 28 Sep, 2018 1 commit


Raphael RieuHelft authored
Program functions can be declared as partial with "let/val partial". Similarly to "diverges", partial code cannot be ghost, however it does not need to be explicitly specified as partial. Fixes #184.

 21 Sep, 2018 2 commits


Andrei Paskevich authored

Andrei Paskevich authored

 13 Sep, 2018 4 commits


Guillaume Melquiond authored
This reverts commit ce0b3584. Counterexample: predicate rev (x y:int) = x <= 1 /\ x > y let rec function f1 () : () variant { 0, 1, 0 } = f2 () with f2 () : () variant { 0, 0, 1 } = f3 () with f3 () : () variant { 0, 0 with rev, 0 } = f4 () with f4 () : () variant { 0, 1 with rev, 1 } = f1 ()

Andrei Paskevich authored

Andrei Paskevich authored

Guillaume Melquiond authored

 12 Sep, 2018 1 commit


Guillaume Melquiond authored
1. better handle the equality case, which is the reason for using a lexicographic order in the first place; 2. implement a proper lexicographic order, i.e., make (a,b) smaller than (a,b,c). As a consequence of these two changes, in the following example, the VC for f goes from (0 <= x /\ x < x) to true: let rec f (x y : int) : int variant { x, () } = g x y with g (x y : int) : int variant { x } = f (x1) y

 07 Jul, 2018 1 commit


Andrei Paskevich authored
This commit removes all hardcoded "infix ..", "prefix ..", and "mixfix .." from the rest of the code, and handles the symbolic notation entirely inside Ident. It does not change the notation itself.

 24 Jun, 2018 2 commits


Andrei Paskevich authored

Guillaume Melquiond authored

 17 Jun, 2018 1 commit


Andrei Paskevich authored
On a missing "diverges", Vc emits a warning and adds a "false" subgoal at the location of the nonterminating loop or function call. The explanation on this subgoal is "termination", but should probably be "termination (failure)". The "diverges" clase propagates downwards: if it is put on the toplevel function, there is no need to repeat it on local functions or abstract blocks.

 01 Jun, 2018 1 commit


Andrei Paskevich authored

 31 May, 2018 2 commits


JeanChristophe Filliâtre authored
fixes issue #57 a new theory relations.WellFounded is introduced for this purpose (and must be imported whenever one wants to make use of a custom relation for a variant) it defines, inductively, a notion of accessibility for a given predicate R (x is accessible whenever all elements smaller than x for R are alreay accessible) whenever one has to prove that a variant decreases, a new VC is also generated, to show that the old value of the variant is accessible for the order relation note: accessibility being defined inductively, proving wellfoundedness is out of reach of SMT solvers; but at least this is sound now

Andrei Paskevich authored
Also, move some modelrelated labelling from Parser to Vc.

 16 Apr, 2018 1 commit


Andrei Paskevich authored
This is the most sensible way to recognize that we are looking at a recursive function call, and we need that in Vc, even if there is no actual variant to check, in order to rename the oldies in Eexec.

 21 Mar, 2018 1 commit


Guillaume Melquiond authored
The patternmatching construct in the logic is now systematically named "Tcase" in constructors (Ptree.Tmatch > Tcase). The one in the programs (supporting exceptions) is now systematically named "Ematch" (Expr.Ecase > Ematch, Dexpr.DEcase > DEmatch). They are now homogeneous with the other constructors: Term.Tcase, Dterm.DTcase, Ptree.Ematch, Mltree.Ematch. Smart constructor Expr.e_case was renamed accordingly.

 20 Mar, 2018 1 commit


Andrei Paskevich authored

 17 Jan, 2018 1 commit


Guillaume Melquiond authored

 14 Dec, 2017 1 commit


Guillaume Melquiond authored

 06 Dec, 2017 1 commit


Andrei Paskevich authored

 24 Nov, 2017 1 commit


Andrei Paskevich authored

 20 Nov, 2017 1 commit


Andrei Paskevich authored

 17 Nov, 2017 1 commit


Andrei Paskevich authored

 17 Oct, 2017 1 commit


Guillaume Melquiond authored

 22 Jun, 2017 1 commit


Andrei Paskevich authored
Type declarations for records (incuding the private records) can now be followed by a "witness": a set of values for the record fields that must satisfy the type invariant (if any). The fields must be initialized with pure terminating program expressions. The current syntax, proposed by Martin, is type t 'a = { f: ty1; g: ty2 } invariant { J[f,g] } by { f = e1; g = e2 } The generated proof obligation is the VC for let g = e2 in let f = e1 in assert { J[f,g] } In absence of an explicit witness, an existential proof obligation "exists f,g. J[f,g]" is produced.

 13 Jun, 2017 1 commit


Andrei Paskevich authored
Just as abstract blocks, "whitebox blocks" are program expressions with an additional contract attached to their execution place. Contrary to abstract blocks, whiteboxes do not hide their contents from the outer computation. In most cases, you would not need whiteboxes at all, as the same effect can be achieved by adding assertions. Their utility comes from their syntax: the added contract clauses bind to the expression and do not require additional semicolons, beginend's, letin's or trywith's. Compare: let x = <expr> in assert { P x }; x to <expr> ensures { P result } or <expr> returns { x > P x } if ... then begin let x = <expr> in assert { P x }; x end; ... to if ... then <expr> ensures { P result }; ... try <expr> with E x > assert { P x }; raise E x; end to <expr> raises { E x > P x } Internally, whiteboxes are just abstract blocks (zeroargument anonymous functions executed inplace) with the label "vc:white_box" on top. The user never needs to write this label explicitly though.

 11 Jun, 2017 1 commit


Andrei Paskevich authored

 08 Jun, 2017 1 commit


Andrei Paskevich authored
In the surface language, the loop index is always int in the loop invariant and all annotations and pure terms inside the loop. If you want to access the original rangetyped index, use "let copy_i = i in" in the program code before your assertion. Of course, you cannot do that for the loop invariant, which is what we want.

 05 Jun, 2017 1 commit


Andrei Paskevich authored

 25 May, 2017 1 commit


Andrei Paskevich authored
We cannot split ite's and matches created in this way, and it is hard to control how much goes into them. Try for now to only convert boolvalued ite's.

 23 May, 2017 2 commits


Andrei Paskevich authored

Andrei Paskevich authored

 22 May, 2017 2 commits


Andrei Paskevich authored
Instead, we put a "stop_split" over the subsequent postcondition under the (begin > end + 1) assumption. When this assumption is unrealizable (strict for), this allows us to discharge the whole branch as a single goal.

Andrei Paskevich authored
We will want to use stop_split higher in the VC formulas.

 11 May, 2017 1 commit


Andrei Paskevich authored
Refinement code requires private types to reside in separate program declarations. So we split type decls into chunks where all nonfree types are declared separately and only constructible (Ddata) types are kept together. The code preserves the original order wherever possible. Also, export ls_of_rs and fd_of_rs from Expr: these are used everywhere in src/mlw anyway. Also, remove some range/floatrelated "assert false".

 02 May, 2017 3 commits


Andrei Paskevich authored

Andrei Paskevich authored

Andrei Paskevich authored

 01 May, 2017 1 commit


Andrei Paskevich authored
