Prove false with bitvectors #2511
Assignees
Labels
kind: bug
Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label
logic
An inconsistency in Dafny's logic (e.g. in the Boogie prelude)
part: verifier
Translation from Dafny to Boogie (translator)
Comments
MikaelMayer
added
kind: bug
|
Ouch, nice find! Here is an even smaller example: I have a fix coming up, I think. |
|
Another variant: |
|
And another one: |
cpitclaudel
added a commit
that referenced
this issue
Jul 28, 2022
Dafny adds a free invariant on each loops that states that the loop variable is
smaller than or equal to its initial value. For bitvectors, Dafny produced ≥
instead of ≤, possibly due to a typo?
Specifically, the issue was:
- In `Translator.TrStatement.cs` (`TrLoop`):
```
// include a free invariant that says that all completed iterations so far have only decreased the termination metric
…
Bpl.Expr decrCheck = DecreasesCheck(toks, types, types, decrs, initDecr, null, null, true, false);
```
- In `Translator.cs` (`DecreasesCheck`):
```
Bpl.Expr less, atmost, eq;
ComputeLessEq(toks[i], types0[i], types1[i], ee0[i], ee1[i], out less, out atmost, out eq, includeLowerBound);
```
- In `Translator.cs` (`ComputeLessEq`):
```
} else if (ty0 is BitvectorType) {
BitvectorType bv = (BitvectorType)ty0;
eq = Bpl.Expr.Eq(e0, e1);
less = FunctionCall(tok, "lt_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
atmost = FunctionCall(tok, "ge_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
```
`"ge_bv"` is wrong.
* `Source/Dafny/Verifier/Translator.cs`
(`ComputeLessEq`): Change `ge` into `le`.
* `Test/git-issues/git-issue-2511.dfy`:
New file, showing the issue in all places where `ComputeLessEq` was used.
Introduced in 3f899b9.
Closes #2511.
cpitclaudel
added a commit
that referenced
this issue
Jul 28, 2022
Dafny adds a free invariant on each loops that states that the loop variable is
smaller than or equal to its initial value. For bitvectors, Dafny produced ≥
instead of ≤, possibly due to a typo?
Specifically, the issue was:
- In `Translator.TrStatement.cs` (`TrLoop`):
```
// include a free invariant that says that all completed iterations so far have only decreased the termination metric
…
Bpl.Expr decrCheck = DecreasesCheck(toks, types, types, decrs, initDecr, null, null, true, false);
```
- In `Translator.cs` (`DecreasesCheck`):
```
Bpl.Expr less, atmost, eq;
ComputeLessEq(toks[i], types0[i], types1[i], ee0[i], ee1[i], out less, out atmost, out eq, includeLowerBound);
```
- In `Translator.cs` (`ComputeLessEq`):
```
} else if (ty0 is BitvectorType) {
BitvectorType bv = (BitvectorType)ty0;
eq = Bpl.Expr.Eq(e0, e1);
less = FunctionCall(tok, "lt_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
atmost = FunctionCall(tok, "ge_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
```
`"ge_bv"` is wrong.
* `Source/Dafny/Verifier/Translator.cs`
(`ComputeLessEq`): Change `ge` into `le`.
* `Test/git-issues/git-issue-2511.dfy`:
New file, showing the issue in all places where `ComputeLessEq` was used.
Introduced in 3f899b9.
Closes #2511.
cpitclaudel
added a commit
that referenced
this issue
Jul 28, 2022
Dafny adds a free invariant on each loop that states that the loop variable is
smaller than or equal to its initial value. For bitvectors, Dafny produced ≥
instead of ≤, possibly due to a typo.
Specifically, the issue was:
- In `Translator.TrStatement.cs` (`TrLoop`):
```
// include a free invariant that says that all completed iterations so far have only decreased the termination metric
…
Bpl.Expr decrCheck = DecreasesCheck(toks, types, types, decrs, initDecr, null, null, true, false);
```
- In `Translator.cs` (`DecreasesCheck`):
```
Bpl.Expr less, atmost, eq;
ComputeLessEq(toks[i], types0[i], types1[i], ee0[i], ee1[i], out less, out atmost, out eq, includeLowerBound);
```
- In `Translator.cs` (`ComputeLessEq`):
```
} else if (ty0 is BitvectorType) {
BitvectorType bv = (BitvectorType)ty0;
eq = Bpl.Expr.Eq(e0, e1);
less = FunctionCall(tok, "lt_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
atmost = FunctionCall(tok, "ge_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
```
`"ge_bv"` is wrong.
* `Source/Dafny/Verifier/Translator.cs`
(`ComputeLessEq`): Change `ge` into `le`.
* `Test/git-issues/git-issue-2511.dfy`:
New file, showing the issue in all places where `ComputeLessEq` was used.
Introduced in 3f899b9.
Closes #2511.
cpitclaudel
added a commit
that referenced
this issue
Jul 29, 2022
Dafny adds a free invariant on each loop that states that the loop variable is
smaller than or equal to its initial value. For bitvectors, Dafny produced ≥
instead of ≤, possibly due to a typo.
Specifically, the issue was:
- In `Translator.TrStatement.cs` (`TrLoop`):
```
// include a free invariant that says that all completed iterations so far have only decreased the termination metric
…
Bpl.Expr decrCheck = DecreasesCheck(toks, types, types, decrs, initDecr, null, null, true, false);
```
- In `Translator.cs` (`DecreasesCheck`):
```
Bpl.Expr less, atmost, eq;
ComputeLessEq(toks[i], types0[i], types1[i], ee0[i], ee1[i], out less, out atmost, out eq, includeLowerBound);
```
- In `Translator.cs` (`ComputeLessEq`):
```
} else if (ty0 is BitvectorType) {
BitvectorType bv = (BitvectorType)ty0;
eq = Bpl.Expr.Eq(e0, e1);
less = FunctionCall(tok, "lt_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
atmost = FunctionCall(tok, "ge_bv" + bv.Width, Bpl.Type.Bool, e0, e1);
```
`"ge_bv"` is wrong.
* `Source/Dafny/Verifier/Translator.cs`
(`ComputeLessEq`): Change `ge` into `le`.
* `Test/git-issues/git-issue-2511.dfy`:
New file, showing the issue in all places where `ComputeLessEq` was used.
Introduced in 3f899b9.
Closes #2511.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have no idea why, but I can prove false with the following code:
The text was updated successfully, but these errors were encountered: