muller collaborators: S. Graillat, C.-P. Jeannerod, N. Louvet V. Lefèvre
Intel s Successes with Formal Methods
0 Intel s Successes with Formal Methods John Harrison Intel Corporation Software, Science & Society World Forestry Center, Portland OR December 5, 2003 1 Bugs in computer systems Most modern computer systems
Automated design of floating-point logarithm functions on integer processors
23rd IEEE Symposium on Computer Arithmetic Santa Clara, CA, USA, 10-13 July 2016 Automated design of floating-point logarithm functions on integer processors Guillaume Revy (presented by Florent de Dinechin)
Mathematical preliminaries and error analysis
Mathematical preliminaries and error analysis Tsung-Ming Huang Department of Mathematics National Taiwan Normal University, Taiwan September 12, 2015 Outline 1 Round-off errors and computer arithmetic
Short Division of Long Integers. (joint work with David Harvey)
Short Division of Long Integers (joint work with David Harvey) Paul Zimmermann October 6, 2011 The problem to be solved Divide efficiently a p-bit floating-point number by another p-bit f-p number in the
Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5
CS 70 Discrete Mathematics and Probability Theory Summer 2014 James Cook Note 5 Modular Arithmetic In several settings, such as error-correcting codes and cryptography, we sometimes wish to work over a
Floating Point Arithmetic and Rounding Error Analysis
Floating Point Arithmetic and Rounding Error Analysis Claude-Pierre Jeannerod Nathalie Revol Inria LIP, ENS de Lyon 2 Context Starting point: How do numerical algorithms behave in nite precision arithmetic?
Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6
CS 70 Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6 1 Modular Arithmetic In several settings, such as error-correcting codes and cryptography, we sometimes
2. Introduction to commutative rings (continued)
2. Introduction to commutative rings (continued) 2.1. New examples of commutative rings. Recall that in the first lecture we defined the notions of commutative rings and field and gave some examples of
CHAPTER 4: EXPLORING Z
CHAPTER 4: EXPLORING Z MATH 378, CSUSM. SPRING 2009. AITKEN 1. Introduction In this chapter we continue the study of the ring Z. We begin with absolute values. The absolute value function Z N is the identity
Notes on arithmetic. 1. Representation in base B
Notes on arithmetic The Babylonians that is to say, the people that inhabited what is now southern Iraq for reasons not entirely clear to us, ued base 60 in scientific calculation. This offers us an excuse
Cylindrical Algebraic Decomposition in Coq
Cylindrical Algebraic Decomposition in Coq MAP 2010 - Logroño 13-16 November 2010 Assia Mahboubi INRIA Microsoft Research Joint Centre (France) INRIA Saclay Île-de-France École Polytechnique, Palaiseau
Rigorous Polynomial Approximations and Applications
Rigorous Polynomial Approximations and Applications Mioara Joldeș under the supervision of: Nicolas Brisebarre and Jean-Michel Muller École Normale Supérieure de Lyon, Arénaire Team, Laboratoire de l Informatique
MATH ASSIGNMENT 03 SOLUTIONS
MATH444.0 ASSIGNMENT 03 SOLUTIONS 4.3 Newton s method can be used to compute reciprocals, without division. To compute /R, let fx) = x R so that fx) = 0 when x = /R. Write down the Newton iteration for
Newton-Raphson Algorithms for Floating-Point Division Using an FMA
Newton-Raphson Algorithms for Floating-Point Division Using an FMA Nicolas Louvet, Jean-Michel Muller, Adrien Panhaleux Abstract Since the introduction of the Fused Multiply and Add (FMA) in the IEEE-754-2008
Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples
Hoare Logic I Introduction to Deductive Program Verification Işıl Dillig Program Spec Deductive verifier FOL formula Theorem prover valid contingent Example specs: safety (no crashes), absence of arithmetic
Computing Machine-Efficient Polynomial Approximations
Computing Machine-Efficient Polynomial Approximations N. Brisebarre, S. Chevillard, G. Hanrot, J.-M. Muller, D. Stehlé, A. Tisserand and S. Torres Arénaire, LIP, É.N.S. Lyon Journées du GDR et du réseau
Arithmetic-Geometric Means for π A formal study and computation inside Coq
Arithmetic-Geometric Means for π A formal study and computation inside Coq Yves Bertot June 2014 1 / 21 Objectives Studying an algorithm for computing a mathematical constant to high precision Frontier
Construction of Real Algebraic Numbers in Coq
Construction of Real Algebraic Numbers in Coq INRIA Saclay Île-de-France LIX École Polytechnique INRIA Microsoft Research Joint Centre cohen@crans.org August 13, 2012 Why algebraic numbers? Field strictly
Chapter 4 Number Representations
Chapter 4 Number Representations SKEE2263 Digital Systems Mun im/ismahani/izam {munim@utm.my,e-izam@utm.my,ismahani@fke.utm.my} February 9, 2016 Table of Contents 1 Fundamentals 2 Signed Numbers 3 Fixed-Point
Nonlinear Control as Program Synthesis (A Starter)
Nonlinear Control as Program Synthesis (A Starter) Sicun Gao MIT December 15, 2014 Preliminaries Definition (L RF ) L RF is the first-order language over the reals that allows arbitrary numerically computable
Arithmetic and Error. How does error arise? How does error arise? Notes for Part 1 of CMSC 460
Notes for Part 1 of CMSC 460 Dianne P. O Leary Preliminaries: Mathematical modeling Computer arithmetic Errors 1999-2006 Dianne P. O'Leary 1 Arithmetic and Error What we need to know about error: -- how
1 ERROR ANALYSIS IN COMPUTATION
1 ERROR ANALYSIS IN COMPUTATION 1.2 Round-Off Errors & Computer Arithmetic (a) Computer Representation of Numbers Two types: integer mode (not used in MATLAB) floating-point mode x R ˆx F(β, t, l, u),
Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions
Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will
Introduction to Numerical Analysis
Introduction to Numerical Analysis S. Baskar and S. Sivaji Ganesh Department of Mathematics Indian Institute of Technology Bombay Powai, Mumbai 400 076. Introduction to Numerical Analysis Lecture Notes
Formal verification for numerical methods
Formal verification for numerical methods Ioana Paşca PhD thesis at INRIA Sophia Antipolis, Marelle Team Advisor: Yves Bertot 1 7 1 Robots 2 7 Robots efficiency 2 7 Robots efficiency safety 2 7 Inside
DR.RUPNATHJI( DR.RUPAK NATH )
Contents 1 Sets 1 2 The Real Numbers 9 3 Sequences 29 4 Series 59 5 Functions 81 6 Power Series 105 7 The elementary functions 111 Chapter 1 Sets It is very convenient to introduce some notation and terminology
Lecture 7 Feb 4, 14. Sections 1.7 and 1.8 Some problems from Sec 1.8
Lecture 7 Feb 4, 14 Sections 1.7 and 1.8 Some problems from Sec 1.8 Section Summary Proof by Cases Existence Proofs Constructive Nonconstructive Disproof by Counterexample Nonexistence Proofs Uniqueness
Solving Triangular Systems More Accurately and Efficiently
17th IMACS World Congress, July 11-15, 2005, Paris, France Scientific Computation, Applied Mathematics and Simulation Solving Triangular Systems More Accurately and Efficiently Philippe LANGLOIS and Nicolas
QUADRATIC PROGRAMMING?
QUADRATIC PROGRAMMING? WILLIAM Y. SIT Department of Mathematics, The City College of The City University of New York, New York, NY 10031, USA E-mail: wyscc@cunyvm.cuny.edu This is a talk on how to program
Proofs. Chapter 2 P P Q Q
Chapter Proofs In this chapter we develop three methods for proving a statement. To start let s suppose the statement is of the form P Q or if P, then Q. Direct: This method typically starts with P. Then,
Homework 2 Foundations of Computational Math 1 Fall 2018
Homework 2 Foundations of Computational Math 1 Fall 2018 Note that Problems 2 and 8 have coding in them. Problem 2 is a simple task while Problem 8 is very involved (and has in fact been given as a programming
Theorem Proving for Verification
0 Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July 2008 1 Formal verification Formal verification: mathematically prove the correctness of a design with respect
n n P} is a bounded subset Proof. Let A be a nonempty subset of Z, bounded above. Define the set
1 Mathematical Induction We assume that the set Z of integers are well defined, and we are familiar with the addition, subtraction, multiplication, and division. In particular, we assume the following
Cylindrical Algebraic Decomposition in Coq
Cylindrical Algebraic Decomposition in Coq MAP 2010 - Logroño 13-16 November 2010 Assia Mahboubi INRIA Microsoft Research Joint Centre (France) INRIA Saclay Île-de-France École Polytechnique, Palaiseau
Outline Goals and Assumptions Real Numbers Rational and Irrational. L11: Numbers. Alice E. Fischer
L11: Numbers Alice E. Fischer CSCI 1166 Discrete Mathematics for Computing March 5-8, 2018 1 Goals and Assumptions 2 Real Numbers 3 Rational and Irrational Assumptions We rely the following assumptions:
Notes for Chapter 1 of. Scientific Computing with Case Studies
Notes for Chapter 1 of Scientific Computing with Case Studies Dianne P. O Leary SIAM Press, 2008 Mathematical modeling Computer arithmetic Errors 1999-2008 Dianne P. O'Leary 1 Arithmetic and Error What
1. (16 points) Circle T if the corresponding statement is True or F if it is False.
