Bug in proofs about leon HOT 10 OPEN

from leon.

Strangely enough the Isabelle solver thinks a and b are terminating. Leon claims that b(0) doesn't terminate but Isabelle evaluates that to false. (I'm guessing because i == 1 evaluates to false, so the conclusion is never actually executed.)

from leon.

Ok... Would it be possible to give an error in that case? It is a bit strange to see that this code passes verification :)

from leon.

from leon.

It turns out my assessment was wrong. Here's what Isabelle sees:

fun a :: "int ⇒ int" and b :: "int ⇒ bool" where
"a i = i - 1" |
"b i = (i = 1 ⟶ a i = 0)"

Hence, the function definitions themselves are definitely terminating, because there is no call to b in a (the Isabelle backend will – by default – not include the pre- and postconditions in the function definition). If the functions are annotated with @isabelle.fullBody, then Isabelle sees the call to b and correctly refuses to define the function. I'm unsure what to make of all this.

from leon.

In essence, the question is: How do you deal with pre- and postconditions introducing complications in the call graph?

from leon.

By the way, the Isabelle backend is supposed to always give sound results even without --termination switched on. So there is definitely an issue here somewhere.

from leon.

I think that @BLepers is not specifically talking about the Isabelle back end. Termination checker should be on by default and turning it off explicitly should be allowed but known to cause soundness issues if the functions are not terminating. @BLepers , let us know what termination checker reports and if it is too weak in some cases.

from leon.

The termination checker says that a does not finish:

[  Info  ] ║ apply       ✓ Terminates (Non-recursive)                                           
[  Info  ] ║ apply       ✓ Terminates (Non-recursive)                                          
[  Info  ] ║ a           ✗ Non-terminating for call: a(0)                                     
[  Info  ] ║ b           ✗ Calls non-terminating functions a 

So I guess it makes sense that the verification phase is not sound for that example (even though it should probably fail by default as Viktor said because errors like that can easily be made).

What I find a bit confusing in that example is that a() never "really" calls b(). I.e., if you run the applicative code without the "ensuring", there is no infinite loop. (Basically I just tried to separate a bit the proof logic - b() - and the applicative code - a()).

from leon.

The guarantee Leon is giving you when it says "valid" is that if you run the code, every time you encounter a contract, it won't evaluate to false. In this case, Leon is telling you the contract of a() (namely b()) will never evaluate to false (which is true since it won't terminate). However, you didn't guarantee that the contract would evaluate to true, which is typically what you would want when you say something is verified.

Note that with termination (and a few other checks that guarantee the program won't crash), never evaluating to false is equivalent to always evaluating to true.

from leon.