Fix floating-point remainder soundness and add soundness documentation#4570
Fix floating-point remainder soundness and add soundness documentation#4570feliperodri wants to merge 4 commits intomodel-checking:mainfrom
Conversation
github-actions
bot
added
Z-EndToEndBenchCI
The remainder (%) operator on floating-point types was incorrectly using CBMC's integer 'mod' operation, which CBMC silently ignores for floatbv types, producing incorrect verification results. Use the floatbv_mod binary operator for float/double operands, which correctly implements IEEE 754 fmod semantics matching Rust's % on floating-point types. Resolves model-checking#2669 Signed-off-by: Felipe R. Monteiro <felisous@amazon.com>
Document what Kani checks (always-on and opt-in), what it does not check, and known soundness caveats (CBMC backend, bounded verification, floating-point, object size limits, function pointers). Resolves model-checking#1495 Signed-off-by: Felipe R. Monteiro <felisous@amazon.com>
feliperodri
force-pushed
the
fix-soundness-issues
branch
from
d8f915d to
a6380e4
Compare
CBMC does not emit a 'division by zero' check for floatbv_mod (float remainder), unlike integer mod. Remove the expected line since the float remainder operator now correctly uses floatbv_mod. Signed-off-by: Felipe R. Monteiro <felisous@amazon.com>
…ixed The float remainder bug tracked by this fixme test is resolved by the floatbv_mod change. Remove the fixme suffix so it runs as a passing test in the kani suite instead of an expected-failure in kani-fixme. Signed-off-by: Felipe R. Monteiro <felisous@amazon.com>
|
Neither benchmark uses floating-point. Our change didn't cause this perf-benchcomp. These are solver runtime fluctuations: the SAT solver (CaDiCaL) is nondeterministic in its performance on shared CI runners. The same benchmarks that regressed on main (inet::checksum::tests::differential at 2.3x) are different from the ones regressing here, which confirms this is runner-level noise, not a code change effect. The perf-regression.yaml threshold is solver_runtime > 1.5x with a minimum of 10 seconds. These benchmarks are in the 35-82 second range where a 1.5-1.7x fluctuation is common on shared GitHub-hosted runners due to CPU contention from other jobs on the same host. This is not caused by the |
1 participant
Two soundness-related fixes:
Fix incorrect floating-point remainder (Incorrect floating point result with remainder (
%) operator #2669): The % operator onf32/f64was silently producing wrong results because Kani emitted CBMC's integer mod operation for floating-point operands. CBMC ignores integer mod on floatbv types, leading to incorrect verification results (false negatives).Add soundness documentation (Soundness documentation #1495): New docs/src/soundness.md page documenting what Kani checks, what it does not check, and known soundness caveats.
Fix for #2669
Added
FloatbvModas a newBinaryOperatorvariant that maps to CBMC'sfloatbv_modexpression, which implements IEEE 754 fmod semantics. TheExpr::rem()method now dispatches toFloatbvModfor floating-point operands and Mod for integers.Changes:
FloatbvModvariant, type validation, return type, and conditional dispatch inrem().FloatbvModIREP ID and string mapping.FloatbvMod→IrepId::FloatbvModconversion.Fix for #1495
New documentation page covering:
Resolves #2669
Resolves #1495
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.