Formal Verification of Mathematical Algorithms

Similar documents
Intel s Successes with Formal Methods

The LCF Approach to Theorem Proving

Formal verification of IA-64 division algorithms

Optimizing Scientific Libraries for the Itanium

Formalizing Mathematics

An Informal introduction to Formal Verification

COEN6551: Formal Hardware Verification

NICTA Advanced Course. Theorem Proving Principles, Techniques, Applications. Gerwin Klein Formal Methods

- Introduction to propositional, predicate and higher order logics

Formal Theorem Proving and Sum-of-Squares Techniques

Theorem Proving for Verification

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Floating-Point Verification by Theorem Proving

Formal Reliability Analysis of Combinational Circuits using Theorem Proving

Computational Logic and the Quest for Greater Automation

Interactive Theorem Proving in Industry

Requirements Validation. Content. What the standards say (*) ?? Validation, Verification, Accreditation!! Correctness and completeness

Isolating critical cases for reciprocals using integer factorization. John Harrison Intel Corporation ARITH-16 Santiago de Compostela 17th June 2003

07 Practical Application of The Axiomatic Method

The Formal Proof Susan Gillmor and Samantha Rabinowicz Project for MA341: Appreciation of Number Theory Boston University Summer Term

Existence and Consistency in Bounded Arithmetic

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Computer-Checked Meta-Logic

Executing the formal semantics of the Accellera Property Specification Language

Formal proof: current progress and outstanding challenges

Proving Type Soundness of Simple Languages in ACL2

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Lectures on Computational Type Theory

Typing λ-terms. Types. Typed λ-terms. Base Types. The Typing Relation. Advanced Formal Methods. Lecture 3: Simply Typed Lambda calculus

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Write your own Theorem Prover

Between proof theory and model theory Three traditions in logic: Syntactic (formal deduction)

Model Checking: An Introduction

utomated Reasoning 2 What is automated reasoning? In one sense we'll interpret our title narrowly: we are interested in reasoning in logic and mathema

Automata Theory. Definition. Computational Complexity Theory. Computability Theory

Mechanizing Elliptic Curve Associativity

Compute the behavior of reality even if it is impossible to observe the processes (for example a black hole in astrophysics).

Last Time. Inference Rules

Peano Arithmetic. CSC 438F/2404F Notes (S. Cook) Fall, Goals Now

03 Review of First-Order Logic

Inductive Theorem Proving

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

02 The Axiomatic Method

Accurate Reliability Analysis of Combinational Circuits using Theorem Proving

Abstractions and Decision Procedures for Effective Software Model Checking

Finite-State Model Checking

Great Theoretical Ideas

Automating the Verification of Floating-point Algorithms

The Calculus of Inductive Constructions

Human-Readable Machine-Verifiable Proofs for Teaching Constructive Logic

Limits of Computation

Static Program Analysis

Building a Computer Adder

Numerical Analysis and Computing

Section 3.1: Direct Proof and Counterexample 1

Chapter 1 Mathematical Preliminaries and Error Analysis

Large Numbers, Busy Beavers, Noncomputability and Incompleteness

Code Generation for a Simple First-Order Prover

Proof Techniques (Review of Math 271)

Certified Roundoff Error Bounds using Semidefinite Programming

02 Propositional Logic

Introduction to Turing Machines

Towards a Mechanised Denotational Semantics for Modelica

Lecture 14 Rosser s Theorem, the length of proofs, Robinson s Arithmetic, and Church s theorem. Michael Beeson

Propositional Calculus - Hilbert system H Moonzoo Kim CS Division of EECS Dept. KAIST

Reliability Block Diagrams based Analysis: A Survey

Chapter 1 Computer Arithmetic

Program Testing and Constructive Validity

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Beyond First-Order Logic

Mathematical Logic. Introduction to Reasoning and Automated Reasoning. Hilbert-style Propositional Reasoning. Chiara Ghidini. FBK-IRST, Trento, Italy

Alan Bundy. Automated Reasoning LTL Model Checking

DVClub Europe Formal fault analysis for ISO fault metrics on real world designs. Jörg Große Product Manager Functional Safety November 2016


Performance Analysis of ARQ Protocols using a Theorem Prover

September 13, Cemela Summer School. Mathematics as language. Fact or Metaphor? John T. Baldwin. Framing the issues. structures and languages

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Examples: P: it is not the case that P. P Q: P or Q P Q: P implies Q (if P then Q) Typical formula:

A Brief Introduction to Model Checking

Lecture 11: Measuring the Complexity of Proofs

Toward a new formalization of real numbers

The Logic of Proofs, Semantically

BOOLEAN ALGEBRA INTRODUCTION SUBSETS

Natural deduction for truth-functional logic

Floating Point Number Systems. Simon Fraser University Surrey Campus MACM 316 Spring 2005 Instructor: Ha Le

Theorem Proving beyond Deduction

Hierarchic Superposition: Completeness without Compactness

The natural numbers. The natural numbers come with an addition +, a multiplication and an order < p < q, q < p, p = q.

