Îõ³h&úF™D !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ ƒ „ … † ‡ ˆ ‰ Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–— ˜ ™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò ÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõ ö ÷ ø ù ú û ü ý þ ÿ € ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ Ž ‘ ’ “ ” • – — ˜ ™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ € ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ Ž ‘ ’ “ ” • – — ˜ ™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ €‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€ ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ Ž ‘ ’ “ ” • – — ˜ ™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê ë ì í î ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ €‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º» ¼!½!¾!¿!À!Á!Â!Ã!Ä!Å"Æ"Ç#È#É#Ê#Ë#Ì#Í$Î$Ï$Ð$Ñ$Ò%Ó%Ô%Õ&Ö&×&Ø&Ù&Ú'Û'Ü'Ý(Þ(ß(à(á(â(ã(ä(å(æ(ç(è(é(ê(ë(ì(í(î(ï(ð(ñ(ò(ó(ô(õ(ö(÷(ø(ù(ú(û(ü(ý(þ(ÿ(€((‚(ƒ(„(…(†(‡(ˆ(‰(Š)‹)Œ))Ž)))‘)’)“)”)•)–)—*˜*™*š*›*œ**ž*Ÿ* *¡*¢*£*¤*¥*¦*§*¨*©*ª*«*¬**®*¯*°*±*²*³*´*µ*¶*·*¸*¹*º*»*¼*½+¾,¿,À,Á,Â,Ã-Ä-Å-Æ-Ç-È-É-Ê-Ë.Ì.Í.Î.Ï.Ð.Ñ.Ò.Ó.Ô.Õ.Ö.×.Ø.Ù.Ú.Û.Ü.Ý.Þ.ß.à/á/â/ã/ä0å0æ1ç2è2é2ê3ë3ì3í3î4ï4ð4ñ4ò4ó4ô4õ4ö4÷4ø4ù4ú4û4ü4ý4þ4ÿ4€44‚5ƒ5„5…5†5‡5ˆ6‰6Š7‹8Œ88Ž888‘8’8“8”8•8–8—8˜8™8š8›8œ88ž8Ÿ8 8¡8¢8£8¤9¥9¦9§:¨:©:ª:«:¬::®;¯<°=±=²>³>´>µ>¶>·>¸>¹>º>»>¼>½>¾>¿>À>Á>Â>Ã>Ä>Å>Æ>Ç>È>É>Ê>Ë>Ì>Í>Î>Ï?Ð@ÑAÒBÓCÔCÕCÖC×CØCÙCÚCÛCÜCÝCÞCßCàDáDâDãDäDåDæDçDèDéDêDëDìDíDîEïEðEñEòEóEôEõEöE÷EøEùEúEûEüEýEþEÿE€FF‚FƒF„F…F†F‡FˆF‰FŠF‹FŒFGŽGGG‘G’G“G”G•G–G—G˜G™GšG›GœGGžGŸG G¡G¢G£G¤G¥G¦G§G¨H©HªH«H¬HH®H¯H°H±H²H³H´HµI¶I·I¸I¹IºI»I¼I½I¾I¿JÀJÁJÂJÃKÄLÅLÆLÇLÈLÉLÊLËLÌLÍLÎLÏMÐMÑMÒNÓNÔNÕNÖN×NØNÙNÚNÛNÜNÝNÞNßNàNáNâNãNäNåNæNçNèNéNêNëNìNíNîNïNðNñNòNóNôNõNöN÷NøNùNúNûNüNýNþNÿN€NN‚NƒN„N…N†N‡NˆN‰NŠN‹NŒNNŽNNN‘N’N“N”N•N–N—N˜N™NšN›NœNNžNŸN N¡N¢N£N¤N¥N¦N§N¨N©NªN«N¬NN®N¯N°N±N²N³N´NµN¶N·O¸O¹OºO»O¼O½O¾O¿OÀOÁOÂOÃOÄOÅOÆOÇOÈOÉOÊOËOÌOÍPÎPÏPÐPÑPÒPÓPÔPÕPÖP×PØPÙPÚPÛPÜPÝPÞPßPàPáPâPãPäPåQæQçQèQéQêQëQìQíQîQïQðRñSòSóSôSõSöS÷SøSùTúTûTüTýTþTÿT€TT‚TƒT„T…T†T‡TˆT‰TŠT‹TŒTTŽTTT‘T’T“T”T•T–T—T˜T™TšT›TœTTžTŸT T¡T¢T£T¤T¥T¦T§T¨T©TªT«T¬TT®T¯T°T±T²T³T´TµT¶U·U¸U¹VºW»W¼W½W¾W¿WÀWÁWÂWÃWÄWÅWÆWÇWÈWÉWÊXËXÌXÍXÎXÏXÐXÑXÒXÓXÔXÕXÖX×XØXÙXÚXÛXÜXÝXÞXßXàXáXâXãXäXåXæXçXèXéXêXëXìXíXîXïXðXñXòXóXôXõXöX÷XøXùXúXûXüXýXþXÿX€XX‚XƒX„X…X†X‡XˆX‰YŠY‹ZŒZ[Ž[[[‘[’[“[”[•\–\—\˜\™\š\›\œ\\ž\Ÿ\ \¡\¢\£\¤\¥\¦\§\¨\©\ª\«\¬\\®]¯]°]±]²]³]´]µ]¶]·]¸]¹]º]»]¼]½]¾]¿]À]Á]Â]Ã]Ä]Å]Æ]Ç]È]É]Ê]Ë]Ì]Í]Î]Ï]Ð]Ñ]Ò]Ó]Ô]Õ]Ö]×]Ø]Ù]Ú]Û]Ü]Ý]Þ^ß^à_á_â`ã`äaåaæaçaèbébêbëbìbíbîbïbðbñbòbóbôbõböb÷bøcùcúcûcücýcþcÿc€cc‚cƒc„c…c†c‡cˆc‰cŠc‹cŒccŽccc‘c’c“c”c•c–c—c˜c™cšc›cœccžcŸc c¡c¢c£c¤c¥c¦c§c¨c©cªc«c¬cc®c¯c°c±c²c³c´cµc¶c·c¸c¹cºc»c¼c½d¾d¿dÀeÁeÂeÃeÄeÅeÆeÇeÈeÉeÊeËeÌeÍeÎeÏfÐfÑgÒgÓhÔhÕhÖh×hØhÙhÚhÛhÜhÝhÞhßiàiáiâiãiäiåiæiçièiéiêjëjìjíjîjïjðjñjòjójôkõkök÷køkùkúkûkükýkþkÿk€kk‚kƒk„k…l†l‡lˆl‰lŠl‹lŒllŽlll‘l’l“l”l•l–l—l˜m™mšm›mœmmžmŸm m¡m¢m£m¤m¥m¦m§m¨m©mªm«m¬mm®m¯n°n±n²n³n´nµn¶n·n¸n¹nºn»n¼n½n¾n¿nÀnÁnÂnÃnÄnÅnÆoÇoÈoÉoÊoËoÌoÍoÎoÏoÐoÑoÒoÓoÔoÕoÖo×oØoÙoÚoÛoÜoÝpÞpßpàpápâpãpäpåpæpçpèpépêpëpìpípîpïpðpñpòpópôqõqöq÷qøqùqúqûqüqýqþqÿq€qq‚qƒq„q…q†q‡qˆq‰rŠr‹rŒrrŽrrr‘r’r“r”r•r–r—r˜r™ršr›rœršs(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredOM/sbvŸSMT-Lib logics. If left unspecified SBV will pick the logic based on what it determines is needed. However, the user can override this choice using a call to tò This is especially handy if one is experimenting with custom logics that might be supported on new solvers. See 'http://smtlib.cs.uiowa.edu/logics.shtml for the official list.sbv§Formulas over the theory of linear integer arithmetic and arrays extended with free sort and function symbols but restricted to arrays with integer indices and values.sbvùLinear formulas with free sort and function symbols over one- and two-dimentional arrays of integer index and real value.sbvôFormulas with free function and predicate symbols over a theory of arrays of arrays of integer index and real value.sbv*Linear formulas in linear real arithmetic.sbvÌQuantifier-free formulas over the theory of bitvectors and bitvector arrays.sbvùQuantifier-free formulas over the theory of bitvectors and bitvector arrays extended with free sort and function symbols.sbvïQuantifier-free linear formulas over the theory of integer arrays extended with free sort and function symbols.sbvÇQuantifier-free formulas over the theory of arrays with extensionality. sbvÂQuantifier-free formulas over the theory of fixed-size bitvectors. sbvŸDifference Logic over the integers. Boolean combinations of inequations of the form x - y < b where x and y are integer variables and b is an integer constant.sbvŠUnquantified linear integer arithmetic. In essence, Boolean combinations of inequations between linear polynomials over integer variables.sbv„Unquantified linear real arithmetic. In essence, Boolean combinations of inequations between linear polynomials over real variables. sbv#Quantifier-free integer arithmetic.sbv Quantifier-free real arithmetic.sbv¥Difference Logic over the reals. In essence, Boolean combinations of inequations of the form x - y < b where x and y are real variables and b is a rational constant.sbvåUnquantified formulas built over a signature of uninterpreted (i.e., free) sort and function symbols.sbvÓUnquantified formulas over bitvectors with uninterpreted sort function and symbols.sbváDifference Logic over the integers (in essence) but with uninterpreted sort and function symbols.sbvÔUnquantified linear integer arithmetic with uninterpreted sort and function symbols.sbvÑUnquantified linear real arithmetic with uninterpreted sort and function symbols.sbvÕUnquantified non-linear real arithmetic with uninterpreted sort and function symbols.sbvÝUnquantified non-linear real integer arithmetic with uninterpreted sort and function symbols.sbvÄLinear real arithmetic with uninterpreted sort and function symbols.sbvËNon-linear integer arithmetic with uninterpreted sort and function symbols.sbvÜQuantifier-free formulas over the theory of floating point numbers, arrays, and bit-vectors.sbvÃQuantifier-free formulas over the theory of floating point numbers.sbvQuantifier-free finite domains.sbv4Quantifier-free formulas over the theory of strings.sbvThe catch-all value.sbv=Use this value when you want SBV to simply not set the logic.sbv(In case you need a really custom string! sbvÐOption values that can be set in the solver, following the SMTLib specification )http://smtlib.cs.uiowa.edu/language.shtml.3Note that not all solvers may support all of these!ÉFurthermore, SBV doesn't support the following options allowed by SMTLib.:interactive-mode+ (Deprecated in SMTLib, use " instead.):print-successÈ (SBV critically needs this to be True in query mode.):produce-modelsÉ (SBV always sets this option so it can extract models.):regular-output-channelÔ (SBV always requires regular output to come on stdout for query purposes.):global-declarationsÖ (SBV always uses global declarations since definitions are accumulative.) Note that , and -ƒ are, strictly speaking, not SMTLib options. However, we treat it as such here uniformly, as it fits better with how options work..sbv(Collectable information from the solver.8sbvReason for reporting unknown.=sbv"Behavior of the solver for errors.@sbv(Collectable information from the solver.IsbvResult of a u or v call.Jsbv=Satisfiable: A model is available, which can be queried with w.KsbvÞDelta-satisfiable: A delta-sat model is available. String is the precision info, if available.LsbvÈUnsatisfiable: No model is available. Unsat cores might be obtained via x.Msbv Unknown: Use y5 to obtain an explanation why this might be the case.sbv7Can this command only be run at the very beginning? If žú then we will reject setting these options in the query mode. Note that this classification follows the SMTLib document.Ÿsbv±Can this option be set multiple times? I'm only making a guess here. If this returns True, then we'll only send the last instance we see. We might need to update as necessary. sbvÍTranslate an option setting to SMTLib. Note the SetLogic/SetInfo discrepancy.¡sbvShow instance for unknown¢sbvTrivial rnf instanceÑ !"#$%&'()*+,-./0123456789:;<=>?@GEABCDFHIJKLMŸ z(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÁÃXÐNsbv4Conversion from internal rationals to Haskell valuesOsbv'Root of a polynomial, cannot be reducedPsbvAn exact rationalQsbvAn approximated valueRsbv*Interval. Can be open/closed on both ends.SsbvŽA univariate polynomial, represented simply as a coefficient list. For instance, "5x^3 + 2x - 5" is represented as [(5, 3), (2, 1), (-5, 0)]UsbvÀAlgebraic reals. Note that the representation is left abstract. We represent rational results explicitly, while the roots-of-polynomials are represented implicitly by their defining equationVsbvÌbool says it's exact (i.e., SMT-solver did not return it with ? at the end.)Wsbvêwhich root of this polynomial and an approximate decimal representation with given precision, if availableXsbv"interval, with low and high boundsYsbv)Is the endpoint included in the interval?Zsbv%open: i.e., doesn't include the point[sbv closed: i.e., includes the point\sbv7Extract the point associated with the open-closed point£sbv3Check whether a given argument is an exact rational¤sbvãConstruct a poly-root real with a given approximate value (either as a decimal, or polynomial-root)¥sbvÁStructural equality for AlgReal; used when constants are Map keys¦sbvÄStructural comparisons for AlgReal; used when constants are Map keys§sbv Render an UÁ as an SMTLib2 value. Only supports rationals for the time being.¨sbv Render an U“ as a Haskell value. Only supports rationals, since there is no corresponding standard Haskell type that can represent root-of-polynomial variety.]sbvConvert an U to a © . If the U is exact, then you get a ª value. Otherwise, you get a «( value which is simply an approximation.¬sbvãMerge the representation of two algebraic reals, one assumed to be in polynomial form, the other in decimal. Arguments can be the same kind, so long as they are both rationals and equivalent; if not there must be one that is precise. It's an error to pass anything else to this function! (Used in reconstructing SMT counter-example values with reals).sbvÌNB: Following the other types we have, we require `a/0` to be `0` for all a.NOPQRSTUVWXYZ[\£¤¥¦§¨]¬{(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredYÍ^sbvùNames reserved by SMTLib. This list is current as of Dec 6 2015; but of course there's no guarantee it'll stay that way.^|(c) Brian SchroederBSD3erkokl@gmail.comexperimental Safe-Inferred\Ã_sbvMonads which support ® operations and can extract all ®2 behavior for interoperation with functions like }~, which takes an ®Ú action in negative position. This function can not be implemented for transformers like ReaderT r or StateT s, whose resultant ®6 actions are a function of some environment or state.`sbv Law: the m a yielded by ® is pure with respect to ®.¯sbvIO extraction for strict °.±sbvIO extraction for lazy ².³sbvIO extraction for ´.µsbvIO extraction for ¶.·sbvTrivial IO extraction for ®._`(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×Üa¡¸sbv¸We have a nasty issue with the usual String/List confusion in Haskell. However, we can do a simple dynamic trick to determine where we are. The ice is thin here, but it seems to work.¹sbvMonadic lift over 2-tuplesºsbvMonadic lift over 3-tuples»sbvMonadic lift over 4-tuples¼sbvMonadic lift over 5-tuples½sbvMonadic lift over 6-tuples¾sbvMonadic lift over 7-tuples¿sbvMonadic lift over 8-tuplesÀsbvŠGiven a sequence of arguments, join them together in a manner that could be used on the command line, giving preference to the Windows cmd shell quoting conventions.öFor an alternative version, intended for actual running the result in a shell, see "System.Process.showCommandForUser"ÁsbvÃGiven a string, split into the available arguments. The inverse of À#. Courtesy of the cmdargs package.ÂsbvæGiven an SMTLib string (i.e., one that works in the string theory), convert it to a Haskell equivalentÃsbv‡Given a Haskell string, convert it to SMTLib. if ord is 0x00020 to 0x0007E, then we print it as is to cover the printable ASCII range.¸¹º»¼½¾¿ÀÁÂÃ€(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred(16<ÁÃÌÙÚÜãïo—asbváRounding mode to be used for the IEEE floating-point operations. Note that Haskell's default is bö. If you use a different rounding mode, then the counter-examples you get may not match what you observe in Haskell.bsbvùRound to nearest representable floating point value. If precisely at half-way, pick the even number. (In this context, even% means the lowest-order bit is zero.)csbvÎRound to nearest representable floating point value. If precisely at half-way, pick the number further away from 0. (That is, for positive values, pick the greater; for negative values, pick the smaller.)dsbvÈRound towards positive infinity. (Also known as rounding-up or ceiling.)esbvÈRound towards negative infinity. (Also known as rounding-down or floor.)fsbv/Round towards zero. (Also known as truncation.)gsbvÃA valid float has restrictions on eb/sb values. NB. In the below encoding, I found that CPP is very finicky about substitution of the machine-dependent macros. If you try to put the conditionals in the same line, it fails to substitute for some reason. Hence the awkward spacing. Filed this as a bug report for CPPHS at 1https://github.com/malcolmwallace/cpphs/issues/25.ÄsbvCatch an invalid FP.hsbv9Type family to create the appropriate non-zero constraintÅsbvCatch 0-width casesisbvñA class for capturing values that have a sign and a size (finite or infinite) minimal complete definition: kindOf, unless you can take advantage of the default signature: This class can be automatically derived for data-types that have a Æ† instance; this is useful for creating uninterpreted sorts. So, in reality, end users should almost never need to define any methods.~sbvKind of symbolic valueÇsbv;A version of show for kinds that says Bool instead of SBoolÈsbvÉPut parens if necessary. This test is rather crummy, but seems to work okÉsbvHow the type maps to SMT landÊsbv+Does this kind represent a signed quantity?ËsbvÀConstruct an uninterpreted/enumerated kind from a piece of data; we distinguish simple enumerations as those are mapped to proper SMT-Lib2 data-types; while others go completely uninterpretedÌsbváGrab the bit-size from the proxy. If the nat is too large to fit in an int, we throw an error. (This would mean too big of a bit-size, that we can't really deal with in any practical realm.) In fact, even the range allowed by this conversion (i.e., the entire range of a 64-bit int) is just impractical, but it's hard to come up with a better bound.ÍsbvÁDo we have a completely uninterpreted sort lying around anywhere?ÎsbvÐShould we ask the solver to flatten the output? This comes in handy so output is parseable Essentially, we're being conservative here and simply requesting flattening anything that has some structure to it.sbv;Convert a rounding mode to the format SMT-Lib2 understands.Ïsbv«The interesting about the show instance is that it can tell apart two kinds nicely; since it conveniently ignores the enumeration constructors. Also, when we construct a ƒ<, we make sure we don't use any of the reserved names; see Ë for details.ÐsbvThis instance allows us to use the `kindOf (Proxy @a)` idiom instead of the `kindOf (undefined :: a)`, which is safer and looks more idiomatic.Ñsbva kind5abcdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽÇÉËÌÍÎ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂwisbv¯The SMT-Lib (in particular Z3) implementation for min/max for floats does not agree with Haskell's; and also it does not agree with what the hardware does. Sigh.. See: ,http://ghc.haskell.org/trac/ghc/ticket/10378 'http://github.com/Z3Prover/z3/issues/68‚ So, we codify here what the Z3 (SMTLib) is implementing for fpMax. The discrepancy with Haskell is that the NaN propagation doesn't work in Haskell The discrepancy with x86 is that given +0/-0, x86 returns the second argument; SMTLib is non-deterministic‘sbv SMTLib compliant definition for ‚. See the comments for ƒ.’sbv.Convert double to float and back. Essentially fromRational . toRational, except careful on NaN, Infinities, and -0.“sbvëCompute the "floating-point" remainder function, the float/double value that remains from the division of x and yË. There are strict rules around 0's, Infinities, and NaN's as coded below.”sbvÂConvert a float to the nearest integral representable in that type•sbvüCheck that two floats are the exact same values, i.e., +0/-0 does not compare equal, and NaN's compare equal to themselves.–sbv$Ordering for floats, avoiding the +0-0ÏNaN issues. Note that this is essentially used for indexing into a map, so we need to be total. Thus, the order we pick is: NaN -oo -0 +0 +oo The placement of NaN here is questionable, but immaterial.—sbvCheck if a number is "normal." Note that +0/-0 is not considered a normal-number and also this is not simply the negation of isDenormalized!˜sbvReinterpret-casts a Ò to a Ó.™sbvReinterpret-casts a Ó to a Ò.šsbvReinterpret-casts a Ô to a Õ.›sbvReinterpret-casts a Õ to a Ô.‘’“”•–—˜™š›„(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1ÁÃÌÚÜïƒ\ œsbv1Internal representation of a parameterized float.ÃA note on cardinality: If we have eb exponent bits, and sb significand bits, then the total number of floats is 2^sb*(2^eb-1) + 3: All exponents except 11..11 is allowed. So we get, 2^eb-1, different combinations, each with a sign, giving us 2^sb*(2^eb-1) totals. Then we have two infinities, and one NaN, adding 3 more.¡sbvÊAbbreviation for IEEE quadruble precision float, bit width 128 = 15 + 113.¢sbvÅAbbreviation for IEEE double precision float, bit width 64 = 11 + 53.£sbvÄAbbreviation for IEEE single precision float, bit width 32 = 8 + 24.¤sbvÃAbbreviation for brain-float precision float, bit width 16 = 8 + 8.¥sbvÂAbbreviation for IEEE half precision float, bit width 16 = 5 + 11.¦sbvÆA floating point value, indexed by its exponent and significand sizes.An IEEE SP is FloatingPoint 8 24 DP is FloatingPoint 11 53 etc.ÖsbvRemove redundant p+0 etc.×sbv–Show a big float in the base given. NB. Do not be tempted to use BF.showFreeMin below; it produces arguably correct but very confusing results. See 0https://github.com/GaloisInc/cryptol/issues/1089! for a discussion of the issues.ØsbvDefault options for BF options.§sbv,Construct a float, by appropriately rounding¨sbvConvert from an signexponentðmantissa representation to a float. The values are the integers representing the bit-patterns of these values, i.e., the raw representation. We assume that these integers fit into the ranges given, i.e., no overflow checking is done here.©sbvÎMake NaN. Exponent is all 1s. Significand is non-zero. The sign is irrelevant.ªsbv4Make Infinity. Exponent is all 1s. Significand is 0.«sbvMake a signed zero.¬sbvMake from an integer value.sbv/Make a generalized floating-point value from a ©.Ùsbv"Represent the FP in SMTLib2 formatÚsbv4Structural comparison only, for internal map indexesÛsbv!Compute the signum of a big float®sbvÍEncode from exponent/mantissa form to a float representation. Corresponds to Ü in Haskell.Ýsbv‚Lift a unary operation, simple case of function with no status. Here, we call fpFromBigFloat since the big-float isn't size aware.¯sbvConvert from a IEEE float.°sbvConvert from a IEEE double.ÞsbvÀReal-frac instance for big-floats. Beware, not that well tested!ßsbv;Real instance for big-floats. Beware, not that well tested!àsbvÝReal-float instance for big-floats. Beware! Some of these aren't really all that well tested.ásbv Floating instance for big-floatsâsbv"Fractional instance for big-floatsãsbvNum instance for big-floatsäsbvNum instance for FloatingPointåsbvÜShow instance for Floats. By default we print in base 10, with standard scientific notation.œžŸ ¡¢£¤¥¦æÖ×Ø§¨©ª«¬ÙÚ®¯°(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredƒíœžŸ §¨©ª«¬®¯°œžŸ ¨§©ª«¬¯°®…(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×Üï’.±sbvØA simple expression type over extended values, covering infinity, epsilon and intervals.¸sbvöA generalized CV allows for expressions involving infinite and epsilon values/intervals Used in optimization problems.»sbv»ø represents a concrete word of a fixed size: For signed words, the most significant digit is considered to be the sign.¿sbvA constant valueÀsbvAlgebraic realÁsbvBit-vector/unbounded integerÂsbvFloatÃsbvDoubleÄsbvArbitrary floatÅsbvRationalÆsbv CharacterÇsbvStringÈsbvListÉsbv$Set. Can be regular or complemented.ÊsbvØValue of an uninterpreted/user kind. The Maybe Int shows index position for enumerationsËsbvTupleÌsbvMaybeÍsbvDisjoint unionÎsbvA Îß is either a regular set or a set given by its complement from the corresponding universal set.çsbvStructural equality for Î. We need EqOrd instances for Î$ because we want to put them in maps²tables. But we don't want to derive these, nor make it an instance! Why? Because the same set can have multiple representations if the underlying type is finite. For instance, {True} = U - {False}¬ for boolean sets! Instead, we use the following two functions, which are equivalent to Eq/Ord instances and work for our purposes, but we do not export these to the user.èsbv Comparing Î values. See comments for ç on why we don't define the é instance.êsbvÌAssign a rank to constant values, this is structural and helps with orderingësbv*Show an extended CV, with kind if requiredÑsbvIs this a regular CV?ÒsbvAre two CV's of the same type?ÓsbvÄConvert a CV to a Haskell boolean (NB. Assumes input is well-kinded)ÔsbvµNormalize a CV. Essentially performs modular arithmetic to make sure the value can fit in the given bit-size. Note that this is rather tricky for negative values, due to asymmetry. (i.e., an 8-bit negative number represents values in the range -128 to 127; thus we have to be careful on the negative side.)ÕsbvConstant False as a »,. We represent it using the integer value 0.ÖsbvConstant True as a »,. We represent it using the integer value 1.ìsbv Lift a unary function through a ».×sbv!Lift a binary function through a ».ØsbvMap a unary function through a ».Ùsbv Map a binary function through a ».ísbv)Show a CV, with kind info if bool is TrueÚsbv(Create a constant word from an integral.îsbv"Generate a random constant value (¿) of the correct kind.ïsbv"Generate a random constant value (») of the correct kind.ðsbvÖShow instance. Regular sets are shown as usual. Complements are shown "U -" notation.ñsbv-Ord instance for VWVal. Same comments as the ò% instance why this cannot be derived.ósbvùEq instance for CVVal. Note that we cannot simply derive Eq/Ord, since CVAlgReal doesn't have proper instances for these when values are infinitely precise reals. However, we do need a structural eq/ord for Map indexes; so define custom ones here:ôsbvShow instance for ».õsbv~ instance for CVösbv"Show instance, shows with the kind÷sbvKind instance for Extended CVøsbvShow instance for Generalized »ùsbv~ instance for generalized CV2±·¶µ´²³¸¹º»¾¼½¿ÍÌËÊÉÈÅÄÁÀÂÃÇÆÎÏÐçèêëÑÒÓÔÕÖì×ØÙíÚîï†(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred“ÍÛsbv2Specify how to save timing information, if at all.ßsbvShow ú in human readable form. ú‚ is essentially picoseconds (10^-12 seconds). We show it so that it's represented at the day:hour:minute:second.XXX granularity.ÛÜÝÞß‡(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"'()*68;<ÁÃÄÅÇÑÔ×ÙÚÜõ”µàsbvQuery execution contextásbvTriggered from inside SBVâsbvTriggered from user codeãsbv An SMT solveråsbvThe solver in useæsbvThe path to its executableçsbvÐEach line sent to the solver will be passed through this function (typically id)èsbv Options to provide to the solverésbv=The solver engine, responsible for interpreting solver outputêsbv"Various capabilities of the solverësbvSolvers that SBV is aware ofûsbv An SMT engineõsbv%A script, to be passed to the solver.÷sbvInitial feedøsbv'Continuation script, to extract resultsùsbvÇThe result of an SMT solver call. Each constructor is tagged with the †ú that created it so that further tools can inspect it and build layers of results, if needed. For ordinary uses of the library, this type should not be needed, instead use the accessor functions on it. (Custom Show instances and model extractors.)úsbvÙUnsatisfiable. If unsat-cores are enabled, they will be returned in the second parameter.ûsbvSatisfiable with modelüsbv= NaN, and so-forth. So, we have to make sure we don't optimize floats and doubles, in case the argument turns out to be NaN.¬sbv)Predicate to check if a value is concretesbv²Predicate for optimizing word operations like (+) and (*). NB. We specifically do *not* match for Double/Float; because FP-arithmetic doesn't obey traditional rules. For instance, 0 * x = 0 fails if x happens to be NaN or +/- Infinity. So, we merely return False when given a floating-point value here.®sbvÏPredicate for optimizing word operations like (+) and (*). NB. See comment on 6 for why we don't match for Float/Double values here.¯sbv’Predicate for optimizing bitwise operations. The unbounded integer case of checking against -1 might look dubious, but that's how Haskell treats °% as a member of the Bits class, try (-1 :: Integer) ± i for any i and you'll get ž.²sbv%Predicate for optimizing comparisons.³sbv%Predicate for optimizing comparisons.´sbvêMost operations on concrete rationals require a compatibility check to avoid faulting on algebraic reals.µsbv;Quot/Rem operations require a nonzero check on the divisor.¶sbv'Same as rationalCheck, except for SBV'sòsbvÄGiven a composite structure, figure out how to compare for less than·sbvStructural less-than for tuples¸sbvStructural less-than for maybes¹sbvStructural less-than for eitherºsbvConvert an £ to an ¤Í, preserving the bit-correspondence. Note that since the representation for NaNÔs are not unique, this function will return a symbolic value when given a concrete NaN.ÉImplementation note: Since there's no corresponding function in SMTLib for conversion to bit-representation due to partiality, we use a translation trick by allocating a new word variable, converting it to float, and requiring it to be equivalent to the input. In code-generation mode, we simply map it to a simple conversion.»sbvConvert an ¥ to an ¦Í, preserving the bit-correspondence. Note that since the representation for NaNÔs are not unique, this function will return a symbolic value when given a concrete NaN.ÉImplementation note: Since there's no corresponding function in SMTLib for conversion to bit-representation due to partiality, we use a translation trick by allocating a new word variable, converting it to float, and requiring it to be equivalent to the input. In code-generation mode, we simply map it to a simple conversion.¼sbvÄConvert a float to the word containing the corresponding bit patternÒª½«¬®¯°±¢£²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊË¥ÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëì¨íîïðñªòº»¼§(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred12;<=ÁÂÃÄÅÌÚÜïJ†öósbv+Arrays implemented in terms of SMT-arrays: 2http://smtlib.cs.uiowa.edu/theories-ArraysEx.shtmlMaps directly to SMT-lib arraysÌReading from an uninitialized value is OK. If the default value is given in øÓ, it will be the result. Otherwise, the read yields an uninterpreted constant.&Can check for equality of these arrays:Cannot be used in code-generation (i.e., compilation to C)"Cannot quick-check theorems using SArray valuesösbvArrays of symbolic values An array a b! is an array indexed by the type Å a, with elements of type Å b.ÚIf a default value is supplied, then all the array elements will be initialized to this value. Otherwise, they will be left unspecified, i.e., a read from an unwritten location will produce an uninterpreted constant.ëThe reason for this class is rather historic. In the past, SBV provided two different kinds of arrays: an óœ abstraction that mapped directly to SMTLib arrays (which is still available today), and a functional notion of arrays that used internal caching, called SFunArrayÂ. The latter has been removed as the code turned out to be rather tricky and hard to maintain; so we only have one instance of this class. But end users can add their own instances, if needed.NB. ùæ insists on a concrete initializer, because not having one would break referential transparency. See -https://github.com/LeventErkok/sbv/issues/553 for details.÷sbvGeneralization of ¨øsbvGeneralization of ©ùsbvCreate a literal arrayúsbvRead the array element at aûsbvUpdate the element at a to be büsbv?Merge two given arrays on the symbolic condition Intuitively: ,mergeArrays cond a b = if cond then a else b=. Merging pushes the if-then-else choice down on to elementsýsbv+Internal function, not exported to the userþsbvA þà is a potential symbolic value that can be created instances of to be fed to a symbolic program.ÿsbvGeneralization of ª€sbv#Turn a literal constant to symbolicsbv+Extract a literal, from a CV representation‚sbv/Does it concretely satisfy the given predicate?ƒsbvGeneralization of «„sbvGeneralization of ¬…sbvGeneralization of †sbvGeneralization of ®‡sbvGeneralization of ¯ˆsbvGeneralization of °‰sbvGeneralization of ±ŠsbvGeneralization of ²‹sbvGeneralization of ³ŒsbvGeneralization of ´sbvGeneralization of µŽsbv+Extract a literal, if the value is concretesbvIs the symbolic word concrete?sbv%Is the symbolic word really symbolic?‘sbvÆA class representing what can be returned from a symbolic computation.’sbvGeneralization of ¶“sbvêActions we can do in a context: Either at problem description time or while we are dynamically querying. ¸ and Üí are two instances of this class. Note that we use this mechanism internally and do not export it from SBV.”sbvÆAdd a constraint, any satisfying instance must satisfy this condition.•sbvéAdd a soft constraint. The solver will try to satisfy this condition if possible, but won't if it cannot.–sbvÂAdd a named constraint. The name is used in unsat-core extraction.—sbv,Add a constraint, with arbitrary attributes.˜sbvSet info. Example: setInfo ":status" ["unsat"].™sbvSet an option.šsbvSet the logic.›sbv§Add a user specified axiom to the generated SMT-Lib file. The first argument is a mere string, use for commenting purposes. The second argument is intended to hold the multiple-lines of the axiom text as expressed in SMT-Lib notation. Note that we perform no checks on the axiom itself, to see whether it's actually well-formed or is sensible by any means. A separate formalization of SMT-Lib would be very useful here.œsbvŽAdd a user-defined SMTLib function. You should define the name given here as an uninterpreted value as well. SBV performs no checks on the SMTLib definition you give, so if it doesn't match the required type, or is malformed in any way, the call will fail at run-time.sbvèSet a solver time-out value, in milli-seconds. This function essentially translates to the SMTLib call (set-info :timeout val)ò, and your backend solver may or may not support it! The amount given is in milliseconds. Also see the function ·: for finer level control of time-outs, directly from SBV.žsbv*Get the state associated with this contextŸsbvThe symbolic variant of a sbv7Internal representation of a symbolic simulation result¡sbv'SMTLib representation, given the config£sbvSymbolic 8-tuple.¤sbvSymbolic 7-tuple.¥sbvSymbolic 6-tuple.¦sbvSymbolic 5-tuple.§sbvSymbolic 4-tuple.¨sbvSymbolic 3-tuple.©sbvSymbolic 2-tuple. NB. ª and © are equivalent.ªsbvSymbolic 2-tuple. NB. ª and © are equivalent.«sbv Symbolic ¸¹. Note that we use Î‹, which supports both regular sets and complements, i.e., those obtained from the universal set (of the right type) by removing elements.¬sbv Symbolic ¾sbv Symbolic ¿®sbv7A symbolic list of items. Note that a symbolic list is not= a list of symbolic items, that is, it is not the case that SList a = [a]Æ, unlike what one might expect following haskell lists/sequences. An ®ê is a symbolic value of its own, of possibly arbitrary but finite length, and internally processed as one unit as opposed to a fixed-length list of items. Note that lists can be nested, i.e., we do allow lists of lists of ... items.¯sbvA symbolic rational value.°sbv2A symbolic string. Note that a symbolic string is notÂ a list of symbolic characters, that is, it is not the case that SString = [SChar]>, unlike what one might expect following Haskell strings. An ° is a symbolic value of its own, of possibly arbitrary but finite length, and internally processed as one unit as opposed to a fixed-length list of characters.±sbvÎA symbolic character. Note that this is the full unicode character set. see: 8http://smtlib.cs.uiowa.edu/theories-UnicodeStrings.shtml for details.²sbvA symbolic quad-precision float³sbv!A symbolic double-precision float´sbv!A symbolic single-precision floatµsbv&A symbolic brain-float precision float¶sbvA symbolic half-precision float·sbv3A symbolic arbitrary precision floating point value¸sbv0IEEE-754 double-precision floating point numbers¹sbv0IEEE-754 single-precision floating point numbersºsbv0Infinite precision symbolic algebraic real value»sbv(Infinite precision signed symbolic value¼sbv;64-bit signed symbolic value, 2's complement representation½sbv;32-bit signed symbolic value, 2's complement representation¾sbv;16-bit signed symbolic value, 2's complement representation¿sbv:8-bit signed symbolic value, 2's complement representationÀsbv64-bit unsigned symbolic valueÁsbv32-bit unsigned symbolic valueÂsbv16-bit unsigned symbolic valueÃsbv8-bit unsigned symbolic valueÄsbvA symbolic boolean/bitÅsbvThe Symbolic value. The parameter aÖ is phantom, but is extremely important in keeping the user interface strongly typed.ÈsbvGet the current path conditionÉsbv4Extend the path condition with the given test value.ÊsbvNot-A-Number for Ô and ÒØ. Surprisingly, Haskell Prelude doesn't have this value defined, so we provide it here.Ësbv Infinity for Ô and ÒØ. Surprisingly, Haskell Prelude doesn't have this value defined, so we provide it here.Ìsbv;Symbolic variant of Not-A-Number. This value will inhabit ¹, ¸ and ·. types.ÍsbvSync-up the external solver with new context we have generatedÒsbvRetrieve the query contextÓsbvGeneralization of ÔÔsbvGeneralization of Õ½sbvGeneralization of Ö¾sbvGeneralization of ×¿sbvGeneralization of ØÀsbvGeneralization of ÙÕsbv#Creating arrays, internal use only.ÁsbvGeneralization of ÚÖsbvGeneralization of Û×sbvúSend a string to the solver, and return the response. Except, if the response is one of the "ignore" ones, keep querying.ØsbvGeneralization of ÜÙsbvGeneralization of ÝÂsbvGeneralization of wÃsbvÑRegistering an uninterpreted SMT function. This is typically not necessary as uses of the UI function itself will register it automatically. But there are cases where doing this explicitly can come in handy.ÚsbvPointwise function value extraction. If we get unlucky and can't parse z3's output (happens when we have all booleans and z3 decides to spit out an expression), just brute force our way out of it. Note that we only do this if we have a pure boolean type, as otherwise we'd blow up. And I think it'll only be necessary then, I haven't seen z3 try anything smarter in other scenarios.Ûsbv¯For saturation purposes, get a proper argument. The forall quantification is safe here since we only use in smtFunSaturate calls, which looks at the kind stored inside only.ÄsbvGeneralization of ÞÅsbvGeneralization of ßÜsbvòGet the value of a term, but in CV form. Used internally. The model-index, in particular is extremely Z3 specific!Ýsbv5"Make up" a CV for this type. Like zero, but smarter.Þsbv$Go from an SExpr directly to a valueßsbvÃRecover a given solver-printed value with a possible interpretationàsbvGeneralization of àásbvRetrieve value from the solverâsbvGeneralization of áãsbvGeneralization of âÆsbvGeneralization of uÇsbvGeneralization of ãäsbvÎWhat are the top level inputs? Trackers are returned as top level existentialsÈsbvËGet observables, i.e., those explicitly labeled by the user with a call to ä.åsbvòGet UIs, both constants and functions. This call returns both the before and after query ones. Generalization of å×. Note that if we have an defined axiom, then it is not really a UI, so we drop those.æsbvReturn all satisfying models.çsbvGeneralization of æÉsbvGeneralization of çèsbvBail out if a parse goes badésbvGeneralization of èêsbv(Convert a query result to an SMT ProblemësbvGeneralization of éìsbvGeneric Ý instance for things that are á and look like containers:ísbvGeneric Ý instance for þ valuesîsbvê as a “.ïsbvFunctions of arity 8ðsbvFunctions of arity 7ñsbvFunctions of arity 6òsbvFunctions of arity 5ósbvFunctions of arity 4ôsbvFunctions of arity 3õsbvFunctions of arity 2ösbvFunctions of arity 1+Ë÷øùúûüÍÎÏÐ¼ÒÓÔ½¾¿ÀÁÖØÙÂÃÄÅßàâãÆÇäÈåæçÉèéêëë(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred'(Ô×Üã½."ýsbv An Assignment of a model bindingÊsbvGeneralization of ìËsbvGeneralization of ìÌsbvGeneralization of yÍsbvGeneralization of íÎsbvGeneralization of îþsbvÃClassify a model based on whether it has unbound objectives or not.ÿsbvGeneralization of ï€sbvGeneralization of ðsbvGeneralization of ñÏsbvGeneralization of ò‚sbvÀGet a model stored at an index. This is likely very Z3 specific!