Taming Floating-Point Rounding Errors with Proofs (Invited Talk)

Titolo, Laura

doi:10.4230/LIPIcs.ITP.2025.41

Taming Floating-Point Rounding Errors with Proofs

Laura Titolo

Code Metal, Boston, MA, USA

Abstract

Developing floating-point software poses significant challenges due to round-off errors inherent in computer arithmetic. These errors can accumulate over the course of numerical computations, significantly affecting the evaluation of both arithmetic and Boolean expressions. Reasoning about floating-point computations is especially important in safety-critical systems, where discrepancies between ideal real-number calculations and their finite-precision implementations can lead to catastrophic consequences.

This talk provides an overview of the application of theorem proving to the formal verification of NASA’s safety-critical avionics software that relies on finite-precision arithmetic. Key applications include geofencing, detect-and-avoid algorithms, and aircraft positioning systems. In particular, the talk highlights how theorem proving has been effectively integrated with static analysis and global optimization tools to develop new toolchains that improve the reliability of floating-point programs and provide formal guarantees of their correctness.

The talk begins with the formal verification of the ADS-B Compact Position Reporting (CPR) algorithm. The Automatic Dependent Surveillance–Broadcast (ADS-B) protocol [14] is a fundamental component of the next generation of air transportation systems, providing direct exchange of precise aircraft state information. The use of ADS-B has been mandatory since 2020 for most commercial aircraft in the U.S. [4] and Europe [7]. Currently, about 100,000 general aviation aircraft are equipped with ADS-B.¹¹1https://generalaviationnews.com/2020/06/13/ads-b-installations-continue-even-in-midst-of-pandemic/ The CPR algorithm is responsible for encoding and decoding aircraft positions in ADS-B messages. Unfortunately, pilots and manufacturers have reported errors in the positions obtained using the CPR algorithm.

In [6], it was formally proven that the original operational requirements of the CPR algorithm were insufficient to guarantee the intended precision, even when assuming computations are performed with exact arithmetic. Therefore, the ideal real-number implementation of CPR has been formally proven correct under a slightly tightened set of requirements. Nevertheless, even under these more restrictive requirements, a straightforward floating-point implementation of the CPR algorithm may still be unsound and produce incorrect results due to round-off errors.

An alternative implementation of the CPR algorithm is presented in [19]. This version includes simplifications that reduce the numerical complexity of the expressions compared to the original version. The double-precision floating-point implementation of this improved version is proven correct using a combination of formal methods tools: the static analyzer Frama-C [8], the interactive theorem prover PVS [13], and Gappa [5], a tool for formally verifying properties of numerical programs.

While successful, the proposed verification approach is not fully automatic and it requires a certain level of expertise. A background in floating-point arithmetic and a deep understanding of the features of each tool is essential for completing the verification. In order to automatize this approach, the PRECiSA static analyzer and the ReFlow code extractor were developed.

PRECiSA[9, 16, 17] is a static analyzer for floating-point programs. It bounds the round-off errors that may occur and produces externally checkable certificates. PRECiSA uses static analysis by abstract interpretation to approximate the collecting semantics of the program and compute symbolic round-off error expressions that model the error along each program trace. The global optimizer Kodiak [15] is used to evaluate these symbolic expressions, producing sound numerical enclosures. PRECiSA generates proof certificates that ensure the correctness of both the symbolic and numerical round-off error estimations. It relies on the higher-order logic interactive theorem prover PVS [13], the floating-point formalization originally presented in [3] and extended in [9], as well as the formalization of Kodiak’s branch-and-bound algorithm [12].

ReFlow [18] is a C code extractor that produces a formally verified floating-point C implementation from a PVS real-number specification. It instruments the code to emit a warning when the floating-point control flow may diverge from the real-number specification due to unstable conditionals, and it automatically generates ACSL [1] annotations that express the relationship between the floating-point implementation and its real-number counterpart.

