ACL2 is also VERY powerful and capable.
CBMC and KLEE try to statically verify assertions in one of three outcomes:
1. Verified: No counter-example was found, that breaks the assertion(s).
2. Rejected: A counter-example was found, that makes an assertion false.
3. Tool runs forever or exhausts system resources.
That means, any test/verification you can do at runtime, can be determined statically. You can use modal logics, automata, everything within practical limits.
The modeling language is also just C, which simplifies things HUGELY.
A very simple example can be found here: https://github.com/kokke/tiny-regex-c/blob/master/formal_ver... (note, this has no specific assertions, only the ones inserted automatically by the tool, to check for run-time errors like zero division, array out of bounds etc.).
For more involved examples, see https://www.cprover.org/cbmc/applications/ or https://klee-se.org/publications/
CBMC scales worse (best for smaller modules, not complete systems), but is also very capable.
You can use both as general-purpose solvers for any problem you can formulate in C/LLVM. You assert that there is no solution, run the tool and (unless you run out of time/resources), you get a counter-example refuting the assertion -> which will then be a valid solution.
I’ve used this to find e.g. a sequence of N bytes with a specific (non-cryptographic) checksum etc. They are very powerful tools.
Amazon AWS uses Dafny to prove the correctness of some complex components.
Then, they extract verified Java code. There are other target languages.
Being based on Hoare logic, Dafny is really simple. The barrier of entry is low.
My question is the same, albeit more technically refined. How do you prove the correctness of a numerical algorithm (operating on a quantized continuum) using type-theoretic/category-theoretic tools like theorem provers like Coq? There are documented tragedies where numerical rounding error of the control logic of a missile costed lives. I have proved mathematical theorems before (Curry-Howard!) but they were mathematical object driven (e.g. sets, groups) not continuous numbers.
This sounds flippant, but I'm being entirely earnest. It's a significantly larger pain because floating point numbers have some messy behavior, but the essential steps remain the same. I've proved theorems about floating point numbers, not reals. Although, again, it's a huge pain, and when I can get away with it I'd prefer to prove things with real numbers and assume magically they transfer to floating point. But if the situation demands it and you have the time and energy, it's perfectly fine to use Coq/Rocq or any other theorem prover to prove things directly about floating point arithmetic.
The article itself is talking about an approach sufficiently low level that you would be proving things about floating point numbers because you would have to be since it's all assembly!
But even at a higher level you can have theorems about floating point numbers. E.g. https://flocq.gitlabpages.inria.fr/
There's nothing category theoretic or even type theoretic about the entities you are trying to prove with the theorem prover. Type theory is merely the "implementation language" of the prover. (And even if there was there's nothing tying type theory or category theory to the real numbers and not to floats)
True for some approaches, but numerical analysis does account for machine epsilon and truncation errors.
I am aware that Inria works with Coq as your link shows. However, the link itself does not answer my question. As a concrete example, how would you prove an implementation of a Kalman filter is correct?
See ACL2's support for floating point arithmetic.
https://www.cs.utexas.edu/~moore/publications/double-float.p...
SMT solvers also support real number theories:
https://shemesh.larc.nasa.gov/fm/papers/nfm2019-draft.pdf
Z3 also supports real theories:
https://youtu.be/_LjN3UclYzU has a different attempt to formalize Kalman filters which I think we can all agree was not a successful formalization.
But that's the actual problem we're trying to solve; nobody really doubts Kalman's proof of his filter's optimality.
So this paper is not a relevant answer to the question, "how would you prove an implementation of a Kalman filter is correct?"
So you would probably adopt some conservative approach in which you showed that the worst case floating point rounding error is << some quantile of error due to the data.
But, I think specialised tools are more commonly used than general process. Eg, see https://github.com/arpra-project/arpra
> As a concrete example, how would you prove an implementation of a Kalman filter is correct?
This would be fun enough to implement if I had more time. But I need to spend time with my family. I'm usually loathe to just post LLM output, but in this case, since you're looking just for the gist, and I don't have the time to write it out in detail, here's some LLM output: https://pastebin.com/0ZU51vN0
Based on a quick skim, I can vouch for the overall approach. There's some minor errors/things I would do differently, and I'm extremely doubtful it typechecks (I didn't use a coding agent, just a chat window), but it captures the overall idea and gives some of the concrete syntax. I would also probably have a third implementation of the 1-d Kalman filter and would prefer some more theorems around the correctness of the Kalman filter itself (in addition to numerical stability). And of course a lot of the theorems are just left as proof stubs at the moment (but those could be filled in given enough time).
But it's enough to demonstrate the overall outline of what it would look like.
The overall approach I would have with floating point algorithms is exemplified by the following pseudo-code for a simple single argument function. We will first need some floating point machinery that establishes the relationship between floating point numbers and real numbers.
