Computer Arithmetic and Formal Proofs: Verifying Floating-point Algorithms with the Coq System

By Sylvie Boldo and Guillaume Melquiond

Floating-point arithmetic is ubiquitous in modern computing, as it is the tool of choice to approximate real numbers. Due to its limited range and precision, its use can become quite involved and potentially lead to numerous failures. One way to greatly increase confidence in floating-point software is by computer-assisted verification of its correctness proofs.

This book provides a comprehensive view of how to formally specify and verify tricky floating-point algorithms with the Coq proof assistant. It describes the Flocq formalization of floating-point arithmetic and some methods to automate theorem proofs. It then presents the specification and verification of various algorithms, from error-free transformations to a numerical scheme for a partial differential equation. The examples cover not only mathematical algorithms but also C programs as well as issues related to compilation.  

• Describes the notions of specification and weakest precondition computation and their practical use
• Shows how to tackle algorithms that extend beyond the realm of simple floating-point arithmetic
• Includes real analysis and a case study about numerical analysis

• Language: English
• Publisher: Elsevier Science
• Release date: Nov 17, 2017
• ISBN: 9780081011706

Sylvie Boldo

Sylvie Boldo is a Research Director at INRIA in Orsay, France.

Book preview

Computer Arithmetic and Formal Proofs

Verifying Floating-point Algorithms with the Coq System

Sylvie Boldo

Guillaume Melquiond

Series Editor

Valérie Berthé

Table of Contents

Cover

Title page

Copyright

Preface

Acknowledgments

List of Algorithms

Introduction

1: Floating-Point Arithmetic

Abstract

1.1 FP numbers as real numbers

1.2 Error analysis

1.3 Exceptional values

1.4 Additional definitions and properties

2: The Coq System

Abstract

2.1 A brief overview of the system

2.2 Tactics

3: Formalization of Formats and Basic Operators

Abstract

3.1 FP formats and their properties

3.2 Rounding operators and their properties

3.3 How to perform basic FP operations

3.4 IEEE-754 binary formats and operators

4: Automated Methods

Abstract

4.1 Algebraic manipulations

4.2 Interval arithmetic

4.3 Bounds on round-off error

5: Error-Free Computations and Applications

Abstract

5.1 Exact addition and EFT for addition

5.2 EFT for multiplication

5.3 Remainder of the integer division

5.4 Remainders of the FP division and square root

5.5 Taking the square root of the square

5.6 Remainders for the fused-multiply-add (FMA)

6: Example Proofs of Advanced Operators

Abstract

6.1 Accurate computation of the area of a triangle

6.2 Argument reduction

6.3 Faithful rounding of Horner evaluation

6.4 Integer division computed using FMA

6.5 Average of two FP numbers

6.6 Orientation of three points

6.7 Order-2 discriminant

7: Compilation of FP Programs

Abstract

7.1 Semantics of languages and FP arithmetic

7.2 Verified compilation

7.3 Conversions between integers and FP numbers

8: Deductive Program Verification

Abstract

8.1 Introduction

8.2 Our method and tools for program verification

8.3 Examples of annotated programs

8.4 Robustness against compiler optimizations

9: Real and Numerical Analysis

Abstract

9.1 Running example: three-point scheme for the 1D wave equation

9.2 Advanced formalization of real analysis

9.3 Method error of the 3-point scheme for the 1D wave equation

9.4 Round-off error

9.5 Program verification

Bibliography

Index

Copyright

First published 2017 in Great Britain and the United States by ISTE Press Ltd and Elsevier Ltd

Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form or by any means, with the prior permission in writing of the publishers, or in the case of reprographic reproduction in accordance with the terms and licenses issued by the CLA. Enquiries concerning reproduction outside these terms should be sent to the publishers at the undermentioned address:

ISTE Press Ltd

27-37 St George’s Road

London SW19 4EU

UK

www.iste.co.uk

Elsevier Ltd

The Boulevard, Langford Lane

Kidlington, Oxford, OX5 1GB

UK

www.elsevier.com

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

For information on all our publications visit our website at http://store.elsevier.com/

© ISTE Press Ltd 2017

The rights of Sylvie Boldo and Guillaume Melquiond to be identified as the authors of this work have been asserted by them in accordance with the Copyright, Designs and Patents Act 1988.

