Copyright | (c) Levent Erkok |
---|---|

License | BSD3 |

Maintainer | erkokl@gmail.com |

Stability | experimental |

Safe Haskell | None |

Language | Haskell2010 |

Induction engine for state transition systems. See the following examples for details:

- Documentation.SBV.Examples.ProofTools.Strengthen: Use of strengthening to establish inductive invariants.
- Documentation.SBV.Examples.ProofTools.Sum: Proof for correctness of an algorithm to sum up numbers,
- Documentation.SBV.Examples.ProofTools.Fibonacci: Proof for correctness of an algorithm to fast-compute fibonacci numbers, using axiomatization.

## Synopsis

- data InductionResult a
- = Failed InductionStep a
- | Proven

- data InductionStep
- induct :: (Show res, Queriable IO st res) => Bool -> Symbolic () -> (st -> SBool) -> (st -> [st]) -> [(String, st -> SBool)] -> (st -> SBool) -> (st -> (SBool, SBool)) -> IO (InductionResult res)
- inductWith :: (Show res, Queriable IO st res) => SMTConfig -> Bool -> Symbolic () -> (st -> SBool) -> (st -> [st]) -> [(String, st -> SBool)] -> (st -> SBool) -> (st -> (SBool, SBool)) -> IO (InductionResult res)

# Documentation

data InductionResult a Source #

Result of an inductive proof, with a counter-example in case of failure.

If a proof is found (indicated by a `Proven`

result), then the invariant holds
and the goal is established once the termination condition holds. If it fails, then
it can fail either in an initiation step or in a consecution step:

- A
`Failed`

result in an`Initiation`

step means that the invariant does*not*hold for the initial state, and thus indicates a true failure. - A
`Failed`

result in a`Consecution`

step will return a state*s*. This state is known as a CTI (counterexample to inductiveness): It will lead to a violation of the invariant in one step. However, this does not mean the property is invalid: It could be the case that it is simply not inductive. In this case, human intervention---or a smarter algorithm like IC3 for certain domains---is needed to see if one can strengthen the invariant so an inductive proof can be found. How this strengthening can be done remains an art, but the science is improving with algorithms like IC3. - A
`Failed`

result in a`PartialCorrectness`

step means that the invariant holds, but assuming the termination condition the goal still does not follow. That is, the partial correctness does not hold.

## Instances

Show a => Show (InductionResult a) Source # | Show instance for |

Defined in Data.SBV.Tools.Induction showsPrec :: Int -> InductionResult a -> ShowS # show :: InductionResult a -> String # showList :: [InductionResult a] -> ShowS # |

data InductionStep Source #

A step in an inductive proof. If the tag is present (i.e., `Just nm`

), then
the step belongs to the subproof that establishes the strengthening named `nm`

.

## Instances

Show InductionStep Source # | Show instance for |

Defined in Data.SBV.Tools.Induction showsPrec :: Int -> InductionStep -> ShowS # show :: InductionStep -> String # showList :: [InductionStep] -> ShowS # |

:: (Show res, Queriable IO st res) | |

=> Bool | Verbose mode |

-> Symbolic () | Setup code, if necessary. (Typically used for |

-> (st -> SBool) | Initial condition |

-> (st -> [st]) | Transition relation |

-> [(String, st -> SBool)] | Strengthenings, if any. The |

-> (st -> SBool) | Invariant that ensures the goal upon termination |

-> (st -> (SBool, SBool)) | Termination condition and the goal to establish |

-> IO (InductionResult res) | Either proven, or a concrete state value that, if reachable, fails the invariant. |

Induction engine, using the default solver. See Documentation.SBV.Examples.ProofTools.Strengthen and Documentation.SBV.Examples.ProofTools.Sum for examples.