Name Solution Key Show All Work!!! Page 1 1. (16 points) Circle T if the corresponding statement is True or F if it is False. T F The sequence {1, 1, 1, 1, 1, 1...} is an example of an Alternating sequence.
Section 3.1: Direct Proof and Counterexample 1
Section 3.1: Direct Proof and Counterexample 1 In this chapter, we introduce the notion of proof in mathematics. A mathematical proof is valid logical argument in mathematics which shows that a given conclusion
Optimizing the Representation of Intervals
Optimizing the Representation of Intervals Javier D. Bruguera University of Santiago de Compostela, Spain Numerical Sofware: Design, Analysis and Verification Santander, Spain, July 4-6 2012 Contents 1
ON COMPUTAMBLE NUMBERS, WITH AN APPLICATION TO THE ENTSCHENIDUGSPROBLEM. Turing 1936
ON COMPUTAMBLE NUMBERS, WITH AN APPLICATION TO THE ENTSCHENIDUGSPROBLEM Turing 1936 Where are We? Ignoramus et ignorabimus Wir mussen wissen Wir werden wissen We do not know We shall not know We must know
We are going to discuss what it means for a sequence to converge in three stages: First, we define what it means for a sequence to converge to zero
Chapter Limits of Sequences Calculus Student: lim s n = 0 means the s n are getting closer and closer to zero but never gets there. Instructor: ARGHHHHH! Exercise. Think of a better response for the instructor.
A heuristic prover for real inequalities
A heuristic prover for real inequalities Jeremy Avigad Department of Philosophy and Department of Mathematical Sciences Carnegie Mellon University joint work with Robert Y. Lewis and Cody Roux (many slides
Arithmetic-Geometric Means for π A formal study
Arithmetic-Geometric Means for π A formal study Yves Bertot February 014 Objectives Already studied computations of pi through roots of cos, arctan, Archimedes Follow an exam from the French national selection
CONSTRUCTION OF THE REAL NUMBERS.
CONSTRUCTION OF THE REAL NUMBERS. IAN KIMING 1. Motivation. It will not come as a big surprise to anyone when I say that we need the real numbers in mathematics. More to the point, we need to be able to
Leonardo de Moura Microsoft Research
Leonardo de Moura Microsoft Research Logic is The Calculus of Computer Science (Z. Manna). High computational complexity Naïve solutions will not scale Is formula F satisfiable modulo theory T? SMT solvers
3 The language of proof
3 The language of proof After working through this section, you should be able to: (a) understand what is asserted by various types of mathematical statements, in particular implications and equivalences;
Accurate polynomial evaluation in floating point arithmetic
in floating point arithmetic Université de Perpignan Via Domitia Laboratoire LP2A Équipe de recherche en Informatique DALI MIMS Seminar, February, 10 th 2006 General motivation Provide numerical algorithms
1. Introduction to commutative rings and fields
1. Introduction to commutative rings and fields Very informally speaking, a commutative ring is a set in which we can add, subtract and multiply elements so that the usual laws hold. A field is a commutative
EAD 115. Numerical Solution of Engineering and Scientific Problems. David M. Rocke Department of Applied Science
EAD 115 Numerical Solution of Engineering and Scientific Problems David M. Rocke Department of Applied Science Computer Representation of Numbers Counting numbers (unsigned integers) are the numbers 0,
Isolating critical cases for reciprocals using integer factorization. John Harrison Intel Corporation ARITH-16 Santiago de Compostela 17th June 2003
0 Isolating critical cases for reciprocals using integer factorization John Harrison Intel Corporation ARITH-16 Santiago de Compostela 17th June 2003 1 result before the final rounding Background Suppose
Section 7.2: One-to-One, Onto and Inverse Functions
Section 7.2: One-to-One, Onto and Inverse Functions In this section we shall developed the elementary notions of one-to-one, onto and inverse functions, similar to that developed in a basic algebra course.
