| Copyright | (c) Levent Erkok |
|---|---|
| License | BSD3 |
| Maintainer | erkokl@gmail.com |
| Stability | experimental |
| Safe Haskell | None |
| Language | Haskell2010 |
Data.SBV
Contents
- Programming with symbolic values
- Symbolic types
- Creating a symbolic variable
- Creating a list of symbolic variables
- Operations on symbolic values
- Polynomial arithmetic and CRCs
- Conditionals: Mergeable values
- Symbolic equality
- Symbolic ordering
- Symbolic integral numbers
- Division
- The Boolean class
- Pretty-printing and reading numbers in Hex & Binary
- Checking satisfiability in path conditions
- Uninterpreted sorts, constants, and functions
- Enumerations
- Properties, proofs, satisfiability, and safety
- Proving properties using multiple solvers
- Optimization
- Computing expected values
- Model extraction
- SMT Interface: Configurations and solvers
- Symbolic computations
- Getting SMT-Lib output (for offline analysis)
- Test case generation
- Code generation from symbolic programs
- Module exports
Description
(The sbv library is hosted at http://github.com/LeventErkok/sbv. Comments, bug reports, and patches are always welcome.)
SBV: SMT Based Verification
Express properties about Haskell programs and automatically prove them using SMT solvers.
>>>prove $ \x -> x `shiftL` 2 .== 4 * (x :: SWord8)Q.E.D.
>>>prove $ \x -> x `shiftL` 2 .== 2 * (x :: SWord8)Falsifiable. Counter-example: s0 = 32 :: Word8
The function prove has the following type:
prove::Provablea => a ->IOThmResult
The class Provable comes with instances for n-ary predicates, for arbitrary n.
The predicates are just regular Haskell functions over symbolic types listed below.
Functions for checking satisfiability (sat and allSat) are also
provided.
The sbv library introduces the following symbolic types:
SBool: Symbolic Booleans (bits).SWord8,SWord16,SWord32,SWord64: Symbolic Words (unsigned).SInt8,SInt16,SInt32,SInt64: Symbolic Ints (signed).SInteger: Unbounded signed integers.SReal: Algebraic-real numbersSFloat: IEEE-754 single-precision floating point valuesSDouble: IEEE-754 double-precision floating point valuesSArray,SFunArray: Flat arrays of symbolic values.- Symbolic polynomials over GF(2^n), polynomial arithmetic, and CRCs.
- Uninterpreted constants and functions over symbolic values, with user defined SMT-Lib axioms.
- Uninterpreted sorts, and proofs over such sorts, potentially with axioms.
The user can construct ordinary Haskell programs using these types, which behave
very similar to their concrete counterparts. In particular these types belong to the
standard classes Num, Bits, custom versions of Eq (EqSymbolic)
and Ord (OrdSymbolic), along with several other custom classes for simplifying
programming with symbolic values. The framework takes full advantage of Haskell's type
inference to avoid many common mistakes.
Furthermore, predicates (i.e., functions that return SBool) built out of
these types can also be:
- proven correct via an external SMT solver (the
provefunction) - checked for satisfiability (the
sat,allSatfunctions) - used in synthesis (the
satfunction with existentials) - quick-checked
If a predicate is not valid, prove will return a counterexample: An
assignment to inputs such that the predicate fails. The sat function will
return a satisfying assignment, if there is one. The allSat function returns
all satisfying assignments, lazily.
The sbv library uses third-party SMT solvers via the standard SMT-Lib interface: http://smtlib.cs.uiowa.edu/
The SBV library is designed to work with any SMT-Lib compliant SMT-solver. Currently, we support the following SMT-Solvers out-of-the box:
- ABC from University of Berkeley: http://www.eecs.berkeley.edu/~alanmi/abc/
- CVC4 from New York University and University of Iowa: http://cvc4.cs.nyu.edu/
- Boolector from Johannes Kepler University: http://fmv.jku.at/boolector/
- MathSAT from Fondazione Bruno Kessler and DISI-University of Trento: http://mathsat.fbk.eu/
- Yices from SRI: http://yices.csl.sri.com/
- Z3 from Microsoft: http://github.com/Z3Prover/z3/wiki
SBV also allows calling these solvers in parallel, either getting results from multiple solvers
or returning the fastest one. (See proveWithAll, proveWithAny, etc.)
Support for other compliant solvers can be added relatively easily, please get in touch if there is a solver you'd like to see included.
- type SBool = SBV Bool
- type SWord8 = SBV Word8
- type SWord16 = SBV Word16
- type SWord32 = SBV Word32
- type SWord64 = SBV Word64
- type SInt8 = SBV Int8
- type SInt16 = SBV Int16
- type SInt32 = SBV Int32
- type SInt64 = SBV Int64
- type SInteger = SBV Integer
- type SFloat = SBV Float
- type SDouble = SBV Double
- class (SymWord a, RealFloat a) => IEEEFloating a where
- class IEEEFloatConvertable a where
- data RoundingMode
- type SRoundingMode = SBV RoundingMode
- nan :: Floating a => a
- infinity :: Floating a => a
- sNaN :: (Floating a, SymWord a) => SBV a
- sInfinity :: (Floating a, SymWord a) => SBV a
- sRoundNearestTiesToEven :: SRoundingMode
- sRoundNearestTiesToAway :: SRoundingMode
- sRoundTowardPositive :: SRoundingMode
- sRoundTowardNegative :: SRoundingMode
- sRoundTowardZero :: SRoundingMode
- sRNE :: SRoundingMode
- sRNA :: SRoundingMode
- sRTP :: SRoundingMode
- sRTN :: SRoundingMode
- sRTZ :: SRoundingMode
- sFloatAsSWord32 :: SFloat -> SWord32
- sWord32AsSFloat :: SWord32 -> SFloat
- sDoubleAsSWord64 :: SDouble -> SWord64
- sWord64AsSDouble :: SWord64 -> SDouble
- blastSFloat :: SFloat -> (SBool, [SBool], [SBool])
- blastSDouble :: SDouble -> (SBool, [SBool], [SBool])
- type SReal = SBV AlgReal
- data AlgReal
- sRealToSInteger :: SReal -> SInteger
- sBool :: String -> Symbolic SBool
- sWord8 :: String -> Symbolic SWord8
- sWord16 :: String -> Symbolic SWord16
- sWord32 :: String -> Symbolic SWord32
- sWord64 :: String -> Symbolic SWord64
- sInt8 :: String -> Symbolic SInt8
- sInt16 :: String -> Symbolic SInt16
- sInt32 :: String -> Symbolic SInt32
- sInt64 :: String -> Symbolic SInt64
- sInteger :: String -> Symbolic SInteger
- sReal :: String -> Symbolic SReal
- sFloat :: String -> Symbolic SFloat
- sDouble :: String -> Symbolic SDouble
- sBools :: [String] -> Symbolic [SBool]
- sWord8s :: [String] -> Symbolic [SWord8]
- sWord16s :: [String] -> Symbolic [SWord16]
- sWord32s :: [String] -> Symbolic [SWord32]
- sWord64s :: [String] -> Symbolic [SWord64]
- sInt8s :: [String] -> Symbolic [SInt8]
- sInt16s :: [String] -> Symbolic [SInt16]
- sInt32s :: [String] -> Symbolic [SInt32]
- sInt64s :: [String] -> Symbolic [SInt64]
- sIntegers :: [String] -> Symbolic [SInteger]
- sReals :: [String] -> Symbolic [SReal]
- sFloats :: [String] -> Symbolic [SFloat]
- sDoubles :: [String] -> Symbolic [SDouble]
- data SBV a
- class SymArray array where
- data SArray a b
- data SFunArray a b
- mkSFunArray :: (SBV a -> SBV b) -> SFunArray a b
- type STree i e = STreeInternal (SBV i) (SBV e)
- readSTree :: (Num i, Bits i, SymWord i, SymWord e) => STree i e -> SBV i -> SBV e
- writeSTree :: (Mergeable (SBV e), Num i, Bits i, SymWord i, SymWord e) => STree i e -> SBV i -> SBV e -> STree i e
- mkSTree :: forall i e. HasKind i => [SBV e] -> STree i e
- sTestBit :: SBV a -> Int -> SBool
- sExtractBits :: SBV a -> [Int] -> [SBool]
- sPopCount :: (Num a, Bits a, SymWord a) => SBV a -> SWord8
- sShiftLeft :: (SIntegral a, SIntegral b) => SBV a -> SBV b -> SBV a
- sShiftRight :: (SIntegral a, SIntegral b) => SBV a -> SBV b -> SBV a
- sRotateLeft :: (SIntegral a, SIntegral b, SDivisible (SBV b)) => SBV a -> SBV b -> SBV a
- sRotateRight :: (SIntegral a, SIntegral b, SDivisible (SBV b)) => SBV a -> SBV b -> SBV a
- sSignedShiftArithRight :: (SIntegral a, SIntegral b) => SBV a -> SBV b -> SBV a
- sFromIntegral :: forall a b. (Integral a, HasKind a, Num a, SymWord a, HasKind b, Num b, SymWord b) => SBV a -> SBV b
- setBitTo :: (Num a, Bits a, SymWord a) => SBV a -> Int -> SBool -> SBV a
- oneIf :: (Num a, SymWord a) => SBool -> SBV a
- lsb :: SBV a -> SBool
- msb :: (Num a, Bits a, SymWord a) => SBV a -> SBool
- label :: SymWord a => String -> SBV a -> SBV a
- allEqual :: EqSymbolic a => [a] -> SBool
- allDifferent :: EqSymbolic a => [a] -> SBool
- inRange :: OrdSymbolic a => a -> (a, a) -> SBool
- sElem :: EqSymbolic a => a -> [a] -> SBool
- fullAdder :: SIntegral a => SBV a -> SBV a -> (SBool, SBV a)
- fullMultiplier :: SIntegral a => SBV a -> SBV a -> (SBV a, SBV a)
- (.^) :: (Mergeable b, Num b, SIntegral e) => b -> SBV e -> b
- blastBE :: (Num a, Bits a, SymWord a) => SBV a -> [SBool]
- blastLE :: (Num a, Bits a, SymWord a) => SBV a -> [SBool]
- class FromBits a where
- class Splittable a b | b -> a where
- class (Num a, Bits a) => Polynomial a where
- crcBV :: Int -> [SBool] -> [SBool] -> [SBool]
- crc :: (FromBits (SBV a), FromBits (SBV b), Num a, Num b, Bits a, Bits b, SymWord a, SymWord b) => Int -> SBV a -> SBV b -> SBV b
- class Mergeable a where
- ite :: Mergeable a => SBool -> a -> a -> a
- iteLazy :: Mergeable a => SBool -> a -> a -> a
- class EqSymbolic a where
- class (Mergeable a, EqSymbolic a) => OrdSymbolic a where
- class (SymWord a, Num a, Bits a) => SIntegral a
- class SDivisible a where
- class Boolean b where
- bAnd :: Boolean b => [b] -> b
- bOr :: Boolean b => [b] -> b
- bAny :: Boolean b => (a -> b) -> [a] -> b
- bAll :: Boolean b => (a -> b) -> [a] -> b
- class PrettyNum a where
- readBin :: Num a => String -> a
- isSatisfiableInCurrentPath :: SBool -> Symbolic Bool
- class Uninterpreted a where
- addAxiom :: String -> [String] -> Symbolic ()
- type Predicate = Symbolic SBool
- class Provable a where
- class Equality a where
- prove :: Provable a => a -> IO ThmResult
- proveWith :: Provable a => SMTConfig -> a -> IO ThmResult
- isTheorem :: Provable a => Maybe Int -> a -> IO (Maybe Bool)
- isTheoremWith :: Provable a => SMTConfig -> Maybe Int -> a -> IO (Maybe Bool)
- sat :: Provable a => a -> IO SatResult
- satWith :: Provable a => SMTConfig -> a -> IO SatResult
- isSatisfiable :: Provable a => Maybe Int -> a -> IO (Maybe Bool)
- isSatisfiableWith :: Provable a => SMTConfig -> Maybe Int -> a -> IO (Maybe Bool)
- sAssert :: Maybe CallStack -> String -> SBool -> SBV a -> SBV a
- safe :: SExecutable a => a -> IO [SafeResult]
- safeWith :: SExecutable a => SMTConfig -> a -> IO [SafeResult]
- isSafe :: SafeResult -> Bool
- class SExecutable a where
- allSat :: Provable a => a -> IO AllSatResult
- allSatWith :: Provable a => SMTConfig -> a -> IO AllSatResult
- solve :: [SBool] -> Symbolic SBool
- constrain :: SBool -> Symbolic ()
- pConstrain :: Double -> SBool -> Symbolic ()
- isVacuous :: Provable a => a -> IO Bool
- isVacuousWith :: Provable a => SMTConfig -> a -> IO Bool
- sbvQuickCheck :: Symbolic SBool -> IO Bool
- proveWithAll :: Provable a => [SMTConfig] -> a -> IO [(Solver, ThmResult)]
- proveWithAny :: Provable a => [SMTConfig] -> a -> IO (Solver, ThmResult)
- satWithAll :: Provable a => [SMTConfig] -> a -> IO [(Solver, SatResult)]
- satWithAny :: Provable a => [SMTConfig] -> a -> IO (Solver, SatResult)
