Commit 43cdec44 authored by Joachim Bard's avatar Joachim Bard

Merge branch 'master' of gitlab.mpi-sws.org:AVA/FloVer

parents c6ea9dea 6a6ee6a4
# Project FloVer
## FM 2019
All implementations included in the FM2019 submission are on the branch [FM19][2].
The folder `scripts` contains the scripts we used to run the evaluation from the paper.
Changes described in the paper can be found in the folder `coq`. The overall soundness theorem is stated in file `CertificateChecker.v`.
The SMT-based range validator and its soundness proof can be found in file [SMTValidation.v][3], and the Subdivision checker can be found in file [SubdivsChecker.v][4].
## FMCAD 2018
The artifact and scripts used to run the evaluation for FMCAD 2018 can be found on the branch [FMCAD 2018][1].
......@@ -30,7 +37,7 @@ Full support for fixed-point programs is also only available in `affine_arithmet
## Checking Coq certificates
FloVer is known to compile with coq `8.7.2` and `8.8.0`.
FloVer is known to compile with coq `8.8.2`.
To check the Coq certificate, you need to enter the `coq` directory.
Place any certificate you want to have checked into the `output` folder in the
coq directory and then run
......@@ -43,9 +50,8 @@ This will compile all coq files and then in the end the certificate in the outpu
To compile the file `IEEE_connection.v` showing the relation to IEEE754 semantics, it is necessary to install
the Flocq library via opam:
```bash
$ opam install coq-flocq.2.6.1
$ opam install coq-flocq.3.1.0
```
Note that due to some incompatibilities, FloVer currently does not support flocq 3.0.
The coq binary is build in the directory `coq/binary` and you can compile it by
running `make native` in the directory.
......@@ -99,7 +105,7 @@ $ ./cake_checker CERTIFICATE_FILE
## Contributors
In no particular order: Raphael Monat, Nikita Zyuzin, Heiko Becker
In no particular order: Raphael Monat, Nikita Zyuzin, Joachim Bard, Heiko Becker
Acknowledgements
......@@ -107,4 +113,7 @@ Acknowledgements
We would like to thank Jacques-Henri Jourdan for the many insightful discussions
and technical help while working on the initial version of FloVer.
[1]: https://gitlab.mpi-sws.org/AVA/FloVer/tree/FMCAD2018
\ No newline at end of file
[1]: https://gitlab.mpi-sws.org/AVA/FloVer/tree/FMCAD2018
[2]: https://gitlab.mpi-sws.org/AVA/FloVer/tree/FM19
[3]: https://gitlab.mpi-sws.org/AVA/FloVer/blob/FM19/coq/SMTValidation.v
[4]: https://gitlab.mpi-sws.org/AVA/FloVer/blob/FM19/coq/SubdivsChecker.v
\ No newline at end of file
......@@ -25,6 +25,10 @@ Definition CertificateChecker (e: expr Q) (absenv: analysisResult)
| _ => false
end.
(**
General soundness theorem, exposing all invariants that are shown by
the separate validator functions
**)
Theorem Certificate_checking_is_sound_general (e:expr Q) (absenv:analysisResult)
P Qmap subdivs defVars:
forall (E1 E2:env) DeltaMap,
......@@ -63,13 +67,11 @@ Proof.
intros. cbn in *; congruence. }
exists Gamma; intros approxEnv_E1E2.
destruct subdivs.
- edestruct result_checking_sound as (validR & validFPR & validErr); eauto.
- edestruct result_checking_sound; eauto.
intuition.
edestruct validRanges_single as (iv_e & err_e & vR & find_e & eval_real_e & ?); eauto.
edestruct validErrorBoundsRec_single as ((vFP & mFP & eval_fp_e) & H4); eauto.
assert (validSSA e (freeVars e) = true) as Hssa_small.
{ apply andb_true_iff in certificate_valid as (Hssa & _).
eapply validSSA_downward_closed; eauto using validSSA_checks_freeVars. set_tac. }
apply validSSA_sound in Hssa_small as (outVars & Hssa_small).
edestruct validErrorBoundsRec_single; eauto.
destruct H5 as (? & ? & ?).
repeat eexists; eauto.
- (* general version of subdivs_checking_sound *) admit.
Admitted.
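Review bot: The proof of `Certificate_checking_is_sound_general` is closed with `Admitted.` after the subdivision branch is discharged by `- (* general version of subdivs_checking_sound *) admit.`, so the statement that the preceding hunk's header comment calls the general soundness theorem is currently an axiom for everything that depends on it; the visible context does not show whether this merge introduced the admit or only kept it. A reader of the statement alone cannot see this, so the header comment should say so explicitly, e.g. `(* NOTE: the subdivs case is currently admitted; closing it needs a general version of subdivs_checking_sound. *)`, and a `Print Assumptions Certificate_checking_is_sound_general.` after `Admitted.` would keep the remaining dependency visible in the build log. If `Certificate_checking_is_sound` in the next hunk is derived from this theorem, it inherits the admit as well. The proof body begins outside the hunk.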
......@@ -84,7 +86,6 @@ Theorem Certificate_checking_is_sound (e:expr Q) (absenv:analysisResult)
forall (E1 E2:env) DeltaMap,
(forall (v : R) (m' : mType),
exists d : R, DeltaMap v m' = Some d /\ (Rabs d <= mTypeToR m')%R) ->
eval_precond E1 P ->
unsat_queries Qmap ->
(forall Qmap, In Qmap (queriesInSubdivs subdivs) -> unsat_queries Qmap) ->
......
......@@ -17,23 +17,26 @@ Definition ResultChecker (e: expr Q) (absenv: analysisResult)
(**
Soundness proof for the result checker.
**)
Theorem result_checking_sound (e: expr Q) (absenv: analysisResult) P Qmap defVars Gamma DeltaMap:
forall (E1 E2: env),
(forall (v : R) (m' : mType), exists d : R, DeltaMap v m' = Some d /\ (Rabs d <= mTypeToR m')%R) ->
Theorem result_checking_sound (e: expr Q) (absenv: analysisResult) P Qmap defVars Gamma:
forall (E1 E2: env) DeltaMap,
(forall (v : R) (m' : mType),
exists d : R, DeltaMap v m' = Some d /\ (Rabs d <= mTypeToR m')%R) ->
approxEnv E1 (toRExpMap Gamma) absenv (freeVars e) NatSet.empty E2 ->
eval_precond E1 P ->
unsat_queries Qmap ->
getValidMap defVars e (FloverMap.empty mType) = Succes Gamma ->
ResultChecker e absenv P Qmap defVars Gamma = true ->
validRanges e absenv E1 (toRTMap (toRExpMap Gamma)) /\
validFPRanges e E2 Gamma DeltaMap /\
validErrorBounds e E1 E2 absenv Gamma.
exists outVars,
ssa e (freeVars e) outVars /\
validRanges e absenv E1 (toRTMap (toRExpMap Gamma)) /\
validErrorBounds e E1 E2 absenv Gamma /\
validFPRanges e E2 Gamma DeltaMap.
(**
The proofs is a simple composition of the soundness proofs for the range
validator and the error bound validator.
**)
Proof.
intros * deltas_matched approxE1E2 P_valid unsat_qs valid_typeMap results_valid.
intros * deltaMap_valid approxE1E2 P_valid unsat_qs valid_typeMap results_valid.
unfold ResultChecker in results_valid.
assert (validTypes e Gamma).
{ eapply getValidMap_top_correct; eauto.
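Review bot: The comment ahead of `Proof.` still says the result is "a simple composition of the soundness proofs for the range validator and the error bound validator", but the new conclusion also exports an ssa witness, `exists outVars, ssa e (freeVars e) outVars`, and `validFPRanges e E2 Gamma DeltaMap`, with `DeltaMap` now quantified inside the `forall` rather than taken as a theorem parameter. Callers that destructure the conclusion depend on the new conjunct order (ssa, ranges, error bounds, FP ranges), as `(? & _ & validRange & Hsound & _)` in the later hunk of this file shows, so the comment should state it: `The proof composes the SSA check with the soundness proofs of the range, error-bound and FP-range validators; callers rely on the order of the conjuncts.` While editing it, "The proofs is" should read "The proof is". The proof continues outside the hunk.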
......@@ -75,11 +78,11 @@ Proof.
*)
assert (ssa e (NatSet.union (freeVars e) (NatSet.empty)) outVars2).
{ eapply ssa_equal_set; eauto. }
repeat split; auto.
eexists; repeat split; try eauto.
- eapply RoundoffErrorValidator_sound; eauto.
- eapply FPRangeValidator_sound; eauto.
+ eapply RoundoffErrorValidator_sound; eauto.
+ intros v Hin. set_tac.
- eapply RoundoffErrorValidator_sound; eauto.
+ intros; set_tac.
Qed.
(**
......@@ -105,96 +108,10 @@ Corollary result_checking_sound_single (e: expr Q) (absenv: analysisResult) P Qm
Proof.
intros * deltas_matched P_valid unsat_qs valid_typeMap results_valid.
exists Gamma; intros approxE1E2.
assert (validRanges e absenv E1 (toRTMap (toRExpMap Gamma))) as validRange
by (eapply result_checking_sound; eauto).
assert (validErrorBounds e E1 E2 absenv Gamma) as Hsound
by (eapply result_checking_sound; eauto).
edestruct result_checking_sound as (? & _ & validRange & Hsound & _); try eauto.
eapply validRanges_single in validRange.
destruct validRange as [iv [err [vR [Hfind [eval_real validRange]]]]].
eapply validErrorBoundsRec_single in Hsound; eauto.
destruct Hsound as [[vF [mF eval_float]] err_bounded]; auto.
exists iv, err, vR, vF, mF; repeat split; auto.
Qed.
(*
Definition CertificateCheckerCmd (f:cmd Q) (absenv:analysisResult) (P: precond)
(Qmap: FloverMap.t (SMTLogic * SMTLogic)) defVars :=
match getValidMapCmd defVars f (FloverMap.empty mType) with
| Succes Gamma =>
if (validSSA f (preVars P))
then
if (RangeValidatorCmd f absenv P Qmap NatSet.empty) &&
FPRangeValidatorCmd f absenv Gamma NatSet.empty
then (RoundoffErrorValidatorCmd f Gamma absenv NatSet.empty)
else false
else false
| _ => false
end.
Theorem Certificate_checking_cmds_is_sound (f:cmd Q) (absenv:analysisResult) P Qmap
defVars DeltaMap:
forall (E1 E2:env),
(forall (e' : expr R) (m' : mType),
exists d : R, DeltaMap e' m' = Some d /\ (Rabs d <= mTypeToR m')%R) ->
eval_precond E1 P ->
unsat_queries Qmap ->
CertificateCheckerCmd f absenv P Qmap defVars = true ->
exists Gamma,
approxEnv E1 (toRExpMap Gamma) absenv (freeVars f) NatSet.empty E2 ->
exists iv err vR vF m,
FloverMap.find (getRetExp f) absenv = Some (iv,err) /\
bstep (toREvalCmd (toRCmd f)) E1 (toRTMap (toRExpMap Gamma)) DeltaMapR vR REAL /\
bstep (toRCmd f) E2 (toRExpMap Gamma) DeltaMap vF m /\
(forall vF m,
bstep (toRCmd f) E2 (toRExpMap Gamma) DeltaMap vF m ->
(Rabs (vR - vF) <= Q2R (err))%R).
(**
The proofs is a simple composition of the soundness proofs for the range
validator and the error bound validator.
**)
Proof.
intros * deltas_matched P_valid unsat_qs certificate_valid.
unfold CertificateCheckerCmd in certificate_valid.
destruct (getValidMapCmd defVars f (FloverMap.empty mType)) eqn:?;
try congruence.
rename t into Gamma.
assert (validTypesCmd f Gamma).
{ eapply getValidMapCmd_correct; try eauto.
intros; cbn in *; congruence. }
exists Gamma; intros approxE1E2.
repeat rewrite <- andb_lazy_alt in certificate_valid.
andb_to_prop certificate_valid.
pose proof (validSSA_checks_freeVars _ _ L) as sub.
assert (validSSA f (freeVars f) = true) as ssa_valid
by (eapply validSSA_downward_closed; eauto; set_tac).
apply validSSA_sound in ssa_valid as [outVars_small ssa_f_small].
apply validSSA_sound in L.
destruct L as [outVars ssa_f].
assert (ssa f (preVars P NatSet.empty) outVars) as ssa_valid.
{ eapply ssa_equal_set; eauto.
apply NatSetProps.empty_union_2.
apply NatSet.empty_spec. }
rename R into validFPRanges.
assert (dVars_range_valid NatSet.empty E1 absenv).
{ unfold dVars_range_valid.
intros; set_tac. }
assert (NatSet.Subset (freeVars f -- NatSet.empty) (freeVars f))
as freeVars_contained by set_tac.
assert (validRangesCmd f absenv E1 (toRTMap (toRExpMap Gamma))) as valid_f.
{ eapply (RangeValidatorCmd_sound _ (fVars:=preVars P)); eauto; intuition.
unfold affine_dVars_range_valid; intros.
set_tac. }
pose proof (validRangesCmd_single _ _ _ _ valid_f) as valid_single.
destruct valid_single as [iv [ err [vR [map_f [eval_real bounded_real_f]]]]].
destruct iv as [f_lo f_hi].
pose proof RoundoffErrorValidatorCmd_sound as Hsound.
eapply validErrorBoundsCmd_single in Hsound; eauto.
- specialize Hsound as ((vF & mF & eval_float) & ?).
exists (f_lo, f_hi), err, vR, vF, mF; repeat split; try auto.
- eapply ssa_equal_set. 2: exact ssa_f_small.
apply NatSetProps.empty_union_2.
apply NatSet.empty_spec.
- unfold dVars_contained; intros; set_tac.
Qed.
*)
......@@ -442,6 +442,11 @@ Theorem subdivs_checking_sound (e: expr Q) (absenv: analysisResult) P subdivs de
(forall Qmap, In Qmap (queriesInSubdivs subdivs) -> unsat_queries Qmap) ->
getValidMap defVars e (FloverMap.empty mType) = Succes Gamma ->
SubdivsChecker e absenv P subdivs defVars Gamma = true ->
(*
validRanges e absenv E1 (toRTMap (toRExpMap Gamma)) /\
validFPRanges e E2 Gamma absenv /\
validErrorBounds e E1 E2 absenv Gamma.
*)
exists Gamma,
approxEnv E1 (toRExpMap Gamma) absenv (freeVars e) NatSet.empty E2 ->
exists iv err vR vF m,
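Review bot: The five added lines place a commented-out alternative conclusion, `(* validRanges e absenv E1 ... validErrorBounds e E1 E2 absenv Gamma. *)`, inside the statement of `subdivs_checking_sound` between the last hypothesis and `exists Gamma`, which leaves dead text in a theorem statement. The commented `validFPRanges e E2 Gamma absenv` also differs from the form used by `result_checking_sound` in this same merge (`validFPRanges e E2 Gamma DeltaMap`), so if it is meant as a planned strengthening it is already out of date. Either drop the block or replace it with a one-line note such as `(* TODO: strengthen the conclusion to validRanges/validErrorBounds/validFPRanges, as result_checking_sound does *)`. The theorem statement starts before and continues after the hunk.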
......@@ -463,14 +468,15 @@ Proof.
pose proof (checkSubdivs_sound e _ _ _ _ _ _ _ valid_subdivs in_subdivs) as [range_err_check A_leq].
assert (ResultChecker e A P1 Qmap defVars Gamma = true) as res_check
by (unfold ResultChecker; now rewrite valid_ssa', range_err_check).
exists Gamma; intros approxE1E2.
assert (approxEnv E1 (toRExpMap Gamma) A (freeVars e) NatSet.empty E2) as approxE1E2'
by (eapply approxEnv_empty_dVars; eauto).
assert (validRanges e A E1 (toRTMap (toRExpMap Gamma))) as validRange.
{ eapply result_checking_sound; eauto.
{ edestruct result_checking_sound; eauto; [| intuition].
apply unsat_qs. apply in_map_iff. now exists (P1, A, Qmap). }
assert (validErrorBounds e E1 E2 A Gamma) as Hsound.
{ eapply result_checking_sound; eauto.
{ edestruct result_checking_sound; eauto; [| intuition].
apply unsat_qs. apply in_map_iff. now exists (P1, A, Qmap). }
eapply validRanges_single in validRange.
destruct validRange as [iv [err [vR [Hfind [eval_real validRange]]]]].
......