Safe Haskell | None |
---|---|

Language | Haskell2010 |

Author : Levent Erkok License : BSD3 Maintainer: erkokl@gmail.com Stability : experimental

An example showing how traditional state-transition invariance problems can be coded using SBV, using induction. We also demonstrate the use of invariant strengthening.

This example comes from Bradley's Understanding IC3 paper, which considers the following two programs:

x, y := 1, 1 x, y := 1, 1 while *: while *: x, y := x+1, y+x x, y := x+y, y+x

Where `*`

stands for non-deterministic choice. For each program we try to prove that `y >= 1`

is an invariant.

It turns out that the property `y >= 1`

is indeed an invariant, but is
not inductive for either program. We proceed to strengten the invariant
and establish it for the first case. We then note that the same strengthening
doesn't work for the second program, and find a further strengthening to
establish that case as well. This example follows the introductory example
in Bradley's paper quite closely.

## Synopsis

- data S a = S {}
- problem :: (S SInteger -> [S SInteger]) -> [(String, S SInteger -> SBool)] -> IO (InductionResult (S Integer))
- pgm1 :: S SInteger -> [S SInteger]
- pgm2 :: S SInteger -> [S SInteger]
- ex1 :: IO (InductionResult (S Integer))
- ex2 :: IO (InductionResult (S Integer))
- ex3 :: IO (InductionResult (S Integer))
- ex4 :: IO (InductionResult (S Integer))
- ex5 :: IO (InductionResult (S Integer))
- ex6 :: IO (InductionResult (S Integer))

# System state

System state. We simply have two components, parameterized over the type so we can put in both concrete and symbolic values.

# Encoding the problem

problem :: (S SInteger -> [S SInteger]) -> [(String, S SInteger -> SBool)] -> IO (InductionResult (S Integer)) Source #

We parameterize over the transition relation and the strengthenings to investigate various combinations.

# Examples

ex1 :: IO (InductionResult (S Integer)) Source #

Example 1: First program, with no strengthenings. We have:

`>>>`

Failed while establishing consecution. Counter-example to inductiveness: S {x = -1, y = 1}`ex1`

ex2 :: IO (InductionResult (S Integer)) Source #

Example 2: First program, strengthened with `x >= 0`

. We have:

`>>>`

Q.E.D.`ex2`

ex3 :: IO (InductionResult (S Integer)) Source #

Example 3: Second program, with no strengthenings. We have:

`>>>`

Failed while establishing consecution. Counter-example to inductiveness: S {x = -1, y = 1}`ex3`

ex4 :: IO (InductionResult (S Integer)) Source #

Example 4: Second program, strengthened with `x >= 0`

. We have:

`>>>`

Failed while establishing consecution for strengthening "x >= 0". Counter-example to inductiveness: S {x = 0, y = -1}`ex4`

ex5 :: IO (InductionResult (S Integer)) Source #

Example 5: Second program, strengthened with `x >= 0`

and `y >= 1`

separately. We have:

`>>>`

Failed while establishing consecution for strengthening "x >= 0". Counter-example to inductiveness: S {x = 0, y = -1}`ex5`

Note how this was sufficient in `ex2`

to establish the invariant for the first
program, but fails for the second.

ex6 :: IO (InductionResult (S Integer)) Source #

Example 6: Second program, strengthened with `x >= 0 /\ y >= 1`

simultaneously. We have:

`>>>`

Q.E.D.`ex6`

Compare this to `ex5`

. As pointed out by Bradley, this shows that
*a conjunction of assertions can be inductive when none of its components, on its own, is inductive.*
It remains an art to find proper loop invariants, though the science is improving!