Document Open Access Logo

Taming Floating-Point Rounding Errors with Proofs (Invited Talk)

Author Laura Titolo

PDF HTML 5

Files

Thumbnail PDF
PDF
LIPIcs.ITP.2025.41.pdf
  • Filesize: 411 kB
  • 3 pages
HTML5 Logo HTML (experimental)
LIPIcs.ITP.2025.41.html

Document Identifiers

Subject Classification

ACM Subject Classification
  • Software and its engineering → Formal methods
Keywords
  • Floating point arithmetic
  • avionics

Metrics

Abstract

Developing floating-point software poses significant challenges due to round-off errors inherent in computer arithmetic. These errors can accumulate over the course of numerical computations, significantly affecting the evaluation of both arithmetic and Boolean expressions. Reasoning about floating-point computations is especially important in safety-critical systems, where discrepancies between ideal real-number calculations and their finite-precision implementations can lead to catastrophic consequences.
This talk provides an overview of the application of theorem proving to the formal verification of NASA’s safety-critical avionics software that relies on finite-precision arithmetic. Key applications include geofencing, detect-and-avoid algorithms, and aircraft positioning systems. In particular, the talk highlights how theorem proving has been effectively integrated with static analysis and global optimization tools to develop new toolchains that improve the reliability of floating-point programs and provide formal guarantees of their correctness.
The talk begins with the formal verification of the ADS-B Compact Position Reporting (CPR) algorithm. The Automatic Dependent Surveillance–Broadcast (ADS-B) protocol [RTCA SC-186, 2009] is a fundamental component of the next generation of air transportation systems, providing direct exchange of precise aircraft state information. The use of ADS-B has been mandatory since 2020 for most commercial aircraft in the U.S. [Code of Federal Regulations, 2015] and Europe [European Commission, 2017]. Currently, about 100,000 general aviation aircraft are equipped with ADS-B. The CPR algorithm is responsible for encoding and decoding aircraft positions in ADS-B messages. Unfortunately, pilots and manufacturers have reported errors in the positions obtained using the CPR algorithm.
In [Dutle et al., 2017], it was formally proven that the original operational requirements of the CPR algorithm were insufficient to guarantee the intended precision, even when assuming computations are performed with exact arithmetic. Therefore, the ideal real-number implementation of CPR has been formally proven correct under a slightly tightened set of requirements. Nevertheless, even under these more restrictive requirements, a straightforward floating-point implementation of the CPR algorithm may still be unsound and produce incorrect results due to round-off errors.
An alternative implementation of the CPR algorithm is presented in [Titolo et al., 2018]. This version includes simplifications that reduce the numerical complexity of the expressions compared to the original version. The double-precision floating-point implementation of this improved version is proven correct using a combination of formal methods tools: the static analyzer Frama-C [Kirchner et al., 2015], the interactive theorem prover PVS [Owre et al., 1992], and Gappa [de Dinechin et al., 2011], a tool for formally verifying properties of numerical programs.
While successful, the proposed verification approach is not fully automatic and it requires a certain level of expertise. A background in floating-point arithmetic and a deep understanding of the features of each tool is essential for completing the verification. In order to automatize this approach, the PRECiSA static analyzer and the ReFlow code extractor were developed.
PRECiSA [Moscato et al., 2017; Titolo et al., 2018; Titolo et al., 2024] is a static analyzer for floating-point programs. It bounds the round-off errors that may occur and produces externally checkable certificates. PRECiSA uses static analysis by abstract interpretation to approximate the collecting semantics of the program and compute symbolic round-off error expressions that model the error along each program trace. The global optimizer Kodiak [Smith et al., 2015] is used to evaluate these symbolic expressions, producing sound numerical enclosures. PRECiSA generates proof certificates that ensure the correctness of both the symbolic and numerical round-off error estimations. It relies on the higher-order logic interactive theorem prover PVS [Owre et al., 1992], the floating-point formalization originally presented in [Boldo and Muñoz, 2006] and extended in [Moscato et al., 2017], as well as the formalization of Kodiak’s branch-and-bound algorithm [Narkawicz and Muñoz, 2013].
ReFlow [Titolo et al., 2020] is a C code extractor that produces a formally verified floating-point C implementation from a PVS real-number specification. It instruments the code to emit a warning when the floating-point control flow may diverge from the real-number specification due to unstable conditionals, and it automatically generates ACSL [Baudin et al., 2016] annotations that express the relationship between the floating-point implementation and its real-number counterpart.
ReFlow is integrated with the Frama-C analyzer and the PVS theorem prover to provide a fully automatic toolchain for generating and verifying floating-point C code from a PVS real-number specification. In particular, the code generated by ReFlow is used as input to Frama-C, which produces a set of verification conditions in the PVS specification language. Although PVS is an interactive theorem prover, these verification conditions are automatically discharged by ad hoc strategies. As a result, users do not need expertise in theorem proving or floating-point arithmetic to verify the correctness of the generated C program. This verification toolchain has been used to generate C implementations from two formal developments by NASA: the winding number point-in-polygon algorithm used for geofencing applications [Moscato et al., 2019], and a fragment of the DAIDALUS [Muñoz et al., 2015] software library [Bernardes et al., 2023].
The talk concludes by outlining future challenges in verifying floating-point code, focusing on LLM-generated code and quantized neural networks, which are especially vulnerable to rounding errors.

Cite As Get BibTex

Laura Titolo. Taming Floating-Point Rounding Errors with Proofs (Invited Talk). In 16th International Conference on Interactive Theorem Proving (ITP 2025). Leibniz International Proceedings in Informatics (LIPIcs), Volume 352, pp. 41:1-41:3, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025) https://doi.org/10.4230/LIPIcs.ITP.2025.41

Author Details

Laura Titolo
  • Code Metal, Boston, MA, USA

References

  1. P. Baudin, P. Cuoq, J. C. Filliâtre, C. Marché, B. Monate, Y. Moy, and V. Prevosto. ACSL: ANSI/ISO C Specification Language, version 1.12, 2016. Google Scholar
  2. N. Bernardes, M. Moscato, L. Titolo, and M. Ayala-Rincón. A provably correct floating-point implementation of well clear avionics concepts. In Formal Methods in Computer-Aided Design (FMCAD 2023), pages 237-246. IEEE, 2023. URL: https://doi.org/10.34727/2023/ISBN.978-3-85448-060-0_32.
  3. S. Boldo and C. Muñoz. A high-level formalization of floating-point numbers in PVS. Technical Report CR-2006-214298, NASA, 2006. Google Scholar
  4. Code of Federal Regulations. Automatic Dependent Surveillance-Broadcast (ADS-B) Out, 91 c.f.r., section 225, 2015. Google Scholar
  5. F. de Dinechin, C. Lauter, and G. Melquiond. Certifying the floating-point implementation of an elementary function using Gappa. IEEE Trans. on Computers, 60(2):242-253, 2011. URL: https://doi.org/10.1109/TC.2010.128.
  6. A. Dutle, M. Moscato, L. Titolo, and C. Muñoz. A formal analysis of the compact position reporting algorithm. 9th Working Conference on Verified Software: Theories, Tools, and Experiments, VSTTE 2017, Revised Selected Papers, 10712:19-34, 2017. URL: https://doi.org/10.1007/978-3-319-72308-2_2.
  7. European Commission. Commission Implementing Regulation (EU) 2017/386 of 6 march 2017 amending Implementing Regulation (EU) No 1207/2011, C/2017/1426, 2017. Google Scholar
  8. F. Kirchner, N. Kosmatov, V. Prevosto, J. Signoles, and B. Yakobowski. Frama-C: A software analysis perspective. Formal Aspects of Computing, 27(3):573-609, 2015. URL: https://doi.org/10.1007/S00165-014-0326-7.
  9. M. Moscato, L. Titolo, A. Dutle, and C. Muñoz. Automatic estimation of verified floating-point round-off errors via static analysis. In Proceedings of the 36th International Conference on Computer Safety, Reliablilty, and Security, SAFECOMP 2017. Springer, 2017. Google Scholar
  10. M. Moscato, L. Titolo, M. Feliú, and C. Muñoz. Provably correct floating-point implementation of a point-in-polygon algorithm. In Proceedings of the 23nd International Symposium on Formal Methods (FM 2019), volume 11800 of Lecture Notes in Computer Science, pages 21-37. Springer, 2019. URL: https://doi.org/10.1007/978-3-030-30942-8_3.
  11. C. Muñoz, A. Narkawicz, G. Hagen, J. Upchurch, A. Dutle, and M. Consiglio. DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems. In Proceedings of the 34th Digital Avionics Systems Conference (DASC 2015), Prague, Czech Republic, September 2015. Google Scholar
  12. A. Narkawicz and C. Muñoz. A formally verified generic branching algorithm for global optimization. In Proceedings of the 5th International Conference on Verified Software: Theories, Tools, Experiments (VSTTE)., pages 326-343. Springer, 2013. URL: https://doi.org/10.1007/978-3-642-54108-7_17.
  13. S. Owre, J. Rushby, and N. Shankar. PVS: A prototype verification system. In Proceedings of the 11th International Conference on Automated Deduction (CADE), pages 748-752. Springer, 1992. URL: https://doi.org/10.1007/3-540-55602-8_217.
  14. RTCA SC-186. Minimum Operational Performance Standards for 1090 MHz extended squitter Automatic Dependent Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B), 2009. Google Scholar
  15. A. P. Smith, C. Muñoz, A. J. Narkawicz, and M. Markevicius. A rigorous generic branch and bound solver for nonlinear problems. In Proceedings of the 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015, pages 71-78, 2015. Google Scholar
  16. L. Titolo, M. Feliú, M. Moscato, and C. Muñoz. An abstract interpretation framework for the round-off error analysis of floating-point programs. In Proceedings of the 19th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pages 516-537. Springer, 2018. URL: https://doi.org/10.1007/978-3-319-73721-8_24.
  17. L. Titolo, M. Moscato, M. Feliú, P. Masci, and C. Muñoz. Rigorous floating-point round-off error analysis in precisa 4.0. In 26th International Symposium on Formal Method (FM 2024), volume 14934 of Lecture Notes in Computer Science, pages 20-38. Springer, 2024. URL: https://doi.org/10.1007/978-3-031-71177-0_2.
  18. L. Titolo, M. Moscato, M. Feliú, and C. Muñoz. Automatic generation of guard-stable floating-point code. In Proceedings of the 16th International Conference on Integrated Formal Methods (IFM 2020), volume 12546 of Lecture Notes in Computer Science, pages 141-159. Springer, 2020. URL: https://doi.org/10.1007/978-3-030-63461-2_8.
  19. L. Titolo, M. Moscato, C. Muñoz, A. Dutle, and F. Bobot. A formally verified floating-point implementation of the compact position reporting algorithm. In Proceedings of the 22nd International Symposium on Formal Methods (FM 2018), volume 10951 of Lecture Notes in Computer Science, pages 364-381. Springer, 2018. URL: https://doi.org/10.1007/978-3-319-95582-7_22.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact