Formal Verification of Numerical Programs: From C Annotated Programs to Mechanical Proofs

Numerical programs may require a high level of guarantee. This can be achieved by applying formal methods, such as machine-checked proofs. But these tools handle mathematical theorems while we are interested in C code, in which numerical computations are performed using floating-point arithmetic, whereas proof tools typically handle exact real arithmetic. To achieve this high level of confidence on C programs, we use a chain of tools: Frama-C, its Jessie plugin, Why and provers among Coq, Gappa, Alt-Ergo, CVC3 and Z3. This approach requires the C program to be annotated: each function must be precisely specified, and we prove the correctness of the program by proving both that it meets its specifications and that no runtime error may occur. The purpose of this paper is to illustrate, on various examples, the features of this approach.

[1]  Pat H. Sterbenz,et al.  Floating-point computation , 1973 .

[2]  Peter Baumgartner,et al.  Proceedings of the 4th international joint conference on Automated Reasoning , 2008 .

[3]  Cesar Munoz,et al.  Proceedings of the Second NASA Formal Methods Symposium , 2010 .

[4]  Francisco Supino Marcondes,et al.  An approach for modeling a formal Use Case Type at early development phase without loosing abstraction , 2010, Innovations in Systems and Software Engineering.

[5]  John Harrison,et al.  Formal Verification of Floating Point Trigonometric Functions , 2000, FMCAD.

[6]  Claude Marché,et al.  Multi-Prover Verification of Floating-Point Programs , 2010, IJCAR.

[7]  Laurence Rideau,et al.  A Generic Library for Floating-Point Numbers and Its Application to Exact Computing , 2001, TPHOLs.

[8]  Guillaume Melquiond Proving Bounds on Real-Valued Functions with Computations , 2008, IJCAR.

[9]  Paul S. Miner,et al.  Specification of the ieee-854 floating-point standard in hol and pvs , 1995 .

[10]  Josef Stoer,et al.  Numerische Mathematik 1 , 1989 .

[11]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[12]  Sylvie Boldo,et al.  Proofs of numerical programs when the compiler optimizes , 2011, Innovations in Systems and Software Engineering.

[13]  David Monniaux,et al.  Analyse statique : de la théorie à la pratique ; analyse statique de code embarqué de grande taille, génération de domaines abstraits. (Static analysis: from theory to practice ; Static analysis of large-scale embedded code, generation of abstract domains) , 2009 .

[14]  Eric Goubault,et al.  Towards an Industrial Use of FLUCTUAT on Safety-Critical Avionics Software , 2009, FMICS.

[15]  J. Filliâtre,et al.  ACSL: ANSI/ISO C Specification Language , 2008 .

[16]  Claude Marché,et al.  The Why/Krakatoa/Caduceus Platform for Deductive Program Verification , 2007, CAV.

[17]  Guillaume Melquiond,et al.  Floating-point arithmetic in the Coq system , 2012, Inf. Comput..

[18]  David M. Russinoff A Mechanically Checked Proof of IEEE Compliance of the Floating Point Multiplication, Division and Square Root Algorithms of the AMD-K7™ Processor , 1998, LMS J. Comput. Math..

[19]  Michael D. Ernst,et al.  An overview of JML tools and applications , 2003, Electron. Notes Theor. Comput. Sci..

[20]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[21]  Sylvie Boldo,et al.  Hardware-independent Proofs of Numerical Programs , 2010, NASA Formal Methods.

[22]  James Demmel,et al.  IEEE Standard for Floating-Point Arithmetic , 2008 .

[23]  Guillaume Melquiond,et al.  Formal Proof of a Wave Equation Resolution Scheme: The Method Error , 2010, ITP.

[24]  Patrick Brézillon,et al.  Lecture Notes in Artificial Intelligence , 1999 .

[25]  Bernard Carré,et al.  SPARK—an annotated Ada subset for safety-critical programming , 1990, TRI-Ada '90.

[26]  Eric Goubault,et al.  Static Analysis of Numerical Algorithms , 2006, SAS.

[27]  Sylvie Boldo,et al.  Pitfalls of a Full Floating-Point Proof: Example on the Formal Proof of the Veltkamp/Dekker Algorithms , 2006, IJCAR.

[28]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[29]  Sylvie Boldo,et al.  Preuves formelles en arithmétiques à virgule flottante , 2004 .

[30]  Jean-Christophe Filliâtre,et al.  Formal Verification of Floating-Point Programs , 2007, 18th IEEE Symposium on Computer Arithmetic (ARITH '07).

[31]  James Hardy Wilkinson,et al.  Rounding errors in algebraic processes , 1964, IFIP Congress.

[32]  Nicholas J. Higham,et al.  INVERSE PROBLEMS NEWSLETTER , 1991 .

[33]  Mei Han An,et al.  accuracy and stability of numerical algorithms , 1991 .

[34]  Yannick Moy,et al.  Jessie Plugin Tutorial Beryllium Version , 2009 .

[35]  T. J. Dekker,et al.  A floating-point technique for extending the available precision , 1971 .

[36]  Patrick Cousot,et al.  The ASTREÉ Analyzer , 2005, ESOP.

[37]  Sylvie Boldo,et al.  Kahan's Algorithm for a Correct Discriminant Computation at Last Formally Proven , 2009, IEEE Transactions on Computers.

[38]  Gary T. Leavens,et al.  Not a Number of Floating Point Problems , 2006, J. Object Technol..

[39]  Holger Hermanns,et al.  Proceedings of the 19th international conference on Computer aided verification , 2007 .

[40]  Sylvie Boldo,et al.  Floats and Ropes: A Case Study for Formal Numerical Program Verification , 2009, ICALP.

[41]  Yannick Moy,et al.  Modular inference of subprogram contracts for safety checking , 2010, J. Symb. Comput..

[42]  Guillaume Melquiond,et al.  Combining Coq and Gappa for Certifying Floating-Point Programs , 2009, Calculemus/MKM.

[43]  Pierre Castéran,et al.  Interactive Theorem Proving and Program Development , 2004, Texts in Theoretical Computer Science An EATCS Series.