dafny - Invariant set may vary -


a method copies negative elements of array of integers array has property set of elements in result subset of elements in original array, stays same during copy.

the problem in code below that, write in result array, dafny somehow forgets original set unchanged. how fix this?

method copy_neg (a: array<int>, b: array<int>)   requires != null && b != null && != b   requires a.length == b.length   modifies b {   var := 0;   var r := 0;   ghost var sa := set j | 0 <= j < a.length :: a[j];   while < a.length     invariant 0 <= r <= <= a.length     invariant sa == set j | 0 <= j < a.length :: a[j]   {     if a[i] < 0 {       assert sa == set j | 0 <= j < a.length :: a[j]; // ok       b[r] := a[i];       assert sa == set j | 0 <= j < a.length :: a[j]; // ko!       r := r + 1;     }     := + 1;   } }

edit

following james wilcox's answer, replacing inclusions of sets predicates on sequences works best.

here complete specification (for array distinct elements). post-condition has detailed bit in loop invariant , dumb assert remains in middle of loop, ghost variables gone, great.

method copy_neg (a: array<int>, b: array<int>)   returns (r: nat)   requires != null && b != null && != b   requires a.length <= b.length   modifies b   ensures 0 <= r <= a.length   ensures forall x | x in a[..] :: x < 0 <==> x in b[..r] {   r := 0;   var := 0;   while < a.length     invariant 0 <= r <= <= a.length     invariant forall x | x in b[..r] :: x < 0     invariant forall x | x in a[..i] && x < 0 :: x in b[..r]   {     if a[i] < 0 {       b[r] := a[i];       assert forall x | x in b[..r] :: x < 0;       r := r + 1;     }     := + 1;   } }

this indeed confusing. explain why dafny has trouble proving below, first let me give few ways make go through.

first workaround

one way make proof go through insert following forall statement after line b[r] := a[i];. 

forall x | x in sa   ensures x in set j | 0 <= j < a.length :: a[j] {   var j :| 0 <= j < a.length && x == old(a[j]);   assert x == a[j]; }

the forall statement proof sa <= set j | 0 <= j < a.length :: a[j]. come why works below.

second workaround

in general, when reasoning arrays in dafny, best use a[..] syntax convert array mathematical sequence, , work sequence. if need work set of elements, can use set x | x in a[..], , have better time if use set j | 0 <= j < a.length :: a[j].

systematically replacing set j | 0 <= j < a.length :: a[j] set x | x in a[..] causes program verify.

third solution

popping level specifying method, seems don't need mention set of elements. instead, can away saying "every element of b element of a". or, more formally forall x | x in b[..] :: x in a[..]. not quite valid postcondition method, because method may not fill out of b. since i'm not sure other constraints are, i'll leave you.

explanations

dafny's sets elements of type a translated boogie maps [a]bool, element maps true iff in set. comprehensions such set j | 0 <= j < a.length :: a[j] translated boogie maps definition involves existential quantifier. particular comprehension translates map maps x to

exists j | 0 <= j < a.length :: x == read($heap, a, indexfield(j))

where read expression boogie translation of a[j], which, in particular, makes heap explicit.

so, prove element in set defined comprehension, z3 needs prove existential quantifier, hard. z3 uses triggers prove such quantifiers, , dafny tells z3 use trigger read($heap, a, indexfield(j)) when trying prove quantifier. turns out not great trigger choice, because mentions current value of heap. thus, when heap changes (ie, after updating b[r]), trigger may not fire, , failing proof.

dafny lets customize trigger uses set comprehensions using {:trigger} attribute. unfortunately, there no great choice of trigger @ dafny level. however, reasonable trigger program @ boogie/z3 level indexfield(j) (though bad trigger such expressions in general, since overly general). z3 infer trigger if dafny doesn't tell otherwise. can dafny out of way saying {:autotriggers false}, this

invariant sa == set j {:autotriggers false} | 0 <= j < a.length :: a[j]

this solution unsatisfying , requires detailed knowledge of dafny's internals. we've understood it, can understand other workarounds proposed.

for first workaround, proof goes through because forall statement mentions a[j], trigger. causes z3 prove existential.

for second workaround, have simplified set comprehension expression no longer introduces existential quantifier. instead comprehension set x | x in a[..], translated map maps x to

x in a[..]

(ignoring details of how a[..] translated). means z3 never has prove existential, otherwise similar proof goes through.

the third solution works similar reasons, since uses no comprehensions , no problematic existential quantifiers/


Comments

Post a Comment

Popular posts from this blog

resizing Telegram inline keyboard -

telegram's inline keyboard great feature lots of different use cases. inline buttons added list of items this: inline_keyboard = [[inlinekeyboardbutton(text="button", callback_data="button"), inlinekeyboardbutton(text="reset",callback_data="reset")]] inline_keyboard_markup = inlinekeyboardmarkup(inline_keyboard) update.message.reply_text("hi", reply_markup=inline_keyboard_markup) the above code adds 2 buttons each half width of chat screen. i know the normal keyboard button there resize_keyboard parameter somehow can used. my question is there way resize inline buttons ? example make full width or quarter width. unfortunately, can't now. :( you can suggest @botsupport , might add feature next version.
Read more

command line - How can a Python program background itself? -

consider following python command-line program. doesn't work because incomplete, think illustrates problem: #!/usr/bin/python3 import multiprocessing pool = multiprocessing.pool() task in expensive_iterator_with_user_interaction(): pool.call_async(expensive_computation, (task,)) pool.close() print("dear user, may press ctrl-z , bg script.") pool.join() thus, problem scripts needs user input while it's launching expensive parallel processes. there moment when user interaction not needed anymore. then, ask user background process shell actions. however, can achieved program itself? (side note: core of problem entanglement of user input firing “expensive computations”. therefore, cannot separate both in 2 scripts, , letting 1 spawning other daemon.) the command screen may you. use screen -l create new session , run application. after inputting data, can press " ctrl-a " , press " d " on keyboard detach session. now
Read more

php - "cURL error 28: Resolving timed out" on Wordpress on Azure App Service on Linux -

Image
my wordpress installation on azure app service on linux using custom docker container has slow response times. pages take around 20-40 seconds load. i have troubleshooting plugin installed indicates problem "curl error 28: resolving timed out after n milliseconds" when making requests following urls https://api.wordpress.org/core/version-check/1.7/ http://api.wordpress.org/core/version-check/1.7/ https://api.wordpress.org/plugins/update-check/1.1/ http://api.wordpress.org/plugins/update-check/1.1/ https://api.wordpress.org/themes/update-check/1.1/ http://api.wordpress.org/themes/update-check/1.1/ curl works fine on scm-site command line. example works ok. curl -x post http://api.wordpress.org/core/version-check/1.7/ edit if ssh container , run php code, works fine. <?php $url = 'http://api.wordpress.org/core/version-check/1.7/'; $fields = array( 'version' => urlencode('4.8.1'), 'php' => urlencode(
Read more