ReFlow is integrated with the Frama-C analyzer and the PVS theorem prover to provide a fully automatic toolchain for generating and verifying floating-point C code from a PVS real-number specification. In particular, the code generated by ReFlow is used as input to Frama-C, which produces a set of verification conditions in the PVS specification language. Although PVS is an interactive theorem prover, these verification conditions are automatically discharged by ad hoc strategies. As a result, users do not need expertise in theorem proving or floating-point arithmetic to verify the correctness of the generated C program. This verification toolchain has been used to generate C implementations from two formal developments by NASA: the winding number point-in-polygon algorithm used for geofencing applications [10], and a fragment of the DAIDALUS [11] software library [2].

The talk concludes by outlining future challenges in verifying floating-point code, focusing on LLM-generated code and quantized neural networks, which are especially vulnerable to rounding errors.

Keywords and phrases:

Floating point arithmetic, avionics

Category:

Invited Talk

Copyright and License:

2012 ACM Subject Classification:

Software and its engineering

\rightarrow

Formal methods

DOI:

10.4230/LIPIcs.ITP.2025.41

Event:

16th International Conference on Interactive Theorem Proving (ITP 2025)

Editors:

Yannick Forster and Chantal Keller

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

References

[1] P. Baudin, P. Cuoq, J. C. Filliâtre, C. Marché, B. Monate, Y. Moy, and V. Prevosto. ACSL: ANSI/ISO C Specification Language, version 1.12, 2016.
[2] N. Bernardes, M. Moscato, L. Titolo, and M. Ayala-Rincón. A provably correct floating-point implementation of well clear avionics concepts. In Formal Methods in Computer-Aided Design (FMCAD 2023), pages 237–246. IEEE, 2023. doi:10.34727/2023/ISBN.978-3-85448-060-0_32.
[3] S. Boldo and C. Muñoz. A high-level formalization of floating-point numbers in PVS. Technical Report CR-2006-214298, NASA, 2006.
[4] Code of Federal Regulations. Automatic Dependent Surveillance-Broadcast (ADS-B) Out, 91 c.f.r., section 225, 2015.
[5] F. de Dinechin, C. Lauter, and G. Melquiond. Certifying the floating-point implementation of an elementary function using Gappa. IEEE Trans. on Computers, 60(2):242–253, 2011. doi:10.1109/TC.2010.128.
[6] A. Dutle, M. Moscato, L. Titolo, and C. Muñoz. A formal analysis of the compact position reporting algorithm. 9th Working Conference on Verified Software: Theories, Tools, and Experiments, VSTTE 2017, Revised Selected Papers, 10712:19–34, 2017. doi:10.1007/978-3-319-72308-2_2.
[7] European Commission. Commission Implementing Regulation (EU) 2017/386 of 6 march 2017 amending Implementing Regulation (EU) No 1207/2011, C/2017/1426, 2017.
[8] F. Kirchner, N. Kosmatov, V. Prevosto, J. Signoles, and B. Yakobowski. Frama-C: A software analysis perspective. Formal Aspects of Computing, 27(3):573–609, 2015. doi:10.1007/S00165-014-0326-7.
[9] M. Moscato, L. Titolo, A. Dutle, and C. Muñoz. Automatic estimation of verified floating-point round-off errors via static analysis. In Proceedings of the 36th International Conference on Computer Safety, Reliablilty, and Security, SAFECOMP 2017. Springer, 2017.
[10] M. Moscato, L. Titolo, M. Feliú, and C. Muñoz. Provably correct floating-point implementation of a point-in-polygon algorithm. In Proceedings of the 23nd International Symposium on Formal Methods (FM 2019), volume 11800 of Lecture Notes in Computer Science, pages 21–37. Springer, 2019. doi:10.1007/978-3-030-30942-8_3.
[11] C. Muñoz, A. Narkawicz, G. Hagen, J. Upchurch, A. Dutle, and M. Consiglio. DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems. In Proceedings of the 34th Digital Avionics Systems Conference (DASC 2015), Prague, Czech Republic, September 2015.
[12] A. Narkawicz and C. Muñoz. A formally verified generic branching algorithm for global optimization. In Proceedings of the 5th International Conference on Verified Software: Theories, Tools, Experiments (VSTTE)., pages 326–343. Springer, 2013. doi:10.1007/978-3-642-54108-7_17.
[13] S. Owre, J. Rushby, and N. Shankar. PVS: A prototype verification system. In Proceedings of the 11th International Conference on Automated Deduction (CADE), pages 748–752. Springer, 1992. doi:10.1007/3-540-55602-8_217.
[14] RTCA SC-186. Minimum Operational Performance Standards for 1090 MHz extended squitter Automatic Dependent Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B), 2009.
[15] A. P. Smith, C. Muñoz, A. J. Narkawicz, and M. Markevicius. A rigorous generic branch and bound solver for nonlinear problems. In Proceedings of the 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015, pages 71–78, 2015.
[16] L. Titolo, M. Feliú, M. Moscato, and C. Muñoz. An abstract interpretation framework for the round-off error analysis of floating-point programs. In Proceedings of the 19th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pages 516–537. Springer, 2018. doi:10.1007/978-3-319-73721-8_24.
[17] L. Titolo, M. Moscato, M. Feliú, P. Masci, and C. Muñoz. Rigorous floating-point round-off error analysis in precisa 4.0. In 26th International Symposium on Formal Method (FM 2024), volume 14934 of Lecture Notes in Computer Science, pages 20–38. Springer, 2024. doi:10.1007/978-3-031-71177-0_2.
[18] L. Titolo, M. Moscato, M. Feliú, and C. Muñoz. Automatic generation of guard-stable floating-point code. In Proceedings of the 16th International Conference on Integrated Formal Methods (IFM 2020), volume 12546 of Lecture Notes in Computer Science, pages 141–159. Springer, 2020. doi:10.1007/978-3-030-63461-2_8.
[19] L. Titolo, M. Moscato, C. Muñoz, A. Dutle, and F. Bobot. A formally verified floating-point implementation of the compact position reporting algorithm. In Proceedings of the 22nd International Symposium on Formal Methods (FM 2018), volume 10951 of Lecture Notes in Computer Science, pages 364–381. Springer, 2018. doi:10.1007/978-3-319-95582-7_22.