# Calculates the corresponding real number from the sign, mantissa, and exponent
floatToR : Float -> R
# Logical predicate that holds if and only if x can be represented exactly in floating point
IsFloat(x: R)
f0 : R -> R
f1 : Float -> Float
f2 : (x : R) -> IsFloat(x) -> R
Then I prove the exact correspondence between `f1` and `f2`.
f1_equal_to_f2 : forall (x: R), (isFloatProof: IsFloat(x)) -> f1(floatToR(x)) = floatToR(f2(x, isFloatProof))
f2_always_returns_floats : forall (x: R), IsFloat(x) -> IsFloat(f2(x))
So then I prove numerical stability on `f2` relative to `f0`. I start with a Wilkinson style backwards error analysis.
f2_is_backwards_stable : forall (x: R), exists (y: R), IsFloat(x) -> f2(x) = f0(y) and IsCloseTo(y, x)
f2_is_forwards_stable : forall (x: R), IsFloat(x) -> IsReasonablyBounded(x) -> IsCloseTo(f2(x), f0(x))
Then finally I extract out `f2` to runnable code (and make sure that compilation process after that has all the right floating point flags, e.g. taking into consideration FMA or just outright disabling FMA if we didn't include it in our verification, making sure various fast math modes are turned off, etc.).
Also there's some subtleties in how to set up the code extraction to make sure you don't inadvertently extract other real-valued functions, but this is already too long.
Committing to unbounded rationals basically opens your system up to DoS attacks.
You could decide to bound rationals in the numerator and denominator, but then you've more or less reinvented a form of floating point.
In order of preference for a high reliability production system I would use:
1. Integers
2. Fixed point
3. Floating point
4. Rationals [waaaayyyy down in fourth place]
Most systems don't have high enough reliability needs though that I would favor fixed point over floating point and so in practice I rarely use fixed point (simply because library and language support is far worse).
https://www.inwap.com/pdp10/hbaker/hakmem/hakmem.html
Edit: link
Do you have any examples of unbounded rational numbers used in a microcontroller program, in a production Forth program, or really in any production user-facing codebase?
I ask specifically for unbounded rational numbers because again bounded rational numbers are effectively equivalent to floating point and fixed denominator rational numbers are equivalent to fixed point.
IEE754 does a good job explaining the representation, but it doesn't define all the operations and possible error codes as near as I can tell.
Is it just assumed "closest representable number to the real value" always?
What about all the various error codes?
IEEE 754 also contains a list of operations that are recommended, but not defined by the standard, such as the exponential function and other functions where it is difficult to round exactly the result.
For the standardized operations, all the possible errors are precisely defined and they must either generate an appropriate exception or produce as result a special value that encodes the kind of error, depending on how the programmer configures the processor.
The standard is perfectly fine. The support of the standard in the popular programming languages is frequently inconvenient or only partial or even absent. For instance it may be impossible to choose to handle the errors by separate exception handlers and it may be impossible to unmask some of the exceptions that are masked by default. Or you may lack the means to control the rounding mode or to choose when to use FMA operations and when to use separate multiplications.
If you enable all the possible exceptions, including that for inexact results, the value of an expression computed with IEEE 754 operations is the same as if it were computed with real numbers, so you do not need to prove anything extra about it.
However this is seldom helpful, because most operations with FP numbers produce inexact results. If you mask only the exception for inexact results, the active rounding rule will be applied after any operation that produces an inexact result.
Then the expression where you replace the real numbers with FP numbers is equivalent with a more complex expression with real numbers that contains rounding operations besides the explicit operations.
Then you have to prove whatever properties are of interest for you when using the more complex expression, which includes rounding operations.
The main advantage of the IEEE 754 standard in comparison with the pathetic way of implementing FP operations before this standard, is that the rounding operations are defined exactly, so you can use them in a formal proof.
Before this standard, most computer makers rounded the results in whatever way happened to be cheaper to implement and there were no guarantees about which will be the result of an operation after rounding, so it was impossible to prove anything about FP expressions computed in such computers.
If you want to prove something about the computation of an expression when more exceptions are masked, not only the inexact result exception, that becomes more complex. When a CPU allows a non-standard handling of the masked exceptions, like flush-to-zero on underflow, that can break any proof.
curious about this
https://www-users.cse.umn.edu/~arnold/disasters/Patriot-dhar...
The Patriot missile didn’t kill 28 people accidentally, it simply failed to intercept an enemy missile.
And it wasn’t launched on an incorrect trajectory either, the radar was looking at a slightly wrong distance window and lost track. Furthermore, the error only starts having an effect after 100 hours of operation, and it seems to have only been problematic with the faster missiles in Iraq that the system wasn’t designed for. They rushed the update and they did actually write a function to deal with this exact numerical issue, but during the refactor they missed one place where it should have been used.
28 lives are obviously significant, but just to note that there are many mitigating factors.
1. That the model/specification makes sense. i.e. that certain properties in the model hold and that it does what you expect.
2. That the SUV/SUT (system under verification/test) corresponds to the model. This encompasses a lot but really what you are doing here is establishing how your system interacts with the world, with what accuracy it does so, etc. And from there you are walking along the internal logic of your system and mapping your representations of the data and the algorithms you are using into some projection from the model with a specified error bound.
