Results 1  10
of
28
MultiProver Verification of FloatingPoint Programs ⋆
"... Abstract. In the context of deductive program verification, supporting floatingpoint computations is tricky. We propose an expressive language to formally specify behavioral properties of such programs. We give a firstorder axiomatization of floatingpoint operations which allows to reduce verifica ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
(Show Context)
Abstract. In the context of deductive program verification, supporting floatingpoint computations is tricky. We propose an expressive language to formally specify behavioral properties of such programs. We give a firstorder axiomatization of floatingpoint operations which allows to reduce verification to checking the validity of logic formulas, in a suitable form for a large class of provers including SMT solvers and interactive proof assistants. Experiments using the FramaC platform for static analysis of C code are presented. 1
Varieties of Static Analyzers: A Comparison with ASTRÉE
"... We discuss the characteristic properties of ASTRÉE, an automatic static analyzer for proving the absence of runtime errors in safetycritical realtime synchronous controlcommand C programs, and compare it with a variety of other program analysis tools. 1 ..."
Abstract

Cited by 22 (5 self)
 Add to MetaCart
(Show Context)
We discuss the characteristic properties of ASTRÉE, an automatic static analyzer for proving the absence of runtime errors in safetycritical realtime synchronous controlcommand C programs, and compare it with a variety of other program analysis tools. 1
S.: Static analysis of finite precision computations
 In: VMCAI’11. LNCS
, 2011
"... Abstract. We define several abstract semantics for the static analysis of finite precision computations, that bound not only the ranges of values taken by numerical variables of a program, but also the difference with the result of the same sequence of operations in an idealized real number semantic ..."
Abstract

Cited by 21 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We define several abstract semantics for the static analysis of finite precision computations, that bound not only the ranges of values taken by numerical variables of a program, but also the difference with the result of the same sequence of operations in an idealized real number semantics. These domains point out with more or less detail (control point, block, function for instance) sources of numerical errors in the program and the way they were propagated by further computations, thus allowing to evaluate not only the rounding error, but also sensitivity to inputs or parameters of the program. We describe two classes of abstractions, a non relational one based on intervals, and a weakly relational one based on parametrized zonotopic abstract domains called affine sets, especially well suited for sensitivity analysis and test generation. These abstract domains are implemented in the Fluctuat static analyzer, and we finally present some experiments. 1
Combining Coq and Gappa for Certifying FloatingPoint Programs
, 2009
"... Formal verification of numerical programs is notoriously difficult. On the one hand, there exist automatic tools specialized in floatingpoint arithmetic, such as Gappa, but they target very restrictive logics. On the other hand, there are interactive theorem provers based on the LCF approach, such ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
(Show Context)
Formal verification of numerical programs is notoriously difficult. On the one hand, there exist automatic tools specialized in floatingpoint arithmetic, such as Gappa, but they target very restrictive logics. On the other hand, there are interactive theorem provers based on the LCF approach, such as Coq, that handle a generalpurpose logic but that lack proof automation for floatingpoint properties. To alleviate these issues, we have implemented a mechanism for calling Gappa from a Coq interactive proof. This paper presents this combination and shows on several examples how this approach offers a significant speedup in the process of verifying floatingpoint programs.
A FormallyVerified C Compiler Supporting FloatingPoint Arithmetic
, 2012
"... Abstract—Floatingpoint arithmetic is known to be tricky: roundings, formats, exceptional values. The IEEE754 standard was a push towards straightening the field and made formal reasoning about floatingpoint computations possible. Unfortunately, this is not sufficient to guarantee the final result ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
Abstract—Floatingpoint arithmetic is known to be tricky: roundings, formats, exceptional values. The IEEE754 standard was a push towards straightening the field and made formal reasoning about floatingpoint computations possible. Unfortunately, this is not sufficient to guarantee the final result of a program, as several other actors are involved: programming language, compiler, architecture. The CompCert formallyverified compiler provides a solution to this problem: this compiler comes with a mathematical specification of the semantics of its source language (ISO C90) and target platforms (ARM, PowerPC, x86SSE2), and with a proof that compilation preserves semantics. In this paper, we report on our recent success in formally specifying and proving correct CompCert’s compilation of floatingpoint arithmetic. Since CompCert is verified using the Coq proof assistant, this effort required a suitable Coq formalization of the IEEE754 standard; we extended the Flocq library for this purpose. As a result, we obtain the first formally verified compiler that provably preserves the semantics of floatingpoint programs. Index Terms—floatingpoint arithmetic; verified compilation; formal proof; floatingpoint semantic preservation; I.
Hardwareindependent proofs of numerical programs
, 2010
"... On recent architectures, a numerical program may give different answers depending on the execution hardware and the compilation. Our goal is to formally prove properties about numerical programs that are true for multiple architectures and compilers. We propose an approach that states the rounding e ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
(Show Context)
On recent architectures, a numerical program may give different answers depending on the execution hardware and the compilation. Our goal is to formally prove properties about numerical programs that are true for multiple architectures and compilers. We propose an approach that states the rounding error of each floatingpoint computation whatever the environment. This approach is implemented in the FramaC platform for static analysis of C code. Small case studies using this approach are entirely and automatically proved.
Kahan’s algorithm for a correct discriminant computation at last formally proven, in
 n o 2, February 2009
"... Abstract—This article tackles Kahan’s algorithm to compute accurately the discriminant. This is a known difficult problem, and this algorithm leads to an error bounded by 2 ulps of the floatingpoint result. The proofs involved are long and tricky and even trickier than expected as the test involved ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
(Show Context)
Abstract—This article tackles Kahan’s algorithm to compute accurately the discriminant. This is a known difficult problem, and this algorithm leads to an error bounded by 2 ulps of the floatingpoint result. The proofs involved are long and tricky and even trickier than expected as the test involved may give a result different from the result of the same test without rounding. We give here the total demonstration of the validity of this algorithm, and we provide sufficient conditions to guarantee that neither overflow nor underflow will jeopardize the result. The IEEE754 doubleprecision program is annotated using the Why platform and the proof obligations are done using the Coq automatic proof checker. Index Terms—Floating point, discriminant, formal proof, Why platform, Coq.
Symbolic Crosschecking of DataParallel Floating Point Code
"... I hereby declare that this work is my own and that all other work is appropriately acknowledged. In this thesis we present a symbolic executionbased technique for crosschecking programs accelerated using SIMD or OpenCL against an unaccelerated version, as well as a technique for detecting data rac ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
I hereby declare that this work is my own and that all other work is appropriately acknowledged. In this thesis we present a symbolic executionbased technique for crosschecking programs accelerated using SIMD or OpenCL against an unaccelerated version, as well as a technique for detecting data races in OpenCL programs. Our techniques are implemented in KLEECL, a symbolic execution engine based on KLEE that supports symbolic reasoning on the equivalence between expressions involving both integer and floatingpoint operations. While the current generation of constraint solvers provide good support for integer arithmetic, there is little support available for floatingpoint arithmetic, due to the complexity inherent in such computations. The key insight behind our approach is that floatingpoint values are only reliably equal if they are essentially built by the same operations. This allows us to use an algorithm based on symbolic expression matching augmented with canonicalisation rules to determine path equivalence. Under symbolic execution, we have to verify equivalence along every feasible controlflow path. We reduce the branching factor of this process by aggressively merging conditionals,
Robustness Analysis of Finite Precision Implementations
"... Abstract. A desirable property of control systems is robustness to inputs, when small perturbations of the inputs of a system will cause only small perturbations on outputs. This property should be maintained at the implementation level, where close inputs can lead to different execution paths. The ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. A desirable property of control systems is robustness to inputs, when small perturbations of the inputs of a system will cause only small perturbations on outputs. This property should be maintained at the implementation level, where close inputs can lead to different execution paths. The problem becomes crucial for finite precision implementations, where any elementary computation is affected by an error. In this context, almost every test is potentially unstable, that is, for a given input, the finite precision and real numbers paths may differ. Still, stateoftheart error analyses rely on the stable test hypothesis, yielding unsound error bounds when the conditional block is not robust to uncertainties. We propose a new abstractinterpretation based error analysis of finite precision implementations, which is sound in presence of unstable tests, by bounding the discontinuity error for path divergences. This gives a tractable analysis implemented in the FLUCTUAT analyzer. 1
Formal verification of numerical programs: from C annotated programs to Coq proofs
, 2010
"... Numerical programs may require a high level of guarantee. This can be achieved by applying formal methods, such as machinechecked proofs. But these tools handle mathematical theorems while we are interested in C code. To achieve this high level of confidence on C programs, we use a chain of tools ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Numerical programs may require a high level of guarantee. This can be achieved by applying formal methods, such as machinechecked proofs. But these tools handle mathematical theorems while we are interested in C code. To achieve this high level of confidence on C programs, we use a chain of tools: FramaC, its Jessie plugin, Why and Coq. This requires the C program to be annotated: this means that each function must be precisely specified, and we will prove the correctness of the program by proving both that it meets its specifications and that it does not fail. Examples will be given to illustrate the features of this approach.