
    Formal proof for delayed finite field arithmetic using floating point operators

    Formal proof checkers such as Coq are capable of validating proofs of correctness of algorithms for finite field arithmetic, but they require extensive training from potential users. The delayed solution of a triangular system over a finite field mixes operations on integers and operations on floating point numbers. We focus in this report on verifying proof obligations that state that no round-off error occurred on any of the floating point operations. We use a tool named Gappa, which can be learned in a matter of minutes, to generate proofs related to floating point arithmetic and hide the technicalities of formal proof checkers. We found that three facilities are missing from existing tools. The first one is the ability to use in Gappa new lemmas that cannot be easily expressed as rewriting rules. We coined the second one "variable interchange", as it would be required to validate loop interchanges. The third facility handles massive loop unrolling and argument instantiation by generating traces of execution for a large number of cases. We hope that these facilities may sometime in the future be integrated into mainstream code validation.
    Comment: 8th Conference on Real Numbers and Computers, Santiago de Compostela, Spain (2008)

    Properties of two's complement floating point notations

    Few designs, mostly those of Texas Instruments, continue to use two's complement floating point units. Such units are simpler to build and to validate, but they do not comply with the dominant IEEE standard for floating point arithmetic. We compare some properties of the two systems in this text. Some features are lost, but others remain unchanged. One strong example is the case of Sterbenz's theorem and our recent extension. We show in the paper that the theorem and its extension hold for the two's complement architecture. Still, users should ensure that results are large enough on circuits that do not implement gradual underflow. Theorems have been proven and validated using the Coq automatic proof checker.

    Properties of the subtraction valid for any floating point system

    We start in this text with a very generic definition of floating point systems. We show that just a few very natural necessary conditions are sufficient to narrow the field down to two classes of implemented floating point arithmetic. Later, we prove that, for all the existing implementations, high level properties such as Sterbenz's theorem are satisfied. We finish this text by focusing on the differences between an IEEE-754 compatible unit and the Texas Instruments TMS/SMJ 320C3x digital signal processing circuit that is recommended for avionics and military applications. The results presented in this text have been validated by the Coq automatic proof checker to build confidence for later implementations in critical systems such as an aircraft's primary or secondary flight control computer.

    Theorems on Efficient Argument Reductions

    A commonly used argument reduction technique in elementary function computations begins with two positive floating point numbers α and γ that approximate (usually irrational, but not necessarily) numbers 1/C and C, e.g., C = 2π for trigonometric functions and ln 2 for e^x. Given an argument x to the function of interest, it extracts z as defined by xα = z + ς with z = k·2^(-N) and |ς| ≤ 2^(-N-1), where k, N are integers and N ≥ 0 is preselected, and then computes u = x − zγ. Usually zγ takes more bits than the working precision provides for storing its significand, and thus the exact x − zγ may not be representable by a floating point number of the same precision. This causes a performance penalty when the working precision is the highest available on the underlying hardware, since considerable extra work is then needed to get all the bits of x − zγ right. This paper presents theorems showing that, under mild conditions that can be easily met on today's computer hardware and that still allow α ≈ 1/C and γ ≈ C to almost the full working precision, x − zγ is a floating point number of the same precision. An algorithmic procedure based on the theorems is obtained. The results will enhance performance, in particular on machines that have hardware support for fused multiply-add (fma) instruction(s).

    Necessary and sufficient conditions for exact floating point operations

    Studying floating point arithmetic, authors have shown that the implemented operations (addition, subtraction, multiplication, division and square root) can compute a result and an exact correcting term using the same format as the inputs. Following a path initiated in 1965, all the authors supposed that neither underflow nor overflow occurred in the process. Overflow is not critical, as some kind of exception is triggered by such an event and creates remanent non-numeric quantities. Underflow may be fatal to the process, as it returns wrong numeric values with little warning. Our new necessary and sufficient conditions guarantee that the exact floating point operations are correct when the result is a number. We also present properties for the case when precise rounding is not available in hardware and faithful rounding alone is performed, such as on some digital signal processing circuits. We have validated our proofs with the Coq automatic proof checker. Our development has raised many questions, some of which were expected while others were very surprising.
    The study of floating point arithmetic has led some authors to show that the implemented operations (addition, subtraction, multiplication, division, square root) can compute a result and an exact correction term using the same format as the inputs. Since 1965, all authors have assumed that no overflow or underflow occurred. Overflow is not dangerous, since such an event raises an exception associated with persistent non-numeric quantities (NaN). Underflow may be fatal to the process, in that it produces wrong numeric results with little warning. Our new necessary and sufficient conditions ensure that exact floating point operations are correct when the result is a number. We also present results for the case where precise rounding is not available in hardware and only faithful rounding is performed, as is the case with some digital signal processing circuits. We have validated our proofs with the Coq proof assistant. Our development raised many questions; some we expected, while others surprised us.

    Wave Equation Numerical Resolution: a Comprehensive Mechanized Proof of a C Program

    We formally prove correct a C program that implements a numerical scheme for the resolution of the one-dimensional acoustic wave equation. Such an implementation introduces errors at several levels: the numerical scheme introduces method errors, and floating-point computations lead to round-off errors. We annotate this C program to specify both method error and round-off error. We use Frama-C to generate theorems that guarantee the soundness of the code. We discharge these theorems using SMT solvers, Gappa, and Coq. This involves a large Coq development to prove that the C program matches the numerical scheme and to bound the errors. To our knowledge, this is the first time such a numerical analysis program is fully machine-checked.
    Comment: No. RR-7826 (2011)

    A simple test qualifying the accuracy of Horner's rule for polynomials

    Polynomials are used in many applications and hidden in libraries such as libm. Whereas the accuracy of the functions used in linear algebra has long been studied, little is available to decide on one scheme to evaluate a polynomial. Common knowledge solely emphasizes that Horner's rule is a good scheme unless the indeterminate is close to one of the polynomial's roots. We propose here a criterion for one step of Horner's scheme to be faithful. A result is defined to be faithful when it is correctly rounded but the rounding direction (up, down or to nearest) cannot be known by the user. Our criterion is checked against the IEEE standard for floating point arithmetic using the Coq automatic proof checker. We then present three programs, in Maple, Java and C, that check the criterion for a whole polynomial associated with a domain for the indeterminate and a possible truncation error. An example of use is given with the approximation of elementary functions.

    Bacterial corrosion in low-temperature geothermal systems: corrosion mechanisms of sulfate-reducing bacteria


    Formal proofs in floating-point arithmetic

    This thesis is representative of my experience in bringing together floating point arithmetic, governed by the IEEE-754 standard, and formal proof, here the Coq proof assistant. The floating-point formalization used was first developed by L. Théry. I first tested and enriched the library with properties that are simple to express in the chosen formalism: the fact that a real value is exactly representable by a floating point number. I then made various extensions of the model: bringing it closer to the hardware reality of processors, generalizing it to two's complement representation, and studying a weaker rounding. Using the previous results, I studied two real applications. The first is a multi-precision computation library based on expansions. The second is the evaluation of elementary functions (exponential, cosine...): I solved most of the problems of argument reduction by formally guaranteeing the associated conditions and algorithms, and I studied polynomial evaluation by Horner's algorithm. I showed the feasibility of formal proofs in the complex domain of computer arithmetic. I determined the strengths and limits of this approach by gaining sufficient perspective on this formalization through various means: enriching the library, extending the model and validating real applications.
    This work is representative of my experiments on joining computer arithmetic, directed by the IEEE-754 standard, and formal proofs, here the Coq proof assistant. The floating-point number formalization used was first developed by L. Théry. I first tested and expanded the library with properties that are easy to express in our formalism: the fact that a real value may be represented exactly by a floating-point number. I then tried some extensions of the model: bringing it closer to the hardware realities, generalizing it to use the two's complement representation and going into a weaker rounding. With these results, I studied two applications. The first one is a multi-precision library using expansions. The second one is the evaluation of elementary functions (logarithm, cosine...): I solved the main problems of argument reduction by formally proving the conditions and algorithms involved, and I studied the polynomial evaluation using Horner's rule. I showed that it is possible to make formal proofs about the difficult topic of computer arithmetic. I found the advantages and drawbacks of this method by getting enough distance from the formalization by three different means: supplements to the library, extensions of the formalization and validation of real-life applications.