British Library Cataloguing-in-Publication Data

A CIP record for this book is available from the British Library

Library of Congress Cataloging in Publication Data

A catalog record for this book is available from the Library of Congress

ISBN 978-1-78548-112-3

Printed and bound in the UK and US

Preface

Sylvie Boldo; Guillaume Melquiond August 2017

Once upon a time in 2010, we began the development of the Flocq library to merge the existing disparate formalizations of floating-point arithmetic for the Coq proof assistant. It was not an easy task: we wanted to have our cake and eat it too. On the one hand, we wanted high-level properties on floating-point numbers as real numbers with a mathematical definition of rounding (such as the nearest floating-point number). On the other hand, we also wanted to be able to perform computations inside the proof assistant (which is antinomic with considering only real numbers). Finally, more than have our cake and eat it too, we wanted to sell the used flour: we wanted to explore exotic formats, their deficiencies and properties (such as fixed-point formats, IEEE-754 floating-point formats, flush-to-zero formats, and many others).

Since that time, we have changed office and have improved the Flocq library in various ways. As time flew by, we did not feel the need to change our original design choices, the only small difference being the definition of a reasonable value for ulp(0). We developed more automation, more formalized high-level properties, proved algorithms, and verified programs. Moreover, we got users! Contrary to our forecast, the library has been used by other researchers for their own deeds worldwide, for teaching purposes, and even in a commercial software.

Now is the time to put everything together to offer a comprehensive lecture on Flocq and on several tools related to it. We have aimed at homogeneity, understandability, and pedagogy. We have assumed our readers to be Master’s or PhD students, engineers or researchers, who are already familiar either with floating-point arithmetic or with formal verification and who would like to broaden their expertise to the other domain.

We hope you will get to learn something new about formal proofs and computer arithmetic. More importantly, we sincerely hope that, after reading this book, you will feel like formally verifying your own floating-point algorithms.

Acknowledgments

We are indebted to a large amount of people, including (by alphabetical order starting with letter p):

– 

Our parents. Thanks for your deep and fundamental support that has helped us to become better persons/researchers.

– 

Our reviewers. Thanks for reading and criticizing the first version of this book. You really helped us make it better: Valérie Berthé, François Bobot, François Clément, Florian Faissole, Stef Graillat, Philippe Langlois, Christoph Lauter, Xavier Leroy, Assia Mahboubi, Claude Marché, Érik Martin-Dorel, Jean-Michel Muller, Laurence Rideau, Pierre Roux and Laurent Théry. Special thanks to Claude-Pierre Jeannerod for his numerous comments. The remaining errors are all ours.

– 

Our team. Thanks for your cheerfulness, chocolate, coffee, and tea. We have spent a large amount of time in a dull white room without sunlight and we really enjoyed your support.

– 

The Boullis family: Nicolas, Cyril, and Cédric. Thanks for letting one of the authors sometimes work during the evenings/nights/weekends, and for having given her the best time of her life.

– 

Our collaborators. Thanks for working with us! You have been strictly necessary for some of the results presented in this book:

- 

part of Chapter 4 is based on some work done with Assia Mahboubi, Thomas Sibut-Pinote, and the members of the TaMaDi project, in particular Érik Martin-Dorel;

- 

parf of Chapter 5 is based on some work done with Jean-Michel Muller, Laurence Rideau, and Laurent Théry;

- 

part of Chapter 6 is based on some work done with Sylvain Pion;

- 

Chapter 7 is based on some work done with Jacques-Henri Jourdan and Xavier Leroy;

- 

part of Chapter 8 is based on some work done with Jean-Christophe Filliâtre, Claude Marché, and Thi Minh Tuyen Nguyen;

- 

Chapter 9 is based on some work done with François Clément, Jean-Christophe Filliâtre, Catherine Lelay, Micaela Mayero, and Pierre Weis.

