# Frama-C news and ideas

## Tag - floating-point

Tuesday, May 14 2013

## Contrarianism

If I told you that when `n` is a positive power of two and `d` an arbitrary number, both represented as `double`, the condition `(n - 1) * d + d == n * d` in strictly-IEEE-754-implementing C is always true, would you start looking for a counter-example, or start looking for a convincing argument that this property may hold?

If you started looking for counter-examples, would you start with the vicious values? Trying to see if `NaN` or `+inf` can be interpreted as “a positive power of two” or “an arbitrary number” represented “as `double`”? A subnormal value for `d`? A subnormal value such that `n*d` is normal? A subnormal value such that `(n - 1) * d` is subnormal and `n * d` is normal?

Or would you try your luck with ordinary values such as `0.1` for `d` and `4` for `n`?

This post is based on a remark by Stephen Canon. Also, I have discovered a truly remarkable proof of the property which this quick post is too small to contain.

Saturday, May 11 2013

## Big round numbers, and a book review

Nearly 15 months ago, according to a past article, this blog celebrated its 15-months anniversary, and celebrated with the announcement of minor milestones having been reached: 100 articles and 50 comments.

Fifteen months after that, the current count is nearly 200 articles and 200 comments. Also, the blog managed to get 100 subscribers in Google's centralized service for never having to mark the same post as read twice, Reader. This was a close call.

A lot of recent posts have been related to floating-point arithmetic. I would like to reassure everyone that this was only a fluke. Floating-point correctness became one of the Frama-C tenets with our involvement in two collaborative projects, U3CAT and Hisseo, now both completed. Very recently, something must have clicked for me and I became quite engrossed by the subject.

As a result of this recent passion, in the last few days, I started reading the “Handbook of Floating-Point Arithmetic”, by Jean-Michel Muller et al. This book is both thick and dense, but fortunately well organized, so that it is easy to skip over sections you do not feel concerned with, such as decimal floating-point or hardware implementation details. This book is an amazing overview. It contains cristal-clear explanations of floating-point idioms that I was until then painstakingly reverse-engineering from library code. Fifteen years from now, people will say, “… and you should read the Handbook of Floating-Point Arithmetic. It is a bit dated now, but it is still the best reference, just complete it with this one and that one”, just like people might say now about Aho, Sethi and Ullman's Dragon book for compilation.

Except that right now, the book is amazingly current. The references to hardware are references to hardware that you might still have, or certainly remember having had. The open questions are still open. If you were offered the chance to read the Dragon book when it came out and was all shiny and new, would you pass? If not, and if there is the slightest chance that you might hold an interest in the mysteries of floating-point computation in the foreseeable future, read this book now, for the bragging rights.

In addition, the book goes down to the lowest levels of detail, with occasional snippets of programs to make it clear what is meant. The snippets are C code, and irreproachable C code.

Thursday, May 9 2013

## The OCaml runtime

The OCaml runtime allows polymorphism through the uniform representation of types. Every OCaml value is represented as a single word, so that it is possible to have a single implementation for, say, “list of things”, with functions to access (e.g. `List.length`) and build (e.g. `List.map`) these lists that work just the same whether they are lists of ints, of floats, or of lists of sets of integers.

Anything that does not fit in in a word is allocated in a block in the heap. The word representing this data is then a pointer to the block. Since the heap contains only blocks of words, all these pointers are aligned: their few least significants bits are always unset.

Argumentless constructors (like this: `type fruit = Apple | Orange | Banana`) and integers do not represent so much information that they need to be allocated in the heap. Their representation is unboxed. The data is directly inside the word that would otherwise have been a pointer. So while a list of lists is actually a list of pointers, a list of ints contains the ints with one less indirection. The functions accessing and building lists do not notice because ints and pointers have the same size.

Still, the Garbage Collector needs to be able to recognize pointers from integers. A pointer points to a well-formed block in the heap that is by definition alive (since it is being visited by the GC) and should be marked so. An integer can have any value and could, if precautions were not taken, accidentally look like a pointer. This could cause dead blocks to look alive, but much worse, it would also cause the GC to change bits in what it thinks is the header of a live block, when it is actually following an integer that looks like a pointer and messing up user data.

This is why unboxed integers provide 31 bits (for 32-bit OCaml) or 63 bits (for 64-bit OCaml) to the OCaml programmer. In the representation, behind the scenes, the least significant bit of a word containing an integer is always set, to distinguish it from a pointer. 31- or 63-bit integers are rather unusual, so anyone who uses OCaml at all knows this. What users of OCaml do not usually know is why there isn't a 63-bit unboxed float type for 64-bit OCaml.

## There is no unboxed 63-bit floating-point type in OCaml

And the answer to this last question is that there is no particular reason one shouldn't have a 63-bit unboxed float type in OCaml. Defining one only requires carefully answering two more intricately related questions:

• What 63-bit floating-point format should be used?
• How will the OCaml interpreter compute values in this format?

In 1990, when 64-bit computers were few, Xavier Leroy decided that in his (then future) Caml-light system, the type for floating-point would be 64-bit double precision. The double precision floating-point format did not come close to fitting in the then-prevalent 32-bit word:

Floating-point numbers are allocated in the heap as unstructured blocks of length one, two or three words, depending on the possibilities of the hardware and on the required precision. An unboxed representation is possible, using the 10 suffix for instance, but this gives only 30 bits to represent floating-point numbers. Such a format lacks precision, and does not correspond to any standard format, so it involves fairly brutal truncations. Good old 64-bit, IEEE-standard floating point numbers seem more useful, even if they have to be allocated.

First, a remark: it is not necessary to distinguish floats from ints: that is what the static type-system is for. From the point of view of the GC they are all non-pointers, and that's the only important thing. So if we decide to unbox floats, we can take advantage of the same representation as for integers, a word with the least significant bit set. And nowadays even the proverbial grandmother has a 64-bit computer to read e-mail on, hence the temptation to unbox floats.

Second, the reticence to truncate the mantissa of any existing format remains well-founded. Suppose that we defined a format with 51 explicit mantissa bits as opposed to double-precision's 52. We could use the double-precision hardware for computations and then round to 51 bits of mantissa, but the sizes are so close that this would introduced plenty of double rounding errors, where the result is less precise than if it had been rounded directly to 51 bits. As someone who has to deal with the consequences of hardware computing 64-bit mantissas that are then rounded a second time to 52-bit, I feel dirty just imagining this possibility. If we went for 1 sign bit, 11 exponent bits, 51 explicit mantissa bits, we would have to use software emulation to round directly to the correct result.

This post is about another idea to take advantage of the double-precision hardware to implement a 63-bit floating-point type.

## A truncationless 63-bit floating-point format

### Borrow a bit from the exponent

Taking one of the bits from the 11 reserved for the exponent in the IEEE 754 double-precision format does not have such noticeable consequences. At the top of the scale, it is easy to map values above a threshold to infinity. This does not involve double-rouding error. At the bottom of the scale, things are more complicated. The very smallest floating-point numbers of a proper floating-point format, called subnormals, have an effective precision of less than the nominal 52 bits. Computing with full-range double-precision and then rounding to reduced-range 63-bit means that the result of a computation can be computed as a normal double-precision number with 52-bit mantissa, say 1.324867e-168, and then rounded to the narrower effective precision of a 63-bit subnormal float.

Incidentally, this sort of issue is the sort that remains even after you have configured an x87 to use only the 53 or 24 mantissa bits that make sense to compute with the precision of double- or single-precision. Only the range of the mantissa is reduced, not that of the exponent, so numbers that would be subnormals in the targeted type are normal when represented in a x87 register. You could hope to fix them after each computation with an option such as GCC's -ffloat-store, but then they are double-rounded. The first rounding is at 53 or 24 bits, and the second to the effective precision of the subnormal.

### Double-rounding, Never!

But since overflows are much easier to handle, we can cheat. In order to make sure that subnormal results are rounded directly to the effective precision, we can bias the computations so that if the result is going to be a 63-bit subnormal, the double-precision operation produces a subnormal result already.

In practice, this means that when the OCaml program is adding numbers 1.00000000001e-152 and -1.0e-152, we do not show these numbers to the double-precision hardware. What we show to the hardware instead is these numbers multiplied by 2^-512, so that if the result need to be subnormal in the 63-bit format, and in this example, it needs, then a subnormal double-precision will be computed with the same number of bits of precision.

In fact, we can maintain this “store numbers as 2^-512 times their intended value” convention all the time, and only come out of it at the time of calling library functions such as `printf()`.

For multiplication of two operands represented as 2^-512 times their real value, one of the arguments needs to be unbiased (or rebiased: if you have a trick to remember which is which, please share) before the hardware multiplication, by multiplying it by 2^512.

For division the result must be rebiased after it is computed.

The implementation of the correctly-rounded function `sqrt()` for 63-bit floats is left as an exercise to the reader.

### Implementation

A quick and dirty implementation, only tested as much as shown, is available from ideone. Now I would love for someone who actually uses floating-point in OCaml to finish integrating this in the OCaml runtime and do some benchmarks. Not that I expect it will be very fast: the 63-bit representation involves a lot of bit-shuffling, and OCaml uses its own tricks, such as unboxing floats inside arrays, so that it will be hard to compete.

## Credits

I should note that I have been reading a report on implementing a perfect emulation of IEEE 754 double-precision using x87 hardware, and that the idea presented here was likely to be contained there. Google, which is prompt to point to the wrong definition of FLT_EPSILON, has been no help in finding this report again.

## Correct and wrong definitions for the constant FLT_EPSILON

```FLT_EPSILON the minimum positive number such that 1.0 + FLT_EPSILON != 1.0.
```

No, no, no, no, no.

I don't know where this definition originates from, but it is obviously from some sort of standard C library, and it is wrong, wrong, wrong, wrong, wrong. The definition of the C99 standard is:

the difference between 1 and the least value greater than 1 that is representable in the given floating point type, b^(1−p)

The GNU C library gets it right:

FLT_EPSILON: This is the difference between 1 and the smallest floating point number of type float that is greater than 1.

## The difference

On any usual architecture, with the correct definition, FLT_EPSILON is `0x0.000002p0`, the difference between `0x1.000000p0` and the smallest float above it, `0x1.000002p0`.

The notation `0x1.000002p0` is a convenient hexadecimal input format, introduced in C99, for floating-point numbers. The last digit is a `2` where one might have expected a `1` because single-precision floats have 23 explicit bits of mantissa, and 23 is not a multiple of 4. So the `2` in `0x1.000002p0` represents the last bit that can be set in a single-precision floating-point number in the interval [1…2).

