On Formal Verification in Imperative Multivalued Programming over Continuous Data Types

Authors

  • Norbert Th. Müller
  • Sewon Park
  • Norbert Preining
  • Martin Ziegler
Abstract

Inspired and guided by the iRRAM C++ library (Müller 2001), we formally specify a programming language for the paradigm of Exact Real Computation (ERC): reliably operating on encapsulated continuous data types such as (not necessarily algebraic) real numbers — imperatively and exactly (no rounding errors) with primitives computable in the sense of Recursive Analysis, including a necessarily modified multivalued (= non-functional) semantics of tests. Three simple numerical problems demonstrate the elegance and convenience of writing programs handling real real numbers: integer rounding, solving systems of linear equations, and continuous root finding. We establish Turing-completeness over the reals: a partial function $f :\subseteq \mathbb{R} \times \mathbb{Z} \to \mathbb{R}$ is computable (in the sense of Recursive Analysis) iff it can be expressed in ERC. For rigorously specifying and arguing about such computations in Mathematical Logic, we then propose a decidable first-order theory over two sorts, integers and real numbers. We extend the rules of Hoare Logic to support the formal derivation of correctness proofs in ERC; and we have them, including their real quantification, verified in the Coq Proof Assistant.

arXiv:1608.05787v2 [cs.NA] 21 Nov 2017
Running header: Gyesik Lee, Norbert Müller, Eike Neumann, Sewon Park, Norbert Preining, Martin Ziegler

1 Motivation, Introduction, Overview

Correctness is a core of Computer Science: reliably building from single silicon gates via circuits, microprocessor hardware, operating system kernel, libraries, compilers/interpreters, to high-level user programs. Based on mathematical logic, the Theory of Computation collects fundamental concepts and methods devised to help assert correctness on each level and allow for modern modular software engineering. These include specification, algorithm design and analysis, models of computation, semantics of operational primitives, measures of cost, and formal verification — for problems over discrete structures: common continuous realms like real numbers and functions, regularly attributed to numerics, arguably lag behind regarding a rigorous treatment [22, p.412] of their heuristics and ‘recipes’ [32]. Although empirically often successful, numerical computations may be erroneous — with dramatic consequences [34, 19, 18], yet facilitated by complex [26] or vague specifications [30, e04bbc]. Recursive Analysis offers a sound foundation of numerical computation over real numbers, functions, and compact Euclidean subsets [36]: A real number $x$ is computable if some Turing machine can, given $p \in \mathbb{Z}$, produce the numerator $a_p \in \mathbb{Z}$ of a dyadic rational $a_p \cdot 2^{-p}$ approximating $x$ up to absolute error $2^{-p}$. Computing a partial function $f :\subseteq \mathbb{R}^d \times \mathbb{Z} \to \mathbb{R}$ means to convert any integer sequence $(\vec a_p)$ and $j \in \mathbb{Z}$ with $\|\vec x - \vec a_p \cdot 2^{-p}\| \le 2^{-p}$ for $(\vec x, j) \in \mathrm{dom}(f)$ into a sequence $(b_q) \subseteq \mathbb{Z}$ with $|f(\vec x, j) - b_q \cdot 2^{-q}| \le 2^{-q}$. This notion has pleasant properties (such as closure under composition) and renders arithmetic as well as many transcendental functions computable. Moreover it reflects the cost of contemporary approaches determining π up to billions of digits, that is, up to absolute error $\varepsilon = 2^{-n}$ for $n \approx 10$ within time polynomial in the binary† precision parameter $n$. However the underlying Turing machine model is inconvenient to code in practice [3]. The algebraic model [35, 5] on the other hand is intuitive and implicitly prevalent but neglects the cost of internal precision, and its test for equality exhibits superrecursive power [6]. Reconciling and combining the best of both worlds, and inspired by [8], the free C++ library iRRAM [28] provides via object-oriented overloading a data type REAL for (not necessarily algebraic) real numbers: with simultaneously exact and computable primitives by introducing a modified — namely either partial or multivalued (aka non-functional) — semantics of comparisons. Indeed multivaluedness is well known to be inherent to reliable real computation [23, 31].

∗ Based on preprint arXiv:1608.05787v1, we thank Franz Brauße, Cyril Cohen, Pieter Collins, Jeehoon Kang, Johannes Kanig, Sunyoung Kim, and Michal Konečný for seminal discussions — and the referees for helpful feedback. This work was supported by the International Research & Development Program of the National Research Foundation of Korea (NRF) funded by the Ministry of Science and ICT (grant NRF-2016K1A3A7A03950702) and by the European Union’s Horizon 2020 MSCA IRSES project 731143.
† A runtime polynomial in the unary precision parameter $1/\varepsilon$ would be meaningless here. Theorem 3 gives another reason for preferring binary over unary precision.

The present work establishes a theoretical foundation to the above implementation. Section 2 below captures the Exact Real Computation (ERC) paradigm in a formal language for imperative programming over real numbers as abstract data type. The convenience of programming in ERC with modified semantics of comparisons and dealing with multivaluedness/non-functionality in loops and conditional statements is demonstrated in Section 3 with rigorous algorithms for three numerical example problems: (I) multivalued integer rounding, (II) Gaussian Elimination with matrix rank given, and (III) simple single 1D root finding. Theorem 2 asserts that a real function is computable in the sense of Recursive Analysis iff it can be expressed in ERC: Turing-completeness over the reals. We then propose (Section 4) a two-sorted logical structure for rigorously specifying and arguing about the behaviour of such programs; and show its first-order theory decidable (Theorem 3). For verifying program correctness formally, Section 5 adapts and extends the classical Floyd-Hoare Logic to this structure. As proof (pun) of concept, Section 6 applies said extension to the aforementioned root-finding Algorithm (III); and we have this correctness proof, based on the inherently real Intermediate Value Theorem, formally verified in Section 7 using the Coq Proof Assistant. We are convinced that the elegance and verifiability of algorithms in this imperative programming language for real numbers (as opposed to floating point, rational, algebraic numbers, intervals, or sequences of approximations) will simplify rigorous numerical software development [29] and enable rigorous software engineering in Reliable Numerics.

1.1 Related Work

IEEE 754 is the common standard for hardware-supported (and thus extremely fast) floating-point data types. Their fixed precision and truncation errors cause violations of (or at least heavily complicate) common mathematical properties such as distributivity or the Intermediate Value Theorem. The many rounding modes and other cases (underflow, overflow, NaN) make algorithm verification a real (pun) challenge [7]. ERC introduces a new layer of abstraction: building and relying on correct implementation of the operational semantics on real numbers axiomatized in Definition 1 below — similarly to regular high-level programs building and relying on correct compilers, libraries, operating systems, and hardware. It roughly corresponds to Level III of the Core library where, however, the classical/naïve semantics of tests spoils closure under composition [39, p.325]. Indeed, equality of real (as opposed to, say, algebraic) numbers is well known to be equivalent to the complement of the Halting Problem [36, Exercise 4.2.9]; whereas algebraic numbers, as supported for instance by the LEDA library [25], are insufficient for important transcendental functions like exp or ln. Multiprecision calculations, interval arithmetic, Domain Theory, and operating on streams of approximations are common approaches to transcendental computation — yet arguably inconvenient due to the necessity to keep track of the error accumulation and providing only a posteriori bounds [9]. Functional programming can avoid these disadvantages [17, 14], but still lacks broad practical dissemination.

2 Programming Language for Exact Real Computation

“Don’t test for equality!” may be the first lesson in Numerical Programming 101. Indeed, inequality of real (and not just, say, algebraic) numbers is well known to be equivalent to the Halting Problem [36, Exercise 4.2.9]. But which comparisons are permitted, then? Strict inequality “$x > 0$” would allow expressing equality via the Boolean combination “$\neg(x > 0) \wedge \neg(-x > 0)$”. This paradox can be avoided, while maintaining exact arithmetic on real numbers, by replacing the naïve semantics with either a partial or a multivalued/non-functional one. Recall that a partial multivalued‡ mapping $f :\subseteq X \to Y$ (aka search problem) is simply a relation $f \subseteq X \times Y$, considered as total function $f : X \ni x \mapsto \{y \in Y : (x, y) \in f\}$; with the understanding that an algorithm computing $f$ may, given $x \in \mathrm{dom}(f) = \{x : f(x) \neq \emptyset\}$, return any $y \in f(x)$. Single-valuedness/functionality thus means singleton values.

Definition 1 (Exact Real Computation). Consider WHILE programs [15, §1.2.3] with two separate data types: integers $\mathbb{Z}$ for counters/Booleans (0 = false, 1 = true) and reals $\mathbb{R}$, connected by the binary precision embedding $\iota : \mathbb{Z} \ni p \mapsto 2^{p} \in \mathbb{R}$. Perusing C++ notation for illustration purposes, a (possibly partial, but functional) real-valued function $f :\subseteq \mathbb{R}^d \times \mathbb{Z} \to \mathbb{R}$ is declared as REAL f(INTEGER p, REAL x1, ..., xd, INTEGER j); with one additional integer precision parameter $p$. It receives arguments $j \in \mathbb{Z}$ and $x_1, \ldots, x_d \in \mathbb{R}$ exactly; and has to return a real approximation $z$ to $y := f(x_1, \ldots, x_d, j)$ up to absolute error $\le 2^{p}$: provided $(x_1, \ldots, x_d, j) \in \mathrm{dom}(f)$; otherwise it may behave arbitrarily. Let +, -, *, / denote the usual arithmetic on real numbers: exactly! Moreover, > and choose§ denote the following single-valued partial comparison and multivalued partial predicate: $(x > y) =$
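The approximation-function view of a real number from the introduction, and the partial comparison and multivalued test of Definition 1, worked through as an added Python model. This is example code written for this page, not the paper's ERC language, its Algorithms (I)–(III), or the iRRAM library. It assumes the Recursive Analysis convention quoted above, an integer a_p with |x − a_p·2^{-p}| ≤ 2^{-p}, for its own `Real` class; the names `Real`, `gt`, `choose`, `round_mv`, `HALF_ALT` and `root` are the example's own, and the trisection root finder and the rounding routine are the example's reconstruction of how such algorithms can be written on top of `choose`, not the paper's versions.

```python
# Added example for this page (not code from the paper, its ERC language, or the
# iRRAM library): reals as approximation functions, exact arithmetic, a partial
# comparison `gt` and a multivalued `choose`.  Convention assumed here:
# x.approx(p) returns an integer a_p with |x - a_p * 2^-p| <= 2^-p, for p >= 0.
import math
from fractions import Fraction


class Real:
    """A real number x, accessible only through x.approx(p)."""

    def __init__(self, approx):
        self.approx = approx

    @staticmethod
    def of(q):
        """Embed an exact rational (int, Fraction or a string like '7/3')."""
        q = Fraction(q)
        return Real(lambda p: round(q * Fraction(2) ** p))  # |round(t) - t| <= 1/2

    def __neg__(self):
        return Real(lambda p: -self.approx(p))

    def __add__(self, other):
        def approx(p):
            # at scale 2^-(p+2) the sum has error <= 2^-(p+1); rounding back to
            # scale 2^-p adds at most 2^-(p+1), so the total stays <= 2^-p
            s = self.approx(p + 2) + other.approx(p + 2)
            return round(Fraction(s, 4))
        return Real(approx)

    def __sub__(self, other):
        return self + (-other)

    def __mul__(self, other):
        # a-priori bounds |x| <= bx, |y| <= by taken from the coarsest approximants
        bx = abs(self.approx(0)) + 1
        by = abs(other.approx(0)) + 1
        k = (bx + by + 1).bit_length()  # 2^k > bx + by + 1

        def approx(p):
            q = p + 2 + k  # product of the q-approximants has error < 2^-(p+2)
            prod = self.approx(q) * other.approx(q)  # value at scale 2^-2q
            return round(Fraction(prod) / Fraction(2) ** (2 * q - p))
        return Real(approx)


def gt(x, y, max_p=200):
    """Partial comparison x > y, decided once the approximants separate.
    For x == y the ERC test never returns; the cap max_p only makes this
    model raise instead of looping forever."""
    for p in range(max_p):
        d = x.approx(p) - y.approx(p)  # both sides are within 2^-p, so |d| > 2 decides
        if d > 2:
            return True
        if d < -2:
            return False
    raise RuntimeError("x > y undefined up to this precision (operands may be equal)")


def choose(*conds, max_p=200):
    """Multivalued test: each cond is a pair (x, y) standing for 'x > y'.
    Returns the index of some true condition; defined only if one is true.
    The index depends on the approximants, not only on the real numbers,
    which is the non-functional semantics the page describes."""
    for p in range(max_p):
        for i, (x, y) in enumerate(conds):
            if x.approx(p) - y.approx(p) > 2:
                return i
    raise RuntimeError("choose undefined up to this precision (no condition holds)")


def round_mv(x):
    """Multivalued integer rounding: some integer k with |x - k| < 1."""
    a = x.approx(2)               # |x - a/4| <= 1/4
    return round(Fraction(a, 4))  # |k - a/4| <= 1/2, hence |x - k| <= 3/4


# A second valid approximation function for 1/2 (a_p = floor(2^(p-1)) + 1 is
# within 2^-p of 1/2); it rounds to 1 where Real.of('1/2') rounds to 0.
HALF_ALT = Real(lambda p: math.floor(Fraction(2) ** (p - 1)) + 1)


def root(f, a, b, p):
    """Trisection root finding for continuous f with f(a) < 0 < f(b) and a
    unique root in [a, b]; returns a rational within 2^-p of the root.
    Deciding between the two inner points with choose means f is never
    tested for equality with 0."""
    a, b = Fraction(a), Fraction(b)
    zero = Real.of(0)
    while b - a > Fraction(2) ** -p:
        m1, m2 = a + (b - a) / 3, a + 2 * (b - a) / 3
        # with a unique root, f(m1) < 0 or f(m2) > 0 must hold, so choose is defined
        if choose((zero, f(Real.of(m1))), (f(Real.of(m2)), zero)) == 0:
            a = m1  # f(m1) < 0: the root lies in [m1, b]
        else:
            b = m2  # f(m2) > 0: the root lies in [a, m2]
    return a


if __name__ == "__main__":
    r = root(lambda x: x * x - Real.of(2), 1, 2, 20)  # sqrt(2) to within 2^-20
    print(float(r), round_mv(Real.of("1/2")), round_mv(HALF_ALT))
```

`round_mv(Real.of("1/2"))` and `round_mv(HALF_ALT)` are the same real number going in and two different integers (0 and 1) coming out, both within distance 1 of 1/2: that is the multivaluedness the page insists on, and it is why a specification of such a routine has to be a relation rather than a function. `gt` on two equal reals never separates the approximants, matching the page's remark that equality of reals is undecidable, whereas `root` only ever asks `choose` questions of which at least one is true, so every test it performs terminates.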


Journal:
  • CoRR

Volume abs/1608.05787  Issue

Pages  -

Publication date 2016