## Multi-Prover Verification of Floating-Point Programs ⋆

Citations: | 16 - 3 self |

### BibTeX

@MISC{Ayad_multi-proververification,

author = {Ali Ayad and Claude Marché},

title = {Multi-Prover Verification of Floating-Point Programs ⋆},

year = {}

}

### OpenURL

### Abstract

Abstract. In the context of deductive program verification, supporting floatingpoint computations is tricky. We propose an expressive language to formally specify behavioral properties of such programs. We give a first-order axiomatization of floating-point operations which allows to reduce verification to checking the validity of logic formulas, in a suitable form for a large class of provers including SMT solvers and interactive proof assistants. Experiments using the Frama-C platform for static analysis of C code are presented. 1

### Citations

492 | The Spec# programming system: an overview
- Barnett, Leino, et al.
- 2005
(Show Context)
Citation Context ...anguages to specify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 [12] and KeY [6] for Java, Spec# =-=[3]-=- for C#, VCC [29] and FramaC [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into the program source text with speci... |

388 | What every computer scientist should know about floating-point arithmetic
- Goldberg
- 1991
(Show Context)
Citation Context ...the comparison operators on FP numbers. It explains when FP exceptions occur, and introduces special values to represent signed infinities and NaNs. We summarize here the essential parts we need, see =-=[19]-=- for more details. In this paper we focus on the 32-bits (type float in C, Java) and 64-bits (type double) binary formats; adaptation to other formats is straightforward. Generally speaking, in any of... |

320 | An overview of JML tools and applications
- Burdy, Cheon, et al.
- 2005
(Show Context)
Citation Context ...with specific syntax, usually in a special form of comments that are ignored by compilers. The resulting annotation languages are called Behavioral Interface Specification Languages (BISL), e.g., JML =-=[10]-=- for Java, ACSL [5] for C. To analyse accurary of FP computations, abstract interpretation-based techniques have shown quite successful on critical software. However, there are very few attempts ⋆ Thi... |

192 |
for Floating-Point Arithmetic
- Standard
- 2008
(Show Context)
Citation Context ...epresents the current state of Frama-C, and the upper part presents the additions we make for dealing with FP computations. 2 The IEEE-754 Standard for Floating-Point Arithmetic The IEEE-754 standard =-=[1]-=- defines an expected behavior of FP computations. It describes binary and decimal formats to represent FP numbers, and specifies the elemen-tary operations and the comparison operators on FP numbers.... |

87 | The Why/Krakatoa/Caduceus platform for deductive program verification
- Filliâtre, Marché
- 2007
(Show Context)
Citation Context ..., and the round_f operator. But unlike SMT provers, Gappa does not handle quantifiers. All the provers mentioned above are available as back-ends for the Frama-C environment and its Jessie/Why plugin =-=[17]-=-. Our experiments are conducted with those. Example 3 (Example 1 continued). The VCs for our Remez approximation of exponential are the following: – 3 VCs for the representability of constants 0.98903... |

84 | Full functional verification of linked data structures
- Zee, Kuncak, et al.
- 2008
(Show Context)
Citation Context ...olvers, Gappa for reasoning about rounding, and interactive proving to prove all VCs. Improving cooperation of provers is an interesting perspective, e.g. like in the Jahob verification tool for Java =-=[31]-=- which selects the prover to call depending on the class of goal (but does not support FP).Turning the Gappa techniques for FP into some specific built-in theory for SMT solvers should be considered.... |

40 | A generic library of floating-point numbers and its application to exact computing
- Daumas, Rideau, et al.
- 2001
(Show Context)
Citation Context ...0; z.u = 0.0; } return z; } Fig. 4. Multiplication of intervals 6 Related Works and Perspectives There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq =-=[14, 22]-=- and one in PVS [24] exclude special values; one in ACL2 [27] and one in HOL-light [20] also deal with special values. Compared to those, our purely first-order axiomatization has the clear disadvanta... |