[bib.bib1] [1] P. Baudin, P. Cuoq, J. C. Filliâtre, C. Marché, B. Monate, Y. Moy, and V. Prevosto. ACSL: ANSI/ISO C Specification Language, version 1.12, 2016.

[bib.bib2] [2] N. Bernardes, M. Moscato, L. Titolo, and M. Ayala-Rincón. A provably correct floating-point implementation of well clear avionics concepts. In Formal Methods in Computer-Aided Design (FMCAD 2023), pages 237–246. IEEE, 2023. doi:10.34727/2023/ISBN.978-3-85448-060-0_32.

[bib.bib3] [3] S. Boldo and C. Muñoz. A high-level formalization of floating-point numbers in PVS. Technical Report CR-2006-214298, NASA, 2006.

[bib.bib4] [4] Code of Federal Regulations. Automatic Dependent Surveillance-Broadcast (ADS-B) Out, 91 c.f.r., section 225, 2015.

[bib.bib5] [5] F. de Dinechin, C. Lauter, and G. Melquiond. Certifying the floating-point implementation of an elementary function using Gappa. IEEE Trans. on Computers, 60(2):242–253, 2011. doi:10.1109/TC.2010.128.

[bib.bib6] [6] A. Dutle, M. Moscato, L. Titolo, and C. Muñoz. A formal analysis of the compact position reporting algorithm. 9th Working Conference on Verified Software: Theories, Tools, and Experiments, VSTTE 2017, Revised Selected Papers, 10712:19–34, 2017. doi:10.1007/978-3-319-72308-2_2.