If one adds FLT_EPSILON to `1.0f`, one does obtain `0x1.000002p0`. But is it the smallest `float` with this property?

```#include <stdio.h>

void pr_candidate(float f)
{
printf("candidate: %.6a\tcandidate+1.0f: %.6a\n", f, 1.0f + f);
}

int main(){
pr_candidate(0x0.000002p0);
pr_candidate(0x0.000001fffffep0);
pr_candidate(0x0.0000018p0);
pr_candidate(0x0.000001000002p0);
pr_candidate(0x0.000001p0);
}
```

This program, compiled and executed, produces:

```candidate: 0x1.000000p-23	candidate+1.0f: 0x1.000002p+0
candidate: 0x1.fffffep-24	candidate+1.0f: 0x1.000002p+0
candidate: 0x1.800000p-24	candidate+1.0f: 0x1.000002p+0
candidate: 0x1.000002p-24	candidate+1.0f: 0x1.000002p+0
candidate: 0x1.000000p-24	candidate+1.0f: 0x1.000000p+0
```

No, `0x0.000002p0` is not the smallest number that, added to `1.0f`, causes the result to be above `1.0f`. This honor goes to `0x0.000001000002p0`, the smallest float above half FLT_EPSILON.

Exactly half FLT_EPSILON, the number `0x0.000001p0` or `0x1.0p-24` as you might prefer to call it, causes the result of the addition to be exactly midway between `1.0f` and its successor. The rule says that the “even” one has to be picked in this case. The “even” one is `1.0f`.

## Conclusion

Fortunately, in the file that initiated this rant, the value for FLT_EPSILON is correct:

```#define FLT_EPSILON 1.19209290E-07F // decimal constant
```

This is the decimal representation of `0x0.000002p0`. Code compiled against this header will work. It is only the comment that's wrong.

Saturday, May 4 2013

## Rounding float to nearest integer, part 3

Two earlier posts showed two different approaches in order to round a float to the nearest integer. The first was to truncate to integer after having added the right quantity (either 0.5 if the programmer is willing to take care of a few dangerous inputs beforehand, or the predecessor of 0.5 so as to have fewer dangerous inputs to watch for).

The second approach was to mess with the representation of the `float` input, trying to recognize where the bits for the fractional part were, deciding whether they represented less or more than one half, and either zeroing them (in the first case), or sending the float up to the nearest integer (in the second case) which was simple for complicated reasons.

## Variations on the first method

Several persons have suggested smart variations on the first theme, included here for the sake of completeness. The first suggestion is as follows (remembering that the input `f` is assumed to be positive, and ignoring overflow issues for simplicity):

```float myround(float f)
{
float candidate = (float) (unsigned int) f;
if (f - candidate <= 0.5) return candidate;
return candidate + 1.0f;
}
```

Other suggestions were to use `modff()`, that separates a floating-point number into its integral and fractional components, or `fmodf(f, 1.0f)`, that computes the remainder of `f` in the division by 1.

These three solutions work better than adding 0.5 for a reason that is simple if one only looks at it superficially: floating-point numbers are denser around zero. Adding 0.5 takes us away from zero, whereas operations `f - candidate`, `modff(f, iptr)` and `fmodf(f, 1.0)` take us closer to zero, in a range where the answer can be exactly represented, so it is. (Note: this is a super-superficial explanation.)

## A third method

### General idea: the power of two giveth, and the power of two taketh away

The third and generally most efficient method for rounding `f` to the nearest integer is to take advantage of this marvelous rounding machine that is IEEE 754 arithmetic. But for this to work, the exact right machine is needed, that is, a C compiler that implements strict IEEE 754 arithmetic and rounds each operation to the precision of the type. If you are using GCC, consider using options `-msse2 -mfpmath=sse`.

We already noticed that single-precision floats between 2^23 and 2^24 are all the integers in this range. If we add some quantity to `f` so that the result ends up in this range, wouldn't it follow that the result obtained will be rounded to the integer? And it would be rounded in round-to-nearest. Exactly what we are looking for:

```  f                 f + 8388608.0f
_____________________________

0.0f                8388608.0f
0.1f                8388608.0f
0.5f                8388608.0f
0.9f                8388609.0f
1.0f                8388609.0f
1.1f                8388609.0f
1.5f                8388610.0f
1.9f                8388610.0f
2.0f                8388610.0f
2.1f                8388610.0f
```

The rounding part goes well, but now we are stuck with large numbers far from the input and from the expected output. Let us try to get back close to zero by subtracting `8388608.0f` again:

```  f                 f + 8388608.0f             f + 8388608.0f - 8388608.0f
____________________________________________________________________

0.0f                8388608.0f                              0.0f
0.1f                8388608.0f                              0.0f
0.5f                8388608.0f                              0.0f
0.9f                8388609.0f                              1.0f
1.0f                8388609.0f                              1.0f
1.1f                8388609.0f                              1.0f
1.5f                8388610.0f                              2.0f
1.9f                8388610.0f                              2.0f
2.0f                8388610.0f                              2.0f
2.1f                8388610.0f                              2.0f
```

It works! The subtraction is exact, for the same kind of reason that was informally sketched for `f - candidate`. Adding `8388608.0f` causes the result to be rounded to the unit, and then subtracting it is exact, producing a `float` that is exactly the original rounded to the nearest integer.

For these inputs anyway. For very large inputs, the situation is different.

### Very large inputs: absorption

```  f                 f + 8388608.0f             f + 8388608.0f - 8388608.0f
____________________________________________________________________

1e28f                  1e28f                               1e28f
1e29f                  1e29f                               1e29f
1e30f                  1e30f                               1e30f
1e31f                  1e31f                               1e31f
```

When `f` is large enough, adding `8388608.0f` to it does nothing, and then subtracting `8388608.0f` from it does nothing again. This is good news, because we are dealing with very large single-precision floats that are already integers, and can be returned directly as the result of our function `myround()`.

In fact, since we entirely avoided converting to a range-challenged integer type, and since adding `8388608.0f` to `FLT_MAX` does not make it overflow (we have been assuming the FPU was in round-to-nearest mode all this time, remember?), we could even caress the dream of a straightforward `myround()` with a single execution path. Small floats rounded to the nearest integer and taken back near zero where they belong, large floats returned unchanged by the addition and the subtraction of a comparatively small quantity (with respect to them).

### Dreams crushed

Unfortunately, although adding and subtracting 2^23 almost always does what we expect (it does for inputs up to 2^23 and above 2^47), there is a range of values for which it does not work. An example:

```  f                 f + 8388608.0f             f + 8388608.0f - 8388608.0f
____________________________________________________________________

8388609.0f          16777216.0f                        8388608.0f
```

In order for function `myround()` to work correctly for all inputs, it still needs a conditional. The simplest is to put aside inputs larger than 2^23 that are all integers, and to use the addition-subtraction trick for the others:

```float myround(float f)
{
if (f >= 0x1.0p23)
return f;
return f + 0x1.0p23f - 0x1.0p23f;
}
```

The function above, in round-to-nearest mode, satisfies the contract we initially set out to fulfill. Interestingly, if the rounding mode is other than round-to-nearest, then it still rounds to a nearby integer, but according to the FPU rounding mode. This is a consequence of the fact that the only inexact operation is the addition. The subtraction, being exact, is not affected by the rounding mode.

For instance, if the FPU is set to round downwards and the argument `f` is `0.9f`, then `f + 8388608.0f` produces `8388608.0f`, and `f + 8388608.0f - 8388608.0f` produces zero.

## Conclusion

This post concludes the “rounding float to nearest integer” series. The method highlighted in this third post is actually the method generally used for function `rintf()`, because the floating-point addition has the effect of setting the “inexact” FPU flag when it is inexact, which is exactly when the function returns an output other than its input, which is when `rintf()` is specified as setting the “inexact” flag.

Function `nearbyintf()` is specified as not touching the FPU flags and would typically be implemented with the method from the second post.

Friday, May 3 2013

## Rounding float to nearest integer, part 2

The previous post offered to round a positive float to the nearest integer, represented as a float, through a conversion back and forth to 32-bit unsigned int. There was also the promise of at least another method. Thanks to reader feedback, there will be two. What was intended to be the second post in the series is hereby relegated to third post.

## Rounding through bit-twiddling

Several readers seemed disappointed that the implementation proposed in the last post was not accessing the bits of float `f` directly. This is possible, of course:

```  assert (sizeof(unsigned int) == sizeof(float));
unsigned int u;
memcpy(&u, &f, sizeof(float));
```

In the previous post I forgot to say that we were assuming 32-bit unsigned ints. From now on we are in addition assuming that floats and unsigned ints have the same endianness, so that it is convenient to work on the bit representation of one by using the other.

Let us special-case the inputs that can mapped to zero or one immediately. We are going to need it. We could do the comparisons to 0.5 and 1.5 on `u`, because positive floats increase with their unsigned integer representation, but there is no reason to, because it is more readable to work on `f`:

```  if (f <= 0.5) return 0.;
if (f <= 1.5) return 1.;
```

Now, to business. The actual exponent of `f` is:

```  int exp = ((u>>23) & 255) - 127;
```

The explicit bits of `f`'s significand are `u & 0x7fffff`, but there is not need to take them out: we will manipulate them directly inside `u`. Actually, at one point we will cheat and manipulate a bit of the exponent at the same time, but it will all be for the best.

A hypothetical significand for the number 1, aligned with the existing significand for `f`, would be `1U << (23 - exp)`. But this is hypothetical, because `23 - exp` can be negative. If this happens, it means that `f` is in a range where all floating-point numbers are integers.

```  if (23 - exp < 0) return f;
unsigned int one = 1U << (23 - exp);
```

You may have noticed that since we special-cased the inputs below `1.5`, variable `one` may be up to `1 << 23` and almost, but not quite align with the explicit bits of `f`'s significand. Let us make a note of this for later. For now, we are interested in the bits that represent the fractional part of `f`, and these are always:

```  unsigned int mask = one - 1;
unsigned int frac = u & mask;
```

If these bits represent less than one half, the function must round down. If this is the case, we can zero all the bits that represent the fractional part of `f` to obtain the integer immediately below `f`.

```  if (frac <= one / 2)
{
float r;
memcpy(&r, &u, sizeof(float));
return r;
}
```

And we are left with the difficult exercise of finding the integer immediately above `f`. If this computation stays in the same binade, this means finding the multiple of `one` immediately above `u`.

