arXiv:0708.3721v1 [cs.MS] 28 Aug 2007 upre npr yh ainlArnuisadSaeAdmin Uni Space the and by h Aeronautics and and NCC-1-02043 National Perpignan. USA Agreement he of 23666, Cooperative by VA NASA part under Hampton, Way, in Exploration supported 100 Aerospace, where se,Ofr od acetrM39L Kadh ssupporte is he and Languedoc-Roussillon. UK Région 9PL, French M13 the Manchester by Road, Oxford ester, o ufiin ogaatetecreteso rtclsoft critical of correctness the guarantee ware. to peer-rev and sufficient simulation, not testing, traditional that belief propertie interaction. numerical ult theorem-prover of human Our proofs minimal guaranteed numbers. p provide automate real to is to over goal strategies calculations customizable developme explicit of formal involving set The an prover. a developed, theorem includes been a also arithmeti in has taylor interval verified, approach and formally of pragmatic splitting effect interval This setting techniques: expansions. dependency algebraic two the an integrate we in reduce place to w take arithmetic order interval base calculations rational Then, number a functions. develop real we elementary bounds, highl for est these and bounds formally on convenient we lower First, a and way. in interactive upper withi as assistant well performed proof as be or t automated can prover In calculations proofs. theorem these mechanical a how in show handle we paper, to difficult remarkably are M n LAS PDadh sspotdi atb h IS253 PICS the by part in supported is he CNRS. and the UPVD ELIAUS, and UM2 ro hcig hoe proving theorem checking, proof pcn AL)agrtm[] tsae httetr aeof rate speed turn ground the in at that 35 flying appears states It aircraft formula Lateral [9]. an for This algorithm Information aircraft. (AILS) Airborne NASA’s Spacing an of of verification the speed ground the rvr 4–8,tefra eicto ftecorrectness routine. the not theorem of is in verification calculations analysis formal these real the Desp concerning perform [4]–[8], functions. developments provers to the necessary non-algebraic of often with all is calculations it systems, applicati functional explicit aerospace engineering implementation of as its verification such prop- and the safety design In verify system requirements. to a tools of and erties techniques mathematical of .Mñz( Muñoz C. .Lse ( Lester D. .Dua ( Daumas M. edyaddssru alrs[][]cnr h shared the confirm [1]–[3] failures disastrous and Deadly Terms Index Abstract ae o xml,teformula the example, for Take, o sabout is omlMethods Formal g stegaiainlfreand force gravitational the is elnme acltoso lmnayfunctions elementary on calculations number Real — [email protected] 180 [email protected] 3 [email protected] 3 elnme acltos nevlarithmetic, interval calculations, number Real — π o e eod ietpofo hsfruais formula this of proof direct A second. per ≤ e ie elNme Calculations: Number Real Verified .I I. v g irr o nevlArithmetic Interval for Library A tan( ncmue cec eest set a to refers science computer in NTRODUCTION 35 180 π swt h ainlIsiueof Institute National the with is ) ) swt h nvriyo Manch- of University the with is ) acDua,DvdLse,adCsrMuñoz César and Lester, David Daumas, Marc ≤ swt h IM,CNRS, LIRMM, the with is ) v 3 ihabn nl of angle bank a with 180 . 1 v π , 250 = nt is knots e are iew npart in d istration ablish with s versity series imate roofs here ons, In . of 3 is e (1) his ite of nt c, d d n y - ee esr ftecreteso h calculations. will the of we correctness results, the the of sure of be checking never formal floating- Without using performed arithmetic. be will calculations external the taeisfrnmrclpooiin r vial rmo from available are propositions numerical for strategies reyaalbeo h nent h eut nuprand upper on PVS Langley is results NASA the development The to Libraries integrated Our Internet. been have International. the bounds logic. lower SRI on higher-order available by for prover freely developed theorem is a It and language tion otie eea uhaxioms. such several contained oanepr a e hs aaeest banadesired a obtain to parameters these set result, can Howeve cases. expert simple domain most in a va a sufficient default designed are The parameters have strategies. the we of proof ones, customizable As highly simple of on effort. an set memory cases human degenerate and on time fail minimum waste to bound with are processes properties automated numerical of interval of functions. prover non-algebraic the theorem includes is a that this in arithmetic knowledge, formalization our complete present to most However, arithmetic well-known. interval are and automati here a to approximations develop amenable series we is operations. The bounds, which these arithmetic non-rational interval of and rational properties rational provable on for l Based of bounds collection a upper is departure wit and of point (1), The Formula assistant. as proof a such properties, numerical prove ically enwitnadflyvrfidi h rttp Verification Prototype the in [12] verified (PVS) fully System and written been work work. our related summarizes to section it Last prover compares V. theorem and proposi- Section a numerical in in method described prove this is to of implementation method boun The a these tions. on describes based IV arithmetic Section interval follows Section as rational functions. organized a elementary is presents for document bounds defines this II of Section rest The [11]. [10], ss ubroeta h fotsesftl;i sthen is and it system, the axioms. futile; of as seems out results effort calculations the the introduce the perform that to tempting cumbersome so is trigonometr several of use the requires properties. and long page a about 2 1 3 nti ae epeetasto neatv ol oautomat to tools interactive of set a present we paper this In u liaega st rvd urnedfra proofs formal guaranteed provide to is goal ultimate Our h ahmtcldvlpetpeetdi hspprhas paper this in presented development mathematical The in presented results the extends and merges paper This nmn ae h omlcekn fnmrclcalculations numerical of checking formal the cases many In samte ffc,teoiia eicto fNS’ ISa AILS NASA’s from of available verification is PVS original the fact, of matter a As http://shemesh.larc.nasa.gov/fm/ftp/larc/PVS-librar e.g. 3 h cuayo atclrcalculation. particular a of accuracy the , n h ainlitra rtmtcadtePVS the and arithmetic interval rational the and 2 V rvdsasrnl ye specifica- typed strongly a provides PVS . http://pvs.csl.sri.com 1 oee,cacsaethat are chances However, . lgorithm eof ne point ower lues hin on. ds. III ed ic r, d 1 - . y/pvslib.html the authors4. B. Trigonometric functions For readability, we will use standard mathematical notations We use the partial approximation by series. along this paper and PVS notations will be limited to illustrate m x2i−1 the use of the library. In the following, we use the first letters sin(x, n) = ( 1)i−1 of the alphabet a,b,... to denote rational numbers, and the X − (2i 1)! i=1 − last letters of the alphabet ...x,y,z to denote arbitrary real m+1 x2i−1 variables. We use boldface for interval variables. Furthermore, sin(x, n) = ( 1)i−1 , X − (2i 1)! if x is an interval variable, x denotes its lower bound and x i=1 − denotes its upper bound. m+1 x2i cos(x, n) = 1+ ( 1)i , X − (2i)! i=1 m II. BOUNDS FOR ELEMENTARY FUNCTIONS x2i cos(x, n) = 1+ ( 1)i , X − (2i)! A PVS basic theory of bounds for square root and trigono- i=1 metric functions was originally proposed for the verification of NASA’s AILS algorithm [9]. We have completed it and where m =2n if x< 0; otherwise, m =2n +1. Proposition 2: x, n : sin(x, n) sin(x) sin(x, n). extended with bounds for natural logarithm, exponential, and ∀ ≤ ≤ Proposition 3: x, n : cos(x, n) cos(x) cos(x, n). arctangent. The basic idea is to provide for each real function ∀ ≤ ≤ f : R R, functions f : (R, N) R and f : (R, N) R 7→ 7→ 7→ closed under Q, such that for all x, n C. Arctangent and π We first use the alternating partial approximation by series f(x, n) f(x) f(x, n), (2) for 0 x 1. ≤ ≤ ≤ ≤ f(x, n) f(x, n + 1), (3) n ≤ 2 +1 ( 1)i f(x, n + 1) f(x, n), (4) atan(x, n) = x2i+1 − , if 0 < x 1, ≤ X 2i +1 ≤ lim f(x, n) = f(x) = lim f(x, n). (5) i=1 n n→∞ n→∞ 2 ( 1)i atan(x, n) = x2i+1 − , if 0 < x 1. X 2i +1 ≤ Formula (2) states that f and f are, respectively, lower and i=1 upper bounds of f, and formulas (3), (4), and (5) state that We note that for x =1 (which we might naïvely wish to use to these bounds can ultimately be improved, as much as needed, 1 1 1 1 define π/4 and hence π) the series: 1 3 + 5 7 + 9 does by increasing the approximation parameter n. − − −··· π converge, but very slowly. Instead, we use the equality 4 = For transcendental functions, we use taylor approximation 4 atan(1/5) atan(1/239), that has much better convergence series. We performed a coarse range reduction [13] since the properties. Using− this identity we can define bounds on π: convergence of taylor series is usually best for small values. More elaborate range reduction techniques [14] would signif- π(n) = 16atan(1,n) 4 atan(1,n), − icantly enhance the speed and the accuracy of the functions π(n) = 16 atan(1,n) 4 atan(1,n). defined in Sections II and III. All the stated propositions in this − section have been formally verified in the verification system PVS. Proposition 4: n : π(n) π π(n). Now, using properties∀ of arctangent,≤ ≤ we extend the range of the function to the whole set of real numbers: A. Square root atan(0,n) = atan(0,n) = 0, π(n) 1 For square root, we use a simple approximation by Newton’s atan(x, n) = atan( ,n), if 1 < x, method. For x 0, 2 − x ≥ atan(x, n) = atan( x, n), if x< 0, − − π(n) 1 sqrt(x, 0) = x +1, atan(x, n) = atan( ,n), if 1 < x, 1 x 2 − x sqrt(x, n +1) = (y + ), where y = sqrt(x, n), atan(x, n) = atan( x, n), if x< 0. 2 y − − x sqrt(x, n) = . sqrt(x, n) Proposition 5: x, n : atan(x, n) atan(x) atan(x, n). ∀ ≤ ≤ Proposition 1: x 0,n : 0 sqrt(x, n) √x < ∀ ≥ ≤ ≤ These are strict inequalities except when x =0. sqrt(x, n). The PVS definition of bounds on atan and π are presented The first inequality is strict when x> 0. in Listing 1. PVS developments are organized in theories, which are collections of mathematical and logical objects 4http://research.nianet.org/~munoz/Interval. such as function definitions, variable declarations, axioms, and lemmas. The atan_approx theory first imports the definition of the arctangent function. Then, it declares variables n,x,px of types nat (natural numbers), real (real num- bers), and posreal (positive real numbers), respectively. For the scope of the theory, these variables are implicitly univer- sally quantified. Though writing definitions, lemmas, theorems PVS Listing 1 Definition of bounds on atan and π and specially proofs in PVS requires some training, reading atan_approx: THEORY theories is possible to anybody with a minimal background in BEGIN logic. IMPORTING atan

D. Exponential n: VAR nat x: VAR real The series we use for the exponential function is px: VAR posreal

∞ xi atan_pos_le1_ub(n,x): real = exp(x)= . atan_series_n(x,2*n) X i! i=0 atan_pos_le1_lb(n,x): real = We could directly find bounds for negative x from this series atan_series_n(x,2*n+1) as, in this case, the series is alternating. However, we will atan_pos_le1_bounds: LEMMA subsequently find that it is convenient to show that our bounds 0 < x AND x <= 1 IMPLIES for the exponential function are strictly positive, and this is not atan_pos_le1_lb(n,x) < atan(x) AND atan(x) < atan_pos_le1_ub(n,x) true for all x 0. Yet, this property holds for 1 x 0. ≤ − ≤ ≤ We define pi_lbn(n): posreal = 4*(4*atan_pos_le1_lb(n,1/5) - 2(n+1)+1 xi atan_pos_le1_ub(n,1/239)) exp(x, n) = , if 1 x< 0, X i! − ≤ pi_ubn(n): posreal = i=0 4*(4*atan_pos_le1_ub(n,1/5) - 2(n+1) xi atan_pos_le1_lb(n,1/239)) exp(x, n) = , if 1 x< 0. X i! − ≤ pi_bounds: THEOREM i=0 pi_lbn(n) < pi AND pi < pi_ubn(n) Using properties of the exponential function, we obtain atan_pos_lb(n,px): real = bounds for the whole set of real numbers: IF px <= 1 THEN atan_pos_le1_lb(n,px) exp(0,n) = exp(0,n) = 1, ELSE x −⌊x⌋ pi_lbn(n)/2 - atan_pos_le1_ub(n,1/px) exp(x, n) = exp( ,n) , if x< 1 ENDIF x − −⌊1 ⌋ atan_pos_ub(n,px): real = exp(x, n) = , if x> 0, IF px <= 1 THEN exp( x, n) atan_pos_le1_ub(n,px) − x −⌊x⌋ ELSE exp(x, n) = exp( ,n) , if x< 1 pi_ubn(n)/2 - atan_pos_le1_lb(n,1/px) x − ENDIF −⌊1 ⌋ exp(x, n) = , if x> 0. exp( x, n) atan_lb(x,n): real = − IF x > 0 THEN atan_pos_lb(n,x) ELSIF x = 0 THEN 0 ELSE -atan_pos_ub(n,-x) ENDIF Notice that unless we can ensure that all of the bounding functions are strictly positive we will run into type-checking atan_ub(x,n): real = problems using the bound definitions for x > 0, e.g., IF x > 0 THEN atan_pos_ub(n,x) ELSIF x = 0 THEN 0 1/exp( x, n) is only defined provided exp( x, n) =0. − − 6 ELSE -atan_pos_lb(n,-x) ENDIF Proposition 6: x, n : 0 < exp(x, n) exp(x) exp(x, n). ∀ ≤ ≤ atan_bounds: THEOREM atan_lb(x,n) <= atan(x) AND These are strict inequalities except when x =0. atan(x) <= atan_ub(x,n)

END atan_approx E. Natural Logarithm For 0 < x 1, we use the alternating series for natural logarithm: ≤