[bib.bib7] [7] European Commission. Commission Implementing Regulation (EU) 2017/386 of 6 march 2017 amending Implementing Regulation (EU) No 1207/2011, C/2017/1426, 2017.

[bib.bib8] [8] F. Kirchner, N. Kosmatov, V. Prevosto, J. Signoles, and B. Yakobowski. Frama-C: A software analysis perspective. Formal Aspects of Computing, 27(3):573–609, 2015. doi:10.1007/S00165-014-0326-7.

[bib.bib9] [9] M. Moscato, L. Titolo, A. Dutle, and C. Muñoz. Automatic estimation of verified floating-point round-off errors via static analysis. In Proceedings of the 36th International Conference on Computer Safety, Reliablilty, and Security, SAFECOMP 2017. Springer, 2017.

[bib.bib10] [10] M. Moscato, L. Titolo, M. Feliú, and C. Muñoz. Provably correct floating-point implementation of a point-in-polygon algorithm. In Proceedings of the 23nd International Symposium on Formal Methods (FM 2019), volume 11800 of Lecture Notes in Computer Science, pages 21–37. Springer, 2019. doi:10.1007/978-3-030-30942-8_3.

[bib.bib11] [11] C. Muñoz, A. Narkawicz, G. Hagen, J. Upchurch, A. Dutle, and M. Consiglio. DAIDALUS: Detect and Avoid Alerting Logic for Unmanned Systems. In Proceedings of the 34th Digital Avionics Systems Conference (DASC 2015), Prague, Czech Republic, September 2015.

[bib.bib12] [12] A. Narkawicz and C. Muñoz. A formally verified generic branching algorithm for global optimization. In Proceedings of the 5th International Conference on Verified Software: Theories, Tools, Experiments (VSTTE)., pages 326–343. Springer, 2013. doi:10.1007/978-3-642-54108-7_17.

[bib.bib13] [13] S. Owre, J. Rushby, and N. Shankar. PVS: A prototype verification system. In Proceedings of the 11th International Conference on Automated Deduction (CADE), pages 748–752. Springer, 1992. doi:10.1007/3-540-55602-8_217.

[bib.bib14] [14] RTCA SC-186. Minimum Operational Performance Standards for 1090 MHz extended squitter Automatic Dependent Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B), 2009.

[bib.bib15] [15] A. P. Smith, C. Muñoz, A. J. Narkawicz, and M. Markevicius. A rigorous generic branch and bound solver for nonlinear problems. In Proceedings of the 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015, pages 71–78, 2015.

[bib.bib16] [16] L. Titolo, M. Feliú, M. Moscato, and C. Muñoz. An abstract interpretation framework for the round-off error analysis of floating-point programs. In Proceedings of the 19th International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), pages 516–537. Springer, 2018. doi:10.1007/978-3-319-73721-8_24.

[bib.bib17] [17] L. Titolo, M. Moscato, M. Feliú, P. Masci, and C. Muñoz. Rigorous floating-point round-off error analysis in precisa 4.0. In 26th International Symposium on Formal Method (FM 2024), volume 14934 of Lecture Notes in Computer Science, pages 20–38. Springer, 2024. doi:10.1007/978-3-031-71177-0_2.

[bib.bib18] [18] L. Titolo, M. Moscato, M. Feliú, and C. Muñoz. Automatic generation of guard-stable floating-point code. In Proceedings of the 16th International Conference on Integrated Formal Methods (IFM 2020), volume 12546 of Lecture Notes in Computer Science, pages 141–159. Springer, 2020. doi:10.1007/978-3-030-63461-2_8.

[bib.bib19] [19] L. Titolo, M. Moscato, C. Muñoz, A. Dutle, and F. Bobot. A formally verified floating-point implementation of the compact position reporting algorithm. In Proceedings of the 22nd International Symposium on Formal Methods (FM 2018), volume 10951 of Lecture Notes in Computer Science, pages 364–381. Springer, 2018. doi:10.1007/978-3-319-95582-7_22.