Skip to content

Commit

Permalink
translate dafny chain of thought prompt to verus
Browse files Browse the repository at this point in the history
  • Loading branch information
edwin1729 authored and WeetHet committed Sep 25, 2024
1 parent a98556a commit f3e3593
Show file tree
Hide file tree
Showing 9 changed files with 166 additions and 0 deletions.
10 changes: 10 additions & 0 deletions prompts/humaneval-verus-cot/steps/001/examples/001/answer.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
Let's go function by function. The first function, `sum` is a specification as it is declared with the `spec` keyword. It does not have a specification, as can be seen by the absence of either a `requires` or `ensures` clause, which are infact disallowed for `spec` functions. Note also the `decreases` clause indicating this is a recursive function. Let's consider, what it can be step by step. We can see that the aruguments to this function are a sequence of `u32` integers. We can see that the function returns an `int`. We can conclude that the function does some accumulation of integers from the sequence. Looking at the body, we can see that the function takes the first element of the sequence and adds it to the accumulated result of evaluating the `sum` function on the rest of the sequence. This means the function is a specification for the sum of the elements of the sequence.

Next, we have the `sum_prop` lemma. Considering it's specification, we can see that it requires a non-empty sequence of integers, as seen by the `requires s.len() > 0` clause. Looking at the ensures clause, we can see that the lemma ensures that the sum of the sequence (as computed by the `sum` function) is equal to the sum of the elements of the sequence without the last element, plus that last element. This is important to prove, because the sum function drops the first element and thus it is not obvious for the prover that the last element can be dropped in the same way.

Finally, we have the `sum_loop` method. This method has a specification, as indicated by the `ensures` clause. The return value is an `Option` type. The specification states that if `Some` is returned `s.unwrap()` should be equal to the sum of the input sequence `numbers`, as computed by the `sum` function, as seen by `s.unwrap() == sum(numbers@)` in the `ensures` clause.

In summary:
1. The `sum` function is itself a specification for computing the sum of a sequence of integers.
2. The `sum_prop` lemma has a specification that proves a property about the `sum` function.
3. The `sum_loop` method has a specification that ensures it correctly computes the sum of a sequence of integers, matching the result of the `sum` function.
38 changes: 38 additions & 0 deletions prompts/humaneval-verus-cot/steps/001/examples/001/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
Given the following program, for each function, determine if it has a specification. If it does not, is it itself a specification? If it is a specification, what does it specify?
```verus
spec fn sum(s: Seq<u32>) -> int
decreases s.len()
{
if s.len() == 0 { 0 } else { s[0] + sum(s.subrange(1, s.len() as int)) }
}

proof fn sum_prop(s: Seq<u32>)
requires s.len() > 0,
ensures sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1],
decreases s.len(),
{
if s.len() > 1 {
sum_prop(s.subrange(1, s.len() as int));
assert (s.subrange(0, s.len() - 1).drop_first() == s.subrange(1, s.len() as int).drop_last());
assert(s[0] + sum(s.subrange(0, s.len() - 1).drop_first()) + s[s.len() - 1] == sum(s));
} else {
assert (sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1]) by {
assert (sum(s) == s[0] + sum(s.subrange(1, s.len() as int)));
}
}
}

fn sum_loop(numbers: &Vec<u32>) -> (s: Option<u32>)
ensures s.is_some() ==> s.unwrap() == sum(numbers@),
{
let mut s: u32 = 0;
let mut i = 0;
while i < numbers.len()
{
s = s.checked_add(numbers[i])?;

i += 1;
}
Some(s)
}
```
5 changes: 5 additions & 0 deletions prompts/humaneval-verus-cot/steps/001/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Given the following program, for each function, determine if it has a specification. If it does not, is it itself a specification? If it is a specification, what does it specify?

```verus
{program}
```
6 changes: 6 additions & 0 deletions prompts/humaneval-verus-cot/steps/002/examples/001/answer.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
We know that `spec` and `proof` functions cannot have loops. Since `sum` is a `spec` function and `sum_prop` is a `proof` function, they have no loops.
Now, let's examine the 'sum_loop' method. This method contains a while loop that iterates through the elements of the 'numbers' sequence. The loop starts with 's' and 'i' initialized to 0, and continues as long as 'i' is less than the length of 'numbers'. Let's try to understand what 's' and 'i' represent in this context.

Looking at the body of the loop, we can see that it adds the current element of 'numbers' to 's'. This means that 's' is the running sum of the elements in 'numbers', namely 's = sum([email protected](0, i as int))'. 'i' is easier to analyze. It is the index of the current element being processed. In each iteration of the loop, 'i' is incremented by 1, so 'i' represents the index of the next element to be processed.

