We present an approach to integrating the refinement relation between infinite integer types (used in specification languages) and finite integer types (used in programming languages) into software verification calculi. Since integer types in programming languages have finite ranges, in general they are not a correct data refinement of the mathematical integers usually used in specification languages. Ensuring the correctness of such a refinement requires generating and verifying additional proof obligations. We tackle this problem considering Java and UML/OCL as example. We present a sequent calculus for Java integer arithmetic with integrated generation of refinement proof obligations. Thus, there is no explicit...

Abstract. We discuss the formal verification of some low-level mathematical software for the Intel ® Itanium ® architecture. A number of important algorithms have been proven correct using the HOL Light theorem prover. After briefly surveying some of our formal verification work, we discuss in more detail the verification of a square root algorithm, which helps to illustrate why some features of HOL Light, in particular programmability, make it especially suitable for these applications. 1. Overview The Intel ® Itanium ® architecture is a new 64-bit architecture jointly developed by Intel and Hewlett-Packard, implemented in the Itanium® processor family (IPF). Among the software supplied by Intel to support IPF processors are some optimized mathematical functions to supplement or replace less efficient generic libraries. Naturally, the correctness of the algorithms used in such software is always a major concern. This is particularly so for division, square root and certain transcendental function kernels, which are intimately tied to the basic architecture. First, in IA-32 compatibility mode, these algorithms are used by hardware instructions like fptan and fdiv. And while in “native ” mode, division and square root are implemented in software, typical users are likely to see them as part of the basic architecture. The formal verification of some of the division algorithms is described by Harrison (2000b), and a representative verification of a transcendental function by Harrison (2000a). In this paper we complete the picture by considering a square root algorithm. Division, transcendental functions and square roots all have quite distinctive features and their formal verifications differ widely from each other. The present proofs have a number of interesting features, and show how important some theorem prover features — in particular programmability — are. The formal verifications are conducted using the freely available 1 HOL Light prover (Harrison, 1996). HOL Light is a version of HOL (Gordon and Melham, 1993), itself a descendent of Edinburgh LCF

This paper extends PVS's standard bitvector library with multiplication, division and remainder operations, together with associated results. This extension is needed to give appropriate semantics to Java's integral types in program verification. Special emphasis is therefore put on Java's widening and narrowing functions in relation to the newly defined operations on bitvectors.

Abstract: This paper overviews the application of formal verification techniques to hardware in general, and to floating-point hardware in particular. A specific challenge is to connect the usual mathematical view of continuous arithmetic operations with the discrete world, in a credible and verifiable way.

In this paper we will discuss the fundamental ideas behind proof assistants: What are they and what is a proof anyway? We give a short history of the main ideas, emphasizing the way they ensure the correctness of the mathematics formalized. We will also briefly discuss the places where proof assistants are used and how we envision their extended use in the future. While being an introduction into the world of proof assistants and the main issues behind them, this paper is also a position paper that pushes the further use of proof assistants. We believe that these systems will become the future of mathematics, where definitions, statements, computations and proofs are all available in a computerized form. An important application is and will be in computer supported modelling and verification of systems. But their is still along road ahead and we will indicate what we believe is needed for the further proliferation of proof assistants.

Dedicated to the friends and families who blessed and supported me iv

One approach to testing and/or proving correctness of a floating-point algorithm computing a function f is based on finding input floating-point numbers a such that the exact result f(a) is very close to a “rounding boundary”, i.e. a floating-point number or a midpoint between them. In the present paper we show how to do this for the reciprocal function by utilizing prime factorizations. We present the method and show examples, as well as making a fairly detailed study of its expected and worst-case behavior. We point out how this analysis of reciprocals can be useful in analyzing certain reciprocal algorithms, and also show how the approach can be trivially adapted to the reciprocal square root function.

Since the introduction of the Fused Multiply and Add (FMA) in the IEEE-754-2008 standard [6] for floatingpoint arithmetic, division based on Newton-Raphson’s iterations becomes a viable alternative to SRT-based divisions. The Newton-Raphson iterations were already used in some architecture prior to the revision of the IEEE-754 norm. For example, Itanium architecture already used this kind of iterations [8]. Unfortunately, the proofs of the correctness of binary algorithms do not extend to the case of decimal floating-point arithmetic. In this paper, we present general methods to prove the correct rounding of division algorithms using Newton-Raphson’s iterations in software, for radix 2 and radix 10 floating-point arithmetic. Keywords floating-point arithmetic; decimal floating-point arithmetic; division

Double rounding is a phenomenon that may occur when different floating-point precisions are available on a same system, or when performing scaled operations whose final result is subnormal. Although double rounding is, in general, innocuous, it may change the behavior of some useful small floating-point algorithms. We analyze the potential influence of double roundings on the Fast2Sum and 2Sum algorithms, on some summation algorithms, and Veltkamp’s splitting. We also show how to handle possible double roundings when performing scaled Newton-Raphson division iterations (to avoid possible underflow problems).