– 

Our employer, Inria. Thanks for supporting us while we spent a lot of time writing this book.

List of Algorithms

4.1 Gappa script for bounding the round-off error of Cody and Waite’s polynomial evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . .122

5.1 Fast2Sum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

5.2 2Sum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

5.3 Computation of the error of a multiplication when an FMA is available 145

5.4 Veltkamp’s splitting of an FP number . . . . . . . . . . . . . . . . . . 146

5.5 Dekker’s product for computing the error of a multiplication . . . . . 152

5.6 Computation of the error of an FMA . . . . . . . . . . . . . . . . . . . 161

5.7 Computation of an approximation of the error of an FMA . . . . . . . 163

6.1 Cody and Waite’s argument reduction when computing exp(x) . . . . 170

6.2 Coefficients of the rational approximation of exp . . . . . . . . . . . . 173

6.3 Definition and specification of Cody and Waite’s exponential . . . . . 174

6.4 Itanium assembly for dividing two unsigned 16-bit integers . . . . . . 180

6.5 Computation of q = ⌊ a/b ⌋ for two integers a, b ∈ [1; 65535] . . . . . 181

6.6 Accurate computation of the average (Sterbenz) . . . . . . . . . . . . . 191

6.7 Correct computation of the average . . . . . . . . . . . . . . . . . . . . . . 191

6.8 Robust implementation of orient2d . . . . . . . . . . . . . . . . . . . .201

6.9 Accurate computation of the order-2 discriminant . . . . . . . . . . . . 203

7.1 Opposite of Fast2Sum of 1 and 2− 53 + 2− 78 . . . . . . . . . . . . . . 209

7.2 Example from GCC bug #323 . . . . . . . . . . . . . . . . . . . . . . . 211

7.3 Pseudo-code for the u64_f64 conversion . . . . . . . . . . . . . . . . . 231

8.1 C program that depicts Sterbenz’ theorem . . . . . . . . . . . . . . . . 240

8.2 C program for Veltkamp’s and Dekker’s algorithms . . . . . . . . . . 242

8.3 C program for computing the area of a triangle . . . . . . . . . . . . . 243

8.4 C program for the absolute value . . . . . . . . . . . . . . . . . . . . . 245

8.5 C program for Sterbenz’ average computation (part 1/2) . . . . . . . . 246

8.6 C program for Sterbenz’ average computation (part 2/2) . . . . . . . . 247

8.7 C program for correct average computation . . . . . . . . . . . . . . . 248

8.8 C program for computing the radix by Malcolm algorithm . . . . . . . 250

8.9 C program, excerpt of KB3D – unannotated version . . . . . . . . . . 254

8.10 C program, excerpt of KB3D, sign function . . . . . . . . . . . . . . . 255

8.11 C program, excerpt of KB3D . . . . . . . . . . . . . . . . . . . . . . . 256

8.12 C program, excerpt of KB3D – architecture-independent version . . . 258

9.1 Excerpt 1/5 of the C program for the 3-point scheme . . . . . . . . . . 284

9.2 Excerpt 2/5 of the C program for the 3-point scheme . . . . . . . . . . 285

9.3 Excerpt 3/5 of the C program for the 3-point scheme . . . . . . . . . . 285

9.4 Excerpt 4/5 of the C program for the 3-point scheme . . . . . . . . . . 286

9.5 Excerpt 5/5 of the C program for the 3-point scheme . . . . . . . . . . 288

Introduction

Computer arithmetic is a field of computer science that investigates how computers should represent numbers and perform operations on them. It includes integer arithmetic, fixed-point arithmetic, and the arithmetic this book focuses on: floating-point (FP) arithmetic, which will be more thoroughly described in stands for the value 2⁶⁰:

– 

returns 0;

– 

) returns 1.