ƒsbvëJust after a check-sat is issued, collect objective values. Used internally only, not exposed to the user.ÐsbvGeneralization of vÑsbvGeneralization of ó„sbvÇHelper for the two variants of checkSatAssuming we have. Internal only.ÒsbvGeneralization of ô…sbv;Upon a pop, we need to restore all arrays and tables. See: ,http://github.com/LeventErkok/sbv/issues/374ÓsbvGeneralization of õÔsbvGeneralization of öÕsbvGeneralization of ÷ÖsbvGeneralization of ø×sbvGeneralization of ùØsbvGeneralization of úÙsbvGeneralization of ûÚsbvGeneralization of x†sbvÀRetrieve the unsat core if it was asked for in the configurationÛsbvGeneralization of üÜsbvGeneralization of ý . Use this version with MathSAT.ÝsbvGeneralization of þ. Use this version with Z3.ÞsbvGeneralization of ÿßsbvGeneralization of €àsbvMake an assignment. The type ý1 is abstract, the result is typically passed to á:Û mkSMTResult [ a |-> 332 , b |-> 2.3 , c |-> True ] End users should use ÏÜ for automatically constructing models from the current solver state. However, an explicit ýÑ might be handy in complex scenarios where a model needs to be created manually.ásbvGeneralization of ’ NB. This function does not allow users to create interpretations for UI-Funs. But that's probably not a good idea anyhow. Also, if you use the ’ or “? features, SBV will fail on models returned via this function.û !"#$%&'()*+,-./0123456789:;<=>?@GEABCDFHIJKLMœ¼½¾¿ÀÖØÙÂÅÆÇÈæÉý‡ÊËÌÍÎÿ€ÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáà11(c) Brian Schroeder Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred¾xâsbvRun a custom query.Ö !"#$%&'()*+,-./01234567=>?@GEABCDFHIJKLM_`œÜãæç¼½¾¿ÀÁÂÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâÖ_`æçãÜâ½¾¿ÀIJKLMÆÍÇÐÑÂÄÅÏßÎÌÈÚÛÜÝÞ@GEABCDFH=>?./01234567ÊËÒÔÕÓÖ×àáÙœÉÁØ¼ !"#$%&'()*+,-‚(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred'/ÁÂÃÄÅÔÜØx<ãsbvÉSymbolically executable program fragments. This class is mainly used for æõ calls, and is sufficiently populated internally to cover most use cases. Users can extend it as they wish to allow æÆ checks for SBV programs that return/take types that are user-defined.äsbvGeneralization of ƒåsbvGeneralization of „æsbvGeneralization of ÆçsbvGeneralization of …èsbvè is specialization of é to the ®Ú monad. Unless you are using transformers explicitly, this is the type you should prefer.ésbvA type aá is provable if we can turn it into a predicate. Note that a predicate can be made from a curried function of arbitrary arity, where each element is either a symbolic type or up-to a 7-tuple of symbolic-types. So predicates can be constructed from almost arbitrary Haskell functions that have arbitrary shapes. (See the instance declarations below.)êsbvGeneralization of †ësbvGeneralization of ‡ìsbvGeneralization of ˆísbvGeneralization of ‰îsbvGeneralization of ÇïsbvGeneralization of ŠðsbvGeneralization of ‹ñsbvGeneralization of ŒòsbvGeneralization of ŽósbvGeneralization of ôsbvGeneralization of ŽõsbvGeneralization of ösbvGeneralization of ÷sbvGeneralization of ŽøsbvGeneralization of ÅùsbvGeneralization of úsbvGeneralization of ûsbvGeneralization of ‘üsbvGeneralization of ’ýsbvGeneralization of “þsbvGeneralization of ”ÿsbvGeneralization of •€sbv)Validate a model obtained from the solversbvžA goal is a symbolic program that returns no values. The idea is that the constraints/min-max goals will serve as appropriate directives for sat/prove calls.‚sbv¸A predicate is a symbolic program that returns a (symbolic) boolean value. For all intents and purposes, it can be treated as an n-ary function from symbolic-values to a boolean. The ¸À monad captures the underlying representation, and can/should be ignored by the users of the library, unless you are building further utilities on top of SBV itself. Instead, simply use the ‚ type when necessary.ˆsbvñIf supported, this makes all output go to stdout, which works better with SBV Alas, not all solvers support it..ƒsbvÂDefault configuration for the ABC synthesis and verification tool.„sbv2Default configuration for the Boolector SMT solver…sbv1Default configuration for the Bitwuzla SMT solver†sbv.Default configuration for the CVC4 SMT Solver.‡sbv.Default configuration for the CVC5 SMT Solver.ˆsbv/Default configuration for the Yices SMT Solver.‰sbv0Default configuration for the MathSAT SMT solverŠsbv/Default configuration for the Yices SMT Solver.‹sbv+Default configuration for the Z3 SMT solverŒsbvMinimal complete definition: None, if the type is instance of Generic . Otherwise ¨Ñ. Note that most types subject to merging are likely to be trivial instances of Generic.¨sbv§Merge two values based on the condition. The first argument states whether we force the then-and-else branches before the merging, at the word level. This is an efficiency concern; one that we'd rather not make but unfortunately necessary for getting symbolic simulation working efficiently.©sbvTotal indexing operation. select xs default index is intuitively the same as xs !! index, except it evaluates to default if index underflows/overflows.ªsbvThe ªÐ class captures the essence of division. Unfortunately we cannot use Haskell's ’ class since the “ and ”È superclasses are not implementable for symbolic bit-vectors. However, • and –" both make perfect sense, and the ª© class captures this operation. One issue is how division by 0 behaves. The verification technology requires total functions, and there are several design choices here. We follow Isabelle/HOL approach of assigning the value 0 for division by 0. Therefore, we impose the following pair of laws: x « 0 = (0, x) x ¬ 0 = (0, x) 5Note that our instances implement this law even when x is 0 itself.NB. — truncates toward zero, while ˜$ truncates toward negative infinity.(C code generation of division operationsÂIn the case of division or modulo of a minimal signed value (e.g. -128 for ¿) by -1Œ, SMTLIB and Haskell agree on what the result should be. Unfortunately the result in C code depends on CPU architecture and compiler settings, as this is undefined behaviour in C. **SBV does not guarantee** what will happen in generated C code in this corner case.±sbv;Finite bit-length symbolic values. Essentially the same as Á, but further leaves out °. Loosely based on Haskell's FiniteBits„ class, but with more methods defined and structured differently to fit into the symbolic world view. Minimal complete definition: ².²sbv Bit size.³sbv:Least significant bit of a word, always stored at index 0.´sbvÃMost significant bit of a word, always stored at the last position.µsbv,Big-endian blasting of a word into its bits.¶sbv/Little-endian blasting of a word into its bits.·sbv4Reconstruct from given bits, given in little-endian.¸sbv4Reconstruct from given bits, given in little-endian.¹sbvReplacement for ±, returning Ä instead of Á.ºsbvVariant of ¹2, where we want to extract multiple bit positions.»sbvVariant of ™, returning a symbolic value.¼sbvA combo of š and ›%, when the bit to be set is symbolic.½sbvÎFull adder, returns carry-out from the addition. Only for unsigned quantities.¾sbvÔFull multiplier, returns both high and low-order bits. Only for unsigned quantities.¿sbv9Count leading zeros in a word, big-endian interpretation.Àsbv:Count trailing zeros in a word, big-endian interpretation.ÁsbvÅSymbolic Numbers. This is a simple class that simply incorporates all number like base types together, simplifying writing polymorphic type-signatures that work for all symbolic numbers, such as Ã, ¿Í etc. For instance, we can write a generic list-minimum function as follows:Ó mm :: SIntegral a => [SBV a] -> SBV a mm = foldr1 (a b -> ite (a .<= b) a b) It is similar to the standard ’/ class, except ranging over symbolic instances.Âsbv!Symbolic Comparisons. Similar to ò , we cannot implement Haskell's é+ class since there is no way to return an œ1 value from a symbolic comparison. Furthermore, Â requires §Ò to implement if-then-else, for the benefit of implementing symbolic versions of and ž functions.ÃsbvSymbolic less than.ÄsbvSymbolic less than or equal to.ÅsbvSymbolic greater than.Æsbv"Symbolic greater than or equal to.ÇsbvSymbolic minimum.ÈsbvSymbolic maximum.Ésbv Is the value within the allowed inclusive range?Êsbv4Symbolic Equality. Note that we can't use Haskell's òó class since Haskell insists on returning Bool Comparing symbolic values will necessarily return a symbolic value.ËsbvSymbolic equality.ÌsbvSymbolic inequality.ÍsbvStrong equality. On floats (¹/¸0), strong equality is object equality; that is NaN == NaN holds, but +0 == -0Ê doesn't. On other types, (.===) is simply (.==). Note that (.==) is the rightÇ notion of equality for floats per IEEE754 specs, since by definition +0 == -0 and NaNÜ equals no other value including itself. But occasionally we want to be stronger and state NaN equals NaN and +0 and -0Ö are different from each other. In a context where your type is concrete, simply use šÁ. But in a polymorphic context, use the strong equality instead.ÍNB. If you do not care about or work with floats, simply use (.==) and (./=).ÎsbvÌNegation of strong equality. Equaivalent to negation of (.===) on all types.ÏsbvReturns (symbolic) Î5 if all the elements of the given list are different.ÐsbvReturns (symbolic) Î¾ if all the elements of the given list are different. The second list contains exceptions, i.e., if an element belongs to that set, it will be considered distinct regardless of repetition.ÑsbvReturns (symbolic) Î4 if all the elements of the given list are the same.ÒsbvSymbolic membership test.Ósbv!Symbolic negated membership test.ÔsbväIdentify tuple like things. Note that there are no methods, just instances to control type inferenceŸsbv+Generate a finite symbolic bitvector, named sbv-Generate a finite symbolic bitvector, unnamedÕsbv$Generate a finite constant bitvectorÖsbv'Convert a constant to an integral value×sbvGeneralization of ›ØsbvGeneralization of œ¡sbvGeneralization of ÙsbvGeneralization of žÚsbvGeneralization of Ÿ¢sbvGeneralization of ÛsbvGeneralization of ¡ÜsbvGeneralization of ¢£sbvGeneralization of £ÝsbvGeneralization of ¤ÞsbvGeneralization of ¥¤sbvGeneralization of ¦ßsbvGeneralization of §àsbvGeneralization of ¨¥sbvGeneralization of ©ásbvGeneralization of ªâsbvGeneralization of «¦sbvGeneralization of ¬ãsbvGeneralization of äsbvGeneralization of ®§sbvGeneralization of ¯åsbvGeneralization of °æsbvGeneralization of ±¨sbvGeneralization of ²çsbvGeneralization of ³èsbvGeneralization of ´©sbvGeneralization of µésbvGeneralization of ¶êsbvGeneralization of ·ªsbvGeneralization of ¸ësbvGeneralization of ¹ìsbvGeneralization of º«sbvGeneralization of »ísbvGeneralization of ¼îsbvGeneralization of ½¬sbvGeneralization of ¾ïsbvGeneralization of ¿ðsbvGeneralization of ÀsbvGeneralization of ÁñsbvGeneralization of Â®sbvGeneralization of Ã¯sbvGeneralization of Ä°sbvGeneralization of Å±sbvGeneralization of Æ²sbvGeneralization of Ç³sbvGeneralization of È´sbvGeneralization of ÉµsbvGeneralization of Ê¶sbvGeneralization of Ë·sbvGeneralization of Ì¸sbvGeneralization of Í¹sbvGeneralization of ÎºsbvGeneralization of Ï»sbvGeneralization of Ð¼sbvGeneralization of Ñ½sbvGeneralization of Ò¾sbvGeneralization of Ó¿sbvGeneralization of ÔòsbvGeneralization of ÕÀsbvGeneralization of ÖósbvGeneralization of ×ôsbvGeneralization of ØÁsbvGeneralization of ÙõsbvGeneralization of ÚösbvGeneralization of ÛÂsbvGeneralization of Ü÷sbvGeneralization of ÝÃsbvGeneralization of ÞÄsbvGeneralization of ßÅsbvGeneralization of àÆsbvGeneralization of áÇsbvGeneralization of âÈsbvGeneralization of ãÉsbvGeneralization of äÊsbvGeneralization of åËsbvGeneralization of æÌsbvGeneralization of çÍsbvGeneralization of èÎsbvGeneralization of éÏsbvGeneralization of êÐsbvGeneralization of èÑsbvGeneralization of éøsbvGeneralization of ëùsbvËConvert an SReal to an SInteger. That is, it computes the largest integer n that satisfies sIntegerToSReal n <= r essentially giving us the floor.For instance, 1.3 will be 1, but -1.3 will be -2.úsbv–label: Label the result of an expression. This is essentially a no-op, but useful as it generates a comment in the generated C/SMT-Lib code. Note that if the argument is a constant, then the label is dropped completely, per the usual constant folding strategy. Compare this to ü. which is good for printing counter-examples.Òsbv$Check if an observable name is good.ûsbv©Observe the value of an expression, if the given condition holds. Such values are useful in model construction, as they are printed part of a satisfying model, or a counter-example. The same works for quick-check as well. Useful when we want to see intermediate values, or expected/obtained pairs in a particular run. Note that an observed expression is always symbolic, i.e., it won't be constant folded. Compare this to úÃ which is used for putting a label in the generated SMTLib-C code.üsbv9Observe the value of an expression, unconditionally. See û for a generalized version.ýsbvæA variant of observe that you can use at the top-level. This is useful with quick-check, for instance.þsbvReturns 1 if the boolean is Î, otherwise 0.Ósbv+Lift a pseudo-boolean op, performing checksÿsbvÎ if at most k of the input arguments are Î€sbvÎ if at least k of the input arguments are ÎsbvÎ if exactly k of the input arguments are Î‚sbvÎ if the sum of coefficients for Î elements is at most k. Generalizes ÿ.ƒsbvÎ if the sum of coefficients for Î elements is at least k. Generalizes €.„sbvÎ if the sum of coefficients for Î elements is exactly least k. Useful for coding exactly K-of-N2 constraints, and in particular mutex constraints.…sbvÎ if there is at most one set bit†sbvÎ if there is exactly one set bitÔsbvÅConvert a concrete pseudo-boolean to given int; converting to integerÕsbv:Predicate for optimizing word operations like (+) and (*).Ösbv:Predicate for optimizing word operations like (+) and (*).‡sbvÁSymbolic exponentiation using bit blasting and repeated squaring.ÚN.B. The exponent must be unsigned/bounded if symbolic. Signed exponents will be rejected.×sbv&Lift a 1 arg FP-op, using sRNE defaultØsbv7Lift a float/double unary function, only over constantsÙsbv8Lift a float/double binary function, only over constantsÚsbvLift an sreal unary functionÛsbvLift an sreal binary functionˆsbv?Conversion between integral-symbolic values, akin to Haskell's ÜÝsbvÑLift a binary operation thru it's dynamic counterpart. Note that we still want the actual functions here as differ in their type compared to their dynamic counterparts, but the implementations are the same.‰sbvGeneralization of Þ6, when the shift-amount is symbolic. Since Haskell's Þ only takes an ‘Ö as the shift amount, it cannot be used when we have a symbolic amount to shift with.ŠsbvGeneralization of ß6, when the shift-amount is symbolic. Since Haskell's ß only takes an ‘Ö as the shift amount, it cannot be used when we have a symbolic amount to shift with.…NB. If the shiftee is signed, then this is an arithmetic shift; otherwise it's logical, following the usual Haskell convention. See ‹á for a variant that explicitly uses the msb as the sign bit, even for unsigned underlying types.‹sbvÕArithmetic shift-right with a symbolic unsigned shift amount. This is equivalent to ŠÈ when the argument is signed. However, if the argument is unsigned, then it explicitly treats its msb as a sign-bit, and uses it as the bit that gets shifted in. Useful when using the underlying unsigned bit representation to implement custom signed operations. Note that there is no direct Haskell analogue of this function.ŒsbvGeneralization of à6, when the shift-amount is symbolic. Since Haskell's à only takes an ‘‡ as the shift amount, it cannot be used when we have a symbolic amount to shift with. The first argument should be a bounded quantity.sbv½An implementation of rotate-left, using a barrel shifter like design. Only works when both arguments are finite bitvectors, and furthermore when the second argument is unsigned. The first condition is enforced by the type, but the second is dynamically checked. We provide this implementation as an alternative to Œ« since SMTLib logic does not support variable argument rotates (as opposed to shifts), and thus this implementation can produce better code for verification compared to Œ.ŽsbvGeneralization of á6, when the shift-amount is symbolic. Since Haskell's á only takes an ‘‡ as the shift amount, it cannot be used when we have a symbolic amount to shift with. The first argument should be a bounded quantity.sbvÙAn implementation of rotate-right, using a barrel shifter like design. See comments for for details.âsbv*Helper function for use in enum operationssbvLift •2 to symbolic words. Division by 0 is defined s.t. x/0 = 0; which holds even when x is 0 itself.‘sbvLift –2 to symbolic words. Division by 0 is defined s.t. x/0 = 0; which holds even when x is 0õ itself. Essentially, this is conversion from quotRem (truncate to 0) to divMod (truncate towards negative infinity)’sbv$If-then-else. This is by definition ¨Ó with both branches forced. This is typically the desired behavior, but also see “ should you need more laziness.“sbv˜A Lazy version of ite, which does not force its arguments. This might cause issues for symbolic simulation with large thunks around, so use with care.”sbvÂSymbolic assert. Check that the given boolean condition is always Îö in the given path. The optional first argument can be used to provide call-stack info via GHC's location facilities.ãsbv#Merge two symbolic values, at kind k, possibly forceå'ing the branches to make sure they do not evaluate to the same result. This should only be used for internal purposes; as default definitions provided should suffice in many cases. (i.e., End users should only need to define ¨2 when needed; which should be rare to start with.)äsbv?Construct a useful error message if we hit an unmergeable case.åsbv6Merge concrete values that can be checked for equalitysbvËNot exported. Symbolic merge using the generic representation provided by ìí.æsbv(Add an axiom. Only used internally, use ›Ì from user programs which works over both regular and query modes of usage.•sbvGeneralization of îsbvGeneralization of ïŽsbvGeneralization of ð–sbv1Quick check an SBV property. Note that a regular quickCheckÚ call will work just as well. Use this variant if you want to receive the boolean result.çsbv§Explicit sharing combinator. The SBV library has internal caching/hash-consing mechanisms built in, based on Andy Gill's type-safe observable sharing technique (see: =http://ku-fpg.github.io/files/Gill-09-TypeSafeReification.pdfõ). However, there might be times where being explicit on the sharing can help, especially in experimental code. The çÍ combinator ensures that its first argument is computed once and passed on to its continuation, explicitly indicating the intent of sharing. Most use cases of the SBV library should simply use Haskell's let construct for this purpose.èsbvÆSymbolic computations provide a context for writing symbolic programs.ésbvUsing ™ or ±6 on non-concrete values will result in an error. Use » or ¹ instead.êsbvòSReal Floating instance, used in conjunction with the dReal solver for delta-satisfiability. Note that we do not constant fold these values (except for pi), as Haskell doesn't really have any means of computing them for arbitrary rationals.ësbv We give a specific instance for ·ˆ, because the underlying floating-point type doesn't support fromRational directly. The overlap with the above instance is unfortunate.ìsbvØDefine Floating instance on SBV's; only for base types that are already floating; i.e., ¹, ¸, and º*. (See the separate definition below for ·+.) Note that unless you use delta-sat via ñò on º¶, most of the fields are "undefined" for symbolic values. We will add methods as they are supported by SMTLib. Currently, the only symbolically available function in this class is í for ¹, ¸ and ·.îsbvSymVal for 8-tuplesïsbvSymVal for 7-tuplesðsbvSymVal for 6-tuplesñsbvSymVal for 5-tuplesòsbvSymVal for 4-tuplesósbvSymVal for 3-tuplesôsbvSymVal for 2-tuplesõsbvSymVal for 0-tuple (i.e., unit)ösbvÖRegular expressions can be compared for equality. Note that we diverge here from the equality in the concrete sense; i.e., the Eq instance does not match the symbolic case. This is a bit unfortunate, but unavoidable with the current design of how we "distinguish" operators. Hopefully shouldn't be a big deal, though one should be careful.÷sbvØIf comparison is over something SMTLib can handle, just translate it. Otherwise desugar.¸‡†ƒ„š›œžŸ ¡¢¦£¤¥§©¨ª«¬®¯°±´²³µ¶·¸¹º»¼½¾¿ÀÁÂÉÃÄÅÆÇÈÊËÌÏÍÎÐÑÒÓÔŸ ÕÖ×Ø¡ÙÚ¢ÛÜ£ÝÞ¤ßà¥áâ¦ãä§åæ¨çè©éêªëì«íî¬ïðñ®¯°±²³´µ¶·¸¹º»¼½¾¿òÀóôÁõöÂ÷ÃÄÅÆÇÈÉÊËÌÍÎÏÐÑøùúûüýþÿ€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’“”ã•Ž–ç ›4Ã4Ä4Å4Æ4Ë4Ì4Í4Î4 -(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1ÁÂÃÄÅÇÌ×Üï<øsbv tuple @(Integer, Bool, (String, Char)) (untuple p) .== pQ.E.D.˜sbvÄConstructing a tuple from its parts. Forms an isomorphism pair with —:Æprove $ \p -> untuple @(Integer, Bool, (String, Char)) (tuple p) .== pQ.E.D.ùsbv The class ù4 captures the notion that a type has a certain fieldúsbvField labels™sbvôField access, inspired by the lens library. This is merely reverse application, but allows us to write things like (1, 2)^._1ó which is likely to be familiar to most Haskell programmers out there. Note that this is precisely equivalent to _1 (1, 2)', but perhaps it reads a little nicer.ûsbvöDynamic interface to exporting tuples, this function is not exported on purpose; use it only via the field functions š, ›, etc.šsbvAccess the 1st element of an STupleN, 2 <= N <= 8. Also see ™.›sbvAccess the 2nd element of an STupleN, 2 <= N <= 8. Also see ™.œsbvAccess the 3rd element of an STupleN, 3 <= N <= 8. Also see ™.sbvAccess the 4th element of an STupleN, 4 <= N <= 8. Also see ™.žsbvAccess the 5th element of an STupleN, 5 <= N <= 8. Also see ™.ŸsbvAccess the 6th element of an STupleN, 6 <= N <= 8. Also see ™. sbvAccess the 7th element of an STupleN, 7 <= N <= 8. Also see ™.¡sbvAccess the 8th element of an STupleN, 8 <= N <= 8. Also see ™.˜—™š›œžŸ ¡™š›œžŸ ¡˜—™8(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÁÂÃÜï@ÓsbvÝA symbolic tree containing values of type e, indexed by elements of type i. Note that these are full-trees, and their their shapes remain constant. There is no API provided that can change the shape of the tree. These structures are useful when dealing with data-structures that are indexed with symbolic values where access time is important. Ó7 structures provide logarithmic time reads and writes.ÔsbvàReading a value. We bit-blast the index and descend down the full tree according to bit-values.Õsbv€Writing a value, similar to how reads are done. The important thing is that the tree representation keeps updates to a minimum.ÖsbvÁConstruct the fully balanced initial tree using the given values.ÓÔÕÖÓÔÕÖ-(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"×ÜïZ>#ÙsbvLength of a string.sat $ \s -> length s .== 2Satisfiable. Model: s0 = "BA" :: Stringsat $ \s -> length s .< 0 Unsatisfiable=prove $ \s1 s2 -> length s1 + length s2 .== length (s1 ++ s2)Q.E.D.ÚsbvÚ s is True iff the string is empty(prove $ \s -> null s .<=> length s .== 0Q.E.D."prove $ \s -> null s .<=> s .== ""Q.E.D.ÛsbvÛÂ returns the head of a string. Unspecified if the string is empty.&prove $ \c -> head (singleton c) .== cQ.E.D.ÜsbvÜÂ returns the tail of a string. Unspecified if the string is empty.-prove $ \h s -> tail (singleton h ++ s) .== sQ.E.D.Àprove $ \s -> length s .> 0 .=> length (tail s) .== length s - 1Q.E.D.Âprove $ \s -> sNot (null s) .=> singleton (head s) ++ tail s .== sQ.E.D.Ýsbv@ÝÖ returns the pair of the first character and tail. Unspecified if the string is empty.ÞsbvÞÒ returns all but the last element of the list. Unspecified if the string is empty.-prove $ \c t -> init (t ++ singleton c) .== tQ.E.D.ßsbvß cÜ is the string of length 1 that contains the only character whose value is the 8-bit value c.7prove $ \c -> c .== literal 'A' .=> singleton c .== "A"Q.E.D.(prove $ \c -> length (singleton c) .== 1Q.E.D.àsbvà s offset. Substring of length 1 at offset in s*. Unspecified if offset is out of bounds.Çprove $ \s1 s2 -> strToStrAt (s1 ++ s2) (length s1) .== strToStrAt s2 0Q.E.D.Ísat $ \s -> length s .>= 2 .&& strToStrAt s 0 ./= strToStrAt s (length s - 1)Satisfiable. Model: s0 = "AB" :: Stringásbvá s i' is the 8-bit value stored at location i). Unspecified if index is out of bounds.Íprove $ \i -> i .>= 0 .&& i .<= 4 .=> "AAAAA" `strToCharAt` i .== literal 'A'Q.E.D.>>> prove $ s i c -> i É (0, length s - 1) .&& s á2 i .== c .=> indexOf s (singleton c) .<= i Q.E.D.âsbvShort cut for áãsbvã cs is the string of length |cs|Ö containing precisely those characters. Note that there is no corresponding function explode:, since we wouldn't know the length of a symbolic string.8prove $ \c1 c2 c3 -> length (implode [c1, c2, c3]) .== 3Q.E.D.åprove $ \c1 c2 c3 -> map (strToCharAt (implode [c1, c2, c3])) (map literal [0 .. 2]) .== [c1, c2, c3]Q.E.D.äsbv$Prepend an element, the traditional cons.åsbvAppend an elementæsbvÒEmpty string. This value has the property that it's the only string with length 0:+prove $ \l -> length l .== 0 .<=> l .== nilQ.E.D.çsbv"Concatenate two strings. See also è.èsbvShort cut for ç.Ôsat $ \x y z -> length x .== 5 .&& length y .== 1 .&& x ++ y ++ z .== "Hello world!"Satisfiable. Model: s0 = "Hello" :: String s1 = " " :: String s2 = "world!" :: Stringésbvé sub s. Does s contain the substring sub?4prove $ \s1 s2 s3 -> s2 `isInfixOf` (s1 ++ s2 ++ s3)Q.E.D.Èprove $ \s1 s2 -> s1 `isInfixOf` s2 .&& s2 `isInfixOf` s1 .<=> s1 .== s2Q.E.D.êsbvê pre s. Is pre a prefix of s?,prove $ \s1 s2 -> s1 `isPrefixOf` (s1 ++ s2)Q.E.D.Çprove $ \s1 s2 -> s1 `isPrefixOf` s2 .=> subStr s2 0 (length s1) .== s1Q.E.D.ësbvë suf s. Is suf a suffix of s?,prove $ \s1 s2 -> s2 `isSuffixOf` (s1 ++ s2)Q.E.D.Ýprove $ \s1 s2 -> s1 `isSuffixOf` s2 .=> subStr s2 (length s2 - length s1) (length s1) .== s1Q.E.D.ìsbvì len s. Corresponds to Haskell's ì on symbolic-strings.3prove $ \s i -> i .>= 0 .=> length (take i s) .<= iQ.E.D.ísbví len s. Corresponds to Haskell's í on symbolic-strings..prove $ \s i -> length (drop i s) .<= length sQ.E.D.*prove $ \s i -> take i s ++ drop i s .== sQ.E.D.îsbvî s offset len is the substring of s at offset offset with length lenÙ. This function is under-specified when the offset is outside the range of positions in s or len is negative or offset+len exceeds the length of s.Ýprove $ \s i -> i .>= 0 .&& i .< length s .=> subStr s 0 i ++ subStr s i (length s - i) .== sQ.E.D.+sat $ \i j -> subStr "hello" i j .== "ell"Satisfiable. Model: s0 = 1 :: Integer s1 = 3 :: Integer)sat $ \i j -> subStr "hell" i j .== "no" Unsatisfiableïsbvï s src dst". Replace the first occurrence of src by dst in sÅprove $ \s -> replace "hello" s "world" .== "world" .=> s .== "hello"Q.E.D.Çprove $ \s1 s2 s3 -> length s2 .> length s1 .=> replace s1 s2 s3 .== s1Q.E.D.ðsbvð s sub. Retrieves first position of sub in s, -1- if there are no occurrences. Equivalent to ñ s sub 0.!>>> prove $ s i -> i .> 0 .&& i .lengths .=' indexOf s (subStr s i 1) .<= i Q.E.D.Áprove $ \s1 s2 -> length s2 .> length s1 .=> indexOf s1 s2 .== -1Q.E.D.ñsbvñ s sub offset. Retrieves first position of sub at or after offset in s, -1 if there are no occurrences.9prove $ \s sub -> offsetIndexOf s sub 0 .== indexOf s subQ.E.D.×prove $ \s sub i -> i .>= length s .&& length sub .> 0 .=> offsetIndexOf s sub i .== -1Q.E.D.Âprove $ \s sub i -> i .> length s .=> offsetIndexOf s sub i .== -1Q.E.D.òsbvò s‹ reverses the string. >>> sat $ s -> reverse s .== "abc" Satisfiable. Model: s0 = "cba" :: String >>> prove $ s -> reverse s .== "" .= null s Q.E.D.ósbvó s%. Retrieve integer encoded by string sÑ (ground rewriting only). Note that by definition this function only works when sÜ only contains digits, that is, if it encodes a natural number. Otherwise, it returns '-1'.Íprove $ \s -> let n = strToNat s in length s .== 1 .=> (-1) .<= n .&& n .<= 9Q.E.D.ôsbvô i%. Retrieve string encoded by integer i¬ (ground rewriting only). Again, only naturals are supported, any input that is not a natural number produces empty string, even though we take an integer as an argument.5prove $ \i -> length (natToStr i) .== 3 .=> i .<= 999Q.E.D.üsbv#Lift a unary operator over strings.ýsbv$Lift a binary operator over strings.þsbv%Lift a ternary operator over strings.ÿsbv!Concrete evaluation for unary ops€sbv"Concrete evaluation for binary opssbv#Concrete evaluation for ternary ops‚sbv%Is the string concretely known empty?ÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôÙÚÛÜÝÞßàáâãçäåæèéëêìíîïðñòóôä5è5 (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×Üïy_õsbv Empty set.empty :: SSet Integer{} :: {SInteger}ösbv Full set.full :: SSet IntegerU :: {SInteger}ÅNote that the universal set over a type is represented by the letter U.÷sbvSynonym for ö.øsbvSingleton list.singleton 2 :: SSet Integer{2} :: {SInteger}ùsbvConversion from a list.fromList ([] :: [Integer]){} :: {SInteger}fromList [1,2,3]{1,2,3} :: {SInteger}fromList [5,5,5,12,12,3]{3,5,12} :: {SInteger}úsbvComplement.+empty .== complement (full :: SSet Integer)True2Complementing twice gets us back the original set:?prove $ \(s :: SSet Integer) -> complement (complement s) .== sQ.E.D.ûsbvInsert an element into a set.Insertion is order independent:Ûprove $ \x y (s :: SSet Integer) -> x `insert` (y `insert` s) .== y `insert` (x `insert` s)Q.E.D.5Deletion after insertion is not necessarily identity:Áprove $ \x (s :: SSet Integer) -> x `delete` (x `insert` s) .== sFalsifiable. Counter-example: s0 = 2 :: Integer s1 = {2} :: {Integer}ÄBut the above is true if the element isn't in the set to start with:Õprove $ \x (s :: SSet Integer) -> x `notMember` s .=> x `delete` (x `insert` s) .== sQ.E.D.'Insertion into a full set does nothing:6prove $ \x -> insert x full .== (full :: SSet Integer)Q.E.D.üsbvDelete an element from a set.Deletion is order independent:Ûprove $ \x y (s :: SSet Integer) -> x `delete` (y `delete` s) .== y `delete` (x `delete` s)Q.E.D.5Insertion after deletion is not necessarily identity:Áprove $ \x (s :: SSet Integer) -> x `insert` (x `delete` s) .== sFalsifiable. Counter-example: s0 = 2 :: Integer s1 = {} :: {Integer}ÁBut the above is true if the element is in the set to start with:Òprove $ \x (s :: SSet Integer) -> x `member` s .=> x `insert` (x `delete` s) .== sQ.E.D.(Deletion from an empty set does nothing:8prove $ \x -> delete x empty .== (empty :: SSet Integer)Q.E.D.ýsbvTest for membership.2prove $ \x -> x `member` singleton (x :: SInteger)Q.E.D.;prove $ \x (s :: SSet Integer) -> x `member` (x `insert` s)Q.E.D./prove $ \x -> x `member` (full :: SSet Integer)Q.E.D.þsbvTest for non-membership.Åprove $ \x -> x `notMember` observe "set" (singleton (x :: SInteger))Falsifiable. Counter-example: set = {0} :: {Integer} s0 = 0 :: Integer>prove $ \x (s :: SSet Integer) -> x `notMember` (x `delete` s)Q.E.D.3prove $ \x -> x `notMember` (empty :: SSet Integer)Q.E.D.ÿsbvIs this the empty set?null (empty :: SSet Integer)True9prove $ \x -> null (x `delete` singleton (x :: SInteger))Q.E.D.#prove $ null (full :: SSet Integer)FalsifiableNote how we have to call Çñ in the last case since dealing with infinite sets requires a call to the solver and cannot be constant folded.€ sbvSynonym for ÿ. sbvIs this the full set?&prove $ isFull (empty :: SSet Integer)FalsifiableÈprove $ \x -> isFull (observe "set" (x `delete` (full :: SSet Integer)))Falsifiable. Counter-example: set = U - {2} :: {Integer} s0 = 2 :: IntegerisFull (full :: SSet Integer)TrueNote how we have to call Çò in the first case since dealing with infinite sets requires a call to the solver and cannot be constant folded.‚ sbvSynonym for .ƒ sbvšDoes the set have the given size? It implicitly asserts that the set it is operating on is finite. NB. Only z3 supported this call, and as discussed in )http://github.com/Z3Prover/z3/issues/3854„, recent versions of z3 doesn't support size calls either. So, you can only use this if you have a sufficiently old version of z3.=prove $ \i -> hasSize (empty :: SSet Integer) i .== (i .== 0)Q.E.D.,sat $ \i -> hasSize (full :: SSet Integer) i UnsatisfiableÇThe following tests are commented out since z3 no longer supports size:‘>>> prove $ \a b i j k -> hasSize (a :: SSet Integer) i .&& hasSize (b :: SSet Integer) j .&& hasSize (a `union` b) k .=> k .>= i `smax` j Q.E.D.˜>>> prove $ \a b i j k -> hasSize (a :: SSet Integer) i .&& hasSize (b :: SSet Integer) j .&& hasSize (a `intersection` b) k .=> k .<= i `smin` j Q.E.D.Ä>>> prove $ \a k -> hasSize (a :: SSet Integer) k .=> k .>= 0 Q.E.D.„ sbvSubset test.1prove $ empty `isSubsetOf` (full :: SSet Integer)Q.E.D.?prove $ \x (s :: SSet Integer) -> s `isSubsetOf` (x `insert` s)Q.E.D.?prove $ \x (s :: SSet Integer) -> (x `delete` s) `isSubsetOf` sQ.E.D.… sbvProper subset test.7prove $ empty `isProperSubsetOf` (full :: SSet Integer)Q.E.D.Åprove $ \x (s :: SSet Integer) -> s `isProperSubsetOf` (x `insert` s)Falsifiable. Counter-example: s0 = 2 :: Integer s1 = U :: {Integer}Ùprove $ \x (s :: SSet Integer) -> x `notMember` s .=> s `isProperSubsetOf` (x `insert` s)Q.E.D.Åprove $ \x (s :: SSet Integer) -> (x `delete` s) `isProperSubsetOf` sFalsifiable. Counter-example: s0 = 2 :: Integer s1 = U - {2,3} :: {Integer}Öprove $ \x (s :: SSet Integer) -> x `member` s .=> (x `delete` s) `isProperSubsetOf` sQ.E.D.† sbvDisjoint test..disjoint (fromList [2,4,6]) (fromList [1,3])True2disjoint (fromList [2,4,6,8]) (fromList [2,3,5,7])False2disjoint (fromList [1,2]) (fromList [1,2,3,4])False9prove $ \(s :: SSet Integer) -> s `disjoint` complement sQ.E.D./allSat $ \(s :: SSet Integer) -> s `disjoint` sSolution #1: s0 = {} :: {Integer}This is the only solution.ÓThe last example is particularly interesting: The empty set is the only set where † is not reflexive!ÞNote that disjointness of a set from its complement is guaranteed by the fact that all types are inhabited; an implicit assumption we have in classic logic which is also enjoyed by Haskell due to the presence of bottom!‡ sbvUnion.Òunion (fromList [1..10]) (fromList [5..15]) .== (fromList [1..15] :: SSet Integer)True=prove $ \(a :: SSet Integer) b -> a `union` b .== b `union` aQ.E.D.×prove $ \(a :: SSet Integer) b c -> a `union` (b `union` c) .== (a `union` b) `union` cQ.E.D.7prove $ \(a :: SSet Integer) -> a `union` full .== fullQ.E.D.5prove $ \(a :: SSet Integer) -> a `union` empty .== aQ.E.D.?prove $ \(a :: SSet Integer) -> a `union` complement a .== fullQ.E.D.ˆ sbvUnions. Equivalent to ƒ ‡ õ.-prove $ unions [] .== (empty :: SSet Integer)Q.E.D.‰ sbv Intersection.Ùintersection (fromList [1..10]) (fromList [5..15]) .== (fromList [5..10] :: SSet Integer)TrueËprove $ \(a :: SSet Integer) b -> a `intersection` b .== b `intersection` aQ.E.D.óprove $ \(a :: SSet Integer) b c -> a `intersection` (b `intersection` c) .== (a `intersection` b) `intersection` cQ.E.D.;prove $ \(a :: SSet Integer) -> a `intersection` full .== aQ.E.D.Àprove $ \(a :: SSet Integer) -> a `intersection` empty .== emptyQ.E.D.Çprove $ \(a :: SSet Integer) -> a `intersection` complement a .== emptyQ.E.D.Ñprove $ \(a :: SSet Integer) b -> a `disjoint` b .=> a `intersection` b .== emptyQ.E.D.Š sbvIntersections. Equivalent to ƒ ‰ ö. Note that Haskell's ¸¹Û does not support this operation as it does not have a way of representing universal sets.3prove $ intersections [] .== (full :: SSet Integer)Q.E.D.‹ sbvDifference.>prove $ \(a :: SSet Integer) -> empty `difference` a .== emptyQ.E.D.:prove $ \(a :: SSet Integer) -> a `difference` empty .== aQ.E.D.Äprove $ \(a :: SSet Integer) -> full `difference` a .== complement aQ.E.D.:prove $ \(a :: SSet Integer) -> a `difference` a .== emptyQ.E.D.Œ sbvSynonym for ‹ .õö÷øùúûüýþÿ€ ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ õö÷øùúûüýþÿ€ ‚ ƒ „ … † ‡ ˆ ‰ Š ‹ Œ Œ 9 (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred{© sbvýConstruct a symbolic rational from a given numerator and denominator. Note that it is not possible to deconstruct a rational by taking numerator and denominator fields, since we do not represent them canonically. (This is due to the fact that SMTLib has no functions to compute the GCD. One can use the maximization engine to compute the GCD of numbers, but not as a function.) 7-(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÁÃ×Üï…cŽ sbv The symbolic Œ.sNothing :: SMaybe IntegerNothing :: SMaybe Integer sbv'Check if the symbolic value is nothing.&isNothing (sNothing :: SMaybe Integer)True"isNothing (sJust (literal "nope"))False sbv Construct an SMaybe a from an SBV a.sJust (3 :: SInteger)Just 3 :: SMaybe Integer‘ sbv+Check if the symbolic value is not nothing.#isJust (sNothing :: SMaybe Integer)FalseisJust (sJust (literal "yep"))True,prove $ \x -> isJust (sJust (x :: SInteger))Q.E.D.’ sbvÖReturn the value of an optional value. The default is returned if Nothing. Compare to “ .(fromMaybe 2 (sNothing :: SMaybe Integer) 2 :: SInteger'fromMaybe 2 (sJust 5 :: SMaybe Integer) 5 :: SInteger fromMaybe x (sNothing :: SMaybe Integer) .== xQ.E.D.?prove $ \x -> fromMaybe (x+1) (sJust x :: SMaybe Integer) .== xQ.E.D.“ sbvÿReturn the value of an optional value. The behavior is undefined if passed Nothing, i.e., it can return any value. Compare to ’ .fromJust (sJust (literal 'a'))'a' :: SChar1prove $ \x -> fromJust (sJust x) .== (x :: SChar)Q.E.D..sat $ \x -> x .== (fromJust sNothing :: SChar)Satisfiable. Model: s0 = 'A' :: Char§Note how we get a satisfying assignment in the last case: The behavior is unspecified, thus the SMT solver picks whatever satisfies the constraints, if there is one.” sbv Construct an SMaybe a from a Maybe (SBV a). liftMaybe (Just (3 :: SInteger))Just 3 :: SMaybe Integer%liftMaybe (Nothing :: Maybe SInteger)Nothing :: SMaybe Integer• sbv Map over the „ side of a ¾.?prove $ \x -> fromJust (map (+1) (sJust x)) .== x+(1::SInteger)Q.E.D.,let f = uninterpret "f" :: SInteger -> SBool-prove $ \x -> map f (sJust x) .== sJust (f x)Q.E.D.map f sNothing .== sNothingTrue– sbvMap over two maybe values.— sbvCase analysis for symbolic ¾s. If the value #, return the default value; if it ‘ , apply the function.*maybe 0 (`sMod` 2) (sJust (3 :: SInteger)) 1 :: SInteger/maybe 0 (`sMod` 2) (sNothing :: SMaybe Integer) 0 :: SInteger,let f = uninterpret "f" :: SInteger -> SBool+prove $ \x d -> maybe d f (sJust x) .== f xQ.E.D.&prove $ \d -> maybe d f sNothing .== dQ.E.D.˜ sbvCustom Ñ instance over ¬ Ž ‘ ’ “ ” • – — Ž ” — • – ‘ ’ “ -(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred#×Üï ;#™ sbvLength of a list.,sat $ \(l :: SList Word16) -> length l .== 2Satisfiable. Model: s0 = [0,0] :: [Word16]+sat $ \(l :: SList Word16) -> length l .< 0 Unsatisfiableáprove $ \(l1 :: SList Word16) (l2 :: SList Word16) -> length l1 + length l2 .== length (l1 ++ l2)Q.E.D.š sbvš s is True iff the list is empty:prove $ \(l :: SList Word16) -> null l .<=> length l .== 0Q.E.D.4prove $ \(l :: SList Word16) -> null l .<=> l .== []Q.E.D.› sbv› Ç returns the first element of a list. Unspecified if the list is empty.4prove $ \c -> head (singleton c) .== (c :: SInteger)Q.E.D.œ sbvœ > returns the tail of a list. Unspecified if the list is empty.;prove $ \(h :: SInteger) t -> tail (singleton h ++ t) .== tQ.E.D.Óprove $ \(l :: SList Integer) -> length l .> 0 .=> length (tail l) .== length l - 1Q.E.D.Õprove $ \(l :: SList Integer) -> sNot (null l) .=> singleton (head l) ++ tail l .== lQ.E.D. sbv É returns the pair of the head and tail. Unspecified if the list is empty.ž sbvž Ð returns all but the last element of the list. Unspecified if the list is empty.;prove $ \(h :: SInteger) t -> init (t ++ singleton h) .== tQ.E.D.Ÿ sbvŸ x6 is the list of length 1 that contains the only value x.4prove $ \(x :: SInteger) -> head (singleton x) .== xQ.E.D.6prove $ \(x :: SInteger) -> length (singleton x) .== 1Q.E.D. sbv l offset. List of length 1 at offset in l). Unspecified if index is out of bounds.Þprove $ \(l1 :: SList Integer) l2 -> listToListAt (l1 ++ l2) (length l1) .== listToListAt l2 0Q.E.D.ãsat $ \(l :: SList Word16) -> length l .>= 2 .&& listToListAt l 0 ./= listToListAt l (length l - 1)Satisfiable. Model: s0 = [0,32] :: [Word16]¡ sbv¡ l i! is the value stored at location i). Unspecified if index is out of bounds.Íprove $ \i -> i `inRange` (0, 4) .=> [1,1,1,1,1] `elemAt` i .== (1::SInteger)Q.E.D.*>>> prove $ (l :: SList Integer) i e -> i É (0, length l - 1) .&& l ¡ 2 i .== e .=> indexOf l (singleton e) .<= i Q.E.D.¢ sbvShort cut for ¡ £ sbv£ es is the list of length |es|Ô containing precisely those elements. Note that there is no corresponding function explode8, since we wouldn't know the length of a symbolic list.Æprove $ \(e1 :: SInteger) e2 e3 -> length (implode [e1, e2, e3]) .== 3Q.E.D.îprove $ \(e1 :: SInteger) e2 e3 -> map (elemAt (implode [e1, e2, e3])) (map literal [0 .. 2]) .== [e1, e2, e3]Q.E.D.¤ sbv Concatenate two lists. See also ¨ .¥ sbv$Prepend an element, the traditional cons.¦ sbvAppend an element§ sbvÎEmpty list. This value has the property that it's the only list with length 0:>prove $ \(l :: SList Integer) -> length l .== 0 .<=> l .== nilQ.E.D.¨ sbvShort cut for ¤ .Ïsat $ \x y z -> length x .== 5 .&& length y .== 1 .&& x ++ y ++ z .== [1 .. 12]Satisfiable. Model:$ s0 = [1,2,3,4,5] :: [Integer]$ s1 = [6] :: [Integer]$ s2 = [7,8,9,10,11,12] :: [Integer]© sbv© e l. Does l contain the element e?ª sbvª e l. Does l not contain the element e?« sbv« sub l. Does l contain the subsequence sub?Çprove $ \(l1 :: SList Integer) l2 l3 -> l2 `isInfixOf` (l1 ++ l2 ++ l3)Q.E.D.Ûprove $ \(l1 :: SList Integer) l2 -> l1 `isInfixOf` l2 .&& l2 `isInfixOf` l1 .<=> l1 .== l2Q.E.D.¬ sbv¬ pre l. Is pre a prefix of l??prove $ \(l1 :: SList Integer) l2 -> l1 `isPrefixOf` (l1 ++ l2)Q.E.D.Ûprove $ \(l1 :: SList Integer) l2 -> l1 `isPrefixOf` l2 .=> subList l2 0 (length l1) .== l1Q.E.D. sbv suf l. Is suf a suffix of l?>prove $ \(l1 :: SList Word16) l2 -> l2 `isSuffixOf` (l1 ++ l2)Q.E.D.ðprove $ \(l1 :: SList Word16) l2 -> l1 `isSuffixOf` l2 .=> subList l2 (length l2 - length l1) (length l1) .== l1Q.E.D.® sbv® len l. Corresponds to Haskell's ® on symbolic lists.Æprove $ \(l :: SList Integer) i -> i .>= 0 .=> length (take i l) .<= iQ.E.D.¯ sbv¯ len s. Corresponds to Haskell's ¯ on symbolic-lists.Àprove $ \(l :: SList Word16) i -> length (drop i l) .<= length lQ.E.D. take i l ++ drop i l .== lQ.E.D.° sbv° s offset len is the sublist of s at offset offset with length lenÙ. This function is under-specified when the offset is outside the range of positions in s or len is negative or offset+len exceeds the length of s.òprove $ \(l :: SList Integer) i -> i .>= 0 .&& i .< length l .=> subList l 0 i ++ subList l i (length l - i) .== lQ.E.D.?sat $ \i j -> subList [1..5] i j .== ([2..4] :: SList Integer)Satisfiable. Model: s0 = 1 :: Integer s1 = 3 :: Integer?sat $ \i j -> subList [1..5] i j .== ([6..7] :: SList Integer) Unsatisfiable± sbv± l src dst". Replace the first occurrence of src by dst in sÔprove $ \l -> replace [1..5] l [6..10] .== [6..10] .=> l .== ([1..5] :: SList Word8)Q.E.D.Úprove $ \(l1 :: SList Integer) l2 l3 -> length l2 .> length l1 .=> replace l1 l2 l3 .== l1Q.E.D.² sbv² l sub. Retrieves first position of sub in l, -1- if there are no occurrences. Equivalent to ³ l sub 0.1>>> prove $ (l :: SList Int8) i -> i .> 0 .&& i .lengthl .=( indexOf l (subList l i 1) .<= i Q.E.D.Óprove $ \(l1 :: SList Word16) l2 -> length l2 .> length l1 .=> indexOf l1 l2 .== -1Q.E.D.³ sbv³ l sub offset. Retrieves first position of sub at or after offset in l, -1 if there are no occurrences.Éprove $ \(l :: SList Int8) sub -> offsetIndexOf l sub 0 .== indexOf l subQ.E.D.çprove $ \(l :: SList Int8) sub i -> i .>= length l .&& length sub .> 0 .=> offsetIndexOf l sub i .== -1Q.E.D.Òprove $ \(l :: SList Int8) sub i -> i .> length l .=> offsetIndexOf l sub i .== -1Q.E.D.´ sbv´ sÃ reverses the sequence. >>> sat $ (l :: SList Integer) -> reverse l .== literal [3, 2, 1] Satisfiable. Model: s0 = [1,2,3] :: [Integer] >>> prove $ (l :: SList Word32) -> reverse l .== [] .= null l Q.E.D.…sbv!Lift a unary operator over lists.†sbv"Lift a binary operator over lists.‡sbv#Lift a ternary operator over lists.ˆsbv!Concrete evaluation for unary ops‰sbv"Concrete evaluation for binary opsŠsbv#Concrete evaluation for ternary ops‹sbv#Is the list concretely known empty?™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ ™ š › œ ž Ÿ ¡ ¢ £ ¤ ¥ ¦ § ¨ © ª « ¬ ® ¯ ° ± ² ³ ´ ¥ 5¨ 5-(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×Üï®µ sbv Construct an SEither a b from an SBV asLeft 3 :: SEither Integer BoolLeft 3 :: SEither Integer Bool¶ sbvReturn Î if the given symbolic value is ª, Ï otherwise(isLeft (sLeft 3 :: SEither Integer Bool)True-isLeft (sRight sTrue :: SEither Integer Bool)False· sbv Construct an SEither a b from an SBV b%sRight sFalse :: SEither Integer Bool#Right False :: SEither Integer Bool¸ sbvReturn Î if the given symbolic value is «, Ï otherwise)isRight (sLeft 3 :: SEither Integer Bool)False.isRight (sRight sTrue :: SEither Integer Bool)True¹ sbv Construct an SEither a b from an Either (SBV a) (SBV b),liftEither (Left 3 :: Either SInteger SBool)Left 3 :: SEither Integer Bool1liftEither (Right sTrue :: Either SInteger SBool)"Right True :: SEither Integer Boolº sbvCase analysis for symbolic ¿s. If the value ¶ #, apply the first function; if it ¸ , apply the second function.either (*2) (*3) (sLeft 3) 6 :: SIntegereither (*2) (*3) (sRight 3) 9 :: SInteger/let f = uninterpret "f" :: SInteger -> SInteger/let g = uninterpret "g" :: SInteger -> SInteger*prove $ \x -> either f g (sLeft x) .== f xQ.E.D.+prove $ \x -> either f g (sRight x) .== g xQ.E.D.» sbv"Map over both sides of a symbolic ¿ at the same time/let f = uninterpret "f" :: SInteger -> SInteger/let g = uninterpret "g" :: SInteger -> SInteger4prove $ \x -> fromLeft (bimap f g (sLeft x)) .== f xQ.E.D.6prove $ \x -> fromRight (bimap f g (sRight x)) .== g xQ.E.D.¼ sbvMap over the left side of an ¿/let f = uninterpret "f" :: SInteger -> SIntegerÊprove $ \x -> first f (sLeft x :: SEither Integer Integer) .== sLeft (f x)Q.E.D.Èprove $ \x -> first f (sRight x :: SEither Integer Integer) .== sRight xQ.E.D.½ sbvMap over the right side of an ¿/let f = uninterpret "f" :: SInteger -> SIntegerÍprove $ \x -> second f (sRight x :: SEither Integer Integer) .== sRight (f x)Q.E.D.Çprove $ \x -> second f (sLeft x :: SEither Integer Integer) .== sLeft xQ.E.D.¾ sbvüReturn the value from the left component. The behavior is undefined if passed a right value, i.e., it can return any value.6fromLeft (sLeft (literal 'a') :: SEither Char Integer)'a' :: SCharÉprove $ \x -> fromLeft (sLeft x :: SEither Char Integer) .== (x :: SChar)Q.E.D.?sat $ \x -> x .== (fromLeft (sRight 4 :: SEither Char Integer))Satisfiable. Model: s0 = 'A' :: Char§Note how we get a satisfying assignment in the last case: The behavior is unspecified, thus the SMT solver picks whatever satisfies the constraints, if there is one.¿ sbvüReturn the value from the right component. The behavior is undefined if passed a left value, i.e., it can return any value.8fromRight (sRight (literal 'a') :: SEither Integer Char)'a' :: SCharÎprove $ \x -> fromRight (sRight x :: SEither Char Integer) .== (x :: SInteger)Q.E.D.Ësat $ \x -> x .== (fromRight (sLeft (literal 'a') :: SEither Char Integer))Satisfiable. Model: s0 = 0 :: Integer§Note how we get a satisfying assignment in the last case: The behavior is unspecified, thus the SMT solver picks whatever satisfies the constraints, if there is one.µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ µ · ¹ º » ¼ ½ ¶ ¸ ¾ ¿ ó(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1ÁÃÌÙÚÜï¸°,À sbv3A symbolic signed bit-vector carrying its size infoÁ sbv*A signed bit-vector carrying its size infoÂ sbv5A symbolic unsigned bit-vector carrying its size infoÃ sbv-An unsigned bit-vector carrying its size infoÄ sbvGeneralization of ôŒsbvGeneralization of õÅ sbvGeneralization of ªÆ sbvGeneralization of ösbvGeneralization of ÷Ç sbvGeneralization of øÈ sbv7Extract a portion of bits to form a smaller bit-vector.É sbvJoin two bitvectors.Ê sbvZero extend a bit-vector.Ë sbvSign extend a bit-vector.Ì sbv'Drop bits from the top of a bit-vector.Í sbv'Take bits from the top of a bit-vector.ŽsbvOptimizing Ã sbvConstructing models for Ã sbv± instance for Ã ‘sbvª instance for Ã ’sbvÁ instance for Ã “sbv’ instance for Ã ”sbv“ instance for Ã •sbv” instance for Ã –sbvÑ instance for Ã —sbv˜ instance for Ã ™sbvþ instance for Ã šsbvÃ has a kind›sbvShow instance for Ã œsbvª instance for Â sbvOptimizing Á žsbvConstructing models for Á Ÿsbv± instance for Á sbvª instance for Á ¡sbvÁ instance for Á ¢sbv’ instance for Á £sbv“ instance for Á ¤sbv” instance for Á ¥sbvÑ instance for Á ¦sbv˜ instance for Á §sbvþ instance for Á ¨sbvÁ has a kind©sbvShow instance for Á ªsbvª instance for À È sbvi : Start position, numbered from n-1 to 0sbvj: End position, numbered from n-1 to 0, j <= i must holdsbvInput bit vector of size nsbvOutput is of size i - j + 1É sbvFirst input, of size n, becomes the left sidesbvSecond input, of size m, becomes the right sidesbvConcatenation, of size n+mÊ sbvInput, of size nsbvOutput, of size m. n < m must holdË sbvInput, of size nsbvOutput, of size m. n < m must holdÌ sbvi: Number of bits to drop. i < n must hold.sbvInput, of size nsbvOutput, of size m. m = n - i holds.Í sbvi: Number of bits to take. 0 < i <= n must hold.sbvInput, of size nsbvOutput, of size iÀ Á Â Ã Ä ŒÅ Æ Ç È É Ê Ë Ì Í É 5(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred 1ÁÂÃÌÚÊÎ sbvðImplements polynomial addition, multiplication, division, and modulus operations over GF(2^n). NB. Similar to «, division by 0 is interpreted as follows:x Ô 0 = (0, x)for all x (including 0)Minimal complete definition: Ñ , Ô , Ö Ï sbvÀGiven bit-positions to be set, create a polynomial For instancepolynomial [0, 1, 3] :: SWord8will evaluate to 11, since it sets the bits 0, 1, and 31. Mathematicians would write this polynomial as x^3 + x + 1. And in fact, Õ will show it like that.Ð sbvAdd two polynomials in GF(2^n).Ñ sbv•Multiply two polynomials in GF(2^n), and reduce it by the irreducible specified by the polynomial as specified by coefficients of the third argument. Note that the third argument is specifically left in this form as it is usually in GF(2^(n+1)), which is not available in our formalism. (That is, we would need SWord9 for SWord8 multiplication, etc.) Also note that we do not support symbolic irreducibles, which is a minor shortcoming. (Most GF's will come with fixed irreducibles, so this should not be a problem in practice.)ˆPassing [] for the third argument will multiply the polynomials and then ignore the higher bits that won't fit into the resulting size.Ò sbvÄDivide two polynomials in GF(2^n), see above note for division by 0.Ó sbvÏCompute modulus of two polynomials in GF(2^n), see above note for modulus by 0.Ô sbv%Division and modulus packed together.Õ sbvÃDisplay a polynomial like a mathematician would (over the monomial x), with a type.Ö sbvÃDisplay a polynomial like a mathematician would (over the monomial xÃ), the first argument controls if the final type is shown as well.«sbvPretty print as a polynomial× sbvAdd two polynomialsØ sbvüRun down a boolean condition over two lists. Note that this is different than zipWith as shorter list is assumed to be filled with sFalse at the end (i.e., zero-bits); which nicely pads it when considered as an unsigned number in little-endian form.¬sbvýMultiply two polynomials and reduce by the third (concrete) irreducible, given by its coefficients. See the remarks for the Ñ function for this design choiceÙ sbv8Compute modulus/remainder of polynomials on bit-vectors.Ú sbv(Compute CRCs over bit-vectors. The call crcBV n m p" computes the CRC of the message m with respect to polynomial pÀ. The inputs are assumed to be blasted big-endian. The number n5 specifies how many bits of CRC is needed. Note that n+ is actually the degree of the polynomial pÒ, and thus it seems redundant to pass it in. However, in a typical proof context, the polynomial can be symbolic, so we cannot compute the degree easily. While this can be worked-around by generating code that accounts for all possible degrees, the resulting code would be unnecessarily big and complicated, and much harder to reason with. (Also note that a CRC is just the remainder from the polynomial division, but this routine is much faster in practice.)NB. The nth bit of the polynomial p mustÑ be set for the CRC to be computed correctly. Note that the polynomial argument pÛ will not even have this bit present most of the time, as it will typically contain bits 0 through n-13 as usual in the CRC literature. The higher order nÀth bit is simply assumed to be set, as it does not make sense to use a polynomial of a lesser degree. This is usually not a problem since CRC polynomials are designed and expressed this way.óNB. The literature on CRC's has many variants on how CRC's are computed. We follow the following simple procedure:Extend the message m by adding n 0 bits on the right+Divide the polynomial thus obtained by the pThe remainder is the CRC value.ûThere are many variants on final XOR's, reversed polynomials etc., so it is essential to double check you use the correct algorithm.Û sbvÁCompute CRC's over polynomials, i.e., symbolic words. The first ‘0 argument plays the same role as the one in the Ú function.Î Ï Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Î Ï Ð Ñ Ò Ó Ô Õ Ö Û Ú Ø Ù × (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred ÁÂÃ×ÜïÙ!å sbvãA class of checked-arithmetic operations. These follow the usual arithmetic, except make calls to ÒÊ to ensure no overflow/underflow can occur. Use them in conjunction with Æ" to ensure no overflow can happen.ë sbvÂDetecting underflow/overflow conditions. For each function, the first result is the condition under which the computation underflows, and the second is the condition under which it overflows.ì sbvåBit-vector addition. Unsigned addition can only overflow. Signed addition can underflow and overflow.åA tell tale sign of unsigned addition overflow is when the sum is less than minimum of the arguments.Äprove $ \x y -> snd (bvAddO x (y::SWord16)) .<=> x + y .< x `smin` yQ.E.D.í sbvïBit-vector subtraction. Unsigned subtraction can only underflow. Signed subtraction can underflow and overflow.î sbv÷Bit-vector multiplication. Unsigned multiplication can only overflow. Signed multiplication can underflow and overflow.ï sbvSame as î ê, except instead of doing the computation internally, it simply sends it off to z3 as a primitive. Obviously, only use if you have the z3 backend! Note that z3 provides this operation only when no logic is set, so make sure to call setLogic Logic_NONE in your program!ð sbvÆBit-vector division. Unsigned division neither underflows nor overflows. Signed division can only overflow. In fact, for each signed bitvector type, there's precisely one pair that overflows, when x is minBound and y is -1:,allSat $ \x y -> snd (x `bvDivO` (y::SInt8))Solution #1: s0 = -128 :: Int8 s1 = -1 :: Int8This is the only solution.ñ sbv‚Bit-vector negation. Unsigned negation neither underflows nor overflows. Signed negation can only overflow, when the argument is minBound::prove $ \x -> x .== minBound .<=> snd (bvNegO (x::SInt16))Q.E.D.sbvZero-extend to given bits®sbvÌSign-extend to given bits. Note that we keep the signedness of the argument.¯sbvGet the sign-bit°sbvIs the sign-bit high?±sbvIs the sign-bit low?²sbvDo these have the same sign?³sbvDo these have opposing signs?´sbvCheck all trueµsbv.Are all the bits between a b (inclusive) zero?¶sbv-Are all the bits between a b (inclusive) one?·sbv%Unsigned addition. Can only overflow.¸sbvSigned addition.¹sbv)Unsigned subtraction. Can only underflow.ºsbvSigned subtraction.»sbv+Unsigned multiplication. Can only overflow.¼sbvSigned multiplication.½sbvIs this a concrete value?¾sbv:Unsigned multiplication, fast version using z3 primitives.¿sbv8Signed multiplication, fast version using z3 primitives.Àsbv5Unsigned division. Neither underflows, nor overflows.Ásbv#Signed division. Can only overflow.Âsbv5Unsigned negation. Neither underflows, nor overflows.Ãsbv#Signed negation. Can only overflow.ò sbvßDetecting underflow/overflow conditions for casting between bit-vectors. The first output is the result, the second component itself is a pair with the first boolean indicating underflow and the second indicating overflow.:sFromIntegralO (256 :: SInt16) :: (SWord8, (SBool, SBool))(0 :: SWord8,(False,True))9sFromIntegralO (-2 :: SInt16) :: (SWord8, (SBool, SBool))(254 :: SWord8,(True,False))8sFromIntegralO (2 :: SInt16) :: (SWord8, (SBool, SBool))(2 :: SWord8,(False,False))Üprove $ \x -> sFromIntegralO (x::SInt32) .== (sFromIntegral x :: SInteger, (sFalse, sFalse))Q.E.D.)As the last example shows, converting to ê- never underflows or overflows for any value.ó sbvVersion of ˆ that has calls to Ò> for checking no overflow/underflow can happen. Use it with a Æ call.å æ ç è é ê ë ì í î ï ð ñ ò ó ë ì í î ï ð ñ å æ ç è é ê ò ó æ 6ç 6è 7é 7ù(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred<ÁÂÃÌ×ÙÚÜïúÅ‰ sbvConversion to and from floatsŠ sbv.Convert from an IEEE74 single precision float.‹ sbv.Convert to an IEEE-754 Single-precision float.Œ sbv.Convert from an IEEE74 double precision float. sbv.Convert to an IEEE-754 Double-precision float.Ž sbv)Convert from an arbitrary floating point. sbv'Convert to an arbitrary floating point. sbv„A class of floating-point (IEEE754) operations, some of which behave differently based on rounding modes. Note that unless the rounding mode is concretely RoundNearestTiesToEven, we will not concretely evaluate these, but rather pass down to the SMT solver.‘ sbv*Compute the floating point absolute value.’ sbv&Compute the unary negation. Note that 0 - x is not equivalent to -x for floating-point, since -0 and 0 are different.“ sbv c `elem` singleton cQ.E.D. prove $ \c -> sNot (c `elem` "")Q.E.D.µ sbv#Is the character not in the string?4prove $ \c s -> c `elem` s .<=> sNot (c `notElem` s)Q.E.D.¶ sbvThe ¶ of a character.· sbv*Conversion from an integer to a character.8prove $ \x -> 0 .<= x .&& x .< 256 .=> ord (chr x) .== xQ.E.D.prove $ \x -> chr (ord x) .== xQ.E.D.Þsbv˜Lift a char function to a symbolic version. If the given char is not in the class recognized by predicate, the output is the same as the input. Only works for the Latin1 set, i.e., the first 256 characters. If the given character is outside this range, it's returned unchanged.ßsbvìLift a char predicate to a symbolic version. Only works for the Latin1 set, i.e., the first 256 characters.¸ sbvâConvert to lower-case. Only works for the Latin1 subset, otherwise returns its argument unchanged.5prove $ \c -> toLowerL1 (toLowerL1 c) .== toLowerL1 cQ.E.D.Öprove $ \c -> isLowerL1 c .&& c `notElem` "\181\255" .=> toLowerL1 (toUpperL1 c) .== cQ.E.D.¹ sbvâConvert to upper-case. Only works for the Latin1 subset, otherwise returns its argument unchanged.5prove $ \c -> toUpperL1 (toUpperL1 c) .== toUpperL1 cQ.E.D.;prove $ \c -> isUpperL1 c .=> toUpperL1 (toLowerL1 c) .== cQ.E.D.º sbvíConvert a digit to an integer. Works for hexadecimal digits too. If the input isn't a digit, then return -1.×prove $ \c -> isDigit c .|| isHexDigit c .=> digitToInt c .>= 0 .&& digitToInt c .<= 15Q.E.D.Çprove $ \c -> sNot (isDigit c .|| isHexDigit c) .=> digitToInt c .== -1Q.E.D.» sbv*Convert an integer to a digit, inverse of º §. If the integer is out of bounds, we return the arbitrarily chosen space character. Note that for hexadecimal letters, we return the corresponding lowercase letter.Æprove $ \i -> i .>= 0 .&& i .<= 15 .=> digitToInt (intToDigit i) .== iQ.E.D.Çprove $ \i -> i .< 0 .|| i .> 15 .=> digitToInt (intToDigit i) .== -1Q.E.D.Ðprove $ \c -> digitToInt c .== -1 .<=> intToDigit (digitToInt c) .== literal ' 'Q.E.D.¼ sbv‘Is this a control character? Control characters are essentially the non-printing characters. Only works for the Latin1 subset, otherwise returns Ï.½ sbvÉIs this white-space? Only works for the Latin1 subset, otherwise returns Ï.¾ sbvÔIs this a lower-case character? Only works for the Latin1 subset, otherwise returns Ï.5prove $ \c -> isUpperL1 c .=> isLowerL1 (toLowerL1 c)Q.E.D.¿ sbvÕIs this an upper-case character? Only works for the Latin1 subset, otherwise returns Ï.0prove $ \c -> sNot (isLowerL1 c .&& isUpperL1 c)Q.E.D.À sbvÃIs this an alphabet character? That is lower-case, upper-case and title-case letters, plus letters of caseless scripts and modifiers letters. Only works for the Latin1 subset, otherwise returns Ï.Á sbvâIs this an alphabetical character or a digit? Only works for the Latin1 subset, otherwise returns Ï.>prove $ \c -> isAlphaNumL1 c .<=> isAlphaL1 c .|| isNumberL1 cQ.E.D.Â sbvÓIs this a printable character? Only works for the Latin1 subset, otherwise returns Ï.Ã sbv%Is this an ASCII digit, i.e., one of 0..9 . Note that this is a subset of È (prove $ \c -> isDigit c .=> isNumberL1 cQ.E.D.Ä sbv%Is this an Octal digit, i.e., one of 0..7.Å sbv!Is this a Hex digit, i.e, one of 0..9, a..f, A..F.-prove $ \c -> isHexDigit c .=> isAlphaNumL1 cQ.E.D.Æ sbvÓIs this an alphabet character. Only works for the Latin1 subset, otherwise returns Ï.+prove $ \c -> isLetterL1 c .<=> isAlphaL1 cQ.E.D.Ç sbvÄIs this a mark? Only works for the Latin1 subset, otherwise returns Ï.ÖNote that there are no marks in the Latin1 set, so this function always returns false!prove $ sNot . isMarkL1Q.E.D.È sbvÐIs this a number character? Only works for the Latin1 subset, otherwise returns Ï.É sbvÐIs this a punctuation mark? Only works for the Latin1 subset, otherwise returns Ï.Ê sbvÆIs this a symbol? Only works for the Latin1 subset, otherwise returns Ï.Ë sbvÉIs this a separator? Only works for the Latin1 subset, otherwise returns Ï.-prove $ \c -> isSeparatorL1 c .=> isSpaceL1 cQ.E.D.Ì sbv;Is this an ASCII character, i.e., the first 128 characters.Í sbvIs this a Latin1 character?Î sbv*Is this an ASCII Upper-case letter? i.e., A thru ZÝprove $ \c -> isAsciiUpper c .<=> ord c .>= ord (literal 'A') .&& ord c .<= ord (literal 'Z')Q.E.D.;prove $ \c -> isAsciiUpper c .<=> isAscii c .&& isUpperL1 cQ.E.D.Ï sbv*Is this an ASCII Lower-case letter? i.e., a thru zÝprove $ \c -> isAsciiLower c .<=> ord c .>= ord (literal 'a') .&& ord c .<= ord (literal 'z')Q.E.D.;prove $ \c -> isAsciiLower c .<=> isAscii c .&& isLowerL1 cQ.E.D.´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï ´ µ ¶ · ¸ ¹ º » ¼ ½ ¾ ¿ À Á Â Ã Ä Å Æ Ç È É Ê Ë Ì Í Î Ï (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"ÁÃ×Üï#ÚÐ sbv/Matchable class. Things we can match against a —.ÅFor instance, you can generate valid-looking phone numbers like this::set -XOverloadedStringslet dig09 = Range '0' '9'let dig19 = Range '1' '9'"let pre = dig19 * Loop 2 2 dig09"let post = dig19 * Loop 3 3 dig09let phone = pre * "-" * post(sat $ \s -> (s :: SString) `match` phoneSatisfiable. Model: s0 = "200-8000" :: StringÑ sbvÑ s r checks whether s! is in the language generated by r.Ò sbv%Match everything, universal acceptor./prove $ \(s :: SString) -> s `match` everythingQ.E.D.Ó sbv"Match nothing, universal rejector.3prove $ \(s :: SString) -> sNot (s `match` nothing)Q.E.D.Ô sbv.Match any character, i.e., strings of length 1Àprove $ \(s :: SString) -> s `match` anyChar .<=> length s .== 1Q.E.D.Õ sbvÑA literal regular-expression, matching the given string exactly. Note that with OverloadedStringsë extension, you can simply use a Haskell string to mean the same thing, so this function is rarely needed.Ëprove $ \(s :: SString) -> s `match` exactly "LITERAL" .<=> s .== "LITERAL"Q.E.D.Ö sbv#Helper to define a character class.Öprove $ \(c :: SChar) -> c `match` oneOf "ABCD" .<=> sAny (c .==) (map literal "ABCD")Q.E.D.× sbvÁRecognize a newline. Also includes carriage-return and form-feed.newline=(re.union (str.to.re "\n") (str.to.re "\r") (str.to.re "\f"))/prove $ \c -> c `match` newline .=> isSpaceL1 cQ.E.D.Ø sbvRecognize a tab.tab(str.to.re "\t")2prove $ \c -> c `match` tab .=> c .== literal '\t'Q.E.D.àsbvÀLift a char function to a regular expression that recognizes it.Ù sbv.Recognize white-space, but without a new line.Ûprove $ \c -> c `match` whiteSpaceNoNewLine .=> c `match` whiteSpace .&& c ./= literal '\n'Q.E.D.Ú sbvRecognize white space.2prove $ \c -> c `match` whiteSpace .=> isSpaceL1 cQ.E.D.Û sbv"Recognize a punctuation character.9prove $ \c -> c `match` punctuation .=> isPunctuationL1 cQ.E.D.Ü sbv$Recognize an alphabet letter, i.e., A..Z, a..z.Ý sbv$Recognize an ASCII lower case letter asciiLower(re.range "a" "z")Èprove $ \c -> (c :: SChar) `match` asciiLower .=> c `match` asciiLetterQ.E.D.Æprove $ \c -> c `match` asciiLower .=> toUpperL1 c `match` asciiUpperQ.E.D.Æprove $ \c -> c `match` asciiLetter .=> toLowerL1 c `match` asciiLowerQ.E.D.Þ sbvRecognize an upper case letter asciiUpper(re.range "A" "Z")Èprove $ \c -> (c :: SChar) `match` asciiUpper .=> c `match` asciiLetterQ.E.D.Æprove $ \c -> c `match` asciiUpper .=> toLowerL1 c `match` asciiLowerQ.E.D.Æprove $ \c -> c `match` asciiLetter .=> toUpperL1 c `match` asciiUpperQ.E.D.ß sbvRecognize a digit. One of 0..9.digit(re.range "0" "9")Îprove $ \c -> c `match` digit .<=> let v = digitToInt c in 0 .<= v .&& v .< 10Q.E.D.7prove $ \c -> sNot ((c::SChar) `match` (digit - digit))Q.E.D.à sbv!Recognize an octal digit. One of 0..7.octDigit(re.range "0" "7")Ðprove $ \c -> c `match` octDigit .<=> let v = digitToInt c in 0 .<= v .&& v .< 8Q.E.D.?prove $ \(c :: SChar) -> c `match` octDigit .=> c `match` digitQ.E.D.á sbv&Recognize a hexadecimal digit. One of 0..9, a..f, A..F.hexDigitÃ(re.union (re.range "0" "9") (re.range "a" "f") (re.range "A" "F"))Ñprove $ \c -> c `match` hexDigit .<=> let v = digitToInt c in 0 .<= v .&& v .< 16Q.E.D.?prove $ \(c :: SChar) -> c `match` digit .=> c `match` hexDigitQ.E.D.â sbvRecognize a decimal number.decimal(re.+ (re.range "0" "9"))Ñprove $ \s -> (s::SString) `match` decimal .=> sNot (s `match` KStar asciiLetter)Q.E.D.ã sbv:Recognize an octal number. Must have a prefix of the form 0o/0O.octalÎ(re.++ (re.union (str.to.re "0o") (str.to.re "0O")) (re.+ (re.range "0" "7")))Âprove $ \s -> s `match` octal .=> sAny (.== take 2 s) ["0o", "0O"]Q.E.D.ä sbv?Recognize a hexadecimal number. Must have a prefix of the form 0x/0X.hexadecimalÿ(re.++ (re.union (str.to.re "0x") (str.to.re "0X")) (re.+ (re.union (re.range "0" "9") (re.range "a" "f") (re.range "A" "F"))))Èprove $ \s -> s `match` hexadecimal .=> sAny (.== take 2 s) ["0x", "0X"]Q.E.D.å sbv„Recognize a floating point number. The exponent part is optional if a fraction is present. The exponent may or may not have a sign.3prove $ \s -> s `match` floating .=> length s .>= 3Q.E.D.æ sbv¿For the purposes of this regular expression, an identifier consists of a letter followed by zero or more letters, digits, underscores, and single quotes. The first letter must be lowercase. s `match` identifier .=> isAsciiLower (head s)Q.E.D.5prove $ \s -> s `match` identifier .=> length s .>= 1Q.E.D.ásbv#Lift a unary operator over strings.âsbv!Concrete evaluation for unary opsãsbv$Quiet GHC about testing only importsç sbvMatching symbolic strings.è sbvÉMatching a character simply means the singleton string matches the regex.'—™¥œ˜š›žŸ ¡¢£¤¦Ð Ñ Ò Ó Ô Õ Ö × Ø Ù Ú Û Ü Ý Þ ß à á â ã ä å æ '—™¥œ˜š›žŸ ¡¢£¤¦Ð Ñ Ò Ó Ô Õ Ö × Ù Ú Ø Û Ü Ý Þ ß à á â ã ä å æ ú(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred5ÛÜ'+é sbv‚Check whether the given solver is installed and is ready to go. This call does a simple call to the solver to ensure all is well.ê sbv:The default configs corresponding to supported SMT solversë sbvÅReturn the known available solver configs, installed on your machine.äsbväTurn a name into a symbolic type. If first argument is true, we'll also derive Eq and Ord instances.ì sbv$Make an enumeration a symbolic type.í sbvMake an uninterpred sort.åsbv*Make sure the given type is an enumerationæsbv)Make sure the given type is an empty dataé ê ë ì í û1(c) Brian Schroeder Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredjè3î sbvAsk solver for info.ÃNB. For a version which generalizes over the underlying monad, see ìï sbvRetrieve the value of an 'SMTOption.' The curious function argument is on purpose here, simply pass the constructor name. Example: the call ï ü will return either Nothing or Just (ProduceUnsatCores True) or Just (ProduceUnsatCores False).Result will be Œ, if the solver does not support this option.ÃNB. For a version which generalizes over the underlying monad, see ýð sbv-Get the reason unknown. Only internally used.ÃNB. For a version which generalizes over the underlying monad, see yñ sbv0Get the observables recorded during a query run.ÃNB. For a version which generalizes over the underlying monad, see þçsbvÀGet the uninterpreted constants/functions recorded during a run.ÃNB. For a version which generalizes over the underlying monad, see åò sbv*Issue check-sat and get an SMT Result out.ÃNB. For a version which generalizes over the underlying monad, see îèsbvÀIssue check-sat and get results of a lexicographic optimization.ÃNB. For a version which generalizes over the underlying monad, see ïésbvÇIssue check-sat and get results of an independent (boxed) optimization.ÃNB. For a version which generalizes over the underlying monad, see ðêsbv,Construct a pareto-front optimization resultÃNB. For a version which generalizes over the underlying monad, see ñó sbvØCollect model values. It is implicitly assumed that we are in a check-sat context. See ò = for a variant that issues a check-sat first and returns an ù.ÃNB. For a version which generalizes over the underlying monad, see òô sbvÁCheck for satisfiability, under the given conditions. Similar to uç except it allows making further assumptions as captured by the first argument of booleans. (Also see õ Ñ for a variant that returns the subset of the given assumptions that led to the ÿ conclusion.)ÃNB. For a version which generalizes over the underlying monad, see võ sbvðCheck for satisfiability, under the given conditions. Returns the unsatisfiable set of assumptions. Similar to uî except it allows making further assumptions as captured by the first argument of booleans. If the result is ÿÐ, the user will also receive a subset of the given assumptions that led to the ÿö conclusion. Note that while this set will be a subset of the inputs, it is not necessarily guaranteed to be minimal.ÉYou must have arranged for the production of unsat assumptions first via € $ ž for this call to not error out!Usage note: þ is usually easier to use than õ <, as it allows the use of named assertions, as obtained by ‚. If þ 9 fills your needs, you should definitely prefer it over õ .ÃNB. For a version which generalizes over the underlying monad, see óö sbvØThe current assertion stack depth, i.e., #push - #pops after start. Always non-negative.ÃNB. For a version which generalizes over the underlying monad, see ô÷ sbvïRun the query in a new assertion stack. That is, we push the context, run the query commands, and pop it back.ÃNB. For a version which generalizes over the underlying monad, see õø sbvÀPush the context, entering a new one. Pushes multiple levels if n > 1.ÃNB. For a version which generalizes over the underlying monad, see öù sbv 1. It's an error to pop levels that don't exist.ÃNB. For a version which generalizes over the underlying monad, see ÷ú sbv‡Search for a result via a sequence of case-splits, guided by the user. If one of the conditions lead to a satisfiable result, returns Just+ that result. If none of them do, returns Nothing‘. Note that we automatically generate a coverage case and search for it automatically as well. In that latter case, the string returned will be Coverage?. The first argument controls printing progress messages See ,Documentation.SBV.Examples.Queries.CaseSplit for an example use case.ÃNB. For a version which generalizes over the underlying monad, see øû sbvŸReset the solver, by forgetting all the assertions. However, bindings are kept as is, as opposed to a full reset of the solver. Use this variant to clean-up the solver state while leaving the bindings intact. Pops all assertion levels. Declarations and definitions resulting from the tì command are unaffected. Note that SBV implicitly uses global-declarations, so bindings will remain intact.ÃNB. For a version which generalizes over the underlying monad, see ùü sbvÇEcho a string. Note that the echoing is done by the solver, not by SBV.ÃNB. For a version which generalizes over the underlying monad, see úý sbvŸExit the solver. This action will cause the solver to terminate. Needless to say, trying to communicate with the solver after issuing "exit" will simply fail.ÃNB. For a version which generalizes over the underlying monad, see ûþ sbvÞRetrieve the unsat-core. Note you must have arranged for unsat cores to be produced first via € $ ü ž for this call to not error out!NB. There is no notion of a minimal unsat-core, in case unsatisfiability can be derived in multiple ways. Furthermore, Z3 does not guarantee that the generated unsat core does not have any redundant assertions either, as doing so can incur a performance penalty. (There might be assertions in the set that is not needed.) To ensure all the assertions in the core are relevant, use: € $ ƒ ":smt.core.minimize" ["true"] "Note that this only works with Z3.ÃNB. For a version which generalizes over the underlying monad, see xÿ sbvÔRetrieve the proof. Note you must have arranged for proofs to be produced first via € $ „ ž for this call to not error out!A proof is simply a §¹, as returned by the solver. In the future, SBV might provide a better datatype, depending on the use cases. Please get in touch if you use this function and can suggest a better API.ÃNB. For a version which generalizes over the underlying monad, see ü€sbv1Interpolant extraction for MathSAT. Compare with Ê, which performs similar function (but with a different use model) in Z3.!Retrieve an interpolant after an ÿÛ result is obtained. Note you must have arranged for interpolants to be produced first via € $ … ž for this call to not error out!-To get an interpolant for a pair of formulas A and B, use a †( call to attach interplation groups to A and B. Then call € ["A"]À, assuming those are the names you gave to the formulas in the A group.An interpolant for A and B is a formula I such that:# A .