- minimize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- maximize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- optimize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> (SBV c -> SBV c -> SBool) -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- minimizeWith :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => SMTConfig -> OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- maximizeWith :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => SMTConfig -> OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- optimizeWith :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => SMTConfig -> OptimizeOpts -> (SBV c -> SBV c -> SBool) -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a])
- expectedValue :: Outputtable a => Symbolic a -> IO [Double]
- expectedValueWith :: Outputtable a => Bool -> Int -> Maybe Int -> Double -> Symbolic a -> IO [Double]
- newtype ThmResult = ThmResult SMTResult
- newtype SatResult = SatResult SMTResult
- newtype SafeResult = SafeResult (Maybe String, String, SMTResult)
- newtype AllSatResult = AllSatResult (Bool, [SMTResult])
- data SMTResult
- class SatModel a where
- class Modelable a where
- displayModels :: SatModel a => (Int -> (Bool, a) -> IO ()) -> AllSatResult -> IO Int
- extractModels :: SatModel a => AllSatResult -> [a]
- getModelDictionaries :: AllSatResult -> [Map String CW]
- getModelValues :: SymWord b => String -> AllSatResult -> [Maybe b]
- getModelUninterpretedValues :: String -> AllSatResult -> [Maybe String]
- data SMTConfig = SMTConfig {
- verbose :: Bool
- timing :: Bool
- sBranchTimeOut :: Maybe Int
- timeOut :: Maybe Int
- printBase :: Int
- printRealPrec :: Int
- solverTweaks :: [String]
- satCmd :: String
- isNonModelVar :: String -> Bool
- smtFile :: Maybe FilePath
- smtLibVersion :: SMTLibVersion
- solver :: SMTSolver
- roundingMode :: RoundingMode
- useLogic :: Maybe Logic
- data SMTLibVersion = SMTLib2
- data SMTLibLogic
- data Logic
- data OptimizeOpts
- data Solver
- data SMTSolver = SMTSolver {
- name :: Solver
- executable :: String
- options :: [String]
- engine :: SMTEngine
- capabilities :: SolverCapabilities
- boolector :: SMTConfig
- cvc4 :: SMTConfig
- yices :: SMTConfig
- z3 :: SMTConfig
- mathSAT :: SMTConfig
- abc :: SMTConfig
- defaultSolverConfig :: Solver -> SMTConfig
- sbvCurrentSolver :: SMTConfig
- defaultSMTCfg :: SMTConfig
- sbvCheckSolverInstallation :: SMTConfig -> IO Bool
- sbvAvailableSolvers :: IO [SMTConfig]
- data Symbolic a
- output :: Outputtable a => a -> Symbolic a
- class (HasKind a, Ord a) => SymWord a where
- compileToSMTLib :: Provable a => SMTLibVersion -> Bool -> a -> IO String
- generateSMTBenchmarks :: Provable a => Bool -> FilePath -> a -> IO ()
- genTest :: Outputtable a => Int -> Symbolic a -> IO TestVectors
- getTestValues :: TestVectors -> [([CW], [CW])]
- data TestVectors
- data TestStyle
- renderTest :: TestStyle -> TestVectors -> String
- data CW = CW {}
- class HasKind a where
- data Kind
- cwToBool :: CW -> Bool
- data SBVCodeGen a
- cgPerformRTCs :: Bool -> SBVCodeGen ()
- cgSetDriverValues :: [Integer] -> SBVCodeGen ()
- cgGenerateDriver :: Bool -> SBVCodeGen ()
- cgGenerateMakefile :: Bool -> SBVCodeGen ()
- cgInput :: SymWord a => String -> SBVCodeGen (SBV a)
- cgInputArr :: SymWord a => Int -> String -> SBVCodeGen [SBV a]
- cgOutput :: String -> SBV a -> SBVCodeGen ()
- cgOutputArr :: SymWord a => String -> [SBV a] -> SBVCodeGen ()
- cgReturn :: SBV a -> SBVCodeGen ()
- cgReturnArr :: SymWord a => [SBV a] -> SBVCodeGen ()
- cgAddPrototype :: [String] -> SBVCodeGen ()
- cgAddDecl :: [String] -> SBVCodeGen ()
- cgAddLDFlags :: [String] -> SBVCodeGen ()
- cgIgnoreSAssert :: Bool -> SBVCodeGen ()
- cgIntegerSize :: Int -> SBVCodeGen ()
- cgSRealType :: CgSRealType -> SBVCodeGen ()
- data CgSRealType
- compileToC :: Maybe FilePath -> String -> SBVCodeGen () -> IO ()
- compileToCLib :: Maybe FilePath -> String -> [(String, SBVCodeGen ())] -> IO ()
- module Data.Bits
- module Data.Word
- module Data.Int
- module Data.Ratio
Programming with symbolic values
The SBV library is really two things:
- A framework for writing symbolic programs in Haskell, i.e., programs operating on symbolic values along with the usual concrete counterparts.
- A framework for proving properties of such programs using SMT solvers.
The programming goal of SBV is to provide a seamless experience, i.e., let people program
in the usual Haskell style without distractions of symbolic coding. While Haskell helps
in some aspects (the Num and Bits classes simplify coding), it makes life harder
in others. For instance, if-then-else only takes Bool as a test in Haskell, and
comparisons (> etc.) only return Bools. Clearly we would like these values to be
symbolic (i.e., SBool), thus stopping us from using some native Haskell constructs.
When symbolic versions of operators are needed, they are typically obtained by prepending a dot,
for instance == becomes .==. Care has been taken to make the transition painless. In
particular, any Haskell program you build out of symbolic components is fully concretely
executable within Haskell, without the need for any custom interpreters. (They are truly
Haskell programs, not AST's built out of pieces of syntax.) This provides for an integrated
feel of the system, one of the original design goals for SBV.
Symbolic types
Symbolic bit
Unsigned symbolic bit-vectors
Signed symbolic bit-vectors
Signed unbounded integers
The SBV library supports unbounded signed integers with the type SInteger, which are not subject to
overflow/underflow as it is the case with the bounded types, such as SWord8, SInt16, etc. However,
some bit-vector based operations are not supported for the SInteger type while in the verification mode. That
is, you can use these operations on SInteger values during normal programming/simulation.
but the SMT translation will not support these operations since there corresponding operations are not supported in SMT-Lib.
Note that this should rarely be a problem in practice, as these operations are mostly meaningful on fixed-size
bit-vectors. The operations that are restricted to bounded word/int sizes are:
- Rotations and shifts:
rotateL,rotateR,shiftL,shiftR - Bitwise logical ops:
.&.,.|.,xor,complement - Extraction and concatenation:
split,#, andextend(see theSplittableclass)
Usual arithmetic (+, -, *, sQuotRem, sQuot, sRem, sDivMod, sDiv, sMod) and logical operations (.<, .<=, .>, .>=, .==, ./=) operations are
supported for SInteger fully, both in programming and verification modes.
IEEE-floating point numbers
Floating point numbers are defined by the IEEE-754 standard; and correspond to Haskell's
Float and Double types. For SMT support with floating-point numbers, see the paper
by Rummer and Wahl: http://www.philipp.ruemmer.org/publications/smt-fpa.pdf.
class (SymWord a, RealFloat a) => IEEEFloating a where Source #
A class of floating-point (IEEE754) operations, some of which behave differently based on rounding modes. Note that unless the rounding mode is concretely RoundNearestTiesToEven, we will not concretely evaluate these, but rather pass down to the SMT solver.
Methods
fpAbs :: SBV a -> SBV a Source #
Compute the floating point absolute value.
fpNeg :: SBV a -> SBV a Source #
Compute the unary negation. Note that 0 - x is not equivalent to -x for floating-point, since -0 and 0 are different.
fpAdd :: SRoundingMode -> SBV a -> SBV a -> SBV a Source #
Add two floating point values, using the given rounding mode
fpSub :: SRoundingMode -> SBV a -> SBV a -> SBV a Source #
Subtract two floating point values, using the given rounding mode
fpMul :: SRoundingMode -> SBV a -> SBV a -> SBV a Source #
Multiply two floating point values, using the given rounding mode
fpDiv :: SRoundingMode -> SBV a -> SBV a -> SBV a Source #
Divide two floating point values, using the given rounding mode
fpFMA :: SRoundingMode -> SBV a -> SBV a -> SBV a -> SBV a Source #
Fused-multiply-add three floating point values, using the given rounding mode. fpFMA x y z = x*y+z but with only
one rounding done for the whole operation; not two. Note that we will never concretely evaluate this function since
Haskell lacks an FMA implementation.
fpSqrt :: SRoundingMode -> SBV a -> SBV a Source #
Compute the square-root of a float, using the given rounding mode
fpRem :: SBV a -> SBV a -> SBV a Source #
Compute the remainder: x - y * n, where n is the truncated integer nearest to x/y. The rounding mode
is implicitly assumed to be RoundNearestTiesToEven.
fpRoundToIntegral :: SRoundingMode -> SBV a -> SBV a Source #
Round to the nearest integral value, using the given rounding mode.
fpMin :: SBV a -> SBV a -> SBV a Source #
Compute the minimum of two floats, respects infinity and NaN values
fpMax :: SBV a -> SBV a -> SBV a Source #
Compute the maximum of two floats, respects infinity and NaN values
fpIsEqualObject :: SBV a -> SBV a -> SBool Source #
Are the two given floats exactly the same. That is, NaN will compare equal to itself, +0 will not compare
equal to -0 etc. This is the object level equality, as opposed to the semantic equality. (For the latter, just use .==.)
fpIsNormal :: SBV a -> SBool Source #
Is the floating-point number a normal value. (i.e., not denormalized.)
fpIsSubnormal :: SBV a -> SBool Source #
Is the floating-point number a subnormal value. (Also known as denormal.)
fpIsZero :: SBV a -> SBool Source #
Is the floating-point number 0? (Note that both +0 and -0 will satisfy this predicate.)
fpIsInfinite :: SBV a -> SBool Source #
Is the floating-point number infinity? (Note that both +oo and -oo will satisfy this predicate.)
fpIsNaN :: SBV a -> SBool Source #
Is the floating-point number a NaN value?
fpIsNegative :: SBV a -> SBool Source #
Is the floating-point number negative? Note that -0 satisfies this predicate but +0 does not.
fpIsPositive :: SBV a -> SBool Source #
Is the floating-point number positive? Note that +0 satisfies this predicate but -0 does not.
fpIsNegativeZero :: SBV a -> SBool Source #
Is the floating point number -0?
fpIsPositiveZero :: SBV a -> SBool Source #
Is the floating point number +0?
fpIsPoint :: SBV a -> SBool Source #
Is the floating-point number a regular floating point, i.e., not NaN, nor +oo, nor -oo. Normals or denormals are allowed.
Instances
| IEEEFloating Double Source # | SDouble instance |
| IEEEFloating Float Source # | SFloat instance |
class IEEEFloatConvertable a where Source #
Capture convertability from/to FloatingPoint representations
NB. fromSFloat and fromSDouble are underspecified when given
when given a NaN, +oo, or -oo value that cannot be represented
in the target domain. For these inputs, we define the result to be +0, arbitrarily.
Minimal complete definition
Methods
fromSFloat :: SRoundingMode -> SFloat -> SBV a Source #
toSFloat :: SRoundingMode -> SBV a -> SFloat Source #
fromSDouble :: SRoundingMode -> SDouble -> SBV a Source #
Instances
data RoundingMode Source #
Rounding mode to be used for the IEEE floating-point operations.
Note that Haskell's default is RoundNearestTiesToEven. If you use
a different rounding mode, then the counter-examples you get may not
match what you observe in Haskell.
Constructors
| RoundNearestTiesToEven | Round to nearest representable floating point value. If precisely at half-way, pick the even number. (In this context, even means the lowest-order bit is zero.) |
| RoundNearestTiesToAway | Round to nearest representable floating point value. If precisely at half-way, pick the number further away from 0. (That is, for positive values, pick the greater; for negative values, pick the smaller.) |
| RoundTowardPositive | Round towards positive infinity. (Also known as rounding-up or ceiling.) |
| RoundTowardNegative | Round towards negative infinity. (Also known as rounding-down or floor.) |
| RoundTowardZero | Round towards zero. (Also known as truncation.) |
Instances
| Bounded RoundingMode Source # | |
| Enum RoundingMode Source # | |
| Eq RoundingMode Source # | |
| Data RoundingMode Source # | |
| Ord RoundingMode Source # | |
| Read RoundingMode Source # | |
| Show RoundingMode Source # | |
| HasKind RoundingMode Source # |
|
| SymWord RoundingMode Source # |
|
| SatModel RoundingMode Source # | A rounding mode, extracted from a model. (Default definition suffices) |
type SRoundingMode = SBV RoundingMode Source #
The symbolic variant of RoundingMode
Rounding modes
sRoundNearestTiesToEven :: SRoundingMode Source #
Symbolic variant of RoundNearestTiesToEven
sRoundNearestTiesToAway :: SRoundingMode Source #
Symbolic variant of RoundNearestTiesToAway
sRoundTowardPositive :: SRoundingMode Source #
Symbolic variant of RoundNearestPositive
sRoundTowardNegative :: SRoundingMode Source #
Symbolic variant of RoundTowardNegative
sRoundTowardZero :: SRoundingMode Source #
Symbolic variant of RoundTowardZero
sRNE :: SRoundingMode Source #
Alias for sRoundNearestTiesToEven
sRNA :: SRoundingMode Source #
Alias for sRoundNearestTiesToAway
sRTP :: SRoundingMode Source #
Alias for sRoundTowardPositive
sRTN :: SRoundingMode Source #
Alias for sRoundTowardNegative
sRTZ :: SRoundingMode Source #
Alias for sRoundTowardZero
Bit-pattern conversions
sFloatAsSWord32 :: SFloat -> SWord32 Source #
Convert an SFloat to an SWord32, preserving the bit-correspondence. Note that since the
representation for NaNs are not unique, this function will return a symbolic value when given a
concrete NaN.
Implementation note: Since there's no corresponding function in SMTLib for conversion to bit-representation due to partiality, we use a translation trick by allocating a new word variable, converting it to float, and requiring it to be equivalent to the input. In code-generation mode, we simply map it to a simple conversion.
sWord32AsSFloat :: SWord32 -> SFloat Source #
Reinterpret the bits in a 32-bit word as a single-precision floating point number
sDoubleAsSWord64 :: SDouble -> SWord64 Source #
Convert an SDouble to an SWord64, preserving the bit-correspondence. Note that since the
representation for NaNs are not unique, this function will return a symbolic value when given a
concrete NaN.
See the implementation note for sFloatAsSWord32, as it applies here as well.
sWord64AsSDouble :: SWord64 -> SDouble Source #
Reinterpret the bits in a 32-bit word as a single-precision floating point number
blastSFloat :: SFloat -> (SBool, [SBool], [SBool]) Source #
Extract the sign/exponent/mantissa of a single-precision float. The output will have 8 bits in the second argument for exponent, and 23 in the third for the mantissa.
blastSDouble :: SDouble -> (SBool, [SBool], [SBool]) Source #
Extract the sign/exponent/mantissa of a single-precision float. The output will have 11 bits in the second argument for exponent, and 52 in the third for the mantissa.
Signed algebraic reals
Algebraic reals are roots of single-variable polynomials with rational coefficients. (See
http://en.wikipedia.org/wiki/Algebraic_number.) Note that algebraic reals are infinite
precision numbers, but they do not cover all real numbers. (In particular, they cannot
represent transcendentals.) Some irrational numbers are algebraic (such as sqrt 2), while
others are not (such as pi and e).
SBV can deal with real numbers just fine, since the theory of reals is decidable. (See http://smtlib.cs.uiowa.edu/theories-Reals.shtml.) In addition, by leveraging backend solver capabilities, SBV can also represent and solve non-linear equations involving real-variables. (For instance, the Z3 SMT solver, supports polynomial constraints on reals starting with v4.0.)
Algebraic reals. Note that the representation is left abstract. We represent rational results explicitly, while the roots-of-polynomials are represented implicitly by their defining equation
Instances
| Eq AlgReal Source # | |
| Fractional AlgReal Source # | NB: Following the other types we have, we require `a/0` to be `0` for all a. |
| Num AlgReal Source # | |
| Ord AlgReal Source # | |
| Real AlgReal Source # | |
| Show AlgReal Source # | |
| Random AlgReal Source # | |
| Arbitrary AlgReal Source # | |
| HasKind AlgReal Source # | |
| SatModel AlgReal Source # |
|
| IEEEFloatConvertable AlgReal Source # | |
sRealToSInteger :: SReal -> SInteger Source #
Convert an SReal to an SInteger. That is, it computes the
largest integer n that satisfies sIntegerToSReal n <= r
essentially giving us the floor.
For instance, 1.3 will be 1, but -1.3 will be -2.
Creating a symbolic variable
These functions simplify declaring symbolic variables of various types. Strictly speaking, they are just synonyms
for free (specialized at the given type), but they might be easier to use.
Creating a list of symbolic variables
These functions simplify declaring a sequence symbolic variables of various types. Strictly speaking, they are just synonyms
for mapM free (specialized at the given type), but they might be easier to use.
Abstract SBV type
The Symbolic value. The parameter a is phantom, but is
extremely important in keeping the user interface strongly typed.
Instances
Arrays of symbolic values
class SymArray array where Source #
Flat arrays of symbolic values
An array a b is an array indexed by the type SBV aSBV bnewArray_ and newArray methods, then the elements
are left unspecified, i.e., the solver is free to choose any value. This is the right thing
to do if arrays are used as inputs to functions to be verified, typically.
While it's certainly possible for user to create instances of SymArray, the
SArray and SFunArray instances already provided should cover most use cases
in practice. (There are some differences between these models, however, see the corresponding
declaration.)
Minimal complete definition: All methods are required, no defaults.
Minimal complete definition
newArray_, newArray, readArray, resetArray, writeArray, mergeArrays
Methods
newArray_ :: (HasKind a, HasKind b) => Maybe (SBV b) -> Symbolic (array a b) Source #
Create a new array, with an optional initial value
newArray :: (HasKind a, HasKind b) => String -> Maybe (SBV b) -> Symbolic (array a b) Source #
Create a named new array, with an optional initial value
readArray :: array a b -> SBV a -> SBV b Source #
Read the array element at a
resetArray :: SymWord b => array a b -> SBV b -> array a b Source #
Reset all the elements of the array to the value b
writeArray :: SymWord b => array a b -> SBV a -> SBV b -> array a b Source #
Update the element at a to be b
mergeArrays :: SymWord b => SBV Bool -> array a b -> array a b -> array a b Source #
Merge two given arrays on the symbolic condition
Intuitively: mergeArrays cond a b = if cond then a else b.
Merging pushes the if-then-else choice down on to elements
Arrays implemented in terms of SMT-arrays: http://smtlib.cs.uiowa.edu/theories-ArraysEx.shtml
- Maps directly to SMT-lib arrays
- Reading from an unintialized value is OK and yields an unspecified result
- Can check for equality of these arrays
- Cannot quick-check theorems using
SArrayvalues - Typically slower as it heavily relies on SMT-solving for the array theory
Arrays implemented internally as functions
- Internally handled by the library and not mapped to SMT-Lib
- Reading an uninitialized value is considered an error (will throw exception)
- Cannot check for equality (internally represented as functions)
- Can quick-check
- Typically faster as it gets compiled away during translation
mkSFunArray :: (SBV a -> SBV b) -> SFunArray a b Source #
Lift a function to an array. Useful for creating arrays in a pure context. (Otherwise use newArray.)
Full binary trees
type STree i e = STreeInternal (SBV i) (SBV e) Source #
A symbolic tree containing values of type e, indexed by
elements of type i. Note that these are full-trees, and their
their shapes remain constant. There is no API provided that
can change the shape of the tree. These structures are useful
when dealing with data-structures that are indexed with symbolic
values where access time is important. STree structures provide
logarithmic time reads and writes.
readSTree :: (Num i, Bits i, SymWord i, SymWord e) => STree i e -> SBV i -> SBV e Source #
Reading a value. We bit-blast the index and descend down the full tree according to bit-values.
writeSTree :: (Mergeable (SBV e), Num i, Bits i, SymWord i, SymWord e) => STree i e -> SBV i -> SBV e -> STree i e Source #
Writing a value, similar to how reads are done. The important thing is that the tree representation keeps updates to a minimum.
mkSTree :: forall i e. HasKind i => [SBV e] -> STree i e Source #
Construct the fully balanced initial tree using the given values.
Operations on symbolic values
Word level
sExtractBits :: SBV a -> [Int] -> [SBool] Source #
Variant of sTestBit, where we want to extract multiple bit positions.
sPopCount :: (Num a, Bits a, SymWord a) => SBV a -> SWord8 Source #
Replacement for popCount. Since popCount returns an Int, we cannot implement
it for symbolic words. Here, we return an SWord8, which can overflow when used on
quantities that have more than 255 bits. Currently, that's only the SInteger type
that SBV supports, all other types are safe. Even with SInteger, this will only
overflow if there are at least 256-bits set in the number, and the smallest such
number is 2^256-1, which is a pretty darn big number to worry about for practical
purposes. In any case, we do not support sPopCount for unbounded symbolic integers,
as the only possible implementation wouldn't symbolically terminate. So the only overflow
issue is with really-really large concrete SInteger values.
sShiftRight :: (SIntegral a, SIntegral b) => SBV a -> SBV b -> SBV a Source #
Generalization of shiftR, when the shift-amount is symbolic. Since Haskell's
shiftR only takes an Int as the shift amount, it cannot be used when we have
a symbolic amount to shift with. The first argument should be a bounded quantity.
NB. If the shiftee is signed, then this is an arithmetic shift; otherwise it's logical,
following the usual Haskell convention. See sSignedShiftArithRight for a variant
that explicitly uses the msb as the sign bit, even for unsigned underlying types.
sRotateLeft :: (SIntegral a, SIntegral b, SDivisible (SBV b)) => SBV a -> SBV b -> SBV a Source #
sRotateRight :: (SIntegral a, SIntegral b, SDivisible (SBV b)) => SBV a -> SBV b -> SBV a Source #
sSignedShiftArithRight :: (SIntegral a, SIntegral b) => SBV a -> SBV b -> SBV a Source #
Arithmetic shift-right with a symbolic unsigned shift amount. This is equivalent
to sShiftRight when the argument is signed. However, if the argument is unsigned,
then it explicitly treats its msb as a sign-bit, and uses it as the bit that
gets shifted in. Useful when using the underlying unsigned bit representation to implement
custom signed operations. Note that there is no direct Haskell analogue of this function.
sFromIntegral :: forall a b. (Integral a, HasKind a, Num a, SymWord a, HasKind b, Num b, SymWord b) => SBV a -> SBV b Source #
Conversion between integral-symbolic values, akin to Haskell's fromIntegral
oneIf :: (Num a, SymWord a) => SBool -> SBV a Source #
Returns 1 if the boolean is true, otherwise 0.
msb :: (Num a, Bits a, SymWord a) => SBV a -> SBool Source #
Most significant bit of a word, always stored at the last position.
label :: SymWord a => String -> SBV a -> SBV a Source #
label: Label the result of an expression. This is essentially a no-op, but useful as it generates a comment in the generated C/SMT-Lib code. Note that if the argument is a constant, then the label is dropped completely, per the usual constant folding strategy.
Predicates
allEqual :: EqSymbolic a => [a] -> SBool Source #
Returns (symbolic) true if all the elements of the given list are the same.
allDifferent :: EqSymbolic a => [a] -> SBool Source #
Returns (symbolic) true if all the elements of the given list are different.
inRange :: OrdSymbolic a => a -> (a, a) -> SBool Source #
Returns (symbolic) true if the argument is in range
sElem :: EqSymbolic a => a -> [a] -> SBool Source #
Symbolic membership test
Addition and Multiplication with high-bits
fullAdder :: SIntegral a => SBV a -> SBV a -> (SBool, SBV a) Source #
Full adder. Returns the carry-out from the addition.
N.B. Only works for unsigned types. Signed arguments will be rejected.
fullMultiplier :: SIntegral a => SBV a -> SBV a -> (SBV a, SBV a) Source #
Full multiplier: Returns both the high-order and the low-order bits in a tuple, thus fully accounting for the overflow.
N.B. Only works for unsigned types. Signed arguments will be rejected.
N.B. The higher-order bits are determined using a simple shift-add multiplier, thus involving bit-blasting. It'd be naive to expect SMT solvers to deal efficiently with properties involving this function, at least with the current state of the art.
Exponentiation
(.^) :: (Mergeable b, Num b, SIntegral e) => b -> SBV e -> b Source #
Symbolic exponentiation using bit blasting and repeated squaring.
N.B. The exponent must be unsigned. Signed exponents will be rejected.
Blasting/Unblasting
blastBE :: (Num a, Bits a, SymWord a) => SBV a -> [SBool] Source #
Big-endian blasting of a word into its bits. Also see the FromBits class.
blastLE :: (Num a, Bits a, SymWord a) => SBV a -> [SBool] Source #
Little-endian blasting of a word into its bits. Also see the FromBits class.
class FromBits a where Source #
Unblasting a value from symbolic-bits. The bits can be given little-endian or big-endian. For a signed number in little-endian, we assume the very last bit is the sign digit. This is a bit awkward, but it is more consistent with the "reverse" view of little-big-endian representations
Minimal complete definition: fromBitsLE
Minimal complete definition
Methods
fromBitsLE, fromBitsBE :: [SBool] -> a Source #
Splitting, joining, and extending
class Splittable a b | b -> a where Source #
Splitting an a into two b's and joining back.
Intuitively, a is a larger bit-size word than b, typically double.
The extend operation captures embedding of a b value into an a
without changing its semantic value.
Minimal complete definition: All, no defaults.
Instances
| Splittable Word8 Word4 Source # | Joiningsplitting tofrom Word8 |
| Splittable Word16 Word8 Source # | |
| Splittable Word32 Word16 Source # | |
| Splittable Word64 Word32 Source # | |
| Splittable SWord64 SWord32 Source # | |
| Splittable SWord32 SWord16 Source # | |
| Splittable SWord16 SWord8 Source # | |
Polynomial arithmetic and CRCs
class (Num a, Bits a) => Polynomial a where Source #
Implements polynomial addition, multiplication, division, and modulus operations
over GF(2^n). NB. Similar to sQuotRem, division by 0 is interpreted as follows:
x pDivMod 0 = (0, x)for all x (including 0)
Minimal complete definition: pMult, pDivMod, showPolynomial
Minimal complete definition
Methods
polynomial :: [Int] -> a Source #
Given bit-positions to be set, create a polynomial For instance
polynomial [0, 1, 3] :: SWord8
will evaluate to 11, since it sets the bits 0, 1, and 3. Mathematicans would write this polynomial
as x^3 + x + 1. And in fact, showPoly will show it like that.
Add two polynomials in GF(2^n).
pMult :: (a, a, [Int]) -> a Source #
Multiply two polynomials in GF(2^n), and reduce it by the irreducible specified by the polynomial as specified by coefficients of the third argument. Note that the third argument is specifically left in this form as it is usally in GF(2^(n+1)), which is not available in our formalism. (That is, we would need SWord9 for SWord8 multiplication, etc.) Also note that we do not support symbolic irreducibles, which is a minor shortcoming. (Most GF's will come with fixed irreducibles, so this should not be a problem in practice.)
Passing [] for the third argument will multiply the polynomials and then ignore the higher bits that won't fit into the resulting size.
Divide two polynomials in GF(2^n), see above note for division by 0.
Compute modulus of two polynomials in GF(2^n), see above note for modulus by 0.
pDivMod :: a -> a -> (a, a) Source #
Division and modulus packed together.
showPoly :: a -> String Source #
Display a polynomial like a mathematician would (over the monomial x), with a type.
showPolynomial :: Bool -> a -> String Source #
Display a polynomial like a mathematician would (over the monomial x), the first argument
controls if the final type is shown as well.
crcBV :: Int -> [SBool] -> [SBool] -> [SBool] Source #
Compute CRCs over bit-vectors. The call crcBV n m p computes
the CRC of the message m with respect to polynomial p. The
inputs are assumed to be blasted big-endian. The number
n specifies how many bits of CRC is needed. Note that n
is actually the degree of the polynomial p, and thus it seems
redundant to pass it in. However, in a typical proof context,
the polynomial can be symbolic, so we cannot compute the degree
easily. While this can be worked-around by generating code that
accounts for all possible degrees, the resulting code would
be unnecessarily big and complicated, and much harder to reason
with. (Also note that a CRC is just the remainder from the
polynomial division, but this routine is much faster in practice.)
NB. The nth bit of the polynomial p must be set for the CRC
to be computed correctly. Note that the polynomial argument p will
not even have this bit present most of the time, as it will typically
contain bits 0 through n-1 as usual in the CRC literature. The higher
order nth bit is simply assumed to be set, as it does not make
sense to use a polynomial of a lesser degree. This is usually not a problem
since CRC polynomials are designed and expressed this way.
NB. The literature on CRC's has many variants on how CRC's are computed. We follow the following simple procedure:
- Extend the message
mby addingn0 bits on the right - Divide the polynomial thus obtained by the
p - The remainder is the CRC value.
There are many variants on final XOR's, reversed polynomials etc., so it is essential to double check you use the correct algorithm.
crc :: (FromBits (SBV a), FromBits (SBV b), Num a, Num b, Bits a, Bits b, SymWord a, SymWord b) => Int -> SBV a -> SBV b -> SBV b Source #
Conditionals: Mergeable values
class Mergeable a where Source #
Symbolic conditionals are modeled by the Mergeable class, describing
how to merge the results of an if-then-else call with a symbolic test. SBV
provides all basic types as instances of this class, so users only need
to declare instances for custom data-types of their programs as needed.
A Mergeable instance may be automatically derived for a custom data-type
with a single constructor where the type of each field is an instance of
Mergeable, such as a record of symbolic values. Users only need to add
Generic and Mergeable to the deriving clause for the data-type. See
Status for an example and an
illustration of what the instance would look like if written by hand.
The function select is a total-indexing function out of a list of choices
with a default value, simulating array/list indexing. It's an n-way generalization
of the ite function.
Minimal complete definition: None, if the type is instance of Generic. Otherwise
symbolicMerge. Note that most types subject to merging are likely to be
trivial instances of Generic.
Methods
symbolicMerge :: Bool -> SBool -> a -> a -> a Source #
Merge two values based on the condition. The first argument states whether we force the then-and-else branches before the merging, at the word level. This is an efficiency concern; one that we'd rather not make but unfortunately necessary for getting symbolic simulation working efficiently.
select :: (SymWord b, Num b) => [a] -> a -> SBV b -> a Source #
Total indexing operation. select xs default index is intuitively
the same as xs !! index, except it evaluates to default if index
underflows/overflows.
symbolicMerge :: (Generic a, GMergeable (Rep a)) => Bool -> SBool -> a -> a -> a Source #
Merge two values based on the condition. The first argument states whether we force the then-and-else branches before the merging, at the word level. This is an efficiency concern; one that we'd rather not make but unfortunately necessary for getting symbolic simulation working efficiently.
Instances
ite :: Mergeable a => SBool -> a -> a -> a Source #
If-then-else. This is by definition symbolicMerge with both
branches forced. This is typically the desired behavior, but also
see iteLazy should you need more laziness.
iteLazy :: Mergeable a => SBool -> a -> a -> a Source #
A Lazy version of ite, which does not force its arguments. This might cause issues for symbolic simulation with large thunks around, so use with care.
Symbolic equality
class EqSymbolic a where Source #
Symbolic Equality. Note that we can't use Haskell's Eq class since Haskell insists on returning Bool
Comparing symbolic values will necessarily return a symbolic value.
Minimal complete definition: .==
Minimal complete definition
Instances
| EqSymbolic Bool Source # | |
| EqSymbolic a => EqSymbolic [a] Source # | |
| EqSymbolic a => EqSymbolic (Maybe a) Source # | |
| EqSymbolic (SBV a) Source # | |
| (EqSymbolic a, EqSymbolic b) => EqSymbolic (Either a b) Source # | |
| (EqSymbolic a, EqSymbolic b) => EqSymbolic (a, b) Source # | |
| EqSymbolic (SArray a b) Source # | |
| (EqSymbolic a, EqSymbolic b, EqSymbolic c) => EqSymbolic (a, b, c) Source # | |
| (EqSymbolic a, EqSymbolic b, EqSymbolic c, EqSymbolic d) => EqSymbolic (a, b, c, d) Source # | |
| (EqSymbolic a, EqSymbolic b, EqSymbolic c, EqSymbolic d, EqSymbolic e) => EqSymbolic (a, b, c, d, e) Source # | |
| (EqSymbolic a, EqSymbolic b, EqSymbolic c, EqSymbolic d, EqSymbolic e, EqSymbolic f) => EqSymbolic (a, b, c, d, e, f) Source # | |
| (EqSymbolic a, EqSymbolic b, EqSymbolic c, EqSymbolic d, EqSymbolic e, EqSymbolic f, EqSymbolic g) => EqSymbolic (a, b, c, d, e, f, g) Source # | |
Symbolic ordering
class (Mergeable a, EqSymbolic a) => OrdSymbolic a where Source #
Symbolic Comparisons. Similar to Eq, we cannot implement Haskell's Ord class
since there is no way to return an Ordering value from a symbolic comparison.
Furthermore, OrdSymbolic requires Mergeable to implement if-then-else, for the
benefit of implementing symbolic versions of max and min functions.
Minimal complete definition: .<
Minimal complete definition
Instances
| OrdSymbolic a => OrdSymbolic [a] Source # | |
| OrdSymbolic a => OrdSymbolic (Maybe a) Source # | |
| SymWord a => OrdSymbolic (SBV a) Source # | |
| (OrdSymbolic a, OrdSymbolic b) => OrdSymbolic (Either a b) Source # | |
| (OrdSymbolic a, OrdSymbolic b) => OrdSymbolic (a, b) Source # | |
| (OrdSymbolic a, OrdSymbolic b, OrdSymbolic c) => OrdSymbolic (a, b, c) Source # | |
| (OrdSymbolic a, OrdSymbolic b, OrdSymbolic c, OrdSymbolic d) => OrdSymbolic (a, b, c, d) Source # | |
| (OrdSymbolic a, OrdSymbolic b, OrdSymbolic c, OrdSymbolic d, OrdSymbolic e) => OrdSymbolic (a, b, c, d, e) Source # | |
| (OrdSymbolic a, OrdSymbolic b, OrdSymbolic c, OrdSymbolic d, OrdSymbolic e, OrdSymbolic f) => OrdSymbolic (a, b, c, d, e, f) Source # | |
| (OrdSymbolic a, OrdSymbolic b, OrdSymbolic c, OrdSymbolic d, OrdSymbolic e, OrdSymbolic f, OrdSymbolic g) => OrdSymbolic (a, b, c, d, e, f, g) Source # | |
Symbolic integral numbers
class (SymWord a, Num a, Bits a) => SIntegral a Source #
Symbolic Numbers. This is a simple class that simply incorporates all number like
base types together, simplifying writing polymorphic type-signatures that work for all
symbolic numbers, such as SWord8, SInt8 etc. For instance, we can write a generic
list-minimum function as follows:
mm :: SIntegral a => [SBV a] -> SBV a mm = foldr1 (a b -> ite (a .<= b) a b)
It is similar to the standard Integral class, except ranging over symbolic instances.
Instances
Division
class SDivisible a where Source #
The SDivisible class captures the essence of division.
Unfortunately we cannot use Haskell's Integral class since the Real
and Enum superclasses are not implementable for symbolic bit-vectors.
However, quotRem and divMod makes perfect sense, and the SDivisible class captures
this operation. One issue is how division by 0 behaves. The verification
technology requires total functions, and there are several design choices
here. We follow Isabelle/HOL approach of assigning the value 0 for division
by 0. Therefore, we impose the following pair of laws:
xsQuotRem0 = (0, x) xsDivMod0 = (0, x)
Note that our instances implement this law even when x is 0 itself.
NB. quot truncates toward zero, while div truncates toward negative infinity.
Instances
| SDivisible Int8 Source # | |
| SDivisible Int16 Source # | |
| SDivisible Int32 Source # | |
| SDivisible Int64 Source # | |
| SDivisible Integer Source # | |
| SDivisible Word8 Source # | |
| SDivisible Word16 Source # | |
| SDivisible Word32 Source # | |
| SDivisible Word64 Source # | |
| SDivisible CW Source # | |
| SDivisible SInteger Source # | |
| SDivisible SInt64 Source # | |
| SDivisible SInt32 Source # | |
| SDivisible SInt16 Source # | |
| SDivisible SInt8 Source # | |
| SDivisible SWord64 Source # | |
| SDivisible SWord32 Source # | |
| SDivisible SWord16 Source # | |
| SDivisible SWord8 Source # | |
| SDivisible SWord4 Source # | SDvisible instance, using default methods |
| SDivisible Word4 Source # | SDvisible instance, using 0-extension |
The Boolean class
class Boolean b where Source #
The Boolean class: a generalization of Haskell's Bool type
Haskell Bool and SBV's SBool are instances of this class, unifying the treatment of boolean values.
Minimal complete definition: true, bnot, &&&
However, it's advisable to define false, and ||| as well (typically), for clarity.
Methods
logical true
logical false
complement
(&&&) :: b -> b -> b infixr 3 Source #
and
(|||) :: b -> b -> b infixr 2 Source #
or
(~&) :: b -> b -> b infixr 3 Source #
nand
(~|) :: b -> b -> b infixr 2 Source #
nor
(<+>) :: b -> b -> b infixl 6 Source #
xor
(==>) :: b -> b -> b infixr 1 Source #
implies
(<=>) :: b -> b -> b infixr 1 Source #
equivalence
fromBool :: Bool -> b Source #
cast from Bool
Generalizations of boolean operations
Pretty-printing and reading numbers in Hex & Binary
class PrettyNum a where Source #
PrettyNum class captures printing of numbers in hex and binary formats; also supporting negative numbers.
Methods
Show a number in hexadecimal (starting with 0x and type.)
Show a number in binary (starting with 0b and type.)
Show a number in hex, without prefix, or types.
Show a number in bin, without prefix, or types.
Instances
readBin :: Num a => String -> a Source #
A more convenient interface for reading binary numbers, also supports negative numbers
Checking satisfiability in path conditions
isSatisfiableInCurrentPath :: SBool -> Symbolic Bool Source #
Check if a boolean condition is satisfiable in the current state. This function can be useful in contexts where an
interpreter implemented on top of SBV needs to decide if a particular stae (represented by the boolean) is reachable
in the current if-then-else paths implied by the ite calls.
Uninterpreted sorts, constants, and functions
Users can introduce new uninterpreted sorts simply by defining a data-type in Haskell and registering it as such. The following example demonstrates:
data B = B () deriving (Eq, Ord, Show, Read, Data, SymWord, HasKind, SatModel)
(Note that you'll also need to use the language pragmas DeriveDataTypeable, DeriveAnyClass, and import Data.Generics for the above to work.)
This is all it takes to introduce B as an uninterpreted sort in SBV, which makes the type SBV B automagically become available as the type
of symbolic values that ranges over B values. Note that the () argument is important to distinguish it from enumerations.
Uninterpreted functions over both uninterpreted and regular sorts can be declared using the facilities introduced by
the Uninterpreted class.
class Uninterpreted a where Source #
Uninterpreted constants and functions. An uninterpreted constant is a value that is indexed by its name. The only property the prover assumes about these values are that they are equivalent to themselves; i.e., (for functions) they return the same results when applied to same arguments. We support uninterpreted-functions as a general means of black-box'ing operations that are irrelevant for the purposes of the proof; i.e., when the proofs can be performed without any knowledge about the function itself.
Minimal complete definition: sbvUninterpret. However, most instances in
practice are already provided by SBV, so end-users should not need to define their
own instances.
Minimal complete definition
Methods
uninterpret :: String -> a Source #
Uninterpret a value, receiving an object that can be used instead. Use this version when you do not need to add an axiom about this value.
cgUninterpret :: String -> [String] -> a -> a Source #
Uninterpret a value, only for the purposes of code-generation. For execution and verification the value is used as is. For code-generation, the alternate definition is used. This is useful when we want to take advantage of native libraries on the target languages.
sbvUninterpret :: Maybe ([String], a) -> String -> a Source #
Most generalized form of uninterpretation, this function should not be needed by end-user-code, but is rather useful for the library development.
Instances
addAxiom :: String -> [String] -> Symbolic () Source #
Add a user specified axiom to the generated SMT-Lib file. The first argument is a mere string, use for commenting purposes. The second argument is intended to hold the multiple-lines of the axiom text as expressed in SMT-Lib notation. Note that we perform no checks on the axiom itself, to see whether it's actually well-formed or is sensical by any means. A separate formalization of SMT-Lib would be very useful here.
Enumerations
If the uninterpreted sort definition takes the form of an enumeration (i.e., a simple data type with all nullary constructors), then SBV will actually translate that as just such a data-type to SMT-Lib, and will use the constructors as the inhabitants of the said sort. A simple example is:
data X = A | B | C deriving (Eq, Ord, Show, Read, Data, SymWord, HasKind, SatModel)
Now, the user can define
type SX = SBV X
and treat SX as a regular symbolic type ranging over the values A, B, and C. Such values can be compared for equality, and with the usual
other comparison operators, such as .==, ./=, .>, .>=, <, and <=.
Note that in this latter case the type is no longer uninterpreted, but is properly represented as a simple enumeration of the said elements. A simple query would look like:
allSat $ x -> x .== (x :: SX)
which would list all three elements of this domain as satisfying solutions.
Solution #1:
s0 = A :: X
Solution #2:
s0 = B :: X
Solution #3:
s0 = C :: X
Found 3 different solutions.
Note that the result is properly typed as X elements; these are not mere strings. So, in a getModel scenario, the user can recover actual
elements of the domain and program further with those values as usual.
Properties, proofs, satisfiability, and safety
The SBV library provides a "push-button" verification system via automated SMT solving. The design goal is to let SMT solvers be used without any knowledge of how SMT solvers work or how different logics operate. The details are hidden behind the SBV framework, providing Haskell programmers with a clean API that is unencumbered by the details of individual solvers. To that end, we use the SMT-Lib standard (http://smtlib.cs.uiowa.edu/) to communicate with arbitrary SMT solvers.
Predicates
type Predicate = Symbolic SBool Source #
A predicate is a symbolic program that returns a (symbolic) boolean value. For all intents and
purposes, it can be treated as an n-ary function from symbolic-values to a boolean. The Symbolic
monad captures the underlying representation, and can/should be ignored by the users of the library,
unless you are building further utilities on top of SBV itself. Instead, simply use the Predicate
type when necessary.
class Provable a where Source #
A type a is provable if we can turn it into a predicate.
Note that a predicate can be made from a curried function of arbitrary arity, where
each element is either a symbolic type or up-to a 7-tuple of symbolic-types. So
predicates can be constructed from almost arbitrary Haskell functions that have arbitrary
shapes. (See the instance declarations below.)
Methods
forAll_ :: a -> Predicate Source #
Turns a value into a universally quantified predicate, internally naming the inputs.
In this case the sbv library will use names of the form s1, s2, etc. to name these variables
Example:
forAll_ $ \(x::SWord8) y -> x `shiftL` 2 .== y
is a predicate with two arguments, captured using an ordinary Haskell function. Internally,
x will be named s0 and y will be named s1.
forAll :: [String] -> a -> Predicate Source #
Turns a value into a predicate, allowing users to provide names for the inputs. If the user does not provide enough number of names for the variables, the remaining ones will be internally generated. Note that the names are only used for printing models and has no other significance; in particular, we do not check that they are unique. Example:
forAll ["x", "y"] $ \(x::SWord8) y -> x `shiftL` 2 .== y
This is the same as above, except the variables will be named x and y respectively,
simplifying the counter-examples when they are printed.
forSome_ :: a -> Predicate Source #
Turns a value into an existentially quantified predicate. (Indeed, exists would have been
a better choice here for the name, but alas it's already taken.)
forSome :: [String] -> a -> Predicate Source #
Version of forSome that allows user defined names
Instances
| Provable SBool Source # | |
| Provable Predicate Source # | |
| (SymWord a, SymWord b, Provable p) => Provable ((SBV a, SBV b) -> p) Source # | |
| (SymWord a, SymWord b, SymWord c, Provable p) => Provable ((SBV a, SBV b, SBV c) -> p) Source # | |
| (SymWord a, SymWord b, SymWord c, SymWord d, Provable p) => Provable ((SBV a, SBV b, SBV c, SBV d) -> p) Source # | |
| (SymWord a, SymWord b, SymWord c, SymWord d, SymWord e, Provable p) => Provable ((SBV a, SBV b, SBV c, SBV d, SBV e) -> p) Source # | |
| (SymWord a, SymWord b, SymWord c, SymWord d, SymWord e, SymWord f, Provable p) => Provable ((SBV a, SBV b, SBV c, SBV d, SBV e, SBV f) -> p) Source # | |
| (SymWord a, SymWord b, SymWord c, SymWord d, SymWord e, SymWord f, SymWord g, Provable p) => Provable ((SBV a, SBV b, SBV c, SBV d, SBV e, SBV f, SBV g) -> p) Source # | |
| (HasKind a, HasKind b, Provable p) => Provable (SFunArray a b -> p) Source # | |
| (HasKind a, HasKind b, Provable p) => Provable (SArray a b -> p) Source # | |
| (SymWord a, Provable p) => Provable (SBV a -> p) Source # | |
class Equality a where Source #
Equality as a proof method. Allows for very concise construction of equivalence proofs, which is very typical in bit-precise proofs.
Minimal complete definition
Instances
Proving properties
prove :: Provable a => a -> IO ThmResult Source #
Prove a predicate, equivalent to proveWith defaultSMTCfg
proveWith :: Provable a => SMTConfig -> a -> IO ThmResult Source #
Proves the predicate using the given SMT-solver
isTheorem :: Provable a => Maybe Int -> a -> IO (Maybe Bool) Source #
Checks theoremhood within the given optional time limit of i seconds.
Returns Nothing if times out, or the result wrapped in a Just otherwise.
isTheoremWith :: Provable a => SMTConfig -> Maybe Int -> a -> IO (Maybe Bool) Source #
Check whether a given property is a theorem, with an optional time out and the given solver.
Returns Nothing if times out, or the result wrapped in a Just otherwise.
Checking satisfiability
sat :: Provable a => a -> IO SatResult Source #
Find a satisfying assignment for a predicate, equivalent to satWith defaultSMTCfg
satWith :: Provable a => SMTConfig -> a -> IO SatResult Source #
Find a satisfying assignment using the given SMT-solver
isSatisfiable :: Provable a => Maybe Int -> a -> IO (Maybe Bool) Source #
Checks satisfiability within the given optional time limit of i seconds.
Returns Nothing if times out, or the result wrapped in a Just otherwise.
isSatisfiableWith :: Provable a => SMTConfig -> Maybe Int -> a -> IO (Maybe Bool) Source #
Check whether a given property is satisfiable, with an optional time out and the given solver.
Returns Nothing if times out, or the result wrapped in a Just otherwise.
Checking safety
The sAssert function allows users to introduce invariants to make sure
certain properties hold at all times. This is another mechanism to provide further documentation/contract info
into SBV code. The functions safe and safeWith can be used to statically discharge these proof assumptions.
If a violation is found, SBV will print a model showing which inputs lead to the invariant being violated.
Here's a simple example. Let's assume we have a function that does subtraction, and requires its first argument to be larger than the second:
>>>let sub x y = sAssert Nothing "sub: x >= y must hold!" (x .>= y) (x - y)
Clearly, this function is not safe, as there's nothing that stops us from passing it a larger second argument.
We can use safe to statically see if such a violation is possible before we use this function elsewhere.
>>>safe (sub :: SInt8 -> SInt8 -> SInt8)[sub: x >= y must hold!: Violated. Model: s0 = -128 :: Int8 s1 = -127 :: Int8]
What happens if we make sure to arrange for this invariant? Consider this version:
>>>let safeSub x y = ite (x .>= y) (sub x y) 0
Clearly, safeSub must be safe. And indeed, SBV can prove that:
>>>safe (safeSub :: SInt8 -> SInt8 -> SInt8)[sub: x >= y must hold!: No violations detected]
Note how we used sub and safeSub polymorphically. We only need to monomorphise our types when a proof
attempt is done, as we did in the safe calls.
If required, the user can pass a CallStack through the first argument to sAssert, which will be used
by SBV to print a diagnostic info to pinpoint the failure.