Chapter One. The Real Number System
Chapter One. The Real Number System We shall give a quick introduction to the real number system. It is imperative that we know how the set of real numbers behaves in the way that its completeness and
Algorithms CMSC Basic algorithms in Number Theory: Euclid s algorithm and multiplicative inverse
Algorithms CMSC-27200 Basic algorithms in Number Theory: Euclid s algorithm and multiplicative inverse Instructor: László Babai Last updated 02-14-2015. Z denotes the set of integers. All variables in
Logic. Definition [1] A logic is a formal language that comes with rules for deducing the truth of one proposition from the truth of another.
![Logic. Definition [1] A logic is a formal language that comes with rules for deducing the truth of one proposition from the truth of another.](/thumbs/87/97228443.jpg "Logic. Definition [1] A logic is a formal language that comes with rules for deducing the truth of one proposition from the truth of another.")
Math 0413 Appendix A.0 Logic Definition [1] A logic is a formal language that comes with rules for deducing the truth of one proposition from the truth of another. This type of logic is called propositional.
Chapter 1 Error Analysis
Chapter 1 Error Analysis Several sources of errors are important for numerical data processing: Experimental uncertainty: Input data from an experiment have a limited precision. Instead of the vector of
Lecture 21: Algebraic Computation Models
princeton university cos 522: computational complexity Lecture 21: Algebraic Computation Models Lecturer: Sanjeev Arora Scribe:Loukas Georgiadis We think of numerical algorithms root-finding, gaussian
Introduction to Finite Di erence Methods
Introduction to Finite Di erence Methods ME 448/548 Notes Gerald Recktenwald Portland State University Department of Mechanical Engineering gerry@pdx.edu ME 448/548: Introduction to Finite Di erence Approximation
Announcements. Read Section 2.1 (Sets), 2.2 (Set Operations) and 5.1 (Mathematical Induction) Existence Proofs. Non-constructive
Announcements Homework 2 Due Homework 3 Posted Due next Monday Quiz 2 on Wednesday Read Section 2.1 (Sets), 2.2 (Set Operations) and 5.1 (Mathematical Induction) Exam 1 in two weeks Monday, February 19
Proof Techniques (Review of Math 271)
Chapter 2 Proof Techniques (Review of Math 271) 2.1 Overview This chapter reviews proof techniques that were probably introduced in Math 271 and that may also have been used in a different way in Phil
Accurate Multiple-Precision Gauss-Legendre Quadrature
Accurate Multiple-Precision Gauss-Legendre Quadrature Laurent Fousse 1,2 1 Université Henri-Poincaré Nancy 1 2 INRIA Rocquencourt 18th IEEE International Symposium on Computer Arithmetic Outline Motivation
Formal methods in analysis
Formal methods in analysis Jeremy Avigad Department of Philosophy and Department of Mathematical Sciences Carnegie Mellon University May 2015 Sequence of lectures 1. Formal methods in mathematics 2. Automated
A lower bound for scheduling of unit jobs with immediate decision on parallel machines
A lower bound for scheduling of unit jobs with immediate decision on parallel machines Tomáš Ebenlendr Jiří Sgall Abstract Consider scheduling of unit jobs with release times and deadlines on m identical
A Guide to Proof-Writing
A Guide to Proof-Writing 437 A Guide to Proof-Writing by Ron Morash, University of Michigan Dearborn Toward the end of Section 1.5, the text states that there is no algorithm for proving theorems.... Such
Basic Logic and Proof Techniques
Chapter 3 Basic Logic and Proof Techniques Now that we have introduced a number of mathematical objects to study and have a few proof techniques at our disposal, we pause to look a little more closely
Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013
Chapter 2 Reductions and NP CS 573: Algorithms, Fall 2013 August 29, 2013 2.1 Reductions Continued 2.1.1 The Satisfiability Problem SAT 2.1.1.1 Propositional Formulas Definition 2.1.1. Consider a set of
Low-Degree Polynomial Roots
Low-Degree Polynomial Roots David Eberly, Geometric Tools, Redmond WA 98052 https://www.geometrictools.com/ This work is licensed under the Creative Commons Attribution 4.0 International License. To view
4ccurate 4lgorithms in Floating Point 4rithmetic
4ccurate 4lgorithms in Floating Point 4rithmetic Philippe LANGLOIS 1 1 DALI Research Team, University of Perpignan, France SCAN 2006 at Duisburg, Germany, 26-29 September 2006 Philippe LANGLOIS (UPVD)
cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications
cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications n-bit unsigned integer representation Represent integer x as sum of powers of 2: If x = n 1 i=0 b i 2 i where each b i
