Guillaume Melquiond

A Formally-Verified C Compiler Supporting Floating-Point Arithmetic

Floating-point arithmetic is known to be tricky: roundings, formats, exceptional values. The IEEE-754 standard was a push towards straightening the field and made formal reasoning about floating-point computations easier and flourishing. Unfortunately, this is not sufficient to guarantee the final result of a program, as several other actors are involved: programming language, compiler, architecture. The Comp Certformally-verified compiler provides a solution to this problem: this compiler comes with a mathematical specification of the semantics of its source language (a large subset of ISO C90) and target platforms (ARM, PowerPC, x86-SSE2), and with a proof that compilation preserves semantics. In this paper, we report on our recent success in formally specifying and proving correct Comp Certs compilation of floating-point arithmetic. Since CompCert is verified using the Coq proof assistant, this effort required a suitable Coq formalization of the IEEE-754 standard, we extended the Flocq library for this purpose. As a result, we obtain the first formally verified compiler that provably preserves the semantics of floating-point programs.

Emulation of a FMA and Correctly Rounded Sums: Proved Algorithms Using Rounding to Odd

Rounding to odd is a nonstandard rounding on floating-point numbers. By using it for some intermediate values instead of rounding to nearest, correctly rounded results can be obtained at the end of computations. We present an algorithm for emulating the fused multiply-and-add operator. We also present an iterative algorithm for computing the correctly rounded sum of a set of floating-point numbers under mild assumptions. A variation on both previous algorithms is the correctly rounded sum of any three floating-point numbers. This leads to efficient implementations, even when this rounding is not available. In order to guarantee the correctness of these properties and algorithms, we formally proved them by using the Coq proof checker.

Proving Bounds on Real-Valued Functions with Computations

A compact liquid crystal display of the type wherein a pixel array formed of liquid crystal material is addressed by an associated array of MOSFET circuits, each circuit including a switching device and an overlying storage capacitor. A plurality of substantially parallel gate buses located orthogonal to and insulated from a plurality of parallel drain diffusions are provided for the application of control and video data to the array. A layer of metallization, located within the backplate, forms a common ground plate for the capacitors of the array, shielding the drain diffusions from incident light and thereby eliminating the need for space-consuming diffusion-to-conductor contact regions.

Compilation of FP Programs

The IEEE-754 standard has improved the portability and reproducibility of the results of FP programs by mandating that every basic FP operation be performed as if the result was first computed with infinite precision and then rounded to the target format. In particular, most hardware components providing FP arithmetic are nowadays compliant with this standard. Unfortunately, this still does not guarantee that an FP program will behave in a reproducible way, as both the programming language and the compiler can interfere with the proper execution of FP arithmetic.

The Coq System

The Coq software is a proof assistant, that is, its primary purpose is to let users state theorems, to help them write the proofs of these theorems, and to finally check that these proofs are correct with respect to some logical rules. This chapter gives only the most basic concepts about Coq. It is not meant to replace the reference manual or some actual books on the topic.

Deductive Program Verification

Have described several algorithms that perform FP computations and have shown how to formally verify their correctness (e.g. the computed value is close enough to the ideal value). Has presented a C compiler and the proof that it compiles FP operations in a way that does not invalidate the correctness of a C program. Now we are interested in the last piece of the puzzle, that is, proving the correctness of a C program and not just of the corresponding algorithm. First motivates program verification and explains how it differs from algorithm verification as done in previous chapters. We rely here on deductive verification and the toolchain we use for the examples of this chapter is Frama-C/Jessie/Why3; more information on the corresponding methodology is given. Then presents several examples of C programs. Most of them have been previously described, such as the area of a triangle or the average of two numbers. Finally, presents an alternative for ensuring that, whatever the compiler decisions about FP arithmetic, the compiled programs behave as specified.

Formalization of Formats and Basic Operators

Has given an informal description of FP arithmetic and has given a short overview of the Coq proof assistant. Let us now explain how this arithmetic can be formalized in Coq. More precisely, this chapter describes how it is formalized in the Flocq library. Such a formalization has two purposes. First, it should properly model the various arithmetics we are interested in. In particular, it should be a good match for any arithmetic compliant with the IEEE-754 standard, but it should also be able to cover more exotic formats. For instance, numerous lemmas can be applied just as well to fixed-point formats as to floating-point formats. Second, the formalization should be suitable for verifying theorems and algorithms relying on such an arithmetic.

Example Proofs of Advanced Operators

Has covered error-free transformations (EFTs) and lossless computations. In this chapter, the considered operators get more complicated. We can no longer get rid of inaccuracies, so the goal is to reduce them or to control them. The purpose of this chapter is twofold: first, to give more guarantees on advanced operators of the literature, potentially useful to the reader; second, to cover a variety of techniques and concerns when verifying FP algorithms. This is why the proofs are not detailed much (compared to the first chapters) and only the prominent points (such as case distinctions, difficulties, and peculiar definitions) are given.

Real and Numerical Analysis

For the vast majority of FP users, FP arithmetic is not a research topic per se. It is just a tool to quickly get a result, hopefully accurate. This chapter describes experiments that extend beyond the realm of simple FP arithmetic toward real analysis and numerical analysis. Our running example comes from numerical analysis: it is a program to get an approximation to the solution of the 1D wave equation described. This application requires mathematical theorems that would have been next to impossible to prove using the real analysis formalization from Coq’s standard library. This is why we use another formalization of real analysis detailed, in particular to prove the existence and regularity of the solution of the 1D wave equation using d’Alembert’s formula. The properties of the numerical scheme, e.g. convergence, are proved. Then the round-off errors are bounded. Finally, the verification of the C program is explained.

Error-Free Computations and Applications

Even if FP computations are inexact most of the time, we can prove the exactness of some computations or retain some exactness using remainders as done in this chapter. We are interested in subcases where an FP computation is error-free, and will give several sufficient assumptions. When an FP computation is not exact, we moreover aim at computing the error it made, using FP operators only. This kind of algorithm is called an error-free transformation (EFT). Given an operation ◇ on two operands x and y, the corresponding EFT produces two FP numbers r h and r l such that r h = □( x ◇ y ) and x ◇ y = r h xa0+xa0 r l . In other words, the EFT produces the rounding of the operation and the exact error of this operation. These operators will probably be recommended by the next version of the IEEE-754 standard (that will be published in 2018) for the addition (denoted as augmentedAddition) and the multiplication (denoted by augmentedMultiplication). When the error cannot be represented by an FP number (as in the case of division and square root), we will study the conditions needed to ensure that the remainders x − □ x / y ⋅ y and x − □ x 2 are representable by an FP number. These remainders can then be used in subsequent computations. The algorithms for computing these EFTs are well-known and their formalization adds an extra level of guarantee. In particular, the requirements on the radix and the handling of underflow have to be specified.