Integrate FloVer with the RealCake work

Author: HeikoBecker

icing/flover/.HOLCOMMIT

@@ -0,0 +1 @@
+cf32220437a948e43d98b65374ff189830d0baf2

icing/flover/CertificateCheckerScript.sml

@@ -0,0 +1,161 @@
+(**
+  This file contains the HOL4 implementation of the certificate checker as well
+  as its soundness proof. The checker is a composition of the range analysis
+  validator and the error bound validator. Running this function on the encoded
+  analysis result gives the desired theorem as shown in the soundness theorem.
+**)
+open simpLib realTheory realLib RealArith RealSimpsTheory;
+open AbbrevsTheory ExpressionsTheory FloverTactics ExpressionAbbrevsTheory
+     ExpressionSemanticsTheory ErrorBoundsTheory IntervalArithTheory
+     RealRangeArithTheory IntervalValidationTheory ErrorValidationTheory
+     ssaPrgsTheory FPRangeValidatorTheory TypeValidatorTheory FloverMapTheory;
+
+open preambleFloVer;
+
+val _ = new_theory "CertificateChecker";
+val _ = temp_overload_on("abs",``real$abs``);
+
+(** Certificate checking function **)
+Definition CertificateChecker_def:
+  CertificateChecker (e:real expr) (A:analysisResult) (P:precond)
+     (defVars: typeMap)=
+  (case getValidMap defVars e FloverMapTree_empty of
+  | Fail s => NONE
+  | FailDet _ _ => NONE
+  | Succes Gamma =>
+    if (validIntervalbounds e A P LN /\
+        FPRangeValidator e A Gamma LN)
+    then
+      if validErrorbound e Gamma A LN
+      then SOME Gamma
+      else NONE
+    else NONE)
+End
+
+(**
+   Soundness proof for the certificate checker.
+   Apart from assuming two executions, one in R and one on floats, we assume that
+   the real valued execution respects the precondition.
+**)
+Theorem Certificate_checking_is_sound:
+  !(e:real expr) (A:analysisResult) (P:precond) (E1 E2:env) defVars fVars Gamma.
+      (!v.
+          v IN (domain fVars) ==>
+          ?vR.
+            (E1 v = SOME vR) /\
+            FST (P v) <= vR /\ vR <= SND (P v)) /\
+      (domain (usedVars e)) SUBSET (domain fVars) /\
+      CertificateChecker e A P defVars = SOME Gamma /\
+      approxEnv E1 (toRExpMap Gamma) A fVars LN E2 ==>
+      ?iv err vR vF m.
+        FloverMapTree_find e A = SOME (iv,err) /\
+        eval_expr E1 (toRTMap (toRExpMap Gamma)) (toREval e) vR REAL /\
+        eval_expr E2 (toRExpMap Gamma) e vF m /\
+        (!vF m.
+           eval_expr E2 (toRExpMap Gamma) e vF m ==>
+           abs (vR - vF) <= err /\ validFloatValue vF m)
+Proof
+(**
+   The proofs is a simple composition of the soundness proofs for the range
+   validator and the error bound validator.
+**)
+  simp [CertificateChecker_def]
+  \\ rpt strip_tac
+  \\ Cases_on `getValidMap defVars e FloverMapTree_empty` \\ fs[]
+  \\ IMP_RES_TAC getValidMap_top_correct
+  \\ rveq
+  \\ `validTypes e Gamma`
+    by (first_x_assum irule
+        \\ fs[FloverMapTree_empty_def, FloverMapTree_mem_def, FloverMapTree_find_def])
+  \\ drule validIntervalbounds_sound
+  \\ rpt (disch_then drule)
+  \\ disch_then (qspecl_then [`fVars`,`E1`, `Gamma`] destruct)
+  \\ fs[dVars_range_valid_def, fVars_P_sound_def]
+  \\ drule validErrorbound_sound