Also see Data.SBV.Examples.Misc.NoDiv0 for the classic div-by-zero example.
sAssert :: Maybe CallStack -> String -> SBool -> SBV a -> SBV a Source #
Symbolic assert. Check that the given boolean condition is always true in the given path. The optional first argument can be used to provide call-stack info via GHC's location facilities.
safe :: SExecutable a => a -> IO [SafeResult] Source #
Check that all the sAssert calls are safe, equivalent to safeWith defaultSMTCfg
safeWith :: SExecutable a => SMTConfig -> a -> IO [SafeResult] Source #
Check if any of the assertions can be violated
isSafe :: SafeResult -> Bool Source #
Check if a safe-call was safe or not, turning a SafeResult to a Bool.
class SExecutable a where Source #
Symbolically executable program fragments. This class is mainly used for safe calls, and is sufficently populated internally to cover most use
cases. Users can extend it as they wish to allow safe checks for SBV programs that return/take types that are user-defined.
Instances
Finding all satisfying assignments
allSat :: Provable a => a -> IO AllSatResult Source #
Return all satisfying assignments for a predicate, equivalent to allSatWith defaultSMTCfg
NB. Uninterpreted constant/function values and counter-examples for array values are ignored for
the purposes of allSat
allSatWith :: Provable a => SMTConfig -> a -> IO AllSatResult Source #
Find all satisfying assignments using the given SMT-solver
Satisfying a sequence of boolean conditions
solve :: [SBool] -> Symbolic SBool Source #
Form the symbolic conjunction of a given list of boolean conditions. Useful in expressing problems with constraints, like the following:
do [x, y, z] <- sIntegers ["x", "y", "z"]
solve [x .> 5, y + z .< x]
Adding constraints
A constraint is a means for restricting the input domain of a formula. Here's a simple example:
do x <-exists"x" y <-exists"y"constrain$ x .> yconstrain$ x + y .>= 12constrain$ y .>= 3 ...
The first constraint requires x to be larger than y. The scond one says that
sum of x and y must be at least 12, and the final one says that y to be at least 3.
Constraints provide an easy way to assert additional properties on the input domain, right at the point of
the introduction of variables.
Note that the proper reading of a constraint depends on the context:
- In a
sat(orallSat) call: The constraint added is asserted conjunctively. That is, the resulting satisfying model (if any) will always satisfy all the constraints given. - In a
provecall: In this case, the constraint acts as an implication. The property is proved under the assumption that the constraint holds. In other words, the constraint says that we only care about the input space that satisfies the constraint. - In a
quickCheckcall: The constraint acts as a filter forquickCheck; if the constraint does not hold, then the input value is considered to be irrelevant and is skipped. Note that this is similar toprove, but is stronger: We do not accept a test case to be valid just because the constraints fail on them, although semantically the implication does hold. We simply skip that test case as a bad test vector. - In a
genTestcall: Similar toquickCheckandprove: If a constraint does not hold, the input value is ignored and is not included in the test set.
A good use case (in fact the motivating use case) for constrain is attaching a
constraint to a forall or exists variable at the time of its creation.
Also, the conjunctive semantics for sat and the implicative
semantics for prove simplify programming by choosing the correct interpretation
automatically. However, one should be aware of the semantic difference. For instance, in
the presence of constraints, formulas that are provable are not necessarily
satisfiable. To wit, consider:
do x <-exists"x"constrain$ x .< x return $ x .< (x ::SWord8)
This predicate is unsatisfiable since no element of SWord8 is less than itself. But
it's (vacuously) true, since it excludes the entire domain of values, thus making the proof
trivial. Hence, this predicate is provable, but is not satisfiable. To make sure the given
constraints are not vacuous, the functions isVacuous (and isVacuousWith) can be used.
Also note that this semantics imply that test case generation (genTest) and quick-check
can take arbitrarily long in the presence of constraints, if the random input values generated
rarely satisfy the constraints. (As an extreme case, consider constrain false
A probabilistic constraint (see pConstrain) attaches a probability threshold for the
constraint to be considered. For instance:
pConstrain 0.8 c
will make sure that the condition c is satisfied 80% of the time (and correspondingly, falsified 20%
of the time), in expectation. This variant is useful for genTest and quickCheck functions, where we
want to filter the test cases according to some probability distribution, to make sure that the test-vectors
are drawn from interesting subsets of the input space. For instance, if we were to generate 100 test cases
with the above constraint, we'd expect about 80 of them to satisfy the condition c, while about 20 of them
will fail it.
The following properties hold:
constrain=pConstrain1pConstraint c =pConstrain(1-t) (not c)
Note that while constrain can be used freely, pConstrain is only allowed in the contexts of
genTest or quickCheck. Calls to pConstrain in a prove/sat call will be rejected as SBV does not
deal with probabilistic constraints when it comes to satisfiability and proofs.
Also, both constrain and pConstrain calls during code-generation will also be rejected, for similar reasons.
constrain :: SBool -> Symbolic () Source #
Adding arbitrary constraints. When adding constraints, one has to be careful about
making sure they are not inconsistent. The function isVacuous can be use for this purpose.
Here is an example. Consider the following predicate:
>>>let pred = do { x <- forall "x"; constrain $ x .< x; return $ x .>= (5 :: SWord8) }
This predicate asserts that all 8-bit values are larger than 5, subject to the constraint that the
values considered satisfy x .< x, i.e., they are less than themselves. Since there are no values that
satisfy this constraint, the proof will pass vacuously:
>>>prove predQ.E.D.
We can use isVacuous to make sure to see that the pass was vacuous:
>>>isVacuous predTrue
While the above example is trivial, things can get complicated if there are multiple constraints with non-straightforward relations; so if constraints are used one should make sure to check the predicate is not vacuously true. Here's an example that is not vacuous:
>>>let pred' = do { x <- forall "x"; constrain $ x .> 6; return $ x .>= (5 :: SWord8) }
This time the proof passes as expected:
>>>prove pred'Q.E.D.
And the proof is not vacuous:
>>>isVacuous pred'False
pConstrain :: Double -> SBool -> Symbolic () Source #
Adding a probabilistic constraint. The Double argument is the probability
threshold. Probabilistic constraints are useful for genTest and quickCheck
calls where we restrict our attention to interesting parts of the input domain.
Checking constraint vacuity
isVacuous :: Provable a => a -> IO Bool Source #
Check if the given constraints are satisfiable, equivalent to isVacuousWith defaultSMTCfgconstrain for an example use of isVacuous.
isVacuousWith :: Provable a => SMTConfig -> a -> IO Bool Source #
Determine if the constraints are vacuous using the given SMT-solver
Quick-checking
sbvQuickCheck :: Symbolic SBool -> IO Bool Source #
Quick check an SBV property. Note that a regular quickCheck call will work just as
well. Use this variant if you want to receive the boolean result.
Proving properties using multiple solvers
On a multi-core machine, it might be desirable to try a given property using multiple SMT solvers, using parallel threads. Even with machines with single-cores, threading can be helpful if you want to try out multiple-solvers but do not know which one would work the best for the problem at hand ahead of time.
The functions in this section allow proving/satisfiability-checking with multiple backends at the same time. Each function comes in two variants, one that returns the results from all solvers, the other that returns the fastest one.
The All variants, (i.e., proveWithAll, satWithAll) run all solvers and
return all the results. SBV internally makes sure that the result is lazily generated; so,
the order of solvers given does not matter. In other words, the order of results will follow
the order of the solvers as they finish, not as given by the user. These variants are useful when you
want to make sure multiple-solvers agree (or disagree!) on a given problem.
The Any variants, (i.e., proveWithAny, satWithAny) will run all the solvers
in parallel, and return the results of the first one finishing. The other threads will then be killed. These variants
are useful when you do not care if the solvers produce the same result, but rather want to get the
solution as quickly as possible, taking advantage of modern many-core machines.
Note that the function sbvAvailableSolvers will return all the installed solvers, which can be
used as the first argument to all these functions, if you simply want to try all available solvers on a machine.
proveWithAll :: Provable a => [SMTConfig] -> a -> IO [(Solver, ThmResult)] Source #
Prove a property with multiple solvers, running them in separate threads. The results will be returned in the order produced.
proveWithAny :: Provable a => [SMTConfig] -> a -> IO (Solver, ThmResult) Source #
Prove a property with multiple solvers, running them in separate threads. Only the result of the first one to finish will be returned, remaining threads will be killed.
satWithAll :: Provable a => [SMTConfig] -> a -> IO [(Solver, SatResult)] Source #
Find a satisfying assignment to a property with multiple solvers, running them in separate threads. The results will be returned in the order produced.
satWithAny :: Provable a => [SMTConfig] -> a -> IO (Solver, SatResult) Source #
Find a satisfying assignment to a property with multiple solvers, running them in separate threads. Only the result of the first one to finish will be returned, remaining threads will be killed.
Optimization
Symbolic optimization. A call of the form:
minimize Quantified cost n valid
returns Just xs, such that:
xshas preciselynelementsvalid xsholdscost xsis minimal. That is, for all sequencesysthat satisfy the first two criteria above,cost xs .<= cost ysholds.
If there is no such sequence, then minimize will return Nothing.
The function maximize is similar, except the comparator is .>=. So the value returned has the largest cost (or value, in that case).
The function optimize allows the user to give a custom comparison function.
The OptimizeOpts argument controls how the optimization is done. If Quantified is used, then the SBV optimization engine satisfies the following predicate:
exists xs. forall ys. valid xs && (valid ys `implies` (cost xs `cmp` cost ys))
Note that this may cause efficiency problems as it involves alternating quantifiers.
If OptimizeOpts is set to Iterative True, then SBV will programmatically
search for an optimal solution, by repeatedly calling the solver appropriately. (The boolean argument controls whether progress reports are given. Use
False for quiet operation.)
Quantified vs Iterative
Note that the quantified and iterative versions are two different optimization approaches and may not necessarily yield the same results. In particular, the quantified version can tell us no such solution exists if there is no global optimum value, while the iterative version might simply loop forever for such a problem. To wit, consider the example:
maximize Quantified head 1 (const true :: [SInteger] -> SBool)
which asks for the largest SInteger value. The SMT solver will happily answer back saying there is no such value with the Quantified call, but the Iterative variant
will simply loop forever as it would search through an infinite chain of ascending SInteger values.
In practice, however, the iterative version is usually the more effective choice since alternating quantifiers are hard to deal with for many SMT-solvers and thus will
likely result in an unknown result. While the Iterative variant can loop for a long time, one can simply use the boolean flag True and see how the search is progressing.
minimize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a]) Source #
Minimizes a cost function with respect to a constraint. Examples:
>>>minimize Quantified sum 3 (bAll (.> (10 :: SInteger)))Just [11,11,11]
maximize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a]) Source #
Maximizes a cost function with respect to a constraint. Examples:
>>>maximize Quantified sum 3 (bAll (.< (10 :: SInteger)))Just [9,9,9]
optimize :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => OptimizeOpts -> (SBV c -> SBV c -> SBool) -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a]) Source #
Variant of optimizeWith using the default solver. See optimizeWith for parameter descriptions.
minimizeWith :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => SMTConfig -> OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a]) Source #
Variant of minimize allowing the use of a user specified solver. See optimizeWith for parameter descriptions.
maximizeWith :: (SatModel a, SymWord a, Show a, SymWord c, Show c) => SMTConfig -> OptimizeOpts -> ([SBV a] -> SBV c) -> Int -> ([SBV a] -> SBool) -> IO (Maybe [a]) Source #
Variant of maximize allowing the use of a user specified solver. See optimizeWith for parameter descriptions.
Computing expected values
expectedValue :: Outputtable a => Symbolic a -> IO [Double] Source #
Given a symbolic computation that produces a value, compute the
expected value that value would take if this computation is run
with its free variables drawn from uniform distributions of its
respective values, satisfying the given constraints specified by
constrain and pConstrain calls. This is equivalent to calling
expectedValueWith the following parameters: verbose, warm-up
round count of 10000, no maximum iteration count, and with
convergence margin 0.0001.
expectedValueWith :: Outputtable a => Bool -> Int -> Maybe Int -> Double -> Symbolic a -> IO [Double] Source #
Generalized version of expectedValue, allowing the user to specify the
warm-up count and the convergence factor. Maximum iteration count can also
be specified, at which point convergence won't be sought. The boolean controls verbosity.
Model extraction
The default Show instances for prover calls provide all the counter-example information in a
human-readable form and should be sufficient for most casual uses of sbv. However, tools built
on top of sbv will inevitably need to look into the constructed models more deeply, programmatically
extracting their results and performing actions based on them. The API provided in this section
aims at simplifying this task.
Inspecting proof results
ThmResult, SatResult, and AllSatResult are simple newtype wrappers over SMTResult. Their
main purpose is so that we can provide custom Show instances to print results accordingly.