∞ xi ln(x +1) = ( 1)i+1 . X − i i=1 Therefore, we define and hide some technical parts. The theory defines the type n Interval as a record with fields ub and lb of type rat 2 (x 1)i ln(x, n) = ( 1)i+1 − , if 1 < x 2, (rational numbers), variables x,y of type real, variable n X − i ≤ i=1 of type nat, and variables X,Y of type Interval. n 2 +1 (x 1)i ln(x, n) = ( 1)i+1 − , if 1 < x 2. PVS Listing 2 Definition of interval arithmetic X − i ≤ i=1 Interval : THEORY Using properties of the natural logarithm function, we obtain BEGIN

ln(1,n) = ln(1,n) = 0 Interval : TYPE = [# 1 lb : rat, ln(x, n) = ln( ,n), if 0 real number such x> 2 m y +(X,Y): Interval = [|lb(X)+lb(Y), that x =2my and 1 division: -(X,Y): Interval = [|lb(X)-ub(Y), ub(X)-lb(Y)|] lnnat(x:posreal,k:posnat): [nat,posreal] = -(X) : Interval = [|-ub(X), if x < k then (0,x) -lb(X))|] else let (m,y) = lnnat(x/k,k) in *(X,Y): Interval = ... (m+1,y) /(X,Y): Interval = X * [|1/ub(Y), endif 1/lb(Y)|] Abs(X): Interval = ... We next prove the following property: Sq(X) : Interval = ... ^(X,n): Interval = ... Proposition 7: x 1,k > 1 : km x < km+1,y < m ∀ ≥ ≤ k, x = k y, where (m,y)= lnnat(x, k). U(X,Y) : Interval = [|min(lb(X),lb(Y)), If (m,y)= lnnat(2, x), we observe that max(ub(X),ub(Y))|] ... ln(x) = ln(2my)= m ln(2) + ln(y). END Interval Hence, ln(x, n) = m ln(2,n) + ln(y,n), if x> 2, If X is a PVS interval, lb(X) is the lower bound and ln(x, n) = m ln(2,n)+ ln(y,n), if x> 2. ub(X) is the upper bound of X. In PVS, we define the Proposition 8: x> 0,n : ln(x, n) ln(x) ln(x, n). syntactic sugar [|x,y|] to represent the interval [x, y]. These are strict inequalities∀ except when≤x =1. ≤ Interval union x y, written in PVS X U Y, is defined as the smallest rational∪ interval that contains both x and y. III. RATIONAL INTERVAL ARITHMETIC The four basic interval operations are defined as fol- lows [17]: Interval arithmetic has been used for decades as a standard tool for numerical analysis on engineering applications [15], x + y = [x + y, x + y], [16]. In interval arithmetic, operations are evaluated on range x y = [x y, x y], of numbers rather than on real numbers. A (closed) interval − − − x y = [min xy, xy, xy, xy , max xy, xy, xy, xy ], [a,b] is the set of real numbers between a and b, i.e., × { } { } 1 1 [a,b] = x a x b . x/y = x [ , ], if yy > 0. { | ≤ ≤ } × y y The bounds a and b are called the lower bound and upper We also define the unary negation, absolute value, and power bound of [a,b], respectively. Note that if a>b, the interval operators for intervals: is the empty set. The notation [a] abbreviates the point-wise interval [a,a]. x = [ x, x], Interval computations can be performed on the endpoints − − − x = [min x , x , max x , x ], if xx 0. or on the center and the radius. For this work, we decided to | | {| | | |} {| | | |} ≥ work on rational endpoints. Trigonometric and transcendental x = [0, max x , x ], if xx < 0. | | {| | | |} functions for interval arithmetic are defined using the bounds [1] if n =0, presented in Section II.  [xn, xn] if x 0 or odd?(n), xn =  Listing 2 shows a few definitions from the PVS the-  [xn, xn] if x ≥ 0 and even?(n), Interval n n ≤ ory . Dots are used to simplify the presentation  [0, max x , x ] otherwise.  { } Interval operations are defined such that they include the B. Square root, arctangent, exponential, and natural loga- result of their corresponding real operations. This property is rithm called the inclusion property. Interval functions for square root, arctangent, π, exponen- Proposition 9 (Inclusion Property for Basic Operators): If tial, and natural logarithm are defined for an approximation x x and y y then x y x y, where +, , ,/ . parameter n 0: Moreover,∈ ∈x x, x⊗ ∈x ,⊗ and xn ⊗∈{xn, for n− ×0.} It ≥ − ∈ − | | ∈ | | ∈ ≥ is assumed that y does not contain 0 in the case of interval [√x]n = [sqrt(x,n), sqrt(x,n)], if x 0, ≥ division. [atan(x)]n = [atan(x,n), atan(x,n)], Listing 3 specifies this property in PVS. The proposition x x [π]n = [π(n), π(n)], is written x ## X. ∈ [exp(x)]n = [exp(x,n), exp(x,n)],

PVS Listing 3 Basic inclusion properties [ln(x)]n = [ln(x,n), ln(x,n)], if x > 0. Add_inclusion : LEMMA As consequence of Propositions 1, 5, 6, and 8 in Section II, x ## X AND y ## Y =⇒ x+y ## X+Y and the fact that these functions are increasing, the above Sub_inclusion : LEMMA functions satisfy the following inclusion property. x ## X AND y ## Y =⇒ x-y ## X-Y Proposition 12: For all n, if x x then f(x) [f(x)]n, ∈ ∈ where f √ , atan, exp, ln . Moreover, π [π]n. It is Neg_inclusion : LEMMA assumed that∈ {x is non-negative} in the case of∈ square root, x ## X =⇒ -x ## -X and x is positive in the case of natural logarithm. Mult_inclusion : LEMMA x ## X AND y ## Y =⇒ x y ## X Y * * C. Trigonometric functions Div_inclusion : LEMMA Parametric functions for interval trigonometric functions are NOT 0 ## Y AND defined by cases analysis on quadrants where the functions x ## X AND y ## Y =⇒ x/y ## X/Y are increasing or decreasing. The mathematical definitions are Abs_inclusion : LEMMA presented in Figure 1. x ## X =⇒ abs(x) ## abs(X) Note that sin and cos are defined for the whole real line. However, for angles α such that α > π both functions will Sq_inclusion : LEMMA return the interval [ 1, 1], a valid| bound| but not a very good x ## X =⇒ sq(x) ## sq(X) one. Furthermore,− the expression n + 5 in Formula (8) is Pow_inclusion : LEMMA necessary to guarantee that lower and upper bounds of cosine =⇒ π(n+5) π(n+5) x ## X x^n ## X^n are strictly positive in the interval [ 2 , 2 ], and thus, the interval tangent function is always− defined in that interval. The interval trigonometric functions satisfy the inclusion The inclusion property is fundamental to interval arithmetic. property. It guarantees that evaluations of an expression using interval Proposition 13: If x x then f(x) [f(x)]n, where f ∈ π(n+5)∈ π(n+5) ∈ arithmetic bound its exact real value. Any operation in interval sin, cos . Moreover, if x [ , ], tan(x) arithmetic must satisfy the inclusion property with respect to { } ⊆ − 2 2 ∈ [tan(x)]n. its corresponding real operation. The next section proposes a method to prove numerical A. Interval comparisons propositions based on the interval arithmetic described here. There are several possible ways to compare intervals [18]. In this work, we use interval-rational comparisons and interval IV. MECHANICAL PROOFS OF NUMERICAL PROPOSITIONS inclusions. Arithmetic expressions are defined by the following gram- mar, where is an denumerable set of real variables: x < a if x < a, similarly for , V ≤ x > a if x > a, similarly for , e ::= a x e + e e e e e e ≥ e/e| e| ei | √−e π| − sin(| e)× | x y if y x and x y . cos(e|) | |tan( | e) | exp(| e) | ln(e) atan(| e) ⊆ ≤ ≤ | | | | Proposition 10: Assume that x x, a Q ∈ i ∈ N 1) if x ⊲⊳ a then x ⊲⊳a, for ⊲⊳ <, , >, , and ∈ ∈{ ≤ ≥} x 2) if x y then x y. ∈ V ⊆ ∈ We use ⊲⊳ to denote , >, , or <, when ⊲⊳ is, respectively, Numerical propositions P have either the form e ⊲⊳ e , 6 ≥ ≤ 1 2 <, , >, or . where ⊲⊳ <, , >, , or the form e a, where a is a ≤ ≥ Proposition 11: If x ⊲⊳ a and x ⊲⊳ a, then x is empty. constant interval∈ { (an≤ interval≥} with constant rational∈ endpoints). 6 Notice that (x ⊲⊳ a) does not imply x ⊲⊳ a. For instance, As usual, parentheses are used to group real and interval [ 1, 1] is neither¬ greater nor less than 0. 6 expressions as needed. − [sin(x,n), sin(x,n)] if x [ π(n) , π(n) ],  ⊆ − 2 2 [sin(x,n), sin(x,n)] else if x [ π(n) , π(n)],  ⊆ 2 [sin(x)]n =  [min sin(x,n), sin(x,n) , 1] else if x [0, π(n)], (6)  { } ⊆ [sin( x)]n else if x [ π(n), 0],  − − ⊆ −  [ 1, 1] otherwise,  − [cos(x,n), cos(x,n)] if x [0, π(n)],  ⊆ [cos( x)]n else if x [ π(n), 0], [cos(x)]n =  − ⊆ − π n π n (7)  [min cos(x,n), cos(x,n) , 1] else if x [ ( ) , ( ) ], { } ⊆ − 2 2  [ 1, 1] otherwise,  − sin sin π(n + 5) π(n + 5) [tan(x)]n = [ (x,n + 5), (x,n + 5)], if x [ , ]. (8) cos cos ⊆ − 2 2

