raf t Identifying suspicious values in programs with floating-point numbers Michel RUEHER University of Nice Sophia-Antipolis / I3S – CNRS, France (joined work with Olivier Dagstuhl1321 Ponsini, Claude Michel) January 2013 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Introduction • Problem: verifying programs with floating-point computations Embedded systems written in C (transportation, nuclear plants,...) • Programs use floating-point numbers but I Specifications are written with the semantics of reals “in mind” I Programs are written with the semantics of reals “in mind” 2/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Floating-point arithmetic pitfalls Rounding Counter-intuitive properties (0.1)10 = (0.000110011001100 · · · )2 simple precision 0.100000001490116119384765625 • Neither associative nor distributive operators (−10000001 + 107 ) + 0.5 6= −10000001 + (107 + 0.5) • Absorption, cancellation phenomena Absorption: 107 + 0.5 = 107 Cancellation: ((1 − 10−7 ) − 1) ∗ 107 = −1.192...(6= −1) → Floats are source of errors in programs 3/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Objectives & Method Goals: → bounds for variables with real numbers semantics and floating-point numbers semantics → bounds for the error due to the use of floating-point numbers instead of real numbers to identify suspicious values Method: combining abstract interpretation & constraint programming 4/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Outline Problematic: Verifying Programs with FP computations AI Approach: Abstraction of program states Constraint Programming over continous domains Motivating example Combining AI and CP Experiments Conclusion 5/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic AI Approach: Abstraction of program states Intervals, zonotopes, polyhedra... Zonotopes: convex polytopes with a central symmetry Sets of affine forms â = a0 + a1 ε1 + · · · + an εn b̂ = b0 + b1 ε1 + · · · + bn εn with εi ∈ [−1, 1] .. . + Good trade-off between performance and precision – Not very accurate for nonlinear expressions – Not accurate on very common program constructs such as conditionals 6/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic AI: Static analysis (cont.) + Good scalability for I I I Showing absence of runtime errors Estimating rounding errors and their propagation Checking properties of programs – Lack of precision I I Approximations may be very coarse Over-approximation possible false alarms 7/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic AI & False alarm From Cousot: 8/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic CP over continous domains: overall scheme CP over continous domains ≡ a branch & prune process → an iteration of two steps: 1. Pruning the search space 2. Making a choice to generate two (or more) sub-problems Pruning step → reduces an interval when the upper bound or the lower bound does not satisfy some constraint Branching step → splits the domain of some variable in two or more intervals 9/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 10/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 11/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 12/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 13/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 14/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 15/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 16/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 17/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 18/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering & Solving process (example) Courtesy to Gilles Trombettoni 19/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Local consistencies Working with a single constraint Consider Dx = [x, x] and c(x, x1 , . . . , xn ) If c(x, x1 , . . . , xn ) does not hold for any values a ∈ [x, x 0 ], then Dx → [x 0 , x] 