1,167 research outputs found
Correct Approximation of IEEE 754 Floating-Point Arithmetic for Program Verification
Verification of programs using floating-point arithmetic is challenging on
several accounts. One of the difficulties of reasoning about such programs is
due to the peculiarities of floating-point arithmetic: rounding errors,
infinities, non-numeric objects (NaNs), signed zeroes, denormal numbers,
different rounding modes, etc. One possibility to reason about floating-point
arithmetic is to model a program computation path by means of a set of ternary
constraints of the form z = x op y and use constraint propagation techniques to
infer new information on the variables' possible values. In this setting, we
define and prove the correctness of algorithms to precisely bound the value of
one of the variables x, y or z, starting from the bounds known for the other
two. We do this for each of the operations and for each rounding mode defined
by the IEEE 754 binary floating-point standard, even in the case the rounding
mode in effect is only partially known. This is the first time that such
so-called filtering algorithms are defined and their correctness is formally
proved. This is an important slab for paving the way to formal verification of
programs that use floating-point arithmetic.
Comment: 64 pages, 19 figures, 2 tables
Certifying floating-point implementations using Gappa
High confidence in floating-point programs requires proving numerical
properties of final and intermediate values. One may need to guarantee that a
value stays within some range, or that the error relative to some ideal value
is well bounded. Such work may require several lines of proof for each line of
code, and will usually be broken by the smallest change to the code (e.g. for
maintenance or optimization purpose). Certifying these programs by hand is
therefore very tedious and error-prone. This article discusses the use of the
Gappa proof assistant in this context. Gappa has two main advantages over
previous approaches: Its input format is very close to the actual C code to
validate, and it automates error evaluation and propagation using interval
arithmetic. Besides, it can be used to incrementally prove complex mathematical
properties pertaining to the C code. Yet it does not require any specific
knowledge about automatic theorem proving, and thus is accessible to a wide
community. Moreover, Gappa may generate a formal proof of the results that can
be checked independently by a lower-level proof assistant like Coq, hence
providing an even higher confidence in the certification of the numerical code.
The article demonstrates the use of this tool on a real-size example, an
elementary function with correctly rounded output.
Trusting Computations: a Mechanized Proof from Partial Differential Equations to Actual Program
Computer programs may go wrong due to exceptional behaviors, out-of-bound
array accesses, or simply coding errors. Thus, they cannot be blindly trusted.
Scientific computing programs are no exception in that respect, and even bring
specific accuracy issues due to their massive use of floating-point
computations. Yet, it is uncommon to guarantee their correctness. Indeed, we
had to extend existing methods and tools for proving the correct behavior of
programs to verify an existing numerical analysis program. This C program
implements the second-order centered finite difference explicit scheme for
solving the 1D wave equation. In fact, we have gone much further as we have
mechanically verified the convergence of the numerical scheme in order to get a
complete formal proof covering all aspects from partial differential equations
to actual numerical results. To the best of our knowledge, this is the first
time such a comprehensive proof is achieved.
Comment: N° RR-8197 (2012). arXiv admin note: text overlap with
arXiv:1112.179
Robustness Verification of Support Vector Machines
We study the problem of formally verifying the robustness to adversarial
examples of support vector machines (SVMs), a major machine learning model for
classification and regression tasks. Following a recent stream of works on
formal robustness verification of (deep) neural networks, our approach relies
on a sound abstract version of a given SVM classifier to be used for checking
its robustness. This methodology is parametric on a given numerical abstraction
of real values and, analogously to the case of neural networks, needs neither
abstract least upper bounds nor widening operators on this abstraction. The
standard interval domain provides a simple instantiation of our abstraction
technique, which is enhanced with the domain of reduced affine forms, which is
an efficient abstraction of the zonotope abstract domain. This robustness
verification technique has been fully implemented and experimentally evaluated
on SVMs based on linear and nonlinear (polynomial and radial basis function)
kernels, which have been trained on the popular MNIST dataset of images and on
the recent and more challenging Fashion-MNIST dataset. The experimental results
of our prototype SVM robustness verifier appear to be encouraging: this
automated verification is fast, scalable and shows significantly high
percentages of provable robustness on the test set of MNIST, in particular
compared to the analogous provable robustness of neural networks.