+  \\ rpt (disch_then drule)
+  \\ IMP_RES_TAC validRanges_single
+  \\ disch_then (qspecl_then [`vR`, `err`, `FST iv`, `SND iv`] destruct)
+  \\ fs[]
+  \\ rpt (find_exists_tac \\ fs[])
+  \\ rpt strip_tac
+  >- (first_x_assum irule \\ fs[]
+      \\ asm_exists_tac \\ fs[])
+  \\ drule FPRangeValidator_sound
+  \\ rpt (disch_then drule)
+  \\ disch_then irule \\ fs[]
+QED
+
+Definition CertificateCheckerCmd_def:
+  CertificateCheckerCmd (f:real cmd) (absenv:analysisResult) (P:precond)
+     defVars =
+    (case getValidMapCmd defVars f FloverMapTree_empty of
+    | Fail _ => NONE
+    | FailDet _ _ => NONE
+    | Succes Gamma =>
+      if (validSSA f (freeVars f))
+        then
+          if ((validIntervalboundsCmd f absenv P LN) /\
+             FPRangeValidatorCmd f absenv Gamma LN)
+          then
+            if validErrorboundCmd f Gamma absenv LN
+            then SOME Gamma
+            else NONE
+          else NONE
+          else NONE)
+End
+
+Theorem CertificateCmd_checking_is_sound:
+  !(f:real cmd) (A:analysisResult) (P:precond) defVars
+     (E1 E2:env) (fVars:num_set) Gamma.
+      (!v.
+          v IN (domain (freeVars f)) ==>
+          ?vR.
+            (E1 v = SOME vR) /\
+            FST (P v) <= vR /\ vR <= SND (P v)) /\
+      domain (freeVars f) SUBSET (domain fVars) /\
+      CertificateCheckerCmd f A P defVars = SOME Gamma /\
+      approxEnv E1 (toRExpMap Gamma) A (freeVars f) LN E2 ==>
+        ?iv err vR vF m.
+          FloverMapTree_find (getRetExp f) A = SOME (iv, err) /\
+          bstep (toREvalCmd f) E1 (toRTMap (toRExpMap Gamma)) vR REAL /\
+          bstep f E2 (toRExpMap Gamma) vF m /\
+          (!vF m. bstep f E2 (toRExpMap Gamma) vF m ==> abs (vR - vF) <= err)
+Proof
+  simp [CertificateCheckerCmd_def]
+  \\ rpt strip_tac
+  \\ Cases_on `getValidMapCmd defVars f FloverMapTree_empty` \\ fs[]
+  \\ rveq \\ imp_res_tac getValidMapCmd_correct
+  \\ `validTypesCmd f Gamma`
+    by (first_x_assum irule
+        \\ fs[FloverMapTree_empty_def, FloverMapTree_mem_def, FloverMapTree_find_def])
+  \\ `?outVars. ssa f (freeVars f) outVars` by (match_mp_tac validSSA_sound \\ fs[])
+  \\ qspecl_then
+       [`f`, `A`, `E1`, `freeVars f`, `LN`, `outVars`, `P`, `Gamma`]
+       destruct validIntervalboundsCmd_sound
+  \\ fs[dVars_range_valid_def, fVars_P_sound_def]
+  \\ IMP_RES_TAC validRangesCmd_single
+  \\ qspecl_then
+       [`f`, `A`, `E1`, `E2`, `outVars`, `freeVars f`, `LN`, `vR`, `FST iv_e`,
+        `SND iv_e`, `err_e`, `m`, `Gamma`]
+       destruct validErrorboundCmd_gives_eval
+  \\ fs[]
+  \\ rpt (find_exists_tac \\ fs[])
+  \\ rpt strip_tac
+  \\ drule validErrorboundCmd_sound
+  \\ rpt (disch_then drule)
+  \\ rename1 `bstep f E2 _ vF2 m2`
+  \\ disch_then
+      (qspecl_then
+        [`outVars`, `vR`, `vF2`, `FST iv_e`, `SND iv_e`, `err_e`, `m2`] destruct)
+  \\ fs[]
+QED
+
+Theorem CertificateCheckerCmd_Gamma_is_getValidMapCmd:
+  CertificateCheckerCmd f A P dVars = SOME Gamma ⇒
+  getValidMapCmd dVars f FloverMapTree_empty = Succes Gamma
+Proof
+  fs[CertificateCheckerCmd_def]
+  \\ rpt (TOP_CASE_TAC \\ fs[])
+QED
+
+val _ = export_theory();

icing/flover/CertificateGeneratorScript.sml

@@ -0,0 +1,48 @@
+open RealIntervalInferenceTheory ErrorIntervalInferenceTheory ExpressionsTheory
+     FloverMapTheory TypeValidatorTheory CommandsTheory AbbrevsTheory
+     ExpressionAbbrevsTheory;
+open preambleFloVer;
+
+val _ = new_theory "CertificateGenerator";
+
+val CertificateGeneratorExp_def = Define `
+  CertificateGeneratorExp (f:real expr) (P:precond) (Gamma:typeMap)
+    :(real expr # precond # typeMap # analysisResult) option =
+    let
+      ivMap = inferIntervalbounds f P FloverMapTree_empty;
+      fullTMap = getValidMap Gamma f FloverMapTree_empty;
+    in
+      case ivMap, fullTMap of
+      | SOME ivMap, Succes tMap =>
+        (case inferErrorbound f tMap ivMap FloverMapTree_empty of
+        | SOME errMap => SOME (f,P,Gamma,errMap)
+        | NONE => NONE)
+      | _, _ => NONE`;
+
+val getExp_def = Define `
+  getExp (f, P, Gamma, errMap) = f`;
+
+val getError_def = Define `
+  getError (f, P, Gamma, errMap) = FloverMapTree_find f errMap`;
+
+val CertificateGeneratorCmd_def = Define `
+  CertificateGeneratorCmd (f:real cmd) (P:precond) (Gamma:typeMap)
+    :(real cmd # precond # typeMap # analysisResult) option =
+    let
+      ivMap = inferIntervalboundsCmd f P FloverMapTree_empty;
+      fullTMap = getValidMapCmd Gamma f FloverMapTree_empty;
+    in
+      case ivMap, fullTMap of
+      | SOME ivMap, Succes tMap =>
+        (case inferErrorboundCmd f tMap ivMap FloverMapTree_empty of
+        | SOME errMap => SOME (f,P,Gamma,errMap)
+        | NONE => NONE)
+      | _, _ => NONE`;
+
+val getCmd_def = Define `
+  getCmd (f, P, Gamma, errMap) = f`;
+
+val getError_def = Define `
+  getError (f, P, Gamma, errMap) = FloverMapTree_find (getRetExp f) errMap`;
+
+val _ = export_theory ();

