sbv-8.7: SMT Based Verification: Symbolic Haskell theorem prover using SMT solving.

Copyright(c) Levent Erkok
LicenseBSD3
Maintainererkokl@gmail.com
Stabilityexperimental
Safe HaskellNone
LanguageHaskell2010

Documentation.SBV.Examples.ProofTools.Strengthen

Contents

Description

An example showing how traditional state-transition invariance problems can be coded using SBV, using induction. We also demonstrate the use of invariant strengthening.

This example comes from Bradley's Understanding IC3 paper, which considers the following two programs:

     x, y := 1, 1                    x, y := 1, 1
     while *:                        while *:
       x, y := x+1, y+x                x, y := x+y, y+x

Where * stands for non-deterministic choice. For each program we try to prove that y >= 1 is an invariant.

It turns out that the property y >= 1 is indeed an invariant, but is not inductive for either program. We proceed to strengten the invariant and establish it for the first case. We then note that the same strengthening doesn't work for the second program, and find a further strengthening to establish that case as well. This example follows the introductory example in Bradley's paper quite closely.

Synopsis

System state

data S a Source #

System state. We simply have two components, parameterized over the type so we can put in both concrete and symbolic values.

Constructors

S 

Fields

  • x :: a
     
  • y :: a
     
Instances
Functor S Source # 
Instance details

Defined in Documentation.SBV.Examples.ProofTools.Strengthen

Methods

fmap :: (a -> b) -> S a -> S b #

(<$) :: a -> S b -> S a #

Foldable S Source # 
Instance details

Defined in Documentation.SBV.Examples.ProofTools.Strengthen

Methods

fold :: Monoid m => S m -> m #

foldMap :: Monoid m => (a -> m) -> S a -> m #

foldr :: (a -> b -> b) -> b -> S a -> b #

foldr' :: (a -> b -> b) -> b -> S a -> b #

foldl :: (b -> a -> b) -> b -> S a -> b #

foldl' :: (b -> a -> b) -> b -> S a -> b #

foldr1 :: (a -> a -> a) -> S a -> a #

foldl1 :: (a -> a -> a) -> S a -> a #

toList :: S a -> [a] #

null :: S a -> Bool #

length :: S a -> Int #

elem :: Eq a => a -> S a -> Bool #

maximum :: Ord a => S a -> a #

minimum :: Ord a => S a -> a #

sum :: Num a => S a -> a #

product :: Num a => S a -> a #

Traversable S Source # 
Instance details

Defined in Documentation.SBV.Examples.ProofTools.Strengthen

Methods

traverse :: Applicative f => (a -> f b) -> S a -> f (S b) #

sequenceA :: Applicative f => S (f a) -> f (S a) #

mapM :: Monad m => (a -> m b) -> S a -> m (S b) #

sequence :: Monad m => S (m a) -> m (S a) #

Fresh IO (S SInteger) Source #

Fresh instance for our state

Instance details

Defined in Documentation.SBV.Examples.ProofTools.Strengthen

Show a => Show (S a) Source # 
Instance details

Defined in Documentation.SBV.Examples.ProofTools.Strengthen

Methods

showsPrec :: Int -> S a -> ShowS #

show :: S a -> String #

showList :: [S a] -> ShowS #

Encoding the problem

problem :: (S SInteger -> [S SInteger]) -> [(String, S SInteger -> SBool)] -> IO (InductionResult (S Integer)) Source #

We parameterize over the transition relation and the strengthenings to investigate various combinations.

pgm1 :: S SInteger -> [S SInteger] Source #

The first program, coded as a transition relation:

pgm2 :: S SInteger -> [S SInteger] Source #

The second program, coded as a transition relation:

Examples

ex1 :: IO (InductionResult (S Integer)) Source #

Example 1: First program, with no strengthenings. We have:

>>> ex1
Failed while establishing consecution.
Counter-example to inductiveness:
  S {x = -1, y = 1}

ex2 :: IO (InductionResult (S Integer)) Source #

Example 2: First program, strengthened with x >= 0. We have:

>>> ex2
Q.E.D.

ex3 :: IO (InductionResult (S Integer)) Source #

Example 3: Second program, with no strengthenings. We have:

>>> ex3
Failed while establishing consecution.
Counter-example to inductiveness:
  S {x = -1, y = 1}

ex4 :: IO (InductionResult (S Integer)) Source #

Example 4: Second program, strengthened with x >= 0. We have:

>>> ex4
Failed while establishing consecution for strengthening "x >= 0".
Counter-example to inductiveness:
  S {x = 0, y = -1}

ex5 :: IO (InductionResult (S Integer)) Source #

Example 5: Second program, strengthened with x >= 0 and y >= 1 separately. We have:

>>> ex5
Failed while establishing consecution for strengthening "x >= 0".
Counter-example to inductiveness:
  S {x = 0, y = -1}

Note how this was sufficient in ex2 to establish the invariant for the first program, but fails for the second.

ex6 :: IO (InductionResult (S Integer)) Source #

Example 6: Second program, strengthened with x >= 0 /\ y >= 1 simultaneously. We have:

>>> ex6
Q.E.D.

Compare this to ex5. As pointed out by Bradley, this shows that a conjunction of assertions can be inductive when none of its components, on its own, is inductive. It remains an art to find proper loop invariants, though the science is improving!