Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possibly incorrect lemma in example-archive (src/example-archive/simple-examples/working/list_2.c) #111

Open
kiranandcode opened this issue Jan 27, 2025 · 1 comment
Open

Possibly incorrect lemma in example-archive (src/example-archive/simple-examples/working/list_2.c) #111

kiranandcode opened this issue Jan 27, 2025 · 1 comment

Comments

@kiranandcode
Copy link

Hi, I was just going through the snippets in the example archive looking, and I realised that it might be the case that one of the lemmas assumed in one is incorrect?

cn-tutorial/src/example-archive/simple-examples/working/list_2.c

Lines 12 to 18 in c9706ff

/*@
lemma IntListSeqSnoc(pointer p, pointer tail)
requires take l1 = IntListSeg(p, tail);
take v = Owned<struct list_node>(tail);
ensures take l2 = IntListSeg(p, v.next);
l2 == append(l1, Seq_Cons { val: v.val, next: Seq_Nil {} });
@*/

In particular, shouldn't v.next be constrained to not be equal to any of the next-fields inside the list segment? (because if so, then it forms a loop and the segment would be cut off early?).

Discovered this while playing around and trying to prove this lemma in CN directly with the following encoding:

void lemma_make_segment_from_parts(struct list_node *head, struct list_node *tail) 
/*@
   requires take H = Owned<struct list_node>(head);
            take LS = IntListSeg(H.next, tail);
            !(head == tail);
    ensures take LS_NEW = IntListSeg(head, tail);
            LS_NEW == Seq_Cons { val: H.val, next: LS };
@*/ {
}

void lemma_intlist_seq_snoc(struct list_node *head, struct list_node *prev_curr)
/*@
  requires take l1 = IntListSeg(head, prev_curr);
           take v = Owned<struct list_node>(prev_curr);
           v.next != prev_curr;
  ensures take l2 = IntListSeg(head, v.next);
          l2 == append(l1, Seq_Cons { val: v.val, next: Seq_Nil {} });
  @*/
{
  /*@ split_case (ptr_eq(head,prev_curr)); @*/
  if(head == prev_curr) {
    /*@ assert (l1 == Seq_Nil {}); @*/
    /*@ unfold append(l1, Seq_Cons { val: v.val, next: Seq_Nil {} }); @*/
    /*@ split_case (ptr_eq(prev_curr, v.next)); @*/
    return;
  } else {
    struct list_node *prev_curr_next = prev_curr->next;
    lemma_intlist_seq_snoc(head->next, prev_curr);
    /*@ split_case (ptr_eq(head,prev_curr)); @*/
    lemma_make_segment_from_parts(head, prev_curr_next);
    /*@ assert (true); @*/
  }
}
@kiranandcode
Copy link
Author

Oh, I'm realising that maybe it's in example-archive because it's been archived? tentatively closing this issue accordingly, and saw that a more correct encoding was already implemented in src/examples/queue/pop_unified.c

@cp526 cp526 reopened this Jan 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cp526 @kiranandcode