icing/flover/EnvironmentsScript.sml

@@ -0,0 +1,158 @@
+open simpLib realTheory realLib RealArith sptreeTheory;
+open AbbrevsTheory ExpressionAbbrevsTheory RealSimpsTheory CommandsTheory
+     FloverTactics FloverMapTheory MachineTypeTheory;
+open preambleFloVer;
+
+val _ = new_theory "Environments";
+
+val _ = temp_overload_on("abs",``real$abs``);
+
+Definition approxEnv_def:
+  approxEnv E1 Gamma absEnv (fVars:num_set) (dVars:num_set) E2 =
+    ((* No variable defined twice *)
+    domain fVars INTER domain dVars = EMPTY ∧
+    (* environments are only defined for the domain *)
+    (∀ x. ~ (x IN (domain fVars UNION domain dVars)) ⇒
+       E1 x = NONE ∧ E2 x = NONE) ∧
+    (* All free variables are bounded in error by their machine epsilon *)
+    (∀ x. x IN domain fVars ⇒
+       ∃ m v1 v2.
+         Gamma (Var x) = SOME m ∧
+         E1 x = SOME v1 ∧
+         E2 x = SOME v2 ∧
+         abs (v1 - v2) ≤ computeError v1 m) ∧
+    (* All bound variables are bounded in error by their inferred bound *)
+    (∀ x. x IN domain dVars ⇒
+      ∃ m iv err v1 v2.
+        Gamma (Var x) = SOME m ∧
+        E1 x = SOME v1 ∧
+        E2 x = SOME v2 ∧
+        FloverMapTree_find (Var x) absEnv = SOME (iv, err) ∧
+        abs (v1 - v2) ≤ err))
+End
+
+Theorem approxEnvRefl:
+  approxEnv emptyEnv Gamma A LN LN emptyEnv
+Proof
+  simp[approxEnv_def]
+QED
+
+Theorem approxEnvUpdFree:
+(!(E1:env) (E2:env) (Gamma: real expr -> mType option) (A:analysisResult)
+    (fVars:num_set) (dVars:num_set) v1 v2 x.
+      approxEnv E1 Gamma A fVars dVars E2 /\
+      (Gamma (Var x) = SOME m) /\
+      (abs (v1 - v2) <= computeError v1  m) /\
+      (lookup x (union fVars dVars) = NONE) ==>
+      approxEnv (updEnv x v1 E1)
+                Gamma A (insert x () fVars) dVars
+                (updEnv x v2 E2))
+Proof
+  rw[] \\ fs[approxEnv_def] \\ rpt conj_tac
+  >- (
+   fs[EXTENSION, lookup_union, option_case_eq]
+   \\ CCONTR_TAC \\ fs[] \\ rveq
+   \\ metis_tac[domain_lookup])
+  >- (
+   rpt strip_tac \\ rveq \\ res_tac
+   \\ fsrw_tac [SATISFY_ss] []
+   \\ ‘x' ≠ x’
+      by (CCONTR_TAC \\ fs[] \\ rveq
+          \\ fs[lookup_union, option_case_eq, domain_lookup])
+   \\ fs[])
+  \\ rpt strip_tac \\ res_tac \\ fsrw_tac [SATISFY_ss] []
+   \\ ‘x' ≠ x’
+      by (CCONTR_TAC \\ fs[] \\ rveq
+          \\ fs[lookup_union, option_case_eq, domain_lookup])
+   \\ fs[]
+QED
+
+Theorem approxEnvUpdBound:
+  ∀ (E1:env) (E2:env) (Gamma: real expr -> mType option) (A:analysisResult)
+    (fVars:num_set) (dVars:num_set) v1 v2 x iv err.
+      approxEnv E1 Gamma A fVars dVars E2 /\
+      Gamma (Var x) = SOME m /\
+      FloverMapTree_find (Var x) A = SOME (iv,err) /\
+      abs (v1 - v2) <= err /\
+      (lookup x (union fVars dVars) = NONE) ==>
+      approxEnv (updEnv x v1 E1)
+                Gamma A fVars (insert x () dVars)
+                (updEnv x v2 E2)
+Proof
+  rw[] \\ fs[approxEnv_def] \\ rpt conj_tac
+  >- (
+   fs[EXTENSION, lookup_union, option_case_eq]
+   \\ CCONTR_TAC \\ fs[] \\ rveq
+   \\ metis_tac[domain_lookup])
+  >- (
+   rpt strip_tac \\ rveq \\ res_tac
+   \\ fsrw_tac [SATISFY_ss] []
+   \\ ‘x' ≠ x’
+      by (CCONTR_TAC \\ fs[] \\ rveq
+          \\ fs[lookup_union, option_case_eq, domain_lookup])
+   \\ fs[])
+  \\ rpt strip_tac \\ res_tac \\ fsrw_tac [SATISFY_ss] []
+   \\ ‘x' ≠ x’
+      by (CCONTR_TAC \\ fs[] \\ rveq
+          \\ fs[lookup_union, option_case_eq, domain_lookup])
+   \\ fs[]
+QED
+
+val approxEnv_rules = LIST_CONJ [approxEnvRefl, approxEnvUpdFree, approxEnvUpdBound]
+val _ = save_thm ("approxEnv_rules", approxEnv_rules);
+
+Theorem approxEnv_gives_value:
+  !E1 E2 x v (fVars:num_set) (dVars:num_set) absenv Gamma.
+    approxEnv E1 Gamma absenv fVars dVars E2 /\
+    E1 x = SOME v /\
+    x IN ((domain fVars) UNION (domain dVars)) ==>
+    ?v2. E2 x = SOME v2
+Proof
+  rw[approxEnv_def] \\ res_tac \\ fsrw_tac [SATISFY_ss] []
+QED
+
+Theorem approxEnv_fVar_bounded:
+  !E1 Gamma absenv fVars dVars E2 x v v2 m.
+      approxEnv E1 Gamma absenv fVars dVars E2 /\
+      E1 x = SOME v /\
+      E2 x = SOME v2 /\
+      x IN (domain fVars) /\
+      Gamma (Var x) = SOME m ==>
+      abs (v - v2) <= computeError v m
+Proof
+  rw[approxEnv_def] \\ res_tac \\ fs[]
+  \\ metis_tac[]
+QED
+
+Theorem approxEnv_dVar_bounded:
+  !E1 (Gamma:real expr -> mType option) (A:analysisResult) fVars dVars E2 x v v2 m iv e.
+      approxEnv E1 Gamma A fVars dVars E2 /\
+      E1 x = SOME v /\
+      E2 x = SOME v2 /\
+      x IN (domain dVars) /\
+      Gamma (Var x) = SOME m /\
+      FloverMapTree_find (Var x) A = SOME (iv, e) ==>
+      abs (v - v2) <= e
+Proof
+  rw[approxEnv_def] \\ res_tac \\ fs[]
+  \\ metis_tac[]
+QED
+
+Theorem approxEnv_refl:
+  ∀ fVars dVars E1 Gamma A.
+  (domain fVars INTER domain dVars = EMPTY) ∧
+  (∀ x. x IN (domain fVars) UNION (domain dVars) ⇒
+   ∃ v. E1 x = SOME v) ∧
+  (∀ x. ~ (x IN (domain fVars) UNION (domain dVars)) ⇒
+   E1 x = NONE) ∧
+  (∀ x. x IN (domain dVars) ⇒ ∃ err iv. FloverMapTree_find (Var x) A = SOME (iv, err) ∧ 0 ≤ err) ∧
+  (∀ x. x IN (domain fVars) UNION (domain dVars) ⇒
+   ∃ m. Gamma (Var x) = SOME m) ⇒
+  approxEnv E1 Gamma A fVars dVars E1
+Proof
+  rw[approxEnv_def] \\ res_tac \\ fsrw_tac [SATISFY_ss] []
+  \\ Cases_on ‘m’ \\ fs[mTypeToR_pos]
+  \\ irule computeError_pos
+QED
+
+val _ = export_theory ();;