Fig. 1. Interval trigonometric functions

A context Γ is a set of hypotheses of the form x x. In that case go to step 5. ∈ Γ A ground context is a context where all the intervals are 4) Evaluate [e]n ⊲⊳ 0. If this evaluates to true then fail. By 6 Γ constant. In the following, we use logical judgments in the Proposition 11, the judgment Γ [e]n ⊲⊳ 0 cannot hold. Γ ⊢ sequent calculus style, e.g., Γ P , where all free variables If [e]n ⊲⊳ 0 evaluates to false, increase the approximation occurring in P are in Γ. The intended⊢ semantics of a judgment parameter6 and return to step 3. Γ P is that the numerical proposition P is true under the 5) By Theorem 1, hypotheses⊢ Γ. Γ e [e]Γ. Given a context Γ, an approximation parameter n, and an ⊢ ∈ n expression e, such that the free variables of e are in Γ, we 6) Proposition 10 yields Γ define the interval expression [e]n by recursion on e. Γ Γ e ⊲⊳ 0. [a]n = [a], ⊢ Γ 7) By definition, [x]n = x, where (x x) Γ, Γ Γ Γ ∈ ∈ [e1 e2]n = [e1]n [e2]n, where +, , ,/ , Γ e e ⊲⊳ 0. ⊗ ⊗ ⊗∈{ − × } ⊢ 1 − 2 [ei]Γ = ([e]Γ)i, n n 8) Therefore, [ e]Γ = [e]Γ, − n − n Γ Γ Γ e1 ⊲⊳ e2. [ e ]n = [e]n , ⊢ | | Γ | | [π]n = [π]n, The method above can be easily adapted to judgments of Γ Γ [f(x)]n = [f([x]n)]n, the form Γ e ⊲⊳ a. In this case, the interval expression Γ ⊢ where f sin, cos, tan, exp, ln, atan . [e]n a is evaluated. If the expression evaluates to true, then ∈{ } the original⊆ judgment holds by Theorem 1 and Proposition 10. Theorem 1 (Inclusion): Let Γ be a context, n an approxi- Otherwise, the method should fail. mation parameter, and e a well-defined arithmetic expression The general method is sound, i.e., all the steps can be in Γ, i.e., side conditions for division, square root, logarithm, effectively computed and each one is formally justified. In and tangent are satisfied, particular, the propositions [e]Γ ⊲⊳ 0, [e]Γ ⊲⊳ 0, and [e]Γ a n n 6 n ⊆ Γ can be mechanically computed as they only involve rational Γ e [e]n. (9) Proof: By structural⊢ ∈ induction on e and proposi- arithmetic and constant numerical values. The method is not tions 4, 9, 12, and 13. complete as it does not necessarily terminate. Even if e only involves the four basic operations and no variables, it may be Γ Γ A. A general method for numerical propositions that both [e]n ⊲⊳ 0 and [e]n ⊲⊳ 0 evaluate to false. The absence of a completeness6 result is a fundamental We propose a general method to prove numerical proposi- limitation on any general computable arithmetic. At a practical tions. First, consider a judgment of the form level, the problem arises because all we have available are Γ e ⊲⊳ e , a sequence of approximations to the real numbers x and y; ⊢ 1 2 provided x and y differ, with luck we will eventually have where Γ is a ground context. a pair of approximations whose intervals do not overlap, and 1) Select an approximation parameter n. hence we can return a result for x ⊲⊳ y. However, if x and y 2) Define e = e e . 1 2 are the same real number (note we might not necessarily get 3) Evaluate [e]Γ ⊲⊳− 0. If it evaluates to true, the following n the same sequence of approximations for both x and y), we judgment holds can never be sure whether further evaluation might result in Γ [e]Γ ⊲⊳ 0. us being able to distinguish the numbers. ⊢ n B. Dependency effect k2 is the number of tiles of the second variables alone, and so The dependency effect is a well-known behavior of interval forth, the total number of tiles to be considered for m variables arithmetic due to the fact that interval identity is lost in interval is 1≤j≤m kj . Q evaluations. This may have surprising results, for instance The integration of the Splitting rule into the general method x x is [0] only if x is point-wise. Moreover, as we have is straightforward. First, a splitting is computed for a given set seen− in Section III-A, both x a and x < a may be of variables in Γ. Then, the general method is applied to all false. Additionally, interval arithmetic≥ is subdistributive, i.e., cases. If the general method is successful in all of them, by x (y + z) x y + x z. In the general case the inclusion Proposition 14, the original judgment holds. Otherwise, the is× strict and⊆ some× dependency× effects appear as soon as a method fails and a new splitting may be considered. variable is used more than once in an expression. For the method presented in Section IV-A, it means that the D. Taylor Series Expansions arrangement of the expression e matters. For instance, assume Replacing 2 x x by x can be done automatically. In fact, that we want to prove x [0, 1] 2 x x. This as we will see× in Section− V, these kinds of simplifications are ∈ ⊢ × ≥ is pretty obvious in arithmetic as x is a non-negative real. performed by our PVS implementation of the general method. Using our method, we first consider the arithmetic expression However, these simplifications may not be sufficient even for e = 2 x x and then construct the interval expression simple expressions such as x (1 x), where x [0.1]. The × − [e]Γ = 2 x x, where x = [0, 1]. For any approximation subdistributivity property of interval× − arithmetic states∈ that the n × − parameter n, [e]Γ evaluates to [ 1, 2] which is neither greater interval evaluation of x (1 x) is better than that of the n − nor less than 0. Therefore, the method will not terminate. On equivalent expression x × x2.− Unfortunately, that evaluation the other hand, if instead of the arithmetic expression 2 x x, is not good enough to prove− that x (1 x) [0, 1/4]. In × − we consider the equivalent arithmetic expression x, we have this case, as a domain expert knows,× the− optimal∈ answer is Γ 2 [x]n = [0, 1] and [0, 1] 0 evaluates to true. obtained with the equivalent expression 1/4 (1/2 x) . The ≥ A second observation is that because of the dependency solution is a lot less intuitive when non-algebraic− functio− ns are effect the width of intervals also matters. Consider again the involved. expression e = 2 x x. We have seen that the interval Taylor’s theorem states that a n-differentiable function can × − evaluation of [e]Γ, for x [0, 1], results in [ 1, 2], which be approximated near a given point by a polynomial of degree n ∈ − is not sufficient to prove that [e]Γ 0. On the other hand, n whose coefficients depend on the derivatives of the function n ≥ the expression [e]Γ evaluates to [ 1/2, 1] when x [0, 1/2] at that point. In interval arithmetic, taylor’s theorem can be n − ∈ and it evaluates to [0, 3/2] when x [1/2, 1]. Therefore, we expressed by the following deduction rule. ∈ can prove that, for x [0, 1], [e]Γ [ 1/2, 1] [0, 3/2], Proposition 15: Let x, x ,..., x be strictly proper inter- ∈ n ⊆ − ∪ 0 n i.e., [e]Γ [ 1/2, 3/2], which is a better approximation than vals, f a n-differentiable function on a variable x x, and n ⊆ − [ 1, 2]. If we continue dividing the interval [0, 1] and com- c x a constant, ∈ − ∈ puting the union of the resulting intervals, we can eventually (i) Γ 0 i 0. ∀ ≤ ⊢(n) ∈ ≥ x x f (x) xn These observations lead to two enhancements of the general ∈ ⊢ n ∈ i [Taylor] x x f(x) Σ (xi (x c) )/i! method. First, we could divide each interval in Γ before ∈ ⊢ ∈ i=0 × − applying the general technique. Second, we may want to The expression of Taylor’s rule shows that interval x appears replace the original expression by an equivalent one that is only once in each term of order i for i between 1 and n 1 − less prone to the dependency effect. preventing any dependency effect due to x in a term alone. The term of order n suffers some dependency effect as x also C. Interval splitting appears in the definition of xn. In most cases, n =2 is used to cancel first order dependency effects as presented Listing 4. In interval arithmetic, the dependency effect of the union But in cases where the first derivatives nearly vanish or where of the parts is less than the dependency effect of the whole. the evaluation of the last derivative introduces significant Indeed, the simplest way to reduce the dependency effect is dependency effects, we compute more terms to reach some to divide the interval variables into several tiles (subintervals) better bounds. and to evaluate the original expression on these tiles separately. Using Taylor’s rule require more work than the Splitting This technique is called interval splitting or sub-paving and is rule. In particular, we need to provide intervals x0,..., xn expressed by the following deduction rule. and constant c that satisfy the hypotheses of the rule. For c we Proposition 14: Let Γ be a context, e an expression whose choose the middle point of x unless the user proposes another free variables are x and those in Γ, e an interval expression, point. It follow immediately that c x. For 0 i 0. In PVS: n may be considered. G(x|x < 1): real = 3 x/2 - ln(1-x) n i * For better results, the evaluation of Σi=0(xi (x c) )/i! a can be performed using the splitting technique.