type t = {
v: int;
} invariant { 0 <= v }
```
It is currently not possible to prove that:
```
forall x1 x2:t. x1.v = x2.v -> x1 = x2
```
Which is compiled to:
```
forall x1 x2:t. (view x1).v = (view x2).v -> x1 = x2
```
We need to add the property that `view` is injective, for example using `mk` its inverse:
```
forall x:t [view x]. mk (view x) = x
Currently:
```
type t = { f1: ...; f2: ... } invariant { ... } by { f1 = ...; f2 = ...}
```
proposed:
```
type t = { ... } invariant { ... } by e
```
where all leaf of `e` in result position have the shape `{ f1 = ...; f2 = ...}`
The implementation:
- parsing e as an expression
- typing check that all the leaf define all the fields of the record, and translate the leaf into a tuple in the order of the field definition. So the witness is well-typed and doesn't use the defined type.
- check the properties on e
The properties on e checked, currently (not complete, nor correct?):
- no side effect
- pure
Using split_all_full on goals containing the ieee_float theory can result in out of memory (see attached file [b.mlw](/uploads/777dac8832951acc1eacf6a489be58ba/b.mlw) ). Most likely, on the hypothesis fma_special, the negative monoid generated by split_core grows exponentially (which eventually eat all available memory).
I encountered this problem when launching the strategy "1" (problem which should be solved by #282).
This issue is to keep track of discussions.
The question is the following. On why3 0.88, it was possible to add attributes to the program in order to retrieve them later in goals. This behaviour disappeared: it seems to be needed by SPARK for tracability of goals (goals A contains stuff that originate from this and that part of the code).
```
module Test
use int.Int
type d = {mutable contents: int; mutable useless: int}
let f c
ensures { c.contents = 1 }
= (*[@vc_sp]*)
c.contents <- 2;
[@This disappears] (c.contents <- 3);
c.contents <- 4
end
```
Copying potentially interested persons: @paskevyc @marche
> Yes, the semantics changed in version 2.6 [0]. `(bvurem s t)` returns `s` if `t` is zero (before, the value was a fresh constant). CVC4 automatically chooses the semantics that matches the SMT-LIB version. You can manually toggle the behavior with --(no-)bv-div-zero-const (enabling the flag corresponds to the 2.6 version, disabling to earlier versions). If your problems only use QF_BV, you can also improve performance by compiling CVC4 with support for CaDiCaL (run the `contrib/get-cadical` script, then configure with `--cadical`) and then using the flags `--bitblast=eager --bv-sat-solver=cadical` (eager bitblasting and using CaDiCaL as the SAT solver).
Is that possible that we now need to add the option "--(no-)bv-div-zero-const" to the smt-lib provers using 2.6 ? It seems to help SPARK users.
Additional question:
Will there be a problem with the following axiom because urem seems to be linked to bvurem by smt-lib drivers ? (axioms about "mod ?x 0" do not seem to exist so I guess it is ok unless mod is also mapped by a driver?)
```
val function urem (v1 v2 : t) : t
axiom to_uint_urem:
forall v1 v2. to_uint (urem v1 v2) = mod (to_uint v1) (to_uint v2)
```
module Test
use int.Int
type d = {mutable contents: int; mutable useless: int}
let f c
ensures { c.contents = 1 }
= (*[@vc_sp]*)
c.contents <- 2
end
```
module FF
use real.Truncate
use real.RealInfix
use int.Int
lemma floor: forall x. x <. 1. -> floor x = 0
(* x = 0.0 *)
end
```
`automake: warning: autoconf input should be named 'configure.ac', not 'configure.in'
configure.in: error: no proper invocation of AM_INIT_AUTOMAKE was found.
configure.in: You should verify that configure.in invokes AM_INIT_AUTOMAKE,
configure.in: that aclocal.m4 is present in the top-level directory,
configure.in: and that aclocal.m4 was recently regenerated (using aclocal)
configure.in:171: installing './install-sh'
automake: error: no 'Makefile.am' found for any configure output`
I am trying to make a Dockerfile for Why3, and this is preventing the build process to carry on.
I found a way to ignore the error (appending `; exit 0` behind the command) but it seems very dirty).
This error is not blocking (after running the command, the other steps run properly) but it seems that there you be a better way to handle this ...
* [ ] bug in the task for location of terms which are dereferenced with "!" -> records.mlw ? #344
* [ ] Solve problems with polymorphism ? How ?
* [x] Write the docs ( #237 is related)
* [ ] issue #252
* [ ] Interface:
* [ ] Add a boolean in proofattempt result to indicate if counterexamples can be launched on proofattempt
* [ ] Change the status image in the ide to show that counterexamples can be queried* [ ] Solve bugs in ce Why3:
* [ ] bug in the task for location of terms which are dereferenced with "!" -> records.mlw ? #344
* [ ] Solve problems with polymorphism ? How ?
* [x] Write the docs ( #237 is related)
* [ ] issue #252
* [ ] Interface:
* [ ] Add a boolean in proofattempt result to indicate if counterexamples can be launched on proofattempt
* [ ] Change the status image in the ide to show that counterexamples can be queriedDAILLER SylvainDAILLER Sylvainhttps://gitlab.inria.fr/why3/why3/issues/252Check counterexamples benchmark2019-06-25T14:59:04ZDAILLER SylvainCheck counterexamples benchmarkThis is the list of examples for counterexamples that needs to be checked for good counterexamples:
val swap (t : array int) (i j : int): unit
requires { 0 <= i < length t /\ 0 <= j < length t }
ensures { t = (old t)[i <- old t[j]][j <- old t[i]] }
```
It would be good to have a way in the surface language to express and enforce that such a module is not meant to be actually used. Proposed syntax: `use ghost int.Int`. This would also make the extraction a lot less adhoc with respect to these modules.
A possible implementation would be to flag the corresponding scopes as being restricted. Any symbol accessed through such a scope would be forbidden to occur in non-ghost code. The change in `Why3extract.use_fold` would be trivial.
Open questions:
- what if the user do both `use` and `use ghost`?
```
Goal forall P Q, (forall x y, P x y -> Q) -> P 3 4 -> Q.
intros P Q H H1.
apply H with (1:=H1).
```
We could imagine:
`apply H with_hyp H1`
```
use int.Int
use int.MinMax
use ref.Ref
let f3 (a b : ref int) (c d: int)
requires { c < d }
ensures { result = min c d /\ !b = 22 }
=
a :=
(fun () -> if c < d then
(b := 4; c)
else
d) (* Here we should probably add a postcondition *) ();
!a + !b
I don't know if I already opened an issue for this but there should be locations for ident generated by the sp_expr function in vc.ml. In this part of the code, I would like the None locations to be replaced by the appropriate locations:
```
let fresh_wr2 v _ = clone_pv None v in
let fresh_rd2 v _ = if v.pv_ity.ity_pure then None
else Some (clone_pv None v) in
```
This is apparently possible to do by adding a location to constructor Kseq and then propagating it.
The file ieee_float.mlw contains a number of `TODO` related to `axiom .` lines. Are the corresponding axioms going to change in the future ? Are they going to be kept as axioms ?Hello,
The file ieee_float.mlw contains a number of `TODO` related to `axiom .` lines. Are the corresponding axioms going to change in the future ? Are they going to be kept as axioms ?https://gitlab.inria.fr/why3/why3/issues/222syntax function in extraction drivers2019-05-21T09:26:54ZJean-Christophe Filliâtresyntax function in extraction driversSince 1.0.0, it makes no sense to use "syntax function" in extraction drivers. It should be "syntax val" instead.Since 1.0.0, it makes no sense to use "syntax function" in extraction drivers. It should be "syntax val" instead.PARREIRA PEREIRA Mário JoséPARREIRA PEREIRA Mário Joséhttps://gitlab.inria.fr/why3/why3/issues/215Extraction des foncteurs2018-10-19T14:55:13ZFrançois BobotExtraction des foncteursLes clones et l'extraction vers les foncteurs sont expérimentales. Pour les utilisateurs expert on pourrait essayer d'ajouter des exemples. On pourrait également réfléchir a ajouter des constructions dans les drivers pour simplifier l'extraction des modules (juste "module M va vers module N") et foncteurs (juste "c'est un foncteur avec ce mapping des arguments").
