sbv-8.1: SMT Based Verification: Symbolic Haskell theorem prover using SMT solving.

Documentation.SBV.Examples.WeakestPreconditions.Length

Description

Proof of correctness of an imperative list-length algorithm, using weakest preconditions. Illustrates the use of SBV's symbolic lists together with the WP algorithm.

Synopsis

# Program state

data LenS a Source #

The state of the length program, paramaterized over the element type a

Constructors

 LenS Fieldsxs :: SList aThe input listys :: SList aCopy of inputl :: SIntegerRunning length
Instances
 Source # We have to write the bijection between LenS and LenC explicitly. Luckily, the definition is more or less boilerplate. Instance details Methods (SymVal a, Show a) => Show (LenS a) Source # Show instance: A simplified version of what would otherwise be generated. Instance details MethodsshowsPrec :: Int -> LenS a -> ShowS #show :: LenS a -> String #showList :: [LenS a] -> ShowS # Generic (LenS a) Source # Instance details Associated Typestype Rep (LenS a) :: Type -> Type # Methodsfrom :: LenS a -> Rep (LenS a) x #to :: Rep (LenS a) x -> LenS a # SymVal a => Mergeable (LenS a) Source # Instance details MethodssymbolicMerge :: Bool -> SBool -> LenS a -> LenS a -> LenS a Source #select :: (Ord b, SymVal b, Num b) => [LenS a] -> LenS a -> SBV b -> LenS a Source # type Rep (LenS a) Source # Instance details type Rep (LenS a) = D1 (MetaData "LenS" "Documentation.SBV.Examples.WeakestPreconditions.Length" "sbv-8.1-KJ81LMQmRNq7C7R4pcgIua" False) (C1 (MetaCons "LenS" PrefixI True) (S1 (MetaSel (Just "xs") NoSourceUnpackedness NoSourceStrictness DecidedLazy) (Rec0 (SList a)) :*: (S1 (MetaSel (Just "ys") NoSourceUnpackedness NoSourceStrictness DecidedLazy) (Rec0 (SList a)) :*: S1 (MetaSel (Just "l") NoSourceUnpackedness NoSourceStrictness DecidedLazy) (Rec0 SInteger))))

data LenC a Source #

The concrete counterpart to LenS. Note that we can no longer use the duality between SBV a and a as in other examples and just use one datatype for both. This is because SList a and [a] are fundamentally different types. This can be a bit confusing at first, but the point is that it is the list that is symbolic in case of an SList a, not that we have a concrete list with symbolic elements in it. Subtle difference, but it is important to keep these two separate.

Constructors

 LenC [a] [a] Integer
Instances
 Source # We have to write the bijection between LenS and LenC explicitly. Luckily, the definition is more or less boilerplate. Instance details Methods Show a => Show (LenC a) Source # Show instance: Similarly, we want to be a bit more concise here. Instance details MethodsshowsPrec :: Int -> LenC a -> ShowS #show :: LenC a -> String #showList :: [LenC a] -> ShowS #

type S = LenS Integer Source #

Helper type synonym

# The algorithm

The imperative length algorithm:

   ys = xs
l  = 0
while not (null ys)
l  = l+1
ys = tail ys


Note that we need to explicitly annotate each loop with its invariant and the termination measure. For convenience, we take those two as parameters, so we can experiment later.

pre :: S -> SBool Source #

Precondition for our program. Nothing! It works for all lists.

Postcondition for our program: l must be the length of the input list.

Stability condition: Program must leave xs unchanged.

A program is the algorithm, together with its pre- and post-conditions.

The invariant simply relates the length of the input to the length of the current suffix and the length of the prefix traversed so far.

The measure is obviously the length of ys, as we peel elements off of it through the loop.

# Correctness

We check that l is the length of the input list xs upon termination. Note that even though this is an inductive proof, it is fairly easy to prove with our SMT based technology, which doesn't really handle induction at all! The usual inductive proof steps are baked into the invariant establishment phase of the WP proof. We have:

>>> correctness
Total correctness is established.
Q.E.D.