4 B. Akbarpour et al.

and $-\ln(2)/64 \le r \le \ln(2)/64$. This $n$ is found by rounding $x(32/\ln(2))$ to the nearest integer. Now we decompose $n$ into its quotient and remainder when divided by 32, i.e. $n = 32m + j$ with $0 \le j \le 31$. Hence

$$e^x = e^{(32m+j)(\ln(2)/32)+r} = e^{\ln(2)m}\, e^{\ln(2)j/32}\, e^r = 2^m\, 2^{j/32}\, e^r$$

Values of $2^{j/32}$ for $0 \le j \le 31$ are pre-stored constants, and multiplication by $2^m$ is fast. Hence we just need to calculate $e^r$ for $r \in [-\ln(2)/64, \ln(2)/64]$. This is done by a lower-order polynomial approximation $p(r) \approx e^r - 1$, where:

$$p(r) = r + \frac{8388676}{2^{24}}\, r^2 + \frac{11184876}{2^{26}}\, r^3$$

The actual reconstruction of $e^x$, for reasons of accuracy, is done by:

$$e^x = 2^m \left(2^{j/32} + 2^{j/32}\, p(r)\right)$$

In fact, in order to achieve good accuracy, the above mathematical description is complicated slightly. The value $r$ is broken down into $r_1 + r_2$, where $r_2 \ll r_1$. Similarly the pre-stored constants $2^{j/32}$ are all stored as two separate arrays $S_{lead}$ and $S_{trail}$ with $2^{j/32} \approx S_{lead}(j) + S_{trail}(j)$ and $S_{trail}(j) \ll S_{lead}(j)$. This would avoid rounding errors as well as take care of the ordering of operations, hence making the actual code look a bit more complicated than the above mathematical description.

4. MODELING AND VERIFICATION METHODOLOGY

The verification process for the table-driven floating-point exponential function will be performed on many levels. Harrison [7] formalized and verified using the HOL Light theorem prover that a behavioral specification of the IEEE-754 table-driven floating-point exponential function implies its abstract mathematical counterpart. He also performed an error analysis between these two levels. For this, he first developed theories in HOL on construction of real numbers [16], and formalization of IEEE-754 standard-based floating-point arithmetic [7,17].
Then he used valuation functions to find the real value of the floating-point exponential function output, and defined the error as the difference between this value and the corresponding output of the ideal real exponential function. Then he established fundamental lemmas on error analysis of floating-point rounding and arithmetic operations against their abstract mathematical counterparts. Finally based on these lemmas, he proved that the floating-point exponential function algorithm has the correct overflow behavior and, in the absence of overflow, the error in the result is less than 0.54 units in the last place compared with the exact mathematical exponential function. He confirmed and strengthened the main results of the previously published error analysis in [8], though he uncovered a minor error in the hand proof and located a few subtle corners in the proof that a less careful worker might easily have overlooked. The error in postulated theorems was related to the forgetting of special or degenerate cases in IEEE floating-point such as NaNs and negative zeros.

After handling the transition from real to floating-point levels, we move to the RTL design. At this point, we use the standard HOL predicate approach to model the floating-point exponential function at the RTL, as developed by Bui et al. [9] using VHDL and Verilog, within the HOL environment. The last step is to verify this level using a classical hierarchical proof approach in HOL [37]. In this way, we hierarchically prove that the floating-point exponential function RTL implementation implies the high-level algorithmic specification that has already been related to the ideal real specification through the error analysis.
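The table-driven algorithm of Section 3 and the units-in-the-last-place error measure used above can be tried numerically. The following Python code is an added example, not code from the paper or from the verified design: it uses the coefficients of $p(r)$ given in the text, but as an assumption it carries out the intermediate arithmetic in double precision and rounds once to single precision, without the $r_1 + r_2$ and $S_{lead}$/$S_{trail}$ splits. The function names and the sample grid are constructed for illustration.

```python
import math
import struct

LN2 = math.log(2.0)
S = [2.0 ** (j / 32.0) for j in range(32)]  # pre-stored constants 2^(j/32)
A1 = 8388676 / 2 ** 24                      # r^2 coefficient of p(r) from the text
A2 = 11184876 / 2 ** 26                     # r^3 coefficient of p(r) from the text

def reduce_argument(x):
    """Return (m, j, r) with x = (32*m + j)*ln(2)/32 + r and 0 <= j <= 31."""
    n = round(x * 32.0 / LN2)   # nearest integer to x*(32/ln(2))
    m, j = divmod(n, 32)        # floor division keeps j in 0..31 for negative n
    r = x - n * LN2 / 32.0
    return m, j, r

def p(r):
    """Polynomial approximation p(r) ~ e^r - 1 on |r| <= ln(2)/64."""
    return r + A1 * r * r + A2 * r * r * r

def exp_table(x):
    """Reconstruct e^x = 2^m * (2^(j/32) + 2^(j/32) * p(r))."""
    m, j, r = reduce_argument(x)
    return math.ldexp(S[j] + S[j] * p(r), m)

def to_single(y):
    """Round a double to the nearest IEEE-754 single-precision value."""
    return struct.unpack("<f", struct.pack("<f", y))[0]

def ulp_error_single(x):
    """Error of the single-rounded result, in single-precision ulps of e^x."""
    exact = math.exp(x)                 # double-precision reference value
    _, e = math.frexp(exact)            # exact lies in [2^(e-1), 2^e)
    return abs(to_single(exp_table(x)) - exact) / math.ldexp(1.0, e - 24)

def worst_case(lo=-85.0, hi=85.0, steps=20001):
    """Scan a constructed grid (normal single range, no overflow).

    Returns (max |r|, max relative error before rounding, max ulp error)."""
    xs = [lo + (hi - lo) * i / (steps - 1) for i in range(steps)]
    max_r = max(abs(reduce_argument(x)[2]) for x in xs)
    max_rel = max(abs(exp_table(x) / math.exp(x) - 1.0) for x in xs)
    max_ulp = max(ulp_error_single(x) for x in xs)
    return max_r, max_rel, max_ulp

if __name__ == "__main__":
    print(worst_case())
```

With double-precision intermediates the polynomial contributes only a small fraction of a single-precision ulp, so the measured error is dominated by the final rounding; the hardware algorithm analysed in the paper works in single precision throughout, which is why its proved bound is the looser 0.54 ulp.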
The verification can be extended in HOL, following a similar approach, down to gate-level netlist implementation, machine synthesized using the Synopsys tool.

The overall modeling and verification process is described in Fig. 1, where the white boxes are the material provided by [7–9], while the shaded ones represent those developed in this work.

Let X be the input variable and E the corresponding output of the floating-point exponential function at the gate level; then our final goal is:

$$
\begin{aligned}
\vdash_{thm}\ \forall\, X\ E.\ & \mathrm{FP\_EXP\_GATE}\,(X, E) \Longrightarrow \\
& \mathrm{valof}\,(\mathrm{float}\,(E)) = \exp\,(\mathrm{valof}\,(\mathrm{float}\,(X))) + \mathrm{error}\,(X, E)\ \wedge \\
& \mathrm{abs}\,(\mathrm{error}\,(X, E)) \le \mathrm{error\_bound}\,(X, E)
\end{aligned}
\tag{1}
$$

Here FP_EXP_GATE is a predicate describing the floating-point exponential function at the gate level, and its input and output signals X and E are Boolean words. To relate these signals to the corresponding specifications in the floating-point and real domains, we make use of the bijection function float and the valuation function valof. Also, exp is the exponential function in the real domain available in the HOL transcendental functions theory (transc). The theorem states that the real value of the floating-point exponential function at the gate level is equal to the real value of the exponential function in the real domain plus an error, and also that the absolute value of the error is bounded by a certain value that depends on the range of the input and output numbers.

This goal cannot be reached directly, due to the very high abstraction gap between the gate and abstract mathematics levels as described above. Therefore, the proof scheme was changed to hierarchically prove that the gate level implies the more abstract RTL. Then this RTL was related, by a formal proof, to the behavioral specification. The latter was proved to imply the high-level real specification plus the error.
This can be formalized as follows in HOL:

$$
\vdash_{thm}\ \forall\, X\ E.\ \mathrm{FP\_EXP\_GATE}\,(X, E) \Longrightarrow \mathrm{FP\_EXP\_RTL}\,(X, E)
\tag{2}
$$

$$
\vdash_{thm}\ \forall\, X\ E.\ \mathrm{FP\_EXP\_RTL}\,(X, E) \Longrightarrow \mathrm{FP\_EXP\_ALGORITHM}\,(\mathrm{float}\,(X), \mathrm{float}\,(E))
\tag{3}
$$

$$
\begin{aligned}
\vdash_{thm}\ \forall\, X\ E.\ & \mathrm{FP\_EXP\_ALGORITHM}\,(\mathrm{float}\,(X), \mathrm{float}\,(E)) \Longrightarrow \\
& \mathrm{valof}\,(\mathrm{float}\,(E)) = \exp\,(\mathrm{valof}\,(\mathrm{float}\,(X))) + \mathrm{error}\,(X, E)\ \wedge \\
& \mathrm{abs}\,(\mathrm{error}\,(X, E)) \le \mathrm{error\_bound}\,(X, E)
\end{aligned}
\tag{4}
$$

The Computer Journal, 2009

Verification of IEEE-754 Floating-Point Exponential Function 5

FIGURE 1. Overview of the specification and verification methodology.

In these formulas, FP_EXP_RTL and FP_EXP_ALGORITHM are predicates describing the floating-point exponential function at the RTL and algorithmic levels, respectively. Note that the inputs and outputs at the RTL are still Boolean; however, at the algorithmic level they have floating-point type, and we use the data conversion function float to convert the variables from the Boolean type to the IEEE-754 standard-based floating-point type. Also, as can be understood from the theorems, there are no finite precision effects in the transition from gate level to RTL, and also from the RTL to the algorithmic level; therefore, the corresponding correctness theorems are described as purely logical implications. However, for the transition from the algorithmic level to the abstract mathematical real number domain, we should consider the effects of finite precision between floating-point numbers and real numbers and conduct an error analysis to bound the corresponding error. Finally, using Equations (2)–(4), we can reach the final goal stated in Equation (1).

Due to the high modularity of the design, the goals of Equations (2) and (3) could be extended to the specification and implementation of sublevel modules, and then the verification continues with these sublevel modules. These proofs were then composed to yield the original goals.

5. FORMAL SPECIFICATION AND IMPLEMENTATION OF THE EXPONENTIAL FUNCTION

In this section we describe the formal specification and implementation of the IEEE-754 floating-point exponential function in the HOL theorem prover. The verification details will be discussed in the next section.

5.1. Formal specification of the exponential function

The original analysis of the floating-point exponential function at the algorithmic level was performed by Harrison [7] using the HOL Light theorem prover. In this work, we ported the code from HOL Light to HOL4, Kananaskis-4. We modeled the algorithmic specification of the floating-point exponential function as a predicate in HOL as follows: