Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
I
inox
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
LARA
inox
Commits
a037dff0
Commit
a037dff0
authored
10 years ago
by
Regis Blanc
Browse files
Options
Downloads
Patches
Plain Diff
explain leon postcondition verification
parent
1820ce4f
No related branches found
No related tags found
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
doc/verification.rst
+36
-6
36 additions, 6 deletions
doc/verification.rst
with
36 additions
and
6 deletions
doc/verification.rst
+
36
−
6
View file @
a037dff0
...
...
@@ -51,16 +51,46 @@ Formally, we consider a function
def f(x: A): B = {
require(prec)
body
} ensuring(r
es
=> post)
} ensuring(r => post)
where, ``prec`` is a boolean expression with free variables contained in
``{x}``, and ``post`` is a boolean expression with free variables contained in
``{x, res}``. The types of ``x`` and ``res`` are respectively ``A`` and ``B``.
where, :math:`\mbox{prec}(x)` is a boolean expression with free variables
contained in :math:`\{ x \}`, :math:`\mbox{body}(x)` is a boolean expression with
free variables contained in :math:`\{ x \}` and :math:`\mbox{post}(x, r)` is a
boolean expression with free variables contained in :math:`\{ x, r \}`. The
types of :math:`x` and :math:`r` are respectively ``A`` and ``B``. We write
:math:`\mbox{expr}(a)` to mean the substitution in :math:`\mbox{expr}` of its
free variable by :math:`a`.
Leon attempts to prove the following theorem:
::
forall x, prec(x) implies post(body(x), x)
.. math::
\forall x. \mbox{prec}(x) \implies \mbox{post}(x, \mbox{body}(x))
If Leon is able to prove the above theorem, it returns ``valid`` for the
function ``f``. This gives you a guarantee that the function ``f`` is correct
with respect to its contract.
However, if the theorem is not valid, Leon will return a counterexample to the
theorem. The negation of the theorem is:
.. math::
\exists x. \mbox{prec}(x) \land \neg \mbox{post}(x, \mbox{body}(x))
and to prove the validity of the negation, Leon finds a witness :math:`x` --- a
counterexample --- such that the precondition is verified and the postcondition
is not.
The general problem of verification is undecidable for a Turing-complete
language, and the Leon language is Turing-complete. So Leon has to be
incomplete in some sense. Generally, Leon will eventually find a counterexample
if one exists. However, in practice some program structures require too many
unrollings and Leon is likely to timeout (or being out of memory) before
finding the counterexample. When the postcondition is valid, it could also
happen that Leon keeps unrolling the program forever, without being able to
prove the correctness. We discuss the exact conditions for this in the
chapter on Leon's algorithms.
Preconditions
*************
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