Verified compilation and optimization of floating-point kernels
When verifying safety-critical code on the level of source code, we trust the compiler to produce machine code that preserves the behavior of the source code. Trusting a verified compiler is easy. A rigorous machine-checked proof shows that the compiler correctly translates source code into machine code. Modern verified compilers (e.g. CompCert and CakeML) have rich input languages, but only rudimentary support for floating-point arithmetic. In fact, state-of-the-art verified compilers only implement and verify an inflexible one-to-one translation from floating-point source code to machine code. This translation completely ignores that floating-point arithmetic is actually a discrete representation of the continuous real numbers. This thesis presents two extensions improving floating-point arithmetic in CakeML. First, the thesis demonstrates verified compilation of elementary functions to floating-point code in: Dandelion, an automatic verifier for polynomial approximations of elementary functions; and libmGen, a proof-producing compiler relating floating-point machine code to the implemented real-numbered elementary function. Second, the thesis demonstrates verified optimization of floating-point code in: Icing, a floating-point language extending standard floating-point arithmetic with optimizations similar to those used by unverified compilers, like GCC and LLVM; and RealCake, an extension of CakeML with Icing into the first fully verified optimizing compiler for floating-point arithmetic.

When verifying safety-relevant source code, we trust the compiler to emit machine code that behaves like the source code. A verified compiler can readily be trusted. A rigorous machine-checked proof shows that the compiler translates source code into correct machine code. Modern verified compilers (e.g. CompCert and CakeML) have complex input languages, but support floating-point arithmetic only rudimentarily. De facto, state-of-the-art verified compilers implement and verify only a rigid one-to-one translation from source code to machine code for floating-point arithmetic. This translation completely ignores that floating-point arithmetic is actually a discrete representation of the continuous real numbers. This dissertation presents two extensions that improve floating-point arithmetic in CakeML. First, the dissertation demonstrates verified translation of elementary functions into floating-point code with: Dandelion, an automatic verifier for polynomial approximations of elementary functions; and libmGen, a proof-producing compiler that relates floating-point code to the implemented elementary function. Then the dissertation demonstrates verified optimization of floating-point code with: Icing, a floating-point language that extends floating-point arithmetic with optimizations similar to those in unverified compilers such as GCC and LLVM; and RealCake, an extension of CakeML with Icing as the first fully verified compiler for floating-point arithmetic.
On Sound Relative Error Bounds for Floating-Point Arithmetic
State-of-the-art static analysis tools for verifying finite-precision code
compute worst-case absolute error bounds on numerical errors. These are,
however, often not a good estimate of accuracy as they do not take into account
the magnitude of the computed values. Relative errors, which compute errors
relative to the value's magnitude, are thus preferable. While today's tools do
report relative error bounds, these are merely computed via absolute errors and
thus not necessarily tight or more informative. Furthermore, whenever the
computed value is close to zero on part of the domain, the tools do not report
any relative error estimate at all. Surprisingly, the quality of relative error
bounds computed by today's tools has not been systematically studied or
reported to date. In this paper, we investigate how state-of-the-art static
techniques for computing sound absolute error bounds can be used, extended and
combined for the computation of relative errors. Our experiments on a standard
benchmark set show that computing relative errors directly, as opposed to via
absolute errors, is often beneficial and can provide error estimates up to six
orders of magnitude tighter, i.e. more accurate. We also show that interval
subdivision, another commonly used technique to reduce over-approximations, has
less benefit when computing relative errors directly, but it can help to
alleviate the effects of the inherent issue of relative error estimates close
to zero.