× Contrary− ⊆ to A_and_S : lemma G(0.5828) > 0 the approach described in [19], we do not have to generate a new taylor approximation for each tile. By using an interval- %|- A_and_S : PROOF (numerical :defs "G") QED based taylor expansion, the same expression can be reused for all the tiles. One single global taylor expansion has to be In this case, the optional parameter :defs "G" tells validated, and the proofs for all the tiles simply consist in an numerical that the user-defined function G has to be interval evaluation of this expansion. We do not suffer from the expanded before performing the numerical evaluation. The taylor coefficients being irrational numbers, they are simply original proof of this lemma in PVS required the manual given by interval expressions involving rational functions. expansion of 19 terms of the ln series. Relying on rational interval arithmetic leads to conceptually The numerical strategy is aimed to practicality rather simpler proofs. than completeness. In particular, it always terminate and it is configurable for better accuracy (at the expense of perfor- Section V describes how the general method and its ex- mance). tensions are implemented in the PVS theorem prover and Termination is trivially achieved as the strategy does not illustrates the practical use of the library with a few examples. iterate for different approximations, i.e., step 3 either goes to step 5 or fails. In other words, if numerical does not succeed, it does nothing. Furthermore, numerical uses a V. VERIFIED REAL NUMBER CALCULATIONS IN PVS default approximation parameter n = 3, which gives an The interval arithmetic presented in this paper has been accuracy of about 2 decimals for trigonometric functions. developed as a PVS library called Interval. This library However, the user can increase this parameter or set a different contains the specification of interval arithmetic described here approximation to each function according to his/her accuracy and the formal proofs of its properties. We believe that a needs and availability of computational power. Currently, there domain expert can use this library with a basic knowledge of is no direct relation between the approximation parameter theorem provers. Minimal PVS expertise is required as most of and the accuracy, as all the bounding functions have different the technical burden of proving numerical properties is already convergence rates. On-going work aims to provide, an absolute implemented as proof strategies. error of at most 2−p for any expression with a new approx- imation parameter p. The strategy has not been designed to A. Strategies reuse past computations. Therefore, it will be prohibitively expensive to automatically iterate numerical to achieve a The numerical strategy is the basic strategy that im- small approximation on a complex arithmetic expression. plements the general method and its extensions described in In order to reduce the dependency effect, the numerical Section IV. For instance, Formula 1 can be specified in PVS strategy automatically rearranges arithmetic expressions using as follows (comments in PVS start with the symbol % and a simple factorization algorithm. Due to the subdistributivity extend to the end of the line): property, the evaluation of factorized interval expressions is g : posreal = 9.8 %[m/s^2] more accurate than that of non-factorized ones. A set of v : posreal = 250*0.514 %[m/s] lemmas of the NASA Langley PVS Libraries are also used tr35: LEMMA as rewriting rules on arithmetic expressions prior to numerical (g*tan(35*pi/180)/v) * 180/pi evaluations. This set of lemmas is parameterizable and can ## [| 3, 3.1 |] be extended by the user. For instance, trigonometric functions applied to notable angles are automatically rewritten to their %|- tr35: PROOF (numerical) QED exact value. Therefore, numerical is able to prove that We emphasize that, in PVS, tan and pi are the real math- sin(π/2) 1, even if this proposition is not provable using our ∈ ematical function tan and constant π, respectively. Lemma interval arithmetic operators alone. Although it is not currently tr35 is automatically discharged by the numerical strat- implemented, this approach can also be used to normalize egy, which can be entered interactively or in batch mode, as angles to the range [ π, π] that is suitable for the interval − in this case, via the ProofLite library developed by one of the trigonometric functions in Sections III-C. authors [20]. The splitting technique is implemented by allowing the Another example is the proof of the inequality 4.1.35 user to specify the number of tiles to be considered for each in [13]: interval variable or a default value for all of them. The strategy will evenly divide each interval. For example, the simple 3x x : 0 < x 0.5828 = ln(1 x) < . expression in Section IV-D can be proven to be in the range ∀ ≤ ⇒ | − | 2 [0, 9/32] using a splitting of 16 subintervals. The key to prove this inequality is to prove that the function fair : LEMMA 3x x ## [|0,1|] IMPLIES x*(1-x) ## [|0,9/32|] G(x) = ln(1 x) 2 − − %|- fair : PROOF (instint :splitting 16) QED In this example we have used the instint strategy. This strategy is built on top of numerical and per- forms some basic logic manipulations such as introduction of real variables and interval constants. In this case, the proof command (initint :splitting 16) is equiv- alent to (then (skeep) (numerical :vars ("x" "[|0,1|]" 16))). It instructs PVS to introduce the real variable x and then to apply numerical by splitting 16 times the interval [0, 1]. The taylor series expansion technique is implemented in two steps. First, the taylor strategy automatically proves Proposition 15 for a particular function f and degree n. In Fig. 2. Time required to prove tan(x) − r(x) ∈ [−1/30, 1/30] the following example, we show that x x x (1 x) 2 i ∈ ⊢ × − ∈ i=0(xi (x c) )/i!, provided that x is strictly proper. P × − are automatically discharged by the instint strategy with F(X) : MACRO Interval = X*(1-X) DF(X) : MACRO Interval = 1 - 2*X different splitting and taylor’s expansion degrees. As expected D2F(X): MACRO Interval = [| -2 |] taylor’s expansions and splitting get better results than splitting alone. Moreover, second degree expansions are almost always ftaylor : LEMMA better than first degree expansions. This is not necessarily x ## X AND StrictlyProper?(X) IMPLIES the case as illustrated by lemmas fair_atan_t1_14 and x*(1-x) ## Taylor2[X](F,DF,D2F) fair_atan_t2_14: for i = 14, a first degree expansion %|- ftaylor : PROOF (taylor) QED with no splitting is enough to prove the property, while a second degree expansion requires a splitting of 2. MACRO The keyword tells the theorem prover to automati- On a tile t of x, the width of the error expression E that cally expand the definition of the function. The expression does not use taylor’s theorem evaluated on t is larger than Taylor2[X](F,DF,D2F) corresponds to 2 x x i=0( i ( the sum of the width of expressions Atan and R. As the i , where F, DF, and D2F are the intervalP functions× − c) )/i! derivative of the arctangent is between 0.9989 and 1 on x, we corresponding to f, it 1st, and its 2nd derivative. could expect that the width of R is at least twice the width Finally, the strategy instint is called with the lemma of tile t. Therefore, to obtain an error bound of [ 2−i, 2−i] ftaylor. we cannot use tiles larger than 2−i and we will need− at least best : LEMMA 2i/15 2i−1.4 tiles. x ## [|0,1|] IMPLIES x*(1-x) ## [|0, 1/4|] We≈ use the same kind of simple calculation to show that ′ −6 i−14.8 %|- best : PROOF since e (x) 2.37 10 we will need about 2 tiles of width|2−i |≤106/2.37·. This figures are accurate when we use %|- (instint :taylor "ftaylor") · %|- QED second degree expansion but actual computations may require more tiles due to some dependency effects introduced when B. A simple case study we use first degree expansions. Figure 2 presents a summary of the time required to prove The arctangent function is heavily used in aeronautic appli- 5 tan(x) r(x) [ 1/30, 1/30] for i in the range [0, 20] cations as it is fundamental to many Geodesic formulas . One using splitting,− splitting∈ − and first degree taylor’s expansion, common implementation technique uses an approximation and splitting and second degree taylor’s expansion. of the arctangent on the interval x = [ 1/30, 1/30] after argument reduction [21]. For efficiency reasons,− one may want to approximate the function atan(x) to single precision by the C. Implementation and Performance Issues polynomial Actual definitions in PVS have been slightly modified for efficiency reasons. For instance, multiplication is defined using 11184811 3 13421773 5 r(x) = x x x . a case analysis on the sign of the operands. Additionally, − 33554432 − 67108864 all interval operations are completed by returning an empty The coefficients of the polynomial approximation are stored interval if side conditions are not satisfied. This technique exactly using IEEE single precision. avoids some type correctness checks that are expensive. The objective of this case study is to show that The strategies in this library work over the PVS built-in x [ 1/30, 1/30] atan(x) r(x) [ 2−i, 2−i], real numbers. The major advantage of this approach is that the ∈ − ⊢ − ∈ − functionality of the strategies can be extended to handle user for different values of i. The PVS specification of this problem defined real functions without modifying the strategy code. for some values of i is presented in Listing 4. All the lemmas Indeed, optional parameters to the numerical strategy allow 5See, for example, Ed William’s Aviation Formulary at for the specification of arbitrary real functions. If the interval http://williams.best.vwh.net/avform.htm. interpretations are not provided, the strategy tries to build them PVS Listing 4 Accuracy of the arctangent approximation fair_atan : THEORY BEGIN

