FORMAL SPECIFICATION AND VERIFICATION OF THE STANDARD MATHEMATICAL FUNCTIONS
N. V. Shilov1, I. S. Anureev2, E. V. Bodin2, D. A. Kondratiev2, A. V. Promsky2,
S. O. Shilova, B. L. Faifel3
1 Innopolis University, 420500, Innopolis, Russia
2 A.P. Ershov Institute of Informatics Systems, 630090, Novosibirsk, Russia
3 Yu. Gagarin State Technical University of Saratov, 410054, Saratov, Russia
UDC 004.052
DOI: 10.24411/9999-016A-2019-10088
The research project "Platform-independent approach to formal specification and verification of standard mathematical functions" aims at the development of an incremental combined approach to the specification and verification of the standard mathematical functions such as sqrt, cos, sin, etc. Platform-independence means that we attempt to design a relatively simple axiomatization of computer arithmetic in terms of real, rational and integer arithmetic (i.e. the fields R and Q of real and rational numbers and the ring Z of integers) but specify neither the base of the computer arithmetic nor the format of number representation. Incrementality means that we start with the most straightforward specification of the simplest, easy-to-verify algorithm in real numbers and finish with a realistic specification and verification of an algorithm in computer arithmetic. We call our approach combined because we start with a manual (pen-and-paper) verification of some selected algorithm in real numbers, then use this algorithm and its verification as a draft and proof outline for the algorithm in computer arithmetic and its manual verification, and finish with a computer-aided validation of our manual proofs in some proof assistant (to avoid appeals to "obviousness", which are very common in human-carried proofs). In the paper we present the first steps towards a platform-independent incremental combined approach to the specification and verification of the standard functions cos and sin that implement the mathematical trigonometric functions cos and sin.
Keywords: fix-point numbers, floating-point numbers, computer/machine arithmetic, formal verification, partial and total correctness, Hoare triples, Floyd verification method of inductive assertions, irrational numbers, periodic real functions, Taylor expansion/series.
Introduction
One who has a look at verification research and practice may observe that there exist verification in large (scale) and verification in small (scale): verification in large (usually) deals with behavioral properties of large-scale complex critical systems like the Curiosity Mars mission [11], while verification in small (usually) addresses functional properties of small programs like those computing the standard trigonometric functions [9]. Verification of behavioral properties of a safety/mission/availability-critical system does not guarantee safety/liveness/fairness of the system, but it may detect bugs that could cause a very expensive and/or fatal system failure (like the launch failure from the launch site "Vostochny" on November 28, 2017 [16]). At the same time, verification in small is also of high importance: a tiny bug/mistake/error in a small but frequently/massively used function/program may cause huge financial losses; this is true in particular for the standard computer functions (available in the standard libraries) [8]. Of course, this division of verification research into two streams (in large and in small scale) is just a split, not a break, because all verification research works together towards the incorporation of formal verification into the software development cycle, perhaps at the compilation/linking stages [10].
Our paper deals with verification in small; in particular, it may look as if it were about the same topic as [9], i.e. formal verification of two standard computer functions cos and sin that implement the well-known trigonometric mathematical real functions cos, sin : R → R. But there are serious differences between [9] and our paper. Firstly, the cited paper is platform-dependent (Intel IA-64 architecture) and its approach is neither incremental nor combined; next, it provides neither a definition of the mathematical functions cos and sin nor a specification of their computer counterparts cos and sin; finally, because of the use of HOL Light, all algorithms in the cited paper are functional rather than imperative. In contrast, in our paper we present a platform-independent and incremental approach based on a formal definition of the mathematical functions, discuss several variants of formal specifications for their computer counterparts, use Hoare total correctness assertions [1,7] for the logical specification of the imperative algorithms that implement the computer functions, and finish with a manual (pen-and-paper) verification (using the Floyd-Hoare approach [1,7]) of the computer functions for argument values in the range [-1,1] (in radian measure). (Thus we postpone the computer-aided validation of our proof to the future, while the paper [9] has carried out computer-aided formal verification.)
The work has been supported by the Russian Foundation for Basic Research (no. 17-01-00789 "Platform-independent approach to formal specification and verification of standard mathematical functions").
ISBN 978-5-901548-42-4
Our present paper is the next in a series of our papers devoted to the development of a platform-independent incremental combined approach to the specification and verification of the standard mathematical functions [17-20]. The position papers [17,18] stated our concern regarding the need for
• better specification and incremental combined platform-independent verification of standard functions,
• introduction and standardization of a certification process for the standard functions,
• inclusion of an incremental combined platform-independent verification into this certification.
A work-in-progress electronic preprint [19] presented a human-oriented specification and a pen-and-paper verification of a computer square root function that implements the Newton-Raphson method by a non-adaptive for-loop (with a pre-computed number of iterations) and uses a look-up table for initial approximations. The specification in [19] was presented as a total correctness assertion using precise arithmetic, and the square root algorithm was presented in imperative pseudo-code with an explicit distinction between precise and machine arithmetic; the manual verification was done in Floyd-Hoare style with an adjustment (matching) of the runs of the algorithm in precise arithmetic and in machine arithmetic. It is fair to say that the primary contribution of the paper [19] was an axiomatization of the properties of machine (fix-point as well as floating-point) arithmetic that are sufficient to carry out the verification.
A (Russian) journal paper [20] is based on an improved axiomatization from [19]. In the cited paper an adaptive imperative algorithm implementing the same Newton-Raphson method for the square root function was specified by total correctness assertions and verified manually using the Floyd-Hoare approach in both fix-point and floating-point arithmetic; the post-condition of the total correctness assertion states that the final overall error is not greater than 2 ulp, where ulp is the Unit in the Last Place, i.e. the unit of the last meaningful digit. The paper [20] reported two steps towards computer-aided validation and verification of the adaptive algorithm:
• an implementation of a fix-point data type according to the axiomatization can be found at https://bitbucket.org/ainoneko/lib_verify/src/,
• ACL2 proofs of
— the consistency of the computer arithmetic axiomatization,
— the existence of a look-up table with initial approximations for the square root
can be found at https://github.com/apple2-66/c-light/tree/master/experiments/square-root.
1 Computing trigonometric functions in Fix-point Arithmetic
We first axiomatized a platform-independent fix-point arithmetic in the electronic preprint [19] and then improved the initial axiomatization in the journal paper [20]. In the present paper we follow the latter version, but explicitly admit that there may be several different fix-point data types simultaneously.
Figure 1: Flowcharts of the algorithms CosCodeInZerOne (left) and CosCodeInFixPoint (right)
A fix-point data type (with Gaussian rounding) D satisfies the following axioms.
• The set of values Val_D is a finite set of rational numbers (a subset of Q and hence of R) such that
— it contains the least element inf_D < 0 and the largest element sup_D > 0,
— together with these it contains
* all rational numbers in [inf_D, sup_D] with a step δ_D > 0,
* all integers Int_D in the range [inf_D, sup_D].
• Admissible operations include machine addition ⊕, subtraction ⊖, multiplication ⊗, division ⊘, and integer rounding up ⌈ ⌉ and down ⌊ ⌋.
Machine addition and subtraction. If the exact result of the standard mathematical addition (subtraction) of two fix-point values falls within the interval [inf_D, sup_D], then the machine addition (subtraction, respectively) of these arguments equals the result of the mathematical operation (and the notation + and − is used in this case).
Machine multiplication and division. These operations return the values that are nearest in Val_D to the exact result of the corresponding standard mathematical operation: for any x, y ∈ Val_D
— if x × y ∈ Val_D then x ⊗ y = x × y;
— if x/y ∈ Val_D then x ⊘ y = x/y;
— if x × y ∈ [inf_D, sup_D] then |x ⊗ y − x × y| ≤ δ_D/2;
— if x/y ∈ [inf_D, sup_D] then |x ⊘ y − x/y| ≤ δ_D/2.
Integer rounding up and down are defined for all values in Val_D.
• Admissible binary relations include all standard equalities and inequalities (within [inf_D, sup_D]) denoted in the standard way: =, ≠, <, >, ≤, ≥.
We study the trigonometric functions for argument values in the range [-1,1]. The algorithm that computes the cosine in this range is presented in the left part of Fig. 1; the corresponding specification follows:
$$[(0 < \varepsilon < 1) \ \&\ (-1 \le x \le 1)] \ \mathit{CosCodeInZerOne} \ [\,|cs - \cos x| < \varepsilon\,] \qquad (1)$$
The correctness of the specification (1) is easy to prove using the following invariant:
$$0 < \varepsilon < 1 \ \&\ -1 \le x \le 1 \ \&\ sign = (-1)^n \ \&\ ep = (-1)^n \times (2n)! \times \varepsilon \ \&\ tc = \frac{x^{2n}}{(2n)!} \ \&\ cs = \sum_{m=0}^{n-1} \frac{(-1)^m x^{2m}}{(2m)!} \qquad (2)$$
The above algorithm CosCodeInZerOne can be converted into the algorithm CosCodeInFixPoint (with fix-point arithmetic) presented in the right part of Fig. 1; the corresponding specification has to be modified as follows:
$$\left[\delta_D < 1 \ \&\ 0 < \varepsilon < 1 \ \&\ \varepsilon \in Val_D \ \&\ \exists N \in Int_D : ((2N)! \times \varepsilon > 1) \ \&\ -1 \le x \le 1 \ \&\ x \in Val_D\right]$$
$$\mathit{CosCodeInFixPoint}$$
$$\left[\,|csfp - \cos x| < (\varepsilon + \dots) \ \&\ n = \min\{N : ((2N)! \times \varepsilon > 1)\}\right] \qquad (3)$$
Figure 2: Flowcharts of the algorithms SinCodeInZerOne (left) and SinCodeInFixPoint (right)
    ;; Approximate cos x by its Taylor series in exact rational arithmetic:
    ;; a is the current (signed) term, s the partial sum, k the index 2m of the term.
    (defun my-cos (x &optional (eps 1E-8))
      (let ((a 1) (s 1) (k 0))
        (loop
          ;; stop as soon as the next term is below the requested accuracy
          (when (<= (abs a) eps) (return s))
          ;; a_{m+1} = -a_m * x^2 / ((2m+1)(2m+2)); accumulate and advance k by 2
          (setq a (- (/ (* a x x) (+ k 1) (+ k 2)))
                s (+ s a)
                k (+ k 2)))))
Figure 3: Lisp function to compute approximations of cos in unbounded rational arithmetic with accuracy 10^-8
The algorithm that computes sine values for arguments in the range [-1,1] is presented in the left part of Fig. 2; the corresponding specification follows:
$$[(0 < \varepsilon < 1) \ \&\ (-1 \le x \le 1)] \ \mathit{SinCodeInZerOne} \ [\,|sn - \sin x| < \varepsilon\,] \qquad (4)$$
Again, similarly to the above, the algorithm SinCodeInZerOne can be converted into the algorithm SinCodeInFixPoint (with fix-point arithmetic) presented in the right part of Fig. 2; the corresponding specification follows:
$$\left[\delta_D < 1 \ \&\ 0 < \varepsilon < 1 \ \&\ \varepsilon \in Val_D \ \&\ \exists N \in Int_D : ((2N+1)! \times \varepsilon > 1) \ \&\ -1 \le x \le 1 \ \&\ x \in Val_D\right]$$
$$\mathit{SinCodeInFixPoint}$$
$$\left[\,|snfp - \sin x| < (\varepsilon + \dots) \ \&\ n = \min\{N : ((2N+1)! \times \varepsilon > 1)\}\right] \qquad (5)$$
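As an added illustration (not code from the paper), the program below reconstructs the cosine loop of Fig. 1 in exact rational arithmetic, checking every clause of invariant (2) on each loop entry, and then runs the same loop through a small model of the fix-point axioms of Section 1 (exact ⊕ and ⊖ in range, nearest rounding for ⊗ and ⊘, operations undefined outside [inf_D, sup_D]). The loop structure, the class and the sample parameters (x = 1/2, ε = 2^-20, δ_D = 2^-40) are my assumptions, since the flowcharts are not reproduced here.

```python
from fractions import Fraction
from math import cos, factorial

def taylor_cos_exact(x: Fraction, eps: Fraction):
    """CosCodeInZerOne in exact rational arithmetic, checking invariant (2) on every loop entry."""
    assert 0 < eps < 1 and -1 <= x <= 1                      # precondition of (1)
    n, sign, tc, cs = 0, 1, Fraction(1), Fraction(0)
    while True:
        assert sign == (-1) ** n                              # invariant (2), clause by clause
        assert tc == x ** (2 * n) / factorial(2 * n)
        assert cs == sum(Fraction((-1) ** m) * x ** (2 * m) / factorial(2 * m) for m in range(n))
        if tc < eps:          # alternating, decreasing terms: |cs - cos x| <= tc < eps (Leibniz)
            return cs, n
        cs += sign * tc
        n, sign = n + 1, -sign
        tc = tc * x * x / ((2 * n - 1) * (2 * n))             # x^(2n)/(2n)! from the previous term

class FixPoint:
    """Model of a fix-point type D: Val_D = {k*delta : inf_D <= k*delta <= sup_D}, Gaussian rounding."""
    def __init__(self, delta: Fraction, inf: Fraction, sup: Fraction):
        assert inf < 0 < sup and delta > 0
        self.delta, self.inf, self.sup = delta, inf, sup

    def check(self, v: Fraction) -> Fraction:                 # operations are undefined outside the range
        if not self.inf <= v <= self.sup:
            raise OverflowError(f"{v} is outside [inf_D, sup_D]")
        return v

    def rnd(self, v: Fraction) -> Fraction:                   # nearest element of Val_D; round() is half-to-even
        return self.check(round(v / self.delta) * self.delta)

    def add(self, a, b): return self.check(a + b)             # exact whenever the result is in range
    def sub(self, a, b): return self.check(a - b)
    def mul(self, a, b): return self.rnd(a * b)               # |a (x) b - a*b| <= delta/2
    def div(self, a, b): return self.rnd(Fraction(a) / b)

def taylor_cos_fixpoint(D: FixPoint, x: Fraction, eps: Fraction):
    """CosCodeInFixPoint: the same loop with every arithmetic step routed through D's machine operations."""
    assert 0 < eps < 1 and -1 <= x <= 1 and D.rnd(x) == x and D.rnd(eps) == eps
    n, sign, tc, cs = 0, 1, Fraction(1), Fraction(0)
    while tc >= eps:
        cs = D.add(cs, tc) if sign > 0 else D.sub(cs, tc)
        n, sign = n + 1, -sign
        tc = D.div(D.mul(D.mul(tc, x), x), D.check(Fraction((2 * n - 1) * (2 * n))))  # three roundings
    return cs, n

def demo():
    """Constructed parameters (assumed): x = 1/2, eps = 2^-20, delta_D = 2^-40, [inf_D, sup_D] = [-1024, 1024]."""
    x, eps = Fraction(1, 2), Fraction(1, 2 ** 20)
    D = FixPoint(Fraction(1, 2 ** 40), Fraction(-1024), Fraction(1024))
    cs, n = taylor_cos_exact(x, eps)
    csfp, nfp = taylor_cos_fixpoint(D, x, eps)
    y = 3 * D.delta                                            # x*y = 1.5 delta: a tie, rounded to even
    return {"eps": float(eps), "n": n, "nfp": nfp,
            "exact_err": abs(float(cs) - cos(0.5)), "fp_err": abs(float(csfp) - cos(0.5)),
            "mul_axiom_ok": abs(D.mul(x, y) - x * y) <= D.delta / 2}

if __name__ == "__main__":
    print(demo())
```

With δ_D far below ε the fix-point result stays within the same ε-bound as the exact one; shrinking the gap between δ_D and ε is the quickest way to see the extra rounding term of specifications (3) and (5) become visible.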
Conclusion
In this paper we concentrate on the design, specification and (preliminary manual) verification of two trigonometric functions cos and sin in platform-independent fix-point arithmetic for small argument values in the range [-1,1], and use Taylor expansions as the definitions of the functions. Let us enumerate below some problems that need further theoretical and experimental research.
First, we should try to implement our verified algorithms on the virtual computer (for our fix-point arithmetic) available at https://bitbucket.org/ainoneko/lib_verify/src/ and then test these implementations against
• selected algebraic values of these functions (for example, sin(π/6) = 1/2, sin(π/4) = cos(π/4) = √2/2, cos(π/6) = √3/2, etc.) in line with the test approach suggested and explained in [12,13];
• automatically generated test data computed using Taylor expansions in any language that supports unbounded integer arithmetic; for example, the Lisp function in Fig. 3 computes approximations of cos in unbounded rational arithmetic with accuracy 10^-8.
Next we should complete a pen-and-paper proof of the specification (3) and a proof of the specification (5). Then we should validate/implement both proofs using some proof assistant, since manual proofs accompanied by computer-aided proofs are the core idea of the combined approach to verification. Currently, in our studies of the square-root function [19,20], we are using the proof assistant ACL2 for proof validation/implementation, but we may change our choice later.
Table 1: Result of evaluation of (my-cos 50)
numerator: 243706131654541132675603386082219549825542813852030945546703580040720392481216493267961919792183534114282432569016953537439845062656119506552377922108310337401663381998172328780605819135691267665998060581913569126766599
denominator: 252554104938731843322256481149588169466089882119361302356118555676359078896631844387898015300688850221053371046957284699682594602061094908157361755043582026605092665059497028135722995068563272028493572299506856327202849
Finally, we should move from the computation, specification and verification of approximations of the trigonometric functions for small argument values in fix-point arithmetic to relatively large argument values in floating-point arithmetic. The computation of the trigonometric functions for large argument values may be reduced to small argument values either by using periodicity or (for example) Chebyshev polynomials, the trigonometric addition, double-angle and half-angle formulas. (Note that in the first case we need to compute approximate values of the constant π with high precision.)
We would like to finish the paper with the remark that the test-based approach from [12,13] may be used for an argument range larger than [-1,1]; automated testing against valid approximations computed using unbounded rational arithmetic may also help; for example, Table 1 presents a rational approximation of cos 50 computed as (my-cos 50) in unbounded rational arithmetic (this rational value is "equal" to the floating-point value 0.9649660286).
Please refer to our preprint [21] for further details.
References
[1] Apt K.R., de Boer F.S., Olderog E.-R. Verification of Sequential and Concurrent Programs. Springer-Verlag, 2009.
[2] C reference. https://en.cppreference.com/w/c. (Visited December 27, 2018.)
[3] C reference: cos, cosf, cosl. https://en.cppreference.com/w/c/numeric/math/cos. (Visited December 27, 2018.)
[4] C reference: Fundamental types. https://en.cppreference.com/w/cpp/language/types. (Visited December 27, 2018.)
[5] C reference: sin, sinf, sinl. https://en.cppreference.com/w/c/numeric/math/sin. (Visited December 27, 2018.)
[6] Dorn W.S., McCracken D.D. Numerical Methods with Fortran IV Case Studies. John Wiley & Sons, 1972.
[7] Gries D. The Science of Programming. Springer-Verlag, 1981.
[8] Grohoski G. Verifying Oracle's SPARC Processors with ACL2. Slides of the invited talk for the 14th International Workshop on the ACL2 Theorem Prover and Its Applications. http://www.cs.utexas.edu/users/moore/acl2/workshop-2017/slides-accepted/grohoski-ACL2_talk.pdf. (Visited December 27, 2018.)
[9] Harrison J. Formal Verification of Floating Point Trigonometric Functions. Lecture Notes in Computer Science. 2000. Vol. 1954. P.217-233.
[10] Hoare C.A.R. The Verifying Compiler: A Grand Challenge for Computing Research. Lecture Notes in Computer Science. 2003. Vol. 2890. P. 1-12.
[11] Holzmann G.J. Mars Code. Commun. ACM, 2014, Vol. 57(2), p. 64-73.
[12] Kuliamin V. Standardization and Testing of Mathematical Functions. Programming and Computer Software. 2007. Vol. 33(3). P. 154-173.
[13] Kuliamin V.V. Standardization and Testing of Mathematical Functions in Floating Point Numbers. Lecture Notes in Computer Science. 2010. Vol. 5947. P. 257-268.
[14] Pi (number). Encyclopedia of Mathematics. http://www.encyclopediaofmath.org/index.php?title=Pi(number)&oldid=43586. (Visited December 27, 2018.)
[15] Radian. Encyclopedia of Mathematics. http://www.encyclopediaofmath.org/index.php?title=Radian&oldid=31576. (Visited December 27, 2018.)
[16] "Roskosmos" nazval prichinu neudachnogo zapuska s kosmodroma Vostochnyy (Roskosmos named the cause of the launch failure from the launch site "Vostochny"). https://www.rbc.ru/politics/12/12/2017/5a2ebcd59a79479d29667115. (In Russian. Visited December 27, 2018.)
[17] Shilov N.V. On the need to specify and verify standard functions. The Bulletin of the Novosibirsk Computing Center (Series: Computer Science), 2015, Vol. 38, p. 105-119.
[18] Shilov N.V., Promsky A.V. On specification and verification of standard mathematical functions. Humanities and Science University Journal, 2016, Vol. 19, p. 57-68.
[19] Shilov N.V., Anureev I.S., Berdyshev M., Kondratyev D., Promsky A.V. Towards platform-independent verification of the standard mathematical functions: the square root function. https://arxiv.org/abs/1801.00969 [arXiv:abs/1801.00969]. (Visited December 27, 2018.)
[20] Shilov N.V., Kondratyev D.A., Anureev I.S., Bodin E.V., Promsky A.V. Platform-independent Specification and Verification of the Standard Mathematical Square Root Function. Modeling and Analysis of Information Systems, 2018, Vol. 25(6), p. 637-666.
[21] Shilov N.V., Faifel B.L., Shilova S.O., Promsky A.V. Towards platform-independent verification of the standard trigonometry functions. https://arxiv.org/abs/1901.03414 [arXiv:abs/1901.03414]. (Visited April 27, 2019.)
[22] Trigonometric functions. V.I. Bityutskov (originator), Encyclopedia of Mathematics. http://www.encyclopediaofmath.org/index.php?title=Trigonometric_functions&oldid=14919. (Visited December 27, 2018.)
[23] Trigonometric functions: Computation. From Wikipedia, the free encyclopedia. https://en.wikipedia.org/wiki/Trigonometric_functions#Computation. (Visited December 27, 2018.)
[24] Weisstein E.W. Trigonometric Addition Formulas. From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/TrigonometricAdditionFormulas.html.
[25] Weisstein E.W. Double-Angle Formulas. From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/Double-AngleFormulas.html.
[26] Weisstein E.W. Half-Angle Formulas. From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/Half-AngleFormulas.html.
[27] Weisstein E.W. Leibniz Criterion. From MathWorld, A Wolfram Web Resource. http://mathworld.wolfram.com/LeibnizCriterion.html.
Shilov Nikolay Vyacheslavovich — PhD, Assistant Professor of Innopolis University;
e-mail: [email protected];
Anureev Igor Sergeevich — PhD., Senior Researcher of A.P. Ershov Institute of Informatics Systems SB RAS
e-mail: [email protected];
Bodin Evgeniy Viktorovich — Researcher of A.P. Ershov Institute of Informatics Systems SB RAS
e-mail: [email protected];
Kondratiev D. A. — PhD student of A.P. Ershov Institute of Informatics Systems SB RAS;
e-mail: [email protected];
Promsky Aleksey Vladimirovich — PhD., Science Secretary of A.P. Ershov Institute of Informatics Systems SB RAS;
e-mail: [email protected];
Shilova Svetlana Olegovna — Retired, from A.P. Ershov Institute of Informatics Systems SB RAS;
e-mail: [email protected];
Faifel Boris Leonidovich — PhD, Assistant Professor of Yu. Gagarin State Technical University of Saratov;
e-mail: [email protected].
Received — June 1, 2019