Symbolic Execution of Floating-Point Computations
A constraint-based testing approach
Bernard Botella (Thales Aerospace), Claude Michel (Projet COPRIN, INRIA Sophia-Antipolis), Arnaud Gotlieb (Projet LANDE - IRISA / INRIA Rennes)
Nantes -- 24 November 2005

Part of the ACI V3F Project: Validation & Vérification of floating-point computations
Partners:
- LIFC – INRIA Cassis (B. Legeard, …)
- I3S – INRIA Coprin (C. Michel, M. Rueher, …)
- IRISA – INRIA Vertecs / Lande (A. Gotlieb, T. Jéron, …)
- CEA – Lsl/List (B. Marre, M. Martel, E. Goubault, …)
http://lifc.univ-fcomte.fr/%7Ev3f/
Source: people.rennes.inria.fr/Arnaud.Gotlieb/publications/...
Introduction
Symbolic Execution (SE): evaluation of statements with symbolic values along a control flow path
SE is exploited in several applications:
- automatic test data generation [King 75, Clarke TSE'76, Meudec STVR'01]
- feasible path analysis [Goldberg et al. ISSTA'94]
- program proving [Chen et al. ISSTA'02]
- software model checking [Khushid et al. TACAS'03]
- ...
Currently, floating-point variables are handled as reals or rationals in SE applications
float foo( float x) {
float y = 1.0e12, z ;
1. if( x < 10000.0 )
2. z = x + y;
3. if( z > y)
4. …
Is the path 1-2-3-4 feasible?
Path conditions:
x < 10000.0
x + 1.0e12 > 1.0e12
On the reals: x ∈ (0, 10000)
On the floats: no solution!
Conversely:
float foo( float x) {
float y = 1.0e12, z ;
1. if( x > 0.0 )
2. z = x + y;
3. if( z == y)
4. …
Is the path 1-2-3-4 feasible?
Path conditions:
x > 0.0
x + 1.0e12 = 1.0e12
On the reals: no solution
On the floats: x ∈ (0, 32767.99…)
Our roadmap
- To build a constraint solver over the floats
- To combine the solver over the floats with a finite domain constraint solver to deal with mixed computations
- To provide adequate labelling strategies over floating-point variables
Binary floating-point numbers (IEEE-754)
float: (s,f,e), a bit pattern of 32, 64 or more bits
- sign (1 bit)
- exponent (8, 11 bits or extended)
- significand (23, 52 bits or extended)
0 < e < emax: Normalized, (-1)^s × 1.f × 2^(e - bias)
e = 0: Denormalized, (-1)^s × 0.f × 2^(-bias + 1); +0.0, -0.0
e = emax: +INF, -INF, NaNs
4 rounding modes (near, up, down, chop), 5 types of fp_exception
Monotony of rounding required
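An added example (not code from the slides or from FPSE): decoding the (s,f,e) triple of a 32-bit float and evaluating the normalized and denormalized formulas above in C. The function and type names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The (s, f, e) triple of the 32-bit format: 1 sign bit, 8 exponent bits
   (bias 127), 23 fraction bits. */
typedef struct { unsigned s; uint32_t e; uint32_t f; } fp32_fields;

enum { FP32_BIAS = 127, FP32_EMAX = 255 };

/* Split a float's bit pattern into its three fields. */
static fp32_fields fp32_decode(float v) {
    uint32_t b;
    memcpy(&b, &v, sizeof b);
    fp32_fields r = { b >> 31, (b >> 23) & 0xFF, b & 0x7FFFFF };
    return r;
}

/* The three cases of the slide: 0 < e < emax normalized, e = 0 denormalized
   (or a signed zero), e = emax infinities and NaNs. */
static const char *fp32_class(fp32_fields x) {
    if (x.e == FP32_EMAX) return x.f ? "NaN" : "Inf";
    if (x.e == 0) return x.f ? "Denormalized" : "Zero";
    return "Normalized";
}

/* Evaluate the slide's formulas for a finite triple, without libm:
   normalized (-1)^s 1.f 2^(e-bias), denormalized (-1)^s 0.f 2^(1-bias).
   A double holds every float value exactly, so the result is exact. */
static double fp32_value(fp32_fields x) {
    double frac = x.f / 8388608.0;                       /* f / 2^23 = 0.f */
    double sig = x.e == 0 ? frac : 1.0 + frac;
    int exp2 = x.e == 0 ? 1 - FP32_BIAS : (int)x.e - FP32_BIAS;
    double scale = 1.0;
    for (int i = 0; i < (exp2 < 0 ? -exp2 : exp2); i++) scale *= 2.0;  /* 2^|exp2| */
    double v = exp2 < 0 ? sig / scale : sig * scale;
    return x.s ? -v : v;
}

int main(void) {
    float samples[] = { 1.0f, -0.0f, 1.0e12f, 1.0e-40f };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fp32_fields x = fp32_decode(samples[i]);
        printf("%-12g s=%u e=%3u f=0x%06x %-12s value=%.17g\n", (double)samples[i],
               x.s, (unsigned)x.e, (unsigned)x.f, fp32_class(x), fp32_value(x));
    }
    return 0;
}
```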
- Poor (but well-done) approximation of the reals
- finite set not uniformly distributed over the reals
- associativity and distributivity are lost in general, …
For add, sub, mult, div, sqrt, rem and conv: the floating-point result of an operation between floating-point numbers must be the rounding result of the exact operation over the reals
Ex: 999999995904f add 10000f yields 999999995904f = near(999999995904f + 10000f)
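An added example (not code from the slides or from FPSE) that reproduces the two path questions of slides 4 and 5 and the rounding example just above: the ulp of 1.0e12f is read off its bit pattern, and each path's conditions are evaluated strictly in single precision. The helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1.0e12 in single precision: its nearest float is 999999995904
   (= 15258789 * 2^16), the constant written 999999995904f on the slide. */
static const float Y = 1.0e12f;

static uint32_t bits_of(float v) { uint32_t b; memcpy(&b, &v, sizeof b); return b; }
static float float_of(uint32_t b) { float v; memcpy(&v, &b, sizeof v); return v; }

/* Spacing between consecutive floats at v, for a normalized v whose biased
   exponent field e exceeds 23: ulp = 2^(e - 127 - 23), built as a bit pattern. */
static float ulp_of(float v) {
    uint32_t e = (bits_of(v) >> 23) & 0xFF;
    return float_of((e - 23) << 23);
}

/* Largest float strictly below a positive normalized v. */
static float just_below(float v) { return float_of(bits_of(v) - 1); }

/* Statement 2 of both slides, z = x + y, evaluated in single precision. The
   volatile store forces the rounding to float even if the compiler keeps the
   sum in a wider register (the 80-bit register issue noted on slide 25). */
static float add_in_float(float x, float y) {
    volatile float z = x + y;
    return z;
}

/* Path 1-2-3-4 of slide 4: x < 10000.0 then z > y. */
static int slide4_path(float x) { return x < 10000.0f && add_in_float(x, Y) > Y; }

/* Path 1-2-3-4 of slide 5: x > 0.0 then z == y. */
static int slide5_path(float x) { return x > 0.0f && add_in_float(x, Y) == Y; }

int main(void) {
    float half_ulp = ulp_of(Y) / 2;   /* 32768: every smaller positive x is absorbed by y */
    printf("ulp(1.0e12f) = %g, half ulp = %g\n", (double)ulp_of(Y), (double)half_ulp);
    printf("slide 4, x = 9999:         %d\n", slide4_path(9999.0f));
    printf("slide 5, x = 9999:         %d\n", slide5_path(9999.0f));
    printf("slide 5, x = 32767.99...:  %d\n", slide5_path(just_below(half_ulp)));
    printf("slide 5, x = 32768 (tie):  %d\n", slide5_path(half_ulp));
    return 0;
}
```

The tie at x = 32768 rounds to the even neighbour, which is not y here, so the slide's open bound 32767.99… is exact.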
Context of this work
Programs that strictly conform to IEEE-754
E ::= E add E | E subs E | E mult E | E div E | E == E | E != E | E > E | E >= E | (float) E | (double) E | Var | Constants
No extended formats, only the to-the-nearest rounding mode, no exception, no NaNs
Temporary results are stored in known formats (requires setting up specific options when compiling)
Path = n_i ... n_j is a (partial) path of the CFG
State = {<v, ϕ>}, v ∈ Var(P), where ϕ is an algebraic expr. over X
PC = c_1, ..., c_n is a finite conjunction of conditions over X and temporary assignments
Symbolic state: features
(Path, State, PC) is computed either by a forward or a backward analysis over the vertices of Path
Let S_PC be the solution-set of PC; then ∀X ∈ S_PC, Path is activated by X
When S_PC = ∅ then Path is non-feasible
However, finding all the non-feasible paths is a classical undecidable problem [Weyuker 79]
FPSE: Floating-Point Symbolic Execution
- Implemented as part of the INKA tool
  B. Botella: full design and first implementation
  Me: constraint propagation engine and improvements on fp projection functions
- Handles C computations for gcc/solaris/sparc and visual/xp/intel (unsound w.r.t. the stack of 80-bit registers)
- Written in SICStus Prolog (constraint propagation engine) and C (floating-point projection functions)
- Integrated with a collaborative integer constraint solver (SICStus clpfd library)
A straightforward collaboration principle
Synchronous trigger mechanism between FPSE and clpfd
Communicates through alarms (fd_global mechanism) when int-to-float or float-to-int conversion constraints are encountered
Diagram on the slide: the two conversion statements I = (long) X and Y = (float) J sit between FPSE and clpfd.
- alarm(dom(J) is pruned) → Awake → tell( Y in minFP(J)..maxFP(J))
- tell( I in minFD(X)..maxFD(X))
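An added illustration of the two projections exchanged for a conversion constraint Y = (float) J, written in plain C rather than as the SICStus/clpfd alarm mechanism of the real tool; the names project_fd_to_fp, project_fp_to_fd and the interval structs are mine, and the tie handling is my reconstruction of what a correct minFD/maxFD needs, not FPSE's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Interval domains of the two variables linked by Y = (float) J: J is a
   finite-domain (integer) variable on the clpfd side, Y a float in FPSE. */
typedef struct { long long lo, hi; } fd_dom;
typedef struct { float lo, hi; } fp_dom;

static uint32_t bits_of(float v) { uint32_t b; memcpy(&b, &v, sizeof b); return b; }
static float float_of(uint32_t b) { float v; memcpy(&v, &b, sizeof v); return v; }

/* Adjacent floats (finite inputs only): stepping the bit pattern moves away
   from zero, so the direction depends on the sign. */
static float next_up(float v) {
    if (v == 0.0f) return float_of(1);                    /* smallest denormal */
    return float_of(v > 0 ? bits_of(v) + 1 : bits_of(v) - 1);
}
static float next_down(float v) { return -next_up(-v); }

static long long ceil_ll(double m)  { long long t = (long long)m; return t < m ? t + 1 : t; }
static long long floor_ll(double m) { long long t = (long long)m; return t > m ? t - 1 : t; }

/* FPSE side, awoken by "dom(J) is pruned": tell(Y in minFP(J)..maxFP(J)).
   Rounding to nearest is monotone (slide 8), so converting the bounds suffices. */
static fp_dom project_fd_to_fp(fd_dom j) {
    fp_dom y = { (float)j.lo, (float)j.hi };
    return y;
}

/* clpfd side: tell(J in minFD(Y)..maxFD(Y)). An integer converts into [ylo, yhi]
   only if it lies between the midpoint just below ylo and the midpoint just above
   yhi (midpoints of adjacent floats are exact in double). An integer sitting on a
   midpoint is a tie that rounds to even, possibly outside, so it is re-checked. */
static fd_dom project_fp_to_fd(fp_dom y) {
    long long lo = ceil_ll(((double)next_down(y.lo) + y.lo) / 2.0);
    long long hi = floor_ll(((double)y.hi + next_up(y.hi)) / 2.0);
    if ((float)lo < y.lo) lo++;
    if ((float)hi > y.hi) hi--;
    fd_dom j = { lo, hi };          /* lo > hi means the constraint store fails */
    return j;
}

int main(void) {
    fd_dom j = { 16777215, 16777221 };     /* constructed: around 2^24, where floats skip integers */
    fp_dom y = project_fd_to_fp(j);
    fd_dom back = project_fp_to_fd(y);
    printf("J in %lld..%lld -> Y in %.0f..%.0f -> J in %lld..%lld\n",
           j.lo, j.hi, (double)y.lo, (double)y.hi, back.lo, back.hi);
    return 0;
}
```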