=> I and B .=> sNot I That is, it's evidence that A and B cannot be true together since A implies I but B implies not I; establishing that A and B5 cannot be satisfied at the same time. Furthermore, I0 will have only the symbols that are common to A and B.ÝNB. Interpolant extraction isn't standardized well in SMTLib. Currently both MathSAT and Z3 support them, but with slightly differing APIs. So, we support two APIs with slightly differing types to accommodate both. See /Documentation.SBV.Examples.Queries.Interpolants& for example usages in these solvers.ÃNB. For a version which generalizes over the underlying monad, see ýsbv,Interpolant extraction for z3. Compare with €Ï, which performs similar function (but with a different use model) in MathSAT.3Unlike the MathSAT variant, you should simply call À on symbolic booleans to retrieve the interpolant. Do not call Ž“ or create named constraints. This makes it harder to identify formulas, but the current state of affairs in interpolant API requires this kludge.An interpolant for A and B is a formula I such that:" A ==> I and B ==> not I That is, it's evidence that A and B cannot be true together since A implies I but B implies not I; establishing that A and B5 cannot be satisfied at the same time. Furthermore, I0 will have only the symbols that are common to A and B.In Z3, interpolants generalize to sequences: If you pass more than two formulas, then you will get a sequence of interpolants. In general, for NÃ formulas that are not satisfiable together, you will be returned N-1 interpolants. If formulas are A1 .. An, then interpolants will be I1 .. I(N-1) , such that A1 ==> I1, A2 /\ I1 ==> I2, A3 /\ I2 ==> I3, ..., and finally AN ===> not I(N-1).áCurrently, SBV only returns simple and sequence interpolants, and does not support tree-interpolants. If you need these, please get in touch. Furthermore, the result will be a list of mere strings representing the interpolating formulas, as opposed to a more structured type. Please get in touch if you use this function and can suggest a better API.ÝNB. Interpolant extraction isn't standardized well in SMTLib. Currently both MathSAT and Z3 support them, but with slightly differing APIs. So, we support two APIs with slightly differing types to accommodate both. See /Documentation.SBV.Examples.Queries.Interpolants& for example usages in these solvers.ÃNB. For a version which generalizes over the underlying monad, see þ‚sbvÚRetrieve assertions. Note you must have arranged for assertions to be available first via € $ ‡ ž for this call to not error out!ÞNote that the set of assertions returned is merely a list of strings, just like the case for ÿ ž. In the future, SBV might provide a better datatype, depending on the use cases. Please get in touch if you use this function and can suggest a better API.ÃNB. For a version which generalizes over the underlying monad, see ÿƒsbv:Retrieve the assignment. This is a lightweight version of ‹Ë, where the solver returns the truth value for all named subterms of type Á.?You must have first arranged for assignments to be produced via € $ ˆ ž for this call to not error out!ÃNB. For a version which generalizes over the underlying monad, see €„sbv,Produce the query result from an assignment.ÃNB. For a version which generalizes over the underlying monad, see …sbvPerform an arbitrary IO action.ÃNB. For a version which generalizes over the underlying monad, see ÓësbvModify the query stateÃNB. For a version which generalizes over the underlying monad, see Ôìsbv$Execute in a new incremental contextÃNB. For a version which generalizes over the underlying monad, see Õ†sbvSimilar to ‡", except creates unnamed variable.ÃNB. For a version which generalizes over the underlying monad, see Ö‡sbvÙCreate a fresh variable in query mode. You should prefer creating input variables using œ, ±Ü, etc., which act as primary inputs to the model and can be existential or universal. Use ‡é only in query mode for anonymous temporary variables. Such variables are always existential. Note that ‡ò should hardly be needed: Your input variables and symbolic expressions should suffice for most major use cases.ÃNB. For a version which generalizes over the underlying monad, see ×ˆsbvSimilar to ‰, except creates unnamed array.ÃNB. For a version which generalizes over the underlying monad, see Ø‰sbvíCreate a fresh array in query mode. Again, you should prefer creating arrays before the queries start using ©, but this method can come in handy in occasional cases where you need a new array after you start the query based interaction.ÃNB. For a version which generalizes over the underlying monad, see ÙŠsbvIf ‰ is žÑ, print the message, useful for debugging messages in custom queries. Note that ŠÔ will be respected: If a file redirection is given, the output will go to the file.ÃNB. For a version which generalizes over the underlying monad, see Úísbv4Send a string to the solver, and return the responseÃNB. For a version which generalizes over the underlying monad, see Ûîsbv6Send a string to the solver. If the first argument is žÒ, we will require a "success" response as well. Otherwise, we'll fire and forget.ÃNB. For a version which generalizes over the underlying monad, see Üïsbv§Retrieve a responses from the solver until it produces a synchronization tag. We make the tag unique by attaching a time stamp, so no need to worry about getting the wrong tag unless it happens in the very same picosecond! We return multiple valid s-expressions till the solver responds with the tag. Should only be used for internal tasks or when we want to synchronize communications, and not on a regular basis! Use î/í¶ for that purpose. This comes in handy, however, when solvers respond multiple times as in optimization for instance, where we both get a check-sat answer and some objective values.ÃNB. For a version which generalizes over the underlying monad, see Ý‹sbvGet the value of a term.ÃNB. For a version which generalizes over the underlying monad, see wŒsbv3Get the value of an uninterpreted sort, as a StringÃNB. For a version which generalizes over the underlying monad, see ßsbvÂGet the value of an uninterpreted function, as a list of domain, value pairs. The final value is the "else" clause, i.e., what the function maps values outside of the domain of the first list.ðsbvÿGet the value of a term. If the kind is Real and solver supports decimal approximations, we will "squash" the representations.ÃNB. For a version which generalizes over the underlying monad, see àñsbv'Get the value of an uninterpreted valueòsbvÁGet the value of an uninterpreted function as an association listÃNB. For a version which generalizes over the underlying monad, see âŽsbvCheck for satisfiability.ÃNB. For a version which generalizes over the underlying monad, see usbvÚEnsure that the current context is satisfiable. If not, this function will throw an error.ÃNB. For a version which generalizes over the underlying monad, see ísbv?Check for satisfiability with a custom check-sat-using command.ÃNB. For a version which generalizes over the underlying monad, see ãósbvÃRetrieve the set of unsatisfiable assumptions, following a call to óé. Note that this function isn't exported to the user, but rather used internally. The user simple calls ó.ÃNB. For a version which generalizes over the underlying monad, see æ‘sbvñTimeout a query action, typically a command call to the underlying SMT solver. The duration is in microseconds (1/10^6þ seconds). If the duration is negative, then no timeout is imposed. When specifying long timeouts, be careful not to exceed maxBound :: Intú. (On a 64 bit machine, this bound is practically infinite. But on a 32 bit machine, it corresponds to about 36 minutes!)Semantics: The call timeout n qê causes the timeout value to be applied to all interactive calls that take place as we execute the query q:. That is, each call that happens during the execution of qå gets a separate time-out value, as opposed to one timeout value that limits the whole query. This is typically the intended behavior. It is advisable to apply this combinator to calls that involve a single call to the solver for finer control, as opposed to an entire set of interactions. However, different use cases might call for different scenarios.ðIf the solver responds within the time-out specified, then we continue as usual. However, if the backend solver times-out using this mechanism, there is no telling what the state of the solver will be. Thus, we raise an error in this case.ÃNB. For a version which generalizes over the underlying monad, see çôsbv)Bail out if we don't get what we expectedÃNB. For a version which generalizes over the underlying monad, see èõsbvExecute a query.ÃNB. For a version which generalizes over the underlying monad, see é3î ï ð ñ çò èéêó ô õ ö ÷ ø ù ú û ü ý þ ÿ €‚ƒ„…ëì†‡ˆ‰Šíîï‹ŒðñòŽó‘ôõ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred/kÇ’sbvRun a custom queryÜ !"#$%&'()*+,-./01234567=>?@GEABCDFHIJKLM_`œÜÝÞßàáâæçÃàî ï ð ñ ò ó ô õ ö ÷ ø ù ú û ü ý þ ÿ €‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’Ü_`æçÝÞßàáâÜ’†‡ˆ‰IJKLMŽô õ ‹ÃŒó ƒò ð ñ þ ÿ €‚@GEABCDFH=>?./01234567î ï ö ø ù ÷ ú û à„ý œ‘Šü … !"#$%&'()*+,-‹(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÁÃÑ)4“sbvÃDifferent kinds of "files" we can produce. Currently this is quite C specific.˜sbv5Representation of a collection of generated programs.šsbvPossible mappings for the ºÃ type when translated to C. Used in conjunction with the function ¿™. Note that the particular characteristics of the mapped types depend on the platform and the compiler used for compiling the generated C program. See )http://en.wikipedia.org/wiki/C_data_types for details.›sbvfloatœsbvdoublesbvlong doubležsbv§The code-generation monad. Allows for precise layout of input values reference parameters (for returning composite values in languages such as C), and return values. sbvCode-generation state©sbv%Abstraction of target language values¬sbvOptions for code-generation.®sbvIf žÒ, perform run-time-checks for index-out-of-bounds or shifting-by-large values etc.¯sbv2Bit-size to use for representing SInteger (if any)°sbv+Type to use for representing SReal (if any)±sbvÙValues to use for the driver program generated, useful for generating non-random drivers.²sbvIf ž , will generate a driver program³sbvIf ž, will generate a makefile´sbvIf ž, will ignore Ò callsµsbvIf ž7, will overwrite the generated files without prompting.¶sbvIf žð, then 8-bit unsigned values will be shown in hex as well, otherwise decimal. (Other types always shown in hex.)·sbv5Abstract over code generation for different languagesºsbvõDefault options for code generation. The run-time checks are turned-off, and the driver values are completely random.»sbv)Initial configuration for code-generation¼sbv.Reach into symbolic monad from code-generation½sbváSets RTC (run-time-checks) for index-out-of-bounds, shift-with-large value etc. on/off. Default: À.¾sbv4Sets number of bits to be used for representing the »< type in the generated C code. The argument must be one of 8, 16, 32, or 64¬. Note that this is essentially unsafe as the semantics of unbounded Haskell integers becomes reduced to the corresponding bit size, as typical in most C implementations.¿sbv0Sets the C type to be used for representing the º> type in the generated C code. The setting can be one of C's "float", "double", or "long double"ò, types, depending on the precision needed. Note that this is essentially unsafe as the semantics of infinite precision SReal values becomes reduced to the corresponding floating point type in C, and hence it is subject to rounding errors.Àsbv.Should we generate a driver program? Default: ží. When a library is generated, it will have a driver if any of the constituent functions has a driver. (See Œ.)Ásbv(Should we generate a Makefile? Default: ž.Âsbv‹Sets driver program run time values, useful for generating programs with fixed drivers for testing. Default: None, i.e., use random values.Ãsbv&Ignore assertions (those generated by Ò calls) in the generated C codeÄsbvïAdds the given lines to the header file generated, useful for generating programs with uninterpreted functions.Åsbv If passed žï, then we will not ask the user if we're overwriting files as we generate the C code. Otherwise, we'll prompt.Æsbv If passed ž², then we will show 'SWord 8' type in hex. Otherwise we'll show it in decimal. All signed types are shown decimal, and all unsigned larger types are shown hexadecimal otherwise.ÇsbvðAdds the given lines to the program file generated, useful for generating programs with uninterpreted functions.ÈsbvêAdds the given words to the compiler options in the generated Makefile, useful for linking extra stuff in.Ésbv.Creates an atomic input in the generated code.Êsbv-Creates an array input in the generated code.Ësbv/Creates an atomic output in the generated code.Ìsbv.Creates an array output in the generated code.Ísbv9Creates a returned (unnamed) value in the generated code.Îsbv?Creates a returned (unnamed) array value in the generated code.Ïsbv.Creates an atomic input in the generated code.Ðsbv-Creates an array input in the generated code.Ñsbv/Creates an atomic output in the generated code.Òsbv.Creates an array output in the generated code.Ósbv9Creates a returned (unnamed) value in the generated code.Ôsbv?Creates a returned (unnamed) array value in the generated code.ÕsbvIs this a driver program?ÖsbvIs this a make file?×sbvýGenerate code for a symbolic program, returning a Code-gen bundle, i.e., collection of makefiles, source code, headers, etc.Øsbv4Render a code-gen bundle to a directory or to stdoutösbvAn alternative to Pretty's renderâ, which might have "leading" white-space in empty lines. This version eliminates such whitespace.Æ“”•–—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¹¸º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×Ø(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÔÙsbvçGiven a symbolic computation, render it as an equivalent collection of files that make up a C program:ÿThe first argument is the directory name under which the files will be saved. To save files in the current directory pass „ ".". Use Œ for printing to stdout.>The second argument is the name of the C function to generate.2The final argument is the function to be compiled.!Compilation will also generate a Makefile‘, a header file, and a driver (test) program, etc. As a result, we return whatever the code-gen function returns. Most uses should simply have ()û as the return type here, but the value can be useful if you want to chain the result of one compilation act to the next.ÚsbvLower level version of Ù, producing a ˜Ûsbv£Create code to generate a library archive (.a) from given symbolic functions. Useful when generating code from multiple functions that work together as a library.ÿThe first argument is the directory name under which the files will be saved. To save files in the current directory pass „ ".". Use Œ for printing to stdout.;The second argument is the name of the archive to generate.“The third argument is the list of functions to include, in the form of function-name/code pairs, similar to the second and third arguments of Ù, except in a list.ÜsbvLower level version of Û, producing a ˜÷sbvÒPretty print a functions type. If there is only one output, we compile it as a function that returns that value. Otherwise, we compile it as a void function that takes return values as pointers to be updated.øsbvÔRenders as "const SWord8 s0", etc. the first parameter is the width of the typefieldùsbvÁReturn the proper declaration and the result as a pair. No constsúsbv3Renders as "s0", etc, or the corresponding constantûsbv!Words as it would map to a C wordüsbvAlmost a "show", but map SWord1 to SBool- which is used for extracting one-bit words.ýsbv!The printf specifier for the typeþsbvîMake a constant value of the given type. We don't check for out of bounds here, as it should not be needed. There are many options here, using binary, decimal, etc. We simply use decimal for values 8-bits or less, and hex otherwise.ÿsbvÄGenerate a makefile. The first argument is True if we have a driver.€sbvGenerate the headersbv"Generate an example driver program‚sbvGenerate the C programƒsbv•Merge a bunch of bundles to generate code for a library. For the final config, we simply return the first config we receive, or the default if none.„sbv!Create a Makefile for the library…sbvCreate a driver for a libraryÙÚÛÜ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredwš›œž¼½¾¿ÀÁÂÃÄÅÆÇÈÏÐÑÒÓÔÙÛž¼½ÂÀÁÅÆÏÐÑÒÓÔÄÇÈÃ¾¿š›œÙÛ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂ×ÙÚÜ–•ÝsbvÉSend an arbitrary string to the solver in a query. Note that this is inherently dangerous as it can put the solver in an arbitrary state and confuse SBV. If you use this feature, you are on your own!ÞsbvöRetrieve multiple responses from the solver, until it responds with a user given tag that we shall arrange for internally. The optional timeout is in milliseconds. If the time-out is exceeded, then we will raise an error. Note that this is inherently dangerous as it can put the solver in an arbitrary state and confuse SBV. If you use this feature, you are on your own!ßsbv²Send an arbitrary string to the solver in a query, and return a response. Note that this is inherently dangerous as it can put the solver in an arbitrary state and confuse SBV.àsbvInverse transformation to ¯ 0. Note that this isn't a perfect inverse, since -0 maps to 0 and back to 0. Otherwise, it's faithful:ýprove $ \x -> let f = sComparableSWord32AsSFloat x in fpIsNaN f .|| fpIsNegativeZero f .|| sFloatAsComparableSWord32 f .== xQ.E.D.ñprove $ \x -> fpIsNegativeZero x .|| sComparableSWord32AsSFloat (sFloatAsComparableSWord32 x) `fpIsEqualObject` xQ.E.D.ásbvInverse transformation to ° 0. Note that this isn't a perfect inverse, since -0 maps to 0 and back to 0. Otherwise, it's faithful:ÿprove $ \x -> let d = sComparableSWord64AsSDouble x in fpIsNaN d .|| fpIsNegativeZero d .|| sDoubleAsComparableSWord64 d .== xQ.E.D.óprove $ \x -> fpIsNegativeZero x .|| sComparableSWord64AsSDouble (sDoubleAsComparableSWord64 x) `fpIsEqualObject` xQ.E.D.âsbvInverse transformation to ² 0. Note that this isn't a perfect inverse, since -0 maps to 0 and back to 0. Otherwise, it's faithful:–prove $ \x -> let d = sComparableSWordAsSFloatingPoint x in fpIsNaN d .|| fpIsNegativeZero d .|| sFloatingPointAsComparableSWord (d :: SFPHalf) .== xQ.E.D.Šprove $ \x -> fpIsNegativeZero x .|| sComparableSWordAsSFloatingPoint (sFloatingPointAsComparableSWord x) `fpIsEqualObject` (x :: SFPHalf)Q.E.D.STUXVW^afedbci}|{zyxwvutsrqponmljk~ŽŒ‹Š‰ˆ‡†…„ƒ‚€‘’“”•–—˜™š›±·¶µ´²³¸¹º»¼½¾¿ÍÌËÊÉÈÅÄÁÀÂÃÇÆÎÏÐÑÒÓÔÕÖ×ØÙÚÛÞÜÝßàáâãéèçåêäæëôóòñðïîìíõøö÷ùÿýûúþü€‚ƒ„…†›š™˜—–•”“’‘Ž‹Š‰Œœ‡ˆžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¼½¾¿ÂÁÀÃÄÅÆÇÈËÉÊÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛãäåèðïîíìëéêñôòóõ÷öøûùúüýþÿ€‚ƒ„…†‡ˆ‰Š‹•”“’‘Ž–Œ—¦¤£¢¡ Ÿž›š˜œ™¥§¨©ª¹¸·¶µ´³²±°¯®«¬ºÀ¿¾½»¼Á×ÖÕÔÓÒÑÐÏÎÍÌËÊÉÈÇÆÅÄÂÃØ‰ˆ‡†…„ƒ‚üûúùøöõôóòñðïîíìëéèæåäãâáàßÝÜÛÚÙÞþÿ€ý÷êçŠ‹ŒŽ‘’“”–—˜™š›¡¢£¤¦§¨©óôõöýùü÷øúûþÿ‚Ž€Œ‹Šˆ‡†…„‰ƒ‘’“ž˜™š—–•”›œŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêïîíìðëñòóôõö÷øùúûüýþÿ€µ»ÕÖ×‘¯ ° ² “—–”•˜™š›œžŸ ¨§¦¥¤£¡¢©ª«¬¶µ´³²±°¯®·¹¸º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÚÜÝÞßàáâÀÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛ¿ÂÁÀÃÄÅÆàáâ…†‡žŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²ÄÃÂÁÀ¿¾½¼»º¹¸·¶µ´³²¯±°®¬ª©¨§¦¥¤£ÎÏÐ«ÊËÌÍabcdefŸÝÞßàáâãäåæþ‰ƒ„…†‡ˆŠ‹Œ€Ž‚ÿ»¼½¾¿ÇÆÃÂÀÁÄÅÈÉÊËÌÍUVWXST±²³´µ¶·¸¹ºÑÒÓÚ×ØÙŠ‹‘ÖÕÔ¼½ÎÏÐÑÒÓÔÕÖ×ÙÚÛÜØÅÆÇŒŽèÈÉÊËÇöúûø÷üùýóôõçé‚š¦·§¨ijklmnopqrstuvwxyz{|}Øêç÷ý€ÿþÞÙÚÛÜÝßàáâãäåæèéëìíîïðñòóôõöøùúûü‚ƒ„…†‡ˆ‰º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ª«¬®¯°±²³´µ¶·¸¹§¨©‹–ŒŽ‘’“”•—™¥œ˜š›žŸ ¡¢£¤¦üý™þÿ€¸¡¾ÈÉ”¿ÂÁÀ~€‚ƒ„…†‡ˆ‰Š‹ŒŽ‘’ÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛ“›œ”•–—š™˜ž—£“ƒ„–ˆ‰Š’³´µ¶©^žŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²¢õö÷øëìíîïðñòóôãäæêåçèéùþüúûýÿ€‚ƒ„…†‡ˆœŒ‰Š‹Ž‘’“”•–—˜™š›øùúûõ÷öñòóôèéêëìíîïðãäå ¡¢ÕÖ»¼½¾×µ»€‚ƒ„…‘˜›ÚÜžŸ¼ÏÐÑÒÓÔÉÊËÌÍÎ½ÂÄÇÈÃÅÆ¾¿š›œ·¹¸¬®¯°±²³´µ¶ ¡¢£¤¥¦§¨˜™“”•–—©ª«º»ÕÖÀÁ×Ø‘’“”•–—˜™š›êðëìíîïöñòóôõ÷øùúÿ€ûüýþÛÜÝÞßÝßÞ¤¯ ° ² àáâŽ1(c) Brian Schroeder Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1<ÁÂÃÌÙÚö?™†sbv7Conversion from a fixed-sized BV to a sized bit-vector.ãsbvÖConvert a fixed-sized bit-vector to the corresponding sized bit-vector, for instance Â to 'SWord 16'. See also å.‡sbv3Capture the correspondence in terms of a constraintäsbv x `shiftL` 2 .== yÝis a predicate with two arguments, captured using an ordinary Haskell function. Internally, x will be named s0 and y will be named s1.‰Remember that SBV assumes that the input is in prenex-normal form. That is, all quantifiers are at the beginning of the predicate. See Data.SBV#noteOnNested1note on reasoning in the presence of quantifiers for more information.ÃNB. For a version which generalizes over the underlying monad, see †èsbvÝTurns a value into a predicate, allowing users to provide names for the inputs. If the user does not provide enough number of names for the variables, the remaining ones will be internally generated. Note that the names are only used for printing models and has no other significance; in particular, we do not check that they are unique. Example:< universal ["x", "y"] $ \(x::SWord8) y -> x `shiftL` 2 .== y>This is the same as above, except the variables will be named x and yÇ respectively, simplifying the counter-examples when they are printed.‰Remember that SBV assumes that the input is in prenex-normal form. That is, all quantifiers are at the beginning of the predicate. See Data.SBV#noteOnNested1note on reasoning in the presence of quantifiers for more information.ÃNB. For a version which generalizes over the underlying monad, see ‡ésbv9Turns a value into an existentially quantified predicate.‰Remember that SBV assumes that the input is in prenex-normal form. That is, all quantifiers are at the beginning of the predicate. See Data.SBV#noteOnNested1note on reasoning in the presence of quantifiers for more information.ÃNB. For a version which generalizes over the underlying monad, see ˆêsbvVersion of é that allows user defined names.‰Remember that SBV assumes that the input is in prenex-normal form. That is, all quantifiers are at the beginning of the predicate. See Data.SBV#noteOnNested1note on reasoning in the presence of quantifiers for more information.ÃNB. For a version which generalizes over the underlying monad, see ‰ësbv,Prove a predicate, using the default solver.ÃNB. For a version which generalizes over the underlying monad, see Çìsbv/Prove the predicate using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ŠísbvÆProve a predicate with delta-satisfiability, using the default solver.ÃNB. For a version which generalizes over the underlying monad, see ÇîsbvÉProve the predicate with delta-satisfiability using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ŠïsbvÇFind a satisfying assignment for a predicate, using the default solver.ÃNB. For a version which generalizes over the underlying monad, see Žðsbv8Find a satisfying assignment using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ñsbvæFind a delta-satisfying assignment for a predicate, using the default solver for delta-satisfiability.ÃNB. For a version which generalizes over the underlying monad, see òsbv8Find a satisfying assignment using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ósbvÊFind all satisfying assignments, using the default solver. Equivalent to ô . See ô for details.ÃNB. For a version which generalizes over the underlying monad, see ôsbvÇReturn all satisfying assignments for a predicate. Note that this call will block until all satisfying assignments are found. If you have a problem with infinitely many satisfying models (consider »è) or a very large number of them, you might have to wait for a long time. To avoid such cases, use the ‡‘! parameter in the configuration.òNB. Uninterpreted constant/function values and counter-examples for array values are ignored for the purposes of ó¦. That is, only the satisfying assignments modulo uninterpreted functions and array inputs will be returned. This is due to the limitation of not having a robust means of getting a function counter-example back from the SMT solver. Find all satisfying assignments using the given SMT-solverÃNB. For a version which generalizes over the underlying monad, see ŽõsbvOptimize a given collection of ñs.ÃNB. For a version which generalizes over the underlying monad, see Åösbv4Optimizes the objectives using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ÷sbvÈCheck if the constraints given are consistent, using the default solver.ÃNB. For a version which generalizes over the underlying monad, see øsbvÄDetermine if the constraints are vacuous using the given SMT-solver.ÃNB. For a version which generalizes over the underlying monad, see ‘ùsbv,Checks theoremhood using the default solver.ÃNB. For a version which generalizes over the underlying monad, see ’úsbv,Check whether a given property is a theorem.ÃNB. For a version which generalizes over the underlying monad, see “ûsbv/Checks satisfiability using the default solver.ÃNB. For a version which generalizes over the underlying monad, see ”üsbv.Check whether a given property is satisfiable.ÃNB. For a version which generalizes over the underlying monad, see •ýsbv5Run an arbitrary symbolic computation, equivalent to þ ÃNB. For a version which generalizes over the underlying monad, see –þsbvÇRuns an arbitrary symbolic computation, exposed to the user in SAT modeÃNB. For a version which generalizes over the underlying monad, see —ÿsbvÃNB. For a version which generalizes over the underlying monad, see ƒ€sbvÃNB. For a version which generalizes over the underlying monad, see „sbv&Check safety using the default solver.ÃNB. For a version which generalizes over the underlying monad, see Æ‚sbvCheck if any of the Ò calls can be violated.ÃNB. For a version which generalizes over the underlying monad, see …ŒsbvCreate a symbolic variable.ÃNB. For a version which generalizes over the underlying monad, see ºsbv 5, y + z .< x] ÃNB. For a version which generalizes over the underlying monad, see ëêsbv4Introduce a soft assertion, with an optional penaltyÃNB. For a version which generalizes over the underlying monad, see îësbvMinimize a named metricÃNB. For a version which generalizes over the underlying monad, see ïìsbvMaximize a named metricÃNB. For a version which generalizes over the underlying monad, see ðsbv toBytes ((fromBytes [a, b, c, d]) :: SWord 32) .== [a, b, c, d]Q.E.D.ïsbv Convert from a sequence of bytes7prove $ \r -> fromBytes (toBytes r) .== (r :: SWord 64)Q.E.D.ðsbvÿShow a value in detailed (cracked) form, if possible. This makes most sense with numbers, and especially floating-point types.ñsbv½An implementation of rotate-left, using a barrel shifter like design. Only works when both arguments are finite bitvectors, and furthermore when the second argument is unsigned. The first condition is enforced by the type, but the second is dynamically checked. We provide this implementation as an alternative to Œ« since SMTLib logic does not support variable argument rotates (as opposed to shifts), and thus this implementation can produce better code for verification compared to Œ.áprove $ \x y -> (x `sBarrelRotateLeft` y) `sBarrelRotateRight` (y :: SWord32) .== (x :: SWord64)Q.E.D.òsbvÙAn implementation of rotate-right, using a barrel shifter like design. See comments for ñ for details.áprove $ \x y -> (x `sBarrelRotateRight` y) `sBarrelRotateLeft` (y :: SWord32) .== (x :: SWord64)Q.E.D.ósbv7Extract a portion of bits to form a smaller bit-vector.éprove $ \x -> bvExtract (Proxy @7) (Proxy @3) (x :: SWord 12) .== bvDrop (Proxy @4) (bvTake (Proxy @9) x)Q.E.D.ôsbvJoin two bitvectors.Úprove $ \x y -> x .== bvExtract (Proxy @79) (Proxy @71) ((x :: SWord 9) # (y :: SWord 71))Q.E.D.õsbvZero extend a bit-vector.Üprove $ \x -> bvExtract (Proxy @20) (Proxy @12) (zeroExtend (x :: SInt 12) :: SInt 21) .== 0Q.E.D.ösbvSign extend a bit-vector.íprove $ \x -> sNot (msb x) .=> bvExtract (Proxy @20) (Proxy @12) (signExtend (x :: SInt 12) :: SInt 21) .== 0Q.E.D.øprove $ \x -> msb x .=> bvExtract (Proxy @20) (Proxy @12) (signExtend (x :: SInt 12) :: SInt 21) .== complement 0Q.E.D.÷sbv'Drop bits from the top of a bit-vector.5prove $ \x -> bvDrop (Proxy @0) (x :: SWord 43) .== xQ.E.D.Ñprove $ \x -> bvDrop (Proxy @20) (x :: SWord 21) .== ite (lsb x) 1 (0 :: SWord 1)Q.E.D.øsbv'Take bits from the top of a bit-vector.6prove $ \x -> bvTake (Proxy @13) (x :: SWord 13) .== xQ.E.D.Ãprove $ \x -> bvTake (Proxy @1) (x :: SWord 13) .== ite (msb x) 1 0Q.E.D.Ëprove $ \x -> bvTake (Proxy @4) x # bvDrop (Proxy @4) x .== (x :: SWord 23)Q.E.D.ùsbvÂ 1024 instance for íúsbvÂ 512 instance for íûsbvÂ 256 instance for íüsbvÂ 128 instance for íýsbvÂ 64 instance for íþsbvÂ 32 instance for íÿsbvÂ 16 instance for í€ sbvÂ 8 instance for íósbvi : Start position, numbered from n-1 to 0sbvj: End position, numbered from n-1 to 0, j <= i must holdsbvInput bit vector of size nsbvOutput is of size i - j + 1ôsbvFirst input, of size n, becomes the left sidesbvSecond input, of size m, becomes the right sidesbvConcatenation, of size n+mõsbvInput, of size nsbvOutput, of size m. n < m must holdösbvInput, of size nsbvOutput, of size m. n < m must hold÷sbvi: Number of bits to drop. i < n must hold.sbvInput, of size nsbvOutput, of size m. m = n - i holds.øsbvi: Number of bits to take. 0 < i <= n must hold.sbvInput, of size nsbvOutput, of size i¹‘º¶³°•©–¼¸ÓÕ—˜™š›œžŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´±ßÞµšáà¶™·¸¹›º»¼½¾¿ÀÁÂÃÄÅ 89:; sFalse)[]"ranges (\(_ :: SInteger) -> sTrue) [(-oo,oo)]Áranges (\(x :: SInteger) -> sAnd [x .<= 120, x .>= -12, x ./= 3])[[-12,3),(3,120]]Èranges (\(x :: SInteger) -> sAnd [x .<= 75, x .>= 5, x ./= 6, x ./= 67])[[5,6),(6,67),(67,75]]?ranges (\(x :: SInteger) -> sAnd [x .<= 75, x ./= 3, x ./= 67])[(-oo,3),(3,67),(67,75]]6ranges (\(x :: SReal) -> sAnd [x .>= 3.2, x .<= 12.7])[[3.2,12.7]]4ranges (\(x :: SReal) -> sAnd [x .<= 12.7, x ./= 8])[(-oo,8.0),(8.0,12.7]]5ranges (\(x :: SReal) -> sAnd [x .>= 12.7, x ./= 15])[[12.7,15.0),(15.0,oo)]1ranges (\(x :: SInt8) -> sAnd [x .<= 7, x ./= 6])[[-128,6),(6,7]]ranges $ \x -> x .>= (0::SReal) [[0.0,oo)]ranges $ \x -> x .<= (0::SReal)[(-oo,0.0]]$ranges $ \(x :: SWord8) -> 2*x .== 4[[2,3),(129,130]]¶ sbv5Compute ranges, using the given solver configuration.· sbvShow instance for ¯ ¯ ° ± ² ³ ´ µ ¶ ± ² ³ ´ ¯ ° µ ¶ (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂA7¸ sbvÈResult of an inductive proof, with a counter-example in case of failure.$If a proof is found (indicated by a º » result), then the invariant holds and the goal is established once the termination condition holds. If it fails, then it can fail either in an initiation step or in a consecution step:A ¹ result in an ¼ $ step means that the invariant does notÅ hold for the initial state, and thus indicates a true failure.A ¹ result in a ½ step will return a state s¦. This state is known as a CTI (counterexample to inductiveness): It will lead to a violation of the invariant in one step. However, this does not mean the property is invalid: It could be the case that it is simply not inductive. In this case, human intervention---or a smarter algorithm like IC3 for certain domains---is needed to see if one can strengthen the invariant so an inductive proof can be found. How this strengthening can be done remains an art, but the science is improving with algorithms like IC3.A ¹ result in a ¾ ¨ step means that the invariant holds, but assuming the termination condition the goal still does not follow. That is, the partial correctness does not hold.» sbv;A step in an inductive proof. If the tag is present (i.e., Just nmÓ), then the step belongs to the subproof that establishes the strengthening named nm.¿ sbv0Induction engine, using the default solver. See 0Documentation.SBV.Examples.ProofTools.Strengthen and )Documentation.SBV.Examples.ProofTools.Sum for examples.À sbv.Induction engine, configurable with the solverÁ sbvShow instance for » , diagnostic purposes only.Â sbvShow instance for ¸ , diagnostic purposes only.¿ sbvVerbose modesbv.Setup code, if necessary. (Typically used for ™ calls. Pass return () if not needed.)sbvInitial conditionsbvTransition relationsbvStrengthenings, if any. The String is a simple tag.sbv0Invariant that ensures the goal upon terminationsbv/Termination condition and the goal to establishsbvÑEither proven, or a concrete state value that, if reachable, fails the invariant. ¸ º ¹ » ¼ ½ ¾ ¿ À ¸ º ¹ » ¼ ½ ¾ ¿ À (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred#×ÜDÛËsbv1Case analysis on a symbolic list. (Not exported.)Ã sbvBounded fold from the right.Ä sbv$Bounded monadic fold from the right.Å sbvBounded fold from the left.Æ sbv#Bounded monadic fold from the left.Ç sbvBounded sum.È sbvBounded product.É sbvBounded map.Ê sbvBounded monadic map.Ë sbvBounded filter.Ì sbvBounded logical andÍ sbvBounded logical orÎ sbvBounded anyÏ sbvBounded allÐ sbv,Bounded maximum. Undefined if list is empty.Ñ sbv,Bounded minimum. Undefined if list is empty.Ò sbvBounded zipWithÓ sbvBounded element checkÔ sbvBounded reverseÌsbv$Bounded paramorphism (not exported).Ísbv4Insert an element into a sorted list (not exported).Õ sbvBounded insertion sortÃ Ä Å Æ Ç È É Ê Ë Ì Í Î Ï Ð Ñ Ò Ó Ô Õ Ã Ä Å Æ É Ê Ë Ò Ó Ç È Ì Í Î Ï Ð Ñ Ô Õ (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂO±Ö sbv(Bounded fixed-point operation. The call bfix bnd nm f unrolls the recursion in f at most bnd5 times, and uninterprets the function (with the name nm) after the bound is reached.úThis combinator is handy for dealing with recursive definitions that are not symbolically terminating and when the property we are interested in does not require an infinite unrolling, or when we are happy with a bounded proof. In particular, this operator can be used as a basis of software-bounded model checking algorithms built on top of SBV. The bound can be successively refined in a CEGAR like loop as necessary, by analyzing the counter-examples and rejecting them if they are false-negatives.äFor instance, we can define the factorial function using the bounded fixed-point operator like this:ô bfac :: SInteger -> SInteger bfac = bfix 10 "fac" fact where fact f n = ite (n .== 0) 1 (n * f (n-1)) øThis definition unrolls the recursion in factorial at most 10 times before uninterpreting the result. We can now prove:?prove $ \n -> n .>= 1 .&& n .<= 9 .=> bfac n .== n * bfac (n-1)Q.E.D.ÛAnd we would get a bogus counter-example if the proof of our property needs a larger bound:-prove $ \n -> n .== 10 .=> bfac n .== 3628800Falsifiable. Counter-example: s0 = 10 :: Integer fac :: Integer -> Integer fac _ = 2ÃThe counter-example is telling us how it instantiated the function fac< when the recursion bottomed out: It simply made it return 2Ó for all arguments at that point, which provides the (unintended) counter-example.%By design, if a function defined via Ö ª is given a concrete argument, it will unroll the recursion as much as necessary to complete the call (which can of course diverge). The bound only applies if the given argument is symbolic. This fact can be used to observe concrete values to see where the bounded-model-checking approach fails:Ôprove $ \n -> n .== 10 .=> observe "bfac_n" (bfac n) .== observe "bfac_10" (bfac 10)Falsifiable. Counter-example: bfac_10 = 3628800 :: Integer bfac_n = 7257600 :: Integer s0 = 10 :: Integer fac :: Integer -> Integer fac _ = 2ÙHere, we see further evidence that the SMT solver must have decided to assign the value 2ï in the final call just as it was reaching the base case, and thus got the final result incorrect. (Note that 7257600 = 2 * 3628800<.) A wrapper algorithm can then assert the actual value of bfac 10? here as an extra constraint and can search for "deeper bugs."Ö Ö (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂS9× sbv6Bounded model checking, using the default solver. See )Documentation.SBV.Examples.ProofTools.BMC for an example use case.ùNote that the BMC engine does *not* guarantee that the solution is unique. However, if it does find a solution at depth i7, it is guaranteed that there are no shorter solutions.Ø sbv4Bounded model checking, configurable with the solver× sbvOptional boundsbvVerbose: prints iteration countsbv.Setup code, if necessary. (Typically used for ™ calls. Pass return () if not needed.)sbvInitial conditionsbvTransition relationsbvÎGoal to cover, i.e., we find a set of transitions that satisfy this predicate.sbvÔEither a result, or a satisfying path of given length and intermediate observations.× Ø × Ø (c) Brian HuffmanBSD3erkokl@gmail.comexperimental Safe-Inferred_DÙ sbvDynamic variant of quick-checkÚ sbv‹Create SMT-Lib benchmarks. The first argument is the basename of the file, we will automatically add ".smt2" per SMT-Lib2 convention. The Á argument controls whether this is a SAT instance, i.e., translate the query directly, or a PROVE instance, i.e., translate the negated query.Û sbv/Proves the predicate using the given SMT-solverÜ sbv7Find a satisfying assignment using the given SMT-solverÝ sbv'Check safety using the given SMT-solverÞ sbv:Find all satisfying assignments using the given SMT-solverß sbvþProve a property with multiple solvers, running them in separate threads. The results will be returned in the order produced.à sbvªProve a property with multiple solvers, running them in separate threads. Only the result of the first one to finish will be returned, remaining threads will be killed.á sbv¦Prove a property with query mode using multiple threads. Each query computation will spawn a thread and a unique instance of your solver to run asynchronously. The ¸ ¼Ù is duplicated for each thread. This function will block until all child threads return.â sbv¦Prove a property with query mode using multiple threads. Each query computation will spawn a thread and a unique instance of your solver to run asynchronously. The ¸ ¼ú is duplicated for each thread. This function will return the first query computation that completes, killing the others.ã sbv™Find a satisfying assignment to a property with multiple solvers, running them in separate threads. The results will be returned in the order produced.ä sbvÄFind a satisfying assignment to a property with multiple solvers, running them in separate threads. Only the result of the first one to finish will be returned, remaining threads will be killed.å sbvÕFind a satisfying assignment to a property with multiple threads in query mode. The ¸ ¼É represents what is known to all child query threads. Each query thread will spawn a unique instance of the solver. Only the first one to finish will be returned and the other threads will be killed.æ sbvÕFind a satisfying assignment to a property with multiple threads in query mode. The ¸ ¼¶ represents what is known to all child query threads. Each query thread will spawn a unique instance of the solver. This function will block until all child threads have completed.ç sbvžExtract a model, the result is a tuple where the first argument (if True) indicates whether the model was "probable". (i.e., if the solver returned unknown.)è sbv‹Extract a model dictionary. Extract a dictionary mapping the variables to their respective values as returned by the SMT solver. Also see ›œ.é sbvÀCreate a named fresh existential variable in the current contextê sbvÃCreate an unnamed fresh existential variable in the current contextŠijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ»¼½¾¿ÇÆÃÂÀÁÄÅÈÉÊËÌÍÓãäæêåçèéëìíîïðñòóôùþüúûýÿ†‡ˆœŒ‰Š‹Ž‘’“”•–—˜™š›µ¶¸¼ˆ‰Š•œžŸ ¥ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñò¤¥¦§¨©ª«¬®¯°±²³´µƒ„…†‡ˆ‰Š‹Œé ê ë š›œž½¾¿ÀÁÂÃÄÇÈÉÊËÌÍÎÙÛÙ Ú Û Ü Ý Þ ß à á â ã ä å æ ç è é ê Š¼ijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰Š‹ŒŽ»¼½¾¿ÇÆÃÂÀÁÄÅÈÉÊËÌÍÓªíîïðñ¸ˆ‰Šœê é žŸ «¬³®´¯°±²µ¶ÊËÌ·ÍÎÏÐò¸¹º»¼½ÇÈÉ¾ÄÅÆÑÒÓÔÕÖ×ØÙÚÛÜáâãàäåæÀçèéìêëÃÂ¿ÁÝÞß•Û Ü Þ Ý ß à ã ä á â å æ Ù ³´±²ª«¬®¯°¨©¤¥¦§ùþüúûýÿµç è †‡ˆœŒ‰Š‹Ž‘’“”•–—˜™š›µ¶ëìíîïðñòóôãäæêåçèé„…†‡ˆŠ‹‰ƒê Œé ë ¥ž½ÂÀÁÉÊËÌÍÎÄÇÈÃ¾¿š›œÙÛÚ (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÂe´ë sbvFormalizes Ãhttp://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMaxì sbvFormalizes Ãhttp://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMaxí sbvFormalizes Çhttp://graphics.stanford.edu/~seander/bithacks.html#DetectOppositeSignsî sbvFormalizes Ýhttp://graphics.stanford.edu/~seander/bithacks.html#ConditionalSetOrClearBitsWithoutBranchingï sbvFormalizes Çhttp://graphics.stanford.edu/~seander/bithacks.html#DetermineIfPowerOf2ð sbvCollection of queriesë ì í î ï ð ë ì í î ï ð (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredkðñ sbv·Model the mid-point computation of the binary search, which is broken due to arithmetic overflow. Note how we use the overflow checking variants of the arithmetic operators. We have:!checkArithOverflow midPointBrokení./Documentation/SBV/Examples/BitPrecise/BrokenSearch.hs:39:32:+!: SInt32 addition overflows: Violated. Model: low = 2147475456 :: Int32 high = 2147483646 :: Int32Indeed:*(2147475456 + 2147483646) `div` (2::Int32)-4097%giving us a negative mid-point value!ò sbvþThe correct version of how to compute the mid-point. As expected, this version doesn't have any underflow or overflow issues: checkArithOverflow midPointFixedNo violations detected.1As expected, the value is computed correctly too:"checkCorrectMidValue midPointFixedQ.E.D.ó sbvÁShow that the variant suggested by the blog post is good as well:4mid = ((unsigned int)low + (unsigned int)high) >> 1;ÓIn this case the overflow is eliminated by doing the computation at a wider range:&checkArithOverflow midPointAlternativeNo violations detected.)And the value computed is indeed correct:(checkCorrectMidValue midPointAlternativeQ.E.D.ô sbv=A helper predicate to check safety under the conditions that low is at least 0 and high is at least low.õ sbvAnother helper to show that the result is actually the correct value, if it was done over 64-bit integers, which is sufficiently large enough.ñ ò ó ô õ ñ ò ó ô õ (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1;={l(ö sbv4Helper synonym for capturing relevant bits of Mostek÷ sbvAn instruction is modeled as a ø Í transformer. We model mostek programs in direct continuation passing style.ø sbvÂPrograms are essentially state transformers (on the machine state)ù sbv0Given a machine state, compute a value out of itú sbvÜAbstraction of the machine: The CPU consists of memory, registers, and flags. Unlike traditional hardware, we assume the program is stored in some other memory area that we need not model. (No self modifying programs!)ú + is equipped with an automatically derived §! instance because each field is §.ÿ sbv2Memory is simply an array from locations to values€sbv?We have three memory locations, sufficient to model our problemsbvmultiplicand‚sbv multiplierƒsbv'low byte of the result gets stored here„sbv Flag bank…sbv Register bank†sbv-Convenient synonym for symbolic machine bits.‡sbvMostek was an 8-bit machine.ˆsbvThe carry flag (‰) and the zero flag (Š)‹sbvØWe model only two registers of Mostek that is used in the above algorithm, can add more.Žsbv!Get the value of a given registersbv!Set the value of a given registersbvGet the value of a flag‘sbvSet the value of a flag’sbvRead memory“sbvWrite to memory”sbv.Checking overflow. In Legato's multiplier the ADC¨ instruction needs to see if the expression x + y + c overflowed, as checked by this function. Note that we verify the correctness of this check separately below in •.•sbvCorrectness theorem for our ” implementation.We have:checkOverflowCorrectQ.E.D.–sbvLDX: Set register X to value v—sbvLDA: Set register A to value v˜sbvCLC: Clear the carry flag™sbv9ROR, memory version: Rotate the value at memory location aÐ to the right by 1 bit, using the carry flag as a transfer position. That is, the final bit of the memory location becomes the new carry and the carry moves over to the first bit. This very instruction is one of the reasons why Legato's multiplier is quite hard to understand and is typically presented as a verification challenge.šsbvROR, register version: Same as ™, except through register r.›sbvBCC: branch to label l if the carry flag is sFalseœsbv%ADC: Increment the value of register A. by the value of memory contents at location a7, using the carry-bit as the carry-in for the addition.sbv%DEX: Decrement the value of register Xžsbv&BNE: Branch if the zero-flag is sFalseŸsbvThe ŸÕ combinator "stops" our program, providing the final continuation that does nothing. sbvMultiplies the contents of F1 and F2), storing the low byte of the result in LO% and the high byte of it in register Aí. The implementation is a direct transliteration of Legato's algorithm given at the top, using our notation.¡sbvGiven values for F1 and F2, runLegato" takes an arbitrary machine state m; and returns the high and low bytes of the multiplication.¢sbvûCreate an instance of the Mostek machine, initialized by the memory and the relevant values of the registers and the flags£sbvÎThe correctness theorem. For all possible memory configurations, the factors (x and yÇ below), the location of the low-byte result and the initial-values of registers and the flags, this function will return True only if running Legato's algorithm does indeed compute the product of x and y correctly.¤sbvThe correctness theorem.¥sbvÆGenerate a C program that implements Legato's algorithm automatically.0ö ÷ ø ù ú ý ü þ û ÿ €ƒ‚„…†‡ˆŠ‰‹ŒŽ‘’“”•–—˜™š›œžŸ ¡¢£¤¥0‹ŒˆŠ‰‡†…„€ƒ‚ÿ ú ý ü þ û ù ø Ž‘’“”•÷ –—˜™š›œžŸ ¡ö ¢£¤¥(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredµ´sbvÉElement type of lists we'd like to sort. For simplicity, we'll just use Ã) here, but we can pick any symbolic type.µsbv5Merging two given sorted lists, preserving the order.¶sbv¥Simple merge-sort implementation. We simply divide the input list in two halves so long as it has at least two elements, sort each half on its own, and then merge.·sbv1Check whether a given sequence is non-decreasing.¸sbvèCheck whether two given sequences are permutations. We simply check that each sequence is a subset of the other, when considered as a set. The check is slightly complicated for the need to account for possibly duplicated elements.¹sbv¹Asserting correctness of merge-sort for a list of the given size. Note that we can only check correctness for fixed-size lists. Also, the proof will get more and more complicated for the backend SMT solver as the list size increases. A value around 5 or 6 should be fairly easy to prove. For instance, we have: correctness 5Q.E.D.ºsbv3Generate C code for merge-sorting an array of size nã. Again, we're restricted to fixed size inputs. While the output is not how one would code merge sort in C by hand, it's a faithful rendering of all the operations merge-sort would do as described by its Haskell counterpart.´µ¶·¸¹º´µ¶·¸¹º (c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred„Ð»sbv7Find the multiplier and the mask as described. We have:maskAndMultSatisfiable. Model:% mask = 0x8080808080808080 :: Word64% mult = 0x0002040810204081 :: Word64øThat is, any 64 bit value masked by the first and multiplied by the second value above will have its bits at positions [7,15,23,31,39,47,55,63] moved to positions [56,57,58,59,60,61,62,63] respectively.•NB. Depending on your z3 version, you might also get the following multiplier as the result: 0x8202040810204081. That value works just fine as well!õNB. Note the custom call to z3 with a specific tactic. A simple call to z3 unfortunately does not terminate quickly.»»!(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×Ü‰Ò ¼sbvÉA poor man's representation of powerlists and basic operations on them: (http://dl.acm.org/citation.cfm?id=1973564 We merely represent power-lists by ordinary lists.½sbv The tie operator, concatenation.¾sbváThe zip operator, zips the power-lists of the same size, returns a powerlist of double the size.¿sbvInverse of zipping.ÀsbvReference prefix sum (ps) is simply Haskell's scanl1 function.ÁsbvThe Ladner-Fischer (lf$) implementation of prefix-sum. See Êhttp://www.cs.utexas.edu/~plaxton/c/337/05f/slides/ParallelRecursion-4.pdf or pg. 16 of (http://dl.acm.org/citation.cfm?id=197356ÂsbvçCorrectness theorem, for a powerlist of given size, an associative operator, and its left-unit element.ÃsbvÎProves Ladner-Fischer is equivalent to reference specification for addition. 0; is the left-unit element, and we use a power-list of size 8 . We have:thm1Q.E.D.ÄsbvÐProves Ladner-Fischer is equivalent to reference specification for the function max. 0; is the left-unit element, and we use a power-list of size 16 . We have:thm2Q.E.D. ¼½¾¿ÀÁÂÃÄ ¼½¾¿ÀÁÂÃÄ"(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred“ÝÅsbv,Simple function that returns add/sum of argsÆsbvËGenerate C code for addSub. Here's the output showing the generated C code: genAddSubé%== BEGIN: "Makefile" ================Ã# Makefile for addSub. Automatically generated by SBV. Do not edit!=# include any user-defined .mk file in the current directory. -include *.mkCC?=gcc0CCFLAGS?=-Wall -O3 -DNDEBUG -fomit-frame-pointerall: addSub_driveraddSub.o: addSub.c addSub.h ${CC} ${CCFLAGS} -c $< -o $@ addSub_driver.o: addSub_driver.c ${CC} ${CCFLAGS} -c $< -o $@'addSub_driver: addSub.o addSub_driver.o ${CC} ${CCFLAGS} $^ -o $@clean: rm -f *.overyclean: clean rm -f addSub_driver%== END: "Makefile" ==================%== BEGIN: "addSub.h" ================Ê/* Header file for addSub. Automatically generated by SBV. Do not edit! */##ifndef __addSub__HEADER_INCLUDED__##define __addSub__HEADER_INCLUDED__#include #include #include #include #include #include #include /* The boolean type */typedef bool SBool;/* The float type */typedef float SFloat;/* The double type */typedef double SDouble;/* Unsigned bit-vectors */typedef uint8_t SWord8;typedef uint16_t SWord16;typedef uint32_t SWord32;typedef uint64_t SWord64;/* Signed bit-vectors */typedef int8_t SInt8;typedef int16_t SInt16;typedef int32_t SInt32;typedef int64_t SInt64;/* Entry point prototype: */8void addSub(const SWord8 x, const SWord8 y, SWord8 *sum, SWord8 *dif);(#endif /* __addSub__HEADER_INCLUDED__ */%== END: "addSub.h" ==================,== BEGIN: "addSub_driver.c" ================(/* Example driver program for addSub. */:/* Automatically generated by SBV. Edit as you see fit! */#include #include "addSub.h"int main(void){ SWord8 sum; SWord8 dif; addSub(132, 241, &sum, &dif);. printf("addSub(132, 241, &sum, &dif) ->\n");$ printf(" sum = %"PRIu8"\n", sum);$ printf(" dif = %"PRIu8"\n", dif); return 0;},== END: "addSub_driver.c" ==================%== BEGIN: "addSub.c" ================Ä/* File: "addSub.c". Automatically generated by SBV. Do not edit! */#include "addSub.h"8void addSub(const SWord8 x, const SWord8 y, SWord8 *sum, SWord8 *dif){ const SWord8 s0 = x; const SWord8 s1 = y; const SWord8 s2 = s0 + s1; const SWord8 s3 = s0 - s1; *sum = s2; *dif = s3;}%== END: "addSub.c" ==================ÅÆÅÆ#(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred™|ÇsbvThe USB CRC polynomial: x^5 + x^2 + 1â. Although this polynomial needs just 6 bits to represent (5 if higher order bit is implicitly assumed to be set), we'll simply use a 16 bit number for its representation to keep things simple for code generation purposes.Èsbv‰Given an 11 bit message, compute the CRC of it using the USB polynomial, which is 5 bits, and then append it to the msg to get a 16-bit word. Again, the incoming 11-bits is represented as a 16-bit word, with 5 highest bits essentially ignored for input purposes.Ésbv(Alternate method for computing the CRC, mathematically´. We shift the number to the left by 5, and then compute the remainder from the polynomial division by the USB polynomial. The result is then appended to the end of the message.ÊsbvProve that the custom Ú Þ function is equivalent to the mathematical definition of CRC's for 11 bit messages. We have:crcGoodQ.E.D.ËsbvÏGenerate a C function to compute the USB CRC, using the internal CRC function.ÌsbvGenerate a C function to compute the USB CRC, using the mathematical definition of the CRCs. While this version generates functionally equivalent C code, it's less efficient; it has about 30% more code. So, the above version is preferable for code generation purposes.ÇÈÉÊËÌÇÈÉÊËÌ$*(c) Lee Pike Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred¯SÍsbvãThis is a naive implementation of fibonacci, and will work fine (albeit slow) for concrete inputs:map fib0 [0..6]Ü[0 :: SWord64,1 :: SWord64,1 :: SWord64,2 :: SWord64,3 :: SWord64,5 :: SWord64,8 :: SWord64]However, it is not suitable for doing proofs or generating code, as it is not symbolically terminating when it is called with a symbolic value n. When we recursively call fib0 on n-1 (or n-2), the test against 0Œ will always explore both branches since the result will be symbolic, hence will not terminate. (An integrated theorem prover can establish termination after a certain number of unrollings, but this would be quite expensive to implement, and would be impractical.)ÎsbvãThe recursion-depth limited version of fibonacci. Limiting the maximum number to be 20, we can say:map (fib1 20) [0..6]Ü[0 :: SWord64,1 :: SWord64,1 :: SWord64,2 :: SWord64,3 :: SWord64,5 :: SWord64,8 :: SWord64]ËThe function will work correctly, so long as the index we query is at most top*, and otherwise will return the value at topý. Note that we also use accumulating parameters here for efficiency, although this is orthogonal to the termination concern. A note on modular arithmetic: The 64-bit word we use to represent the values will of course eventually overflow, beware! Fibonacci is a fast growing function..ÏsbvWe can generate code for Î using the ÏÔ action. Note that the generated code will grow larger as we pick larger values of topÉ, but only linearly, thanks to the accumulating parameter trick used by ÎÄ. The following is an excerpt from the code generated for the call genFib1 10;, where the code will work correctly for indexes up to 10:Œ SWord64 fib1(const SWord64 x) { const SWord64 s0 = x; const SBool s2 = s0 == 0x0000000000000000ULL; const SBool s4 = s0 == 0x0000000000000001ULL; const SBool s6 = s0 == 0x0000000000000002ULL; const SBool s8 = s0 == 0x0000000000000003ULL; const SBool s10 = s0 == 0x0000000000000004ULL; const SBool s12 = s0 == 0x0000000000000005ULL; const SBool s14 = s0 == 0x0000000000000006ULL; const SBool s17 = s0 == 0x0000000000000007ULL; const SBool s19 = s0 == 0x0000000000000008ULL; const SBool s22 = s0 == 0x0000000000000009ULL; const SWord64 s25 = s22 ? 0x0000000000000022ULL : 0x0000000000000037ULL; const SWord64 s26 = s19 ? 0x0000000000000015ULL : s25; const SWord64 s27 = s17 ? 0x000000000000000dULL : s26; const SWord64 s28 = s14 ? 0x0000000000000008ULL : s27; const SWord64 s29 = s12 ? 0x0000000000000005ULL : s28; const SWord64 s30 = s10 ? 0x0000000000000003ULL : s29; const SWord64 s31 = s8 ? 0x0000000000000002ULL : s30; const SWord64 s32 = s6 ? 0x0000000000000001ULL : s31; const SWord64 s33 = s4 ? 0x0000000000000001ULL : s32; const SWord64 s34 = s2 ? 0x0000000000000000ULL : s33; return s34; }Ðsbv,Compute the fibonacci numbers statically at code-generation0 time and put them in a table, accessed by the © call. Ñsbv Once we have Ðó, we can generate the C code straightforwardly. Below is an excerpt from the code that SBV generates for the call genFib2 64Ç. Note that this code is a constant-time look-up table implementation of fibonacci, with no run-time overhead. The index can be made arbitrarily large, naturally. (Note that this function returns 0> if the index is larger than 64, as specified by the call to © with default 0.)ÓSWord64 fibLookup(const SWord64 x) { const SWord64 s0 = x; static const SWord64 table0[] = { 0x0000000000000000ULL, 0x0000000000000001ULL, 0x0000000000000001ULL, 0x0000000000000002ULL, 0x0000000000000003ULL, 0x0000000000000005ULL, 0x0000000000000008ULL, 0x000000000000000dULL, 0x0000000000000015ULL, 0x0000000000000022ULL, 0x0000000000000037ULL, 0x0000000000000059ULL, 0x0000000000000090ULL, 0x00000000000000e9ULL, 0x0000000000000179ULL, 0x0000000000000262ULL, 0x00000000000003dbULL, 0x000000000000063dULL, 0x0000000000000a18ULL, 0x0000000000001055ULL, 0x0000000000001a6dULL, 0x0000000000002ac2ULL, 0x000000000000452fULL, 0x0000000000006ff1ULL, 0x000000000000b520ULL, 0x0000000000012511ULL, 0x000000000001da31ULL, 0x000000000002ff42ULL, 0x000000000004d973ULL, 0x000000000007d8b5ULL, 0x00000000000cb228ULL, 0x0000000000148addULL, 0x0000000000213d05ULL, 0x000000000035c7e2ULL, 0x00000000005704e7ULL, 0x00000000008cccc9ULL, 0x0000000000e3d1b0ULL, 0x0000000001709e79ULL, 0x0000000002547029ULL, 0x0000000003c50ea2ULL, 0x0000000006197ecbULL, 0x0000000009de8d6dULL, 0x000000000ff80c38ULL, 0x0000000019d699a5ULL, 0x0000000029cea5ddULL, 0x0000000043a53f82ULL, 0x000000006d73e55fULL, 0x00000000b11924e1ULL, 0x000000011e8d0a40ULL, 0x00000001cfa62f21ULL, 0x00000002ee333961ULL, 0x00000004bdd96882ULL, 0x00000007ac0ca1e3ULL, 0x0000000c69e60a65ULL, 0x0000001415f2ac48ULL, 0x000000207fd8b6adULL, 0x0000003495cb62f5ULL, 0x0000005515a419a2ULL, 0x00000089ab6f7c97ULL, 0x000000dec1139639ULL, 0x000001686c8312d0ULL, 0x000002472d96a909ULL, 0x000003af9a19bbd9ULL, 0x000005f6c7b064e2ULL, 0x000009a661ca20bbULL }; const SWord64 s65 = s0 >= 65 ? 0x0000000000000000ULL : table0[s0]; return s65; }ÍÎÏÐÑÍÎÏÐÑ%(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred¼YÒsbv>The symbolic GCD algorithm, over two 8-bit numbers. We define sgcd a 0 to be a for all a, which implies sgcd 0 0 = 0’. Note that this is essentially Euclid's algorithm, except with a recursion depth counter. We need the depth counter since the algorithm is not symbolically terminatingÅ, as we don't have a means of determining that the second argument (b€) will eventually reach 0 in a symbolic context. Hence we stop after 12 iterations. Why 12? We've empirically determined that this algorithm will recurse at most 12 times for arbitrary 8-bit numbers. Of course, this is a claim that we shall prove below.ÓsbvWe have:prove sgcdIsCorrectQ.E.D.ÔsbvàThis call will generate the required C files. The following is the function body generated for Ò,. (We are not showing the generated header, MakefileÖ, and the driver programs for brevity.) Note that the generated function is a constant time algorithm for GCD. It is not necessarily fastest, but it will take precisely the same amount of time for all values of x and y.¨/* File: "sgcd.c". Automatically generated by SBV. Do not edit! */ #include #include #include #include #include #include "sgcd.h" SWord8 sgcd(const SWord8 x, const SWord8 y) { const SWord8 s0 = x; const SWord8 s1 = y; const SBool s3 = s1 == 0; const SWord8 s4 = (s1 == 0) ? s0 : (s0 % s1); const SWord8 s5 = s3 ? s0 : s4; const SBool s6 = 0 == s5; const SWord8 s7 = (s5 == 0) ? s1 : (s1 % s5); const SWord8 s8 = s6 ? s1 : s7; const SBool s9 = 0 == s8; const SWord8 s10 = (s8 == 0) ? s5 : (s5 % s8); const SWord8 s11 = s9 ? s5 : s10; const SBool s12 = 0 == s11; const SWord8 s13 = (s11 == 0) ? s8 : (s8 % s11); const SWord8 s14 = s12 ? s8 : s13; const SBool s15 = 0 == s14; const SWord8 s16 = (s14 == 0) ? s11 : (s11 % s14); const SWord8 s17 = s15 ? s11 : s16; const SBool s18 = 0 == s17; const SWord8 s19 = (s17 == 0) ? s14 : (s14 % s17); const SWord8 s20 = s18 ? s14 : s19; const SBool s21 = 0 == s20; const SWord8 s22 = (s20 == 0) ? s17 : (s17 % s20); const SWord8 s23 = s21 ? s17 : s22; const SBool s24 = 0 == s23; const SWord8 s25 = (s23 == 0) ? s20 : (s20 % s23); const SWord8 s26 = s24 ? s20 : s25; const SBool s27 = 0 == s26; const SWord8 s28 = (s26 == 0) ? s23 : (s23 % s26); const SWord8 s29 = s27 ? s23 : s28; const SBool s30 = 0 == s29; const SWord8 s31 = (s29 == 0) ? s26 : (s26 % s29); const SWord8 s32 = s30 ? s26 : s31; const SBool s33 = 0 == s32; const SWord8 s34 = (s32 == 0) ? s29 : (s29 % s32); const SWord8 s35 = s33 ? s29 : s34; const SBool s36 = 0 == s35; const SWord8 s37 = s36 ? s32 : s35; const SWord8 s38 = s33 ? s29 : s37; const SWord8 s39 = s30 ? s26 : s38; const SWord8 s40 = s27 ? s23 : s39; const SWord8 s41 = s24 ? s20 : s40; const SWord8 s42 = s21 ? s17 : s41; const SWord8 s43 = s18 ? s14 : s42; const SWord8 s44 = s15 ? s11 : s43; const SWord8 s45 = s12 ? s8 : s44; const SWord8 s46 = s9 ? s5 : s45; const SWord8 s47 = s6 ? s1 : s46; const SWord8 s48 = s3 ? s0 : s47; return s48; }ÒÓÔÒÓÔ&(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÓGÕsbv¨Given a 64-bit quantity, the simplest (and obvious) way to count the number of bits that are set in it is to simply walk through all the bits and add 1 to a running count. This is slow, as it requires 64 iterations, but is simple and easy to convince yourself that it is correct. For instance:popCountSlow 0x0123456789ABCDEF32 :: SWord8ÖsbvÅFaster version. This is essentially the same algorithm, except we go 8 bits at a time instead of one by one, by using a precomputed table of population-count values for each byte. This algorithm loops= only 8 times, and hence is at least 8 times more efficient.×sbv·Look-up table, containing population counts for all possible 8-bit value, from 0 to 255. Note that we do not "hard-code" the values, but merely use the slow version to compute them.ØsbvßStates the correctness of faster population-count algorithm, with respect to the reference slow version. Turns out Z3's default solver is rather slow for this one, but there's a magic incantation to make it go fast. See )http://github.com/Z3Prover/z3/issues/1150 for details.ølet cmd = "(check-sat-using (then (using-params ackermannize_bv :div0_ackermann_limit 1000000) simplify bit-blast sat))"0proveWith z3{satCmd = cmd} fastPopCountIsCorrectQ.E.D.ÙsbvöNot only we can prove that faster version is correct, but we can also automatically generate C code to compute population-counts for us. This action will generate all the C files that you will need, including a driver program for test purposes.'Below is the generated header file for Ö:genPopCountInCŠ%== BEGIN: "Makefile" ================Å# Makefile for popCount. Automatically generated by SBV. Do not edit!=# include any user-defined .mk file in the current directory. -include *.mkCC?=gcc0CCFLAGS?=-Wall -O3 -DNDEBUG -fomit-frame-pointerall: popCount_driver!popCount.o: popCount.c popCount.h ${CC} ${CCFLAGS} -c $< -o $@$popCount_driver.o: popCount_driver.c ${CC} ${CCFLAGS} -c $< -o $@-popCount_driver: popCount.o popCount_driver.o ${CC} ${CCFLAGS} $^ -o $@clean: rm -f *.overyclean: clean rm -f popCount_driver%== END: "Makefile" =================='== BEGIN: "popCount.h" ================Ì/* Header file for popCount. Automatically generated by SBV. Do not edit! */%#ifndef __popCount__HEADER_INCLUDED__%#define __popCount__HEADER_INCLUDED__#include #include #include #include #include #include #include /* The boolean type */typedef bool SBool;/* The float type */typedef float SFloat;/* The double type */typedef double SDouble;/* Unsigned bit-vectors */typedef uint8_t SWord8;typedef uint16_t SWord16;typedef uint32_t SWord32;typedef uint64_t SWord64;/* Signed bit-vectors */typedef int8_t SInt8;typedef int16_t SInt16;typedef int32_t SInt32;typedef int64_t SInt64;/* Entry point prototype: */!SWord8 popCount(const SWord64 x);*#endif /* __popCount__HEADER_INCLUDED__ */'== END: "popCount.h" ==================.== BEGIN: "popCount_driver.c" ================*/* Example driver program for popCount. */:/* Automatically generated by SBV. Edit as you see fit! */#include #include "popCount.h"int main(void){: const SWord8 __result = popCount(0x1b02e143e4f0e0e5ULL);Ã printf("popCount(0x1b02e143e4f0e0e5ULL) = %"PRIu8"\n", __result); return 0;}.== END: "popCount_driver.c" =================='== BEGIN: "popCount.c" ================Æ/* File: "popCount.c". Automatically generated by SBV. Do not edit! */#include "popCount.h" SWord8 popCount(const SWord64 x){ const SWord64 s0 = x;" static const SWord8 table0[] = {Ç 0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3,Ç 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4,Ç 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2,Ç 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5,Ç 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5,Ç 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 1, 2, 2, 3,Ç 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4,Ç 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,Ç 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 2, 3, 3, 4, 3, 4,Ç 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6,Ç 5, 6, 6, 7, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7, 4, 5,. 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8 };1 const SWord64 s11 = s0 & 0x00000000000000ffULL;" const SWord8 s12 = table0[s11]; const SWord64 s14 = s0 >> 8;2 const SWord64 s15 = 0x00000000000000ffULL & s14;" const SWord8 s16 = table0[s15]; const SWord8 s17 = s12 + s16; const SWord64 s18 = s14 >> 8;2 const SWord64 s19 = 0x00000000000000ffULL & s18;" const SWord8 s20 = table0[s19]; const SWord8 s21 = s17 + s20; const SWord64 s22 = s18 >> 8;2 const SWord64 s23 = 0x00000000000000ffULL & s22;" const SWord8 s24 = table0[s23]; const SWord8 s25 = s21 + s24; const SWord64 s26 = s22 >> 8;2 const SWord64 s27 = 0x00000000000000ffULL & s26;" const SWord8 s28 = table0[s27]; const SWord8 s29 = s25 + s28; const SWord64 s30 = s26 >> 8;2 const SWord64 s31 = 0x00000000000000ffULL & s30;" const SWord8 s32 = table0[s31]; const SWord8 s33 = s29 + s32; const SWord64 s34 = s30 >> 8;2 const SWord64 s35 = 0x00000000000000ffULL & s34;" const SWord8 s36 = table0[s35]; const SWord8 s37 = s33 + s36; const SWord64 s38 = s34 >> 8;2 const SWord64 s39 = 0x00000000000000ffULL & s38;" const SWord8 s40 = table0[s39]; const SWord8 s41 = s37 + s40; return s41;}'== END: "popCount.c" ==================ÕÖ×ØÙÕÖ×ØÙ'(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred×ÚsbvÕA definition of shiftLeft that can deal with variable length shifts. (Note that the Þ method from the ° class requires an ‘£ shift amount.) Unfortunately, this'll generate rather clumsy C code due to the use of tables etc., so we uninterpret it for code generation purposes using the ¤ function.Ûsbv¾Test function that uses shiftLeft defined above. When used as a normal Haskell function or in verification the definition is fully used, i.e., no uninterpretation happens. To wit, we have:tstShiftLeft 3 4 5224 :: SWord32,prove $ \x y -> tstShiftLeft x y 0 .== x + yQ.E.D.Üsbv¡Generate C code for "tstShiftLeft". In this case, SBV will *use* the user given definition verbatim, instead of generating code for it. (Also see the functions Ç, È, and Ä.)ÚÛÜÚÛÜ((c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1Î÷-Ýsbv¬The key schedule. AES executes in rounds, and it treats first and last round keys slightly differently than the middle ones. We reflect that choice by being explicit about it in our type. The length of the middle list of keys depends on the key-size, which in turn determines the number of rounds.Þsbv×The key, which can be 128, 192, or 256 bits. Represented as a sequence of 32-bit words.ßsbvÊAES state. The state consists of four 32-bit words, each of which is in turn treated as four GF28's, i.e., 4 bytes. The T-Box implementation keeps the four-bytes together for efficient representation.àsbvœAn element of the Galois Field 2^8, which are essentially polynomials with maximum degree 7. They are conveniently represented as values between 0 and 255.ásbvíMultiplication in GF(2^8). This is simple polynomial multiplication, followed by the irreducible polynomial x^8+x^4+x^3+x^1+1. We simply use the Ñ 0 function exported by SBV to do the operation. âsbv‚Exponentiation by a constant in GF(2^8). The implementation uses the usual square-and-multiply trick to speed up the computation.ãsbvùComputing inverses in GF(2^8). By the mathematical properties of GF(2^8) and the particular irreducible polynomial used x^8+x^5+x^3+x^1+1û, it turns out that raising to the 254 power gives us the multiplicative inverse. Of course, we can prove this using SBV::prove $ \x -> x ./= 0 .=> x `gf28Mult` gf28Inverse x .== 1Q.E.D.Note that we exclude 0? in our theorem, as it does not have a multiplicative inverse.äsbv4Rotating a state row by a fixed amount to the right.åsbvÏDefinition of round-constants, as specified in Section 5.2 of the AES standard.æsbvThe InvMixColumns° transformation, as described in Section 5.3.3 of the standard. Note that this transformation is only used explicitly during key-expansion in the T-Box implementation of AES.çsbvKey expansion. Starting with the given key, returns an infinite sequence of words, as described by the AES standard, Section 5.2, Figure 11.èsbv·The values of the AES S-box table. Note that we describe the S-box programmatically using the mathematical construction given in Section 5.1.1 of the standard. However, the code-generation will turn this into a mere look-up table, as it is just a constant table, all computation being done at "compile-time".ésbv÷The sbox transformation. We simply select from the sbox table. Note that we are obliged to give a default value (here 0Á) to be used if the index is out-of-bounds as required by SBV's ©× function. However, that will never happen since the table has all 256 elements in it.êsbvÏThe values of the inverse S-box table. Again, the construction is programmatic.ësbv!The inverse s-box transformation.ìsbvProve that the é and ë are inverses. We have:prove sboxInverseCorrectQ.E.D.ísbv…Adding the round-key to the current state. We simply exploit the fact that addition is just xor in implementing this transformation.îsbv.T-box table generation function for encryptionïsbv&First look-up table used in encryptionðsbv'Second look-up table used in encryptionñsbv&Third look-up table used in encryptionòsbv'Fourth look-up table used in encryptionósbv.T-box table generating function for decryptionôsbv&First look-up table used in decryptionõsbv'Second look-up table used in decryptionösbv&Third look-up table used in decryption÷sbv'Fourth look-up table used in decryptionøsbvƒGeneric round function. Given the function to perform one round, a key-schedule, and a starting state, it performs the AES rounds.ùsbv‘One encryption round. The first argument indicates whether this is the final round or not, in which case the construction is slightly different.úsbvüOne decryption round. Similar to the encryption round, the first argument indicates whether this is the final round or not.ûsbvÔKey schedule. Given a 128, 192, or 256 bit key, expand it to get key-schedules for encryption and decryption. The key is given as a sequence of 32-bit words. (4 elements for 128-bits, 6 for 192, and 8 for 256.)üsbvÌBlock encryption. The first argument is the plain-text, which must have precisely 4 elements, for a total of 128-bits of input. The second argument is the key-schedule to be used, obtained by a call to ûÈ. The output will always have 4 32-bit words, which is the cipher-text.ýsbv3Block decryption. The arguments are the same as in üà, except the first argument is the cipher-text and the output is the corresponding plain-text.þsbv?128-bit encryption test, from Appendix C.1 of the AES standard:map hex8 t128Enc-["69c4e0d8","6a7b0430","d8cdb780","70b4c55a"]ÿsbv?128-bit decryption test, from Appendix C.1 of the AES standard:map hex8 t128Dec-["00112233","44556677","8899aabb","ccddeeff"]€sbv?192-bit encryption test, from Appendix C.2 of the AES standard:map hex8 t192Enc-["dda97ca4","864cdfe0","6eaf70a0","ec0d7191"]sbv?192-bit decryption test, from Appendix C.2 of the AES standard:map hex8 t192Dec-["00112233","44556677","8899aabb","ccddeeff"]‚sbv:256-bit encryption, from Appendix C.3 of the AES standard:map hex8 t256Enc-["8ea2b7ca","516745bf","eafc4990","4b496089"]ƒsbv:256-bit decryption, from Appendix C.3 of the AES standard:map hex8 t256Dec-["00112233","44556677","8899aabb","ccddeeff"]„sbv;Correctness theorem for 128-bit AES. Ideally, we would run: prove aes128IsCorrect ¾to get a proof automatically. Unfortunately, while SBV will successfully generate the proof obligation for this theorem and ship it to the SMT solver, it would be naive to expect the SMT-solver to finish that proof in any reasonable time with the currently available SMT solving technologies. Instead, we can issue: quickCheck aes128IsCorrect €and get some degree of confidence in our code. Similar predicates can be easily constructed for 192, and 256 bit cases as well.…sbv+Code generation for 128-bit AES encryption.ÝThe following sample from the generated code-lines show how T-Boxes are rendered as C arrays:® static const SWord32 table1[] = { 0xc66363a5UL, 0xf87c7c84UL, 0xee777799UL, 0xf67b7b8dUL, 0xfff2f20dUL, 0xd66b6bbdUL, 0xde6f6fb1UL, 0x91c5c554UL, 0x60303050UL, 0x02010103UL, 0xce6767a9UL, 0x562b2b7dUL, 0xe7fefe19UL, 0xb5d7d762UL, 0x4dababe6UL, 0xec76769aUL, ... } šThe generated program has 5 tables (one sbox table, and 4-Tboxes), all converted to fast C arrays. Here is a sample of the generated straightline C-code:ª const SWord8 s1915 = (SWord8) s1912; const SWord8 s1916 = table0[s1915]; const SWord16 s1917 = (((SWord16) s1914) << 8) | ((SWord16) s1916); const SWord32 s1918 = (((SWord32) s1911) << 16) | ((SWord32) s1917); const SWord32 s1919 = s1844 ^ s1918; const SWord32 s1920 = s1903 ^ s1919; øThe GNU C-compiler does a fine job of optimizing this straightline code to generate a fairly efficient C implementation.†sbvÇComponents of the AES implementation that the library is generated from‡sbv8Generate code for AES functionality; given the key size.ˆsbvÅGenerate a C library, containing functions for performing 128-bit encdecÙkey-expansion. A note on performance: In a very rough speed test, the generated code was able to do 6.3 million block encryptions per second on a decent MacBook Pro. On the same machine, OpenSSL reports 8.2 million block encryptions per second. So, the generated code is about 25% slower as compared to the highly optimized OpenSSL implementation. (Note that the speed test was done somewhat simplistically, so these numbers should be considered very rough estimates.)‰sbvFor doctest purposes only„sbvplain-text wordssbv key-wordssbv+True if round-trip gives us plain-text back-ÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰-àáâãßÞÝäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ€‚ƒ„…†‡ˆ‰)(c) Austin SeippBSD3erkokl@gmail.comexperimental Safe-InferredÜÙ Šsbv:Represents the current state of the RC4 stream: it is the S array along with the i and j index values used by the PRGA.‹sbvThe key is a stream of ¼ values.ŒsbvÚRC4 State contains 256 8-bit values. We use the symbolically accessible full-binary type Óþ to represent the state, since RC4 needs access to the array via a symbolic index and it's important to minimize access time.sbvÓConstruct the fully balanced initial tree, where the leaves are simply the numbers 0 through 255.Žsbv$Swaps two elements in the RC4 array.sbvÚImplements the PRGA used in RC4. We return the new state and the next key value generated.sbvÀConstructs the state to be used by the PRGA using the given key.‘sbvÃThe key-schedule. Note that this function returns an infinite list.’sbv0Generate a key-schedule from a given key-string.“sbvðRC4 encryption. We generate key-words and xor it with the input. The following test-vectors are from Wikipedia http://en.wikipedia.org/wiki/RC4:*concatMap hex2 $ encrypt "Key" "Plaintext""bbf316e8d940af0ad3"'concatMap hex2 $ encrypt "Wiki" "pedia""1021bf0420"2concatMap hex2 $ encrypt "Secret" "Attack at dawn""45a01f645fc35b383552544b9bf5"”sbv×RC4 decryption. Essentially the same as decryption. For the above test vectors we have:Ädecrypt "Key" [0xbb, 0xf3, 0x16, 0xe8, 0xd9, 0x40, 0xaf, 0x0a, 0xd3]"Plaintext"-decrypt "Wiki" [0x10, 0x21, 0xbf, 0x04, 0x20]"pedia"ådecrypt "Secret" [0x45, 0xa0, 0x1f, 0x64, 0x5f, 0xc3, 0x5b, 0x38, 0x35, 0x52, 0x54, 0x4b, 0x9b, 0xf5]"Attack at dawn"•sbvõProve that round-trip encryption/decryption leaves the plain-text unchanged. The theorem is stated parametrically over key and plain-text sizes. The expression performs the proof for a 40-bit key (5 bytes) and 40-bit plaintext (again 5 bytes).Note that this theorem is trivial to prove, since it is essentially establishing xor'in the same value twice leaves a word unchanged (i.e., x ² y ² y = xë). However, the proof takes quite a while to complete, as it gives rise to a fairly large symbolic trace.–sbvFor doctest purposes only Š‹ŒŽ‘’“”•– Œ‹ŠŽ‘’“”•–*(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred'1×Üï$—sbv—5 is a synonym for lists, but makes the intent clear.™sbvèParameterized SHA representation, that captures all the differences between variants of the algorithm. w is the word-size type.›sbv/Section 1 : Word size we operate withœsbv-Section 1 : Block size for messagessbv7Section 4.1.2-3 : Coefficients of the Sum0 functionžsbv7Section 4.1.2-3 : Coefficients of the Sum1 functionŸsbv9Section 4.1.2-3 : Coefficients of the sigma0 function sbv9Section 4.1.2-3 : Coefficients of the sigma1 function¡sbv)Section 4.2.2-3 : Magic SHA constants¢sbv(Section 5.3.2-6 : Initial hash value£sbvÅSection 6.2.2, 6.4.2: How many iterations are there in the inner loop¤sbvThe choose function.¥sbvThe majority function.¦sbvûThe sum-0 function. We parameterize over the rotation amounts as different variants of SHA use different rotation amounts.§sbv)The sum-1 function. Again, parameterized.¨sbv#The sigma0 function. Parameterized.©sbv#The sigma1 function. Parameterized.ªsbvParameterization for SHA224.«sbv9Parameterization for SHA256. Inherits mostly from SHA224.¬sbvParameterization for SHA384.sbv9Parameterization for SHA512. Inherits mostly from SHA384.®sbv 2^64 (or 2^128), and you'd run out of memory first!±sbvØHash one block of message, starting from a previous hash. This function corresponds to body of the for-loop in the spec. This function always produces a list of length 8, corresponding to the final 8 values of the H.²sbvÔCompute the hash of a given string using the specified parameterized hash algorithm.³sbvSHA224 digest.´sbvSHA256 digest.µsbvSHA384 digest.¶sbvSHA512 digest.·sbvSHA512_224 digest.¸sbvSHA512_256 digest.¹sbvÎCollection of known answer tests for SHA. Since these tests take too long during regular regression runs, we pass as an argument how many to run. Increase the below number to 24 to run all tests. We have:knownAnswerTests 1Trueºsbv×Generate code for one block of SHA256 in action, starting from an arbitrary hash value.»sbvÔHelper for chunking a list by given lengths and combining each chunk with a function¼sbv'Nicely lay out a hash value as a string&—˜™£¢¡ Ÿžœ›š¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼&™£¢¡ Ÿžœ›š¤¥¦§¨©ª«¬®¯—˜°±²³´µ¶·¸¹º»¼+(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred m½sbv)Encode the delta-sat problem as given in http://dreal.github.io/ We have:flyspeck Unsatisfiable½½,(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1ë¾sbvÆCompute the 16 bit CRC of a 48 bit message, using the given polynomial¿sbvÁCount the differing bits in the message and the corresponding CRCÀsbvGiven a hamming distance value hd, À returns trueÊ if the 16 bit polynomial can distinguish all messages that has at most hd? different bits. Note that we express this conversely: If the sent and receivedù messages are different, then it must be the case that that must differ from each other (including CRCs), in more than hd bits.ÁsbvËGenerate good CRC polynomials for 48-bit words, given the hamming distance hd.ÂsbváFind and display all degree 16 polynomials with hamming distance at least 4, for 48 bit messages.When run, this function prints:ç Polynomial #1. x^16 + x^3 + x^2 + 1 Polynomial #2. x^16 + x^3 + x^2 + x + 1 Polynomial #3. x^16 + x^3 + x + 1 Polynomial #4. x^16 + x^15 + x^2 + 1 Polynomial #5. x^16 + x^15 + x^2 + x + 1 Found: 5 polynomial(s). ’Note that different runs can produce different results, depending on the random numbers used by the solver, solver version, etc. (Also, the solver will take some time to generate these results. On my machine, the first five polynomials were generated in about 5 minutes.)¾¿ÀÁÂ¾¿ÀÁÂ-(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÄÃsbvúFor a homogeneous problem, the solution is any linear combination of the resulting vectors. For a non-homogeneous problem, the solution is any linear combination of the vectors in the second component plus one of the vectors in the first component.Æsbv±ldn: Solve a (L)inear (D)iophantine equation, returning minimal solutions over (N)aturals. The input is given as a rows of equations, with rhs values separated into a tuple. The first parameter limits the search to bound: In case there are too many solutions, you might want to limit your search space.ÇsbvÅFind the basis solution. By definition, the basis has all non-trivial (i.e., non-0) solutions that cannot be written as the sum of two other solutions. We use the mathematically equivalent statement that a solution is in the basis if it's least according to the natural partial order using the ordinary less-than relation.ÈsbvSolve the equation:2x + y - z = 2We have:test2NonHomogeneous [[0,2,0],[1,0,0]] [[0,1,1],[1,0,2]]/which means that the solutions are of the form:9(0, 2, 0) + k (0, 1, 1) + k' (1, 0, 2) = (k', 2+k, k+2k')OR9(1, 0, 0) + k (0, 1, 1) + k' (1, 0, 2) = (1+k', k, k+2k')for arbitrary k, k'¸. It's easy to see that these are really solutions to the equation given. It's harder to see that they cover all possibilities, but a moments thought reveals that is indeed the case.Ésbv“A puzzle: Five sailors and a monkey escape from a naufrage and reach an island with coconuts. Before dawn, they gather a few of them and decide to sleep first and share the next day. At night, however, one of them awakes, counts the nuts, makes five parts, gives the remaining nut to the monkey, saves his share away, and sleeps. All other sailors do the same, one by one. When they all wake up in the morning, they again make 5 shares, and give the last remaining nut to the monkey. How many nuts were there at the beginning?7We can model this as a series of diophantine equations:„ x_0 = 5 x_1 + 1 4 x_1 = 5 x_2 + 1 4 x_2 = 5 x_3 + 1 4 x_3 = 5 x_4 + 1 4 x_4 = 5 x_5 + 1 4 x_5 = 5 x_6 + 1 ¸We need to solve for x_0, over the naturals. If you run this program, z3 takes its time (quite long!) but, it eventually computes: [15621,3124,2499,1999,1599,1279,1023] as the answer.That is:’ * There was a total of 15621 coconuts * 1st sailor: 15621 = 3124*5+1, leaving 15621-3124-1 = 12496 * 2nd sailor: 12496 = 2499*5+1, leaving 12496-2499-1 = 9996 * 3rd sailor: 9996 = 1999*5+1, leaving 9996-1999-1 = 7996 * 4th sailor: 7996 = 1599*5+1, leaving 7996-1599-1 = 6396 * 5th sailor: 6396 = 1279*5+1, leaving 6396-1279-1 = 5116 * In the morning, they had: 5116 = 1023*5+1. ’Note that this is the minimum solution, that is, we are guaranteed that there's no solution with less number of coconuts. In fact, any member of [15625*k-4 | k <- [1..]] is a solution, i.e., so are 31246, 46871, 62496, 78121, etc.öNote that we iteratively deepen our search by requesting increasing number of solutions to avoid the all-sat pitfall.ÃÅÄÆÇÈÉÃÅÄÆÇÈÉ.(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred#56=Ü*n Ësbv,Each agent can be in one of the three statesÌsbvRegular workÍsbv!Intention to enter critical stateÎsbvIn the critical stateÏsbvSymbolic version of the type Ë.Ðsbv$Symbolic version of the constructor Ì.Ñsbv$Symbolic version of the constructor Í.Òsbv$Symbolic version of the constructor Î.ÓsbvšA bounded mutex property holds for two sequences of state transitions, if they are not in their critical section at the same time up to that given bound.Ôsbv1A sequence is valid upto a bound if it starts at Ì', and follows the mutex rules. That is:From Ì it can switch to Í or stay ÌFrom Í it can switch to Î if it's its turnFrom Î it can either stay in Î or go back to Ì The variable me identifies the agent id.ÕsbvÐThe mutex algorithm, coded implicitly as an assignment to turns. Turns start at 1, and at each stage is either 1 or 2ƒ; giving preference to that process. The only condition is that if either process is in its critical section, then the turn value stays the same. Note that this is sufficient to satisfy safety (i.e., mutual exclusion), though it does not guarantee liveness.Ösbv1Check that we have the mutex property so long as Ô and ÕÓ holds; i.e., so long as both the agents and the arbiter act according to the rules. The check is bounded up-to-the given concrete bound; so this is an example of a bounded-model-checking style proof. We have: checkMutex 20All is good!×sbv¯Our algorithm is correct, but it is not fair. It does not guarantee that a process that wants to enter its critical-section will always do so eventually. Demonstrate this by trying to show a bounded trace of length 10, such that the second process is ready but never transitions to critical. We have:Ïghci> notFair 10 Fairness is violated at bound: 10 P1: [Idle,Idle,Ready,Critical,Idle,Idle,Ready,Critical,Idle,Idle] P2: [Idle,Ready,Ready,Ready,Ready,Ready,Ready,Ready,Ready,Ready] Ts: [1,2,1,1,1,1,1,1,1,1]«As expected, P2 gets ready but never goes critical since the arbiter keeps picking P1 unfairly. (You might get a different trace depending on what z3 happens to produce!)$Exercise for the reader: Change the Õÿ function so that it alternates the turns from the previous value if neither process is in critical. Show that this makes the ×ä function below no longer exhibits the issue. Is this sufficient? Concurrent programming is tricky! ËÎÍÌÏÐÑÒÓÔÕÖ× ËÎÍÌÏÒÑÐÓÔÕÖ×/(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÜ.ïàsbvêA deck is simply a list of integers. Note that a regular deck will have distinct cards, we do not impose this in our proof. That is, the proof works regardless whether we put duplicates into the deck, which generalizes the theorem.ásbv$Count-out-and-transfer (COAT): Take kÁ cards from top, reverse it, and put it at the bottom of a deck.âsbv COAT 4 times.ãsbv4Key property of COATing. If you take a deck of size nÓ, and COAT it 4 times, then the deck remains in the same order. The COAT factor, k6, must be greater than half the size of the deck size.6Note that the proof time increases significantly with n.. Here's a proof for deck size of 6, for all k >= 3.coatCheck 6Q.E.D.ËIt's interesting to note that one can also express this theorem by making n› symbolic as well. However, doing so definitely requires an inductive proof, and the SMT-solver doesn't handle this case out-of-the-box, running forever.àáâãáâàã0(c) Joel BurgetBSD3erkokl@gmail.comexperimental Safe-Inferred0'äsbv3Compute a prefix of the fibonacci numbers. We have: mkFibs 10[1,1,2,3,5,8,13,21,34,55]åsbvÝGenerate fibonacci numbers as a sequence. Note that we constrain only the first 200 entries.äåäå1(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred#Ü1Tæsbv>Simple example demonstrating the use of nested lists. We have:Turned off. See: *https://github.com/Z3Prover/z3/issues/28208 nestedExample [[1,2,3],[4,5,6,7],[8,9,10],[11,12,13]]ææ2(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"5Žçsbv+A simple predicate, based on two variables x and y , true when 0 <= x <= 1 and x - abs y is 0.èsbv=Generate all satisfying assignments for our problem. We have: allModels Solution #1: x = 1 :: Integer y = -1 :: IntegerSolution #2: x = 1 :: Integer y = 1 :: IntegerSolution #3: x = 0 :: Integer y = 0 :: IntegerFound 3 different solutions.Note that solutions 2 and 3 share the value x = 1&, since there are multiple values of y% that make this particular choice of x satisfy our constraint.ésbvÀGenerate all satisfying assignments, but we first tell SBV that yÍ should not be considered as a model problem, i.e., it's auxiliary. We have:modelsWithYAuxSolution #1: x = 1 :: IntegerSolution #2: x = 0 :: IntegerFound 2 different solutions.ÇNote that we now have only two solutions, one for each unique value of x that satisfy our constraint.çèéçèé3(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred9¾êsbv¬Sum of numbers from 0 to the given number. Note that this cannot be defined as a regular Haskell function, as it wouldn't terminate as it recurses on a symbolic argument.ësbv¡Add the definition of sum to the SMT solver. Note that SBV performs no checks on your definition, neither that it is well formed, or even has the correct type!ìsbvA simple proof using êó. We get a failure, because we haven't given the solver the definition, and thus it goes completely uninterpreted.We have: badExampleFalsifiable. Counter-example: sumToN :: Integer -> Integer sumToN _ = 0Since êÖ remains uninterpreted, the solver gave us a model that obviously fails the property.ísbvóSame example, except this time we give the solver the definition of the function, and thus the proof goes through.We have:goodExampleQ.E.D.ÒIn this case, the solver has the definition, and proves the predicate as expected.êëìíêëìí4(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=Ü?% îsbvÅA simple enumerated type, that we'd like to translate to SMT-Lib intact; i.e., this type will not be uninterpreted but rather preserved and will be just like any other symbolic type SBV provides.-Also note that we need to have the following LANGUAGE options defined: TemplateHaskell, StandaloneDeriving, DeriveDataTypeable, DeriveAnyClass for this to work.òsbvSymbolic version of the type î.ósbv$Symbolic version of the constructor ï.ôsbv$Symbolic version of the constructor ð.õsbv$Symbolic version of the constructor ñ.ösbvÂHave the SMT solver enumerate the elements of the domain. We have:eltsSolution #1: s0 = C :: ESolution #2: s0 = B :: ESolution #3: s0 = A :: EFound 3 different solutions.÷sbv9Shows that if we require 4 distinct elements of the type îÁ, we shall fail; as the domain only has three elements. We have:four UnsatisfiableøsbvøEnumerations are automatically ordered, so we can ask for the maximum element. Note the use of quantification. We have:maxESatisfiable. Model: maxE = C :: Eùsbv/Similarly, we get the minimum element. We have:minESatisfiable. Model: minE = A :: Eîïðñòóôõö÷øùîïðñòõôóö÷øù5(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred1ÜTï‚sbvýProve that floating point addition is not associative. For illustration purposes, we will require one of the inputs to be a NaN . We have:prove $ assocPlus (0/0)Falsifiable. Counter-example: s0 = 0.0 :: Float s1 = 0.0 :: FloatIndeed:let i = 0/0 :: Floati + (0.0 + 0.0)NaN((i + 0.0) + 0.0)NaNBut keep in mind that NaN< does not equal itself in the floating point world! We have:$let nan = 0/0 :: Float in nan == nanFalseƒsbv:Prove that addition is not associative, even if we ignore NaN/Infinity+ values. To do this, we use the predicate § -, which is true of a floating point number (¹ or ¸) if it is neither NaN nor InfinityÁ. (That is, it's a representable point in the real-number line.)We have:assocPlusRegularFalsifiable. Counter-example: x = 1.5652655e23 :: Float y = -1.3279453e22 :: Float z = 1.8019954e20 :: FloatIndeed, we have:let x = 1.5652655e23 :: Floatlet y = -1.3279453e22 :: Floatlet z = 1.8019954e20 :: Floatx + (y + z)1.434273e23(x + y) + z1.4342729e23#Note the difference in the results!„sbvDemonstrate that a+b = a does not necessarily mean b is 0Ï in the floating point world, even when we disallow the obvious solution when a and b are Infinity. We have:nonZeroAdditionFalsifiable. Counter-example: a = 9.072796e16 :: Float b = 1.7942292e-24 :: FloatIndeed, we have:let a = 9.072796e16 :: Floatlet b = 1.7942292e-24 :: Float a + b == aTrueb == 0False…sbvThis example illustrates that a * (1/a) does not necessarily equal 1). Again, we protect against division by 0 and NaN/Infinity.We have:multInverseFalsifiable. Counter-example: a = -13539.329 :: FloatIndeed, we have:let a = -13539.329 :: Float a * (1/a) 0.99999994†sbvÃOne interesting aspect of floating-point is that the chosen rounding-mode can effect the results of a computation if the exact result cannot be precisely represented. SBV exports the functions “ , ” , • , – , — and ˜ 2 which allows users to specify the IEEE supported aŸ for the operation. This example illustrates how SBV can be used to find rounding-modes where, for instance, addition can produce different results. We have:roundingAddSatisfiable. Model:& rm = RoundTowardZero :: RoundingMode x = 4.0564797e31 :: Float y = 2.055174e25 :: Float°(Note that depending on your version of Z3, you might get a different result.) Unfortunately Haskell floats do not allow computation with arbitrary rounding modes, but SBV's · type does. We have:ÃfpAdd sRoundNearestTiesToEven 4.0564797e31 2.055174e25 :: SFPSingle$4.05648192e31 :: SFloatingPoint 8 24‹sbvSymbolic version of Œ.ŒsbvÂSimilarly, we can create another newtype, this time wrapping over ¸£. As an example, consider measuring the human height in centimetres? The tallest person in history, Robert Wadlow, was 272 cm. We don't need negative values, so ¸, is the smallest type that suits our needs.ŽsbvSymbolic version of .sbvA is a newtype wrapper around °.‘sbv5The tallest human ever was 272 cm. We can simply use €# to lift it to the symbolic space.’sbv„Given a distance between a floor and a ceiling, we can see whether the human can stand in that room. Comparison is expressed using ˆ.“sbvNow, suppose we want to see whether we could design a room with a ceiling high enough that any human could stand in it. We have:sat problemSatisfiable. Model:! floorToCeiling = 3 :: Integer humanheight = 255 :: Word16”sbvThe þÿ instance simply uses stock definitions. This is always possible for newtypes that simply wrap over an existing symbolic type.•sbvTo use É symbolically, we associate it with the underlying symbolic type's kind.–sbvSimilarly here, for the þ instance.—sbvÀSymbolic instance simply follows the underlying type, just like . ‹ŒŽ‘’“ ŽŒ‹‘’“9(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferreda¤sbvèA simple variant of division, where we explicitly require the caller to make sure the divisor is not 0.¥sbv#Check whether an arbitrary call to ¤5 is safe. Clearly, we do not expect this to be safe:test1è[./Documentation/SBV/Examples/Misc/NoDiv0.hs:38:14:checkedDiv: Divisor should not be 0: Violated. Model: s0 = 0 :: Int32 s1 = 0 :: Int32]¦sbvÖRepeat the test, except this time we explicitly protect against the bad case. We have:test2ï[./Documentation/SBV/Examples/Misc/NoDiv0.hs:46:41:checkedDiv: Divisor should not be 0: No violations detected]¤¥¦¤¥¦:(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredfƒ§sbv€Helper synonym for representing GF(2^8); which are merely 8-bit unsigned words. Largest term in such a polynomial has degree 7.¨sbv·Multiplication in Rijndael's field; usual polynomial multiplication followed by reduction by the irreducible polynomial. The irreducible used by Rijndael's field is the polynomial x^8 + x^4 + x^3 + x + 1 , which we write by giving it's exponents in SBV. See: Îhttp://en.wikipedia.org/wiki/Finite_field_arithmetic#Rijndael.27s_finite_fieldÉ. Note that the irreducible itself is not in GF28! It has a degree of 8.NB. You can use the Õ Æ function to print polynomials nicely, as a mathematician would write.©sbv States that the unit polynomial 1, is the unit elementªsbv)States that multiplication is commutative«sbvóStates that multiplication is associative, note that associativity proofs are notoriously hard for SAT/SMT solvers¬sbvÑStates that the usual multiplication rule holds over GF(2^n) polynomials Checks: if (a, b) = x Ô y then x = y Ñ a + b being careful about y = 0ú. When divisor is 0, then quotient is defined to be 0 and the remainder is the numerator. (Note that addition is simply ² in GF(2^8).)sbvQueries§¨©ª«¬§¨©ª«¬;(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredg]®sbvØAbbreviation for set of integers. For convenience only in monomorphising the properties.®®<(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"iä¯sbváCreate two strings, requiring one to be a particular value, constraining the other to be different than another constant string. But also add soft constraints to indicate our preferences for each of these variables. We get:exampleSatisfiable. Model:( x = "x-must-really-be-hello" :: String( y = "default-y-value" :: StringNote how the value of xÊ is constrained properly and thus the default value doesn't kick in, but yÓ takes the default value since it is acceptable by all the other hard constraints.¯¯=-(c) Joel Burget Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred"Üm6°sbvÆA dictionary is a list of lookup values. Note that we store the type [(a, b)]8 as a symbolic value here, mixing sequences and tuples.±sbvÔCreate a dictionary of length 5, such that each element has an string key and each value is the length of the key. We impose a few more constraints to make the output interesting. For instance, you might get:Î ghci> example [("nt_",3),("dHAk",4),("kzkk0",5),("mZxs9s",6),("c32'dPM",7)] ÿDepending on your version of z3, a different answer might be provided. Here, we check that it satisfies our length conditions: import Data.List (genericLength)Öexample >>= \ex -> return (length ex == 5 && all (\(l, i) -> genericLength l == i) ex)True°±°±>(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=ÌÚÜrt²sbvA simple enumerationºsbvSymbolic version of the type ².»sbv$Symbolic version of the constructor ³.¼sbv$Symbolic version of the constructor ´.½sbv$Symbolic version of the constructor µ.¾sbv$Symbolic version of the constructor ¶.¿sbv$Symbolic version of the constructor ·.Àsbv$Symbolic version of the constructor ¸.Ásbv$Symbolic version of the constructor ¹.ÂsbvIdentify weekend daysÃsbvÈUsing optimization, find the latest day that is not a weekend. We have: almostWeekendOptimal model: almostWeekend = Fri :: Day last-day = 4 :: Word8ÄsbvÃUsing optimization, find the first day after the weekend. We have:weekendJustOverOptimal model: weekendJustOver = Mon :: Day first-day = 0 :: Word8Åsbv9Using optimization, find the first weekend day: We have:firstWeekendOptimal model: firstWeekend = Sat :: Day first-weekend = 5 :: Word8Æsbv0Make day an optimizable value, by mapping it to ¼ß in the most obvious way. We can map it to any value the underlying solver can optimize, but ¼( is the simplest and it'll fit the bill.²¹·¶µ´³¸º»¼½¾¿ÀÁÂÃÄÅ²¹·¶µ´³¸ºÁÀ¿¾½¼»ÂÃÄÅ?(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredu™ÏsbvÝOptimization goals where min/max values might require assignments to values that are infinite (integer case), or infinite/epsilon (real case). This simple example demonstrates how SBV can be used to extract such values.We have:optimize Independent problem1Objective "one-x": Optimal in an extension field: one-x = oo :: Integer min_y = 7.0 :: Real min_z = 5.0 :: Real1Objective "min_y": Optimal in an extension field: one-x = oo :: Integer min_y = 7.0 :: Real min_z = 5.0 :: Real1Objective "min_z": Optimal in an extension field: one-x = oo :: Integer min_y = 7.0 :: Real min_z = 5.0 :: RealÏÏ@(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredw1ÐsbvTaken from 6http://people.brunel.ac.uk/~mastjjb/jeb/or/morelp.htmlmaximize 5x1 + 6x2 subject to x1 + x2 <= 10x1 - x2 >= 35x1 + 4x2 <= 35x1 >= 0x2 >= 0optimize Lexicographic problemOptimal model: x1 = 47 % 9 :: Real x2 = 20 % 9 :: Real goal = 355 % 9 :: RealÐÐA(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred|ÑsbvTaken from 6http://people.brunel.ac.uk/~mastjjb/jeb/or/morelp.htmlÄA company makes two products (X and Y) using two machines (A and B).‚Each unit of X that is produced requires 50 minutes processing time on machine A and 30 minutes processing time on machine B.‚Each unit of Y that is produced requires 24 minutes processing time on machine A and 33 minutes processing time on machine B.ÍAt the start of the current week there are 30 units of X and 90 units of Y in stock. Available processing time on machine A is forecast to be 40 hours and on machine B is forecast to be 35 hours.êThe demand for X in the current week is forecast to be 75 units and for Y is forecast to be 95 units.ùCompany policy is to maximise the combined sum of the units of X and the units of Y in stock at the end of the week.= 0 . We have:ex2Q.E.D.÷sbv;Example 3: Second program, with no strengthenings. We have:ex3&Failed while establishing consecution.!Counter-example to inductiveness: S {x = -1, y = 1}øsbv-Example 4: Second program, strengthened with x >= 0 . We have:ex4ÁFailed while establishing consecution for strengthening "x >= 0".!Counter-example to inductiveness: S {x = 0, y = -1}ùsbv-Example 5: Second program, strengthened with x >= 0 and y >= 1 separately. We have:ex5ÁFailed while establishing consecution for strengthening "x >= 0".!Counter-example to inductiveness: S {x = 0, y = -1} Note how this was sufficient in öÍ to establish the invariant for the first program, but fails for the second.úsbv-Example 6: Second program, strengthened with x >= 0 /\ y >= 1 simultaneously. We have:ex6Q.E.D.Compare this to ù.. As pointed out by Bradley, this shows that ãa conjunction of assertions can be inductive when none of its components, on its own, is inductive.Ô It remains an art to find proper loop invariants, though the science is improving!ûsbvá instance for our state îñðïòóôõö÷øùú îñðïòóôõö÷øùúF(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅ’Ä€sbvýSystem state. We simply have two components, parameterized over the type so we can put in both concrete and symbolic values.…sbv;Encoding partial correctness of the sum algorithm. We have: sumCorrectQ.E.D.†sbvá instance for our state€„ƒ‚…€„ƒ‚…G(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred'æsbvÔThe ALU is simply a state transformer, manipulating the state, wrapped around SBV's ¸ monad.ŽsbvÜThe state of the machine. We keep track of the data values, along with the input parameters.sbvValues of registers‘sbv$Input parameters, stored in reverse.’sbvçAn item of data to be processed. We can either be referring to a named register, or an immediate value.–sbvÆWe operate on 64-bit signed integers. It is also possible to use the unbounded integers here as the problem description doesn't mention any size limitations. But performance isn't as good with unbounded integers, and 64-bit signed bit-vectors seem to fit the bill just fine, much like any other modern processor these days.—sbv2A Register in the machine, identified by its name.˜sbvShorthand for the w register.™sbvShorthand for the x register.šsbvShorthand for the y register.›sbvShorthand for the z register.œsbvñReading a value. For a register, we simply look it up in the environment. For an immediate, we simply return it.sbv)Writing a value. We update the registers.žsbv“Reading an input value. In this version, we simply write a free symbolic value to the specified register, and keep track of the inputs explicitly.Ÿsbv Addition. sbvMultiplication.¡sbv Division.¢sbvModulus.£sbv Equality.¤sbv§Run a given program, returning the final state. We simply start with the initial environment mapping all registers to zero, as specified in the problem specification.¥sbvWe simply run the ¦ program, and specify the constraints at the end. We take a boolean as a parameter, choosing whether we want to minimize or maximize the model-number. We have:puzzle TrueOptimal model:0 Maximum model number = 96918996924991 :: Int64puzzle FalseOptimal model:0 Minimum model number = 91811241911641 :: Int64¦sbv×The program we need to crack. Note that different users get different programs on the Advent-Of-Code site, so this is simply one example. You can simply cut-and-paste your version instead. (Don't forget the pragma NegativeLiterals to GHC so add x -1 parses correctly as add x (-1).)§sbvÑ instance for ’³. This is merely there for us to be able to represent programs in a natural way, i.e, lifting integers (positive and negative). Other methods are neither implemented nor needed.Ž‘’•”“–—˜™š›œžŸ ¡¢£¤¥¦—–’•”“˜™š›Ž‘œžŸ ¡¢£¤¥¦H(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred£Ç ¨sbvÎRepresent day by 8-bit words; Again, an uninterpreted type would work as well.©sbvâRepresent month by 8-bit words; We can also use an uninterpreted type, but numbers work well here.ªsbv!Months referenced in the problem.«sbv!Months referenced in the problem.¬sbv!Months referenced in the problem.sbv!Months referenced in the problem.®sbvThis is the only solution. (Unique up to prefix existentials.)˜So, a garden with 3 flowers is the only solution. (Note that we simply skip over the prefix existentials and the assignments to uninterpreted function ÀÉ for model purposes here, as they don't represent a different solution.)·º¹¸»¼½¾¿ÀÁÂÃÄ·º¹¸¼¿¾½»ÀÁÂÃÄP(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=ÜÆÍsbvColors we're allowedÒsbv6The grid is an array mapping each button to its color.ÓsbvSymbolic version of button.ÔsbvÅUse 8-bit words for button numbers, even though we only have 1 to 19.ÕsbvSymbolic version of the type Í.Ösbv$Symbolic version of the constructor Î.×sbv$Symbolic version of the constructor Ï.Øsbv$Symbolic version of the constructor Ð.Ùsbv$Symbolic version of the constructor Ñ.ÚsbvÑGiven a button press, and the current grid, compute the next grid. If the button is "unpressable", i.e., if it is not one of the center buttons or it is currently colored black, we return the grid unchanged.ÛsbvIteratively search at increasing depths of button-presses to see if we can transform from the initial board position to a final board position.Üsbv"A particular example run. We have:example Searching at depth: 0Searching at depth: 1Searching at depth: 2Searching at depth: 3Searching at depth: 4Searching at depth: 5Searching at depth: 6Found: [10,10,9,11,14,6]Found: [10,10,11,9,14,6]There are no more solutions.ÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÍÎÏÐÑÕÙØ×ÖÔÓÒÚÛÜQ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred;=ÊûåsbvÄA Jug has a capacity (i.e., maximum amount of water it can hold), and content, showing how much it currently has. The invariant is that content is always non-negative and is at most the capacity.ésbv›Transfer from one jug to another. By definition, we transfer to fill the second jug, which may end up filling it fully, or leaving some in the first jug.êsbvÙAt the beginning, we have an full 8-gallon jug, and two empty jugs, 5 and 3 gallons each.ësbvßWe've solved the puzzle if 8 and 5 gallon jugs have 4 gallons each, and the third one is empty.ìsbvExecute a bunch of moves.ísbvSolve the puzzle. We have:puzzle # of moves: 0 # of moves: 1 # of moves: 2 # of moves: 3 # of moves: 4 # of moves: 5 # of moves: 6 # of moves: 71 --> 22 --> 33 --> 12 --> 31 --> 22 --> 33 --> 1Here's the contents in terms of gallons after each move: (8, 0, 0) (3, 5, 0) (3, 2, 3) (6, 2, 0) (6, 0, 2) (1, 5, 2) (1, 4, 3) (4, 4, 0)ÿNote that by construction this is the minimum length solution. (Though our construction does not guarantee that it is unique.) åèçæéêëìí åèçæéêëìíR(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÌ¹ðsbvPrints the only solution: ladyAndTigersSolution #1: sign1 = False :: Bool sign2 = False :: Bool sign3 = True :: Bool tiger1 = False :: Bool tiger2 = True :: Bool tiger3 = True :: BoolThis is the only solution.ÇThat is, the lady is in room 1, and only the third room's sign is true.ððS(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÎÚñsbv"The puzzle board is a list of rowsòsbvA row is a list of elementsósbvUse 32-bit words for elements.ôsbv4Checks that all elements in a list are within boundsõsbv#Get the diagonal of a square matrixösbv'Test if a given board is a magic square÷sbv3Group a list of elements in the sublists of length iøsbvGiven n, magic n prints all solutions to the nxn magic square problemñòóôõö÷øóòñôõö÷øT(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred'56=ÁÃÔáùsbvRolesýsbvSexes€sbv Locations„sbvSymbolic version of the type €.…sbv$Symbolic version of the constructor .†sbv$Symbolic version of the constructor ‚.‡sbv$Symbolic version of the constructor ƒ.sbvSymbolic version of the type ý.‘sbv$Symbolic version of the constructor þ.’sbv$Symbolic version of the constructor ÿ.›sbvHelper functoržsbvÐA person has a name, age, together with location and sex. We parameterize over a function so we can use this struct both in a concrete context and a symbolic context. Note that the name is always concrete.¥sbvSymbolic version of the type ù.¦sbv$Symbolic version of the constructor ú.§sbv$Symbolic version of the constructor û.¨sbv$Symbolic version of the constructor ü.©sbvCreate a new symbolic personªsbv1Get the concrete value of the person in the model«sbvSolve the puzzle. We have:killer&Alice 48 Bar Female Bystander#Husband 47 Beach Male Killer#Brother 48 Beach Male Victim&Daughter 20 Alone Female Bystander&Son 21 Bar Male BystanderËThat is, Alice's brother was the victim and Alice's husband was the killer.¬sbvÃConstraints of the puzzle, coded following the English description.sbv Show a person$ùüûúýÿþ€‚ƒ„…†‡‘’›œž£¡ ¤¢Ÿ¥¦§¨©ª«¬$€‚ƒýÿþùüûú„‡†…’‘¥¨§¦ž£¡ ¤¢Ÿ›œ©ª«¬U(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÖå¶sbvÅA solution is a sequence of row-numbers where queens should be placed·sbv Checks that a given solution of n5-queens is valid, i.e., no queen captures any other.¸sbvGiven n, it solves the n-queens) puzzle, printing all possible solutions.¶·¸¶·¸V(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredØl¹sbvSolve the puzzle. We have: sendMoreMoney Solution #1: s = 9 :: Integer e = 5 :: Integer n = 6 :: Integer d = 7 :: Integer m = 1 :: Integer o = 0 :: Integer r = 8 :: Integer y = 2 :: IntegerThis is the only solution.That is:9567 + 1085 == 10652True¹¹W(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÝØºsbv‰A puzzle is a pair: First is the number of missing elements, second is a function that given that many elements returns the final board.»sbv&A Sudoku board is a sequence of 9 rows¼sbvÜA row is a sequence of 8-bit words, too large indeed for representing 1-9, but does not harm½sbvæGiven a series of elements, make sure they are all different and they all are numbers between 1 and 9¾sbv1Given a full Sudoku board, check that it is valid¿sbv*Solve a given puzzle and print the resultsÀsbvÔHelper function to display results nicely, not really needed, but helps presentationÁsbvFind all solutions to a puzzleÂsbvFind an arbitrary good boardÃsbv(A random puzzle, found on the internet..Äsbv.Another random puzzle, found on the internet..Åsbv.Another random puzzle, found on the internet..ÆsbväAccording to the web, this is the toughest sudoku puzzle ever.. It even has a name: Al Escargot: Êhttp://zonkedyak.blogspot.com/2006/11/worlds-hardest-sudoku-puzzle-al.htmlÇsbv/This one has been called diabolical, apparentlyÈsbv)The following is nefarious according to %http://haskell.org/haskellwiki/SudokuÉsbvÆSolve them all, this takes a fraction of a second to run for each caseº»¼½¾¿ÀÁÂÃÄÅÆÇÈÉ¼»½¾º¿ÀÁÂÃÄÅÆÇÈÉX(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56;=ÁÃëb&ÊsbvóU2 band members. We want to translate this to SMT-Lib as a data-type, and hence the call to mkSymbolicEnumeration.ÏsbvLocation of the flashÒsbvSymbolic variant for timeÓsbvModel time using 32 bitsÔsbvSymbolic version of the type Ê.Õsbv$Symbolic version of the constructor Ë.Ösbv$Symbolic version of the constructor Ì.×sbv$Symbolic version of the constructor Í.Øsbv$Symbolic version of the constructor Î.Ùsbv*Crossing times for each member of the bandÚsbv6The symbolic variant.. The duplication is unfortunate.ãsbvýA move action is a sequence of triples. The first component is symbolically True if only one member crosses. (In this case the third element of the triple is irrelevant.) If the first component is (symbolically) False, then both members move togetheräsbv/A puzzle move is modeled as a state-transformeråsbv(The status of the puzzle after each move4This type is equipped with an automatically derived §! instance because each field is §. A ‘: instance must also be derived for this to work, and the DeriveAnyClass2 language extension must be enabled. The derived §ê instance simply walks down the structure field by field and merges each one. An equivalent hand-written §* instance is provided in a comment below.çsbvelapsed timeèsbvlocation of the flashésbvlocation of Bonoêsbvlocation of Edgeësbvlocation of Adamìsbvlocation of LarryísbvSymbolic version of the type Ï.îsbv$Symbolic version of the constructor Ð.ïsbv$Symbolic version of the constructor Ñ.ðsbv Edge, Bono 2 <-- Bono 3 --> Larry, Adam13 <-- Edge15 --> Edge, BonoTotal time: 17Solution #2: 0 --> Edge, Bono 2 <-- Edge 4 --> Larry, Adam14 <-- Bono15 --> Edge, BonoTotal time: 17 Found: 2 solutions with 5 moves.-Finding all possible solutions to the puzzle.þsbvMergeable instance for äÛ simply pushes the merging the data after run of each branch starting from the same state.,ÊÎÍËÌÏÑÐÒÓÔÕÖ×ØÙÚãäåìëêéèçæíîïðñòóôõö÷øùúûüý,ÊÎÍËÌÔØ×ÖÕÓÒÙÚÏÑÐíïîåìëêéèçæðäñòóôõö÷øùãúûüýY(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferredïï‰sbvFind all solutions to x + y .== 10 for positive x and y3. This is rather silly to do in the query mode as ó„ can do this automatically, but it demonstrates how we can dynamically query the result and put in new constraints based on those.ŠsbvRun the query. We have:demoStarting the all-sat engine!Iteration: 1Current solution is: (0,10)Iteration: 2Current solution is: (1,9)Iteration: 3Current solution is: (2,8)Iteration: 4Current solution is: (3,7)Iteration: 5Current solution is: (4,6)Iteration: 6Current solution is: (5,5)Iteration: 7Current solution is: (6,4)Iteration: 8Current solution is: (7,3)Iteration: 9Current solution is: (8,2) Iteration: 10Current solution is: (9,1) Iteration: 11Current solution is: (10,0) Iteration: 12No other solution!Å[(0,10),(1,9),(2,8),(3,7),(4,6),(5,5),(6,4),(7,3),(8,2),(9,1),(10,0)]‰Š‰ŠZ(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredóÉ‹sbvãA simple floating-point problem, but we do the sat-analysis via a case-split. Due to the nature of floating-point numbers, a case-split on the characteristics of the number (such as NaN, negative-zero, etc. is most suitable.)We have:csDemo1 Case fpIsNegativeZero: Starting$Case fpIsNegativeZero: UnsatisfiableCase fpIsPositiveZero: Starting$Case fpIsPositiveZero: UnsatisfiableCase fpIsNormal: StartingCase fpIsNormal: UnsatisfiableCase fpIsSubnormal: Starting!Case fpIsSubnormal: UnsatisfiableCase fpIsPoint: StartingCase fpIsPoint: UnsatisfiableCase fpIsNaN: StartingCase fpIsNaN: Satisfiable("fpIsNaN",NaN)Œsbv!Demonstrates the "coverage" case.We have:csDemo2Case negative: StartingCase negative: UnsatisfiableCase less than 8: StartingCase less than 8: UnsatisfiableCase Coverage: StartingCase Coverage: Satisfiable("Coverage",10)‹Œ‹Œ[/(c) Jeffrey Young Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredýªsbvFind all solutions to x + y .== 10 for positive x and yÃ, but at each iteration we would like to ensure that the value of x´ we get is at least twice as large as the previous one. This is rather silly, but demonstrates how we can dynamically query the result and put in new constraints based on those.Žsbv¶In our first query we'll define a constraint that will not be known to the shared or second query and then solve for an answer that will differ from the first query. Note that we need to pass an MVar in so that we can operate on the shared variables. In general, the variables you want to operate on should be defined in the shared part of the query and then passed to the children queries via channels, MVars, or TVars. In this query we constrain x to be less than y and then return the sum of the values. We add a threadDelay just for demonstration purposessbvûIn the second query we constrain for an answer where y is smaller than x, and then return the product of the found values.sbvÑRun the demo several times to see that the children threads will change ordering.‘sbvExample computation.’sbvIn our first query we will make a constrain, solve the constraint and return the values for our variables, then we'll mutate the MVar sending information to the second query. Note that you could use channels, or TVars, or TMVars, whatever you need here, we just use MVars for demonstration purposes. Also note that this effectively creates an ordering between the children queries“sbv×In the second query we create a new variable z, and then a symbolic query using information from the first query and return a solution that uses the new variable and the old variables. Each child query is run in a separate instance of z3 so you can think of this query as driving to a point in the search space, then waiting for more information, once it gets that information it will run a completely separate computation from the first one and return its results.”sbvÇIn our second demonstration we show how through the use of concurrency constructs the user can have children queries communicate with one another. Note that the children queries are independent and so anything side-effectual like a push or a pop will be isolated to that child thread, unless of course it happens in shared.Ž‘’“”Ž‘’“”\(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=Ü\ •sbv0Days of the week. We make it symbolic using the ì splice.sbvSymbolic version of the type •.žsbv$Symbolic version of the constructor –.Ÿsbv$Symbolic version of the constructor —. sbv$Symbolic version of the constructor ˜.¡sbv$Symbolic version of the constructor ™.¢sbv$Symbolic version of the constructor š.£sbv$Symbolic version of the constructor ›.¤sbv$Symbolic version of the constructor œ.¥sbvÁA trivial query to find three consecutive days that's all before ™Ó. The point here is that we can perform queries on such enumerated values and use ‹Ò on them and return their values from queries just like any other value. We have:findDays[Monday,Tuesday,Wednesday]•˜—™œ›–šžŸ ¡¢£¤¥•˜—™œ›–š¤£¢¡ Ÿž¥](c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred 56=ÁÃÜ)®sbvÛSupported binary operators. To keep the search-space small, we will only allow division by 2 or 40, and exponentiation will only be to the power 0Õ. This does restrict the search space, but is sufficient to solve all the instances.´sbv&Supported unary operators. Similar to ®Ö case, we will restrict square-root and factorial to be only applied to the value @4.¸sbvSymbolic version of the type ®.¹sbv$Symbolic version of the constructor ¯.ºsbv$Symbolic version of the constructor °.»sbv$Symbolic version of the constructor ±.¼sbv$Symbolic version of the constructor ².½sbv$Symbolic version of the constructor ³.ÆsbvÊThe shape of a tree, either a binary node, or a unary node, or the number 4', represented hear by the constructor Fá. We parameterize by the operator type: When doing symbolic computations, we'll fill those with ¸ and ÊÇ. When finding the shapes, we will simply put unit values, i.e., holes.ÊsbvSymbolic version of the type ´.Ësbv$Symbolic version of the constructor µ.Ìsbv$Symbolic version of the constructor ¶.Ísbv$Symbolic version of the constructor ·.ÎsbvËConstruct all possible tree shapes. The argument here follows the logic in !http://www.gigamonkeys.com/trees/æ: We simply construct all possible shapes and extend with the operators. The number of such trees is:length allPossibleTrees640Note that this is a lot# smaller than what is generated by !http://www.gigamonkeys.com/trees/Ü. (There, the number of trees is 10240000: 16000 times more than what we have to consider!)ÏsbvÅGiven a tree with hols, fill it with symbolic operators. This is the trickÊ that allows us to consider only 640 trees as opposed to over 10 million.ÐsbvˆMinor helper for writing "symbolic" case statements. Simply walks down a list of values to match against a symbolic version of the key.ÑsbvžEvaluate a symbolic tree, obtaining a symbolic value. Note how we structure this evaluation so we impose extra constraints on what values square-root, divide etc. can take. This is the power of the symbolic approach: We can put arbitrary symbolic constraints as we evaluate the tree.Òsbv8In the query mode, find a filling of a given tree shape t2, such that it evaluates to the requested number i+. Note that we return back a concrete tree.ÓsbvúGiven an integer, walk through all possible tree shapes (at most 640 of them), and find a filling that solves the puzzle.Ôsbv¢Solution to the puzzle. When you run this puzzle, the solver can produce different results than what's shown here, but the expressions should still be all valid!¹ghci> puzzle 0 [OK]: (4 - (4 + (4 - 4))) 1 [OK]: (4 / (4 + (4 - 4))) 2 [OK]: sqrt((4 + (4 * (4 - 4)))) 3 [OK]: (4 - (4 ^ (4 - 4))) 4 [OK]: (4 + (4 * (4 - 4))) 5 [OK]: (4 + (4 ^ (4 - 4))) 6 [OK]: (4 + sqrt((4 * (4 / 4)))) 7 [OK]: (4 + (4 - (4 / 4))) 8 [OK]: (4 - (4 - (4 + 4))) 9 [OK]: (4 + (4 + (4 / 4))) 10 [OK]: (4 + (4 + (4 - sqrt(4)))) 11 [OK]: (4 + ((4 + 4!) / 4)) 12 [OK]: (4 * (4 - (4 / 4))) 13 [OK]: (4! + ((sqrt(4) - 4!) / sqrt(4))) 14 [OK]: (4 + (4 + (4 + sqrt(4)))) 15 [OK]: (4 + ((4! - sqrt(4)) / sqrt(4))) 16 [OK]: (4 * (4 * (4 / 4))) 17 [OK]: (4 + ((sqrt(4) + 4!) / sqrt(4))) 18 [OK]: -(4 + (4 - (sqrt(4) + 4!))) 19 [OK]: -(4 - (4! - (4 / 4))) 20 [OK]: (4 * (4 + (4 / 4))) ÕsbvA rudimentary È# instance for trees, nothing fancy.®³²°±¯´·¶µ¸¹º»¼½ÆÈÉÇÊËÌÍÎÏÐÑÒÓÔ®³²°±¯¸½¼»º¹´·¶µÊÍÌËÆÈÉÇÎÏÐÑÒÓÔ^(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred§ÞsbvãUse the backend solver to guess the number given as argument. The number is assumed to be between 0 and 1000î, and we use a simple binary search. Returns the sequence of guesses we performed during the search process.ßsbvŸPlay a round of the game, making the solver guess the secret number 42. Note that you can generate a random-number and make the solver guess it too! We have:play Current bounds: (0,1000)Current bounds: (21,1000)Current bounds: (31,1000)Current bounds: (36,1000)Current bounds: (39,1000)Current bounds: (40,1000)Current bounds: (41,1000)Current bounds: (42,1000)Solved in: 8 guesses: 0 21 31 36 39 40 41 42ÞßÞß_(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred¨àsbvÌMathSAT example. Compute the interpolant for the following sets of formulas:{x - 3y >= -1, x + y >= 0}AND{z - 2x >= 3, 2z <= 1}‡where the variables are integers. Note that these sets of formulas are themselves satisfiable, but not taken all together. The pair (x, y) = (0, 0)# satisfies the first set. The pair (x, z) = (-2, 0)3 satisfies the second. However, there's no triple (x, y, z)Õ that satisfies all these four formulas together. We can use SBV to check this fact:Úsat $ \x y z -> sAnd [x - 3*y .>= -1, x + y .>= 0, z - 2*x .>= 3, 2 * z .<= (1::SInteger)] UnsatisfiableÁAn interpolant for these sets would only talk about the variable x" that is common to both. We have:!runSMTWith mathSAT exampleMathSAT"(<= 0 s0)"ìNotice that we get a string back, not a term; so there's some back-translation we need to do. We know that s0 is xÆ through our translation mechanism, so the interpolant is saying that x >= 0… is entailed by the first set of formulas, and is inconsistent with the second. Let's use SBV to indeed show that this is the case:Êprove $ \x y -> (x - 3*y .>= -1 .&& x + y .>= 0) .=> (x .>= (0::SInteger))Q.E.D.And:Îprove $ \x z -> (z - 2*x .>= 3 .&& 2 * z .<= 1) .=> sNot (x .>= (0::SInteger))Q.E.D.4This establishes that we indeed have an interpolant!ásbv1Z3 example. Compute the interpolant for formulas y = 2x and y = 2z+1.ÁThese formulas are not satisfiable together since it would mean y‚ is both even and odd at the same time. An interpolant for this pair of formulas is a formula that's expressed only in terms of y6, which is the only common symbol among them. We have:runSMT evenOdd'"(or (= s1 0) (= s1 (* 2 (div s1 2))))"ýThis is a bit hard to read unfortunately, due to translation artifacts and use of strings. To analyze, we need to know that s1 is yÍ through SBV's translation. Let's express it in regular infix notation with y for s1:(y == 0) || (y == 2 * (y ˜ 2))Notice that the only symbol is yß, as required. To establish that this is indeed an interpolant, we should establish that when y is even, this formula is True ; and if y is odd, then it should be Falseá. You can argue mathematically that this indeed the case, but let's just use SBV to prove these:Ùprove $ \y -> (y `sMod` 2 .== 0) .=> ((y .== 0) .|| (y .== 2 * (y `sDiv` (2::SInteger))))Q.E.D.And:Þprove $ \y -> (y `sMod` 2 .== 1) .=> sNot ((y .== 0) .|| (y .== 2 * (y `sDiv` (2::SInteger))))Q.E.D.4This establishes that we indeed have an interpolant!àáàá`(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred ³âsbvÃA simple goal with three constraints, two of which are conflicting with each other. The third is irrelevant, in the sense that it does not contribute to the fact that the goal is unsatisfiable.ãsbvExtract the unsat-core of â . We have:ucCore-Unsat core is: ["less than 5","more than 10"]"Demonstrating that the constraint a .> b is not) needed for unsatisfiablity in this case.âãâãa(c) Joel BurgetBSD3erkokl@gmail.comexperimental Safe-Inferred""ªäsbv9Solve a given crossword, returning the corresponding rowsåsbvSolve ;http://regexcrossword.com/challenges/intermediate/puzzles/1puzzle1 ["ATO","WEL"]æsbvSolve ;http://regexcrossword.com/challenges/intermediate/puzzles/2puzzle2["WA","LK","ER"]çsbvSolve ;http://regexcrossword.com/challenges/palindromeda/puzzles/3puzzle3["RATS","ABUT","TUBA","STAR"]äåæçäåæçb(c) Joel BurgetBSD3erkokl@gmail.comexperimental Safe-Inferred"Ü)ÓèsbvÛEvaluation monad. The state argument is the environment to store variables as we evaluate.ésbvSimple expression languageîsbv-Given an expression, symbolically evaluate itïsbvÓA simple program to query all messages with a given topic id. In SQL like notation:Æ query ("SELECT msg FROM msgs where topicid='" ++ my_topicid ++ "'") ðsbv findInjection exampleProgram "kg'; DROP TABLE 'users" ëthough the topic might change obviously. Indeed, if we substitute the suggested string, we get the program:Åquery ("SELECT msg FROM msgs WHERE topicid='kg'; DROP TABLE 'users'")which would query for topic kg! and then delete the users table!ÅHere, we make sure that the injection ends with the malicious string:Ð("'; DROP TABLE 'users" `Data.List.isSuffixOf`) <$> findInjection exampleProgramTrue÷sbv6Literals strings can be lifted to be constant programsèéíìêëîïðñòóôõöéíìêëèîïðñòóôõöc(c) Brian SchroederBSD3erkokl@gmail.comexperimental Safe-Inferred)*8ÌÑ2&øsbvMonad for querying a solver.ûsbvThe result of ¤ing the combination of a ‚ and a þ.þsbv$A property describes a quality of a ‚ . It is a ‡ yields a boolean value.€sbvÍA symbolic value representing the result of running a program -- its output.‚sbv2A program that can reference two input variables, x and y.„sbv)Monad for performing symbolic evaluation.‡sbvNOT (p OR (q AND r)) == (NOT p AND NOT q) OR (NOT p AND NOT r)>, following from the axioms we have specified above. We have:testQ.E.D. ÀÁÂÃÄÅÆÇÈ ÀÁÂÃÄÅÆÇÈf(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred9ÏsbvAn uninterpreted functionÐsbv Asserts that f x z == f (y+2) z whenever x == y+2. Naturally correct: prove thmGoodQ.E.D.ÏÐÏÐg(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredÜC¢ÑsbvÒThe uninterpreted implementation of our 2x2 multiplier. We simply receive two 2-bit values, and return the high and the low bit of the resulting multiplication via two uninterpreted functions that we called mul22_hi and mul22_lo¦. Note that there is absolutely no computation going on here, aside from simply passing the arguments to the uninterpreted functions and stitching it back together.NB. While defining mul22_loÕ we used our domain knowledge that the low-bit of the multiplication only depends on the low bits of the inputs. However, this is merely a simplifying assumption; we could have passed all the arguments as well.Òsbv¯Synthesize a 2x2 multiplier. We use 8-bit inputs merely because that is the lowest bit-size SBV supports but that is more or less irrelevant. (Larger sizes would work too.) We simply assert this for all input values, extract the bottom two bits, and assert that our "uninterpreted" implementation in Ñ! is precisely the same. We have:sat synthMul22 Satisfiable. Model:2 mul22_hi :: Bool -> Bool -> Bool -> Bool -> Bool) mul22_hi False True True True = True) mul22_hi True True False True = True) mul22_hi True False False True = True) mul22_hi False True True False = True) mul22_hi True False True True = True) mul22_hi True True True False = True* mul22_hi _ _ _ _ = False" mul22_lo :: Bool -> Bool -> Bool mul22_lo True True = True mul22_lo _ _ = FalseºIt is easy to see that the low bit is simply the logical-and of the low bits. It takes a moment of staring, but you can see that the high bit is correct as well: The logical formula is a1b xor a0b1Ñ, and if you work out the truth-table presented, you'll see that it is exactly that. Of course, you can use SBV to prove this. First, let's define the function we have synthesized into a symbolic function::{ 1mul22_hi :: (SBool, SBool, SBool, SBool) -> SBoolÃmul22_hi params = params `sElem` [ (sFalse, sTrue , sTrue , sTrue )Ã , (sTrue , sTrue , sFalse, sTrue )Ã , (sTrue , sFalse, sFalse, sTrue )Ã , (sFalse, sTrue , sTrue , sFalse)Ã , (sTrue , sFalse, sTrue , sTrue )Ã , (sTrue , sTrue , sTrue , sFalse)" ]:}Now we can say:Òprove $ \a1 a0 b1 b0 -> mul22_hi (a1, a0, b1, b0) .== (a1 .&& b0) .<+> (a0 .&& b1)Q.E.D.>and rest assured that we have a correctly synthesized circuit!ÑÒÑÒh(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-InferredKÍÓsbvA binary boolean functionÔsbvA ternary boolean functionÕsbvÔPositive Shannon cofactor of a boolean function, with respect to its first argumentÖsbvÔNegative Shannon cofactor of a boolean function, with respect to its first argument×sbvÃShannon's expansion over the first argument of a function. We have:shannonQ.E.D.Øsbv×Alternative form of Shannon's expansion over the first argument of a function. We have:shannon2Q.E.D.Ùsbv’Computing the derivative of a boolean function (boolean difference). Defined as exclusive-or of Shannon cofactors with respect to that variable.ÚsbvæThe no-wiggle theorem: If the derivative of a function with respect to a variable is constant False, then that variable does not "wiggle" the function; i.e., any changes to it won't affect the result of the function. In fact, we have an equivalence: The variable only changes the result of the function iff the derivative with respect to it is not False:noWiggleQ.E.D.Ûsbv‡Universal quantification of a boolean function with respect to a variable. Simply defined as the conjunction of the Shannon cofactors.ÜsbvShow that universal quantification is really meaningful: That is, if the universal quantification with respect to a variable is True, then both cofactors are true for those arguments. Of course, this is a trivial theorem if you think about it for a moment, or you can just let SBV prove it for you:univOKQ.E.D.Ýsbv‰Existential quantification of a boolean function with respect to a variable. Simply defined as the conjunction of the Shannon cofactors.Þsbv°Show that existential quantification is really meaningful: That is, if the existential quantification with respect to a variable is True, then one of the cofactors must be true for those arguments. Again, this is a trivial theorem if you think about it for a moment, but we will just let SBV prove it:existsOKQ.E.D.ÓÔÕÖ×ØÙÚÛÜÝÞÔÓÕÖ×ØÙÚÛÜÝÞi(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=OQßsbvÝA new data-type that we expect to use in an uninterpreted fashion in the backend SMT solver.àsbvSymbolic version of the type ß.ásbv5Declare an uninterpreted function that works over Q'sâsbvÇA satisfiable example, stating that there is an element of the domain ß such that áÌ returns a different element. Note that this is valid only when the domain ß$ has at least two elements. We have:t1Satisfiable. Model: x = Q!val!0 :: Q f :: Q -> Q f _ = Q!val!1ãsbvëThis is a variant on the first example, except we also add an axiom for the sort, stating that the domain ßÒ has only one element. In this case the problem naturally becomes unsat. We have:t2 Unsatisfiableßàáâãßàáâãj(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred56=U«êsbvøA "list-like" data type, but one we plan to uninterpret at the SMT level. The actual shape is really immaterial for us.ësbvSymbolic version of the type ê.ìsbvùAn uninterpreted "classify" function. Really, we only care about the fact that such a function exists, not what it does.ísbvßFormulate a query that essentially asserts a cardinality constraint on the uninterpreted sort ê§. The goal is to say there are precisely 3 such things, as it might be the case. We manage this by declaring four elements, and asserting that for a free variable of this sort, the shape of the data matches one of these three instances. That is, we assert that all the instances of the data êˆ can be classified into 3 equivalence classes. Then, allSat returns all the possible instances, which of course are all uninterpreted.As expected, we have:allSat genLsSolution #1: l = L!val!2 :: L l0 = L!val!0 :: L l1 = L!val!1 :: L l2 = L!val!2 :: L classify :: L -> Integer classify L!val!2 = 2 classify L!val!1 = 1 classify _ = 0Solution #2: l = L!val!1 :: L l0 = L!val!0 :: L l1 = L!val!1 :: L l2 = L!val!2 :: L classify :: L -> Integer classify L!val!2 = 2 classify L!val!1 = 1 classify _ = 0Solution #3: l = L!val!0 :: L l0 = L!val!0 :: L l1 = L!val!1 :: L l2 = L!val!2 :: L classify :: L -> Integer classify L!val!2 = 2 classify L!val!1 = 1 classify _ = 0Found 3 different solutions.êëìíêëìíkLevent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred#';=ÁÃÄÅZˆ ôsbvHelper type synonymõsbvThe concrete counterpart of ÷2. Again, we can't simply use the duality between SBV a and a due to the difference between SList a and [a].÷sbvÅThe state of the length program, paramaterized over the element type aùsbvThe first input listúsbvThe second input listûsbvTemporary variableüsbvOutputýsbv The imperative append algorithm:§ zs = [] ts = xs while not (null ts) zs = zs ++ [head ts] ts = tail ts ts = ys while not (null ts) zs = zs ++ [head ts] ts = tail ts þsbvÇA program is the algorithm, together with its pre- and post-conditions.ÿsbvWe check that zs is xs ++ ys upon termination.correctness!Total correctness is established.Q.E.D.€sbvShow instance for ÷ñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.sbvÝ instance for the program state‚sbv>Show instance, a bit more prettier than what would be derived:ôõö÷üûúùøýþÿ÷üûúùøõöôýþÿl(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅ_ñ…sbvHelper type synonym†sbv?The state for the swap program, parameterized over a base type a.ˆsbvInput value‰sbvOutputŠsbvThe increment algorithm: y = x+1 ÕThe point here isn't really that this program is interesting, but we want to demonstrate various aspects of WP proofs. So, we take a before and after program to annotate our algorithm so we can experiment later.‹sbv‚Precondition for our program. Strictly speaking, we don't really need any preconditions, but for example purposes, we'll require x to be non-negative.ŒsbvPostcondition for our program: y must equal x+1.sbvStability: x must remain unchanged.ŽsbvÇA program is the algorithm, together with its pre- and post-conditions.sbvƒState the correctness with respect to before/after programs. In the simple case of nothing prior/after, we have the obvious proof:correctness Skip Skip!Total correctness is established.Q.E.D.sbvá instance for the program state‘sbvShow instance for †ñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.…†‰ˆ‡Š‹ŒŽ†‰ˆ‡…Š‹ŒŽm(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅgÅ˜sbvHelper type synonym™sbv>The state for the sum program, parameterized over a base type a.›sbvThe input valueœsbvLoop countersbvtracks fib (i+1)žsbvtracks fib iŸsbv#The imperative fibonacci algorithm:Ñ i = 0 k = 1 m = 0 while i < n: m, k = k, m + k i++ When the loop terminates, m contains fib(n). sbvÆSymbolic fibonacci as our specification. Note that we cannot really implement the fibonacci function since it is not symbolically terminating. So, we instead uninterpret and axiomatize it below.ÁNB. The concrete part of the definition is only used in calls to « = and is not needed for the proof. If you don't need to call « <, you can simply ignore that part and directly uninterpret.¡sbvñConstraints and axioms we need to state explicitly to tell the SMT solver about our specification for fibonacci.¢sbvPrecondition for our program: n must be non-negative.£sbvPostcondition for our program: m = fib n¤sbv(Stability condition: Program must leave n unchanged.¥sbvÇA program is the algorithm, together with its pre- and post-conditions.¦sbvÁWith the axioms in place, it is trivial to establish correctness:correctness!Total correctness is established.Q.E.D.ƒNote that I found this proof to be quite fragile: If you do not get the algorithm right or the axioms aren't in place, z3 simply goes to an infinite loop, instead of providing counter-examples. Of course, this is to be expected with the quantifiers present.§sbvá instance for the program state¨sbvShow instance for ™ñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.˜™ž›œšŸ ¡¢£¤¥¦™ž›œš˜Ÿ ¡¢£¤¥¦n(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅp°¯sbvHelper type synonym°sbv>The state for the sum program, parameterized over a base type a.²sbvFirst value³sbvSecond value´sbvCopy of x to be modifiedµsbvCopy of y to be modified¶sbv9The imperative GCD algorithm, assuming strictly positive x and y:¼ i = x j = y while i != j -- While not equal if i > j i = i - j -- i is greater; reduce it by j else j = j - i -- j is greater; reduce it by i When the loop terminates, i equals j and contains GCD(x, y).·sbvºSymbolic GCD as our specification. Note that we cannot really implement the GCD function since it is not symbolically terminating. So, we instead uninterpret and axiomatize it below.ÁNB. The concrete part of the definition is only used in calls to « = and is not needed for the proof. If you don't need to call « ì, you can simply ignore that part and directly uninterpret. In that case, we simply use Prelude's version.¸sbvëConstraints and axioms we need to state explicitly to tell the SMT solver about our specification for GCD.¹sbvPrecondition for our program: x and y must be strictly positiveºsbvPostcondition for our program: i == j and i = gcd x y»sbv(Stability condition: Program must leave x and y unchanged.¼sbvÇA program is the algorithm, together with its pre- and post-conditions.½sbvÁWith the axioms in place, it is trivial to establish correctness:correctness!Total correctness is established.Q.E.D.ƒNote that I found this proof to be quite fragile: If you do not get the algorithm right or the axioms aren't in place, z3 simply goes to an infinite loop, instead of providing counter-examples. Of course, this is to be expected with the quantifiers present.¾sbvá instance for the program state¿sbvShow instance for °ñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.¯°µ³²´±¶·¸¹º»¼½°µ³²´±¯¶·¸¹º»¼½o(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅy’ÆsbvHelper type synonymÇsbvÃThe state for the division program, parameterized over a base type a.ÉsbvThe dividendÊsbvThe divisorËsbvThe quotientÌsbv The remainderÍsbv9The imperative division algorithm, assuming non-negative x and strictly positive y:— r = x -- set remainder to x q = 0 -- set quotient to 0 while y <= r -- while we can still subtract r = r - y -- reduce the remainder q = q + 1 -- increase the quotient ¤Note that we need to explicitly annotate each loop with its invariant and the termination measure. For convenience, we take those two as parameters for simplicity.ÎsbvPrecondition for our program: x must non-negative and yÄ must be strictly positive. Note that there is an explicit call to Ÿî in our program to protect against this case, so if we do not have this precondition, all programs will fail.ÏsbvÌPostcondition for our program: Remainder must be non-negative and less than y, and it must hold that x = q*y + r:ÐsbvStability: x and y must remain unchanged.ÑsbvÇA program is the algorithm, together with its pre- and post-conditions.ÒsbvThe invariant is simply that x = q * y + r holds at all times and r$ is strictly positive. We need the y > 0ä part of the invariant to establish the measure decreases, which is guaranteed by our precondition.ÓsbvThe measure. In each iteration r0 decreases, but always remains positive. Since y is strictly positive, r% can serve as a measure for the loop.ÔsbvÈCheck that the program terminates and the post condition holds. We have:correctness!Total correctness is established.Q.E.D.Õsbvá instance for the program stateÖsbvShow instance for Çñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.ÆÇËÊÌÉÈÍÎÏÐÑÒÓÔÇËÊÌÉÈÆÍÎÏÐÑÒÓÔp(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅƒÝsbvHelper type synonymÞsbvÃThe state for the division program, parameterized over a base type a.àsbv The inputásbvThe floor of the square rootâsbv%Successive squares, as the sum of j'sãsbvSuccessive oddsäsbv 0. part is needed to establish the termination.êsbvThe measure. In each iteration i4 strictly increases, thus reducing the differential x - iësbvÈCheck that the program terminates and the post condition holds. We have:correctness!Total correctness is established.Q.E.D.ìsbvá instance for the program stateísbvShow instance for Þñ. The above deriving clause would work just as well, but we want it to be a little prettier here, and hence the OVERLAPS directive.ÝÞãàâáßäåæçèéêëÞãàâáßÝäåæçèéêëq(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred';=ÁÃÄÅOôsbvHelper type synonymõsbvThe concrete counterpart to ÷6. Note that we can no longer use the duality between SBV a and aË as in other examples and just use one datatype for both. This is because SList a and [a] are fundamentally different types. This can be a bit confusing at first, but the point is that it is the list that is symbolic in case of an SList a„, not that we have a concrete list with symbolic elements in it. Subtle difference, but it is important to keep these two separate.÷sbvÅThe state of the length program, paramaterized over the element type aùsbvThe input listúsbv Copy of inputûsbvRunning lengthüsbv The imperative length algorithm:Ì ys = xs l = 0 while not (null ys) l = l+1 ys = tail ys ±Note that we need to explicitly annotate each loop with its invariant and the termination measure. For convenience, we take those two as parameters, so we can experiment later.ýsbv>Precondition for our program. Nothing! It works for all lists.þsbvPostcondition for our program: l& must be the length of the input list.ÿsbv(Stability condition: Program must leave xs unchanged.€sbvÇA program is the algorithm, together with its pre- and post-conditions.sbvˆThe invariant simply relates the length of the input to the length of the current suffix and the length of the prefix traversed so far.‚sbv'The measure is obviously the length of ys1, as we peel elements off of it through the loop.ƒsbvWe check that l! is the length of the input list xs› upon termination. Note that even though this is an inductive proof, it is fairly easy to prove with our SMT based technology, which doesn't really handle induction at all! The usual inductive proof steps are baked into the invariant establishment phase of the WP proof. We have:correctness!Total correctness is established.Q.E.D.„sbvÉShow instance: A simplified version of what would otherwise be generated.…sbv'We have to write the bijection between ÷ and õÂ explicitly. Luckily, the definition is more or less boilerplate.†sbvÀShow instance: Similarly, we want to be a bit more concise here.ôõö÷úùûøüýþÿ€‚ƒ÷úùûøõöôüýþÿ€‚ƒr(c) Levent ErkokBSD3erkokl@gmail.comexperimental Safe-Inferred '89:;=ÁÃÄÅ™ ‰sbvHelper type synonymŠsbv>The state for the sum program, parameterized over a base type a.ŒsbvThe input valuesbvLoop counterŽsbvRunning sumsbv#The imperative summation algorithm:; i = 0 s = 0 while i < n i = i+1 s = s+i ±Note that we need to explicitly annotate each loop with its invariant and the termination measure. For convenience, we take those two as parameters, so we can experiment later.sbvPrecondition for our program: n? must be non-negative. Note that there is an explicit call to Ÿî in our program to protect against this case, so if we do not have this precondition, all programs will fail.‘sbvPostcondition for our program: s5 must be the sum of all numbers up to and including n.’sbv(Stability condition: Program must leave n unchanged.“sbvÇA program is the algorithm, together with its pre- and post-conditions.”sbv&Check that the program terminates and s equals n*(n+1)/26 upon termination, i.e., the sum of all numbers upto n . Note that this only holds if n >= 0Â to start with, as guaranteed by the precondition of our program.#The correct termination measure is n-i9: It goes down in each iteration provided we start with n >= 0° and it always remains non-negative while the loop is executing. Note that we do not need a lexicographic measure in this case, hence we simply return a list of one element.Œ>>Ž>>>‘>ã>’>“>”>•>–>—>˜>™>š>›>œ>>ž>Ÿ> >¡>¢>£>¤>¥>¦>§?