Copyright | (c) Levent Erkok |
---|---|
License | BSD3 |
Maintainer | erkokl@gmail.com |
Stability | experimental |
Safe Haskell | None |
Language | Haskell2010 |
Induction engine for state transition systems. See the following examples for details:
- Documentation.SBV.Examples.ProofTools.Strengthen: Use of strengthening to establish inductive invariants.
- Documentation.SBV.Examples.ProofTools.Sum: Proof for correctness of an algorithm to sum up numbers,
- Documentation.SBV.Examples.ProofTools.Fibonacci: Proof for correctness of an algorithm to fast-compute fibonacci numbers, using axiomatization.
Synopsis
- data InductionResult a
- = Failed InductionStep a
- | Proven
- data InductionStep
- induct :: (Show res, Queriable IO st, res ~ QueryResult st) => Bool -> Symbolic () -> (st -> SBool) -> (st -> [st]) -> [(String, st -> SBool)] -> (st -> SBool) -> (st -> (SBool, SBool)) -> IO (InductionResult res)
- inductWith :: (Show res, Queriable IO st, res ~ QueryResult st) => SMTConfig -> Bool -> Symbolic () -> (st -> SBool) -> (st -> [st]) -> [(String, st -> SBool)] -> (st -> SBool) -> (st -> (SBool, SBool)) -> IO (InductionResult res)
Documentation
data InductionResult a Source #
Result of an inductive proof, with a counter-example in case of failure.
If a proof is found (indicated by a Proven
result), then the invariant holds
and the goal is established once the termination condition holds. If it fails, then
it can fail either in an initiation step or in a consecution step:
- A
Failed
result in anInitiation
step means that the invariant does not hold for the initial state, and thus indicates a true failure. - A
Failed
result in aConsecution
step will return a state s. This state is known as a CTI (counterexample to inductiveness): It will lead to a violation of the invariant in one step. However, this does not mean the property is invalid: It could be the case that it is simply not inductive. In this case, human intervention---or a smarter algorithm like IC3 for certain domains---is needed to see if one can strengthen the invariant so an inductive proof can be found. How this strengthening can be done remains an art, but the science is improving with algorithms like IC3. - A
Failed
result in aPartialCorrectness
step means that the invariant holds, but assuming the termination condition the goal still does not follow. That is, the partial correctness does not hold.
Instances
Show a => Show (InductionResult a) Source # | Show instance for |
Defined in Data.SBV.Tools.Induction showsPrec :: Int -> InductionResult a -> ShowS # show :: InductionResult a -> String # showList :: [InductionResult a] -> ShowS # |
data InductionStep Source #
A step in an inductive proof. If the tag is present (i.e., Just nm
), then
the step belongs to the subproof that establishes the strengthening named nm
.
Instances
Show InductionStep Source # | Show instance for |
Defined in Data.SBV.Tools.Induction showsPrec :: Int -> InductionStep -> ShowS # show :: InductionStep -> String # showList :: [InductionStep] -> ShowS # |
:: (Show res, Queriable IO st, res ~ QueryResult st) | |
=> Bool | Verbose mode |
-> Symbolic () | Setup code, if necessary. (Typically used for |
-> (st -> SBool) | Initial condition |
-> (st -> [st]) | Transition relation |
-> [(String, st -> SBool)] | Strengthenings, if any. The |
-> (st -> SBool) | Invariant that ensures the goal upon termination |
-> (st -> (SBool, SBool)) | Termination condition and the goal to establish |
-> IO (InductionResult res) | Either proven, or a concrete state value that, if reachable, fails the invariant. |
Induction engine, using the default solver. See Documentation.SBV.Examples.ProofTools.Strengthen and Documentation.SBV.Examples.ProofTools.Sum for examples.