A prove call results in a ThmResult
newtype SafeResult Source #
A safe call results in a SafeResult
Constructors
| SafeResult (Maybe String, String, SMTResult) |
Instances
| Show SafeResult Source # | User friendly way of printing safety results |
newtype AllSatResult Source #
An allSat call results in a AllSatResult. The boolean says whether
we should warn the user about prefix-existentials.
Constructors
| AllSatResult (Bool, [SMTResult]) |
Instances
| Show AllSatResult Source # | The Show instance of AllSatResults. Note that we have to be careful in being lazy enough as the typical use case is to pull results out as they become available. |
The result of an SMT solver call. Each constructor is tagged with
the SMTConfig that created it so that further tools can inspect it
and build layers of results, if needed. For ordinary uses of the library,
this type should not be needed, instead use the accessor functions on
it. (Custom Show instances and model extractors.)
Constructors
| Unsatisfiable SMTConfig | Unsatisfiable |
| Satisfiable SMTConfig SMTModel | Satisfiable with model |
| Unknown SMTConfig SMTModel | Prover returned unknown, with a potential (possibly bogus) model |
| ProofError SMTConfig [String] | Prover errored out |
| TimeOut SMTConfig | Computation timed out (see the |
Programmable model extraction
While default Show instances are sufficient for most use cases, it is sometimes desirable (especially
for library construction) that the SMT-models are reinterpreted in terms of domain types. Programmable
extraction allows getting arbitrarily typed models out of SMT models.
class SatModel a where Source #
Instances of SatModel can be automatically extracted from models returned by the
solvers. The idea is that the sbv infrastructure provides a stream of CW's (constant-words)
coming from the solver, and the type a is interpreted based on these constants. Many typical
instances are already provided, so new instances can be declared with relative ease.
Minimum complete definition: parseCWs
Methods
parseCWs :: [CW] -> Maybe (a, [CW]) Source #
Given a sequence of constant-words, extract one instance of the type a, returning
the remaining elements untouched. If the next element is not what's expected for this
type you should return Nothing
cvtModel :: (a -> Maybe b) -> Maybe (a, [CW]) -> Maybe (b, [CW]) Source #
Given a parsed model instance, transform it using f, and return the result.
The default definition for this method should be sufficient in most use cases.
parseCWs :: Read a => [CW] -> Maybe (a, [CW]) Source #
Given a sequence of constant-words, extract one instance of the type a, returning
the remaining elements untouched. If the next element is not what's expected for this
type you should return Nothing
Instances
| SatModel Bool Source # |
|
| SatModel Double Source # |
|
| SatModel Float Source # |
|
| SatModel Int8 Source # |
|
| SatModel Int16 Source # |
|
| SatModel Int32 Source # |
|
| SatModel Int64 Source # |
|
| SatModel Integer Source # |
|
| SatModel Word8 Source # |
|
| SatModel Word16 Source # |
|
| SatModel Word32 Source # |
|
| SatModel Word64 Source # |
|
| SatModel () Source # | Base case for |
| SatModel AlgReal Source # |
|
| SatModel CW Source # |
|
| SatModel RoundingMode Source # | A rounding mode, extracted from a model. (Default definition suffices) |
| SatModel Word4 Source # | SatModel instance, merely uses the generic parsing method. |
| SatModel Location Source # | |
| SatModel U2Member Source # | |
| SatModel a => SatModel [a] Source # | A list of values as extracted from a model. When reading a list, we go as long as we can (maximal-munch). Note that this never fails, as we can always return the empty list! |
| (SatModel a, SatModel b) => SatModel (a, b) Source # | Tuples extracted from a model |
| (SatModel a, SatModel b, SatModel c) => SatModel (a, b, c) Source # | 3-Tuples extracted from a model |
| (SatModel a, SatModel b, SatModel c, SatModel d) => SatModel (a, b, c, d) Source # | 4-Tuples extracted from a model |
| (SatModel a, SatModel b, SatModel c, SatModel d, SatModel e) => SatModel (a, b, c, d, e) Source # | 5-Tuples extracted from a model |
| (SatModel a, SatModel b, SatModel c, SatModel d, SatModel e, SatModel f) => SatModel (a, b, c, d, e, f) Source # | 6-Tuples extracted from a model |
| (SatModel a, SatModel b, SatModel c, SatModel d, SatModel e, SatModel f, SatModel g) => SatModel (a, b, c, d, e, f, g) Source # | 7-Tuples extracted from a model |
class Modelable a where Source #
Various SMT results that we can extract models out of.
Minimal complete definition
Methods
modelExists :: a -> Bool Source #
Is there a model?
getModel :: SatModel b => a -> Either String (Bool, b) Source #
Extract a model, the result is a tuple where the first argument (if True) indicates whether the model was "probable". (i.e., if the solver returned unknown.)
getModelDictionary :: a -> Map String CW Source #
Extract a model dictionary. Extract a dictionary mapping the variables to
their respective values as returned by the SMT solver. Also see getModelDictionaries.
getModelValue :: SymWord b => String -> a -> Maybe b Source #
Extract a model value for a given element. Also see getModelValues.
getModelUninterpretedValue :: String -> a -> Maybe String Source #
Extract a representative name for the model value of an uninterpreted kind.
This is supposed to correspond to the value as computed internally by the
SMT solver; and is unportable from solver to solver. Also see getModelUninterpretedValues.
extractModel :: SatModel b => a -> Maybe b Source #
A simpler variant of getModel to get a model out without the fuss.
displayModels :: SatModel a => (Int -> (Bool, a) -> IO ()) -> AllSatResult -> IO Int Source #
Given an allSat call, we typically want to iterate over it and print the results in sequence. The
displayModels function automates this task by calling disp on each result, consecutively. The first
Int argument to disp 'is the current model number. The second argument is a tuple, where the first
element indicates whether the model is alleged (i.e., if the solver is not sure, returing Unknown)
extractModels :: SatModel a => AllSatResult -> [a] Source #
Return all the models from an allSat call, similar to extractModel but
is suitable for the case of multiple results.
getModelDictionaries :: AllSatResult -> [Map String CW] Source #
Get dictionaries from an all-sat call. Similar to getModelDictionary.
getModelValues :: SymWord b => String -> AllSatResult -> [Maybe b] Source #
Extract value of a variable from an all-sat call. Similar to getModelValue.
getModelUninterpretedValues :: String -> AllSatResult -> [Maybe String] Source #
Extract value of an uninterpreted variable from an all-sat call. Similar to getModelUninterpretedValue.
SMT Interface: Configurations and solvers
Solver configuration. See also z3, yices, cvc4, boolector, mathSAT, etc. which are instantiations of this type for those solvers, with
reasonable defaults. In particular, custom configuration can be created by varying those values. (Such as z3{verbose=True}.)
Most fields are self explanatory. The notion of precision for printing algebraic reals stems from the fact that such values does
not necessarily have finite decimal representations, and hence we have to stop printing at some depth. It is important to
emphasize that such values always have infinite precision internally. The issue is merely with how we print such an infinite
precision value on the screen. The field printRealPrec controls the printing precision, by specifying the number of digits after
the decimal point. The default value is 16, but it can be set to any positive integer.
When printing, SBV will add the suffix ... at the and of a real-value, if the given bound is not sufficient to represent the real-value
exactly. Otherwise, the number will be written out in standard decimal notation. Note that SBV will always print the whole value if it
is precise (i.e., if it fits in a finite number of digits), regardless of the precision limit. The limit only applies if the representation
of the real value is not finite, i.e., if it is not rational.
The printBase field can be used to print numbers in base 2, 10, or 16. If base 2 or 16 is used, then floating-point values will
be printed in their internal memory-layout format as well, which can come in handy for bit-precise analysis.
Constructors
| SMTConfig | |
Fields
| |
data SMTLibVersion Source #
Representation of SMTLib Program versions. As of June 2015, we're dropping support for SMTLib1, and supporting SMTLib2 only. We keep this data-type around in case SMTLib3 comes along and we want to support 2 and 3 simultaneously.
Constructors
| SMTLib2 |
data SMTLibLogic Source #
SMT-Lib logics. If left unspecified SBV will pick the logic based on what it determines is needed. However, the
user can override this choice using the useLogic parameter to the configuration. This is especially handy if
one is experimenting with custom logics that might be supported on new solvers. See http://smtlib.cs.uiowa.edu/logics.shtml
for the official list.
Constructors
| AUFLIA | Formulas over the theory of linear integer arithmetic and arrays extended with free sort and function symbols but restricted to arrays with integer indices and values |
| AUFLIRA | Linear formulas with free sort and function symbols over one- and two-dimentional arrays of integer index and real value |
| AUFNIRA | Formulas with free function and predicate symbols over a theory of arrays of arrays of integer index and real value |
| LRA | Linear formulas in linear real arithmetic |
| QF_ABV | Quantifier-free formulas over the theory of bitvectors and bitvector arrays |
| QF_AUFBV | Quantifier-free formulas over the theory of bitvectors and bitvector arrays extended with free sort and function symbols |
| QF_AUFLIA | Quantifier-free linear formulas over the theory of integer arrays extended with free sort and function symbols |
| QF_AX | Quantifier-free formulas over the theory of arrays with extensionality |
| QF_BV | Quantifier-free formulas over the theory of fixed-size bitvectors |
| QF_IDL | Difference Logic over the integers. Boolean combinations of inequations of the form x - y < b where x and y are integer variables and b is an integer constant |
| QF_LIA | Unquantified linear integer arithmetic. In essence, Boolean combinations of inequations between linear polynomials over integer variables |
| QF_LRA | Unquantified linear real arithmetic. In essence, Boolean combinations of inequations between linear polynomials over real variables. |
| QF_NIA | Quantifier-free integer arithmetic. |
| QF_NRA | Quantifier-free real arithmetic. |
| QF_RDL | Difference Logic over the reals. In essence, Boolean combinations of inequations of the form x - y < b where x and y are real variables and b is a rational constant. |
| QF_UF | Unquantified formulas built over a signature of uninterpreted (i.e., free) sort and function symbols. |
| QF_UFBV | Unquantified formulas over bitvectors with uninterpreted sort function and symbols. |
| QF_UFIDL | Difference Logic over the integers (in essence) but with uninterpreted sort and function symbols. |
| QF_UFLIA | Unquantified linear integer arithmetic with uninterpreted sort and function symbols. |
| QF_UFLRA | Unquantified linear real arithmetic with uninterpreted sort and function symbols. |
| QF_UFNRA | Unquantified non-linear real arithmetic with uninterpreted sort and function symbols. |
| UFLRA | Linear real arithmetic with uninterpreted sort and function symbols. |
| UFNIA | Non-linear integer arithmetic with uninterpreted sort and function symbols. |
| QF_FPBV | Quantifier-free formulas over the theory of floating point numbers, arrays, and bit-vectors |
| QF_FP | Quantifier-free formulas over the theory of floating point numbers |
Instances
Chosen logic for the solver
Constructors
| PredefinedLogic SMTLibLogic | Use one of the logics as defined by the standard |
| CustomLogic String | Use this name for the logic |
data OptimizeOpts Source #
Optimizer configuration. Note that iterative and quantified approaches are in general not interchangeable. For instance, iterative solutions will loop infinitely when there is no optimal value, but quantified solutions can handle such problems. Of course, quantified problems are harder for SMT solvers, naturally.
Constructors
| Iterative Bool | Iteratively search. if True, it will be reporting progress |
| Quantified | Use quantifiers |
Solvers that SBV is aware of
An SMT solver
Constructors
| SMTSolver | |
Fields
| |
defaultSolverConfig :: Solver -> SMTConfig Source #
The default configs corresponding to supported SMT solvers
sbvCurrentSolver :: SMTConfig Source #
The currently active solver, obtained by importing Data.SBV. To have other solvers current, import one of the bridge modules Data.SBV.Bridge.ABC, Data.SBV.Bridge.Boolector, Data.SBV.Bridge.CVC4, Data.SBV.Bridge.Yices, or Data.SBV.Bridge.Z3 directly.
defaultSMTCfg :: SMTConfig Source #
The default solver used by SBV. This is currently set to z3.
sbvCheckSolverInstallation :: SMTConfig -> IO Bool Source #
Check whether the given solver is installed and is ready to go. This call does a simple call to the solver to ensure all is well.
sbvAvailableSolvers :: IO [SMTConfig] Source #
Return the known available solver configs, installed on your machine.
