Invertibility Conditions for Floating-Point Formulae by Brain, M. et al.

City, University of London Institutional Repository

Citation: Brain, M. ORCID: 0000-0003-4216-7151, Niemetz, A., Preiner, M., Reynolds, A., Barrett, C. and Tinelli, C. (2019). Invertibility Conditions for Floating-Point Formulae. In: Computer Aided Verification. CAV 2019. Lecture Notes in Computer Science, 11562. (pp. 116-136). Cham: Springer. ISBN 978-3-030-25542-8

This is the published version of the paper. This version of the publication may differ from the final published version.

Permanent repository link: http://openaccess.city.ac.uk/id/eprint/22749/
Invertibility Conditions for Floating-Point Formulas

Martin Brain (3,4), Aina Niemetz (1), Mathias Preiner (1), Andrew Reynolds (2), Clark Barrett (1), and Cesare Tinelli (2)
1 Stanford University, Stanford, USA, preiner@cs.stanford.edu
2 The University of Iowa, Iowa City, USA
3 University of Oxford, Oxford, UK
4 City, University of London, London, UK
Abstract. Automated reasoning procedures are essential for a number of applications that involve bit-exact floating-point computations. This paper presents conditions that characterize when a variable in a floating-point constraint has a solution, which we call invertibility conditions. We describe a novel workflow that combines human interaction and a syntax-guided synthesis (SyGuS) solver that was used for discovering these conditions. We verify our conditions for several floating-point formats. One implication of this result is that a fragment of floating-point arithmetic admits compact quantifier elimination. We implement our invertibility conditions in a prototype extension of our solver CVC4, showing their usefulness for solving quantified constraints over floating-points.
1 Introduction
Satisfiability Modulo Theories (SMT) formulas including either the theory of floating-point numbers [12] or universal quantifiers [24,32] are widely regarded as some of the hardest to solve. Problems that combine universal quantification over floating-points are rare—experience to date has suggested they are hard for solvers and would-be users should either give up or develop their own incomplete techniques. However, progress in theory solvers for floating-point [11] and the use of expression synthesis for handling universal quantifiers [27,29] suggest that these problems may not be entirely out of reach after all, which could potentially impact a number of interesting applications.
This paper makes substantial progress towards a scalable approach for solving quantified floating-point constraints directly in an SMT solver. Developing procedures for quantified floating-points requires considerable effort, both foundationally and in practice. We focus primarily on establishing a foundation for lifting to quantified floating-point formulas a procedure for solving quantified bit-vector formulas by Niemetz et al. [26]. That procedure relies on so-called invertibility conditions, intuitively, formulas that state under which conditions an argument of a given operator and predicate in an equation has a solution. Building on this concept and a state-of-the-art expression synthesis engine [29], we generate invertibility conditions for a majority of operators and predicates in the theory of floating-point numbers. In the context of quantifier-free floating-point formulas, floating-point invertibility conditions may enable us to lift the propagation-based local search approach for bit-vectors in [25] to the theory of floating-point numbers.

This work was supported in part by DARPA (award no. FA8650-18-2-7861), ONR (award no. N68335-17-C-0558) and NSF (award no. 1656926).

© The Author(s) 2019
I. Dillig and S. Tasiran (Eds.): CAV 2019, LNCS 11562, pp. 116–136, 2019.
https://doi.org/10.1007/978-3-030-25543-5_8
This work demonstrates that invertibility conditions exist and show promise for solving quantified floating-point constraints. More specifically, it makes the following contributions:
– In Sect. 3, we present invertibility conditions for the majority of operators and predicates in the SMT-LIB standard theory of floating-point numbers.
– In Sect. 4, we present a custom methodology based on syntax-guided synthesis and decision tree learning that we developed for the purpose of synthesizing the invertibility conditions presented here.
– In Sect. 5, we present a quantifier elimination procedure for a fragment of the theory that is based on invertibility conditions, and give experimental evidence of its potential, based on quantified floating-point problems coming from a verification application.
Related Work. To our knowledge, no previous work specifically discusses techniques for solving universally quantified floating-point formulas. Brain et al. [11] provide a comprehensive review of decision procedures for quantifier-free bit-exact floating-point using both SMT-based as well as other approaches. They identify four groups of techniques: bit-blasting approaches that use floating-point circuits to generate bit-vector formulas [13,16,20,33], interval techniques that use partitioning and interval propagation [10,22,23,31], optimization and numerical approaches that work with complete valuations [4,7,18,21], and axiomatic techniques that use partial or total axiomatizations of the theory of floating-point numbers in other theories such as real arithmetic [14,15].

On the other hand, approaches for universal quantification have been developed in modern SMT solvers that target other background theories, including linear arithmetic [8,17,29] and bit-vectors [26,27,32]. At a high level, these approaches use model-based refinement loops that lazily add instances of universal quantifiers until they reach a conflict at the quantifier-free level, or otherwise saturate with a model.
2 Preliminaries
We assume the usual notions and terminology of many-sorted first-order logic with equality (denoted by ≈). Let Σ be a signature consisting of a set Σ^s of sort symbols and a set Σ^f of interpreted (and sorted) function symbols. Each function symbol f has a sort τ1 × ... × τn → τ, with arity n ≥ 0 and τ1, ..., τn, τ ∈ Σ^s. We assume that Σ includes a Boolean sort Bool and the Boolean constants ⊤ (true) and ⊥ (false). We further assume the usual definition of well-sorted terms, literals, and (quantified) formulas with variables and symbols from Σ, and refer to them as Σ-terms, Σ-atoms, and so on. For a Σ-term or Σ-formula e, we denote the free variables of e (defined as usual) as FV(e) and use e[x] to denote that the variable x occurs free in e. We write e[t] for the term or formula obtained from e by replacing each occurrence of x in e by t.

A theory T is a pair (Σ, I), where Σ is a signature and I is a non-empty class of Σ-interpretations (the models of T) that is closed under variable reassignment, i.e., every Σ-interpretation that only differs from an I ∈ I in how it interprets variables is also in I. A Σ-formula ϕ is T-satisfiable (resp. T-unsatisfiable) if it is satisfied by some (resp. no) interpretation in I; it is T-valid if it is satisfied by all interpretations in I. We will sometimes omit T when the theory is understood from context.
We briefly recap the terminology and notation of Brain et al. [12] which defines an SMT-LIB theory TFP of floating-point numbers based on the IEEE-754 2008 standard [3]. The signature of TFP includes a parametric family of sorts Fε,σ where ε and σ are integers greater than or equal to 2 giving the number of bits used to store the exponent e and significand s, respectively. Each of these sorts contains five kinds of constants: normal numbers of the form 1.s ∗ 2^e, subnormal numbers of the form 0.s ∗ 2^(−2^(σ−1)−1), two zeros (+0 and −0), two infinities (+∞ and −∞) and a single not-a-number (NaN). We assume a map vε,σ for each sort, which maps these constants to their value in the set R* = R ∪ {+∞, −∞, NaN}. The theory also provides a rounding-mode sort RM, which contains five elements {RNE, RNA, RTP, RTN, RTZ}.

Table 1 lists all considered operators and predicate symbols of theory TFP. The theory contains a full set of arithmetic operations {|...|, +, −, ·, ÷, √, max, min} as well as rem (remainder), rti (round to integral) and fma (combined multiply and add with just one rounding). The precise semantics of these operators is given in [12] and follows the same general pattern: vε,σ is used to project the arguments to R*, the normal arithmetic is performed in R*, then the rounding mode and the result are used to select one of the adjoints of vε,σ to convert the result back to Fε,σ. Note that the full theory in [12] includes several additional operators which we omit from discussion here, such as floating-point minimum/maximum, equality with floating-point semantics (fp.eq), and conversions between sorts.

Theory TFP further defines a set of ordering predicates {<, >, ≤, ≥} and a set of classification predicates {isNorm, isSub, isInf, isZero, isNaN, isNeg, isPos}. In the following, we denote the rounding mode of an operation above the operator symbol (rendered here as a superscript), e.g., a +^RTZ b adds a and b and rounds the result towards zero. We use the infix operator style for isInf (... ≈ ±∞), isZero (... ≈ ±0), and isNaN (... ≈ NaN) for conciseness. We further use minn/maxn and mins/maxs for floating-point constants representing the minimum/maximum normal and subnormal numbers, respectively. We will omit rounding mode and floating-point sorts if they are clear from the context.
Invertibility Conditions for Floating-Point Formulas 119
3 Invertibility Conditions for Floating-Point Formulas
In this section, we adapt the concept of invertibility conditions introduced by Niemetz et al. in [26] to our theory TFP. Intuitively, an invertibility condition φc for a literal l[x] is the exact condition under which l[x] has a solution for x, i.e., φc is equivalent to ∃x. l[x] in TFP.

Definition 1 (Floating-Point Invertibility Condition). Let l[x] be a ΣFP-literal. A quantifier-free ΣFP-formula φc is an invertibility condition for x in l[x] if x ∉ FV(φc) and φc ⇔ ∃x. l[x] is TFP-valid.
As a simple example of an invertibility condition, given literal |x| ≈ t where |x| denotes the absolute value of x, a solution for x exists if and only if t is not negative, i.e., if ¬isNeg(t) holds. We introduce additional terminology for the sake of the discussion. We define the dimension of an invertibility condition problem ∃x. l[x] as the number of free variables it contains. For example, if s and t are variables, then the dimension of ∃x. x + s ≈ t is two, the dimension of ∃x. isZero(x + s) is one, and the dimension of ∃x. isZero(|x|) is zero. A literal l[x] is fully invertible if its invertibility condition is ⊤. A term e is an (unconditional) inverse for x in l[x] if l[e] is equivalent to ⊤. For example, the literal −x ≈ t is fully invertible and −t is an inverse for x in this literal. We say that e is a conditional inverse for l[x] if l[e] is an invertibility condition for l[x].

Our primary goal in this work is to establish invertibility conditions for all floating-point constraints that contain exactly one operator and one predicate. These conditions collectively suffice to characterize when any literal l[x] containing exactly one occurrence of x, the variable to solve for, has a solution. In total, we were able to establish 167 out of 188 invertibility conditions (counting commutative cases only once) using a syntax-guided synthesis framework which we describe in more detail in Sect. 4. In this section, we present a subset of these invertibility conditions, highlighting the most interesting cases where we succeeded (or failed) to establish an invertibility condition. Due to space restrictions, we omit the conditions for the remaining cases.¹

Table 1. Considered floating-point predicates/operators, with SMT-LIB 2 syntax.

Symbol                    SMT-LIB syntax                           Sort
isNorm, isSub             fp.isNormal, fp.isSubnormal              Fε,σ → Bool
isPos, isNeg              fp.isPositive, fp.isNegative             Fε,σ → Bool
isInf, isNaN, isZero      fp.isInfinite, fp.isNaN, fp.isZero       Fε,σ → Bool
≈, <, >, ≤, ≥             =, fp.lt, fp.gt, fp.leq, fp.geq          Fε,σ × Fε,σ → Bool
|...|, −                  fp.abs, fp.neg                           Fε,σ → Fε,σ
rem                       fp.rem                                   Fε,σ × Fε,σ → Fε,σ
√, rti                    fp.sqrt, fp.roundToIntegral              RM × Fε,σ → Fε,σ
+, −, ·, ÷                fp.add, fp.sub, fp.mul, fp.div           RM × Fε,σ × Fε,σ → Fε,σ
fma                       fp.fma                                   RM × Fε,σ × Fε,σ × Fε,σ → Fε,σ
Table 2. Invertibility conditions for floating-point operators (excl. fma) with ≈.

Literal            Invertibility condition
x +^R s ≈ t        t ≈ (t −^RTP s) +^R s ∨ t ≈ (t −^RTN s) +^R s ∨ s ≈ t
x −^R s ≈ t        t ≈ (s +^RTP t) −^R s ∨ t ≈ (s +^RTN t) −^R s ∨ (s ≉ t ∧ s ≈ ±∞ ∧ t ≈ ±∞)
s −^R x ≈ t        t ≈ s +^R (t −^RTP s) ∨ t ≈ s +^R (t −^RTN s) ∨ s ≈ t
x ·^R s ≈ t        t ≈ (t ÷^RTP s) ·^R s ∨ t ≈ (t ÷^RTN s) ·^R s ∨ (s ≈ ±∞ ∧ t ≈ ±∞) ∨ (s ≈ ±0 ∧ t ≈ ±0)
x ÷^R s ≈ t        t ≈ (s ·^RTP t) ÷^R s ∨ t ≈ (s ·^RTN t) ÷^R s ∨ (s ≈ ±∞ ∧ t ≈ ±0) ∨ (t ≈ ±∞ ∧ s ≈ ±0)
s ÷^R x ≈ t        t ≈ s ÷^R (s ÷^RTP t) ∨ t ≈ s ÷^R (s ÷^RTN t) ∨ (s ≈ ±∞ ∧ t ≈ ±∞) ∨ (s ≈ ±0 ∧ t ≈ ±0)
x rem s ≈ t        t ≈ t rem s
s rem x ≈ t        ?
√^R x ≈ t          t ≈ √^R (t ·^RTP t) ∨ t ≈ √^R (t ·^RTN t) ∨ t ≈ ±0
|x| ≈ t            ¬isNeg(t)
−x ≈ t             ⊤
rti^R(x) ≈ t       t ≈ rti^R(t)

Table 2 lists the invertibility conditions for equality with the operators {+, −, ·, ÷, rem, √, |...|, −, rti}, parameterized over a rounding mode R (one of RNE, RNA, RTP, RTN, or RTZ). Note that operators {+, ·} and the multiplicative step of fma are commutative, and thus the invertibility conditions for both variants are identical.

Each of the first six invertibility conditions in this table follows a pattern. The first two disjuncts are instances of the literal to solve for, where a term involving rounding modes RTP and RTN is substituted for x. These disjuncts are then followed by disjuncts for handling special cases for infinity and zero. From the structure of these conditions, e.g., for +, we can derive the insight that if there is a solution for x in the equation x +^R s ≈ t and we are not in a corner case where s = t, then either t −^RTP s or t −^RTN s must be a solution. Based on extensive runs of our syntax-guided synthesis procedure, we believe this condition is close to having minimal term size. From this, we conclude that an efficient yet complete method for solving x +^R s ≈ t checks whether t − s rounding towards positive or negative is a solution in the non-trivial case when s and t are disequal, and otherwise concludes that no solution exists. A similar insight can be derived for the other invertibility conditions of this form.

¹ Available at https://cvc4.cs.stanford.edu/papers/CAV2019-FP.
We found that t is a conditional inverse for the case of rti^R(x) ≈ t and x rem s ≈ t, that is, substituting t for x is an invertibility condition. For the latter, we discovered an alternative invertibility condition:

|t +^RTP t| ≤ |s| ∨ |t +^RTN t| ≤ |s| ∨ ite(t ≈ ±0, s ≈ ±0, t ≈ ±∞)   (1)

In contrast to the condition from Table 2, this version does not involve rem. It follows that certain applications of floating-point remainder, including those whose first argument is an unconstrained variable, can be eliminated based on this equivalence. Interestingly, for s rem x ≈ t, we did not succeed in finding an invertibility condition. This case appears to not admit a concise solution; we discuss further details below.
Table 3 gives the invertibility conditions for ≥. Since these constraints admit more solutions, they typically have simpler invertibility conditions. In particular, with the exception of rem, all conditions only involve floating-point classifiers.

Table 3. Invertibility conditions for floating-point operators (excl. fma) with ≥.

Literal            Invertibility condition
x +^R s ≥ t        (isPos(s) ∨ ite(s ≈ ±∞, (t ≈ ±∞ ∧ isNeg(t)), isNeg(s))) ∧ t ≉ NaN
x −^R s ≥ t        ite(isNeg(s), t ≉ NaN, ite(s ≈ ±∞, (t ≈ ±∞ ∧ isNeg(t)), (isPos(s) ∧ t ≉ NaN)))
s −^R x ≥ t        (isPos(s) ∨ ite(s ≈ ±∞, (t ≈ ±∞ ∧ isNeg(t)), isNeg(s))) ∧ t ≉ NaN
x ·^R s ≥ t        (isNeg(t) ∨ t ≈ ±0 ∨ s ≉ ±0) ∧ s ≉ NaN ∧ t ≉ NaN
x ÷^R s ≥ t        (isNeg(t) ∨ t ≈ ±0 ∨ s ≉ ±∞) ∧ s ≉ NaN ∧ t ≉ NaN
s ÷^R x ≥ t        (isNeg(t) ∨ t ≈ ±0 ∨ s ≉ ±0) ∧ s ≉ NaN ∧ t ≉ NaN
x rem s ≥ t        ite(isNeg(t), s ≉ NaN, (|t +^RNE t| ≤ |s| ∧ t ≉ ±∞)) ∧ s ≉ ±0
s rem x ≥ t        ?
√^R x ≥ t          t ≉ NaN
|x| ≥ t            t ≉ NaN
−x ≥ t             t ≉ NaN
rti^R(x) ≥ t       t ≉ NaN

When considering literals with predicates, the invertibility conditions for cases involving x + s and s − x are identical for every predicate and rounding mode. This is due to the fact that s − x is equivalent to s + (−x), independent from the rounding mode. Thus, the negation of the inverse value of x for an equation involving x + s is the inverse value of x for an equation involving s − x. Similarly, the invertibility conditions for x · s and s ÷ x over predicates {<, ≤, >, ≥, isInf, isNaN, isNeg, isZero} are identical for all rounding modes.

For all predicates except {≈, isNorm, isSub}, the invertibility conditions for operators {+, −, ÷, ·} contain floating-point classifiers only. All of these conditions are also independent from the rounding mode. Similarly, for operator fma over predicates {isInf, isNaN, isNeg, isPos}, the invertibility conditions contain only floating-point classifiers. All of these conditions except for isNeg(fma(x, s, t)) and isPos(fma(x, s, t)) are also independent from the rounding mode.

For all floating-point operators with predicate isNaN, the invertibility condition is ⊤, i.e., an inverse value for x always exists. This is due to the fact that every floating-point operator returns NaN if one of its operands is NaN, hence NaN can be picked as an inverse value of x. Conversely, we identified four cases for which the invertibility condition is ⊥, i.e., an inverse value for x never exists. These four cases are isNeg(|x|), isInf(x rem s), isInf(s rem x), and isSub(rti(x)). For the first three cases, it is obvious why no inverse value exists. The intuition for isSub(rti(x)) is that integers are not subnormal, and as a result if x is rounded to an integer it can never be a subnormal number. All of these cases can be easily implemented as rewrite rules in an SMT solver.

For operator fma, the invertibility conditions over predicates {isInf, isNaN, isNeg, isPos} contain floating-point classifiers only. For predicate isZero, the invertibility conditions are more involved. Equations (2) and (3) show the invertibility conditions for isZero(fma(x, s, t)) and isZero(fma(s, t, x)) for all rounding modes R.

fma^R(−(t ÷^RTP s), s, t) ≈ ±0 ∨ fma^R(−(t ÷^RTN s), s, t) ≈ ±0 ∨ (s ≈ ±0 ∧ t ≈ ±0)   (2)

fma^R(s, t, −(s ·^RTP t)) ≈ ±0 ∨ fma^R(s, t, −(s ·^RTN t)) ≈ ±0   (3)

These two invertibility conditions contain case splits similar to those in Table 2 and indicate that, e.g., −(t ÷^RTP s) is an inverse value for x when fma^R(−(t ÷^RTP s), s, t) ≈ ±0 holds.
As we will describe in Sect. 4, an important aspect of synthesizing these invertibility conditions was considering their visualizations. This helped us determine which invertibility conditions were relatively simple and which exhibited complex behavior.
[Figure 1: four pixel maps over s (horizontal axis) and t (vertical axis); panels (a) x + s ≈ t, (b) x · s ≈ t, (c) x ÷ s ≈ t, (d) s ÷ x ≈ t.]
Fig. 1. Invertibility conditions for {+, ·, ÷} over ≈ for F3,5 and rounding mode RNE.

[Figure 2: two pixel maps over s and t; panels (a) x rem s ≈ t, (b) s rem x ≈ t.]
Fig. 2. Invertibility conditions for rem over ≈ for F3,5.
Figure 1 shows the visualizations of the invertibility conditions for operators {+, ·, ÷} over ≈ from Table 2 for sort F3,5 with rounding mode RNE (each of the literals is two-dimensional). We use 227 × 227 pixel maps over all possible values of s and t, where the pixel at point (s, t) is white if the invertibility condition is true, and black if it is false.² The values of s are plotted on the horizontal axis and the values of t are plotted on the vertical axis. The leftmost two columns (resp. topmost two rows) give the value of the invertibility condition for s = ±0 (resp. t = ±0); the rightmost column (resp. bottom row) gives its value for NaN; the next two columns left of (resp. next two rows on top of) NaN give its value for ±∞; the remainder plots the values of the subnormal and normal values of s and t, left-to-right (resp. top-to-bottom) in increasing order of their absolute value, alternating between positive and negative values. These visualizations give an intuition of the complexity of the behavior of invertibility conditions, which is a consequence of the complex semantics of floating-point operations.

Figure 2 gives the invertibility condition visualizations for remainder over ≈ with sort F3,5 and rounding mode RNE. The visualization on the left hand shows that solving for x as the first argument is relatively easy. It suggests that an invertibility condition for this case involves a linear inequality relating the absolute values of s and t, which we were able to derive in Eq. (1). Solving for x as the second argument, on the other hand, is much more difficult, as indicated by the right picture, which has a significantly more complex structure. We conjecture that no simple solution exists for the latter problem. The visualization of the invertibility condition gives some of the intuition for this: the diagonal divide is caused by the fact that output t will always have a smaller absolute value than the input s. The top-left corner represents subnormal/subnormal computation; this acts as a fixed-point computation and behaves differently from the rest of the function. The stepped blocks along the diagonal occur when s and t have the same exponent and thus the pattern is similar to the invertibility condition for + shown in Fig. 1. Portions right of the main diagonal appear to exhibit random behavior. We believe this is the result of repeated cancellations in the computation of the remainder for those values, which suggests a behavior that we believe is similar to the Blum-Blum-Shub random number generator [9].

² Notice that we consider all possible (2^(σ−1) − 1) ∗ 2 NaN values of TFP as one single NaN value. Thus, for sort F3,5 we have 227 floating-point values (instead of 2^8 = 256).

[Figure 3: four pixel maps over s and t; panels (a) x rem s > t, (b) x rem s ≥ t, (c) s rem x > t, (d) s rem x ≥ t.]
Fig. 3. Invertibility conditions for rem over inequalities for F3,5.

[Figure 4: four pixel maps over s and t; panels (a) fma(x, s, t) ≈ ±0, (b) fma(s, t, x) ≈ ±0, (c) isSub(fma(x, s, t)), (d) isSub(fma(s, t, x)).]
Fig. 4. Invertibility conditions for fma over {isZero, isSub} for F3,5 and rnd. mode RNE.

For remainder with inequalities, we succeeded in determining invertibility conditions for ≤ and ≥ if x is the first argument. However, for x rem s over {<, >}, and s rem x over {≥, ≤, <, >} we did not. This is particularly surprising considering that the invertibility conditions for non-strict and strict inequalities are nearly identical (varying only by a handful of pixels), as shown in Fig. 3. Note that for x as the first argument, all variations of the concise invertibility conditions for non-strict inequality we considered failed as solutions for the strict inequality. This behavior is representative of the many subtle corner cases we encountered while synthesizing these conditions.

Figure 4 shows visualizations for invertibility conditions involving fma. The left two images are visualizations for the invertibility conditions for isZero. The corresponding invertibility conditions are given in Eqs. (2) and (3) above. We were not able to determine invertibility conditions for operator fma over predicate isSub, which are visualized in the rightmost two pictures in Fig. 4. Finally, we did not succeed in finding invertibility conditions for fma with binary predicates, which are particularly challenging since they are three-dimensional. Finding solutions for these cases is ongoing work (see Sect. 4 for a more in-depth discussion).
4 Synthesis of Floating-Point Invertibility Conditions
Deriving invertibility conditions in TFP is a highly challenging task. We were unable to derive these conditions manually despite our substantial background knowledge of floating-point numbers. As a consequence, we developed a custom extension of the syntax-guided synthesis (SyGuS) paradigm [1] with the goal of finding invertibility conditions automatically, which resulted in the conditions from Sect. 3. While the extension was optimized for this task, we stress that our techniques are theory-agnostic and can be used for synthesis problems over any finite domain. Our approach builds upon the SyGuS capabilities of the SMT solver CVC4 [5,29], which has recently been extended to support reasoning about the theory of floating-points [11]. We use the invertibility condition for floating-point addition with equality here as a running example.

Establishing an invertibility condition requires solving a synthesis problem with three levels of quantifier alternation. In particular, for floating-point addition with equality, we are interested in finding a solution for predicate IC that satisfies the conjecture:

∃IC. ∀s, t. (IC(s, t) ⇔ (∃x. x +^R s ≈ t))   (4)

for some rounding mode R. In other words, this conjecture states that IC(s, t) holds exactly when there exists an x that, when rounding the result of adding x to s according to mode R, yields t. Furthermore, we are interested in finding a solution for IC that holds independently of the format of x, s, t. Note that SMT solvers are not capable of reasoning about constraints that are parametric in the floating-point format. To address this challenge, following the methodology from previous work [26], our strategy for establishing (general) invertibility conditions first solves the synthesis conjecture for a fixed format Fε,σ, and subsequently checks whether that solution also holds for other formats. The choice of the number of exponent bits ε and significand bits σ in Fε,σ balances two criteria:
1. ε, σ should be large enough to exercise many (or all) of the behaviors of the operators and relations in our synthesis conjecture,
2. ε, σ should be small enough for the synthesis problem to be tractable.
In our experience, the best choices for (ε, σ) depended on the particular invertibility condition we were solving. The most common choices for (ε, σ) were (3, 5), (4, 5) and (4, 6). For most two-dimensional invertibility conditions (those that involve two variables s and t), we used (3, 5), since the required synthesis procedures mentioned below were roughly eight times faster than for (4, 5). For one-dimensional invertibility conditions, we often used higher precision formats. Since floating-point operators like addition take as additional argument a rounding mode R, we assumed a fixed rounding mode when solving, and then cross-checked our solution for multiple rounding modes.
Assume we have chosen to synthesize the invertibility condition for conjecture (4) for format F3,5 and rounding mode RNE. Notice that current SyGuS solvers [2,29] support only two levels of quantifier alternation. However, we can expand the innermost quantifier in this conjecture to obtain the conjecture:

∃IC. ∀s, t. (IC(s, t) ⇔ ⋁_{i=0}^{226} (i +^RNE s ≈ t))   (5)

where for simplicity of notation we use i = 0, ..., 226 to denote the values of F3,5. This methodology was also used in Niemetz et al. [26], where invertibility conditions for bit-vector operators were synthesized for bit-width 4 by giving the conjecture of the above form to an off-the-shelf SyGuS solver. In contrast to that work, we found that the synthesis conjecture above is too challenging to be solved efficiently by current state-of-the-art enumerative SyGuS solvers. The reason for this is twofold. First, the smallest viable floating-point format is 3 + 5 = 8 bits, which requires the body of (5) to have a significantly large number of disjuncts (227), which is more than ten times larger than the 16 disjuncts required when synthesizing 4-bit invertibility conditions for bit-vectors. Second, floating-point formulas are much harder to solve than bit-vector formulas, due to the complexity of their bit-blasted encodings. Thus, a significantly challenging satisfiability query must be solved for each candidate considered within the SyGuS solver.

To address the above challenges, we perform a more extreme preprocessing step on our synthesis conjecture, which computes the input/output behavior of the invertibility condition on all points in the domain of s and t. In other words, we rephrase our synthesis conjecture as:

∃IC. ⋀_{i=0}^{226} ⋀_{j=0}^{226} (IC(i, j) ⇔ c_{i,j})   (6)

where each c_{i,j} is a Boolean constant (either ⊤ or ⊥) determined by a quantifier-free satisfiability query. In particular, for each pair of floating-point values (i, j), constant c_{i,j} is ⊤ if x + i ≈ j is satisfiable, and ⊥ if it is unsatisfiable. In practice, we represent the above conjecture as a 227 × 227 table, which we call the full I/O specification of invertibility condition IC. In our experiments, computing this table for most two-dimensional invertibility conditions of sort F3,5 required 15 min (for 227 ∗ 227 = 51,529 quantifier-free queries), and 2 h for sort F4,5 (requiring 483 ∗ 483 = 233,289 queries). This process was accelerated by first applying random sampling over possible values of x to quickly test if a query was satisfiable. For some operators, notably remainder, this required significantly more time than for others (up to a factor of 2). Due to the high cost of this preprocessing step, we generated a database with the full I/O specifications for all invertibility conditions from Sect. 3 using a cluster of 50 nodes with Intel Xeon E5-2637 with 3.5 GHz and 32 GB memory, and then shared this database among multiple developers. Computing the full I/O specifications for F3,5, F4,5, and F4,6 required a total of 459 days of CPU time (6.1 for F3,5, 54.7 for F4,5, and 398.5 for F4,6). Despite the heavy cost of this step, it was crucial for accelerating our framework for synthesizing invertibility conditions, described next.
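The condition for x +^R s ≈ t from Table 2, the two-candidate solving method derived from it in Sect. 3, and the full I/O specification of conjecture (6) can all be reproduced on F3,5 without an SMT solver. The Python program below is an added example and not code from the paper or from CVC4: it emulates F3,5 with exact rational arithmetic (the value encoding, the function names and the collapsing of all NaNs into a single value, as in footnote 2, are this example's own choices), enumerates every x for each pair (s, t) to obtain the 227 × 227 table of constants c_{i,j}, and then checks that the Table 2 condition and the solver that tries t −^RTP s and t −^RTN s agree with that table on every point. ≈ is implemented as SMT-LIB structural equality, so NaN ≈ NaN holds while +0 ≉ −0, which is what makes the signed-zero rows of the table come out right.

```python
"""Brute-force check of the Table 2 condition for  x +^R s ≈ t  on F_{3,5}.
Added example, not code from the paper or CVC4.  The sort is emulated with exact
rationals (all NaNs collapsed into one value), the full I/O specification is built
by enumerating every x, and ≈ is SMT-LIB structural equality (NaN ≈ NaN, +0 ≉ −0)."""
from bisect import bisect_left
from fractions import Fraction
from functools import lru_cache

EPS, SIG = 3, 5                                    # exponent / significand bits (hidden bit included)
BIAS, MANT = 2 ** (EPS - 1) - 1, 2 ** (SIG - 1)    # exponent bias (3) and stored significands per exponent (16)
NAN = ("nan",)   # other values: ("num", Fraction) finite non-zero; ("zero", sgn), ("inf", sgn), sgn 1 = negative

def magnitudes():
    """Non-negative finite magnitudes, ascending, index 0 = zero.  Index parity equals
    significand parity, which is what ties-to-even needs."""
    g = [Fraction(0)] + [Fraction(m, MANT) * Fraction(2) ** (1 - BIAS) for m in range(1, MANT)]
    for e in range(1, 2 ** EPS - 1):                                  # normal numbers
        g += [Fraction(MANT + m, MANT) * Fraction(2) ** (e - BIAS) for m in range(MANT)]
    return g

GRID = magnitudes()
MAX_NORMAL, ULP_MAX = GRID[-1], GRID[-1] - GRID[-2]

def domain():
    """Every value of the sort: 227 for F_{3,5}."""
    specials = [("zero", 0), ("zero", 1), ("inf", 0), ("inf", 1), NAN]
    return specials + [("num", sgn * g) for g in GRID[1:] for sgn in (1, -1)]

def signed(mag, neg):
    return ("zero", int(neg)) if mag == 0 else ("num", -mag if neg else mag)

@lru_cache(maxsize=None)
def round_to(r, mode):
    """Round the non-zero exact rational r under mode RNE, RNA, RTP, RTN or RTZ."""
    neg = r < 0
    mag = -r if neg else r
    up = {"RTP": not neg, "RTN": neg, "RTZ": False}.get(mode)      # directed: away from zero? None = nearest
    if mag > MAX_NORMAL:                                              # overflow
        if up or (up is None and mag >= MAX_NORMAL + ULP_MAX / 2):
            return ("inf", int(neg))
        return signed(MAX_NORMAL, neg)
    i = bisect_left(GRID, mag)                                        # GRID[i-1] < mag <= GRID[i]
    if GRID[i] == mag:
        return signed(mag, neg)
    if up is None:
        below, above = mag - GRID[i - 1], GRID[i] - mag
        if below != above:
            i = i - 1 if below < above else i
        elif mode == "RNE" and i % 2:                                 # tie: RNE to even, RNA away from zero
            i -= 1
    elif not up:
        i -= 1
    return signed(GRID[i], neg)

def negate(a):
    return a if a == NAN else (("num", -a[1]) if a[0] == "num" else (a[0], 1 - a[1]))

@lru_cache(maxsize=None)
def add(a, b, mode):
    """IEEE 754 addition a +^mode b: exact sum, then a single rounding."""
    if a == NAN or b == NAN:
        return NAN
    if a[0] == "inf" or b[0] == "inf":
        if a[0] == b[0] == "inf" and a[1] != b[1]:
            return NAN                                                # (+∞) + (−∞)
        return a if a[0] == "inf" else b
    if a[0] == b[0] == "zero":
        return a if a[1] == b[1] else ("zero", int(mode == "RTN"))
    r = (a[1] if a[0] == "num" else 0) + (b[1] if b[0] == "num" else 0)
    if r == 0:                                                        # exact cancellation
        return ("zero", int(mode == "RTN"))
    return round_to(r, mode)

def ic_add(s, t, mode):
    """Table 2 condition:  t ≈ (t −^RTP s) +^R s ∨ t ≈ (t −^RTN s) +^R s ∨ s ≈ t."""
    return (add(add(t, negate(s), "RTP"), s, mode) == t
            or add(add(t, negate(s), "RTN"), s, mode) == t or s == t)

def solve_add(s, t, mode):
    """The two-candidate method the condition suggests: a verified x with x +^mode s ≈ t, or None."""
    for cand in (add(t, negate(s), "RTP"), add(t, negate(s), "RTN"), ("zero", 0)):
        if add(cand, s, mode) == t:                                   # +0 covers s ≈ t ≈ ±∞ or NaN
            return cand
    return None

def full_io_spec(mode):
    """{(s, t): ∃x. x +^mode s ≈ t} by enumerating x, i.e. the constants c_{i,j} of (6)."""
    vals, spec = domain(), {}
    for s in vals:
        reachable = {add(x, s, mode) for x in vals}
        spec.update({(s, t): t in reachable for t in vals})
    return spec

def check(mode):
    """(points, points where ic_add disagrees with the spec, points where solve_add disagrees)."""
    spec = full_io_spec(mode)
    return (len(spec), [p for p, sat in spec.items() if ic_add(*p, mode) != sat],
            [p for p, sat in spec.items() if (solve_add(*p, mode) is not None) != sat])

if __name__ == "__main__":
    for mode in ("RNE", "RNA", "RTP", "RTN", "RTZ"):
        print(mode, [len(errs) for errs in check(mode)[1:]])      # [0, 0]: condition and solver match the spec
```

check("RNE") returns the number of points (51,529) together with the lists of points where the condition or the solver disagree with the enumeration; both lists are empty. The other four rounding modes are passed the same way. Setting EPS, SIG = 4, 5 yields the 483-value sort F4,5 and the 483 × 483 table mentioned above. The lru_cache on round_to is what keeps a run to a few seconds: every F3,5 value is a multiple of 1/64, so the exact sums of two of them take fewer than four thousand distinct values.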
[Figure 5 (diagram): components User, IC Problem, SyGuS Grammar, Side Condition, PBE SyGuS Solver, IC Candidate, Verifier, Full I/O Spec and Samples, with edges labelled "solve", "filter" and "cex-guided sampling".]
Fig. 5. Architecture for synthesizing invertibility conditions for floating point formulas.
Figure 5 summarizes our architecture for solving synthesis conjectures of the
above form. The user ﬁrst selects an invertibility condition problem to solve,
where we assume the full I/O speciﬁcation has been computed using the afore-
mentioned techniques. At a high level, our architecture can be seen as an inter-
active synthesis environment, where the user manages the interaction between
two subprocedures:
1. a SyGuS solver with support for decision tree learning, and
2. a solution veriﬁer storing the full I/O speciﬁcation of the invertibility condition.
We use a counterexample-guided loop, where the SyGuS solver provides the
solution veriﬁer with candidate solutions, and the solution veriﬁer provides the
SyGuS solver with an evolving subset of sample points taken from the full I/O
speciﬁcation. These points correspond to counterexamples to failed candidate
solutions, and are sampled in a uniformly random manner over the domain of
our speciﬁcation. To accelerate the speed at which our framework converges on a
solution, we conﬁgure the solution veriﬁer to generate multiple counterexample
points (typically 10) for each iteration of the loop. The process terminates when
the SyGuS solver generates a candidate solution that is correct for all points
according to its full I/O speciﬁcation.
We give the user control over both the solutions and counterexample points generated in this loop. First, as is commonly done in syntax-guided synthesis applications, the user in our workflow provides an input grammar to the SyGuS solver. This is a context-free grammar in a standard format [28], which contains a guess of the operators and patterns that may be involved in the invertibility condition we are synthesizing. Second, note that the domain of floating-point numbers can be subdivided into a number of subdomains and special cases (e.g. normal, subnormal, not-a-number, infinity), as well as split into different classifications (e.g. positive and negative). Our workflow allows the user to provide a side condition, whose purpose is to focus on finding an invertibility condition that is correct for one of these subdomains. The side condition acts as a filtering mechanism on the counterexample points generated by the solution verifier. For example, given the side condition isNorm(s) ∧ isNorm(t), the solution verifier checks candidate solutions generated by the SyGuS solver only against points (s, t) where both arguments are normal, and consequently only communicates counterexamples of this form to the SyGuS solver. The solution verifier may also be configured to establish that the current candidate solution generated by the SyGuS solver is conditionally correct, that is, it is true on all points in the domain that satisfy the side condition.
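The counterexample-guided loop of Fig. 5 and the side-condition filter described above, as an added, self-contained Python example (written for this page; it is not the paper's framework and not CVC4's SyGuS solver). Because full floating-point rounding is out of scope for a short example, it uses a constructed stand-in problem: the literal x · s ≈ t over 3-bit bit-vectors, whose invertibility condition is known from the bit-vector work cited as [26] and whose full I/O specification can be computed by brute force. The grammar, the function names (`pbe_solve`, `verify`, `synthesize`) and the 10-counterexamples-per-round setting are the example's own choices; the PBE solver is a plain enumerator rather than a decision-tree learner.

```python
import random
from itertools import product

# Constructed stand-in for the paper's floating-point problems: the literal
# x · s ≈ t over 3-bit bit-vectors (arithmetic modulo 8). Its invertibility
# condition is known from the bit-vector work cited as [26], and the domain is
# small enough to compute the full I/O specification by brute force.
WIDTH = 3
MASK = (1 << WIDTH) - 1
DOMAIN = [(s, t) for s in range(1 << WIDTH) for t in range(1 << WIDTH)]

def has_solution(s, t):
    """Ground truth: does some x satisfy (x · s) mod 2^WIDTH = t?"""
    return any((x * s) & MASK == t for x in range(1 << WIDTH))

FULL_SPEC = {p: has_solution(*p) for p in DOMAIN}      # the full I/O spec

# The user's grammar guess (hypothetical): a handful of terms over s and t,
# combined by equality and unsigned comparison, enumerated simplest first.
TERMS = [
    ("s", lambda s, t: s),
    ("t", lambda s, t: t),
    ("-s", lambda s, t: (-s) & MASK),
    ("s | -s", lambda s, t: (s | -s) & MASK),
    ("(s | -s) & t", lambda s, t: (s | -s) & t & MASK),
]

def grammar():
    for (na, fa), (nb, fb) in product(TERMS, repeat=2):
        if na == nb:
            continue
        yield f"{na} ≈ {nb}", (lambda s, t, fa=fa, fb=fb: fa(s, t) == fb(s, t))
        yield f"{na} ≤ {nb}", (lambda s, t, fa=fa, fb=fb: fa(s, t) <= fb(s, t))

def pbe_solve(samples):
    """Stand-in for the PBE SyGuS solver: the first predicate in grammar order
    that agrees with every sample point (a correct IC is never ruled out)."""
    for name, fn in grammar():
        if all(fn(s, t) == want for (s, t), want in samples.items()):
            return name, fn
    return None

def verify(fn, side_cond=None):
    """Solution verifier: all points of the full spec on which the candidate is
    wrong, restricted to points that satisfy the side condition (if any)."""
    return [p for p in DOMAIN
            if (side_cond is None or side_cond(*p)) and fn(*p) != FULL_SPEC[p]]

def synthesize(side_cond=None, k=10, seed=0):
    """The counterexample-guided loop of Fig. 5, feeding up to k uniformly
    random counterexamples back to the solver per round."""
    rng = random.Random(seed)
    samples, rounds = {}, 0
    while True:
        rounds += 1
        found = pbe_solve(samples)
        if found is None:
            raise RuntimeError("no predicate of the grammar fits the samples")
        name, fn = found
        cex = verify(fn, side_cond)
        if not cex:                     # correct on every (filtered) point
            return {"ic": name, "fn": fn, "rounds": rounds, "samples": len(samples)}
        for p in rng.sample(cex, min(k, len(cex))):
            samples[p] = FULL_SPEC[p]

if __name__ == "__main__":
    r = synthesize()
    print(f"IC for x · s ≈ t: {r['ic']}  ({r['rounds']} rounds, {r['samples']} samples)")
    odd_s = lambda s, t: s % 2 == 1     # side condition: only odd s
    r = synthesize(side_cond=odd_s)
    print(f"conditionally correct IC for odd s: {r['ic']}")
```

The unconditional run terminates at the first predicate in grammar order that agrees with the whole specification, whichever counterexamples were sampled; with the side condition restricting the verifier to odd s (where every t has a solution), the loop stops at a much earlier predicate that is conditionally correct but wrong on the whole domain, which is exactly the distinction the solution verifier is configured to report.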
There are several advantages to the form of the synthesis conjecture in (6) that we exploit in our workflow. First, its structure makes it easy to divide the problem into sub-cases: our synthesis workflow at all times sends only a subset of the conjuncts of (6) for some (i, j) pairs. As a result, we do not burden the underlying SyGuS solver with the entire conjecture at once, which would not scale in practice. A second advantage is that it is in programming-by-examples (PBE) form, since it consists of a conjunction of concrete input-output pairs. As a consequence, specialized algorithms can be used by the SyGuS solver to generate solutions for (approximations of) our conjecture in a way that is highly scalable in practice. These techniques are broadly referred to as decision tree learning or unification algorithms. As a brief review (see Alur et al. [2] for a recent SyGuS-based approach), a decision tree learning algorithm is given as input a set of good examples c1 → ⊤, . . . , cn → ⊤ and a set of bad examples d1 → ⊥, . . . , dm → ⊥. The goal of a decision tree algorithm is to find a predicate, or classifier, that evaluates to true on all the good examples, and false on all the bad examples. In our context, a classifier is expressed as an if-then-else tree of Boolean sort. Sampling the space of conjecture (6) provides the decision tree algorithm with good and bad examples, and the returned classifier is a candidate solution that we give to the solution verifier. The SyGuS solver of CVC4 uses a decision-tree learning algorithm, which we rely on in our workflow. Due to the scalability of this algorithm and the fact that only a small subset of our conjecture is considered at any given time, candidate solutions are typically generated by the SyGuS solver in our framework in a matter of seconds.
Another important aspect of the SyGuS solver in Fig. 5 is that it is configured to generate multiple solutions for the current set of sample points. Due to the way the SyGuS-based decision-tree learning algorithm works, these solutions tend to become more general over the runtime of the solver. As a simple example (assuming exact integer arithmetic), say the solver is given input points (1, 1) → ⊤, (2, 0) → ⊤, (1, 0) → ⊥ and (0, 1) → ⊥ for (s, t). It enumerates predicates over s and t, starting with the simplest predicates first, say s ≈ 0, t ≈ 0, s ≈ 1, t ≈ 1, s + t > 1, and so on. After generating the first four predicates, it constructs the solution ite(s ≈ 1, t ≈ 1, t ≈ 0), which is a correct classifier for the given set of points. However, after generating the fifth predicate in this list, it returns s + t > 1 itself as a solution; this can be seen as a generalization of the previous solution since it requires no case splitting.
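The integer example above, replayed by an added decision-tree learner written for this page (it is example code, not CVC4's unification algorithm and not code from the paper). The learner tries the predicates in the stated enumeration order, returns a single predicate as soon as one classifies every point, and otherwise searches exhaustively for the if-then-else tree with the fewest nodes, breaking ties in favour of earlier predicates; that size-minimizing search is the example's own assumption, and it also shows the larger tree the learner reports after only three predicates, which the text does not list.

```python
# Added example (not from the paper): an enumerative decision-tree learner in
# the spirit of the PBE algorithm described in the text. The exhaustive
# smallest-tree search is fine for a handful of points, not for real PBE sets.

# The points (s, t) → ⊤/⊥ from the text (exact integer arithmetic).
EXAMPLES = {(1, 1): True, (2, 0): True, (1, 0): False, (0, 1): False}

# Candidate predicates in the order the solver is said to enumerate them.
PREDICATES = [
    ("s ≈ 0", lambda s, t: s == 0),
    ("t ≈ 0", lambda s, t: t == 0),
    ("s ≈ 1", lambda s, t: s == 1),
    ("t ≈ 1", lambda s, t: t == 1),
    ("s + t > 1", lambda s, t: s + t > 1),
]

def size(tree):
    """Number of predicate and leaf nodes in a classifier."""
    if isinstance(tree, str):
        return 1
    return 1 + size(tree[2]) + size(tree[3])

def show(tree):
    """Render a classifier the way the text writes it, e.g. ite(s ≈ 1, t ≈ 1, t ≈ 0)."""
    if isinstance(tree, str):
        return tree
    return f"ite({tree[1]}, {show(tree[2])}, {show(tree[3])})"

def learn(points, preds):
    """Smallest classifier (by node count) consistent with `points`, using only
    the predicates in `preds`; None if they cannot separate the examples."""
    labels = set(points.values())
    if labels == {True}:
        return "⊤"
    if labels == {False}:
        return "⊥"
    for name, fn in preds:                    # does one predicate already do it?
        if all(fn(*p) == lbl for p, lbl in points.items()):
            return name
    best = None
    for name, fn in preds:                    # otherwise split on it and recurse
        yes = {p: l for p, l in points.items() if fn(*p)}
        no = {p: l for p, l in points.items() if not fn(*p)}
        if not yes or not no:
            continue
        then_, else_ = learn(yes, preds), learn(no, preds)
        if then_ is None or else_ is None:
            continue
        cand = ("ite", name, then_, else_)
        if best is None or size(cand) < size(best):   # ties keep the earlier predicate
            best = cand
    return best

def candidates_over_time(points, preds):
    """Replay the enumeration: the classifier reported once the first k
    predicates are available (None while they cannot separate the examples)."""
    out = []
    for k in range(1, len(preds) + 1):
        tree = learn(points, preds[:k])
        out.append(None if tree is None else show(tree))
    return out

if __name__ == "__main__":
    for k, c in enumerate(candidates_over_time(EXAMPLES, PREDICATES), start=1):
        print(f"after {k} predicates: {c}")
```

With the first four predicates the learner reports ite(s ≈ 1, t ≈ 1, t ≈ 0), and once s + t > 1 is enumerated it reports that predicate alone, matching the two candidates in the text; the three-predicate tree in between illustrates why earlier candidates are less general.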
Since more general candidate solutions have a higher likelihood of being actual solutions in our experience, our workflow critically relies on the ability of users to manually terminate the synthesis procedure when they are satisfied with the last generated candidate. Our synthesis procedure logs a list of candidate solutions that satisfy the conjecture on the current set of sample points. When the user terminates the synthesis process, the solution verifier will check the last solution generated in this list. Users have the option to rearrange the elements of this list by hand, if they have an intuition that a specific candidate is more likely to be correct, and so should be tested first.
Experience. The first challenging invertibility condition we solved with our framework was addition with equality for rounding mode RNE. Initially, we used a generic grammar that contained the entire floating-point signature. As a first key step towards solving this problem, the synthesis procedure suggested the single literal t ≈ s +_{RNE} (t −_{RNE} s) as candidate solution. Although counterexamples were found for this candidate, we noticed that it satisfied over 98% of the specification, and a visualization of its I/O behavior showed similar patterns to the invertibility condition we were solving for. Based on these observations, we focused our grammar towards literals of this form. In particular, we used a function that takes two floating-points x, y and two rounding modes R1, R2 as arguments and returns x +_{R1} (y −_{R2} x) as a builtin symbol of our grammar. We refer to such a function as a residual computation of y, noting that its value is often approximately y. By including various functions for residual computations, we focused the effort of the synthesizer on more interesting predicates. The end solution involved multiple residual computations, as shown in Table 2. Our initial solution was specific to the rounding mode RNE. After solving for several other rounding modes, we were able to construct a parametric solution that was correct for all rounding modes. In total, it took roughly three days of developer time to discover the generalized invertibility condition for addition with equality. Many of the subsequent invertibility conditions took a matter of hours, since by then we had a good intuition for the residual computations that were relevant for each case.
Invertibility conditions involving rem, fma, isNorm, and isSub were challenging and required further customizations to the grammar, for instance to include constants that corresponded to the minimum and maximum normal and subnormal values. Three-dimensional invertibility conditions (which in this work are limited to cases of fma with binary predicates) were especially challenging since the domain of their conjecture is a factor of 2^27 larger for F3,5 than the others. Following our strategy for solving the invertibility conditions for specific formats and rounding modes, in ongoing work we are investigating solving these cases by first solving the invertibility condition for a fixed value c for one of its free variables u. Solving a two-dimensional problem of this form with a solution ϕ may suggest a generalization that works for all values of u where all occurrences of c in ϕ are replaced by u.
We found the side condition feature of our workflow important for narrowing down which subdomain was the most challenging for the conjecture in question. For instance, for some cases it was very easy to find invertibility conditions that held when both s and t were normal (resp., subnormal), but very difficult when s was normal and t was subnormal or vice versa.
We also implemented a fully automated mode for the synthesis loop in Fig. 5. However, in practice, it was more effective to tweak the generated solutions manually. The amount of user interaction was not prohibitively high in our experience.
Finally, we found that it was often helpful to visualize the input/output behavior of candidate solutions. In many cases, the difference between a candidate solution and the desired behavior of the invertibility condition would reveal a required modification to the grammar or would suggest which parts of the domain of the conjecture to focus on.
4.1 Verifying Conditions for Multiple Formats and Rounding Modes
We verified the correctness of all 167 invertibility conditions by checking them against their corresponding full I/O specification for floating-point formats F3,5, F4,5, and F4,6 and all rounding modes, which required 1.6 days of CPU time. This is relatively cheap compared to computing the specifications, since checking is essentially constant evaluation of invertibility conditions for all possible input values. However, this quickly becomes infeasible with increasing precision, since the time required for computing the I/O specification roughly increases by a factor of 8 for each bit.
As a consequence, we generated quantified floating-point problems to verify the 167 invertibility conditions for formats F3,5, F4,5, F4,6, F5,11 (Float16), F8,24 (Float32), and F11,53 (Float64) and all rounding modes. Each problem checks the T_FP-unsatisfiability of formula ¬(φc ⇔ ∃x. l[x]), where l[x] corresponds to the floating-point literal, and φc to its invertibility condition. In total, we generated 3786 problems (116 ∗ 5 + 51³ for each floating-point format) and checked them using CVC4 [5] (master 546bf686) and Z3 [16] (version 4.8.4).
Fig. 6. Recursive procedure QEFP for computing quantifier elimination for x in the unit linear formula ∃x. P(t1, . . . , tj[x], . . . , tn). The free variables in this formula and the fresh variable y are implicitly universally quantified. Placeholder  denotes a floating-point operator from Table 1.
We consider an invertibility condition to be verified for a floating-point format and rounding mode if at least one solver reports unsatisfiable. Given a CPU time limit of one hour and a memory limit of 8GB for each solver/benchmark pair, we were able to verify 3577 (94.5%) invertibility conditions overall, with 99.2% of F3,5, 99.7% of F4,5, 100% of F4,6, 93.8% of F5,11, 90.2% of F8,24, and 84% of F11,53. This verification with CVC4 and Z3 required a total of 32 days of CPU time. All verification jobs were run on cluster nodes with Intel Xeon E5-2637 3.5GHz and 32GB memory.
5 Quantifier Elimination for Unit Linear Floating-Point Formulas
Based on the invertibility conditions presented in Sect. 3, we can define a quantifier elimination procedure for a restricted fragment of floating-point formulas. The procedure applies to unit linear formulas, that is, formulas of the form ∃x. P[x] where P is a Σ_FP-literal containing exactly one occurrence of x.
Figure 6 gives a quantifier elimination procedure QEFP for unit linear floating-point formulas ∃x. P[x]. We write getIC(y, Q[y]) to indicate the invertibility condition for y in Q[y], which amounts to a table lookup for the appropriate condition as given in Sect. 3. Note that our procedure is currently a partial function because we do not yet have invertibility conditions for some unit linear formulas. The recursive procedure returns a conjunction of conditions based on the path on which x occurs in P. If x occurs beneath multiple nested function applications, a fresh variable y is introduced and used for referencing the intermediate result of the subterm we are currently solving for. We demonstrate this in the following example.
Example 2. Consider the unit linear formula ∃x. (x ·_R u) +_R s ≥ t. Invoking the procedure QEFP on this input yields, after two recursive calls, the conjunction
getIC(y1, y1 +_R s ≥ t) ∧ getIC(y2, y2 ·_R u ≈ y1) ∧ getIC(x, x ≈ y2)
where y1 and y2 are fresh variables. The third conjunct is trivially equivalent to ⊤. This formula is quantifier-free and has the properties specified by the following theorem.
Theorem 1. Let ∃x. P be a unit linear formula and let I be a model of T_FP. Then, I satisfies ¬∃x. P if and only if there exists a model J of T_FP (constructible from I) that satisfies ¬QEFP(∃x. P).
³ 116 invertibility conditions from rounding mode dependent operators and 51 invertibility conditions where the operator is rounding mode independent (e.g., rem).
Niemetz et al. [26] present a similar algorithm for solving unit linear bit-vector literals. In that work, a counterexample-guided loop was devised that made use of Hilbert-choice expressions for representing quantifier instantiations. In contrast to that work, we provide here only a quantifier elimination procedure. Extending our techniques to a general quantifier instantiation strategy is the subject of ongoing work. We discuss our preliminary work in this direction in the next section.
6 Solving Quantified Floating-Point Formulas
We implemented a prototype extension of the SMT solver CVC4 that leverages the results of the previous section to determine the satisfiability of quantified floating-point formulas. To handle quantified formulas, CVC4 uses a basic model-based instantiation loop (see, e.g., [30,32] for instantiation approaches for other theories). This technique maintains a quantifier-free set of constraints F corresponding to instantiations of universally quantified formulas. It terminates with the response "unsatisfiable" if F is unsatisfiable, and terminates with "satisfiable" if it can show that the given quantified formulas are satisfied by a model of T_FP that satisfies F. For T_FP, the instantiations are substitutions of universally quantified variables to concrete floating-point values, e.g. ∀x. P(x) ⇒ P(0), which can be highly inefficient in the worst case for higher precision.
We extend this basic loop with a preprocessing pass that generates theory lemmas based on the invertibility conditions corresponding to literals of quantified formulas ∀x. P with exactly one occurrence of x, as explained in the example below.
Example 3. Suppose the current set S of formulas contains a formula ϕ of the form ∀x. ¬((x · u) + s ≥ t ∧ Q(x)) where u, s and t are ground terms; then we add the following formula to S where y1 and y2 are fresh (free) variables:
(getIC(y1, y1 + s ≥ t) ⇒ y1 + s ≥ t) ∧ (getIC(y2, y2 · u ≈ y1) ⇒ y2 · u ≈ y1)
The addition of this lemma is satisfiability preserving because, if the invertibility condition holds for y1 + s ≥ t (resp., y2 · u ≈ y1), then y1 (resp., y2) is a solution for that literal. We then add the instantiation lemma ϕ ⇒ ¬((y2 · u) + s ≥ t ∧ Q(y2)). Although x is not necessarily linear in the body of ϕ, if both invertibility conditions hold, then the combination of the above lemmas implies (y2 · u) + s ≥ t, which together with the instantiation lemma allows the solver to infer that the remaining portion of the quantified formula Q cannot hold for y2. An inference of this form may be more productive than enumerating the possible values of x in instantiations.
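The decomposition of Example 2 (the recursive procedure QEFP) and the lemma generation of Example 3, as one added Python example that is not code from the paper or from CVC4. It represents terms as nested tuples, drops rounding-mode annotations as Example 3 does, and keeps getIC symbolic (rendered as text) because the lookup table of Sect. 3 is not on this page; the function names `qe_fp`, `ic_lemmas` and `instantiation_lemma` and the fresh-variable naming y1, y2, ... are the example's own.

```python
from itertools import count

# Added example (not the paper's code): the recursive procedure QEFP of Fig. 6
# and the preprocessing lemmas of Sect. 6 over a tiny term representation.
# Terms are variable names (str) or (op, left, right); literals are
# (pred, left, right). Rounding-mode annotations are omitted, as in Example 3.
# getIC(v, L) stays symbolic: the IC table of Sect. 3 is not reproduced here.

def occurrences(x, t):
    """Number of occurrences of variable x in term or literal t."""
    if isinstance(t, str):
        return int(t == x)
    return occurrences(x, t[1]) + occurrences(x, t[2])

def subst(t, old, new):
    """Replace the subterm `old` by `new` (x occurs once, so `old` is unique)."""
    if t == old:
        return new
    if isinstance(t, str):
        return t
    return (t[0], subst(t[1], old, new), subst(t[2], old, new))

def show_term(t, top=False):
    if isinstance(t, str):
        return t
    s = f"{show_term(t[1])} {t[0]} {show_term(t[2])}"
    return s if top else f"({s})"

def show_lit(lit):
    pred, a, b = lit
    return f"{show_term(a, True)} {pred} {show_term(b, True)}"

def qe_fp(x, lit, fresh=None):
    """QEFP: peel the literal along the path to x, one operator per call.
    Returns [(v, L), ...], read as the conjunction of getIC(v, L)."""
    assert occurrences(x, lit) == 1, "unit linear: exactly one occurrence of x"
    if fresh is None:
        fresh = (f"y{i}" for i in count(1))
    pred, a, b = lit
    tj = a if occurrences(x, a) else b               # the argument containing x
    if tj == x:                                      # x is a direct argument: lookup
        return [(x, lit)]
    r = tj[1] if occurrences(x, tj[1]) else tj[2]    # child of tj on the path to x
    y = next(fresh)                                  # names the intermediate result r
    solved = (pred, subst(a, r, y), subst(b, r, y))
    return [(y, solved)] + qe_fp(x, ("≈", r, y), fresh)

def is_trivial(v, lit):
    """getIC(v, v ≈ w) is ⊤: an equality with v alone on one side."""
    return lit[0] == "≈" and v in (lit[1], lit[2])

def qe_conjunction(x, lit):
    """The quantifier-free conjunction QEFP(∃x. lit), as text."""
    return " ∧ ".join(f"getIC({v}, {show_lit(l)})" for v, l in qe_fp(x, lit))

def ic_lemmas(x, lit):
    """Preprocessing pass of Sect. 6: (getIC(y, L) ⇒ L) for each non-trivial
    conjunct, plus the fresh variable that stands in for x when instantiating."""
    fresh = (f"y{i}" for i in count(1))
    conj = qe_fp(x, lit, fresh)
    v, last = conj[-1]                               # always the getIC(x, ...) conjunct
    if is_trivial(v, last):                          # x ≈ y_k: y_k is the witness for x
        witness = last[2] if last[1] == x else last[1]
        conj = conj[:-1]
    else:                                            # x is a direct argument: rename it
        witness = next(fresh)
        conj = [(witness, (last[0], subst(last[1], x, witness), subst(last[2], x, witness)))]
    return [f"(getIC({v}, {show_lit(l)}) ⇒ {show_lit(l)})" for v, l in conj], witness

def instantiation_lemma(phi, x, lit, rest, witness):
    """ϕ ⇒ ¬(L[x := witness] ∧ rest(witness)), the instantiation of Example 3."""
    inst = (lit[0], subst(lit[1], x, witness), subst(lit[2], x, witness))
    return f"{phi} ⇒ ¬({show_lit(inst)} ∧ {rest(witness)})"

# The literal of Examples 2 and 3: (x · u) + s ≥ t
EX = ("≥", ("+", ("·", "x", "u"), "s"), "t")

if __name__ == "__main__":
    print(qe_conjunction("x", EX))
    lemmas, w = ic_lemmas("x", EX)
    print(" ∧ ".join(lemmas))
    print(instantiation_lemma("ϕ", "x", EX, lambda v: f"Q({v})", w))
```

Running it on the literal of the two examples prints the three-conjunct result of Example 2, the two implications of Example 3 and the instantiation lemma ϕ ⇒ ¬((y2 · u) + s ≥ t ∧ Q(y2)); the trivial conjunct getIC(x, x ≈ y2) is what tells `ic_lemmas` that y2 is the value to substitute for x.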
Evaluation. We considered all 61 benchmarks from SMT-LIB [6] that contained quantified formulas over floating-points (logic FP), which correspond to verification conditions from the software verification competition that use a floating-point encoding [19]. The invertibility conditions required for solving their literals include floating-point addition, multiplication and division (both arguments) with equality and inequality. We implemented all cases of invertibility conditions for solving these cases. We extended our SMT solver CVC4 (GitHub master 5d248c36) with the above preprocessing pass (GitHub cav19fp 9b5acd74), and compared its performance with (configuration CVC4-ext) and without (configuration CVC4-base) the above preprocessing pass enabled to the SMT solver Z3 (version 4.8.4). All experiments were run on the same cluster mentioned earlier, with a memory limit of 8GB and a 1800 s time limit. Overall, CVC4-base solved 35 benchmarks within the time limit (with no benchmarks uniquely solved compared to CVC4-ext), CVC4-ext solved 42 benchmarks (7 of these uniquely solved compared to the base version), and Z3 solved 56 benchmarks. While CVC4-ext solves significantly fewer benchmarks than Z3, we believe that the improvement over CVC4-base is indicative that our approach for invertibility conditions shows potential for solving quantified floating-point constraints in SMT solvers. A more comprehensive evaluation and implementation is left as future work.
7 Conclusion
We have presented invertibility conditions for a large subset of combinations of floating-point operators over floating-point predicates supported by SMT solvers. These conditions were found by a framework that utilizes syntax-guided synthesis solving, customized for our problem and developed over the course of this work. We have shown that invertibility conditions imply that a simple fragment of quantified floating-points admits compact quantifier elimination, and have given preliminary evidence that an SMT solver that partially leverages this technique can have a higher success rate on floating-point problems coming from a software verification application.
For future work, we plan to extend techniques for quantified and quantifier-free floating-point formulas to incorporate our findings, in particular to lift previous quantifier instantiation approaches (e.g., [26]) and local search procedures (e.g., [25]) for bit-vectors to floating-points. We also plan to extend and use our synthesis framework for related challenging synthesis tasks, such as finding conditions under which more complex constraints have solutions, including those having multiple occurrences of a variable to solve for. Our synthesis framework is agnostic to theories and can be used for any sort with a small finite domain. It can thus be leveraged also for solutions to quantified bit-vector constraints. Finally, we would like to establish formal proofs of correctness of our invertibility conditions that are independent of floating-point formats.
References
1. Alur, R., et al.: Syntax-guided synthesis. In: Formal Methods in Computer-Aided Design, FMCAD 2013, Portland, 20–23 October 2013, pp. 1–8. IEEE (2013). http://ieeexplore.ieee.org/document/6679385/
2. Alur, R., Radhakrishna, A., Udupa, A.: Scaling enumerative program synthesis via divide and conquer. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 319–336. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54577-5_18
3. IEEE Standards Association: 754-2008 - IEEE standard for floating-point arithmetic (2008). https://ieeexplore.ieee.org/servlet/opac?punumber=4610933
4. Barr, E.T., Vo, T., Le, V., Su, Z.: Automatic detection of floating-point exceptions. SIGPLAN Not. 48(1), 549–560 (2013)
5. Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_14
6. Barrett, C., Stump, A., Tinelli, C.: The satisfiability modulo theories library (SMT-LIB) (2010). www.SMT-LIB.org
7. Ben Khadra, M.A., Stoffel, D., Kunz, W.: goSAT: floating-point satisfiability as global optimization. In: FMCAD, pp. 11–14. IEEE (2017)
8. Bjørner, N., Janota, M.: Playing with quantified satisfaction. In: 20th International Conferences on Logic for Programming, Artificial Intelligence and Reasoning - Short Presentations, LPAR 2015, Suva, 24–28 November 2015, pp. 15–27 (2015)
9. Blum, L., Blum, M., Shub, M.: A simple unpredictable pseudo-random number generator. SIAM J. Comput. 15(2), 364–383 (1986)
10. Brain, M., Dsilva, V., Griggio, A., Haller, L., Kroening, D.: Deciding floating-point logic with abstract conflict driven clause learning. Formal Methods Syst. Des. 45(2), 213–245 (2014)
11. Brain, M., Schanda, F., Sun, Y.: Building better bit-blasting for floating-point problems. In: Vojnar, T., Zhang, L. (eds.) TACAS 2019, Part I. LNCS, vol. 11427, pp. 79–98. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17462-0_5
12. Brain, M., Tinelli, C., Rümmer, P., Wahl, T.: An automatable formal semantics for IEEE-754 floating-point arithmetic. In: 22nd IEEE Symposium on Computer Arithmetic, ARITH 2015, Lyon, 22–24 June 2015, pp. 160–167. IEEE (2015)
13. Brillout, A., Kroening, D., Wahl, T.: Mixed abstractions for floating-point arithmetic. In: FMCAD, pp. 69–76. IEEE (2009)
14. Conchon, S., Iguernlala, M., Ji, K., Melquiond, G., Fumex, C.: A three-tier strategy for reasoning about floating-point numbers in SMT. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 419–435. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_22
15. Daumas, M., Melquiond, G.: Certification of bounds on expressions involving rounded operators. ACM Trans. Math. Softw. 37(1), 1–20 (2010)
16. De Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
17. Dutertre, B.: Solving exists/forall problems in yices. In: Workshop on Satisfiability Modulo Theories (2015)
18. Fu, Z., Su, Z.: XSat: a fast floating-point satisfiability solver. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 187–209. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41540-6_11
19. Heizmann, M., et al.: Ultimate automizer with an on-demand construction of Floyd-Hoare automata. In: Legay, A., Margaria, T. (eds.) TACAS 2017, Part II. LNCS, vol. 10206, pp. 394–398. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54580-5_30
20. Lapschies, F.: SONOLAR, the solver for non-linear arithmetic (2014). http://www.informatik.uni-bremen.de/agbs/florian/sonolar
21. Liew, D.: JFS: JIT fuzzing solver. https://github.com/delcypher/jfs
22. Marre, B., Bobot, F., Chihani, Z.: Real behavior of floating point numbers. In: SMT Workshop (2017)
23. Michel, C., Rueher, M., Lebbah, Y.: Solving constraints over floating-point numbers. In: Walsh, T. (ed.) CP 2001. LNCS, vol. 2239, pp. 524–538. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45578-7_36
24. de Moura, L., Bjørner, N.: Efficient e-matching for SMT solvers. In: Pfenning, F. (ed.) CADE 2007. LNCS, vol. 4603, pp. 183–198. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73595-3_13
25. Niemetz, A., Preiner, M., Biere, A.: Precise and complete propagation based local search for satisfiability modulo theories. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016, Part I. LNCS, vol. 9779, pp. 199–217. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-41528-4_11
26. Niemetz, A., Preiner, M., Reynolds, A., Barrett, C., Tinelli, C.: Solving quantified bit-vectors using invertibility conditions. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018, Part II. LNCS, vol. 10982, pp. 236–255. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96142-2_16
27. Preiner, M., Niemetz, A., Biere, A.: Counterexample-guided model synthesis. In: Legay, A., Margaria, T. (eds.) TACAS 2017, Part I. LNCS, vol. 10205, pp. 264–280. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54577-5_15
28. Raghothaman, M., Udupa, A.: Language to specify syntax-guided synthesis problems, May 2014
29. Reynolds, A., Deters, M., Kuncak, V., Tinelli, C., Barrett, C.: Counterexample-guided quantifier instantiation for synthesis in SMT. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015, Part II. LNCS, vol. 9207, pp. 198–216. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21668-3_12
30. Reynolds, A., King, T., Kuncak, V.: Solving quantified linear arithmetic by counterexample-guided instantiation. Formal Methods Syst. Des. 51(3), 500–532 (2017)
31. Scheibler, K., Kupferschmid, S., Becker, B.: Recent improvements in the SMT solver iSAT. MBMV 13, 231–241 (2013)
32. Wintersteiger, C.M., Hamadi, Y., de Moura, L.M.: Efficiently solving quantified bit-vector formulas. Formal Methods Syst. Des. 42(1), 3–23 (2013)
33. Zeljić, A., Wintersteiger, C.M., Rümmer, P.: Approximations for model construction. In: Demri, S., Kapur, D., Weidenbach, C. (eds.) IJCAR 2014. LNCS (LNAI), vol. 8562, pp. 344–359. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08587-6_26
Open Access This chapter is licensed under the terms of the Creative Commons
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),
which permits use, sharing, adaptation, distribution and reproduction in any medium
or format, as long as you give appropriate credit to the original author(s) and the
source, provide a link to the Creative Commons license and indicate if changes were
made.
The images or other third party material in this chapter are included in the
chapter’s Creative Commons license, unless indicated otherwise in a credit line to the
material. If material is not included in the chapter’s Creative Commons license and
your intended use is not permitted by statutory regulation or exceeds the permitted
use, you will need to obtain permission directly from the copyright holder.
