ú΁‚zā,      !"#$%&'()*+ (c) Levent ErkokBSD3erkokl@gmail.com experimentalSafe+The actual annotation.ÏPlugin options. Note that we allow picking multiple solvers, which will all be run in parallel. You can pick and choose any number of them, or if you want to run all available solvers, then use the option v. The default behavior is to error-out on failure, using the default-SMT solver picked by SBV, which is currently Z3.Continue even if proof failsVSkip the proof. Can be handy for properties that we currently do not want to focus on.*Produce verbose output, good for debuggingDProduce really verbose output, use only when things go really wrong!Perform quickCheck +Uninterpret this binding for proof purposes 9Use these names for the arguments; need not be exhaustive NIf a list-input is found, use this length. If not specified, we will complain! Use Z3  Use Yices Use BoolectorUse CVC4 Use MathSATUse ABCURun all installed solvers in parallel, and report the result from the first to finish-A property annotation, using default options.)Synonym for sbv really, just looks cooler   (c) Levent ErkokBSD3erkokl@gmail.com experimentalNone35IN,+The values kept track of by the interpreter-The kinds used by the plugin.'Configuration info as we run the plugin/The interpreter monad0Interpreter environment12Certain "very-polymorphic" things are just special28Given the user options, determine which solver(s) to use3:Structural lifting of a boolean function (eq/neq) over Val4Symbolic equality over values5"Symbolic if-then-else over values.6MCompute the span given a Tick. Returns the old-span if the tick span useless.7Compute the span for a binding.8‰Pick the first "good" span, hopefully corresponding to the closest location to where we are in the code when we issue an error message.9%Show a GHC span in user-friendly form:@This comes mighty handy! Wonder why GHC doesn't have it already:;Outputable instance for Val<Outputable instance for S.Kind=Outputable instance for SKind3,>?@AB-CDEF.GHIJK/0LMNOPQRSTUVWXYZ1[\]^23456789:;<=/,>?@AB-CDEF.GHIJK/0LMNOPQRSTUVWXYZ1[\]^23456789,>?@AB-CDEF.GHIJK/0LMNOPQRSTUVWXYZ1[\]^23456789:;<=(c) Levent ErkokBSD3erkokl@gmail.com experimentalNone_#Dispatch the analyzer over bindings`Prove an SBVTheoremagSafely execute an action, catching the exceptions, printing and returning False if something goes wrongbReturns True if proof went thrucĸ’Is this really a dictionary in disguise? This is a terrible hack, and the ice is thin here. But it seems to work. TODO: Figure out if there's a better way of doing this. Note that this function really does get applications, when those dictionaries are parameterized by others. Think of the case where "Eq [a]" dictionary depends on "Eq a", for instance. In these cases, GHC to produces applications.dUninterpret an expressioneBConvert a Core type to an SBV Type, retaining functions and tuples _`abcfdge_ _`abcfdge(c) Levent ErkokBSD3erkokl@gmail.com experimentalNone<hTWhat tuple-sizes we support? We go upto 15, but would be easy to change if necessaryi.Build the initial environment containing typesj2Build the initial environment containing functionsk#Basic conversions, only on one kindl?Symbolic functions supported by the plugin; those from a class.m DestructorsnlThese types show up during uninterpretation, but are not really "interesting" as they are singly inhabited.oTCertain things are just too special, as they uniformly apply to uninterpreted types.p$Lift a binary type, with result boolqLift a unary typerLift a binary types0Lift a binary type, where second argument is Intt(Construct the type for a split operationu'Construct the type for a join operationvType of enumFromTo: [x .. y]w Type of enumFromThenTo: [x .. y]x/Lift a unary SBV function that via kind/integery3Lift a unary SBV function to the plugin value spacez>Lift a two argument SBV function to our the plugin value space{Lifting splits|DLifting an equality is special; since it acts uniformly over tuples.}Lifting enumFromTo: [x .. y]~$Lifting sEnumFromThenTo: [x, y .. z]CImplement [x .. y] or [x, y .. z]; provided the inputs are concretehijklmnopqrstuvwxyz{|}~€ijmnohijklmnopqrstuvwxyz{|}~€ (c) Levent ErkokBSD3erkokl@gmail.com experimentalNoneEntry point to the plugin(c) Levent ErkokBSD3erkokl@gmail.com experimentalNone  (c) Levent ErkokBSD3erkokl@gmail.com experimentalNone5Merging two given sorted lists, preserving the order.!Simple merge-sort implementation.1Check whether a given sequence is non-decreasing.