So you are inherently dealing with the discrete nature of the system the entire time but you can reason about that discrete value as some distribution of possible values that you carry through the system with each step either
- introducing some additional amount of error/variability or
- tightening the bound of error/variability but trapping outside values into predictable edge cases.
Then it's a matter of reasoning about those edge cases and whether they break the usefulness of the system compared against the idealised model.
See https://www.cl.cam.ac.uk/~jrh13/papers/thesis.html for your question, John Harrison got a job with Intel based on this after their floating point disaster.
But in short: theorem proving is not about equalities, it is about inequalities. And theorems about numerical algorithms are a great example of this.
In this end, it is all about the complexity and stability in time for this matter.
I wonder if AI's compute graph would benefit from a language-level rigor as of Coq.
I'm no expert on assembly-language programming, but probably 90% of the assembly I write on i386, amd64, RISC-V, and ARM is about 40 instructions: ldr, mov, bl, cmp, movs, push, pop, add, b/jmp, bl/blx/call, ret, str, beq/jz, bne/jnz, bhi/ja, bge/jge, cbz, stmia, ldmia, ldmdb, add/adds, addi, sub/subs, bx, xor/eor, and, or/orr, lsls/shl, lsrs/sar/shr, test/tst, inc, dec, lea, and slt, I think. Every once in a while you need a mul or a div or something. But the other 99% of the instruction set is either for optimized vectorized inner loops or for writing operating system kernels.
I think that the reason that i386 assembly (or amd64 assembly) is error-prone is something else, something it has in common with very simple architectures and instruction sets like that of the PDP-8.
What reason is that? (And, if it's not obvious, what are ARM/RISC-V doing that make them less bad?)
There are various minor details of one architecture or the other that make them more or less bug-prone, but those are minor compared to what they have in common.
None of this is because the instruction sets are complex. It would be closer to the mark to say that it's because they are simple.
I've not fleshed this out yet, but I think a relatively simple system would help deal with all the issues you mention in the first paragraph while allowing escape hatches.
implementing prolog/backtracking on top of lisp is certainly possible and not even too hard (see e.g. https://github.com/nikodemus/screamer)
and implementing Coq on top of lisp is also possible.
but IMO the "with ease" phrase is not justified in this context.
if you only mean that lisp will not be in the way if you set out to implement these, then i agree. lisp -- the language and the typical opensource implementation -- will be much less of an obstacle than other languages when chosen as foundations.
Coq: The world’s best macro assembler? (2013) [pdf] - https://news.ycombinator.com/item?id=8752385 - Dec 2014 (61 comments)
A particular emphasis of our work on machine code verification is on using Coq as a place to do everything: modelling the machine, writing programs, assembling or compiling programs, and proving properties of programs.
Coq’s powerful notation feature makes it possible to write assembly programs, and higher-level language programs, inside Coq itself with no need for external tools."
Looks very promising! There is definitely something here!
throwaway198846•2mo ago
AdieuToLogic•2mo ago
volemo•2mo ago
addaon•2mo ago
volemo•2mo ago
graemep•2mo ago
Renaming languages to suit American taste really grates.
Nimrod to Nim was even worse. Apparently Americans cannot get Biblical references.
UltraSane•2mo ago
gryn•2mo ago
umanwizard•2mo ago
Also, “coq” and “cock” are not really pronounced the same either. The English word with the closest pronunciation to “coq” is “coke”.
Narishma•2mo ago
Wrong, it's pronounced exactly like the English "bit".
umanwizard•2mo ago
From Wiktionary, the pronunciation of English bit is /bɪt/, and French bite is /bit/. The sounds represented in IPA by ɪ and i are not the same, which is precisely why “bit” and “beet” sound different to Americans.
Narishma•2mo ago
umanwizard•2mo ago
I am a native speaker of American English and also speak French quite well. If you neither accept personal experience, nor what is written on Wiktionary, what evidence would you accept?
nothrabannosir•2mo ago
Rather than measuring whose French pedigree is longer, I will put down a wager on this. ₹3? :D
UltraSane•2mo ago
This French guy says it exactly like the English word beet.
https://www.merriam-webster.com/dictionary/bit
English bit.
https://www.merriam-webster.com/dictionary/beet
English beet
dugmartin•2mo ago
Bugs Bunny called Elmer Fudd "Nimrod" in a 1940's cartoon to sarcastically refer to Elmer as a great hunter. At that time I think most people probably got the biblical reference. Over time that word morphed into meaning something like an idiot to most Americans due to that cartoon.
The same thing happened to the word "Acme" - the coyote in the road runner cartoons bought all his devices from the "Acme Corporation". Acme means the best/peak and it was a sarcastic reference to none of the gadgets ever working. Now most American's think Acme means generic/bad.
They should have kept the name as Nimrod and named the package manager Acme instead of Nimble.