x :var real r(x) : MACRO real = x - (11184811/33554432) * x^3 - (13421773/67108864) * x^5 e(x) : MACRO real = atan(x) - r(x) Xt : Interval = [| -1/30, 1/30 |]

fair_atan_8 : LEMMA x ## Xt IMPLIES e(x) ## [|-2^-8, 2^-8|] %|- fair_atan_8 : PROOF (instint :splitting 18) QED

X :var Interval R(X) : MACRO Interval = X - 11184811/33554432 * X^3 - 13421773/67108864 * X^5 E(X) : MACRO Interval = Atan(X,4) - R(X) DE(X) : MACRO Interval = 1 / (1 + Sq(X)) - 1 + 3*(X^2*(11184811/33554432)) + 5*(X^4*(13421773/67108864))

atan_taylor1 : LEMMA StrictlyProper?(X) AND x ## X IMPLIES e(x) ## Taylor1[X](E,DE) %|- atan_taylor1 : PROOF (taylor) QED fair_atan_t1_14: LEMMA x ## Xt IMPLIES e(x) ## [|-2^-14, 2^-14|] %|- fair_atan_t1_14 : PROOF (instint :taylor "atan_taylor1") QED fair_atan_t1_20: LEMMA x ## Xt IMPLIES e(x) ## [|-2^-20, 2^-20|] %|- fair_atan_t1_20 : PROOF (instint :taylor "atan_taylor1" :splitting 13) QED

D2E(X) : MACRO Interval = -2*X/Sq(1 + Sq(X)) + 20*(X^3*(13421773/67108864)) + 6*((11184811/33554432)*X)

atan_taylor2 : LEMMA StrictlyProper?(X) AND x ## X IMPLIES e(x) ## Taylor2[X](E,DE,D2E) %|- atan_taylor2 : PROOF (taylor) QED fair_atan_t2_14: LEMMA x ## Xt IMPLIES e(x) ## [|-2^-14, 2^-14|] %|- fair_atan_t2_14 : PROOF (instint :taylor "atan_taylor2" :spitting 2) QED fair_atan_t2_20: LEMMA x ## Xt IMPLIES e(x) ## [|-2^-20, 2^-20|] %|- fair_atan_t2_20 : PROOF (instint :taylor "atan_taylor2" :splitting 5) QED

END fair_atan

from the syntactic definition of the functions. The trade-off VI. CONCLUSION AND LIMITS OF TRACTABILITY for the use of the PVS type real, in favor of a defined data Γ We have presented a pragmatic approach to verify ordinary type for arithmetic expressions, is that the function [e]n and Theorem 1 are at the meta-level, i.e., they are not written in real number computations in theorem provers. To this end, PVS. It also means that the soundness of our method cannot bounds for non-algebraic functions were established based on be proven in PVS itself. In particular, Theorem 1 has to be provable properties of their approximation series. Furthermore, Γ a library for interval arithmetic was developed. The library proven for each particular instance of e and [e]n. This is not a major drawback as, in addition to numerical, we have includes strategies that automatically discharges numerical developed a strategy called inclusion that discharges the inequalities and interval inclusions. Γ sequent Γ e [e]n whenever is needed. PVS strategies are The PVS Interval library contains 306 lemmas in total. It conservative⊢ in the∈ sense that they do not add inconsistencies is roughly 10 thousand lines of specification and proofs and 1 to the theorem prover. Therefore, if numerical succeeds to thousand lines of strategy definitions. These numbers do not discharge a particular goal the answer is correct. take into account the bounding functions, which have been Finally, our method relies on explicit calculations to evaluate fully integrated to the NASA Langley PVS Libraries. It is interval expressions. In theorem provers, explicit calculations difficult to estimate the human effort for this development usually means symbolic evaluations, which are extremely as it has evolved over the years from an original axiomatic inefficient for the interval functions that we want to calculate. specification to a fully foundational set of theories. As far To avoid symbolic evaluations, numerical is implemented as we know, this is the most complete formalization within using computational reflection [22]–[24]. Interval expressions a theorem prover of an interval arithmetic that includes non- are translated to Common Lisp (the implementation language algebraic functions. of PVS) and evaluated there. The extraction and evaluation Research on interval analysis and exact arithmetic is rich mechanism is provided by the PVS ground evaluator [25]. and abundant (see for example [17], [27], [28]). The goal The result of the evaluation is translated back to the PVS of interval analysis is to compute an upper bound of the theorem prover using the PVSio library developed by one of round-off error in a computation performed using floating- the authors [26]. point numbers. In contrast, in an exact arithmetic framework, (NIA) and NASA. Future enhancements include:

• Development of a fully functional floating point arith- metic library [33] in order to generate guaranteed proofs of round-off-errors [32]. • Integration of this library and an exact arithmetic formal- ization in PVS developed by one of the authors [34]. • Implementation of latest developments on Taylor Mod- els [35]–[37], which will enable a greater automation of the Taylor’s series expansion technique.

REFERENCES

Fig. 3. Alternate fair_atan theorems will make use of interval arithmetic [1] Information Management and Technology Division, “Patriot missile defense: software problem led to system failure at Dhahran, Saudi Ara- bia,” United States General Accounting Office, Report B-247094, 1992. [Online]. Available: http://www.fas.org/spp/starwars/gao/im92026.htm an accuracy is specified at the beginning of the computation [2] J.-L. Lions et al., “Ariane 5 flight 501 failure report by the inquiry and the computation is performed in such way that the final board,” European Space Agency, Paris, France, Tech. Rep., 1996. result respects this accuracy. [Online]. Available: http://ravel.esrin.esa.it/docs/esa-x-1819eng.pdf [3] D. Gage and J. McCormick, “We did nothing wrong,” Real numbers and exact arithmetic is also a subject of Baseline, vol. 1, no. 28, pp. 32–58, 2004. [Online]. Available: increasing interest in the theorem proving community. Pio- http://common.ziffdavisinternet.com/download/0/2529/Baseline0304-DissectionNEW.pdf neers in this area were Harrison and Gamboa who, indepen- [4] J. Harrison, Theorem Proving with the Real Numbers. Springer-Verlag, 1998. dently, developed extensive formalizations of real numbers for [5] J. Fleuriot and L. Paulson, “Mechanizing nonstandard real analysis,” HOL [4] and ACL2 [6]. In Coq, an axiomatic definition of LMS Journal of Computation and Mathematics, vol. 3, pp. 140–190, reals is given in [7], and constructive definitions of reals are 2000. [Online]. Available: http://www.lms.ac.uk/jcm/3/lms1999-027/ [6] R. Gamboa, “Mechanically verifying real-valued algorithms in ACL2,” provided in [29] and [30]. As real numbers are built-in in Ph.D. dissertation, University of Texas at Austin, 1999. [Online]. PVS, there is not much meta-theoretical work on real num- Available: ftp://ftp.cs.utexas.edu/pub/boyer/diss/gamboa.pdf bers. However, a PVS library of real analysis was originally [7] M. Mayero, “Formalisation et automatisation de preuves en analyse réelle et numérique,” Ph.D. dissertation, Université developed by Dutertre [31] and currently being maintained Pierre et Marie Curie, Paris, France, 2001. [Online]. Available: and extended as part of the NASA Langley PVS Libraries. http://www.pps.jussieu.fr/~mayero/specif/these-mayero.ps An alternative real analysis library is proposed in [8]. [8] H. Gottliebsen, “Automated theorem proving for mathematics: real analysis in PVS,” Ph.D. dissertation, University of St Andrews, 2001. Closer to our approach are the tools presented in [Online]. Available: http://www.dcs.qmul.ac.uk/~hago/thesis.ps.gz [32] and [10]. These tools generate bounds on the round-off [9] C. Muñoz, V. Carreño, G. Dowek, and R. Butler, “Formal verification errors of numerical programs, and formal proofs that these of conflict detection algorithms,” International Journal on Software Tools for Technology Transfer, vol. 4, no. 3, pp. 371–380, 2003. bounds are correct. The formal proofs are proof scripts that [Online]. Available: http://dx.doi.org/10.1007/s10009-002-0084-3 can be checked off-line using a proof assistant. [10] M. Daumas, G. Melquiond, and C. Muñoz, “Guaranteed proofs Our approach is different from previous works in that we using interval arithmetic,” in Proceedings of the 17th Symposium on Computer Arithmetic, P. Montuschi and E. Schwarz, Eds., focus on automation and pragmatism. In simple words, our Cape Cod, Massachusetts, 2005, pp. 188–195. [Online]. Available: practical contribution is a correct pocket calculator for real http://hal.archives-ouvertes.fr/hal-00164621 number computations in formal proofs. Thanks to all the [11] C. Muñoz and D. Lester, “Real number calculations and theorem proving,” in 18th International Conference on Theorem Proving in previous developments in theorem proving and real numbers, Higher Order Logics, Oxford, England, 2005, pp. 239–254. [Online]. lemmas like Lemma tr35 and Lemma A_and_S are prov- Available: http://dx.doi.org/10.1007/11541868_13 able in HOL, ACL2, Coq, or PVS. The Interval library make [12] S. Owre, J. M. Rushby, and N. Shankar, “PVS: a these proofs routine in PVS. prototype verification system,” in 11th International Conference on Automated Deduction, D. Kapur, Ed. Saratoga, New- As in real life, users benefit in managing both a pocket York: Springer-Verlag, 1992, pp. 748–752. [Online]. Available: calculator and a graphic tool. The fact that the example http://pvs.csl.sri.com/papers/cade92-pvs/cade92-pvs.ps [13] M. Abramowitz and I. A. Stegun, Eds., Handbook of mathematical proposed in Section V-B is reaching the limits of tractability is functions with formulas, graphs, and mathematical tables. Dover not a problem. Our library aims at providing some simple tools publications, 1972, ninth printing. that can be used seamlessly in proofs. Figure 3 would prompt a [14] J.-M. Muller, Elementary functions, algorithms and careful user that fair_atan theorems are a consequence of implementation. Birkhauser, 2006. [Online]. Available: http://www.springer.com/west/home/birkhauser/computer+science?SGWID=4-40353-22- the fact that the derivative of the error is always positive. Such [15] A. Neumaier, Interval methods for systems of equations. Cambridge a fact could happen to be difficult to prove leading some one to University Press, 1990. prove that the error is bounded on some subintervals and that [16] L. Jaulin, M. Kieffer, O. Didrit, and E. Walter, Applied interval analysis. Springer, 2001. [Online]. Available: the derivative is always positive on some other subintervals. http://www.springeronline.com/sgw/cda/frontpage/0,10735,5-40106-22-2093571-0,00.ht Anyways, such proofs will involve our library more than once. [17] R. B. Kearfott, Ed., Rigorous global search: continuous problemes. We continue developing this library and it is currently Kluwer Academic Publishers, 1996. [18] A. Yakovlev, “Classification approach to programming of localizational being used to check numerical properties of aircraft navigation (interval) computations,” Interval Computations, vol. 1, no. 1, pp. 61–84, algorithms developed at the National Institute of Aerospace 1992. [19] J. Sawada, “Formal verification of divide and square root algorithms using series calculation,” in 3rd International Workshop on the ACL2 Theorem Prover and its Applications. University of Grenoble, 2002, pp. 31–49. [20] C. Muñoz, “Batch proving and proof scripting in PVS,” NIA-NASA Langley, National Institute of Aerospace, Hampton, VA, Report NIA Report No. 2007-03, NASA/CR-2007-214546, February 2007. [21] P. Markstein, IA-64 and elementary functions: speed and precision. Prentice Hall, 2000. [22] J. Harrison, “Metatheory and reflection in theorem proving: A survey and critique,” SRI Cambridge, Millers Yard, Cambridge, UK, Technical Report CRC-053, 1995. [23] S. Boutin, “Using reflection to build efficient and certified decision procedures,” in Proceedings of the Third International Symposium on Theoretical Aspects of Computer Software, London, United Kingdom, 1997, pp. 515–529. [24] F. W. von Henke, S. Pfab, H. Pfeifer, and H. Rueß, “Case Studies in Meta-Level Theorem Proving,” in Proc. Intl. Conf. on Theorem Proving in Higher Order Logics, ser. Lecture Notes in Computer Science, J. Grundy and M. Newey, Eds., no. 1479. Springer-Verlag, Sept. 1998, pp. 461–478. [25] N. Shankar, “Efficiently executing PVS,” Computer Science Laboratory, SRI International, Menlo Park, CA, Project report, Nov. 1999, available at http://www.csl.sri.com/shankar/PVSeval.ps.gz. [26] C. Muñoz, “Rapid prototyping in PVS,” NIA-NASA Langley, National Institute of Aerospace, Hampton, VA, Report NIA Report No. 2003-03, NASA/CR-2003-212418, May 2003. [27] P. Gowland and D. Lester, “A survey of exact arithmetic implementations,” in 4th International Workshop on Computability and Complexity in Analysis, Swansea, United Kingdom, 2000, pp. 30–47. [Online]. Available: http://www.link.springer.de/link/service/series/0558/bibs/2064/20640030.htm [28] V. Ménissier-Morain, “Arbitrary precision real arithmetic: design and algorithms,” Journal of Logic and Algebraic Programming, vol. 64, no. 1, pp. 13–39, 2005. [Online]. Available: http://dx.doi.org/10.1016/j.jlap.2004.07.003 [29] A. Ciaffaglione and P. Di Gianantonio, “A certified, corecursive implementation of exact real numbers,” Theoretical Computer Science, vol. 351, no. 1, pp. 39–51, 2006. [Online]. Available: http://dx.doi.org/10.1016/j.tcs.2005.09.061 [30] J. Hughes and M. Niqui, “Admissible digit sets,” Theoretical Computer Science, vol. 351, no. 1, pp. 61–73, 2006. [Online]. Available: http://dx.doi.org/10.1016/j.tcs.2005.09.059 [31] B. Dutertre, “Elements of mathematical analysis in PVS,” in Theorem Proving in Higher Order Logics: 9th International Conference. TPHOLs'97, ser. Lecture Notes in Computer Science, J. von Wright, J. Grundy, , and J. Harrison, Eds., no. 1125. Turku, Finland: Springer-Verlag, August 1996, pp. 141–156. [Online]. Available: http://www.sdl.sri.com/papers/tphol96/ [32] M. Daumas and G. Melquiond, “Generating formally certified bounds on values and round-off errors,” in Real Numbers and Computers, Dagstuhl, Germany, 2004, pp. 55–70. [Online]. Available: http://hal.inria.fr/inria-00070739 [33] S. Boldo and C. Muñoz, “Provably faithful evaluation of polynomials,” in Proceedings of the 2006 ACM Symposium on Applied Computing, Dijon, France, 2006, pp. 1328–1332. [Online]. Available: http://doi.acm.org/10.1145/1141277.1141586 [34] D. Lester and P. Gowland, “Using PVS to validate the algorithms of an exact arithmetic,” Theoretical Computer Science, vol. 291, no. 2, pp. 203–218, Nov. 2002. [35] K. Makino and M. Berz, “Taylor models and other validated functional inclusion methods,” International Journal of Pure and Applied Mathematics, vol. 4, no. 4, pp. 379–456, 2003. [Online]. Available: http://bt.pa.msu.edu/pub/papers/TMIJPAM03/TMIJPAM03.pdf [36] F. Cháves and M. Daumas, “A library to Taylor models for PVS automatic proof checker,” in Proceedings of the NSF workshop on reliable engineering computing, Savannah, Georgia, 2006, pp. 39–52. [Online]. Available: http://www.gtsav.gatech.edu/workshop/rec06/papers/Chaves_paper.pdf [37] F. Cháves, M. Daumas, C. Muñoz, and N. Revol, “Automatic strategies to evaluate formulas on Taylor models and generate proofs in PVS,” in 6th International Congress on Industrial and Applied Mathematics, Zurich, Switzerland, 2007. [Online]. Available: http://www.iciam07.ch/