Enable Non-determinism of float operations in Miri and change std tests #138062
Conversation
rustbot
added
S-waiting-on-review
|
The Miri subtree was changed cc @rust-lang/miri |
LorrensP-2158466
changed the title
|
The library changes lgtm, for the rest r? @RalfJung |
I should have clarified: the doc tests fail when running |
src/tools/miri/src/intrinsics/mod.rs
Outdated
| 2, // log2(4) | ||
| ); | ||
|
|
||
| // Clamp values to the output range defined in IEEE 754 9.1. |
There was a problem hiding this comment.
We said we're going to follow the C standard, which is more permissive than the IEEE spec. Is there a reference for this in the C standard?
There was a problem hiding this comment.
Yes and no...
For some operations it specifies it like this:
The atan functions return arctan x in the interval [−π/2, +π/2] radians
But for sin and cos like this:
The sin functions return
sin x
If I read "returns sin x", I understand it as "the output is [-1, +1]", but maybe that's just me.
src/tools/miri/src/intrinsics/mod.rs
Outdated
| let fixed_res = match (f1.category(), f2.category()) { | ||
| // 1^y = 1 for any y even a NaN. | ||
| // TODO: C Standard says any NaN, IEEE says not a Signaling NaN | ||
| (Category::Normal, _) if f1 == 1.0f32.to_soft() => Some(1.0f32.to_soft()), |
There was a problem hiding this comment.
Can you avoid using soft floats here?
There was a problem hiding this comment.
In the miri issue you said this:
except that the logic for fixed_res and clamp has to be done with soft-floats.
Did I misunderstand what you meant?
There was a problem hiding this comment.
Argh sorry, I meant "avoid using hard floats" :)
src/tools/miri/src/intrinsics/mod.rs
Outdated
| let fixed_res = match (f1.category(), f2.category()) { | ||
| // 1^y = 1 for any y even a NaN. | ||
| // TODO: C says any NaN, IEEE says no a Sign NaN | ||
| (Category::Normal, _) if f1 == 1.0f64.to_soft() => Some(1.0f64.to_soft()), |
There was a problem hiding this comment.
Please do not duplicate the same logic 4 times. We were a bit lazy here so far as the boilerplate for making the code generic was bigger than the code, but with all this special-case handling that is no longer the case.
src/tools/miri/tests/pass/float.rs
Outdated
| // accept up to 64ULP (16ULP for host floats and 16ULP for miri artificial error and 32 for any rounding errors) | ||
| assert_approx_eq!($a, $b, 64); | ||
| // accept up to 52ULP (16ULP for host floats, 4ULP for miri artificial error and 32 for any rounding errors) | ||
| assert_approx_eq!($a, $b, 52); |
There was a problem hiding this comment.
Do we really still need 52 ULP? I would have hoped that 32 works now.
There was a problem hiding this comment.
Indeed 32 works, don't know why I didn't tried it.
There was a problem hiding this comment.
I tried lower but got some ULP differences of 27.
src/tools/miri/tests/pass/float.rs
Outdated
| // TODO: How to test NaN inputs? f*::NAN is not guaranteed | ||
| // to be any specific bit pattern (in std). |
There was a problem hiding this comment.
It is guaranteed to be a NaN though. Why do you want a specific bit pattern?
There was a problem hiding this comment.
IEEE is not as permissive as C, so it doesn't matter much now, just one case: C standard says for pown(powi) the following:
pown(x, 0) returns 1 for all x not a signaling NaN
And since std doesn't guarantee the specific bit pattern of NaN, I'm not quite sure how to test it.
There was a problem hiding this comment.
Oh, since NAN might be signaling? That'd be quite bad.^^
Please rely on it being not signalling, I'll see if we can fix the docs.
it is failing the tests that use |
library/std/tests/floats/lib.rs
Outdated
| macro_rules! assert_approx_eq { | ||
| ($a:expr, $b:expr) => {{ assert_approx_eq!($a, $b, 1.0e-6) }}; | ||
| ($a:expr, $b:expr) => {{ assert_approx_eq!($a, $b, 1.0e-4) }}; |
There was a problem hiding this comment.