20/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic 2B–consistency • A constraint cj is 2B–consistent if for any variable xi of cj , the bounds Dxi and Dxi have a support in the domains of all other variables of cj →Variable x is 2B–consistent for f (x, x1 , . . . , xn ) = 0 if the lower (resp. upper) bound of the domain of x is the smallest (resp. largest) solution of f (x, x1 , . . . , xn ) A CSP is 2B–consistent iff all its constraints are 2B–consistent 21/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic 3B–Consistency (1) 3B–Consistency, a shaving process → checks whether 2B–Consistency can be enforced when the domain of a variable is reduced to the value of one of its bounds in the whole system 22/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic 3B–Consistency (2) Let (X , D, C) be a CSP and Dx = [a, b], if Φ2B (PDx ←[a, a+b ] ) = ∅ 2 a+b 2 ) of Dx will be removed and the filtering process continues on the interval [ a+b 2 , b] • then the part [a, • otherwise, the filtering process continues on the interval [a, 3a+b 4 ]. 23/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Constraint Programming framework: sum up + Good refutation capabilities Flexibility: handling of integers, floats, non-linear expressions,... – Scalability Pruning may be costly for large domains A CSP is a conjunction of constraints a different constraint system is required for each path of the CFG 24/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Motivating example float x = [0,10]; float y = x*x - x; if (y >= 0) y = x/10; else y = x*x + 2; 25/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Abstract Interpretation (zonotopes) float x = [0,10]; float y = x*x - x; if (y >= 0) y = x/10; else y = x*x + 2; P0 : x̂ 0 = 5 + 5ε1 Dx0 = [0, 10] ε1 ∈ [−1, 1] y =x ∗x −x y ≥0 P2 : ŷ 2 = ŷ 1 Dx2 = [0, 10] Dy2 = [0, 90] P1 : ŷ 1 = 32.5 + 45ε1 + 12.5η1 η1 ∈ [−1, 1] Dx1 = [0, 10] Dy1 = [−10, 90] y ≥0 y <0 P4 y =x ∗x +2 y = x/10 P3 : ŷ 3 = 0.5 + 0.5ε1 Dy3 = [0, 1] P5 P6 26/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Abstract Interpretation (zonotopes) float x = [0,10]; float y = x*x - x; if (y >= 0) y = x/10; else y = x*x + 2; P0 : x̂ 0 = 5 + 5ε1 Dx0 = [0, 10] ε1 ∈ [−1, 1] y =x ∗x −x y ≥0 P2 : ŷ 2 = ŷ 1 Dx2 = [0, 10] Dy2 = [0, 90] P1 : ŷ 1 = 32.5 + 45ε1 + 12.5η1 η1 ∈ [−1, 1] Dx1 = [0, 10] Dy1 = [−10, 90] y ≥0 y <0 P4 : ŷ 4 = ŷ 1 Dx4 = [0, 10] Dy4 = [−10, 0[ y =x ∗x +2 y = x/10 P3 : ŷ 3 = 0.5 + 0.5ε1 Dy3 = [0, 1] P5 P6 27/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Abstract Interpretation (zonotopes) float x = [0,10]; float y = x*x - x; if (y >= 0) y = x/10; else y = x*x + 2; P0 : x̂ 0 = 5 + 5ε1 Dx0 = [0, 10] y =x ∗x −x y ≥0 P2 : ŷ 2 = ŷ 1 Dx2 = [0, 10] Dy2 = [0, 90] y = x/10 P3 : ŷ 3 = 0.5 + 0.5ε1 Dy3 = [0, 1] ε1 ∈ [−1, 1] P1 : ŷ 1 = 32.5 + 45ε1 + 12.5η1 η1 ∈ [−1, 1] Dx1 = [0, 10] Dy1 = [−10, 90] y ≥0 y <0 P4 : ŷ 4 = ŷ 1 Dx4 = [0, 10] Dy4 = [−10, 0[ y =x ∗x +2 P5 : ŷ 5 = 39.5 + 50ε1 + 12.5η1 Dy5 = [2, 102] P6 : ŷ 6 = ŷ 3 ∪ ŷ 5 = 39.5 + 0.5ε1 + 62η2 η2 ∈ [−1, 1] Dy6 = Dy3 ∪ Dy5 = [0, 102] 28/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Constraint Programming P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102] y0 = x0 ∗ x0 − x0 y0 = x0 ∗ x0 − x0 y0 ≥ 0 y1 = x0 /10 filtering Dx10 = [0, 10] Dy10 = [0, 90] Dy11 = [0, 1] y0 ≥ 0 y0 ≥ 0 y0 < 0 y1 = x0 /10 y1 = x0 ∗ x0 + 2 P6 29/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Constraint Programming P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102] y0 = x0 ∗ x0 − x0 y0 = x0 ∗ x0 − x0 y0 ≥ 0 y1 = x0 /10 filtering Dx10 = [0, 10] Dy10 = [0, 90] Dy11 = [0, 1] y0 = x0 ∗ x0 − x0 y0 < 0 y1 = x0 ∗ x0 + 2 y0 ≥ 0 y0 ≥ 0 y0 < 0 y1 = x0 /10 y1 = x0 ∗ x0 + 2 filtering Dx20 = [0, 1.026] P6 30/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Example 1: Constraint Programming P0 : Dx0 = [0, 10] Dy0 = [−10, 90] Dy1 = [0, 102] y0 = x0 ∗ x0 − x0 y0 = x0 ∗ x0 − x0 y0 ≥ 0 y1 = x0 /10 filtering