Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Domain axioms not instantiated for all relevant cases #753

Closed
marcoeilers opened this issue Oct 3, 2023 · 3 comments
Closed

Domain axioms not instantiated for all relevant cases #753

marcoeilers opened this issue Oct 3, 2023 · 3 comments

Comments

@marcoeilers
Copy link
Contributor

The following example does not verify in Silicon even though it should:

domain Val  {}

domain WellFoundedOrder[T]  {

  function decreasing(arg1: T, arg2: T): Bool

  function bounded(arg1: T): Bool
}

domain List[V]  {

  function Nil(): List[V]

  function Cons(value: V, tail: List[V]): List[V]

  function get_List_value(t: List[V]): V

  function get_List_tail(t: List[V]): List[V]

  function List_tag(t: List[V]): Int

  axiom {
    (forall value: V, tail: List[V] ::
      { (Cons(value, tail): List[V]) }
      value == (get_List_value((Cons(value, tail): List[V])): V))
  }

  axiom {
    (forall value: V, tail: List[V] ::
      { (Cons(value, tail): List[V]) }
      tail == (get_List_tail((Cons(value, tail): List[V])): List[V]))
  }

  axiom {
    (List_tag((Nil(): List[V])): Int) == 1
  }

  axiom {
    (forall value: V, tail: List[V] ::
      { (Cons(value, tail): List[V]) }
      (List_tag((Cons(value, tail): List[V])): Int) == 0)
  }

  axiom {
    (forall t: List[V] ::
      { (List_tag(t): Int) }
      { (get_List_value(t): V) }
      { (get_List_tail(t): List[V]) }
      (List_tag(t) == 1 && t == (Nil(): List[V])) ||
      (List_tag(t) == 0 && exists v: V, l: List[V] :: t == Cons(v, l))
      //(t == (Cons((get_List_value(t): V), (get_List_tail(t): List[V])): List[V]))
      )
  }
}

domain ListWellFoundedOrder[V]  {

  axiom {
    (bounded((Nil(): List[V])): Bool)
  }

  axiom {
    (forall value: V, tail: List[V] ::
      { (Cons(value, tail): List[V]) }
      (bounded((Cons(value, tail): List[V])): Bool) &&
      (decreasing(tail, (Cons(value, tail): List[V])): Bool))
  }
}

// decreases l
function len(l: List[Val]): Int
  ensures result >= 0
{
  ((List_tag(l): Int) == 1 ? 0 : 1 + len((get_List_tail(l): List[Val])))
}

// decreases l
method len_termination_proof(l: List[Val])
{
  if ((List_tag(l): Int) == 1) {
  } else {
    assert (decreasing((get_List_tail(l): List[Val]), old(l)): Bool) &&
      (bounded(old(l)): Bool)}
}

The issue seems to be that the axioms in ListWellFoundedOrder are not instantiated for type argument Val, even though they obviously need to be.
@mschwerhoff
Copy link
Contributor

Potentially related: #526, #300

@marcoeilers
Copy link
Contributor Author

Ha, funny, I just ran the tests with my fix and saw that this fixes the unexpected output for issue #300. And I tried #526 manually and that fixes it, too. Nice! Thanks for pointing those out!

@marcoeilers marcoeilers mentioned this issue Oct 3, 2023
Merged
@marcoeilers
Copy link
Contributor Author

Fixed in viperproject/silver#742.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mschwerhoff @marcoeilers