Many strange behaviors caused by FP operations may be found in [MUL 10]. The following example is Muller’s sequence defined by

In practice, it converges toward 100, while mathematically, it should converge toward 6. This discrepancy can be explained by giving a closed form for un:

with the values of α, β, and γ depending on the initial values. The aforementioned values of u0 and u1 imply that α = 0 and β ≠ 0, so the sequence should converge toward 6. But the rounding error on the first values makes it as if α was small but nonzero, therefore the computed sequence converges toward 100.

Many more subtleties exist, such as very small FP numbers (called subnormal numbers), exceptional values, and so on. Guaranteeing that an algorithm is correct or nearly correct for some given inputs is therefore a difficult task, which requires trust and automation.

Formal proofs may be used to provide more trust. If an article or person tells you something is true (such as a theorem, an algorithm, a program), will you believe it? This question is more sociological than scientific [DEM 77]. You may believe it for many different reasons: because you trust the author, because the result seems reasonable, because everybody believes it, because it looks like something you already believe, because you read the proof, because you tested the program, and so on. We all have a trust base, meaning a set of persons, theorems, algorithms, and programs we believe in. But we all have a different trust base, so to convince as many people as possible, you have to reduce the trust base as much as possible.

Proofs are usually considered as an absolute matter and mathematicians are those who can discover these absolute facts and show them. Mathematicians, however, might fail. An old book of 1935 makes an inventory of 500 errors made by famous mathematicians [LEC 35]. Given the current publication rate, an updated inventory would now take several bookshelves. As humans are fallible, how can we make proofs more reliable? A solution is to rely on a less-fallible device, the computer, to carefully check the proofs. The lack of imagination of computers, however, means we need to detail the proofs much more than mathematicians usually do.

We need a language of rules, the kind of language even a thing as stupid as a computer can use (Porter) [MAC 04]. Formal logic studies the languages used to define abstract objects such as groups or real numbers and reason about them. Logical reasoning aims at checking every step of the proof, so as to guarantee only justified assumptions and correct inferences are used. The reasoning steps that are applied to deduce from a property believed to be true a new property believed to be true called an inference rule. They are usually handled at a syntactic level: only the form of the statements matters, their content does not. For instance, the modus ponens rule states that, if both properties A and "if A then B" hold, then property B holds too, whatever the meaning of A and B. To check these syntactic rules are correctly applied, a mechanical device as stupid as a computer can be used. It will be faster and more systematic than a human being, as long as the proof is comprehensive and given in a language understandable by the computer. To decrease the trust base, one may choose the LCF approach [GOR 00], meaning the only thing to trust is a small kernel that entirely checks the proof. It does not matter whether the rest of the system, such as proof search, is bug-ridden, as each proof step will ultimately be checked by the trusted kernel. In this case, the proof must be complete: there is no more skipping some part of the proof for shortening or legibility.

Even when we rely on formal systems, how sure are we of the result? This can be restated as what trust can you put in a formal system?, or as who checks the checker? [POL 98]. There is a complementary and more pragmatic point of view influenced by Davis [DAV 72] with this nice title: Fidelity in Mathematical Discourse: Is One and One Really Two?. It describes Platonic mathematics and its beliefs. In particular, Platonic mathematics assumes that symbol manipulation is perfect. Davis argues that this manipulation is in fact wrong with a given probability. This probability depends on whether the manipulation is performed by a human (≈ 10− 3) or a machine (≈ 10− 10). Indeed, a human may forget a corner case or lose concentration, while a cosmic ray may mislead a computer to accept an incorrect proof. Although perfection is not achievable, computers and formal proof assistants are still the best way to decrease the probability of failure, and hence increase the trust.

Among the many existing formal systems, the one we use in this book is the Coq proof assistant, which provides a higher-order logic with dependent types, as described in Chapter 2. For the sociological and historical aspects of mechanized proofs, we refer the reader to MacKenzie [MAC 04].