37 | The pitfalls of verifying floating-point computations
- Monniaux
- 2008
(Show Context)
Citation Context ...rties of FP programs in deductive verification systems like those above mentioned. This is difficult because FP computations are described operationally and have tricky behaviors as shown by Monniaux =-=[25]-=-. Consequently, it is hard to describe denotationally in a logic setting. A first proposal has been made in 2007 by Boldo and Filliâtre [7] for C code, using the Coq proof assistant [30] for dischargi... |

36 | Floating Point Verification in HOL Light: the Exponential Function
- Harrison
- 1997
(Show Context)
Citation Context ...tives There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq [14, 22] and one in PVS [24] exclude special values; one in ACL2 [27] and one in HOL-light =-=[20]-=- also deal with special values. Compared to those, our purely first-order axiomatization has the clear disadvantage of being incomplete, but has the advantage of allowing use of off-the-shelf automati... |

33 | Dening the IEEE-854 Floating-Point Standard
- Miner
- 1995
(Show Context)
Citation Context ...; } Fig. 4. Multiplication of intervals 6 Related Works and Perspectives There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq [14, 22] and one in PVS =-=[24]-=- exclude special values; one in ACL2 [27] and one in HOL-light [20] also deal with special values. Compared to those, our purely first-order axiomatization has the clear disadvantage of being incomple... |

32 | A mechanically checked proof of the correctness of the kernel of the AMD5K86 floating-point division algorithm
- Moore, Lynch, et al.
(Show Context)
Citation Context ... Related Works and Perspectives There exist several formalizations of FP arithmetic in various proof environments: two variants in Coq [14, 22] and one in PVS [24] exclude special values; one in ACL2 =-=[27]-=- and one in HOL-light [20] also deal with special values. Compared to those, our purely first-order axiomatization has the clear disadvantage of being incomplete, but has the advantage of allowing use... |

22 |
The Yices SMT solver. Available at http://yices.csl.sri.com/tool-paper.pdf
- Dutertre, Moura
- 2006
(Show Context)
Citation Context ...ic with integer and real arithmetic. Suitable automatic provers are those of the SMT-family (Satisfiability Modulo Theories) which support first-order quantification, such as Z3 [15], CVC3 [4], Yices =-=[16]-=-, Alt-Ergo [13]. Due to the high expressiveness of the logic, these provers are necessarily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Additionally, recall tha... |

16 |
Formal Verification of Floating-Point Programs
- BOLDO, FILLIÂTRE
- 2007
(Show Context)
Citation Context ...perationally and have tricky behaviors as shown by Monniaux [25]. Consequently, it is hard to describe denotationally in a logic setting. A first proposal has been made in 2007 by Boldo and Filliâtre =-=[7]-=- for C code, using the Coq proof assistant [30] for discharging VCs. The approach presented in this paper is a follow-up of the Boldo-Filliâtre approach, which we extend in two main directions: first ... |

15 | Mixed abstractions for floating-point arithmetic
- Brillout, Kroening, et al.
- 2009
(Show Context)
Citation Context ...ntial for successful deductive verification. Another interesting future work is to automatically infer annotations, for example using abstract interpretation techniques [26] or abstraction refinement =-=[9]-=-, to assist this task. Acknowledgements We thank G. Melquiond for his help in the use of the Gappa tool, the FP-specific Coq tactics, and more generally for his suggestions about the approach presente... |

15 | Automatic Modular Abstractions for Linear Constraints
- Monniaux
- 2009
(Show Context)
Citation Context ...tract for mul_up above) is essential for successful deductive verification. Another interesting future work is to automatically infer annotations, for example using abstract interpretation techniques =-=[26]-=- or abstraction refinement [9], to assist this task. Acknowledgements We thank G. Melquiond for his help in the use of the Gappa tool, the FP-specific Coq tactics, and more generally for his suggestio... |

13 | Proving bounds on real-valued functions with computations
- Melquiond
- 2008
(Show Context)
Citation Context ...essarily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Additionally, recall that our modeling involves an uninterpreted rounding function round_f. The Gappa tool =-=[23]-=- is an automatic prover, which specifically handles formulas made of equalities and inequalities over expressions involving real constants, arithmetic operations, and the round_f operator. But unlike ... |