Dx10 = [0, 10] Dy10 = [0, 90] Dy11 = [0, 1] y0 = x0 ∗ x0 − x0 y0 < 0 y1 = x0 ∗ x0 + 2 y0 ≥ 0 y0 ≥ 0 y0 < 0 y1 = x0 /10 y1 = x0 ∗ x0 + 2 filtering Dx20 = [0, 1.026] Dy20 = [−0.257, 0] Dy21 = [2, 3.027] P6 : Dy31 = Dy11 ∪ Dy21 = [0, 3.027] 31/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Proposed approach: Combining AI and CP Successive exploration and merging steps • Use of AI to compute a first approximation of the values of variables at a program node where two branches join • Building a constraint system for each branch between two join nodes in the CFG of the program and use of CP local consistencies to shrink the domains computed by AI 32/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Filtering techniques • FPCS: 3B(w)-consistency over the floats I Projection functions for floats I Handling of rounding modes I Handling of x86 architecture specifics • RealPaver: 2B(w)-consistency & Box-consistency over the reals I I Reliable approximations of continuous solution sets Correctly rounded interval methods and constraint satisfaction techniques 33/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Experiments: benchmarks • Illustrative programs I quadratic → real roots of a quadratic equation (GNU scientific library); contains many conditionals I sinus7 → the 7th-order Taylor series of function sinus I sqrt → an approximate value (error of 10−2 ) of the square root of a number greater than 4 (Babylonian method) I bigLoop: contains non-linear expressions followed by a loop that iterates one million times I rump: a very particular polynomial designed to outline a catastrophic cancellation phenomenon • 55 benchs from CDFL, a program analyzer for proving the absence of runtime errors in program with floating-point computations based on Conflict-Driven Learning 34/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Experiments: Results over the floating-point numbers quadratic1 quadratic1 quadratic2 quadratic2 sinus7 rump sqrt1 sqrt2 bigLoop Total x0 x1 x0 x1 Fluctuat (AI) Domain Time [−∞, ∞] 0.13 s [−∞, ∞] 0.13 s [−2e6, 0] 0.13 s [−1e6, 0] 0.13 s [−1.009, 1.009] 0.12 s [−1.2e37, 2e37] 0.13 s [2.116, 2.354] 0.13 s [−∞, ∞] 0.2 s [−∞, ∞] 0.15 s 1.25 s RAICP (AI + CP) Domain Time [−∞, 0] 0.39 s [−8.125, ∞] 0.39 s [−1e6, 0] 0.39 s [−3906, 0] 0.39 s [−0.853, 0.852] 0.22 s [−1.2e37, 2e37] 0.22 s [2.121, 2.347] 0.81 s [2.232, 3.168] 1.59 s [0, 10] 0.7 s 5.1 s Fluctuat : state-of-the-art AI analyzer for estimating rounding errors and their propagation using zonotopes 35/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Experiments: Results over the real numbers quadratic1 quadratic1 quadratic2 quadratic2 sinus7 rump sqrt1 sqrt2 bigLoop Total x0 x1 x0 x1 Fluctuat (AI) Domain Time [−∞, ∞] 0.14 s [−∞, ∞] 0.14 s [−2e6, 0] 0.14 s [−1e6, 0] 0.14 s [−1.009, 1.009] 0.12 s [−1.2e37, 2e37] 0.13 s [2.116, 2.354] 0.13 s [2.098, 3.435] 0.2 s [−∞, ∞] 0.15 s 1.29 s RAICP (AI + CP) Domain Time [−∞, 0] 1.55 s [−8.006, ∞] 1.55 s [−1e6, 0] 0.58 s [−5.186e5, 0] 0.58 s [−0.842, 0.843] 0.34 s [−1.2e37, 1.7e37] 1.26 s [2.121, 2.346] 0.35 s [2.232, 3.165] 0.57 s [0, 10] 0.8 s 7.58 s 36/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Experiments: eliminating false alarms CDFL: Program analyzer for proving the absence of runtime errors in program with floating-point computations based on Conflict-Driven Learning RAICP False alarms Total time 0 40.55 s Fluctuat 11 18.37 s CDFL 0 208.99 s Computed on the 55 benchs from CDFL paper (TACAS’12, D’Silva, Leopold Haller, Daniel Kroening, Michael Tautschnig) 37/38 AI Approach Constraint Programming Motivating example AI+CP Experiments Conclusion raf t Problematic Conclusion AI + CP framework: Efficient computation and sharp good domain approximations Further works: interact with AI at the abstract domain level • Better approximations • Keep statement contribution to rounding errors 38/38
© Copyright 2025 Paperzz