Each iteration of the loop adds the current element to 's' after checking for overflow. If there is overflow `None` is returned using the shorthand `?` operator. Then 'i' is incremented to move to the next element. This process continues until 'i' reaches the length of 'numbers', at which point the loop terminates and 's' holds the final sum of the elements in 'numbers'.
39 changes: 39 additions & 0 deletions prompts/humaneval-verus-cot/steps/002/examples/001/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
Now we are finished with the specifications. Let's move onto the loops.
Given the following program, for each function, determine if it has loops. If it does, try to determine what the loop does in detail. Go through all your thinking and reasoning process step by step.
```verus
spec fn sum(s: Seq<u32>) -> int
decreases s.len()
{
if s.len() == 0 { 0 } else { s[0] + sum(s.subrange(1, s.len() as int)) }
}

proof fn sum_prop(s: Seq<u32>)
requires s.len() > 0,
ensures sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1],
decreases s.len(),
{
if s.len() > 1 {
sum_prop(s.subrange(1, s.len() as int));
assert (s.subrange(0, s.len() - 1).drop_first() == s.subrange(1, s.len() as int).drop_last());
assert(s[0] + sum(s.subrange(0, s.len() - 1).drop_first()) + s[s.len() - 1] == sum(s));
} else {
assert (sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1]) by {
assert (sum(s) == s[0] + sum(s.subrange(1, s.len() as int)));
}
}
}

fn sum_loop(numbers: &Vec<u32>) -> (s: Option<u32>)
ensures s.is_some() ==> s.unwrap() == sum(numbers@),
{
let mut s: u32 = 0;
let mut i = 0;
while i < numbers.len()
{
s = s.checked_add(numbers[i])?;

i += 1;
}
Some(s)
}
```
4 changes: 4 additions & 0 deletions prompts/humaneval-verus-cot/steps/002/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
Given the following program, for each function, determine if it has loops. If it does, try to determine what the loop does in detail. Go through all your thinking and reasoning process step by step.
```verus
{program}
```
22 changes: 22 additions & 0 deletions prompts/humaneval-verus-cot/steps/003/examples/001/answer.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
As we've seen, the loop in the `sum_loop` function goes over the elements of the array `numbers` and adds them to the `s` variable, which is equal to the `sum([email protected](0, i as int))` for all `i`, such that `0 <= i <= [email protected]()`. This means that during the execution of the loop the following invariant holds:
1. `0 <= i <= [email protected]()`
2. `s == sum([email protected](i as int))`

The second invariant might be a bit difficult to prove, as it adds the last element of the array to the sum, while, as I've said before, the `sum` function is defined as `sum(a) == a[0] + sum(a.subrange(1, a.len() - 1))`. However, as we've seen, it's possible to use the `sum_prop` function to prove that this invariant holds.
Let's work out how to use it. If applied to the `[email protected](0, i + 1)`, we get:
`sum([email protected](0, i + 1)) == sum([email protected](0, i + 1).subrange(0, i as int)) + numbers@[i as int]`. It might be difficult for verus to prove that `sum([email protected](0, i + 1).subrange(0, i as int)) == sum([email protected](0, i as int))`, so I'd suggest adding an assertion before calling `sum_prop` to make sure that this is the case, namely `assert ([email protected](0, i + 1).subrange(0, i as int) == [email protected](0, i as int))`.
A lemma can only be used inside a proof block and can also add the assertions in this block. So, to use the `sum_prop`, I'd suggest the following code:
```
proof {
assert ([email protected](0, i + 1).subrange(0, i as int) == [email protected](0, i as int));
sum_prop([email protected](0, i + 1));
assert(sum([email protected](0, i + 1)) == sum([email protected](0, i + 1).subrange(0, i as int)) + numbers@[i as int]);
}
```

After the end of the loop we know that `i == [email protected]()` from the first invariant and loop condition `i < numbers.len()` being false. Applying this to the second invaraint we deduce `s == sum([email protected](0, [email protected]() as int)). But in order to prove the postcondition, we need to let verus know that this `[email protected](0, [email protected]() as int)` is the entire sequence `numbers@`. So i suggest adding this after the end of the loop
```
assert([email protected](0, numbers.len() as int) == numbers@);
```

In conclusion, we can say that two invariants hold and the second one could be proved using the `sum_prop` function.
38 changes: 38 additions & 0 deletions prompts/humaneval-verus-cot/steps/003/examples/001/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
As we've already analyzed the specifications and the loops, it's time to try to analyze what invariants and patterns hold during the execution of the program. Go over the found loops in the following program in the code and try to find out what invariants and patterns they hold. Go through all your thinking and reasoning process step by step.
```verus
spec fn sum(s: Seq<u32>) -> int
decreases s.len()
{
if s.len() == 0 { 0 } else { s[0] + sum(s.subrange(1, s.len() as int)) }
}

proof fn sum_prop(s: Seq<u32>)
requires s.len() > 0,
ensures sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1],
decreases s.len(),
{
if s.len() > 1 {
sum_prop(s.subrange(1, s.len() as int));
assert (s.subrange(0, s.len() - 1).drop_first() == s.subrange(1, s.len() as int).drop_last());
assert(s[0] + sum(s.subrange(0, s.len() - 1).drop_first()) + s[s.len() - 1] == sum(s));
} else {
assert (sum(s) == sum(s.subrange(0, s.len() - 1)) + s[s.len() - 1]) by {
assert (sum(s) == s[0] + sum(s.subrange(1, s.len() as int)));
}
}
}

fn sum_loop(numbers: &Vec<u32>) -> (s: Option<u32>)
ensures s.is_some() ==> s.unwrap() == sum(numbers@),
{
let mut s: u32 = 0;
let mut i = 0;
while i < numbers.len()
{
s = s.checked_add(numbers[i])?;

i += 1;
}
Some(s)
}
```
4 changes: 4 additions & 0 deletions prompts/humaneval-verus-cot/steps/003/question.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
As we've already analyzed the specifications and the loops, it's time to try to analyze what invariants and patterns hold during the execution of the program. Go over the found loops in the following program in the code and try to find out what invariants and patterns they hold. Go through all your thinking and reasoning process step by step.
```verus
{program}
```

0 comments on commit f3e3593

Please sign in to comment.