Improved real float modeling #192
Conversation
|
So, the model as written is unsound, as it allows me to coerce the verifier to prove |
| ensures (float___is_inf__(self, false) == true && float___is_inf__(other, false) == true) || | ||
| (float___is_inf__(self, true) == true && float___is_inf__(other, true) == true) ==> | ||
| result == float___box_nan() | ||
| ensures (float___is_inf__(self, false) == true && float___is_inf__(other, false) == false && float___is_nan__(other)) == false || |
There was a problem hiding this comment.
Closing parenthesis is in the wrong place, should be after == false, right?
There was a problem hiding this comment.
Yes, that's definitely a typo. I'll get that fixed...
| ensures (float___is_inf__(other, false) == true && float___is_inf__(self, false) == true) || | ||
| (float___is_inf__(other, true) == true && float___is_inf__(self, true) == true) ==> | ||
| result == float___box_nan() | ||
| ensures (float___is_inf__(other, false) == true && float___is_inf__(self, false) == false && float___is_nan__(self)) == false || |
|
So it appears that the main issue was the way I've tested the changes together with the rounding error issue when translating float literals. The verifier would encounter an assert such as I've tried removing the offending assertions and using values with exact representations while keeping all parts involving any special values and the issue goes away. |
|
I think it was the typo in the postcondition? Even if you remove the asserts that didn't pass you could still prove false in the end, or at least I could locally. |
|
Oh yes, but I could still make it prove |
|
Besides the bug, I've added a contract function The cleanest way would have been to model the existing |
|
I think we can merge this now, right? |
|
I'd say so, yes. |
Add support for infinity and NaN values to the real number based float model.
This change is