Formal libraries for floating-point arithmetic have been designed to help with the verification of FP properties of circuits, algorithms, and programs. Formal methods have been applied quite early to the IEEE-754 standard, firstly for a precise specification of FP arithmetic: what does this standard in English really mean? Barrett wrote such a specification in Z [BAR 89]. It was very low-level and included all the features. Later, Miner and Carreño specified the IEEE-754 and 854 standards in PVS and HOL [CAR 95a, MIN 95, CAR 95b]; the definitions were more generic and not as low-level.

Due to the high cost of an incorrect design, processor makers also turned to formal proofs. A nice survey of hardware formal verification techniques, and not just about FP arithmetic, has been done by Kern and Greenstreet [KER 99]. Regarding FP arithmetic, AMD researchers, particularly Russinoff, have proved in ACL2 many FP operators mainly for the AMD-K5 and AMD-K7 chipsmakeatletter [[MOO 98], [RUS 98], [RUS 99], [RUS 00]], and the square root of the IBM Power4 chip [SAW 02]. Specific quotient and square root algorithms have been verified in ACL2 with a focus on obtaining small and correct digit-selection tables [RUS 13]. This last work also shows that there are several mistakes in a previous work by Kornerup [KOR 05]. As for Intel, the Pentium Pro operations have been verified [OLE 99]. The Pentium 4 divider has been verified in the Forte verification environment [KAI 03]. A full proof of the exponential function, from the mathematical function to the circuit was achieved using HOL4 [AKB 10]. A development by Jacobi in PVS is composed of both a low-level specification of the standard and proofs about the correctness of FP units [JAC 02]. This has been implemented in the VAMP processor [JAC 05]. Finally, during his PhD, Harrison verified a full implementation of the exponential function [HAR 00]. He therefore developed a rather high-level formalization of FP arithmetic in HOL Light with the full range of FP values [HAR 99a]. Among others, he has developed algorithms for computing transcendental functions that take into account the hardware, namely IA-64 [HAR 99b].

As far as Coq is concerned, there have previously been three different Coq formalizations of FP arithmetic, designed by the authors of this book. The PFF library was initiated by Daumas, Rideau, and Théry [DAU 01]. Its main characteristic is the fact that roundings are axiomatically formalized. A rounding here is a relation between a real number and an FP number (and the radix, and the FP format). This library contains many proved results (theorems and algorithms) [BOL 04a] but it lacks automation and there is no computational contents. The Gappalib library, on the other hand, is designed to make it possible for Coq to verify the FP properties proved by the Gappa tool [DAU 10] and thus provides computable operations with rounding but only for radix 2. Finally, the CoqInterval library is designed for automation based on intensive radix-2 FP computations [MAR 16].

This book mostly revolves around Flocq [BOL 11b], a Coq formal library described in Chapter 3. It serves as the lower layer of both CoqInterval and Gappalib and supersedes PFF for proving algorithms as it offers genericity, both in terms of radix and formats. In particular, the exploration of properties of exotic formats was impossible in either previous formalizations. The theorem names given in this book refer to the corresponding Coq names in Flocq. The auxiliary lemmas are not named: only the lemmas dedicated to be used out of Flocq are given. Most of the applications and examples of this book, from decision procedures (Chapter 4) to compilers (Chapter 7) are based on Coq and Flocq. Note that this book is more than just formal proofs of theorems representing FP properties or algorithms. We also explain how to verify programs in Chapter 8.

The outline of this book is as follows. Chapter 1 presents some basic notions of FP arithmetic. Two aspects are covered: the first relates it to real arithmetic through formats and rounded computations, while the second anchors FP arithmetic to the IEEE-754 standard and its handling of exceptional values such as infinities and signed zeros.

Chapter 2 then gives an overview of the Coq proof assistant: what the logic formalism is, how the user can perform proof steps, and which libraries that are useful for formalizing FP arithmetic are shipped by default with Coq.

After these two introductory chapters on FP arithmetic and the Coq system, Chapter 3 describes the core of the Flocq library, a Coq formalization of FP arithmetic. It starts by defining what FP formats are and how to merge them into a unified framework. It then gives an abstract description of rounding operators. So that FP computations can be performed within Coq or extracted as reference libraries, this chapter also gives a more computational definition of rounding operators. It finally extends this formalism so as to cover part of the IEEE-754 format.

Chapters 1 and 2, as well as sections 3.1 and 3.2 provide the prerequisites needed for the following chapters, which can mostly be read in no particular order.

Formal proofs of FP algorithms are often a long and tedious process, so any tool that might automate part of them is welcome. Chapter 4 presents a few tools dedicated to proving statements on real or FP arithmetic. Some are tactics from the standard distribution of Coq while others are shipped as external libraries: CoqInterval and Gappa.

While FP operations usually approximate real operations, in some situations the rounded values actually represent the infinitely-precise values. There are some other situations where, while the computations introduce some rounding errors, there is a way to compute some correcting terms so as to recover all the information. Chapter 5 details some of these situations.

At this point, all of the basic blocks have been laid out and one can tackle the verification of larger FP algorithms. Chapter 6 presents a few examples whose correctness was formally proved. These examples give an overview of the kind of specifications one could verify for an FP algorithm: bounds on round-off errors, exactness or robustness of computations, and so on.

Formally verifying some properties about an FP algorithm is no small work but for this work to be meaningful, the verified properties should still hold when the algorithm is eventually executed. Several things might get in the way, the compiler being one of them. This might be due to actual compiler bugs or simply because the programmers and compiler writers have different expectations regarding the compilation of FP code. To alleviate this issue, the CompCert C compiler comes with a precise semantics for FP operations and with a Coq formal proof that it actually implements this semantics. Chapter 7 also gives some details on how the support for FP arithmetic was added to this compiler.

Chapter 8 extends Chapter 6 toward the verification of actual programs. Indeed, the verification of an FP algorithm might have been performed under the assumption that its execution is safe, e.g. operations have not overflowed, arrays have not been accessed outside their bounds. This chapter covers these other aspects of program verification through several examples. It also gives some tools for verifying programs independently of the way some FP operations might be reassociated.

Finally, Chapter 9 tackles an example whose verification involves some complicated mathematical reasoning. This example is a small solver for the one-dimensional wave equation; its specification states how close the computed FP results are from the real solution to the partial differential equation. One of the components of the correctness proof is the Coquelicot formalization of real analysis.

1

Floating-Point Arithmetic

Abstract

Roughly speaking, floating-point (FP) arithmetic is the way numerical quantities are handled by the computer. Many different programs rely on FP computations such as control software, weather forecasts, and hybrid systems (embedded systems mixing continuous and discrete behaviors). FP arithmetic corresponds to scientific notation with a limited number of digits for the integer significand. On modern processors, it is specified by the IEEE-754 standard which defines formats, attributes and roundings, exceptional values, and exception handling. FP arithmetic lacks several basic properties of real arithmetic; for example, addition is not associative. FP arithmetic is therefore often considered as strange and unintuitive. This chapter presents some basic knowledge about FP arithmetic, including numbers and their encoding, and operations and rounding. Further readings about FP arithmetic include.

Keywords

AMD-K5 and AMD-K7; Computer arithmetic; Coq proof assistant; Flocq; FP algorithms; FP operations; IEEE-754 standard; Muller's sequence

Roughly speaking, floating-point (FP) arithmetic is the way numerical quantities are handled by the computer. Many different programs rely on FP computations such as control software, weather forecasts, and hybrid systems (embedded systems mixing continuous and discrete behaviors). FP arithmetic corresponds to scientific notation with a limited number of digits for the integer significand. On modern processors, it is specified by the IEEE-754 standard [IEE 08] which defines formats, attributes and roundings, exceptional values, and exception handling. FP arithmetic lacks several basic properties of real arithmetic; for example, addition is not associative. FP arithmetic is therefore often considered as strange and unintuitive. This chapter presents some basic knowledge about FP arithmetic, including numbers and their encoding, and operations and rounding. Further readings about FP arithmetic include [STE 74, GOL 91, MUL 10].

This chapter is organized as follows: section 1.1 provides a high-level view of FP numbers as a discrete set, and a high-level view of rounding and FP operations. Section 1.2 shows some simple results on the round-off error of a computation. Section 1.3 presents a low-level view of FP numbers, which includes exceptional values such as NaNs or infinities and how operations behave on them. Section 1.4 gives additional definitions and results useful in the rest of the book: faithful rounding, double rounding, and rounding to odd.

1.1 FP numbers as real numbers

We begin with a high-level view of FP numbers, which will be refined in section 1.3. A definition of FP formats and numbers is given in section 1.1.1. An important quantity is the unit in the last place (ulp) of an FP number defined in section 1.1.2. A definition of rounding and the standard rounding modes are given in section 1.1.3. Some FP operations and what they should compute are given in section 1.1.4.

1.1.1 FP formats

Let us consider an integer β called the radix. It is usually either 2 or 10. In a simplified model, an FP number is just a real value mβe satisfying some constraints on m and e given below. The integers m and e are called the integer significand and the exponent. The usual FP formats only consider FP numbers mβe with | m | < βϱ, with ϱ being called the precision. Let us also bound the exponent: emin ≤ e ≤ emax. An FP number is therefore a real value representable in the considered FP format:

With this definition of FP numbers, there might be several representations of the same real value. For instance, in radix 2 and precision 3, the real number 1 is representable by any of (12, 0), (102, − 1), and (1002, − 2). The set of representations of a given real value is called a cohort. We define a canonical representation as follows: it is the FP number with minimal exponent (or equivalently maximal integer significand). In our previous example, it is (1002, − 2).

The IEEE-754 standard adopts a slightly different but equivalent point of view with m being a fixed-point number . The value d0 • d1d2 … dϱ − 1 is called the mantissa. The exponent is shifted compared to our exponent with the integer significand: es = e + ϱ − 1. The minimal and maximal exponents are also shifted accordingly. Our exponent e also corresponds to the q notation of the IEEE-754 for decimal formats. We will stick with the integer significand throughout this book.

with | m | < βϱ. Normal numbers can be represented as mβe with βϱ − 1 ≤ | m | < βϱ and emin ≤ e ≤ e. The numbers in an FP format are therefore a discrete finite set that may be represented on the real axis as done in Figure 1.1. As FP numbers are just a subset of real numbers in this section, there is only one zero seen as a subnormal number. Section 1.3 will later give a notion of sign for zero.

Figure 1.1 Distribution of FP numbers over the real axis.

. When the canonical FP number mβe considered is such that e > emax, we have an overflow and may get a special value. This is ignored until section 1.3.

When the value considered is smaller than the minimal normal ), we have an underflow and may get a subnormal number. Some formats may ignore subnormal numbers; this is called flush-to-zero or abrupt underflow. Subnormal numbers are flushed to the value zero when they are either inputs or outputs of FP operations. One consequence of abrupt underflow is that x = y is no longer equivalent to ○(x − y) = 0 (with ○ being rounding to nearest, see section 1.1.3).

The IEEE-754 standard defines several FP formats. The most used one in this book is binary64 which corresponds to radix 2 with ϱ = 53. Two other binary formats are binary32 with ϱ = 24 and binary128 with ϱ = 113. The standard also defines some radix-10 formats, namely decimal64 with ϱ =  16 and decimal128 with ϱ = 34. More details can be found in section 3.1.2.1.

1.1.2 Unit in the last place

As seen in Figure 1.1, when the exponent increases, the FP numbers are further apart. For instance, there is no FP number between βϱ − 1 and βϱ − 1 + 1; there is no FP number between βϱ and βϱ + β. For a positive FP number x, the δx such that there is no FP number between x and the FP number x + δx is called ulp, for unit in the last place. More precisely, if x = mβe is the canonical representation of an FP number, then we have

This definition only covers FP numbers, but the ulp may be defined for any real number, given an FP format (see section 3.1.3.2 for a formal definition). An