čCheck whether two given sequences are permutations. We simply check that each sequence is a subset of the other, when considered as a set. The check is slightly complicated for the need to account for possibly duplicated elements.ÓAsserting correctness of merge-sort for a list of the given size. Note that we can only check correctness for fixed-size lists. Also, the proof will get more and more complicated for the backend SMT solver as n" increases. Here we try it with 4.We have: R [SBV] tests/T48.hs:100:1-16 Proving "mergeSortCorrect", using Z3. [Z3] Q.E.D. (c) Levent ErkokBSD3erkokl@gmail.com experimentalNoneGThe range detector must output if the range is larger than this amount.NThe range detector must have sent an output before this many cycles have past.+Given a last-signal-time calculator, named  calculate^, check that it satisfies the following three requirements: We must've just sent a signal if:minRate9: The last-time we sent is strictly less than the  amountminRange=: We must've just sent a signal if the range is beyond manualOverrideC: We must've just sent a signal if the manual-override is specifiedmA "bad" implementation, see if you can spot the problem with it, before looking at the failed theorem below!Using SBV, prove that the K is indeed a bad implementation. Here's the output we get from the plugin: Á [SBV] MicroController.hs:85:1-8 Proving "checkBad", using Z3. [Z3] Falsifiable. Counter-example: range = 200 :: Int64 manual = False :: Bool timeSince = 9 :: Int64 šWe're being told that if the range is 200, and manual override is off, and time-since last is 9, then our "calculator" returns 10. But that violates the minRate) requirement, since we never want to go ! cycles without sending a signal! PA "good" implementation, properly handling the off-by-one error of the original.!=We now verify that the good variant is indeed good. We have: P [SBV] MicroController.hs:108:1-9 Proving "checkGood", using Z3. [Z3] Q.E.D.  ! ! ! !(c) Levent ErkokBSD3erkokl@gmail.com experimentalNone "GSBVPlugin can only see definitions in the current module. So we define " ourselves.#Returns 1 if bool is True$ Formalizes Chttp://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMax% Formalizes Chttp://graphics.stanford.edu/~seander/bithacks.html#IntegerMinOrMax& Formalizes Ghttp://graphics.stanford.edu/~seander/bithacks.html#DetectOppositeSigns' Formalizes ]http://graphics.stanford.edu/~seander/bithacks.html#ConditionalSetOrClearBitsWithoutBranching( Formalizes Ghttp://graphics.stanford.edu/~seander/bithacks.html#DetermineIfPowerOf2) Formalizes ?http://graphics.stanford.edu/~seander/bithacks.html#MaskedMerge* Formalizes Chttp://graphics.stanford.edu/~seander/bithacks.html#RoundUpPowerOf2+ Formalizes >http://graphics.stanford.edu/~seander/bithacks.html#ZeroInWord "#$%&'()*+ "#$%&'()*+ "#$%&'()*+ "#$%&'()*+‚      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOP8QRST:UVWXYZ[\]^_`ab;cdefghijklmnopqrstuvwxyz{|}~€‚ƒ„…†‡ˆ‰sbvPl_ES4AYXtbuZgJUcLnv9hNVsData.SBV.Plugin"Data.SBV.Plugin.Examples.MergeSort(Data.SBV.Plugin.Examples.MicroController"Data.SBV.Plugin.Examples.BitTricksData.SBV.Plugin.DataData.SBV.Plugin.CommonData.SBV.Plugin.AnalyzeData.SBV.Plugin.EnvData.SBV.Plugin.Plugin SBVAnnotationSBVoptions SBVOption IgnoreFailureSkipVerboseDebug QuickCheck UninterpretNamesListSizeZ3Yices BoolectorCVC4MathSATABC AnySolversbvtheorempluginmerge mergeSort nonDecreasingisPermutationOfmergeSortCorrectsafetyDistance maxTimeSince checkSpeccomputeLastBadcheckBadcomputeLastGood checkGoodelemoneIffastMinCorrectfastMaxCorrectoppositeSignsCorrectconditionalSetClearCorrectpowerOfTwoCorrectmaskedMergeCorrectroundPowerOfTwoCorrect zeroInWordValSKindConfigEvalEnvSpecials pickSolvers liftEqValeqValiteValtickSpanvarSpanpickSpanshowSpan $fShowExpr$fOutputableVal$fOutputableKind$fOutputableSKindBaseTypTupLstFuncKBaseKTupKLstKFunisGHCiopts sbvAnnotationcfgEnvcurLocflags machWordSize mbListSize uninterestingrUninterpreted rUsedNamesrUITypesspecialstcMapenvMapdestMapcoreMapbailOut isEqualityisTupleisList analyzeBindprovesafelyproveItisReallyADictionary uninterpretgetTypemkSym mkValidNamesupportTupleSizes buildTCEnv buildFunEnv basicFuncssymFuncs buildDestsuninterestingTypes buildSpecials tlift2Booltlift1tlift2 tlift2ShRottSplittJoin tEnumFromTotEnumFromThenTolift1Intlift1lift2 liftSplitliftEq sEnumFromTosEnumFromThenToenumListthToGHCgrabTH