Type Theory and Constructive Mathematics. Type Theory and Constructive Mathematics Thierry Coquand. University of Gothenburg

Main Issues in Computer Mathematics. Henk Barendregt Brouwer Institute Radboud University Nijmegen, The Netherlands

Cogito ergo sum non machina!

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

PREDICATE LOGIC: UNDECIDABILITY AND INCOMPLETENESS HUTH AND RYAN 2.5, SUPPLEMENTARY NOTES 2

Bidirectional Decision Procedures for the Intuitionistic Propositional Modal Logic IS4

2. Introduction to commutative rings (continued)

Binary addition example worked out

- Why aren t there more quantum algorithms? - Quantum Programming Languages. By : Amanda Cieslak and Ahmana Tarin

MACHINE COMPUTING. the limitations

Interactive Theorem Provers

Automated Reasoning and its Applications

Transcription:

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics Applications Conclusions

Formal Verification of Mathematical Algorithms 2 The cost of bugs Computers are often used in safety-critical systems where a failure could cause loss of life. Even when not a matter of life and death, bugs can be financially serious if a faulty product has to be recalled or replaced. 1994 FDIV bug in the Intel Pentium processor: US $500 million. Today, new products are ramped much faster... So Intel is especially interested in all techniques to reduce errors.

Formal Verification of Mathematical Algorithms 3 Complexity of designs At the same time, market pressures are leading to more and more complex designs where bugs are more likely. A 4-fold increase in pre-silicon bugs in Intel processor designs per generation. Approximately 8000 bugs introduced during design of the Pentium 4. Fortunately, pre-silicon detection rates are now well over 99.5%. Just enough to tread water...

Formal Verification of Mathematical Algorithms 4 Limits of testing Bugs are usually detected by extensive testing, including pre-silicon simulation. Slow especially pre-silicon Too many possibilities to test them all For example: 2 160 possible pairs of floating point numbers (possible inputs to an adder). Vastly higher number of possible states of a complex microarchitecture. Formal verification offers a possible solution to the non-exhaustiveness problem.

Formal Verification of Mathematical Algorithms 5 Formal verification Formal verification: mathematically prove the correctness of a design with respect to a mathematical formal specification. Actual requirements Formal specification Design model Actual system

Formal Verification of Mathematical Algorithms 6 Formal verification is hard Writing out a completely formal proof of correctness for real-world hardware and software is difficult. Must specify intended behavior formally Need to make many hidden assumptions explicit Requires long detailed proofs, difficult to review The state of the art is quite limited. Software verification has been around since the 60s, but there have been few major successes.

Formal Verification of Mathematical Algorithms 7 Machine-checked proof A more promising approach is to have the proof checked (or even generated) by a computer program. It can reduce the risk of mistakes. The computer can automate some parts of the proofs. There are limits on the power of automation, so detailed human guidance is usually necessary.

Formal Verification of Mathematical Algorithms 8 Approaches to formal verification There are three major approaches to formal verification, and Intel uses all of them, often in combination: Symbolic simulation Temporal logic model checking General theorem proving One of the major tools used for hardware verification at Intel is a combined system. As well as general theorem proving and traditional CTL and LTL model checking it supports symbolic trajectory evaluation (STE).

Formal Verification of Mathematical Algorithms 9 Levels of verification My job involves verifying higher-level floating-point algorithms based on assumed correct behavior of hardware primitives. sin correct fma correct gate-level description We will assume that all the operations used obey the underlying specifications as given in the Architecture Manual and the IEEE Standard for Binary Floating-Point Arithmetic. This is a typical specification for lower-level verification (someone else s job).

Formal Verification of Mathematical Algorithms 10 Context Specific work reported here is for the Intel Itanium TM processor. Some similar work has been done for software libraries for the Intel Pentium 4 processor. Floating point algorithms for division, square root and transcendental functions are used for: Software libraries (C libm etc.) or compiler inlining Implementing x86 hardware intrinsics The level at which the algorithms are modeled is similar in each case.