I think I'd rather not change this for all tests, and in particular not for f64.
An alternative would be to just set this precision with the affected tests in library/std/tests/floats/f32.rs.
There was a problem hiding this comment.
Maybe the precision should be only loosened only with cfg!(miri) as well. I think it is beneficial to learn which platforms, if any, have worse precision than we expect and address that on a case-by-case basis.
|
So I:
|
|
No, a macro is not right. The way to avoid this duplication is to add a function that is generic over the apfloat float type. I'd say just remove |
|
Yeah Sorry, I was confused with your comment: |
|
I was confused with your comment: avoid using soft floats.
sorry for that :(
|
|
No problems! This float stuff it getting to me too :) |
|
So I extended the There is still some repetitiveness, like applying the error or |
src/tools/miri/src/intrinsics/mod.rs
Outdated
| @@ -522,3 +572,121 @@ fn apply_random_float_error_to_imm<'tcx>( | |||
|
|
|||
| interp_ok(ImmTy::from_scalar_int(res, val.layout)) | |||
| } | |||
|
|
|||
| // TODO(lorrens): This can be moved to `helpers` when we implement the other intrinsics. | |||
There was a problem hiding this comment.
No please only but things in helpers that are widely useful across Miri. Specific functionality should remain in its specific file.
There was a problem hiding this comment.
Alright, I thought that this would be the case when implementing the foreign_itmes, since they probably will share this functionality, like asin and such.
There was a problem hiding this comment.
Ah yeah... we'll figure that out when we get there.
src/tools/miri/src/intrinsics/mod.rs
Outdated
| // x^(±0) = 1 for any x, even a NaN | ||
| ("powf32" | "powf64", [_, exp]) if exp.is_zero() => Some(one), | ||
|
|
||
| // C standard doesn't specify or invalid combination |
There was a problem hiding this comment.
Yeah, now that I am reading that again... I'll update it, excuse me for my bad English :)
src/tools/miri/src/intrinsics/mod.rs
Outdated
| // TODO: not sure about this pattern matching stuff. It's definitly cleaner than if-else chains | ||
| // Error code 0158 explains this: https://doc.rust-lang.org/stable/error_codes/E0158.html | ||
| // The only reason I did this is to use the same function for powf as for sin/cos/exp/log |
There was a problem hiding this comment.
I don't understand the comment. The code looks nice though :)
There was a problem hiding this comment.
Okay, I should have explained why the error code applies here.
Consider this arm:
// sin(+- 0) = +- 0.
("sinf32" | "sinf64", [input]) if input.is_zero() => Some(*input),I still have to put an if-guard on it to check that input is Zero, but in my opinion, it would be a lot nicer if I could do the following:
// sin(+- 0) = +- 0.
("sinf32" | "sinf64", [IeeeFloat::<S>::Zero]) => Some(*input),If I then were able to make a constant for 1 and maybe other values, I wouldn't need those if-guards. But unfortunately, the compiler doesn't try to see if this can work; it just assumes this to be non-exhaustive, regardless of a _ => ... arm.
Luckily, you like the code :)
There was a problem hiding this comment.
You can't use consts that depend on generics in patterns like that, that is expected.
src/tools/miri/tests/pass/float.rs
Outdated
| // TODO: How to test NaN inputs? f*::NAN is not guaranteed | ||
| // to be any specific bit pattern (in std). |
There was a problem hiding this comment.
Oh, since NAN might be signaling? That'd be quite bad.^^
Please rely on it being not signalling, I'll see if we can fix the docs.
|
Regarding the library tests, I suggested a plan above for the doc tests. Have you tried that? EDIT: Ah, yes seems you did. :) I assume all tests pass now in the current state of the PR? Also:
I am not convinced we want to do that, so unless @tgross35 asks for it I'd say please stick to the current approach. |
|
@tgross35 could you have a look at the library diff again? // Miri adds some extra error to float functions, make sure the tests still pass.
const APPROX_DETLA: f32 = if cfg!(miri) { 1e-4 } else { 1e-6 }; |
Yes, they indeed pass now. On the topic of doc and doctests, for example, // part of powf doctest
let x = 2.0_f32;
let abs_difference = (x.powf(2.0) - (x * x)).abs();
assert!(abs_difference <= 8.0 * f32::EPSILON);This is not wrong, but shouldn't it be noted that this only works with small values? |
|
r? @tgross35 to reflect the current status. Feel free to re-assign to me if the libs changes are fine. |
|
Let's avoid a conflict with the other in-flight PR, #136457. So let's deal with the algebraic and fast-math operations separately. |
|
Yes, I'm sorry for the lack of updates. I do plan to finish this pr, a lot of changes are still local because they are not done yet. All my project deadlines are this and next week... so yeah :) I expect to push all my changes no later than Monday. |
|
No worries, and thanks for the update. :) (Also, my next review will then take a lot longer as this PR has been fully swapped out of my short-term memory by now.^^) |
Don't worry :), I'm finding this really fun to do, but also somewhat hard, so I like to give it my full attention when I'm working on it.
😆, completely understandable. When I push my changes, I'll post a status of the pr. |
This comment has been minimized.
This comment has been minimized.
|
The current context is as follows. We only create a fixed value when it is non-zero, these can be found in The library tests (and doctests) were changed so that they don't fail under Miri and Trevor approved these, however when testing again today, We also added some tests for |
|
I also tried to rebase the upstream master branch because my fork is a bit outdated. :) All my changes get deleted, and only some things stay. Is there an easier way I can fix this? I followed the @rustbot ready |
rustbot
added
S-waiting-on-review
|
You'll have to resolve those conflicts before I will do another review -- I'd like to see a green CI for that. So I'm afraid there's no way around dealing with them. You can ask for help on Zulip if you're stuck with a rebase. @rustbot author |
rustbot
added
S-waiting-on-author
|
It's probably easier to first squash this into a single big commit, and then rebase that -- otherwise you'll likely see repeated conflicts while rebasing the many commits in your branch. |
|
Yes that's understandable. Thanks for the help! |
LorrensP-2158466
force-pushed
the
miri-enable-float-nondet
branch
from
61df399 to
557f172
Compare
|
Alright, squashing and then rebasing helped, thanks! But it's all still local because updating my branch pulled in a bunch of tests, which test behaviour we have not yet implemented. The test now is this one: assert_eq!(1.0, 0.0f64.exp());These operations do not yet use the |
|
These operations do not yet use the fixed_float_val of the clamp_float_val function.
They should also not have a random error then. Then the test should still work right?
|
LorrensP-2158466
force-pushed
the
miri-enable-float-nondet
branch
from
557f172 to
bddfc69
Compare
|
Alright, my previous comment was wrong... I have learned a valuable lesson to never have my branch out of date for so long. This was all a bit confusing hahahaha :). My comment about the current status/context still holds, but I had to change some things.
|
|
@rustbot ready |
rustbot
added
S-waiting-on-review
|
Are you talking about doctests, library tests, or miri tests here?
|
|
The |
| @@ -1008,17 +1033,82 @@ pub fn libm() { | |||
| assert_approx_eq!(25f32.powf(-2f32), 0.0016f32); | |||
| assert_approx_eq!(400f64.powf(0.5f64), 20f64); | |||
|
|
|||
| // Some inputs to powf and powi result in fixed outputs | |||
| // and thus must be exactly equal to that value | |||
There was a problem hiding this comment.
| // and thus must be exactly equal to that value | |
| // and thus must be exactly equal to that value. |
| assert_eq!((-1f64).powf(f64::NEG_INFINITY), 1.0); | ||
|
|
||
| // For pow (powf in rust) the C standard says: | ||
| // x^0 = 1 for all x even a sNaN |
There was a problem hiding this comment.
| // x^0 = 1 for all x even a sNaN | |
| // x^0 = 1 for all x even a sNaN | |
| // FIXME(#4286): this does not match the behavior of all implementations. |
| assert_eq!(SNAN_F64.powf(0.0), 1.0); | ||
|
|
||
| // For pown (powi in rust) the C standard says: | ||
| // x^0 = 1 for all x even a sNaN |
There was a problem hiding this comment.
| // x^0 = 1 for all x even a sNaN | |
| // x^0 = 1 for all x even a sNaN | |
| // FIXME(#4286): this does not match the behavior of all implementations. |
| @@ -748,7 +748,7 @@ impl f32 { | |||
| /// // asin(sin(pi/2)) | |||
| /// let abs_difference = (f.sin().asin() - std::f32::consts::FRAC_PI_2).abs(); | |||
| /// | |||
| /// assert!(abs_difference <= f32::EPSILON); | |||
| /// // assert!(abs_difference <= 12.0 * f32::EPSILON); | |||
There was a problem hiding this comment.
We can't have commented-out doctests. What exactly is happening here?
There was a problem hiding this comment.
I've run this test with many seeds and printed abs_difference / EPSILON each time. I got results between 0 and 8192. As usual, FP arithmetic precision degrades a lot when one subtracts two numbers that are fairly close to each other.
@tgross35 what do you suggest we do in this case? There's not really a reason to promise that f.sin().asin() - std::f32::consts::FRAC_PI_2 will be only a few epsilon away from 0. We could make this assert!(abs_difference < 1e-3); which passes on 10k different random seeds (for the RNG used to apply the error). That's quite far from EPSILON, but, well EPSILON is just really small...
There was a problem hiding this comment.
I don't think epsilon is really that meaningful as an error reference point, using 1e-3 seems better to me here anyway. asin is quite sensitive around 1.0 so the error compounding is pretty understandable.
There was a problem hiding this comment.
Should some of the other tests that are changed in this PR also use fixed constants like 1e-4 or so, or should we stick to EPSILON there?
There was a problem hiding this comment.
Maybe 1e-4 is clearer than the operation on EPSILON?
There was a problem hiding this comment.
Yeah that's the point I was trying to make :)
There was a problem hiding this comment.
I agree with your point :)
I'll change all of those to the 1e notation
| @@ -748,7 +748,7 @@ impl f64 { | |||
| /// // asin(sin(pi/2)) | |||
| /// let abs_difference = (f.sin().asin() - std::f64::consts::FRAC_PI_2).abs(); | |||
| /// | |||
| /// assert!(abs_difference < 1e-10); | |||
| /// // assert!(abs_difference < 1e-8); | |||
There was a problem hiding this comment.
Same here regarding commented-out tests.
| assert_approx_eq!( | ||
| 3.4f32.powf(4.5), | ||
| 246.408218, | ||
| APPROX_DELTA /* Miri float-non-det: Make tests pass for now */ |
There was a problem hiding this comment.
Why does every use of this variable have that comment? The variable itself already explains everything there is to say, right?
There was a problem hiding this comment.
You're right, I did it to make it clearer why the constant is used in those locations. I'll remove them!
|
@rustbot author |
rustbot
added
S-waiting-on-author
Links to #4208 and #3555 in Miri.
Non-determinism of floating point operations was disabled in #137594 because it breaks the tests and doc-tests in core/coretests and std.
This PR:
assert_eq!toassert_approx_eq!.assert_approx_eq!macro to allow up to 1e-4 to make the tests passTODO:
assert_approx_eqto use the same technique as Miri (i.e., using ULP instead of EPSILON)try-job: x86_64-gnu-aux