“binade” is not a word, according to my dictionary. It should be one. It designates a range of floating-point numbers such as [0.25 … 0.5) or [0.5 … 1.0). I needed it in the last post, but I made do without it. I shouldn't have. Having words to designate things is the most important wossname towards clear thinking.

And if the computation does not stay in the same binade, such as 3.75 rounding up to 4.0? Well, in this case it seems we again only need to find the multiple of `one` immediately above `u`, which is in this case the power of two immediately above `f`, and more to the point, the number the function must return.

```  u = (u + mask) & ~mask;
float r;
memcpy(&r, &u, sizeof(float));
return r;
```

To summarize, a function for rounding a float to the nearest integer by bit-twiddling is as follows. I am not sure what is so interesting about that. I like the function in the previous post or the function in the next post better.

```float myround(float f)
{
assert (sizeof(unsigned int) == sizeof(float));
unsigned int u;
memcpy(&u, &f, sizeof(float));
if (f <= 0.5) return 0.;
if (f <= 1.5) return 1.;
int exp = ((u>>23) & 255) - 127;
if (23 - exp < 0) return f;
unsigned int one = 1U << (23 - exp);
unsigned int mask = one - 1;
unsigned int frac = u & mask;
if (frac <= one / 2)
else
float r;
memcpy(&r, &u, sizeof(float));
return r;
}
```

## To be continued again

The only salient point in the method in this post is how we pretend not to notice when significand arithmetic overflows over the exponent, for inputs between 1.5 and 2.0, 3.5 and 4.0, and so on. The method in next post will be so much more fun than this.

Thursday, May 2 2013

## Harder than it looks: rounding float to nearest integer, part 1

This post is the first in a series on the difficult task of rounding a floating-point number to an integer. Laugh not! The easiest-looking questions can hide unforeseen difficulties, and the most widely accepted solutions can be wrong.

## Problem

Consider the task of rounding a `float` to the nearest integer. The answer is expected as a `float`, same as the input. In other words, we are looking at the work done by standard C99 function `nearbyintf()` when the rounding mode is the default round-to-nearest.

For the sake of simplicity, in this series of posts, we assume that the argument is positive and we allow the function to round any which way if the float argument is exactly in-between two integers. In other words, we are looking at the ACSL specification below.

```/*@ requires 0 <= f <= FLT_MAX ;
ensures -0.5 <= \result - f <= 0.5 ;
ensures \exists integer n; \result == n;
*/
float myround(float f);
```

In the second `ensures` clause, `integer` is an ACSL type (think of it as a super-long `long long`). The formula `\exists integer n; \result == n` simply means that `\result`, the `float` returned by function `myround()`, is a mathematical integer.

## Via truncation

A first idea is to convert the argument `f` to `unsigned int`, and then again to `float`, since that's the expected type for the result:

```float myround(float f)
{
return (float) (unsigned int) f;
}
```

### Obvious overflow issue

One does not need Frama-C's value analysis to spot the very first issue, an overflow for large `float` arguments, but it's there, so we might as well use it:

```\$ frama-c -pp-annot  -val r.c -lib-entry -main myround
...
r.c:9:[kernel] warning: overflow in conversion of f ([-0. .. 3.40282346639e+38])
from floating-point to integer. assert -1 < f < 4294967296;
```

This overflow can be fixed by testing for large arguments. Large floats are all integers, so the function can simply return `f` in this case.

```float myround(float f)
{
if (f >= UINT_MAX) return f;
return (float) (unsigned int) f;
}
```

### Obvious rounding issue

The cast from `float` to `unsigned int` does not round to the nearest integer. It “truncates”, that is, it rounds towards zero. And if you already know this, you probably know too the universally used trick to obtain the nearest integer instead of the immediately smaller one, adding 0.5:

```float myround(float f)
{
if (f >= UINT_MAX) return f;
return (float) (unsigned int) (f + 0.5f);
}
```

This universally used trick is wrong.

### An issue when the ULP of the argument is exactly one

The Unit in the Last Place, or ULP for short, of a floating-point number is its distance to the floats immediately above and immediately below it. For large enough floats, this distance is one. In that range, floats behave as integers.

There is an ambiguity in the above definition for powers of two: the distances to the float immediately above and the float immediately below are not the same. If you know of a usual convention for which one is called the ULP of a power of two, please leave a note in the comments.

```int main()
{
f = 8388609.0f;
printf("%f -> %f\n", f, myround(f));
}
```

With a strict IEEE 754 compiler, the simple test above produces the result below:

```8388609.000000 -> 8388610.000000
```

The value passed as argument is obviously representable as a float, since that's the type of `f`. However, the mathematical sum `f + 0.5` does not have to be representable as a float. In the worst case for us, when the argument is in a range of floats separated by exactly one, the floating-point sum `f + 0.5` falls exactly in-between the two representable floats `f` and `f + 1`. Half the time, it is rounded to the latter, although `f` was already an integer and was the correct answer for function `myround()`. This causes bugs as the one displayed above.

The range of floating-point numbers spaced every 1.0 goes from 2^23 to 2^24. Half these 2^23 values, that is, nearly 4 millions of them, exhibit the problem.

Since the 0.5 trick is nearly universally accepted as the solution to implement rounding to nearest from truncation, this bug is likely to be found in lots of places. Nicolas Cellier identified it in Squeak. He offered a solution, too: switch the FPU to round-downward for the time of the addition `f + 0.5`. But let us not fix the problem just yet, there is another interesting input for the function as it currently stands.

### An issue when the argument is exactly the predecessor of 0.5f

```int main()
{
f = 0.49999997f;
printf("%.9f -> %.9f\n", f, myround(f));
}
```

This test produces the output `0.499999970 -> 1.000000000`, although the input `0.49999997` is clearly closer to `0` than to `1`.

Again, the issue is that the floating-point addition is not exact. The argument `0.49999997f` is the last `float` of the interval `[0.25 … 0.5)`. The mathematical result of `f + 0.5` falls exactly midway between the last float of the interval `[0.5 … 1.0)` and `1.0`. The rule that ties must be rounded to the even choice means that `1.0` is chosen.

### A function that works

The overflow issue and the first non-obvious issue (when ulp(f)=1) can be fixed by the same test: as soon as the ULP of the argument is one, the argument is an integer and can be returned as-is.

The second non-obvious issue, with input `0.49999997f`, can be fixed similarly.

```float myround(float f)
{
if (f >= 0x1.0p23) return f;
if (f <= 0.5) return 0;
return (float) (unsigned int) (f + 0.5f);
}
```

### A better function that works

Changing the FPU rounding mode, the suggestion in the Squeak bug report, is slightly unpalatable for such a simple function, but it suggests to add the predecessor of `0.5f` instead of `0.5f` to avoid the sum rounding up when it shouldn't:

```float myround(float f)
{
if (f >= 0x1.0p23) return f;
return (float) (unsigned int) (f + 0.49999997f);
}
```

It turns out that this works, too. It solves the problem with the input `0.49999997f` without making the function fail its specification for other inputs.

## To be continued

The next post will approach the same question from a different angle. It should not be without its difficulties either.

Wednesday, May 1 2013

## A rant about programming interview questions

Software development is a peculiar field. An applicant for a more traditionally artistic position would bring a portfolio to eir job interview: a selection of creations ey deems representative of eir work and wants to be judged by. But in the field of software development, candidates are often asked to solve a programming problem live, the equivalent of telling a candidate for a photography job “these are nice photographs you have brought, but could you take a picture for me, right now, with this unfamiliar equipment?”

Lots have already been written on programming job interview questions. Googling “fizzbuzz” alone reveals plenty of positions taken, reacted to, and counter-argumented. I do not intend to add to the edifice. Taking a step back, however, I notice that many of these posts do not tackle the question of why what works for the traditional arts should not be appropriate for the art of programming.

What I intend to discuss is the poor quality of “do this simple task, but avoid this simple construct that makes it trivial” interview questions. I hate those. Everytime I hear a new one it seems to reach a new high in sheer stupidity. The questions are usually very poorly specified, too. One such question might be to convert a floating-point value to integer without using a cast. Is `floor()` or `ceil()` allowed? Are other library functions than these ones that solve the problem too directly allowed? May I use a union to access the bits of the floating-point representation? Or `memcpy()`?

Well, I have solved this particular question once and for all. The conversion function makes up the second part of this post. It uses only floating-point computations, no tricks. Now, one just needs to learn it and to regurgitate it as appropriate at interview time (there is no way one can write a working version of this program on blackboard, too). Who is hiring?

## A program

The function below requires a strict IEEE 754 implementation. If your GCC is generating x87 instructions, options `-msse2 -mfpmath=sse` should prevent it from doing so and allow you to run the program:

```#include <math.h>
#include <float.h>
#include <stdio.h>
#include <limits.h>

/*@ requires 0 <= f < ULLONG_MAX + 1 ; */
unsigned long long dbl2ulonglong(double f)
{
if (f < 1) return 0;
unsigned long long l = 0;

for (double coef = 3; coef != 0x1.0p53; coef = 2 * coef - 1, l >>=1)
{
double t = coef * f;
double o = f - t + t - f;
if (o != 0)
{
l |= 0x8000000000000000ULL;
f -= fabs(o);
}
}
l |= 0x8000000000000000ULL;
for ( ; f != 0x1.0p63; f *= 2) l>>=1;
return l;
}

int main()
{
double f = 123456.;
unsigned long long l = dbl2ulonglong(f);
printf("result:%.18g %llu\n", f, l);

f = ULLONG_MAX * 0.99;
l = dbl2ulonglong(f);
printf("result:%.18g %llu\n", f, l);

printf("rounding:%llu %llu %llu %llu\n",
dbl2ulonglong(DBL_MIN),
dbl2ulonglong(1.4),
dbl2ulonglong(1.5),
dbl2ulonglong(1.6));

return 0;
}
```

The expected result is:

```result:123456 123456
result:1.82622766329724559e+19 18262276632972455936
rounding:0 1 1 1
```

Incidentally, does anyone know how to write a correctness proof for this function? A formal proof would be nice, but just an informal explanation of how one convinces oneself that `o = f - t + t - f` is the right formula would already be something.

Saturday, April 6 2013

## Quotes on the Internet

In 2012, Lukas Mathis took a quote out of the context of a blog post by Marco Arment and ran with it. The result was a though-provoking essay. Key quote:

This is a sentiment you often hear from people: casual users only need «entry-level» devices. Even casual users themselves perpetuate it: «Oh, I’m not doing much on my computer, so I always just go with the cheapest option.» And then they buy a horrid, underpowered netbook, find out that it has a tiny screen, is incredibly slow, the keyboard sucks, and they either never actually use it, or eventually come to the conclusion that they just hate computers.

In reality, it’s exactly backwards: proficient users can deal with a crappy computer, but casual users need as good a computer as possible.

Lukas fully develops the idea in his post, Crappy Computers. Go ahead and read it now if you haven't already. This blog will still be here when you come back.

## Floating-point libraries

The idea expressed by Lukas Mathis applies identically in a much more specific setting: developing with floating-point computations. The developers who most need accurate floating-point libraries are those who least care about floating-point. These developers will themselves tell you that it is all the same to them. They do not know what an ULP (“unit in the last place”) is, so what difference is it to them if they get two of them as error where they could have had one or half of one?

In this, they are just as wrong as the casual computer users who pick horrid netbooks for themselves.

### Floating-point-wise, programming environments are not born equal

All recent processors for desktop computers provide basic operations +, -, *, / and square root for IEEE 754 single- and double-precision floating-point numbers. Each operation has its assembly instruction, and since the assembly instruction is the fastest way to implement the operation, compilers have no opportunity to mess things up in a misguided attempt at optimizing for speed.

Who am I kidding? Of course compilers have plenty of opportunities to mess things up.

1. It may seem to a compiler that a compile-time computation is even faster than the assembly instruction provided by the processor, so that if the program computes `x / 10.0`, the compiler may compute `1 / 10.0` at compile-time and generate assembly code that multiplies `x` by this constant instead. This transformation causes the result to be less accurate in some rare cases.
2. Or a compiler may simplify source-code expressions as if floating-point operations were associative when they aren't. It may for instance optimize a carefully crafted floating-point expression such as `a + b - a - b` into `0`.

Nevertheless, there has been much progress recently in standard compliance for compilers' implementations of floating-point. Overall, for programs that only use the basic operators, the situation has never been better.

The situation is not as bright-looking when it comes to mathematical libraries. These libraries provide conversion to and from decimal, and transcendental elementary functions implemented on top of the basic operations. They are typically part of the operating system. Implementations vary wildly in quality from an operating system to the next.

Expert developers know exactly what compromise between accuracy and speed they need, and they typically use their own functions instead of the operating system's. By way of illustration, a famous super-fast pretty-accurate implementation of the inverse square root function is used in Quake III and has been much analyzed.

The casual developer of floating-point programs, on the other hand, will certainly use the functions provided by the system. Some of eir expectations may be naive, or altogether impossible to reconcile with the constraints imposed by the IEEE 754 standard. Other expectations may be common sense, such as a `sin()` function that does not return `-2.76`.

For such a developer, the mathematical libraries should strive to be as accommodating and standard-compliant as possible, because ey needs it, regardless of what ey thinks.

## An example

To illustrate, I have written a string-to-long conversion function. It could have been an entry in John Regehr's contest, but since the deadline is passed, I have allowed the function to expect only positive numbers and to fail miserably when the input is ill-formed.

The function looks like this:

```long str2long(char *p)
{
size_t l = strlen(p);
long acc = 0;

for (size_t i=0; i<l; i++)
{
int digit = p[i] - '0';
long pow10 = pow(10, l - 1U - i);
acc += digit * pow10;;
}
return acc;
}
```

Neat, huh?

I tested this function more than the last function. This time I compiled it and invoked it on a few strings:

```  printf("%ld %ld %ld %ld\n",
str2long("0"),
str2long("123"),
str2long("999"),
str2long("123456789123456789"));
```

You can download the entire C code for yourself. If you run it, you should get:

```0 123 999 123456789123456789
```

I wrote my function to work for all well-formed inputs that fit in a `long` (but I only tested it for four values, so do not embed it in your space shuttle, please). Some of the reasons why I expect it to work are implicit: for one, powers of ten up to 10^22 are exactly representable as double-precision floating-point numbers. Also, I happen to know that on the system I use, the mathematical library is one of the best available.

I am not, in fact, a floating-point expert. I could be completely illiterate with respect to floating-point and have written the exact same function. In fact, this happened to StackOverflow user1257. (I am not saying that StackOverflow user1257 is illiterate with respect to floating-point, either. Ey wrote a function similar to mine, after all.)

User1257's function returned `122` when applied to the string `"123"` !!!

This was so troubling that user1257 suspected a compiler bug. The reality is more likely that on eir computer, the statement `long pow10 = pow(10, 2);` sets variable `pow10` to `99`. The function `pow()` only needs to be inaccurate by 1ULP for this result to come up because of C's truncation behavior (towards zero) when converting from floating-point to integer.

## Conclusion

My `str2long()` function would fail just the same if it was run in user1257's compilation environment. I still think that my function is correct and that I should be able to expect results to the ULP from the math library's `pow()` function. A floating-point expert would never even encounter the issue at all. I might be able to diagnose it and to cope. But the floating-point beginner simply needs an environment in which `long pow10 = pow(10, 2);` sets `pow10` to `100`.

If you program, and if you use floating-point at all, beware of relying on the math library equivalent of a crappy netbook.

Sunday, March 3 2013

## Correct rounding or mathematically-correct rounding?

CRlibm is a high-quality library of floating-point elementary functions. We used it as reference a long time ago in this blog while looking at lesser elementary function implementations and the even lesser properties we could verify about them.

## A bold choice

The CRlibm documentation contains this snippet:

[…] it may happen that the requirement of correct rounding conflicts with a basic mathematical property of the function, such as its domain and range. A typical example is the arctangent of a very large number which, rounded up, will be a number larger than π/2 (fortunately, ◦(π/2) < π/2). The policy that will be implemented in crlibm will be

• to give priority to the mathematical property in round to nearest mode (so as not to hurt the innocent user who may expect such a property to be respected), and

• to give priority to correct rounding in the directed rounding modes, in order to provide trustful bounds to interval arithmetic.

The choice for directed rounding modes is obviously right. I am concerned about the choice made for round-to-nearest. The documentation states the dilemma very well. One can imagine slightly out of range values causing out-of-bound indexes during table look-ups and worse things.

I seldom reason about floating-point programs. I work on static analysis and am only concerned about floating-point inasmuch as it is a requirement for writing a static analyzer correct for programs that include floating-point computations.

However, when I do reason about floating-point programs, I am more often compounding approximations, starting from the base assumption that a correctly rounded function returns a result within 1/2ulp of the mathematical result than I am assuming that atan(x) ≤ π/2. The choice the CRlibm implementors made means that suddenly, the reasoning I often make is wrong. The value of `atan(x)` in the program may not be 1/2ulp from the real arctangent of the same `x`. It can be more when `x` is very large and mathematical-correctness overrode correct rounding.

Truck drivers fall asleep at the wheel when they face long, dull stretches of straight empty roads. Similarly, it is good to have another special case to consider when reasoning about floating-point computations. With only infinites and denormals to worry about, it can get, you know, a bit too easy.

## Oh well, it's only π/2

In this section I rhetorically assume that it is only π/2 for which there is a problem. The CRlibm documentation reminds us that in the case of double precision, we were lucky. Or perhaps it isn't luck, and the IEEE 754 committee took the desirableness of the property (double)π/2 < π/2 into account when it chose the number of bits in the significand of the double-precision format.

How lucky (or careful) have we been, exactly? Let us test it with the program below — assuming my compilation platform works as intended.

```#include <stdio.h>

#define PI(S) 3.1415926535897932384626433832795028841971693993751##S

float f = PI(f);
double d = PI();
long double ld = PI(L);

int main(){
printf("   3.14159265358979323846264338327950288419716939937510\n");
printf("f  %.50f\n", f);
printf("d  %.50f\n", d);
printf("ld %.50Lf\n",ld);
}
```

The result of compiling and executing the program is, for me:

```   3.14159265358979323846264338327950288419716939937510
f  3.14159274101257324218750000000000000000000000000000
d  3.14159265358979311599796346854418516159057617187500
ld 3.14159265358979323851280895940618620443274267017841
```

As you can see, the nearest single-precision float to π is above π, as is the nearest 80-bit long double. The same goes for π/2 because the floating-point representations for π and π/2 only differ in the exponent. Consequently, the issue raised by the CRlibm implementors will come up for both functions `atanf()` and `atanl()`, when it is time to get them done. We were not very lucky after all (or careful when defining the IEEE 754 standard).

## A subjective notion

But what exactly is the informal “mathematical correctness” notion that this post is predicated upon? Yes, the “innocent user” may expect mathematical properties to be respected as much as possible, but there are plenty of mathematical properties! Let us enumerate some more:

If `x ≤ 1` in a program, then `exp(x)` should always be lower than the mathematical constant e.

So far so good. The above is a good rule for an exponential implementation to respect. We are making progress.

Here is another property:

If `x ≥ 1` in a program, then `exp(x)` should always be greater than the mathematical constant e.

We are decidedly unlucky today, because at most one of these is going to be true of any floating-point function `exp()`. The programmatic value `exp(1)` must be either above or below the mathematical constant e (it is never equal to it because the mathematical constant e does not have a finite representation in binary).

## Why does it matter anyway?

Let us revisit the argument:

to give priority to the mathematical property in round to nearest mode (so as not to hurt the innocent user who may expect such a property to be respected)

I alluded to a possible problem with a programmer computing an array index from `atanf(x)` under the assumption that it is always lower than π/2. But how exactly would an innocent user even notice that `atanf(1e30)` is not lower than π/2? The value π/2 cannot exist in eir program any more than e. The user might innocently write an assertion like:

```assert(atanf(x)<=(3.1415926535897932f/2.0f));
```

This assertion will never trigger! The function `atanf()` will indeed return at most the single-precision float `3.1415926535897932f/2.0f`. It does not matter that this number is actually slightly larger than π/2. For all intents and purposes, in the twisted world of single-precision floating-point, this number is π/2.

## Conclusion

There are other scenarios in which the innocent user might genuinely have an unpleasant surprise. The result of a computation may be converted to decimal for humans to read and the user may be surprised to see a value outside the range ey expected. But this user would have the wrong expectations, just as if ey expected `10.0 * atan(x)` to always be less than 5π. Plenty of these users and developers can be found. But my opinion, for what it is worth, is that by making special cases you are not helping these users, only feeding their delusions.

The correct way to set expectations regarding the results of a floating-point program is numerical analysis. Numerical analysis is hard. Special cases such as the authors of CRlibm threaten to implement only seem to make it harder.

- page 1 of 4