Formal Verification of Mathematical Algorithms 11 Theorem proving infrastructure What do we need to formally verify such mathematical software? Theorems about basic real analysis and properties of the transcendental functions, and even bits of number theory. Theorems about special properties of floating point numbers, floating point rounding etc. Automation of as much tedious reasoning as possible. Programmability of special-purpose inference routines. A flexible framework in which these components can be developed and applied in a reliable way. We use the HOL Light theorem prover. Other possibilities would include PVS and maybe ACL2.

Formal Verification of Mathematical Algorithms 12 Quick introduction to HOL Light HOL Light is a member of the large family of HOL theorem provers. An LCF-style programmable proof checker written in CAML Light / OCaml, which also serves as the interaction language. Supports classical higher order logic based on polymorphic simply typed lambda-calculus. Extremely simple logical core: 10 basic logical inference rules plus 2 definition mechanisms and 3 axioms. More powerful proof procedures programmed on top, inheriting their reliability from the logical core. Fully programmable by the user. Well-developed mathematical theories including basic real analysis. HOL Light is available for download from: http://www.cl.cam.ac.uk/users/jrh/hol-light

Formal Verification of Mathematical Algorithms 13 HOL Light primitive rules (1) t = t REFL Γ s = t t = u Γ s = u TRANS Γ s = t u = v Γ s(u) = t(v) MK COMB Γ s = t Γ (λx. s) = (λx. t) ABS (λx. t)x = t BETA

Formal Verification of Mathematical Algorithms 14 HOL Light primitive rules (2) {p} p ASSUME Γ p = q p Γ q EQ MP Γ p q (Γ {q}) ( {p}) p = q DEDUCT ANTISYM RULE Γ[x 1,...,x n ] p[x 1,...,x n ] Γ[t 1,...,t n ] p[t 1,...,t n ] INST Γ[α 1,...,α n ] p[α 1,...,α n ] Γ[γ 1,...,γ n ] p[γ 1,...,γ n ] INST TYPE

Formal Verification of Mathematical Algorithms 15 Formalized mathematics Our work involves the actual formalization of mathematics in a simple logical proof system. (Not just formalization-in-principle.) In the same spirit as the work of many logical pioneers (Frege, Peano, Russell and Whitehead). The aim is the same: precision in assertions and reliability of proofs. Arguably, formal proofs written out by people would not be more reliable than informal proofs probably quite the reverse. In fact, the proofs we do sometimes involve 10 8 primitive inferences very difficult for people to do at all! But computers are very good at applying formal rules efficiently and without error, so we really do get a dramatic improvement in reliability.

Formal Verification of Mathematical Algorithms 16 Applying formal real analysis We ve formalized a definitional construction of the real numbers, and the development on top of it of basic real analysis (limits, series, differentiation, power series,...). Used: to prove basic identities used in computation tan(b + x) = tan(b) + 1 sin(b)cos(b) tan(x) cot(b) tan(x) to verify Taylor or Laurent expansions for functions with convergence criteria: cot(x) = 1/x 1 3 x 1 45 x3 2 945 x5... and to prove that particular minimax polynomials really are approximations to a given precision.

Formal Verification of Mathematical Algorithms 17 Applying formal number theory Sometimes we need to employ a little number theory too: Initial trigonometric range reduction r = x N π/2 needs to be done with a relatively involved algorithm. To justify it, we need to analyze how close a floating-point number can be to an integral multiple of π/2, a classic problem in Diophantine approximation solvable using convergents. Analytical proof of correctness of some square root algorithms excludes special cases that can be characterized as the solution of Diophantine equations of the form 2 p m = k 2 + d. We need to enumerate a provably exhaustive set of k and m for given p and d.

Formal Verification of Mathematical Algorithms 18 Programmability Note that for some applications, programmability of the theorem prover is practically essential. The structure of the proof is essentially predictable, and we can program up a general procedure, whereas chreographing various instances by hand would be almost unbearably tedious. Can bound polynomial approximation error using a more accurate Taylor series and a recursive procedure based on recursive root isolation and bounding of all the derivatives of the difference polynomial. Can solve Diophantine equations using even-odd case analysis to reduce p, and proceed by recursion. This is something HOL supports well, given its implementation within a general purpose programming language.

Formal Verification of Mathematical Algorithms 19 Conclusions Because of HOL s mathematical generality, all the reasoning needed can be done in a unified way with the customary HOL guarantee of soundness: Underlying pure mathematics Formalization of floating point operations Proof of basic exclusion zone properties Routine relative error computation for the final result before rounding Number-theoretic isolation of difficult cases Explicit computation with those cases Etc. Moreover, because HOL is programmable, many of these parts can be, and have been, automated. Could be said to realize, and extend, the work of the logical pioneers in actual formalization.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback