1. 28 Sep, 2018 1 commit
    • Raphael Rieu-Helft's avatar
      Add support for partial functions · 17ed1270
      Raphael Rieu-Helft authored
      Program functions can be declared as partial with "let/val partial".
      Similarly to "diverges", partial code cannot be ghost, however it does not need to be
      explicitly specified as partial.
      
      Fixes #184.
      17ed1270
  2. 21 Sep, 2018 2 commits
  3. 13 Sep, 2018 4 commits
  4. 12 Sep, 2018 1 commit
    • Guillaume Melquiond's avatar
      Improve the lexicographic order for variants. · 0fb980c6
      Guillaume Melquiond authored
      1. better handle the equality case, which is the reason for using a
         lexicographic order in the first place;
      2. implement a proper lexicographic order, i.e., make (a,b) smaller
         than (a,b,c).
      
      As a consequence of these two changes, in the following example, the VC
      for f goes from (0 <= x /\ x < x) to true:
      
      let rec f (x y : int) : int variant { x, () } = g x y
      with g (x y : int) : int variant { x } = f (x-1) y
      0fb980c6
  5. 07 Jul, 2018 1 commit
    • Andrei Paskevich's avatar
      confine all notation handling inside Ident · 0fea401c
      Andrei Paskevich authored
      This commit removes all hard-coded "infix ..", "prefix ..",
      and "mixfix .." from the rest of the code, and handles the
      symbolic notation entirely inside Ident. It does not change
      the notation itself.
      0fea401c
  6. 24 Jun, 2018 2 commits
  7. 17 Jun, 2018 1 commit
    • Andrei Paskevich's avatar
      Vc: handle missing "diverges" in Vc, not in Dexpr · 3e802ac9
      Andrei Paskevich authored
      On a missing "diverges", Vc emits a warning and adds
      a "false" sub-goal at the location of the non-terminating
      loop or function call. The explanation on this sub-goal is
      "termination", but should probably be "termination (failure)".
      
      The "diverges" clase propagates downwards: if it is put on
      the top-level function, there is no need to repeat it on local
      functions or abstract blocks.
      3e802ac9
  8. 01 Jun, 2018 1 commit
  9. 31 May, 2018 2 commits
    • Jean-Christophe Filliâtre's avatar
      new VC to prove well-foundedness of user-provided variants · 4af9081d
      Jean-Christophe Filliâtre authored
      fixes issue #57
      
      a new theory relations.WellFounded is introduced for this purpose
      (and must be imported whenever one wants to make use of a custom
      relation for a variant)
      
      it defines, inductively, a notion of accessibility for a given
      predicate R (x is accessible whenever all elements smaller than x for R
      are alreay accessible)
      
      whenever one has to prove that a variant decreases, a new VC is also
      generated, to show that the old value of the variant is accessible
      for the order relation
      
      note: accessibility being defined inductively, proving well-foundedness
      is out of reach of SMT solvers; but at least this is sound now
      4af9081d
    • Andrei Paskevich's avatar
      Mlw: better locations for modified variables · f4becc27
      Andrei Paskevich authored
      Also, move some model-related labelling from Parser to Vc.
      f4becc27
  10. 16 Apr, 2018 1 commit
  11. 21 Mar, 2018 1 commit
    • Guillaume Melquiond's avatar
      Homogenize constructor names. · 6ef0273e
      Guillaume Melquiond authored
      The pattern-matching construct in the logic is now systematically named
      "Tcase" in constructors (Ptree.Tmatch -> Tcase). The one in the
      programs (supporting exceptions) is now systematically named "Ematch"
      (Expr.Ecase -> Ematch, Dexpr.DEcase -> DEmatch). They are now homogeneous
      with the other constructors: Term.Tcase, Dterm.DTcase, Ptree.Ematch,
      Mltree.Ematch. Smart constructor Expr.e_case was renamed accordingly.
      6ef0273e
  12. 20 Mar, 2018 1 commit
  13. 17 Jan, 2018 1 commit
  14. 14 Dec, 2017 1 commit
  15. 06 Dec, 2017 1 commit
  16. 24 Nov, 2017 1 commit
  17. 20 Nov, 2017 1 commit
  18. 17 Nov, 2017 1 commit
  19. 17 Oct, 2017 1 commit
  20. 22 Jun, 2017 1 commit
    • Andrei Paskevich's avatar
      WhyML: check type invariants · 15fc3d65
      Andrei Paskevich authored
      Type declarations for records (incuding the private records) can
      now be followed by a "witness": a set of values for the record
      fields that must satisfy the type invariant (if any). The fields
      must be initialized with pure terminating program expressions.
      The current syntax, proposed by Martin, is
      
          type t 'a = { f: ty1; g: ty2 }
            invariant { J[f,g] }
            by { f = e1; g = e2 }
      
      The generated proof obligation is the VC for
      
          let g = e2 in let f = e1 in assert { J[f,g] }
      
      In absence of an explicit witness, an existential proof obligation
      "exists f,g. J[f,g]" is produced.
      15fc3d65
  21. 13 Jun, 2017 1 commit
    • Andrei Paskevich's avatar
      WhyML: white-box blocks · 516cfd3a
      Andrei Paskevich authored
      Just as abstract blocks, "white-box blocks" are program expressions
      with an additional contract attached to their execution place.
      Contrary to abstract blocks, whiteboxes do not hide their contents
      from the outer computation. In most cases, you would not need
      whiteboxes at all, as the same effect can be achieved by adding
      assertions. Their utility comes from their syntax: the added
      contract clauses bind to the expression and do not require
      additional semicolons, begin-end's, let-in's or try-with's.
      
      Compare:
      
          let x = <expr> in assert { P x }; x
      to  <expr> ensures { P result }
      or  <expr> returns { x -> P x }
      
          if ... then begin let x = <expr> in assert { P x }; x end; ...
      to  if ... then <expr> ensures { P result }; ...
      
          try <expr> with E x -> assert { P x }; raise E x; end
      to  <expr> raises { E x -> P x }
      
      Internally, whiteboxes are just abstract blocks (zero-argument
      anonymous functions executed in-place) with the label "vc:white_box"
      on top. The user never needs to write this label explicitly though.
      516cfd3a
  22. 11 Jun, 2017 1 commit
  23. 08 Jun, 2017 1 commit
    • Andrei Paskevich's avatar
      Mlw: for-loops over range types · 2f7b69b5
      Andrei Paskevich authored
      In the surface language, the loop index is always int in
      the loop invariant and all annotations and pure terms inside
      the loop. If you want to access the original range-typed index,
      use "let copy_i = i in" in the program code before your assertion.
      Of course, you cannot do that for the loop invariant, which is
      what we want.
      2f7b69b5
  24. 05 Jun, 2017 1 commit
  25. 25 May, 2017 1 commit
  26. 23 May, 2017 2 commits
  27. 22 May, 2017 2 commits
  28. 11 May, 2017 1 commit
    • Andrei Paskevich's avatar
      Pdecl: split type declarations in chunks · b6e2a7b6
      Andrei Paskevich authored
      Refinement code requires private types to reside in
      separate program declarations. So we split type decls
      into chunks where all non-free types are declared
      separately and only constructible (Ddata) types are
      kept together. The code preserves the original order
      wherever possible.
      
      Also, export ls_of_rs and fd_of_rs from Expr: these are
      used everywhere in src/mlw anyway.
      
      Also, remove some range/float-related "assert false".
      b6e2a7b6
  29. 02 May, 2017 3 commits
  30. 01 May, 2017 1 commit