## Behavioral Properties of Floating-Point Programs ⋆

Citations: | 3 - 3 self |

### BibTeX

@MISC{Ayad_behavioralproperties,

author = {Ali Ayad and Claude Marché},

title = {Behavioral Properties of Floating-Point Programs ⋆},

year = {}

}

### OpenURL

### Abstract

Abstract. We propose an expressive language to specify formally behavioral properties of programs involving floating-point computations. We present a deductive verification technique, which allows to prove formally that a given program meets its specifications, using either SMT-class automatic theorem provers or general interactive proof assistants. Experiments using the Frama-C platform for static analysis of C code are presented. 1

### Citations

1500 |
A discipline of Programming
- Dijkstra
- 1976
(Show Context)
Citation Context ...straction. A common approach is to generate automatically logic formulas called verification conditions (VCs for short), with techniques for instance based on Dijkstra’s weakest precondition calculus =-=[15]-=-. The generated formulas must be checked valid hopefully by automatic theorem provers. Complex behavioral properties of programs can be verified by deductive verification techniques, since these techn... |

480 | The Spec# programming system: An overview
- Barnett, Leino, et al.
(Show Context)
Citation Context ...anguages to specify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 [11] and KeY [6] for Java, Spec# =-=[3]-=- for C#, VCC [28] and Frama-C [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into the program ⋆ This work was suppo... |

375 | What Every Computer Scientist Should Know about Floating Point Arithmetic
- Goldberg
- 1991
(Show Context)
Citation Context ...ne chooses whose significand (of canonical representatives) is even. The standard defines three special values: −∞, +∞ and NaN. It also distinguishes between positive zero (+0) and negative zero (-0) =-=[19]-=-. These numbers should be treated both in the input and the output of the arithmetic operations as usual. For example, (+∞) + (+∞) = (+∞), 1/(+∞) = +0, 1/(−0) = −∞, (+0)/(+0) = NaN, (−0) × (+∞) = NaN ... |

315 | An overview of JML tools and applications
- Burdy, Cheon, et al.
- 2005
(Show Context)
Citation Context ... text with specific syntax, usually in a special form of comments that are ignored by compilers. The resulting annotations languages are called Behavioral Interface Specification Languages, e.g., JML =-=[9]-=- for Java, ACSL [5] for C. To analyse FP (floating-point) computations, abstract interpretation-based techniques have shown quite successful on critical software, as examplified by tools Fluctuat [20]... |

181 |
for floating–point arithmetic
- standard
- 2006
(Show Context)
Citation Context ...d in the Frama-C [18] platform for static analysis of C code, and experiments performed with this platform are presented along this paper. 2 Preliminaries: the IEEE-754 Standard The IEEE-754 Standard =-=[1]-=- defines an expected behavior of FP (floating-point) computations. It describes binary and decimal formats to represent FP numbers, and specifies the elementary operations and the comparison operators... |

86 | The Why/Krakatoa/Caduceus platform for deductive program verification
- Filliâtre, Marché
- 2007
(Show Context)
Citation Context ...essions involving real constants, arithmetic operations, and the round_float operator. All the provers mentioned above are available as back-ends for the Frama-C environment and its Jessie/Why plugin =-=[17]-=-. Our experiments are conducted with those. Example 7 (Example 1 continued). The VCs for our Remez approximation of exponential are the following: – 3 VCs for the representability of constants 0.98903... |

84 |
The satisfiability modulo theories library (SMT-LIB). www.smtlib.org
- Barrett, Ranise, et al.
- 2008
(Show Context)
Citation Context ...wever, we must consider provers that are able to understand first-order logic with integer and real arithmetic. Suitable automatic provers are those of the SMT-family (Satisfiability Modulo Theories) =-=[26]-=- which support first-order quantification, such as Z3 [14], CVC3 [4], Yices [16], Alt-Ergo [12]. Due to the high expressiveness of the logic, these provers are necessarily incomplete. Hence we may als... |

39 | A Generic Library of Floating-Point Numbers and Its Application to Exact Computing
- Daumas, Rideau, et al.
- 15
(Show Context)
Citation Context ... SMT provers to deal with all the cases of the complex propositional structures. 6 Related Works There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq =-=[13, 24]-=- and one in PVS 7 exclude special values; one in ACL2 [22] and one in HOL-light [21] also deal with special values. Compare to those, our purely firstorder axiomatization has the clear disadvantage of... |

36 | Floating Point Verification in HOL Light: The Exponential Function
- Harrison
- 1997
(Show Context)
Citation Context ...ed Works There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq [13, 24] and one in PVS 7 exclude special values; one in ACL2 [22] and one in HOL-light =-=[21]-=- also deal with special values. Compare to those, our purely firstorder axiomatization has the clear disadvantage of being incomplete, but has the advantage of allowing use of off-the-shelf automatic ... |

32 | A mechanically checked proof of the correctness of the kernel of the AMD5K86 floating-point division algorithm
- Moore, Lynch, et al.
(Show Context)
Citation Context ...tional structures. 6 Related Works There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq [13, 24] and one in PVS 7 exclude special values; one in ACL2 =-=[22]-=- and one in HOL-light [21] also deal with special values. Compare to those, our purely firstorder axiomatization has the clear disadvantage of being incomplete, but has the advantage of allowing use o... |

26 | Static analysis of numerical algorithms
- Goubault, Putot
(Show Context)
Citation Context ... [9] for Java, ACSL [5] for C. To analyse FP (floating-point) computations, abstract interpretation-based techniques have shown quite successful on critical software, as examplified by tools Fluctuat =-=[20]-=- and Astree [7]. However, there are very few attempts to provide ways to specify and to prove behavioral properties of floating-programs in deductive verification systems like those mentioned above. A... |

16 |
Formal verification of floating-point programs
- Boldo, Filliâtre
- 2007
(Show Context)
Citation Context ...ide ways to specify and to prove behavioral properties of floating-programs in deductive verification systems like those mentioned above. A first proposal has been made in 2007 by Boldo and Filliâtre =-=[8]-=- for C code, using the Coq proof assistant [29] for discharging VCs. The approach presented in this paper is a follow-up of the Boldo-Filliâtre approach, which we extend in two main directions: first ... |

12 | Proving bounds on real-valued functions with computations
- Melquiond
- 2008
(Show Context)
Citation Context ...rily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Additionally, recall that our modeling involves an uninterpreted rounding function round_float. The Gappa tool =-=[25]-=- is an automatic prover, which specifically handles formulas made of equalities and inequalities over expressions involving real constants, arithmetic operations, and the round_float operator. All the... |

8 |
CC(X): Semantic combination of congruence closure with solvable theories
- Conchon, Contejean, et al.
(Show Context)
Citation Context ...real arithmetic. Suitable automatic provers are those of the SMT-family (Satisfiability Modulo Theories) [26] which support first-order quantification, such as Z3 [14], CVC3 [4], Yices [16], Alt-Ergo =-=[12]-=-. Due to the high expressiveness of the logic, these provers are necessarily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Additionally, recall that our modeling ... |

7 |
The Astrée Static Analyzer. http://www.astree.ens.fr
- Cousot, Cousot, et al.
(Show Context)
Citation Context ...CSL [5] for C. To analyse FP (floating-point) computations, abstract interpretation-based techniques have shown quite successful on critical software, as examplified by tools Fluctuat [20] and Astree =-=[7]-=-. However, there are very few attempts to provide ways to specify and to prove behavioral properties of floating-programs in deductive verification systems like those mentioned above. A first proposal... |

6 | Floating-point arithmetic in the Coq system
- Melquiond
(Show Context)
Citation Context ...r axiomatization is consistent. Second, when dealing with a VC in Coq involving FP arithmetic, we can benefit from all the theorems proven in Coq about FP numbers. , Indeed, we build upon the Gappa 5 =-=[24]-=- library which provides: – a definition of binary finite FP numbers: type float2 (a pair of integers as in section 4.1) together with a function float2R mapping (n, e) to the real n × 2 e ; – a comple... |

5 |
Not a number of floating point problems
- Leavens
- 2006
(Show Context)
Citation Context ...he-shelf automatic theorem provers. Our approach allows to incorporate FP reasoning in environments for program verification for general-purpose programming languages like C or Java. In 2006, Leavens =-=[23]-=- described some pitfalls when trying to incorporate FP special values and specifically NaN values in a BISL like JML for Java. In its approach, FP numbers, rounding and such also appear in annotations... |

4 | Combining ACL2 and an Automated Verification Tool to Verify a Multiplier
- Reeber, Sawada
- 2006
(Show Context)
Citation Context ...n annotations, which cause several issues and traps for specifiers. We argue that our approach, using true real numbers instead in annotations, solves these kind of problems. In 2006, Reeber & Sawada =-=[27]-=- used the ACL2 system together with a automated tool to verify a FP multiplier unit. Although their goal is at a significantly different concern (hardware verification instead of software behavioral p... |

3 | ESC/Java2 implementation notes
- Cok, Kiniry
- 2007
(Show Context)
Citation Context ...e with expressive specification languages to specify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 =-=[11]-=- and KeY [6] for Java, Spec# [3] for C#, VCC [28] and Frama-C [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into t... |

2 | On formal methods for certifying floating-point C programs, n o
- AYAD
(Show Context)
Citation Context ...type float or double is either finite, infinite or NaN. – \is_positive, \is_negative are similar predicates to test for the sign. – additional shortcuts are provided, e.g. \is_plus_infinity, etc. See =-=[2]-=- for details. – Comparison predicates between expressions of type float or double, e.g. \le_float, \lt_float, \eq_float, etc. 5//@ pragma allowOverflow //@ pragma roundingMode(Down) typedef struct { ... |

2 |
The YICES SMT Solver. available at http://yices. csl.sri.com/tool-paper.pdf
- Dutertre, Moura
- 2006
(Show Context)
Citation Context ...th integer and real arithmetic. Suitable automatic provers are those of the SMT-family (Satisfiability Modulo Theories) [26] which support first-order quantification, such as Z3 [14], CVC3 [4], Yices =-=[16]-=-, Alt-Ergo [12]. Due to the high expressiveness of the logic, these provers are necessarily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Additionally, recall tha... |

2 |
A glimpse of a verifying C compiler. http: //www.cs.ru.nl/~tews/cv07/cv07-smans.pdf
- Schulte, Xia, et al.
(Show Context)
Citation Context ...ify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 [11] and KeY [6] for Java, Spec# [3] for C#, VCC =-=[28]-=- and Frama-C [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into the program ⋆ This work was supported by the Frenc... |