-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug in proofs #279
Comments
Leon verification is only sound modulo termination.
If you run your example through the termination checker (--termination
argument),
it will give you an input to a or b that introduces non-termination.
Cheers,
Nicolas
…On 09. 12. 16 17:13, Baptiste Lepers wrote:
Pretty serious bug, or did I miss something?
import leon.collection._
import leon.lang._
import scala.Any
object Scheduler {
def a(i:BigInt):BigInt = {
i- 1;
} ensuring(res=> b(i)&& res== 2)
def b(i:BigInt): Boolean = {
val c = a(i);
(i== 1)==> (c== 0)
}.holds
}
(This code verifies on b3ad5fc
<b3ad5fc>,
but shoudn't because a doesn't always return 2...)
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#279>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADKzhG5yPfrcvdoETeKQjET44vCebWEpks5rGX4-gaJpZM4LJGKZ>.
|
Strangely enough the Isabelle solver thinks |
Ok... Would it be possible to give an error in that case? It is a bit strange to see that this code passes verification :) |
Well, detecting non-termination and/or proving termination can be quite
expensive (typically much more so than verification).
The extra wait time would probably be a significant pain in verification
efforts.
Maybe it would be useful to run a dumbed-down and faster version of the
termination checker to try to
detect potential non-termination, but in practice you would probably get
lots of spurious false positives or
miss real cases of non-termination.
We would need a set of "concrete" benchmarks where verification was hurt
because of non-termination to
determine what checks we should be running.
@Lars: this is pretty weird. What kind of operational semantics does
Isabelle use for this case? Does the example pass verification too?
Cheers,
Nicolas
…On 09. 12. 16 17:29, Baptiste Lepers wrote:
Ok... Would it be possible to give an error in that case? It is a bit
strange to see that this code passes verification :)
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#279 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADKzhEHMpRCkTXppFS571BIqYKpwhUr0ks5rGYHtgaJpZM4LJGKZ>.
|
It turns out my assessment was wrong. Here's what Isabelle sees: fun a :: "int ⇒ int" and b :: "int ⇒ bool" where
"a i = i - 1" |
"b i = (i = 1 ⟶ a i = 0)" Hence, the function definitions themselves are definitely terminating, because there is no call to |
In essence, the question is: How do you deal with pre- and postconditions introducing complications in the call graph? |
By the way, the Isabelle backend is supposed to always give sound results even without |
I think that @BLepers is not specifically talking about the Isabelle back end. Termination checker should be on by default and turning it off explicitly should be allowed but known to cause soundness issues if the functions are not terminating. @BLepers , let us know what termination checker reports and if it is too weak in some cases. |
The termination checker says that a does not finish:
So I guess it makes sense that the verification phase is not sound for that example (even though it should probably fail by default as Viktor said because errors like that can easily be made). What I find a bit confusing in that example is that a() never "really" calls b(). I.e., if you run the applicative code without the "ensuring", there is no infinite loop. (Basically I just tried to separate a bit the proof logic - b() - and the applicative code - a()). |
The guarantee Leon is giving you when it says "valid" is that if you run the code, every time you encounter a contract, it won't evaluate to Note that with termination (and a few other checks that guarantee the program won't crash), never evaluating to |
Pretty serious bug, or did I miss something?
(This code verifies on b3ad5fc, but shoudn't because a doesn't always return 2...)
The text was updated successfully, but these errors were encountered: