Robustness analysis of finite precision implementations 1cm Eric

Robustness analysis of finite precision implementations 1cm Eric

Robustness analysis of finite precision
implementations
Eric Goubault and Sylvie Putot
LMeASI, CEA LIST | Réunion CAFEIN, 29-30 octobre 2013
Motivations
Context: automatic validation of numerical programs
Infer invariant properties both in floating-point and real number semantics
Abstract interpretation based static analysis (affine arithmetic/zonotopes)
Validate finite precision implementations: prove the program computes
something close to expected (in real numbers)
Bound and propagate rounding errors: accuracy of computations
Behaviour of the program (control flow, number of iterations)
Implemented in our abstract interpreter FLUCTUAT
A difficulty in error analysis: unstable tests
When finite precision and real control flows are potentially different
If discontinuity of treatment between branches, error analysis is unsound
When considering sets of executions, most tests are potentially unstable
We propose here to compute discontinuity errors in unstable tests
Makes our error analysis sound in presence of unstable tests
Provides a robustness analysis
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 2
Linked to program robustness & continuity analysis
Can small uncertainty on inputs cause only small perturbations on the outputs
(with different execution paths): notions classical for control systems but not
so much for software implementations.
Some recent work in critical embedded sofware:
Some real cases (cf NASA engineer Bushnell’s pres. at NSV 2011 on the
F22 raptor crossing int. date line in 2007)
Continuity in Software Systems [Hamlet 2002]
Continuity analysis and robustness of programs [Chaudhuri, Gulwani,
Lublineramn 2010-2012]
Robust software synthesis, Symbolic robustness analysis, etc [Majumdar,
Render, Tabuada, Saha, 2009-2012]
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 3
A typical example of unstable tests: affine interpolators
All tests are unstable, but the implementation is robust, the conditional block
does not introduce a discontinuity
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 4
But discontinuities also actually occur (sqrt approx.)
#d e f i n e s q r t 2 1 . 4 1 4 2 1 3 5 3 8 1 6 9 8 6 0 8 3 9 8 4 3 7 5 0
d o u b l e x , y ; x = DREAL WITH ERROR ( 1 , 2 , 0 , 0 . 0 0 1 ) ;
i f ( x >2)
y = s q r t 2 ∗(1+( x /2 −1)∗(.5 −0.125∗( x / 2 − 1 ) ) ) ;
else
y = 1+(x −1)∗(.5+( x −1)∗( −.125+( x − 1 ) ∗ . 0 6 2 5 ) ) ;
Without unstable test analysis, unsound results in Fluctuat:
An unstable test is signalled at the if statement
y has real value in [1,1.4531] with an error in [-0.0005312,0.00008592]
Unstable test: consider for instance r x = 2 and f x = 2 + 0.001
execution in reals (r x = 2) takes the else branch: r y = 1.4375,
execution in floats (f x = 2 + 0.001) takes the then branch: f y = 1.4145...
The test introduces a discontinuity f y − r y = −0.023 around the test
condition (x == 2): larger than the error bounds
want to consider discontinuity as a new error term; accurate abstraction ?
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 5
With unstable test analysis
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 6
Outline of the talk
Abstraction of real and finite precision computations in FLUCTUAT
Affine arithmetic and zonotopes
Extension to the analysis of finite precision implementations
Test interpretation, unstable test / robustness analysis
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 7
Affine Arithmetic (Comba & Stolfi 93)
Affine forms
Affine form for variable x:
x̂ = x0 + x1 ε1 + . . . + xn εn , xi ∈ R
where the εi are symbolic variables (noise symbols), with value in [−1, 1].
Sharing εi between variables expresses implicit dependency
Interval concretization of affine form x̂:
"
x0 −
n
X
|xi |, x0 +
i=0
n
X
#
|xi |
i=0
Geometric concretization as zonotopes in Rp
15 y
x̂
=
20 −4ε1
ŷ
=
10 −2ε1 +ε2
+2ε3 +3ε4
10
−ε4
5
10
15
20
25
x
30
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 8
Affine arithmetic
Assignment x := [a, b] introduces a noise symbol:
x̂ =
(b − a)
(a + b)
+
εi .
2
2
Addition/subtraction are exact:
x̂ + ŷ = (x0 + y0 ) + (x1 + y1 )ε1 + . . . + (xn + yn )εn
Non linear operations : approximate linear form, new noise term bounding
the approximation error
Close to Taylor models of low degree (large ranges for static analysis)
CEA | Réunion CAFEIN, 29-30 octobre 2013 | p. 9
Test interpretation
Main idea to interpret test, informally
Affine forms are unchanged, translate the condition on noise symbols
Equality tests are interpreted by the substitution of one noise symbol of
the constraint
Example
real x = [0 ,10];
r e a l y = 2∗ x ;
i f ( y >= 1 0 )
y = x;
Affine forms before tests: x = 5 + 5ε1 , y = 10 + 10ε1
In the if branch ε1 ≥ 0: condition acts on both x and y
Functional interpretation
The test condition leads to a condition on the noise symbols εi , that can be
interpreted as a restriction to the set of inputs that can lead to an execution
satisfying the test condition.
CEA
2013 | p. 10
|
Réunion
CAFEIN,
29-30
octobre
Component-wise upper bound
x̂ = 3 + ε1 + 2ε2
û = 0 + ε1 + ε2
ŷ = 1 − 2ε1 + ε2
x̂ ∪ ŷ
∪
=
û = 0 + ε1 + ε2
û
=
=
2 + ε2 + 3η1
0 + ε1 + ε2
û
x̂, ŷ
Construction (cost O(n × p))
Keep “minimal common dependencies”
zi = argmin
|r |, ∀i ≥ 1
xi ∧yi ≤r ≤xi ∨yi
CEA
2013 | p. 11
|
Réunion
CAFEIN,
29-30
octobre
Component-wise upper bound
x̂ = 3 + ε1 + 2ε2
û = 0 + ε1 + ε2
ŷ = 1 − 2ε1 + ε2
x̂ ∪ ŷ
∪
=
û = 0 + ε1 + ε2
û
=
=
2 + ε2 + 3η1
0 + ε1 + ε2
û
x̂, ŷ
x̂ ∪ŷ
Construction (cost O(n × p))
Keep “minimal common dependencies”
zi = argmin
|r |, ∀i ≥ 1
xi ∧yi ≤r ≤xi ∨yi
For each dimension, concretization is the interval union of the
concretizations: γ(x̂ ∪ ŷ ) = γ(x̂) ∪ γ(ŷ )
CEA
2013 | p. 11
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 12
FLUCTUAT: concrete semantics for finite precision analysis
Aim: compute rounding errors and their propagation
we need the real and floating-point values
for each variable, we compute (f x , r x , e x )
then we will abstract each term (real value and errors)
float x ,y , z ;
x = 0 . 1 ; //
y = 0 . 5 ; //
z = x+y ; //
t = x ∗ z ; //
[1]
[2]
[3]
[4]
fx
=
0.1 + 1.49e −9 [1]
f
y
=
0.5
f
z
=
0.6 + 1.49e −9 [1] + 2.23e −8 [3]
f
t
=
0.06 + 1.04e −9 [1] + 2.23e −9 [3] − 8.94e −10 [4] − 3.55e −17 [ho]
CEA
|
Réunion
CAFEIN,
29-30
octobre
Example (Fluctuat)
CEA
2013 | p. 13
|
Réunion
CAFEIN,
29-30
octobre
Abstract domain in Fluctuat
Abstract value at each control point c
For each variable, affine forms for real value and error:
fx
=
(αx0 +
M
αxi εri ) +(
i
|
+
{z
real value
}
e0x
+
|{z}
center of the error
M
mix
εri
M
elx εel
l
| {z }
uncertainty on error due to point
l
)
i
| {z }
propag of uncertainty on value at pt
i
Constraints on noise symbols coming from interpretation of test condition
x
r
εr ∈ ΦX
r for real control flow (test on the r : constraints on the εi )
x = r x + ex :
(εr , εe ) ∈ ΦX
for
finite
precision
control
flow
(test
on
the
f
f
constraints on the εri and εel )
Unstable test condition = intersection of constraints εr ∈ ΦXr u ΦYf :
unstable test: for a same execution (same values of the noise symbols εi )
the control flow is different
restricts the range of the εi : allows us to bound accurately the
discontinuity error
CEA | Réunion CAFEIN, 29-30
2013 | p. 14
octobre
Formally, sound abstraction (with discontinuity errors)
Abstract value
An abstract value X , for a program with p variables x1 , . . . , xp , is a tuple
X = (R X , E X , D X , ΦXr , ΦXf ) composed of the following affine sets and
constraints, for all k = 1, . . . , p:
P

X
X
R X : r̂kX = r0,k
+ Pni=1 ri,k
εri
where εr ∈ ΦXr


 E X : ê X = e X + n e X εr + Pm e X
e
where (εr , εe ) ∈ ΦXf
k
0,k
i,k i
j=1 n+j,k εj
Pi=1
o
X
X
X
X
d

D : d̂k = d0,k + i=1 di,k εi


fˆkX = r̂kX + êkX
where (εr , εe ) ∈ ΦXf
E X is the propagated rounding error, D X the propagated discontinuity error
New discontinuity errors computed when joining branches of a possibly
unstable test
Z = X t Y is Z = (R Z , E Z , D Z , ΦXr ∪ ΦYr , ΦXf ∪ ΦYf ) such that

Z
Z
Z
X
X
X
Y
Y
Y
 (R , Φr ∪ Φf ) = (R , Φr ∪ Φf ) t (R , Φr ∪ Φf )
Z
Z
X
X
Y
Y
(E , Φf ) = (E , Φf ) t (E , Φf )
 Z
D = D X t D Y t (R X − R Y , ΦXf u ΦYr ) t (R Y − R X , ΦYf u ΦXr )
CEA
2013 | p. 15
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
x
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
else
y = x; // [3]
// [4]
x
x
At cpt 1: r̂[1]
= 2 + εr1 ; ê[1]
=u
5
4
x
fˆ[1]
3
x
r̂[1]
2
1
0
-1
εr1
0
1
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
else
y = x; // [3]
// [4]
x
x
r̂[1]
= 2 + εr1 ; ê[1]
=u
5
4
3
2
1
εr1
0
-1
0
[2]
Φr : εr1 ≤ 0
1
[3]
Φr : εr1 > 0
Test x ≤ 2, real flow:
[2]
x
Φr : r̂[1]
= 2 + εr1 ≤ 2
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
3
else
y = x; // [3]
// [4]
2
1
εr1
0
-1
x
x
r̂[1]
= 2 + εr1 ; ê[1]
=u
0
[2]
Φr : εr1 ≤ 0
1
[3]
Φr : εr1 > 0
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
y
r̂[2]
3
else
y = x; // [3]
// [4]
y
r̂[3]
2
1
εr1
0
-1
x
x
r̂[1]
= 2 + εr1 ; ê[1]
=u
−u 0
[2]
Φr : εr1 ≤ 0
[2]
y
= 4 + εr1 , Φr )
Real at [2]: (r̂[2]
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
[2]
Φf : εr1 ≤ −u
1
[3]
Φr : εr1 > 0
[3]
Φf : εr1 > −u
Test x ≤ 2, float flow:
[2]
x
x
Φf : r̂[1]
+ ê[1]
= 2 + εr1 + u ≤ 2
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
y
fˆ[2]
3
else
y = x; // [3]
// [4]
y
fˆ[3]
y
r̂[2]
y
r̂[3]
2
1
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
εr1
0
-1
−u 0
[2]
Φr : εr1 ≤ 0
[2]
Φf : εr1 ≤ −u
1
[3]
Φr : εr1 > 0
[3]
Φf : εr1 > −u
y
x
Error at [2]: ê[2]
= ê[1]
+ δεe2
y
x
Error at [3]: ê[3]
= ê[1]
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
y
fˆ[2]
else
y = x; // [3]
// [4]
y
fˆ[3]
y
r̂[2]
3
y
r̂[3]
2
1
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
εr1
0
-1
−u 0
[2]
Φr :
εr1
≤0
[2]
Φf : εr1 ≤ −u
y
Error at [2]: ê[2]
= u + δεe2
y
Error at [3]: ê[3] = u
[2]
1
[3]
Φr :
εr1
>0
[3]
Φf : εr1 > −u
[3]
Φr u Φf : −u < εr1 ≤ 0
Unstable test, first possibility:
[2]
[3]
Φr u Φf : −u < εr1 ≤ 0
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
y
fˆ[2]
else
y = x; // [3]
// [4]
y
fˆ[3]
y
r̂[2]
3
y
r̂[3]
2
1
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
εr1
0
-1
−u 0
[2]
Φr :
[2]
εr1
≤0
Φf : εr1 ≤ −u
1
[3]
Φr :
εr1
>0
[3]
Φf : εr1 > −u
y
Error at [2]: ê[2]
= u + δεe2
y
Error at [3]: ê[3] = u
Unstable test, second possibility:
[3]
[2]
Φr u Φf = ∅
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
4
y
fˆ[2]
else
y = x; // [3]
// [4]
y
fˆ[3]
y
r̂[2]
3
y
r̂[3]
2
1
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
εr1
0
-1
−u 0
[2]
Φr :
εr1
≤0
[2]
Φf : εr1 ≤ −u
y
Error at [2]: ê[2]
= u + δεe2
y
Error at [3]: ê[3] = u
[2]
1
[3]
Φr :
εr1
>0
[3]
Φf : εr1 > −u
[3]
Φr u Φf : −u < εr1 ≤ 0
[3]
[2]
[3]
[2]
y
y
y
y
y
y
y
y
Error at [4] :ê[2]
t ê[3]
t ( fˆ[3]
− r̂[2]
, Φf u Φr ) = ê[2]
t ê[3]
+ (r̂[3]
− r̂[2]
, Φf u Φr )
| {z }
y
y
y
r̂[3] +ê[3] −r̂[2]
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
5
y
fˆ[2]
4
else
y = x; // [3]
// [4]
y
fˆ[3]
y
r̂[2]
3
y
r̂[3]
2
1
[2]
y
Real at [2]: (r̂[2]
= 4 + εr1 , Φr )
[3]
y
Real at [3]: (r̂[3] = 2 + εr1 , Φr )
εr1
0
-1
−u 0
[2]
Φr :
εr1
≤0
[2]
Φf : εr1 ≤ −u
y
Error at [2]: ê[2]
= u + δεe2
y
Error at [3]: ê[3] = u
[2]
1
[3]
Φr :
εr1
>0
[3]
Φf : εr1 > −u
[3]
Φr u Φf : −u < εr1 ≤ 0
[3]
y
y
y
y
e
r
Error at [4] :ê[2]
t ê[3]
+ (r̂[3]
− r̂[2]
, Φf u Φ[2]
r ) = u + δε2 − 2χ[−u,0] (ε1 )
| {z } |
{z
}
y
ê[4]
y
d̂[4]
CEA
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 16
Example: sound unstable test analysis
y
x := [1,3] + u; // [1]
if (x ≤ 2)
y = x+2; // [2]
else
y = x; // [3]
// [4]
5
y
fˆ[2]
4
y
fˆ[3]
y
r̂[2]
3
y
r̂[3]
2
1
0
-1
εr1
−u 0
1
[3]
y
y
y
y
e
r
Error at [4] :ê[2]
t ê[3]
+ (r̂[3]
− r̂[2]
, Φf u Φ[2]
r ) = u + δε2 + −2χ[−u,0] (ε1 )
} |
{z
}
| {z } |
{z
} | {z
y
y
ê[4]
y
d̂[4]
y
ê[4]
d̂[4]
y
Real value r̂[4]
= 3 + εr4 ∈ [2, 4]
y
y
y
Float value fˆ[4]
= r̂[4]
+ ê[4]
= 3 + εr4 + u + δεe2 ∈ [2 + u − δ, 4 + u + δ]
CEA
|
Réunion
CAFEIN,
29-30
octobre
Back to the definitions
Abstract value
An abstract value X , for a program with p variables x1 , . . . , xp , is a tuple
X = (R X , E X , D X , ΦXr , ΦXf ) composed of the following affine sets and
constraints, for all k = 1, . . . , p:
P