Wave Equation Numerical Resolution: a Comprehensive Mechanized Proof of a C Program
Journal of Automated Reasoning manuscript No. (will be inserted by the editor) Wave Equation Numerical Resolution: a Comprehensive Mechanized Proof of a C Program Sylvie Boldo François Clément Jean-Christophe
Lecture Notes: Axiomatic Semantics and Hoare-style Verification
Lecture Notes: Axiomatic Semantics and Hoare-style Verification 17-355/17-665/17-819O: Program Analysis (Spring 2018) Claire Le Goues and Jonathan Aldrich clegoues@cs.cmu.edu, aldrich@cs.cmu.edu It has
Accurate Multiple-Precision Gauss-Legendre Quadrature
Accurate Multiple-Precision Gauss-Legendre Quadrature Laurent Fousse Université Henri-Poincaré Nancy 1 laurent@komite.net Abstract Numerical integration is an operation that is frequently available in
MATH 1A, Complete Lecture Notes. Fedor Duzhin
MATH 1A, Complete Lecture Notes Fedor Duzhin 2007 Contents I Limit 6 1 Sets and Functions 7 1.1 Sets................................. 7 1.2 Functions.............................. 8 1.3 How to define a
Round-off Error Analysis of Explicit One-Step Numerical Integration Methods
Round-off Error Analysis of Explicit One-Step Numerical Integration Methods Sylvie Boldo, Florian Faissole, Alexandre Chapoutot To cite this version: Sylvie Boldo, Florian Faissole, Alexandre Chapoutot
Optimizing MPC for robust and scalable integer and floating-point arithmetic
Optimizing MPC for robust and scalable integer and floating-point arithmetic Liisi Kerik * Peeter Laud * Jaak Randmets * * Cybernetica AS University of Tartu, Institute of Computer Science January 30,
What is Binary? Digital Systems and Information Representation. An Example. Physical Representation. Boolean Algebra
What is Binary? Digital Systems and Information Representation CSE 102 Underlying base signals are two valued: 0 or 1 true or false (T or F) high or low (H or L) One bit is the smallest unambiguous unit
Jim Lambers MAT 610 Summer Session Lecture 2 Notes
Jim Lambers MAT 610 Summer Session 2009-10 Lecture 2 Notes These notes correspond to Sections 2.2-2.4 in the text. Vector Norms Given vectors x and y of length one, which are simply scalars x and y, the
Proofs. Chapter 2 P P Q Q
Chapter Proofs In this chapter we develop three methods for proving a statement. To start let s suppose the statement is of the form P Q or if P, then Q. Direct: This method typically starts with P. Then,
Termination of LCTRSs
Termination of LCTRSs Cynthia Kop 1 1 Department of Computer Science, University of Innsbruck Technikerstraße 21a, 6020 Innsbruck, Austria Cynthia.Kop@uibk.ac.at Abstract Logically Constrained Term Rewriting
Chapter One Hilbert s 7th Problem: It s statement and origins
Chapter One Hilbert s 7th Problem: It s statement and origins At the second International Congress of athematicians in Paris, 900, the mathematician David Hilbert was invited to deliver a keynote address,
Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes
Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes These notes form a brief summary of what has been covered during the lectures. All the definitions must be memorized and understood. Statements
* 8 Groups, with Appendix containing Rings and Fields.
* 8 Groups, with Appendix containing Rings and Fields Binary Operations Definition We say that is a binary operation on a set S if, and only if, a, b, a b S Implicit in this definition is the idea that
Elements of Floating-point Arithmetic
Elements of Floating-point Arithmetic Sanzheng Qiao Department of Computing and Software McMaster University July, 2012 Outline 1 Floating-point Numbers Representations IEEE Floating-point Standards Underflow
Geometric Steiner Trees
Geometric Steiner Trees From the book: Optimal Interconnection Trees in the Plane By Marcus Brazil and Martin Zachariasen Part 3: Computational Complexity and the Steiner Tree Problem Marcus Brazil 2015
Quantifiers. Leonardo de Moura Microsoft Research
Quantifiers Leonardo de Moura Microsoft Research Satisfiability a > b + 2, a = 2c + 10, c + b 1000 SAT a = 0, b = 3, c = 5 Model 0 > 3 + 2, 0 = 2 5 + 10, 5 + ( 3) 1000 Quantifiers x y x > 0 f x, y = 0
Intelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University
Intelligent Agents Formal Characteristics of Planning Ute Schmid Cognitive Systems, Applied Computer Science, Bamberg University Extensions to the slides for chapter 3 of Dana Nau with contributions by
Computation of dot products in finite fields with floating-point arithmetic
Computation of dot products in finite fields with floating-point arithmetic Stef Graillat Joint work with Jérémy Jean LIP6/PEQUAN - Université Pierre et Marie Curie (Paris 6) - CNRS Computer-assisted proofs