Symbolic computations
A Symbolic computation. Represented by a reader monad carrying the state of the computation, layered on top of IO for creating unique references to hold onto intermediate results.
output :: Outputtable a => a -> Symbolic a Source #
Mark an interim result as an output. Useful when constructing Symbolic programs that return multiple values, or when the result is programmatically computed.
class (HasKind a, Ord a) => SymWord a where Source #
A SymWord is a potential symbolic bitvector that can be created instances of
to be fed to a symbolic program. Note that these methods are typically not needed
in casual uses with prove, sat, allSat etc, as default instances automatically
provide the necessary bits.
Methods
forall :: String -> Symbolic (SBV a) Source #
Create a user named input (universal)
forall_ :: Symbolic (SBV a) Source #
Create an automatically named input
mkForallVars :: Int -> Symbolic [SBV a] Source #
Get a bunch of new words
exists :: String -> Symbolic (SBV a) Source #
Create an existential variable
exists_ :: Symbolic (SBV a) Source #
Create an automatically named existential variable
mkExistVars :: Int -> Symbolic [SBV a] Source #
Create a bunch of existentials
free :: String -> Symbolic (SBV a) Source #
Create a free variable, universal in a proof, existential in sat
free_ :: Symbolic (SBV a) Source #
Create an unnamed free variable, universal in proof, existential in sat
mkFreeVars :: Int -> Symbolic [SBV a] Source #
Create a bunch of free vars
symbolic :: String -> Symbolic (SBV a) Source #
Similar to free; Just a more convenient name
symbolics :: [String] -> Symbolic [SBV a] Source #
Similar to mkFreeVars; but automatically gives names based on the strings
literal :: a -> SBV a Source #
Turn a literal constant to symbolic
unliteral :: SBV a -> Maybe a Source #
Extract a literal, if the value is concrete
Extract a literal, from a CW representation
isConcrete :: SBV a -> Bool Source #
Is the symbolic word concrete?
isSymbolic :: SBV a -> Bool Source #
Is the symbolic word really symbolic?
isConcretely :: SBV a -> (a -> Bool) -> Bool Source #
Does it concretely satisfy the given predicate?
mkSymWord :: Maybe Quantifier -> Maybe String -> Symbolic (SBV a) Source #
One stop allocator
literal :: Show a => a -> SBV a Source #
Turn a literal constant to symbolic
fromCW :: Read a => CW -> a Source #
Extract a literal, from a CW representation
mkSymWord :: (Read a, Data a) => Maybe Quantifier -> Maybe String -> Symbolic (SBV a) Source #
One stop allocator
Instances
| SymWord RoundingMode Source # |
|
| SymWord E Source # | |
| SymWord Word4 Source # | SymWord instance, allowing this type to be used in proofs/sat etc. |
| SymWord Sport Source # | |
| SymWord Pet Source # | |
| SymWord Beverage Source # | |
| SymWord Nationality Source # | |
| SymWord Color Source # | |
| SymWord Location Source # | |
| SymWord U2Member Source # | |
| SymWord B Source # | |
| SymWord Q Source # | |
| SymWord L Source # | Declare instances to make |
Getting SMT-Lib output (for offline analysis)
Arguments
| :: Provable a | |
| => SMTLibVersion | Version of SMTLib to compile to. (Only SMTLib2 supported currently.) |
| -> Bool | If True, translate directly, otherwise negate the goal. (Use True for SAT queries, False for PROVE queries.) |
| -> a | |
| -> IO String |
Compiles to SMT-Lib and returns the resulting program as a string. Useful for saving the result to a file for off-line analysis, for instance if you have an SMT solver that's not natively supported out-of-the box by the SBV library. It takes two arguments:
- version: The SMTLib-version to produce. Note that we currently only support SMTLib2.
- isSat : If
True, will translate it as a SAT query, i.e., in the positive. IfFalse, will translate as a PROVE query, i.e., it will negate the result. (In this case, the check-sat call to the SMT solver will produce UNSAT if the input is a theorem, as usual.)
generateSMTBenchmarks :: Provable a => Bool -> FilePath -> a -> IO () Source #
Create SMT-Lib benchmarks, for supported versions of SMTLib. The first argument is the basename of the file.
The Bool argument controls whether this is a SAT instance, i.e., translate the query
directly, or a PROVE instance, i.e., translate the negated query. (See the second boolean argument to
compileToSMTLib for details.)
Test case generation
genTest :: Outputtable a => Int -> Symbolic a -> IO TestVectors Source #
Generate a set of concrete test values from a symbolic program. The output
can be rendered as test vectors in different languages as necessary. Use the
function output call to indicate what fields should be in the test result.
(Also see constrain and pConstrain for filtering acceptable test values.)
getTestValues :: TestVectors -> [([CW], [CW])] Source #
Retrieve the test vectors for further processing. This function
is useful in cases where renderTest is not sufficient and custom
output (or further preprocessing) is needed.
data TestVectors Source #
Type of test vectors (abstract)
Test output style
Constructors
| Haskell String | As a Haskell value with given name |
| C String | As a C array of structs with given name |
| Forte String Bool ([Int], [Int]) | As a Forte/Verilog value with given name. If the boolean is True then vectors are blasted big-endian, otherwise little-endian The indices are the split points on bit-vectors for input and output values |
renderTest :: TestStyle -> TestVectors -> String Source #
Render the test as a Haskell value with the given name n.
CW represents a concrete word of a fixed size:
Endianness is mostly irrelevant (see the FromBits class).
For signed words, the most significant digit is considered to be the sign.
class HasKind a where Source #
A class for capturing values that have a sign and a size (finite or infinite)
minimal complete definition: kindOf. This class can be automatically derived
for data-types that have a Data instance; this is useful for creating uninterpreted
sorts.
Methods
intSizeOf :: a -> Int Source #
isBoolean :: a -> Bool Source #
isBounded :: a -> Bool Source #
isDouble :: a -> Bool Source #
isInteger :: a -> Bool Source #
isUninterpreted :: a -> Bool Source #
Instances
| HasKind Bool Source # | |
| HasKind Double Source # | |
| HasKind Float Source # | |
| HasKind Int8 Source # | |
| HasKind Int16 Source # | |
| HasKind Int32 Source # | |
| HasKind Int64 Source # | |
| HasKind Integer Source # | |
| HasKind Word8 Source # | |
| HasKind Word16 Source # | |
| HasKind Word32 Source # | |
| HasKind Word64 Source # | |
| HasKind AlgReal Source # | |
| HasKind Kind Source # | |
| HasKind CW Source # |
|
| HasKind RoundingMode Source # |
|
| HasKind SVal Source # | |
| HasKind SW Source # | |
| HasKind E Source # | |
| HasKind Word4 Source # | HasKind instance; simply returning the underlying kind for the type |
| HasKind Sport Source # | |
| HasKind Pet Source # | |
| HasKind Beverage Source # | |
| HasKind Nationality Source # | |
| HasKind Color Source # | |
| HasKind Location Source # | |
| HasKind U2Member Source # | |
| HasKind B Source # | |
| HasKind Q Source # | |
| HasKind L Source # | Similarly, |
| HasKind (SBV a) Source # | |
Kind of symbolic value
Code generation from symbolic programs
The SBV library can generate straight-line executable code in C. (While other target languages are
certainly possible, currently only C is supported.) The generated code will perform no run-time memory-allocations,
(no calls to malloc), so its memory usage can be predicted ahead of time. Also, the functions will execute precisely the
same instructions in all calls, so they have predictable timing properties as well. The generated code
has no loops or jumps, and is typically quite fast. While the generated code can be large due to complete unrolling,
these characteristics make them suitable for use in hard real-time systems, as well as in traditional computing.
data SBVCodeGen a Source #
The code-generation monad. Allows for precise layout of input values reference parameters (for returning composite values in languages such as C), and return values.
Instances
Setting code-generation options
cgPerformRTCs :: Bool -> SBVCodeGen () Source #
Sets RTC (run-time-checks) for index-out-of-bounds, shift-with-large value etc. on/off. Default: False.
cgSetDriverValues :: [Integer] -> SBVCodeGen () Source #
Sets driver program run time values, useful for generating programs with fixed drivers for testing. Default: None, i.e., use random values.
cgGenerateDriver :: Bool -> SBVCodeGen () Source #
Should we generate a driver program? Default: True. When a library is generated, it will have
a driver if any of the contituent functions has a driver. (See compileToCLib.)
cgGenerateMakefile :: Bool -> SBVCodeGen () Source #
Should we generate a Makefile? Default: True.
Designating inputs
cgInput :: SymWord a => String -> SBVCodeGen (SBV a) Source #
Creates an atomic input in the generated code.
cgInputArr :: SymWord a => Int -> String -> SBVCodeGen [SBV a] Source #
Creates an array input in the generated code.
Designating outputs
cgOutput :: String -> SBV a -> SBVCodeGen () Source #
Creates an atomic output in the generated code.
cgOutputArr :: SymWord a => String -> [SBV a] -> SBVCodeGen () Source #
Creates an array output in the generated code.
Designating return values
cgReturn :: SBV a -> SBVCodeGen () Source #
Creates a returned (unnamed) value in the generated code.
cgReturnArr :: SymWord a => [SBV a] -> SBVCodeGen () Source #
Creates a returned (unnamed) array value in the generated code.
Code generation with uninterpreted functions
cgAddPrototype :: [String] -> SBVCodeGen () Source #
Adds the given lines to the header file generated, useful for generating programs with uninterpreted functions.
cgAddDecl :: [String] -> SBVCodeGen () Source #
Adds the given lines to the program file generated, useful for generating programs with uninterpreted functions.
cgAddLDFlags :: [String] -> SBVCodeGen () Source #
Adds the given words to the compiler options in the generated Makefile, useful for linking extra stuff in.
cgIgnoreSAssert :: Bool -> SBVCodeGen () Source #
Ignore assertions (those generated by sAssert calls) in the generated C code
Code generation with SInteger and SReal types
The types SInteger and SReal are unbounded quantities that have no direct counterparts in the C language. Therefore,
it is not possible to generate standard C code for SBV programs using these types, unless custom libraries are available. To
overcome this, SBV allows the user to explicitly set what the corresponding types should be for these two cases, using
the functions below. Note that while these mappings will produce valid C code, the resulting code will be subject to
overflow/underflows for SInteger, and rounding for SReal, so there is an implicit loss of precision.
If the user does not specify these mappings, then SBV will refuse to compile programs that involve these types.
cgIntegerSize :: Int -> SBVCodeGen () Source #
Sets number of bits to be used for representing the SInteger type in the generated C code.
The argument must be one of 8, 16, 32, or 64. Note that this is essentially unsafe as
the semantics of unbounded Haskell integers becomes reduced to the corresponding bit size, as
typical in most C implementations.
cgSRealType :: CgSRealType -> SBVCodeGen () Source #
Sets the C type to be used for representing the SReal type in the generated C code.
The setting can be one of C's "float", "double", or "long double", types, depending
on the precision needed. Note that this is essentially unsafe as the semantics of
infinite precision SReal values becomes reduced to the corresponding floating point type in
C, and hence it is subject to rounding errors.
data CgSRealType Source #
Possible mappings for the SReal type when translated to C. Used in conjunction
with the function cgSRealType. Note that the particular characteristics of the
mapped types depend on the platform and the compiler used for compiling the generated
C program. See http://en.wikipedia.org/wiki/C_data_types for details.
Constructors
| CgFloat | float |
| CgDouble | double |
| CgLongDouble | long double |
Instances
| Eq CgSRealType Source # | |
| Show CgSRealType Source # |
|
Compilation to C
compileToC :: Maybe FilePath -> String -> SBVCodeGen () -> IO () Source #
Given a symbolic computation, render it as an equivalent collection of files that make up a C program:
- The first argument is the directory name under which the files will be saved. To save
files in the current directory pass
Just"."Nothingfor printing to stdout. - The second argument is the name of the C function to generate.
- The final argument is the function to be compiled.
Compilation will also generate a Makefile, a header file, and a driver (test) program, etc.
compileToCLib :: Maybe FilePath -> String -> [(String, SBVCodeGen ())] -> IO () Source #
Create code to generate a library archive (.a) from given symbolic functions. Useful when generating code from multiple functions that work together as a library.
- The first argument is the directory name under which the files will be saved. To save
files in the current directory pass
Just"."Nothingfor printing to stdout. - The second argument is the name of the archive to generate.
- The third argument is the list of functions to include, in the form of function-name/code pairs, similar
to the second and third arguments of
compileToC, except in a list.
Module exports
The SBV library exports the following modules wholesale, as user programs will have to import these modules to make any sensible use of the SBV functionality.
module Data.Bits
module Data.Word
module Data.Int
module Data.Ratio