8 | Hardware-independent proofs of numerical programs
- BOLDO, NGUYEN
(Show Context)
Citation Context ...-time (reorganization of expression order, use of fused multiply-add instructions) ; or at runtime by using extra precision (e.g., 80 bits FP precision in 387 processors) on intermediate calculations =-=[8]-=-. Discovering the proper annotations (e.g. contract for mul_up above) is essential for successful deductive verification. Another interesting future work is to automatically infer annotations, for exa... |

6 | Floating-point arithmetic in the Coq system
- Melquiond
(Show Context)
Citation Context ...ence that our axiomatization is consistent. Second, when dealing with a VC in Coq involving FP arithmetic, we can benefit from all the theorems proved in Coq about FP numbers. We build upon the Gappa =-=[22]-=- library which provides: (1) a definition of binary finite FP numbers: type float2 (a pair of integers as in section 2) together with a function float2R mapping (n, e) to the real n × 2 e ; (2) a comp... |

5 | Reassessing JML’s Logical Foundation
- Chalin
- 2005
(Show Context)
Citation Context ... belongs to an interval i. Notice the trick for computing the upper bound in Down mode, using negations. Notice that since we choose a standard logic with total functions, usual caution must be taken =-=[11]-=-: a formula should mention the real value of some FP expression x only in contexts where \is_finite(x) is known to hold, such as in the definition of predicate double_le_real of Fig. 3 (similarly as o... |

5 |
Not a number of floating point problems
- Leavens
- 2006
(Show Context)
Citation Context ...x*(−y)); } Fig. 5. Auxiliary functions on intervals lows to incorporate FP reasoning in environments for program verification for generalpurpose programming languages like C or Java. In 2006, Leavens =-=[21]-=- described some pitfalls when trying to incorporate FP special values and specifically NaN values in a BISL like JML for Java. In its approach, FP numbers, rounding and such also appear in annotations... |

4 | Combining ACL2 and an Automated Verification Tool to Verify a Multiplier
- Reeber, Sawada
- 2006
(Show Context)
Citation Context ...ear in annotations, which cause several issues and traps for specifiers. We argue that our approach, using instead real numbers in annotations, solves these kind of problems. In 2006, Reeber & Sawada =-=[28]-=- used the ACL2 system together with a automated tool to verify a FP multiplier unit. Although their goal is at a significantly different concern (hardware verification instead of software behavioral p... |

3 | Behavioral properties of floating-point programs. Hisseo publications
- Ayad, Marché
- 2009
(Show Context)
Citation Context ...is_infinite, \is_NaN are unary predicates to test whether an expression of type float or double is either finite, infinite or NaN. Additional shortcuts are provided, e.g. \is_plus_infinity, etc. (See =-=[2]-=- for details.) Example 2. Interval arithmetic aims at computing lower bounds and upper bounds of real expressions. It is a typical example of a FP program that uses a specific rounding mode and makes ... |

3 | ESC/Java2 implementation notes
- Cok, Kiniry
- 2007
(Show Context)
Citation Context ...e with expressive specification languages to specify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 =-=[12]-=- and KeY [6] for Java, Spec# [3] for C#, VCC [29] and FramaC [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into th... |

2 |
Z3, an efficient SMT solver. http://research. microsoft.com/projects/z3
- Moura, Bjørner
(Show Context)
Citation Context ...rstand first-order logic with integer and real arithmetic. Suitable automatic provers are those of the SMT-family (Satisfiability Modulo Theories) which support first-order quantification, such as Z3 =-=[15]-=-, CVC3 [4], Yices [16], Alt-Ergo [13]. Due to the high expressiveness of the logic, these provers are necessarily incomplete. Hence we may also use interactive theorem provers, such as Coq and PVS. Ad... |

2 |
A glimpse of a verifying C compiler. http: //www.cs.ru.nl/~tews/cv07/cv07-smans.pdf
- Schulte, Xia, et al.
(Show Context)
Citation Context ...ify the requirements. Nowadays, several implementations of deductive verification approaches exist for standard programming languages, e.g., ESC-Java2 [12] and KeY [6] for Java, Spec# [3] for C#, VCC =-=[29]-=- and FramaC [18] for C. In each of them, contracts (made of preconditions, postconditions, and several other kinds of annotations) are inserted into the program source text with specific syntax, usual... |