1. 06 Oct, 2015 1 commit
  2. 11 Aug, 2015 1 commit
  3. 16 Jul, 2015 1 commit
    • Adding information about the line that corresponds to the VC check · 68b3134d
      David Hauzar authored
      to the counter-example model.
      This line must be marked with the label "model_vc".
      If VC line is postcondition, it can be marked with the label
      "model_func" or "model_func:func_name". Terms corresponding to
      old values of arguments will be marked with @old, term corresponding
      to the function result will be marked with @result or
      func_name@result if func_name was given.
      Pretty printing of model element names in counter-example.
      Possibility to print differently model elements corresponding to
      function result, old values of function arguments and other model
  4. 18 Jun, 2015 1 commit
  5. 27 Apr, 2015 1 commit
  6. 21 Mar, 2015 1 commit
  7. 20 Mar, 2015 1 commit
  8. 19 Mar, 2015 1 commit
  9. 05 Jan, 2015 1 commit
  10. 25 Oct, 2014 1 commit
  11. 22 Oct, 2014 1 commit
  12. 20 Sep, 2014 2 commits
  13. 07 Apr, 2014 1 commit
  14. 14 Mar, 2014 1 commit
  15. 05 Mar, 2014 1 commit
  16. 17 Feb, 2014 1 commit
  17. 16 Feb, 2014 1 commit
  18. 14 Feb, 2014 3 commits
    • WhyML: change the syntax of "abstract" · 4fd8b24d
      Andrei Paskevich authored
      The old syntax:   abstract expr [spec]...
      The semicolon binds more loosely than "abstract" and
      the specification clauses are optional, so that
      "abstract e1; e2" is the same as "(abstract e1); e2"
      and "abstract e1; e2; ensures {...}" is a syntax error.
      The new syntax:   abstract [spec]... expr end
      This allows putting sequences of expressions under "abstract"
      without ambiguity and moves the specification clauses to the
      beginning. In other words, "abstract" becomes a "begin" with
      a specification attached. The spec-at-the-top is consistent
      with the syntax of functions and the whole seems to be more
      natural for the intended use of "abstract" (a logical cut).
    • WhyML: admit terminating semi-colons when there is no ambiguity · e66e2a3f
      Andrei Paskevich authored
        begin ... expr; end
        let fn x y = ... expr ; in ...
        match ... with pat -> ... expr ; | pat -> ... expr ; end
      In this way, it's much easier to add and remove additional
      assertions at the end of ()-typed blocks.
  19. 12 Feb, 2014 1 commit
  20. 20 Jan, 2014 1 commit
    • WhyML: add "diverges", "reads {}", and "writes {}" effect clauses · 83858597
      Andrei Paskevich authored
      - "diverges" states that the computation may not terminate (which
        does not mean that it always diverges: just as any other effect
        annotation, this clause states a possibility of a side effect).
      - "reads {}" states that the computation does not access any variable
        except those that are listed elsewhere in the specification (or the
        proper function arguments, if "reads" is in a function spec).
      - "writes {}" states that the computation does not modify any mutable
      - If a function definition or an abstract computation may diverge,
        but there is no "diverges" clause in the specification, a warning
        is produced. If a function definition or an abstract computation
        always terminates, but there is a "diverges" clause in the spec,
        an error is produced.
      - If there is a "reads" or a "writes" clause in a function definition
        or an abstract computation, then every modified value must be listed
        in "writes" and every accessed external variable not mentioned in
        the spec must be listed in "reads". (Notice that this is a stricter
        requirement than before, when the presence of a "writes" clause
        did not require specifying "reads".) However, one does not have to
        write "reads {}" or "writes {}" if the corresponding lists are empty.
  21. 24 Nov, 2013 1 commit
  22. 22 Nov, 2013 1 commit
    • WhyML: introduce "val ... in ..." construction · 7ecd3139
      Andrei Paskevich authored
      This is syntactic sugar for higher-order "any", for which
      I can't find a reasonably unambiguous syntax. One can write
        val x : int <spec> in <expr>
        val f (x : int) : int <spec> in <expr>
        val f <spec> (x : int) : int <spec> in <expr>
      for a function which is created via some effectful computation.
      This is a generalized form of top-level "val" which only admits
      latent effects (as in the second form above).
  23. 20 Nov, 2013 2 commits
  24. 19 Nov, 2013 4 commits
  25. 27 Oct, 2013 1 commit
    • accept untyped variables under quantifiers · 02fcd207
      Andrei Paskevich authored
      It is a matter of ongoing discussion how much type information we
      require from the user for the sake of readability of specification.
      Since types of quantified variables are an important part of axioms
      and lemmas, we required them for the same reason we require the
      full prototypes for functions and predicates. However, when we
      typecheck program annotations, explicit types in quantifiers may
      quickly become an annoyance. Let's say, we define a polymorphic
      function "fn":
        let fn x y
          requires { forall z:'a. ... -> z = x }
        = ...
      Since in programs we [are going to] accept implicit type variables,
      the user may omit the types of "x" and "y", and they will be inferred
      by the typechecker. Now, if we are obliged to write the type of "z"
      in the postcondition, we cannot simply write 'a, because it will not
      unify with the implicit type of "x" (remember that programs are typed
      independently of specs). So, if we write the type of "z", we also have
      to write the type of "x". This is annoying and may even lead to errors
      if, by mistake, the user chooses 'a for the type of "x" and thus
      freezes 'a in all function definitions in "fn" while they were
      polymorphic in 'a till then.
      For this reason, it seems reasonable to accept untyped variables
      under quantifiers (DISCUSS: should we accept them only in specs?).
      However, we still require type variables in logic to be explicitly
      named (unless they come from the program, then they are accepted),
      and thus polymorphic axioms and lemmas would still have to have
      the explicitly typed quantified variables.
  26. 19 Oct, 2013 1 commit
    • switch Typing to the new Dterm-based API · 460e93f8
      Andrei Paskevich authored
      - Make [Highord.pred 'a] an alias for [Highord.func 'a bool],
      rename [Highord.(@!)] to [(@)], remove [Highord.(@?)], remove
      the quantifiers [\!] and [\?] and only leave [\] which is the
      only true lambda now;
      - Allow mixing bool and Prop in logic, Dterm will introduce
      coercions where necessary (trying to minimize the number of
      if-then-else in the term context).
  27. 27 May, 2013 1 commit
  28. 25 Apr, 2013 1 commit
    • whyml episode VI: the return of read effects · b4caa997
      Andrei Paskevich authored
      By popular demand, read effects are back. They serve to mark dependence
      of a program function on external variables which are otherwise not
      mentioned in the function's specification. Such annotation is necessary,
      for example, to add the needed type invariants.
      The "reads" clauses are comma-separated variables (contrary to write
      effects, where one must point out the modified field).
      If a user specifies a "reads" clause for a defined function, we check
      that every listed variable occurs in the code and that every free
      variable in the code occurs in the specification (which includes the
      "reads" clause). Notice that this concerns function arguments, too:
        val r : ref int
        let f (x : ref int) reads {r} = x := !r
      would require x to be added to reads.
  29. 07 Apr, 2013 1 commit
  30. 06 Apr, 2013 1 commit
  31. 23 Mar, 2013 1 commit
  32. 22 Mar, 2013 1 commit
    • lemma functions · 3a716828
      Jean-Christophe Filliâtre authored
      a lemma function is introduced with 'let lemma f' or 'let rec lemma f'
      it is a ghost function
      it must have return type unit and read-only effects
      it introduces a goal (its WP), followed by an axiom
        forall args/reads, precondition => postcondition
  33. 06 Mar, 2013 1 commit