X
X
R X : r̂kX = r0,k
+ Pni=1 ri,k
εri
where εr ∈ ΦXr


 E X : ê X = e X + n e X εr + Pm e X
e
where (εr , εe ) ∈ ΦXf
k
0,k
i,k i
j=1 n+j,k εj
Pi=1
o
X
X
X
X
d

D : d̂k = d0,k + i=1 di,k εi


fˆkX = r̂kX + êkX
where (εr , εe ) ∈ ΦXf
E X is the propagated rounding error, D X the propagated discontinuity error
New discontinuity errors computed when joining branches of a possibly
unstable test
Z = X t Y is Z = (R Z , E Z , D Z , ΦXr ∪ ΦYr , ΦXf ∪ ΦYf ) such that

Z
Z
Z
X
X
X
Y
Y
Y
 (R , Φr ∪ Φf ) = (R , Φr ∪ Φf ) t (R , Φr ∪ Φf )
Z
Z
X
X
Y
Y
(E , Φf ) = (E , Φf ) t (E , Φf )
 Z
D = D X t D Y t (R X − R Y , ΦXf u ΦYr ) t (R Y − R X , ΦYf u ΦXr )
CEA
2013 | p. 17
|
Réunion
CAFEIN,
29-30
octobre
Householder algorithm for square root
CEA
2013 | p. 18
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 19
Conclusion
Tractable discontinuity analysis implemented in FLUCTUAT (making it
sound even when tests are unstable)
More applications, in particular to robustness analysis in control
Potential links with constraint-based approaches to the verification of
finite-precision implementations such as, e. g.
O. Ponsini, C. Michel, M. Rueher: Refining Abstract Interpretation Based
Value Analysis with Constraint Programming Techniques. CP 2012
CEA
|
Réunion
CAFEIN,
29-30
octobre
Link to “classical” robustness/discontinuity analysis
The discontinuity terms do not exactly correspond to a simple (dis)continuity
analysis on the test conditions (though it was the case on the previous example)
Example of a simple piecewise continuous function
float x , y;
x = FREAL WITH ERROR ( 0 , 1 , 0 . 2 , 0 . 2 ) ;
i f ( x <= 1 )
y = x; [2]
else
y = 2 − x; [3]
// r ˆ x =0.5+0.5 e p s 1
“Classical” discontinuity analysis for the frontier r x = 1 of Φr yields zero
y
y
=1
discontinuity: r[2]
= r[3]
[2]
[3]
Total error would be (e [2] , Φf ) t (e [3] , Φf ) = 0.2 t −0.2
y
Example: r = 0.9, e = 0.2, f = r + e x = 1.1: r[2]
= 0.9,
y
y
y
f[3] = 2 − 1.1 = 0.9, the error is f[3] − r[2] = 0.
x
[3]
x
x
x
[2]
y
y
(r[3]
−r[2]
, Φf uΦr ) = ((2−r x )−r x , 0.6 < εr1 ) = (1−εr1 , 0.6 < εr1 ) ∈ [0, 0.4]
CEA
2013 | p. 20
|
Réunion
CAFEIN,
29-30
octobre
Second example (unstable test, but no actual discontinuity)
x := [ − 1 , 1 ] + e r r e u r u l p ; [ 1 ]
y := [ − 1 , 1 ] + e r r e u r u l p ; [ 2 ]
if (x < y)
t = y − x;
// [ 4 ]
else
t = x − y;
// [ 5 ]
First discontinuity error:
real takes then branch: εr1 < εr2
float takes if branch: εr1 + uεe1 ≥ εr2 + uεe2 (where u = ulp(1))
intersection (unstable test), computed in intervals
using additional slack variable η1t = εr1 − εr2 , which will appear both in the
constraints on real and floats (more generally, if we are interested in the test
exp1 op exp2, we will associate a slack variable to exp1-exp2).
we then get −2u < εr1 − εr2 < 0 and εe2 ≤ εe1
t
t
and thus f[5]
− r[4]
= 2(εr1 − εr2 ) + u(εe1 − εe2 ) + 5uεe5 ∈ [−7u, 7u].
The other discontinuity error is symmetric.
CEA
2013 | p. 21
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 22
Third example: linearization near the test condition
y
7
x := [1,3] + 2.5e-6; // [1]
6
x = 2 + εr + 2.5e −6 */
/* f[1]
1
5
if (x ≤ 2)
4
y = x*x; // [2]
3
else
y = x*x; // [3]
2
1
0
-1
εr1
0
1
CEA
|
Réunion
CAFEIN,
29-30
octobre
Third example: linearization near the test condition
y
7
x := [1,3] + 2.5e-6; // [1]
6
x = 2 + εr + 2.5e −6 */
/* f[1]
1
5
if (x ≤ 2)
4
y = x*x; // [2]
3
else
y = x*x; // [3]
2
1
εr1
0
-1
[2]: εr1 ≤ 0
Φf : εr1 for float value control flow
[2]: εr1 ≤ −2.5e −6
CEA
2013 | p. 22
1
0
Φr : εr1 for real value control flow
|
Réunion
CAFEIN,
29-30
octobre
Third example: linearization near the test condition
y
7
x := [1,3] + 2.5e-6; // [1]
6
x = 2 + εr + 2.5e −6 */
/* f[1]
1
5
if (x ≤ 2)
4
y = x*x; // [2]
3
else
y = x*x; // [3]
2
1
εr1
0
-1
1
0
Φr : εr1 for real value control flow
[2]: εr1 ≤ 0
[3]: εr1 > 0
Φf : εr1 for float value control flow
[2]: εr1 ≤ −2.5e −6
[3]: εr1 > −2.5e −6
CEA
2013 | p. 22
|
Réunion
CAFEIN,
29-30
octobre
Third example: linearization near the test condition
y
7
x := [1,3] + 2.5e-6; // [1]
6
x = 2 + εr + 2.5e −6 */
/* f[1]
1
5
if (x ≤ 2)
4
y = x*x; // [2]
3
else
y = x*x; // [3]
2
y
f[3]
y
r[2]
1
εr1
0
-1
Φr : εr1 for real value control flow
0
1
[2]: εr1 ≤ 0
Φf : εr1 for float value control flow
[3]: εr1 > −2.5e −6
Φr ∩ Φf : εr1 for unstable test
−2.5e −6 < εr1 ≤ 0
CEA
2013 | p. 22
|
Réunion
CAFEIN,
29-30
octobre
Third example
x := [ 1 , 3 ] + 2 . 5 e −6;
i f ( x <= 2 )
y = x ˆ2;
else
y = x ˆ2;
// [ 1 ]
// [ 2 ]
// [ 3 ]
Unstable test constraint −2.5e −6 < εr1 ≤ 0:
x = 2 + εr , εr ≤ 0
the real number takes the then branch: r[2]
1
1
x = 2 + εr + 2.5e − 6, εr > −2.5e −6
the float takes the else branch f[3]
1
1
interpretation of x 2 involves linearization: new noise symbols η1 and η2
Unstable test error
y
y
f[3]
−r[2]
= δ +e −5 +6.25e −12 +(2+5e −6 )εr1 +(0.125+δ)η2 −0.125η1 +uεe3 (1)
No actual discontinuity around the condition, but the non-linearity
introduced some loss of accuracy in the analysis: bounds for (1) under
constraint −2.5e −6 < εr1 ≤ 0 yield
x
x
−0.25 + δ1 ≤ f[3]
− r[2]
≤ 0.25 + δ2
Need correlation between εr1 and η1 near the boundaries (around εr1 = 0)
CEA
2013 | p. 23
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 24
Real-number execution (then branch)
Linearization control point [2]:
y
r[2]
= (1.5+(ε1 +0.5))2 = 2.25+3(ε1 +0.5)+(ε1 + 0.5)2 = 3.875+3ε1 +0.125η1
| {z }
∈[0,0.25]
with η1 = 8(ε1 + 0.5)2 − 1.
Use of generalized mean value theorem (like in interval affine forms from
SAS’07) around the real value test boundary ε1 = 0, for ε1 ∈ [−0.25, 0]:
ηˆ1 (ε1 ) = η1 (0) + ∆ε1
where ∆ bounds the derivative η10 (ε1 ) in the range [−0.25, 0]. We get
ηˆ1
=
=
1 + 16([−0.25, 0] + 0.5)ε1
1 + [4, 8]ε1 ,
which we can also write
1 + 8ε1 ≤ η1 ≤ 1 + 4ε1
y
Same kind of linearization for η2 introduced in f[3]
in the else branch
CEA
|
Réunion
CAFEIN,
29-30
octobre
y
near the test condition
Linearization of r[2]
y
5
4
εr1
3
-0.25
0
0.25
Classical abstraction:
y
r[2]
= 3.875 + 3ε1 + 0.125η1 , ε1 ≤ 0
Linearization of new symbol near the test condition (ε1 ∈ [−0.25, 0]): using
1 + 8ε1 ≤ η1 ≤ 1 + 4ε1 we have
y
4 + 4ε1 ≤ r[2]
≤ 4 + 3.5ε1 (ε1 ∈ [−0.25, 0])
CEA
2013 | p. 25
|
Réunion
CAFEIN,
29-30
octobre
2013 | p. 26
Discontinuity error
Now,
y
y
f[3]
− r[2]
= δ + e −5 + 6.25e −12 + (2 + 5e −6 )εr1 + (0.125 + δ)η2 − 0.125η1 + uεe3
with

−6
r
 −2.5e < ε1 ≤ 0
1 + 8ε1 ≤ η1 ≤ 1 + 4ε1
 0.125−δ−(1+5e −6 )ε1
≤ η2 ≤
0.125+δ
0.125−δ−0.5ε1
0.125+δ
gives:
y
y
f[3]
− r[2]
= e −5 + 6.25e −12 + uεe3 + [0, (1 + 5e −6 )εr1 ]
Very tight estimate! (actual gap because of the 2.5e −6 error on the input)
The decomposition in error in the else branch and discontinuity error can
y
y
y
be obtained by the decomposition f[3]
= r[3]
+ e[3]
.
CEA
|
Réunion
CAFEIN,
29-30
octobre
Commissariat Ãă lâĂŹÃl’nergie atomique et aux Ãl’nergies alternatives
Institut Carnot CEA LIST
Centre de Saclay | 91191 Gif-sur-Yvette Cedex
T. +33 (0)1 69 08 XX XX| F. +33 (0)1 69 08 YY YY
Etablissement public Ãă caractÃĺre industriel et commercial | RCS Paris B 775 685 019
Direction
DÃl’partement
Laboratoire