È@ÈA¨B©CñCñCªC«CÈC¬CC®C¯C°C±C²C³DñDñD´DµD¶D·D¸D®D°D¹DºD±D²D³EñEñEªE«EÈE»E¼E¬EE½E¾E¿EÀE®E°E±E²E³FñFñFÁF´F·FÂF®F°F¹FºF±F²F³GÃGÈGÈGÄGÅG¸GÆGÇGÈGï Gó GÉGªG«GÊGËGÌGÍGÎGÏGÐGÑGÒGÓGÔGÕGÖHŒH×HØHÙHÚHÛHÜHÝHÞHßHàHÔHáIâIãIäIåIæIçIèIéIêIÔJëJìJÔJíKÔLîLïLðLñLòLóLôLõLöL÷LøMùMúMûNüNýNþNÿN€NN‚NƒN„N…N†N‡NˆN‰NŠN‹NŒNNŽNNN‘N’N“N”N•N–N—N˜N™NšN›NœNNžNŸN N¡N¢N£N¤N¥N¦N§N¨N©NªN«N¬NN®N¯N°N±N²N³N´NµN¶N·N¸N¹NºN»N¼N½N¾N¿NÀNÁNÂNÃNÄNÅNÆNÇNÈNÉNÊNËNÌNÍNÎNÏNÐNÑNÒNÓNÔNÕNÖN×NØNÙNÚNÛNÜNÝNÞNßNàOüOýO€OOáOˆO‰OŒOOâOãOìOÔOäOŽOOO‘O’O“O”O•PüPåPPþPýPæPçPèPˆPéPPŠP‰PêPëPŠPŽPPP‘P’P“P”P•QìQìQíQîQïQðQñQòQÔQóQôRõSöS÷SøSùSúSûSüSýTþTÿT€TT‚TƒT„Tè T…T†T‡TˆT‰TŠT‹TŒTTŽTTT‘T‘TT’T“T”T•T–T—T˜T™TšT›TœTTTžTŸTŸT T¡T¢T£T¤T¥T¦T§T¨T©TªT«TÔT¬TT®T¯T°T±T²T³T´U¥UµU¶V·W¸WöW÷WùWÜW¹WºW»W¼W½W¾W¿WÀWÁWÂWÃXÄXÅXÆXÇXÈXè XÉXÊXËXÌXÍXÎXÏXÐXÑXÒXÓXÔXÕXÖX×XØXÙXÚXÛXÜXÝX™X™XÞXßXàXáXâXãXˆXäXåXæXú XçXèXéXêXëXìXíXîXÓXµXïXðXñXòXóXŒXXŽXXX‘X‘XYôYõZöZ÷[ø[ù[ú[õ[û[ü[ý[þ\Œ\ÿ\€\\‚\ƒ\„\…\“\†\‡\ˆ\‰\Š\‹\Œ\\ \¡\¢\£\¤\¥\¦\§]Ž]Ú]Ü]Û]]]‘]’]“]”]•]–]—]˜]™]š]›]œ]]ž]Ÿ] ]¡]¢]£]Ð]¤]¥]¦]§]¨]©]ª]«]¬]]®]¯]Ô]°]±]²]³]´]µ]¶]·]¸^¹^º_»_¼`½`¾a¿a½a¾a¿bÀbÁbbbÂbÃbbÄbÅbÆbÇbÈbÉbÊbËbÌcÍcÍcÎcÏcÐcÑcÒcÒcÖcÖcž cž cÓcÓcÔcÕcÖc×cÚcãcäcØcëcécècÙcÚcÚcÛcÜcÝcÞcÞcßcàcácâccãcäcåcæcçcècùc¬cc½cécêcëcìcícîcïcðcñcòcócôcõcöc÷cøcùcúcûcücýdþdÿd€eÐee‚eƒe„e…e†e‡eªeˆe‰eŠe‹eŒefþfŽggh‘h’h“h”h•h–h—h˜h‡h™h‰hšiÍi›iþiÖi×iœiižiŸi i¡j¢j£j¤j¥j¦j§j¨j©jªj«kÏk¬k¬kkk®k¯k°k±k²k³k¡k´kµk¶k·k¸l¹lºlºlªl«l²l»l¼l½l¾l¡l¿lÀlÁlÂlÃlÄlÅlÆm¥mÇmÇm·m´mµm¶m²mÈmÉm»m¼m½mÊm¡mËmÌmÍmÎmÏmÐmÑmÒnìnÓnÓnªn«n´nÔn²nÕnÖn»n¼n½n×n¡nØnÙnÚnÛnÜnÝnÞnßoàoáoáoªo«oâoão²o»o¼o½oäoåoæo¡oçoèoéoêoëoìoíoîpñpïpïpªpðp´pÔp²p»p¼p½pñpåpæp¡pòpópôpõpöp÷pøpùqñqúqúqûqûq®q¯qüq²q»q¼q½qýqåqæq¡qþqÿq€qq‚rñrƒrƒr·r´rÁr²r»r¼r½r„r¡r…r†r‡rˆr‰rŠr‹rŒsŽs‘s’s“s”z•z–z—z˜z™zš›œ›žŸ›ž z¡z¢Ž£|¤¥¦§|¨¥©§|ª¥«¬|¥®¯|°±²³´µ¶·¸¹º»¼€½€¾›¿¸€À€Á€Â€Ã€Ä€Å€Æ€Ç€È€É€ÊŽË›ÌÍŽÎ›ÌÏ„Ð„Ñ„Ò„Ó„Ô„Õ›Ö×„Ø„Ù„Ú„Û„Ü„Ý„Þ„ß„à„¼…á…âŽãä…å…æ…ç…è…é…ê…ë…ìŽãí…î…ï…ð…ñ…ò…ó…ôõö÷‡ø‡ù‡ú‡û‡ü‡ý‡þ‡ÿ‡€‡‡‚‡ƒ‡„‡…‡†‡‡‡ˆ›‰Š‡Þ‡þ‡‹‡Œ‡‡Ž‡‡‡‘‡’‡“‡”‡•‡–‡—‡˜‡™‡š‡›‡œ‡‡ž‡Ÿ‡ ‡¡‡¢‡£‡¤‡¥‡¦‡§‡¨‡©‡ª‡«‡¬‡‡®‡¯‡°‡±‡²‡³‡´‡µ‡¶‡·‡¸‡¹‡º‡»‡¼‡½‡“‡¾‡¿‡À‡Á‡š‡›‡Â‡Ã‡Ä‡Å‡Æ‡Ç‡È‡É›ÊË‡Ì‡Í‡Î‡Ï‡Ð‡Ñ‡Ò‡Ó‡Ô‡Õ‡Ö‡×ŽãØŽãÙ‡Ú‡ù‡Û‡È‡Ü‡Ý‡Þ‡ß‡à‡á‡â‡ã‡ä‡å‡æ‡ç‡è‡é‡ê‡ë‡ì‡í‡î‡ï‡ð‡ñ‡ò‡ó‡ô‡õ‡û‡ö‡÷‡ø‡ÿ‡ù‡ú‡û‡ü‡ý‡þ‡ÿ‡€‡‡‚‡ƒ‡„‡…‡†‡‡‡ˆ‡‰‡Š‡‹‡Œ‡‡Ž‡‡‡‘‡’‡“‡”‡•‡–‡—¢˜¢™¢š¢›¢œ¢¢ž¢Ÿ¢ ¢¡¢ô¢¢¢£¢¤¥¦§›¨©¢ª¢«¢¬¢¢®¢¯¢°¢±¢²¢³¢´¢ž›‰µ›ž¶Ž·Ž¸›¹‚›¹ƒ›¹º›¹»§¼§½›¾¿§À§Á½Â½Ã½Ä½Å½Æ½Ç½È½É½Ê½Ë½Ì½Í½Î½Ï½Ð½Ñ½Ò½Ó½Ô½Õ¾Ö¾×¾Ø¾Ù¾Ú¿Û¿Ü¿Ý¿Þ¿œ¿ß¿à¿á¿â¿ã¿ä¿å¿æ¿ç¿èÀéÀêÀëÀìÀíÀîÀïÀðÀñÀòÀóÁôÁõÁöÁ÷ÁøÁùÁúÁûÃüÃýÃþÃÿÄ€ÄÄ‚ÄƒÄ„Ä…Ä†Ž‡ÄˆÄ‰ÄŠÄ‹ÄŒÄÄŽÄÄÄ‘Ä’Ä“Ä”Ä•Ä–Ä—Ä˜Ä™ÄšŽ›Äœ›žÄŸÄ Ä¡Ä¢Ä£Ä¤Ä¥Ä¦›§¨Ä©Äª›§«Ä¬Ä›§®Ä¯›Ì°Ä±›§²Ä³›Ì´ÄµÄ¶Ä·Ä¸Ä¹ÈˆÉ‰ÊŒËòÌ“ ÍŠÎ‹Ï’ Ð‘ ÑºÑ»Ñ¼Ñ½Ñ¾Ñ¿ÑÀÑÁÑÔÑÕÑÂÑÛÑÃÑÜÑÝÑÄÑÅÑÆÑÇÑÈÑÉÑàÑÊÑáÑâÑËÑåÑÌÑæÑÍÑèÑÎÑéÑÏÑÐÑÑÑÒÑÓÑÔÑÕÑÖÑ×ÑØÑÙÑÚÑÛÑÜÑÝÑÞÑßëàëáëïëðëñëâëãëäëåëæë— ‚ç‚è‚é‚ê‚ë˜ï˜ð˜ì˜í›îï›œð›œñ›òó›œô›œõ›œö›œÐ›¨÷›¨ø›¨ùŽúŽãûŽãü˜ý˜þ˜˜ ˜£˜¦˜©˜¬˜¯˜²˜µ˜¸˜»˜¾˜Á˜Ã˜Ä˜Å˜Æ˜Ç˜È˜É˜Ê˜Ë˜Ì˜Í˜Î˜Ï˜Ð˜Ñ˜Ò˜Ó˜Ô˜Ö˜Ù˜Ü˜Þ˜ß˜à˜á˜â˜ã˜ä˜å˜æ˜ç˜è˜é˜ê˜™˜š˜ÿ˜€˜˜¢˜£˜‚˜ƒ˜„˜…˜†›œ‡˜ˆ›¨‰›¨Š›¨‹›¨Œ˜˜Ž˜˜˜‘˜’˜“˜”˜•˜–˜—›Öð˜˜˜™˜š˜›˜œ˜˜ž˜Ÿ˜ ˜¡ ¢ £ ù ¤Ø¥¦§¨©ª›¹«›‰¬Ø¥¦§¨©ªóõó÷óó®ó¯ó°ó±ó²ó³ó´óµó¶›ò·ó¸ó¹óºó»ó¼ó½ó¾ó¿óÀóÁóÂóÃóÄóÅóÆóÇóÈóÉÊËÌÍÎ”“ÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàùáùâù§ù¨ùãù©ùäùØùåù¥ùæùçù¦ùïùðùñùèùéùêùëùìùíùîùïùðùñòóóØ§ôúõúöú÷ûåûïûðûñûÔûÕûÛûÜûÝûàûáûâûæûèûé‹øùúûüýþÿ€‚ƒ„…†‡ŽˆŽ‰ŽŠŽ‹ŽŒŽŽºŽ’Ž›Ž“Ž™ŽšŽ›ŽœŽ›œŽŽ›‘›ž’›ž’›ž“›ž”›ž”›ž•›ž–›ž–›ž—›žè›žè›ž˜›ž™›Ìš›Ì››Ìœ›Ì›Ìž›ÌŸ›Ì ›¨¡›¨¢›¨£›¨¤›¨Ÿ›¨¥›¨¦›¨§›¨¨›¨©›¨ª›¨«›¨¬›¨Ö ›¨›¨®›¨¯›¨°›¨±›¨²›¨³›¨´›¨µ›œ¶›œ·›œ¸¹è º»¼½¾¿›ÀÁÂsbv-9.2-EXhSlRq2jzw1HOWUUNWVFEData.SBV.TransData.SBV.Trans.ControlData.SBVData.SBV.InternalsData.SBV.FloatData.SBV.ControlData.SBV.RegExpData.SBV.DynamicData.SBV.Tools.GenTestData.SBV.TupleData.SBV.Tools.STreeData.SBV.StringData.SBV.SetData.SBV.RationalData.SBV.Maybe Data.SBV.ListData.SBV.EitherData.SBV.Tools.PolynomialData.SBV.Tools.Overflow Data.SBV.CharData.SBV.Tools.CodeGen#Data.SBV.Tools.WeakestPreconditionsData.SBV.Tools.RangeData.SBV.Tools.InductionData.SBV.Tools.BoundedListData.SBV.Tools.BoundedFixData.SBV.Tools.BMC/Documentation.SBV.Examples.BitPrecise.BitTricks2Documentation.SBV.Examples.BitPrecise.BrokenSearch,Documentation.SBV.Examples.BitPrecise.Legato/Documentation.SBV.Examples.BitPrecise.MergeSort.Documentation.SBV.Examples.BitPrecise.MultMask/Documentation.SBV.Examples.BitPrecise.PrefixSum0Documentation.SBV.Examples.CodeGeneration.AddSub2Documentation.SBV.Examples.CodeGeneration.CRC_USB53Documentation.SBV.Examples.CodeGeneration.Fibonacci-Documentation.SBV.Examples.CodeGeneration.GCD9Documentation.SBV.Examples.CodeGeneration.PopulationCount7Documentation.SBV.Examples.CodeGeneration.Uninterpreted%Documentation.SBV.Examples.Crypto.AES%Documentation.SBV.Examples.Crypto.RC4%Documentation.SBV.Examples.Crypto.SHA,Documentation.SBV.Examples.DeltaSat.DeltaSat5Documentation.SBV.Examples.Existentials.CRCPolynomial3Documentation.SBV.Examples.Existentials.Diophantine-Documentation.SBV.Examples.Lists.BoundedMutex4Documentation.SBV.Examples.Lists.CountOutAndTransfer*Documentation.SBV.Examples.Lists.Fibonacci'Documentation.SBV.Examples.Lists.Nested)Documentation.SBV.Examples.Misc.Auxiliary+Documentation.SBV.Examples.Misc.Definitions)Documentation.SBV.Examples.Misc.Enumerate(Documentation.SBV.Examples.Misc.Floating,Documentation.SBV.Examples.Misc.ModelExtract+Documentation.SBV.Examples.Misc.NestedArray(Documentation.SBV.Examples.Misc.Newtypes&Documentation.SBV.Examples.Misc.NoDiv0+Documentation.SBV.Examples.Misc.Polynomials*Documentation.SBV.Examples.Misc.SetAlgebra-Documentation.SBV.Examples.Misc.SoftConstrain%Documentation.SBV.Examples.Misc.Tuple1Documentation.SBV.Examples.Optimization.Enumerate0Documentation.SBV.Examples.Optimization.ExtField1Documentation.SBV.Examples.Optimization.LinearOpt2Documentation.SBV.Examples.Optimization.Production*Documentation.SBV.Examples.Optimization.VM)Documentation.SBV.Examples.ProofTools.BMC/Documentation.SBV.Examples.ProofTools.Fibonacci0Documentation.SBV.Examples.ProofTools.Strengthen)Documentation.SBV.Examples.ProofTools.Sum.Documentation.SBV.Examples.Puzzles.AOC_2021_24+Documentation.SBV.Examples.Puzzles.Birthday(Documentation.SBV.Examples.Puzzles.Coins)Documentation.SBV.Examples.Puzzles.Counts.Documentation.SBV.Examples.Puzzles.DogCatMouse*Documentation.SBV.Examples.Puzzles.Drinker+Documentation.SBV.Examples.Puzzles.Euler185'Documentation.SBV.Examples.Puzzles.Fish)Documentation.SBV.Examples.Puzzles.Garden,Documentation.SBV.Examples.Puzzles.HexPuzzle'Documentation.SBV.Examples.Puzzles.Jugs0Documentation.SBV.Examples.Puzzles.LadyAndTigers.Documentation.SBV.Examples.Puzzles.MagicSquare)Documentation.SBV.Examples.Puzzles.Murder*Documentation.SBV.Examples.Puzzles.NQueens0Documentation.SBV.Examples.Puzzles.SendMoreMoney)Documentation.SBV.Examples.Puzzles.Sudoku+Documentation.SBV.Examples.Puzzles.U2Bridge)Documentation.SBV.Examples.Queries.AllSat,Documentation.SBV.Examples.Queries.CaseSplit.Documentation.SBV.Examples.Queries.Concurrency(Documentation.SBV.Examples.Queries.Enums,Documentation.SBV.Examples.Queries.FourFours.Documentation.SBV.Examples.Queries.GuessNumber/Documentation.SBV.Examples.Queries.Interpolants,Documentation.SBV.Examples.Queries.UnsatCore1Documentation.SBV.Examples.Strings.RegexCrossword/Documentation.SBV.Examples.Strings.SQLInjection4Documentation.SBV.Examples.Transformers.SymbolicEval,Documentation.SBV.Examples.Uninterpreted.AUF/Documentation.SBV.Examples.Uninterpreted.Deduce1Documentation.SBV.Examples.Uninterpreted.Function1Documentation.SBV.Examples.Uninterpreted.Multiply0Documentation.SBV.Examples.Uninterpreted.Shannon-Documentation.SBV.Examples.Uninterpreted.Sort5Documentation.SBV.Examples.Uninterpreted.UISortAllSat6Documentation.SBV.Examples.WeakestPreconditions.Append6Documentation.SBV.Examples.WeakestPreconditions.Basics3Documentation.SBV.Examples.WeakestPreconditions.Fib3Documentation.SBV.Examples.WeakestPreconditions.GCD6Documentation.SBV.Examples.WeakestPreconditions.IntDiv7Documentation.SBV.Examples.WeakestPreconditions.IntSqrt6Documentation.SBV.Examples.WeakestPreconditions.Length3Documentation.SBV.Examples.WeakestPreconditions.SumData.SBV.Control.TypessetLogiccheckSatcheckSatAssuminggetValuegetUnsatCoregetUnknownReasonData.SBV.Core.AlgRealsData.SBV.SMT.SMTLibNamesData.SBV.Utils.ExtractIOControl.ConcurrentcatchesData.SBV.Utils.LibData.SBV.Core.KindData.SBV.Utils.NumericfpMinfpMaxData.SBV.Core.SizedFloatsData.SBV.Core.ConcreteData.SBV.Utils.TDiffData.SBV.Core.Symbolicz3yicescvc4 boolectormathSATallSatsatSymbolicQuerymatchRegExpMatchable svToSymSVgenTestsWordNsWordN_sIntNsIntN_runSymbolicaddNewSMTOptionimposeConstraintaddSValOptGoal outputSVal Data.BitsBits Data.SBV.CoreSBVData.SBV.Core.OperationsSFloatSWord32SDoubleSWord64Data.SBV.Core.Data newArray_newArraymkSymVal sbvForall sbvForall_mkForallVars sbvExists sbvExists_mkExistVarsfreefree_ mkFreeVarssymbolic symbolicsoutputtimeOutDataSetmkSymSBV sbvToSymSW EqSymbolicData.SBV.Utils.SExprData.SBV.Utils.PrettyNumData.SBV.Utils.CrackNumData.SBV.SMT.UtilsData.SBV.SMT.SMTLib2registerKindData.SBV.SMT.SMTLibData.SBV.SMT.SMToptimizesafeproveData.SBV.Provers.Z3Data.SBV.Provers.YicesData.SBV.Provers.MathSATData.SBV.Provers.DRealData.SBV.Provers.CVC5Data.SBV.Provers.CVC4Data.SBV.Provers.BoolectorData.SBV.Provers.BitwuzlaData.SBV.Provers.ABCData.SBV.Control.UtilssAssertiomodifyQueryStateinNewContext freshVar_freshVarfreshArray_ freshArray queryDebugasksendretrieveResponsegetFunctiongetUninterpretedValue getValueCV getUICValgetUIFunCVAssoc checkSatUsingobservegetUIsgetUnsatAssumptionstimeout unexpectedexecuteQueryQueryTData.SBV.Control.QuerygetInfo ensureSatgetSMTResultgetLexicographicOptResultsgetIndependentOptResultsgetParetoOptResultsgetModel$checkSatAssumingWithUnsatisfiableSetgetAssertionStackDepthinNewAssertionStackpushpop caseSplitresetAssertionsechoexitgetProofgetInterpolantMathSATgetInterpolantZ3 getAssertions getAssignmentmkSMTResultData.SBV.Provers.ProversName_sNamesafeWith universal_ universalexistential_existential proveWithdprove dproveWithsatWith allSatWithoptimizeWith isVacuous isVacuousWith isTheorem isTheoremWith isSatisfiableisSatisfiableWithrunSMT runSMTWithData.SBV.Core.ModelStatusfpIsEqualObjectgenMkSymVarsBoolsBool_sBoolssWord8sWord8_sWord8ssWord16sWord16_sWord16ssWord32sWord32_sWord32ssWord64sWord64_sWord64ssInt8sInt8_sInt8ssInt16sInt16_sInt16ssInt32sInt32_sInt32ssInt64sInt64_sInt64ssInteger sInteger_ sIntegerssRealsReal_sRealssFloatsFloat_sFloatssDoublesDouble_sDoublessFPHalfsFPHalf_sFPHalfs sFPBFloat sFPBFloat_ sFPBFloats sFPSingle sFPSingle_ sFPSingles sFPDouble sFPDouble_ sFPDoublessFPQuadsFPQuad_sFPQuadssFloatingPointsFloatingPoint_sFloatingPointssCharsChar_sCharssStringsString_sStringssListsList_sListssTuplesTuple_sTuples sRational sRational_ sRationalssEithersEither_sEitherssMaybesMaybe_sMaybessSetsolveGGenericsassertWithPenaltyminimizemaximizeData.SBV.ProversdRealData.SBV.Core.SizedsWordsWord_sIntsInt_sIntsData.SBV.Core.FloatingData.SBV.ClientData.SBV.Control.BaseIOProduceUnsatCores getOptiongetObservablesUnsat setOptionProduceUnsatAssumptionsnamedConstraint OptionKeyword ProduceProofsProduceInterpolantsconstrainWithAttributeProduceAssertionsProduceAssignmentsverboseredirectVerboseData.SBV.Compilers.CodeGen compileToCLibData.SBV.Compilers.CData.SBV.Client.BaseIOdsat defaultSMTCfgallSatMaxModelCount sbvToSymSVsWords SFPBFloatSEither SRationalSMaybeSSetsSet_sSetsData.SBV.SMTgetModelDictionaries Control.MonadwhenabortLogicAUFLIAAUFLIRAAUFNIRALRAQF_ABVQF_AUFBV QF_AUFLIAQF_AXQF_BVQF_IDLQF_LIAQF_LRAQF_NIAQF_NRAQF_RDLQF_UFQF_UFBVQF_UFIDLQF_UFLIAQF_UFLRAQF_UFNRA QF_UFNIRAUFLRAUFNIAQF_FPBVQF_FPQF_FDQF_S Logic_ALL Logic_NONECustomLogic SMTOptionDiagnosticOutputChannel RandomSeedReproducibleResourceLimitSMTVerbositySetLogicSetInfoSMTInfoResponseResp_UnsupportedResp_AllStatisticsResp_AssertionStackLevelsResp_Authors Resp_Error Resp_NameResp_ReasonUnknownResp_VersionResp_InfoKeywordSMTReasonUnknown UnknownMemOutUnknownIncompleteUnknownTimeOutUnknownOtherSMTErrorBehaviorErrorImmediateExitErrorContinuedExecutionSMTInfoFlag AllStatisticsAssertionStackLevelsAuthors ErrorBehaviorName ReasonUnknownVersionInfoKeywordCheckSatResultSatDSatUnk RationalCVRatIrreducibleRatExact RatApproxRatIntervalAlgRealPolyAlgRealAlgRationalAlgPolyRootAlgInterval RealPoint OpenPointClosedPoint realPointalgRealToRationalsmtLibReservedNames ExtractIO extractIORoundingModeRoundNearestTiesToEvenRoundNearestTiesToAwayRoundTowardPositiveRoundTowardNegativeRoundTowardZero ValidFloatBVIsNonZeroHasKindkindOfhasSign intSizeOf isBoolean isBoundedisRealisFloatisDouble isRationalisFPisUnbounded isUserSortisCharisStringisListisSetisTupleisMaybeisEithershowTypeKindKBoolKBounded KUnboundedKReal KUserSortKFloatKDoubleKFPKCharKStringKListKSetKTupleKMaybe KRationalKEithersmtRoundingModefpMaxHfpMinHfp2fpfpRemHfpRoundToIntegralHfpIsEqualObjectHfpCompareObjectHfpIsNormalizedHfloatToWordwordToFloatdoubleToWordwordToDoubleFPfpExponentSizefpSignificandSizefpValueFPQuadFPDoubleFPSingleFPBFloatFPHalf FloatingPointfpFromBigFloatfpFromRawRepfpNaNfpInffpZero fpFromIntegerfpFromRational fpEncodeFloatfpFromFloatfpFromDoubleExtCVInfiniteEpsilonInterval BoundedCVAddExtCVMulExtCV GeneralizedCV ExtendedCV RegularCVCV_cvKindcvValCValCAlgRealCIntegerCFloatCDoubleCFP CRationalCCharCStringCListCSet CUserSortCTupleCMaybeCEitherRCSet RegularSet ComplementSetisRegularCV cvSameTypecvToBoolnormCVfalseCVtrueCVliftCV2mapCVmapCV2 mkConstCVTimingNoTimingPrintTiming SaveTiming showTDiffQueryContext QueryInternal QueryExternal SMTSolvername executable preprocessoptionsenginecapabilitiesSolverABC BoolectorBitwuzlaCVC4CVC5DRealMathSATYicesZ3 SMTScript scriptBodyscriptModel SMTResult UnsatisfiableSatisfiableDeltaSatSatExtFieldUnknown ProofErrorSMTModelmodelObjectives modelBindingsmodelAssocsmodelUIFuns SMTConfigtiming printBase printRealPreccrackNumsatCmdallSatPrintAlongsatTrackUFs isNonModelVar validateModeloptimizeValidateConstraints transcript smtLibVersion dsatPrecisionsolver extraArgsallowQuantifiedQueriesroundingModesolverSetOptionsignoreExitCodeSolverCapabilitiessupportsQuantifierssupportsDefineFunsupportsDistinctsupportsBitVectorssupportsUninterpretedSortssupportsUnboundedIntssupportsInt2bv supportsRealssupportsApproxRealssupportsDeltaSatsupportsIEEE754supportsSetssupportsOptimizationsupportsPseudoBooleanssupportsCustomQueriessupportsGlobalDeclssupportsDataTypessupportsDirectAccessorssupportsFlattenedModels SMTLibPgm SMTLibVersionSMTLib2Cached SymbolicT MonadSymbolicsymbolicEnvSValState SBVRunModeSMTModeCodeGenConcreteIStageISetupISafeIRun ArrayInfoArrayContext ArrayFreeArrayMutate ArrayMergeResultreskinds resTracesresObservables resUISegs resInputs resConsts resTables resArraysresUIConsts resAxiomsresAsgnsresConstraints resAssertions resOutputs QueriablecreateprojectembedFreshfresh runQueryT MonadQuery queryState QueryStatequeryAsk querySendqueryRetrieveResponsequeryConfigqueryTerminatequeryTimeOutValuequeryAssertionStackDepth ObjectiveMinimizeMaximizeAssertWithPenaltyPenaltyDefaultPenalty OptimizeStyle LexicographicIndependentParetoNamedSymVarSBVPgmpgmAssignmentsSBVExprSBVAppSBVType VarContextNonQueryVarQueryVar QuantifierALLEXSeqOp SeqConcatSeqLenSeqUnitSeqNth SeqSubseq SeqIndexOfSeqContainsSeqPrefixOfSeqSuffixOf SeqReplace SBVReverseRegExpLiteralAllAllCharNoneRangeConcKStarKPlusOptCompDiffLoopPowerUnionInterRegExOpRegExEqRegExNEqStrOp StrConcatStrLenStrUnitStrNth StrSubstr StrIndexOfStrContainsStrPrefixOfStrSuffixOf StrReplaceStrStrToNatStrNatToStr StrToCodeStrFromCodeStrInRePBOp PB_AtMost PB_AtLeast PB_ExactlyPB_LePB_GePB_EqFPOpFP_CastFP_ReinterpretFP_AbsFP_NegFP_AddFP_SubFP_MulFP_DivFP_FMAFP_SqrtFP_RemFP_RoundToIntegralFP_MinFP_MaxFP_ObjEqualFP_IsNormalFP_IsSubnormal FP_IsZero FP_IsInfiniteFP_IsNaN FP_IsNegative FP_IsPositiveOpPlusTimesMinusUNegAbsQuotRemEqualNotEqualLessThanGreaterThanLessEq GreaterEqIteAndOrXOrNotShlShrRolRorExtractJoin ZeroExtend SignExtendLkUpArrEqArrReadKindCast UninterpretedLabelIEEEFP NonLinear OverflowOp PseudoBooleanSetOpTupleConstructorTupleAccessEitherConstructorEitherIsEitherAccessRationalConstructorMaybeConstructorMaybeIsMaybeAccessSVNodeIdgetId forceSVArgfalseSVtrueSVneedsExistentials isCodeGenMode inSMTModesvUninterpretednewUninterpretedinternalVariable getTableIndexnewExprsvToSV svMkSymVarextractSymbolicSimulationStateinternalConstraintcacheuncache uncacheAIsmtLibVersionExtensionSArrsvTruesvFalsesvBool svIntegersvFloatsvDoublesvFloatingPointsvRealsvAsBoolsvAsIntegersvNumerator svDenominatorsvEnumFromThenTosvPlussvTimessvMinussvUNegsvAbssvDividesvExp svBlastLEsvSetBit svBlastBEsvWordFromLEsvWordFromBE svAddConstantsvIncrementsvDecrementsvQuotsvRem svQuotRemsvEqual svNotEqual svStrongEqual svLessThan svGreaterThansvLessEqsvGreaterEqsvAndsvOrsvXOrsvNotsvShlsvShrsvRolsvRor svExtractsvJoinsvZeroExtendsvSignExtendsvIte svLazyItesvSymbolicMergesvSelectsvSignsvUnsignsvFromIntegral svToWord1svFromWord1 svTestBitsvShiftLeftsvShiftRightsvRotateLeftsvBarrelRotateLeftsvBarrelRotateRight svRotateRightreadSArr writeSArr mergeSArrnewSArreqSArrsvStructuralLessThanSArrayunSArraySymArray sListArray readArray writeArraymergeArraysnewArrayInStateSymValliteralfromCVisConcretely unliteral isConcrete isSymbolicOutputtable SolverContext constrain softConstrainsetInfoaddAxiomaddSMTDefinition setTimeOutcontextState SRoundingMode SMTProblem smtLibPgmSTuple8STuple7STuple6STuple5STuple4STuple3STuple2STupleSListSStringSCharSFPQuad SFPDouble SFPSingleSFPHalfSFloatingPointSRealSIntegerSInt64SInt32SInt16SInt8SWord16SWord8SBoolunSBVgetPathConditionextendPathConditionnaninfinitysNaN sInfinitysTruesFalsesNot.&&.||.<+>.~&.~|.=>.<=>fromBoolsAndsOrsAnysAllsRoundNearestTiesToEvensRoundNearestTiesToAwaysRoundTowardPositivesRoundTowardNegativesRoundTowardZerosRNEsRNAsRTPsRTNsRTZsbvToSV PrettyNumhexSbinShexPbinPhexbinshexchexshexIsbinsbinIreadBin showCFloatshowCDouble showHFloatshowHDoubleshowSMTFloat showSMTDouble cvToSMTLibmkSkolemZero showBFloatshowFloatAtBaseshowNegativeNumber TestStyleHaskellCForteTestVectors getTestValues renderTestSBVExceptionsbvExceptionDescriptionsbvExceptionSentsbvExceptionExpectedsbvExceptionReceivedsbvExceptionStdOutsbvExceptionStdErrsbvExceptionExitCodesbvExceptionConfigsbvExceptionReasonsbvExceptionHint ModelablemodelExistsgetModelAssignmentgetModelDictionary getModelValuegetModelUninterpretedValueextractModelgetModelObjectivesgetModelObjectiveValuegetModelUIFunsgetModelUIFunValueSatModelparseCVscvtModelOptimizeResultLexicographicResultParetoResultIndependentResult SafeResultAllSatResultallSatMaxModelCountReachedallSatHasPrefixExistentialsallSatSolverReturnedUnknownallSatSolverReturnedDSat allSatResults SatResult ThmResultgenParse extractModelsgetModelValuesgetModelUninterpretedValues displayModels showModelregisterUISMTFunction|->querySExecutableProvable MProvabledsatWithvalidateGoal Predicateabcbitwuzlacvc5defaultDeltaSMTCfgproveWithAllproveWithAny satWithAll satWithAnysatConcurrentWithAnyproveConcurrentWithAnysatConcurrentWithAllproveConcurrentWithAllgenerateSMTBenchmarkisSafeEquality===MetricMetricSpace toMetricSpacefromMetricSpace msMinimize msMaximizeuninterpret cgUninterpretsbvUninterpretsym Mergeable symbolicMergeselect SDivisiblesQuotRemsDivModsQuotsRemsDivsModSFiniteBitssFiniteBitSizelsbmsbblastBEblastLE fromBitsBE fromBitsLEsTestBitsExtractBits sPopCountsetBitTo fullAdderfullMultipliersCountLeadingZerossCountTrailingZeros SIntegralOrdSymbolic.<.<=.>.>=sminsmaxinRange.==./=.===./==distinctdistinctExceptallEqualsElemsNotElemSymTuple genLiteral genFromCVsRealToSIntegerlabel observeIfsObserveoneIfpbAtMost pbAtLeast pbExactlypbLepbGepbEq pbMutexedpbStronglyMutexed.^ sFromIntegral sShiftLeftsShiftRightsSignedShiftArithRightsRotateLeftsBarrelRotateLeftsRotateRightsBarrelRotateRightliftQRemliftDModiteiteLazy sbvQuickCheckuntupletuple^._1_2_3_4_5_6_7_8$fMetric(,,,,,,,)$fMetric(,,,,,,)$fMetric(,,,,,)$fMetric(,,,,) $fMetric(,,,)$fMetric(,,)$fMetric(,)$fHasField"_8"h(,,,,,,,)$fHasField"_7"g(,,,,,,,)$fHasField"_7"g(,,,,,,)$fHasField"_6"f(,,,,,,,)$fHasField"_6"f(,,,,,,)$fHasField"_6"f(,,,,,)$fHasField"_5"e(,,,,,,,)$fHasField"_5"e(,,,,,,)$fHasField"_5"e(,,,,,)$fHasField"_5"e(,,,,)$fHasField"_4"d(,,,,,,,)$fHasField"_4"d(,,,,,,)$fHasField"_4"d(,,,,,)$fHasField"_4"d(,,,,)$fHasField"_4"d(,,,)$fHasField"_3"c(,,,,,,,)$fHasField"_3"c(,,,,,,)$fHasField"_3"c(,,,,,)$fHasField"_3"c(,,,,)$fHasField"_3"c(,,,)$fHasField"_3"c(,,)$fHasField"_2"b(,,,,,,,)$fHasField"_2"b(,,,,,,)$fHasField"_2"b(,,,,,)$fHasField"_2"b(,,,,)$fHasField"_2"b(,,,)$fHasField"_2"b(,,)$fHasField"_2"b(,)$fHasField"_1"a(,,,,,,,)$fHasField"_1"a(,,,,,,)$fHasField"_1"a(,,,,,)$fHasField"_1"a(,,,,)$fHasField"_1"a(,,,)$fHasField"_1"a(,,)$fHasField"_1"a(,)$fTuple(,,,,,,,)(,,,,,,,)$fTuple(,,,,,,)(,,,,,,)$fTuple(,,,,,)(,,,,,)$fTuple(,,,,)(,,,,)$fTuple(,,,)(,,,)$fTuple(,,)(,,) $fTuple(,)(,)STree readSTree writeSTreemkSTree$fMergeableSTreeInternal$fShowSTreeInternallengthnullheadtailunconsinit singleton strToStrAtstrToCharAt!!implode.:snocnilconcat++ isInfixOf isPrefixOf isSuffixOftakedropsubStrreplaceindexOf offsetIndexOfreversestrToNatnatToStremptyfullfromList complementinsertdeletemember notMemberisEmptyisFullisUniversalhasSize isSubsetOfisProperSubsetOfdisjointunionunionsintersection intersections difference\\.%sNothing isNothingsJustisJust fromMaybefromJust liftMaybemapmap2maybe$fNumSBVlistToListAtelemAtelemnotElemsubListsLeftisLeftsRightisRight liftEithereitherbimapfirstsecondfromLeft fromRightSIntIntNSWordWordN bvExtract# zeroExtend signExtendbvDropbvTake Polynomial polynomialpAddpMultpDivpModpDivModshowPolyshowPolynomialaddPolyitesmdpcrcBVcrc$fPolynomialSBV$fPolynomialSBV0$fPolynomialSBV1$fPolynomialSBV2$fPolynomialSBV3$fPolynomialWord64$fPolynomialWord32$fPolynomialWord16$fPolynomialWord8CheckedArithmetic+!-!*!/! negateChecked ArithOverflowbvAddObvSubObvMulO bvMulOFastbvDivObvNegOsFromIntegralOsFromIntegralChecked$fArithOverflowSVal$fArithOverflowSBV$fArithOverflowSBV0$fArithOverflowSBV1$fArithOverflowSBV2$fArithOverflowSBV3$fArithOverflowSBV4$fArithOverflowSBV5$fArithOverflowSBV6$fArithOverflowSBV7$fArithOverflowSBV8$fCheckedArithmeticIntN$fCheckedArithmeticWordN$fCheckedArithmeticInt64$fCheckedArithmeticInt32$fCheckedArithmeticInt16$fCheckedArithmeticInt8$fCheckedArithmeticWord64$fCheckedArithmeticWord32$fCheckedArithmeticWord16$fCheckedArithmeticWord8IEEEFloatConvertible fromSFloattoSFloatfromSDouble toSDoublefromSFloatingPointtoSFloatingPointIEEEFloatingfpAbsfpNegfpAddfpSubfpMulfpDivfpFMAfpSqrtfpRemfpRoundToIntegral fpIsNormal fpIsSubnormalfpIsZerofpIsInfinitefpIsNaNfpIsNegativefpIsPositivefpIsNegativeZerofpIsPositiveZero fpIsPointsFloatAsSWord32sDoubleAsSWord64blastSFloatblastSDoubleblastSFloatingPointsWord32AsSFloatsWord64AsSDoublesFloatAsComparableSWord32sDoubleAsComparableSWord64sFloatingPointAsSWordsFloatingPointAsComparableSWordsWordAsSFloatingPointordchr toLowerL1 toUpperL1 digitToInt intToDigitisControlL1 isSpaceL1 isLowerL1 isUpperL1 isAlphaL1isAlphaNumL1 isPrintL1isDigit isOctDigit isHexDigit isLetterL1isMarkL1 isNumberL1isPunctuationL1 isSymbolL1 isSeparatorL1isAsciiisLatin1isAsciiUpperisAsciiLower everythingnothinganyCharexactlyoneOfnewlinetabwhiteSpaceNoNewLine whiteSpacepunctuationasciiLetter asciiLower asciiUpperdigitoctDigithexDigitdecimaloctalhexadecimalfloating identifier$fRegExpMatchableSBV$fRegExpMatchableSBV0sbvCheckSolverInstallationdefaultSolverConfiggetAvailableSolversmkSymbolicEnumerationmkUninterpretedSort CgPgmKind CgMakefileCgHeaderCgSourceCgDriverCgPgmBundleCgSRealTypeCgFloatCgDoubleCgLongDouble SBVCodeGenCgStatecgInputs cgOutputs cgReturnscgPrototypescgDecls cgLDFlags cgFinalConfigCgValCgAtomicCgArrayCgConfigcgRTC cgIntegercgRealcgDriverValscgGenDriver cgGenMakefilecgIgnoreAssertscgOverwriteGenerated cgShowU8InHexCgTarget targetName translatedefaultCgConfiginitCgStatecgSym cgPerformRTCs cgIntegerSizecgSRealTypecgGenerateDrivercgGenerateMakefilecgSetDriverValuescgIgnoreSAssertcgAddPrototypecgOverwriteFilescgShowU8UsingHex cgAddDeclcgAddLDFlags svCgInputsvCgInputArr svCgOutput svCgOutputArr svCgReturn svCgReturnArrcgInput cgInputArrcgOutputcgOutputArrcgReturncgReturnArr isCgDriverisCgMakefilecodeGenrenderCgPgmBundle compileToCcompileToC'compileToCLib'sendStringToSolverretrieveResponseFromSolversendRequestToSolversComparableSWord32AsSFloatsComparableSWord64AsSDouble sComparableSWordAsSFloatingPointtoSizedToSized fromSized FromSized ByteConvertertoBytes fromBytescrack$fByteConverterSBV$fByteConverterSBV0$fByteConverterSBV1$fByteConverterSBV2$fByteConverterSBV3$fByteConverterSBV4$fByteConverterSBV5$fByteConverterSBV6GoodStuckWPConfigwpSolver wpVerboseProofResultProven IndeterminateFailedVCBadPreconditionBadPostconditionUnstableAbortReachableInvariantPreInvariantMaintainMeasureBoundMeasureDecreaseStmtSkipAbortAssignIfWhileSeqMeasure InvariantStableProgramsetuppreconditionprogram postcondition stabilityassertstablewpProveWithwpProvedefaultWPCfgtraceExecution$fShowVC$fShowProofResult$fShowStatusBoundary UnboundedOpenClosedranges rangesWith$fShowRangeInductionResult InductionStep InitiationConsecutionPartialCorrectnessinduct inductWith$fShowInductionStep$fShowInductionResultbfoldrbfoldrMbfoldlbfoldlMbsumbprodbmapbmapMbfilterbandborbanyballbmaximumbminimumbzipWithbelembreversebsortbfixbmcbmcWithsvQuickChecksvNewVar svNewVar_fastMinCorrectfastMaxCorrectoppositeSignsCorrectconditionalSetClearCorrectpowerOfTwoCorrectqueriesmidPointBroken midPointFixedmidPointAlternativecheckArithOverflowcheckCorrectMidValueInitValsInstructionMostekmemory registersflagsMemoryLocationF1F2LOFlags RegistersBitValueFlagFlagCFlagZRegisterRegXRegAgetRegsetReggetFlagsetFlagpeekpoke checkOverflowcheckOverflowCorrectldxldaclcrorMrorRbccadcdexbneendlegato runLegatoinitMachinelegatoIsCorrectcorrectnessTheorem legatoInC$fGenericMostek$fMergeableMostek$fEqLocation $fOrdLocation$fIxLocation$fBoundedLocation$fEqFlag $fOrdFlag$fIxFlag $fBoundedFlag$fEqRegister $fOrdRegister$fIxRegister$fBoundedRegisterEmerge mergeSort nonDecreasingisPermutationOfcorrectnessmaskAndMult PowerListtiePLzipPLunzipPLpslfflIsCorrectthm1thm2addSub genAddSubusb5crcUSBcrcUSB'crcGoodcg1cg2fib0fib1genFib1fib2genFib2sgcd sgcdIsCorrect genGCDInCpopCountSlowpopCountFastpop8fastPopCountIsCorrectgenPopCountInC shiftLefttstShiftLeftgenCCodeKSKeyGF28gf28Multgf28Powgf28InverserotRroundConstants invMixColumnskeyExpansion sboxTablesboxunSBoxTableunSBoxsboxInverseCorrectaddRoundKeyt0Funct0t1t2t3u0Funcu0u1u2u3doRoundsaesRoundaesInvRoundaesKeySchedule aesEncrypt aesDecryptt128Enct128Dect192Enct192Dect256Enct256Decaes128IsCorrectcgAES128BlockEncryptaesLibComponentscgAESLibrarycgAES128Libraryhex8RC4SinitSswapprgainitRC4keySchedulekeyScheduleStringencryptdecryptrc4IsCorrecthex2BlockSHAwordSize blockSizesum0Coefficientssum1Coefficientssigma0Coefficientssigma1CoefficientsshaConstantsh0shaLoopCountchmajsum0sum1sigma0sigma1sha224Psha256Psha384Psha512Psha512_224Psha512_256PprepareMessage hashBlockshaPsha224sha256sha384sha512 sha512_224 sha512_256knownAnswerTestscgSHA256chunkByshowHashflyspeck crc_48_16 diffCountgenPolyfindHD4PolynomialsSolutionHomogeneousNonHomogeneousldnbasistestsailors$fShowSolutionIdleReadyCriticalSStatesIdlesReady sCriticalmutex validSequence validTurns checkMutexnotFair$fSatModelState$fHasKindState $fSymValState$fDataState$fReadState$fShowState $fOrdState $fEqStateDeckcoatfourCoat coatCheckmkFibsgenFibs nestedExampleproblem allModelsmodelsWithYAuxsumToN defineSum badExamplegoodExampleABSEsAsBsCeltsfourmaxEminE$fSatModelE $fHasKindE $fSymValE$fDataE$fReadE$fShowE$fOrdE$fEqE assocPlusassocPlusRegularnonZeroAdditionmultInverseroundingAdd fp54BoundsoutsidegenValsnestedArraySHumanHeightInCmHumanHeightInCmSMetresMetrestallestHumanEverceilingHighEnoughForHuman$fSymValMetres$fHasKindMetres$fSymValHumanHeightInCm$fHasKindHumanHeightInCm$fRealHumanHeightInCm$fIntegralHumanHeightInCm$fNumHumanHeightInCm$fEnumHumanHeightInCm$fEqHumanHeightInCm$fOrdHumanHeightInCm$fRealMetres$fIntegralMetres$fNumMetres$fEnumMetres $fEqMetres$fOrdMetres checkedDivtest1test2gfMultmultUnitmultComm multAssoc polyDivModtestGF28SIexampleDictDayMonTueWedThuFriSunSDaysMonsTuesWedsThusFrisSatsSun isWeekend almostWeekendweekendJustOverfirstWeekend$fMetricDay $fSatModelDay$fHasKindDay$fSymValDay $fDataDay $fReadDay $fShowDay$fOrdDay$fEqDay productionallocatexyex1ex2 $fFreshIOS $fEqSymbolicS$fShowS $fFunctorS$fFoldableS$fTraversableSikmn fibCorrect$fMergeableS $fGenericSpgm1pgm2ex3ex4ex5ex6s sumCorrectALUenvinputsRegImmregisterwzreadwriteinpaddmuldivmodeqlrunpuzzlemonad $fNumDataMonthmayjunejulyaugustvalid existsDay forallDayexistsMonthforallMonthcherylCoinmkCoincombinationsc1c2c3c4c5c6CountcountcountsPSPddrinker1drinker2$fSatModelP $fHasKindP $fSymValP$fDataP$fReadP$fShowPguesseseuler185 solveEuler185ColorRedGreenWhiteYellowBlueNationalityBritonDaneSwede NorwegianGermanSColorsRedsGreensWhitesYellowsBlue$fSatModelColor$fHasKindColor $fSymValColor$fDataColor$fReadColor$fShowColor $fOrdColor $fEqColorBeverageTeaCoffeeMilkBeerWaterSNationalitysBritonsDanesSwede sNorwegiansGerman$fSatModelNationality$fHasKindNationality$fSymValNationality$fDataNationality$fReadNationality$fShowNationality$fOrdNationality$fEqNationalityPetDogHorseCatBirdFish SBeveragesTeasCoffeesMilksBeersWater$fSatModelBeverage$fHasKindBeverage$fSymValBeverage$fDataBeverage$fReadBeverage$fShowBeverage $fOrdBeverage$fEqBeverageSportFootballBaseball VolleyballHockeyTennisSPetsDogsHorsesCatsBirdsFish $fSatModelPet$fHasKindPet$fSymValPet $fDataPet $fReadPet $fShowPet$fOrdPet$fEqPetSSport sFootball sBaseballsVolleyballsHockeysTennis fishOwner$fSatModelSport$fHasKindSport $fSymValSport$fDataSport$fReadSport$fShowSport $fOrdSport $fEqSportFlowercol validPickflowerCountBlackGridSButtonButtonsBlacknextsearchJugcapacitycontenttransferinitJugssolvedmoves$fGenericJug$fMergeableJug ladyAndTigersBoardRowElemcheckdiagisMagicchunkmagicRoleVictimKiller BystanderSexMaleFemaleBarBeachAlone SLocationsBarsBeachsAlone$fSatModelLocation$fHasKindLocation$fSymValLocation$fDataLocation$fReadLocation$fShowLocationSSexsMalesFemale $fSatModelSex$fHasKindSex$fSymValSex $fDataSex $fReadSex $fShowSex$fOrdSex$fEqSexConstgetConstPersonnmagelocationsexroleSRolesVictimsKiller sBystander newPerson getPersonkiller$fShowPerson$fSatModelRole $fHasKindRole$fSymValRole $fDataRole $fReadRole $fShowRole $fOrdRole$fEqRoleisValidnQueens sendMoreMoneyPuzzlesudokudispSolutionsolveAllpuzzle0puzzle1puzzle2puzzle3puzzle4puzzle5puzzle6 allPuzzlesU2MemberBonoEdgeAdamLarryHereThereSTimeTime SU2MembersBonosEdgesAdamsLarry crossTime sCrossTime$fSatModelU2Member$fHasKindU2Member$fSymValU2Member$fDataU2Member$fReadU2Member$fShowU2Member $fOrdU2Member$fEqU2MemberActionsMovetimeflashlBonolEdgelAdamlLarrysHeresTherestartwhereIs xferFlash xferPerson bumpTime1 bumpTime2whenSmove1move2solveNsolveU2$fMergeableStateT$fGenericStatus$fMergeableStatusgoodSumdemocsDemo1csDemo2sharedqueryOnequeryTwosharedDependent firstQuerysecondQuery demoDependentMondayTuesday WednesdayThursdayFridaySaturdaySundaysMondaysTuesday sWednesday sThursdaysFriday sSaturdaysSundayfindDaysBinOpDivideExptUnOpNegateSqrt FactorialSBinOpsPlussMinussTimessDividesExpt$fSatModelBinOp$fHasKindBinOp $fSymValBinOp$fDataBinOp$fReadBinOp$fShowBinOp $fOrdBinOp $fEqBinOpTUFSUnOpsNegatesSqrt sFactorialallPossibleTreesfillsCaseevalgeneratefind$fShowT$fSatModelUnOp $fHasKindUnOp$fSymValUnOp $fDataUnOp $fReadUnOp $fShowUnOp $fOrdUnOp$fEqUnOpguessplayexampleMathSATevenOddpucCoresolveCrosswordMSQLExprConcatReadVarexampleProgramnameRestrReselectRedropRestatementRe exploitRe findInjection$fIsStringSQLExprQrunQCheckResultProvedCounterexamplePropertyEvalunEvalTermVarLitEqualsImpliesEnvenvXenvYresultAllocrunAllocallocallocEnv unsafeCastSBVrunEvalmkResultrunProgramEvalrunPropertyEval generalizemkQuery $fFunctorQ$fApplicativeQ$fMonadQ $fMonadIOQ$fMonadError[]Q $fMonadQueryQ$fEqCheckResult$fShowCheckResult $fFunctorEval$fApplicativeEval$fMonadEval$fMonadReaderEnvEval$fMonadError[]Eval$fEqEnv $fShowEnv$fFunctorAlloc$fApplicativeAlloc$fMonadAlloc$fMonadIOAlloc$fMonadError[]Alloc$fMonadSymbolicAllocfthmproveSArraySBandornotax1ax2ax3$fSatModelB $fHasKindB $fSymValB$fDataB$fReadB$fShowBthmGoodmul22 synthMul22BinaryTernaryposnegshannonshannon2 derivativenoWiggleunivOKexistsOKSQ$fSatModelQ $fHasKindQ $fSymValQ$fDataQ$fReadQ$fShowQLSLclassifygenLs$fSatModelL $fHasKindL $fSymValL$fDataL$fReadL$fShowLAppCAppSxsystszs algorithmimperativeAppend $fShowAppS$fQueriableIOAppSAppC $fShowAppC $fGenericAppS$fMergeableAppSIIncSprepostnoChange imperativeInc $fFreshIOIncS $fShowIncS$fShowIncS0 $fGenericIncS$fMergeableIncS $fFunctorIncS$fFoldableIncS$fTraversableIncSFibSfib axiomatizeFib imperativeFib $fFreshIOFibS $fShowFibS$fShowFibS0 $fGenericFibS$fMergeableFibS $fFunctorFibS$fFoldableFibS$fTraversableFibSGCDSjgcd axiomatizeGCD imperativeGCD $fFreshIOGCDS $fShowGCDS$fShowGCDS0 $fGenericGCDS$fMergeableGCDS $fFunctorGCDS$fFoldableGCDS$fTraversableGCDSDDivSqr imperativeDiv invariantmeasure $fFreshIODivS $fShowDivS$fShowDivS0 $fGenericDivS$fMergeableDivS $fFunctorDivS$fFoldableDivS$fTraversableDivSSqrtSsqrtimperativeSqrt$fFreshIOSqrtS$fShowSqrtS$fShowSqrtS0$fGenericSqrtS$fMergeableSqrtS$fFunctorSqrtS$fFoldableSqrtS$fTraversableSqrtSLenCLenSlimperativeLength $fShowLenS$fQueriableIOLenSLenC $fShowLenC $fGenericLenS$fMergeableLenSSumS imperativeSum $fFreshIOSumS $fShowSumS$fShowSumS0 $fGenericSumS$fMergeableSumS $fFunctorSumS$fFoldableSumS$fTraversableSumSisStartModeOptionghc-prim GHC.TypesTrueisOnlyOnceOptionsetSMTOption$fShowSMTReasonUnknown$fNFDataSMTReasonUnknownisExactRational mkPolyRealalgRealStructuralEqualalgRealStructuralComparealgRealToSMTLib2algRealToHaskellbaseGHC.RealRationalData.EitherLeftRight mergeAlgReals$fFractionalAlgRealIO$fExtractIOWriterTtransformers-0.5.6.2!Control.Monad.Trans.Writer.StrictWriterT$fExtractIOWriterT0Control.Monad.Trans.Writer.Lazy$fExtractIOExceptTControl.Monad.Trans.ExceptExceptT$fExtractIOMaybeTControl.Monad.Trans.MaybeMaybeT $fExtractIOIO isKStringmlift2mlift3mlift4mlift5mlift6mlift7mlift8joinArgs splitArgsqfsToStringstringToQFSInvalidFloatBVZeroWidth Data.DatashowBaseKind kindParensmtTypekindHasSignconstructUKind intOfProxyhasUninterpretedSortsneedsFlattening $fShowKind$fHasKindProxy$fHasKindRoundingModeFloatGHC.WordWord32DoubleWord64bfRemoveRedundantExp bfToStringmkBFOptsfprToSMTLib2fprCompareObjectbfSignum GHC.FloatencodeFloatlift1$fRealFracFP$fRealFP $fRealFloatFP$fFloatingFP$fFractionalFP$fNumFP$fNumFloatingPoint$fShowFloatingPointeqRCSetcompareRCSetGHC.ClassesOrdcvRank showExtCVliftCVshowCV randomCValrandomCV$fShowRCSet $fOrdCValEq$fEqCVal$fShowCV$fHasKindCV$fShowExtCV$fHasKindExtCV$fShowGeneralizedCV$fHasKindGeneralizedCV time-1.11.1.1(Data.Time.Clock.Internal.NominalDiffTimeNominalDiffTime SMTEngine ArrayIndexpathCondInputsAllInps InternInps UserInputsIncStateCacheCgMapUIMap FArrayMapArrayMapTableMapKindSetCnstMapExprMap GHC.MaybeNothingOvOpOverflow_SMul_OVFLOverflow_SMul_UDFLOverflow_UMul_OVFLNROpswKindswNodeIdregExpToSMTStringregExpToStringreorder toNamedSV' toNamedSVnamedNodeIdgetSVgetUserNamegetUserName' objectiveNameisSafetyCheckingIStage isSetupIStageisRunIStagenewIncStatewithNewIncState quantifiernamedSymVaronUserInputsonInternInputsonAllInputsaddInternInputaddUserInput getInputslookupInput getUniversalsuserInpsPrefixByprefixExistentialsprefixUniversalsinputsFromListWithuserInputsToListinternInputsToListinputsToListgetSValPathConditionextendSValPathCondition noInteractivenoInteractiveEvermodifyStatemodifyIncStaterecordObservableincrementInternalCounteraddAssertionnewSV registerLabelnewConstmapSymbolicTsvMkTrackerVar svMkSymVarGenintroduceUserName uncacheGenvalidationRequested$fOrdSV$fEqSV $fShowNROp $fShowOvOp$fShowRegExp$fNumRegExpGHC.NumNum$fIsStringRegExp $fShowRegExOp$fShowStrOp$fShowSeqOp$fShowQuantifier$fEqNamedSymVar$fMonoidInputs$fSemigroupInputs$fShowArrayIndex$fShowQueryContext$fShowSMTConfig$fEqSVal==/=$fMonadSymbolicSymbolicTunArrayIndexrunMode rIncState startTimerCInforObservablesrctr rUsedKinds rUsedLblsrinpsrConstraintsroutsrtblMapspgm rconstMaprexprMap rArrayMap rFArrayMaprUIMaprCgMapraxiomsrSMTOptions rOptGoalsrAssertsrSVCacherAICacherQueryState userInputsinternInputs allInputsrNewInps rNewKinds rNewConstsrNewArrsrNewTblsrNewUIs rNewAsgnsrNewConstraintsSetEqual SetMember SetInsert SetDeleteSetIntersectSetUnion SetSubset SetDifference SetComplement SetHasSizeNR_SinNR_CosNR_TanNR_ASinNR_ACosNR_ATanNR_SqrtNR_SinhNR_CoshNR_TanhNR_ExpNR_LogNR_PowsvStringsvChar eqOptBool svSetEqualrotsvShiftsvMkOverflow mkSymOpSCmkSymOpeqOptisConcreteZero isConcreteOneisConcreteOnes ghc-bignumGHC.Num.IntegerIntegerGHC.BitstestBit isConcreteMax isConcreteMin rationalChecknonzeroCheckrationalSBVChecktupleLTmaybeLTeitherLTsvFloatAsSWord32svDoubleAsSWord64svFloatingPointAsSWordMaybeEitherFalseBool Data.Foldableanyall$fEqSBV $fShowSBVGHC.ShowShow$fSymValRoundingMode$fIsListSBVSExprtokenizeparenDeficit parseSExprrdFPgetTripleFloatgetTripleDoubleconstantMapparseSExprFunctionparseSetLambdaparseLambdaExpressionparseStoreAssociationschainAssignsEConENumERealEFloatEFloatingPointEDoubleEApppads2s16showSMTRationaltoSMTLibRationalHasFloatData FloatDataFPKindCrackNumintgetKindgetExponentDatafloatmkRuler$fCrackNumCV$fShowFPKind$fHasFloatDataFP$fHasFloatDataDouble$fHasFloatDataFloatSMTLibIncConverterSMTLibConverteraddAnnotationsshowTimeoutValuealignDiagnostic alignPlainalignWithPrefixdebug mergeSExpr$fShowSBVException$fExceptionSBVExceptioncvtdeclSort declTuplefindTupleAritiescontainsSum containsMaybecontainsRationalscvtInctoSMTLibtoIncSMTLib toSMTLib2toIncSMTLib2 SolverLine SolverRegular SolverTimeoutSolverExceptionresultConfiggetPrecision parseModelOutInt showSMTResultshowModelDictionaryshowModelUIshCVpipeProcessstandardEnginestandardSolver runSolver recordEndTimestartTranscriptfinalizeTranscript$fSatModel(,,,,,,)$fSatModel(,,,,,)$fSatModel(,,,,)$fSatModel(,,,)$fSatModel(,,) $fSatModel(,)$fSatModel[]$fSatModelCharChar $fSatModel[]0GHC.BaseString$fSatModelRoundingMode$fSatModelCV$fSatModelFloatingPoint$fSatModelDouble$fSatModelFloat$fSatModelAlgReal$fSatModelInteger$fSatModelInt64GHC.IntInt64$fSatModelWord64$fSatModelInt32Int32$fSatModelWord32$fSatModelInt16Int16$fSatModelWord16Word16$fSatModelInt8Int8$fSatModelWord8Word8$fSatModelBool$fSatModel()$fModelableSMTResult$fModelableSatResult$fModelableThmResultSMTFunctionaddQueryConstraint getConfig getObjectives getSBVPgmgetSBVAssertionssyncUpSolver getQueryStatemkFreshArrayaskIgnoringpointWiseExtractmkArggetValueCVHelperdefaultKindedValue sexprToValrecoverKindedValueextractValuegetQuantifiedInputsgetAllSatResultparse runProofOn$fQueriablemtt$fQueriablemSBVa$fSolverContextQueryT$fSMTFunctionFUN(,,,,,,,)r$fSMTFunctionFUN(,,,,,,)r$fSMTFunctionFUN(,,,,,)r$fSMTFunctionFUN(,,,,)r$fSMTFunctionFUN(,,,)r$fSMTFunctionFUN(,,)r$fSMTFunctionFUN(,)r$fSMTFunctionFUNar sexprToArg smtFunNamesmtFunSaturate smtFunType smtFunDefault sexprToFun Assignment classifyModelgetModelAtIndexgetObjectiveValuescheckSatAssumingHelperrestoreTablesAndArraysgetUnsatCoreIfRequestedallOnStdOutrunWithQueryrunInThread sbvWithAny sbvWithAll GMergeablesymbolicMergeDefaultGHC.GenericsGenericIntegralRealGHC.EnumEnumquotRemdivModquotpopCountsetBitclearBitOrderingmaxmingenVargenVar_checkObservableNameliftPBpbToIntegerlift1Flift1FNSlift2FNS lift1SReal lift2SRealfromIntegralliftViaSValshiftLshiftRrotateLrotateRenumCvtsymbolicMergeWithKindcannotMerge concreteMergeaddSymAxiomslet$fSolverContextSymbolicT $fBitsSBV $fFloatingSBV$fFloatingSBV0$fFloatingSBV1$fSymVal(,,,,,,,)$fSymVal(,,,,,,)$fSymVal(,,,,,)$fSymVal(,,,,) $fSymVal(,,,)$fSymVal(,,)$fSymVal(,) $fSymVal()$fEqSymbolicRegExp$fOrdSymbolicSBVTupleHasFieldsymbolicFieldAccesslift2lift3 concEval1 concEval2 concEval3isConcretelyEmptyfoldrJust $fMetricWordN$fSatModelWordN$fSFiniteBitsWordN$fSDivisibleWordN$fSIntegralWordN$fIntegralWordN$fRealWordN$fEnumWordN $fNumWordN$fBoundedWordNBounded $fSymValWordN$fHasKindWordN$fShowWordN$fSDivisibleSBV$fMetricIntN$fSatModelIntN$fSFiniteBitsIntN$fSDivisibleIntN$fSIntegralIntN$fIntegralIntN $fRealIntN $fEnumIntN $fNumIntN $fBoundedIntN$fSymValIntN $fHasKindIntN $fShowIntN$fSDivisibleSBV0sppolyMultzxsxsignBitsameSigndiffSignsvAllallZeroallOnebvuaddobvsaddobvusubobvssubobvumulobvsmuloknownbvumuloFastbvsmuloFastbvudivobvsdivobvunegobvsnegogenericFromFloatgenericToFloat concEval2BaddRMlift1BliftMMlift2Blift1FPlift2FPlift3FP$fRealFloatFloatingPoint$fRealFracFloatingPoint$fRealFloatingPoint$fMetricDouble $fMetricFloat$fIEEEFloatingDouble$fIEEEFloatingFloat liftFunL1 liftPredL1__unuseddeclareSymbolicensureEnumerationensureEmptyDatarender' pprCFunHeaderdeclSV declSVNoConstshowSVpprCWord showCType specifiermkConstgenMake genHeader genDrivergenCProg mergeToLib genLibMakemergeDrivers ToSizedBVToSizedCstrFromSizedBV FromSizedCstr ToSizedErrFromSizedErrRatioWord Data.RatioapproxRationalXorgetXorIorgetIorIffgetIffgetAndoneBits byteSwap64 byteSwap32 byteSwap16bitReverse8bitReverse64bitReverse32bitReverse16 FiniteBits finiteBitSizecountLeadingZeroscountTrailingZeroszeroBitsxorunsafeShiftRunsafeShiftLshiftrotateisSigned complementBitbitSizeMaybebitSizebit.&..|.toIntegralSizedtestBitDefaultpopCountDefault bitDefault numeratordenominator%LocisTotaldispVCisClosedlcasebparabinsertData.Functor.IdentityIdentity