Merge branch 'main' into fabian

Author: fzaiser

.github/workflows/format.yml

@@ -0,0 +1,14 @@
+name: 'Check formatting'
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - 'main'
+jobs:
+  check-format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: bash scripts/prep.sh
+      - run: DAFNY=dafny/dafny bash scripts/checkformat.sh

Guidelines.md

@@ -1,4 +1,8 @@
-Following are guidelines that one should follow unless there is a good technical reason not to.
+The Dafny 386 guidelines.
+
+By default, you should adhere the following guidelines to structure your development. 
+It may happen that not following the guidelines would lead to a better solution: when that is
+the case, you should present your case with the rest of the developers. 
 
 * Languages features to avoid:
     * import opened.
@@ -8,10 +12,13 @@ Following are guidelines that one should follow unless there is a good technical
 
 * Even if a function is not meant to be part of the compiled code, don't use ghost unless necessary.
 * Do not attach postconditions to functions. Instead, prove the postcondition as a separate lemma.
+* Use function preconditions only when the function is genuinely partial and that making total would requires the use of the error monad or a dummy value.
 * Make functions opaque.
 * Name preconditions of lemmas and reveal them only when necessary.
 * Be mindful of resource usage and refine your proof until it is less than 1M.
-* In particular, avoid `{:vcs_split_on_every_assert}` as this can increase the verification time a lot.
+* Do not use internal prover directives such as `{:vcs_split_on_every_assert}` or `{:trigger}`.
+* A method should have a unique postcondition that establishes its equivalence with a functional model.
+* Local variables must be typed explicitly. 
 * Keep proofs short and modular, as for a pencil and paper proof.
 * Prefer structured proofs in natural deduction rathen than sequences of assertions.
 * Unless it is logically or mathematically necessary:
@@ -143,6 +150,7 @@ lemma Foo2()
       </td>
    </tr>
 </table>
+
 * Establish preconditions of assertion in a by clause. For example, consider lemma Foo() requires A ensures B
 <table>
    <tr>

audit.log

@@ -2,37 +2,22 @@
 Auditing ./src/Dafny-VMC.dfy
 
 Auditing ./src/Distributions/Base/Interface.dfy
- Coin: Definition has `assume {:axiom}` statement in body. 
+ Coin: Definition has `assume {:axiom}` statement in body.
 
 Auditing ./src/Distributions/Base/Model.dfy
 
 Auditing ./src/Distributions/Bernoulli/Correctness.dfy
- ProbBernoulliIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- BernoulliCorrectness: Declaration has explicit `{:axiom}` attribute. 
 
 Auditing ./src/Distributions/Bernoulli/Implementation.dfy
 
 Auditing ./src/Distributions/Bernoulli/Interface.dfy
- Bernoulli: Compiled declaration has no body and has an ensures clause. 
 
 Auditing ./src/Distributions/Bernoulli/Model.dfy
- ProbBernoulli: Definition has `assume {:axiom}` statement in body. 
 
 Auditing ./src/Distributions/BernoulliExpNeg/Implementation.dfy
 
 Auditing ./src/Distributions/BernoulliExpNeg/Interface.dfy
 
-Auditing ./src/Distributions/BernoulliRational/Correctness.dfy
- /!\ No terms found to trigger on.
- /!\ No terms found to trigger on.
-
-Auditing ./src/Distributions/BernoulliRational/Implementation.dfy
-
-Auditing ./src/Distributions/BernoulliRational/Interface.dfy
- BernoulliRational: Compiled declaration has no body and has an ensures clause. 
-
-Auditing ./src/Distributions/BernoulliRational/Model.dfy
-
 Auditing ./src/Distributions/DiscreteGaussian/Implementation.dfy
 
 Auditing ./src/Distributions/DiscreteGaussian/Interface.dfy
@@ -41,75 +26,64 @@ Auditing ./src/Distributions/DiscreteLaplace/Implementation.dfy
 
 Auditing ./src/Distributions/DiscreteLaplace/Interface.dfy
 
-Auditing ./src/Distributions/Geometric/Correctness.dfy
- ProbGeometricIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- ProbGeometricCorrectness: Declaration has explicit `{:axiom}` attribute. 
-
-Auditing ./src/Distributions/Geometric/Implementation.dfy
-
-Auditing ./src/Distributions/Geometric/Interface.dfy
- Geometric: Compiled declaration has no body and has an ensures clause. 
-
-Auditing ./src/Distributions/Geometric/Model.dfy
- ProbWhileGeometricTerminates: Declaration has explicit `{:axiom}` attribute. 
-
 Auditing ./src/Distributions/Uniform/Correctness.dfy
  /!\ No terms found to trigger on.
  /!\ No terms found to trigger on.
- UniformCorrectnessCorrectMeasureCaseNGreaterOne: Definition has `assume {:axiom}` statement in body. 
- ProbUniformIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
+ UniformCorrectnessCorrectMeasureCaseNGreaterOne: Definition has `assume {:axiom}` statement in body.
+ ProbUniformIsIndepFn: Declaration has explicit `{:axiom}` attribute.
 
 Auditing ./src/Distributions/Uniform/Implementation.dfy
- Uniform: Definition has `assume {:axiom}` statement in body. 
- Uniform: Definition has `assume {:axiom}` statement in body. 
+ Uniform: Definition has `assume {:axiom}` statement in body.
+ Uniform: Definition has `assume {:axiom}` statement in body.
 
 Auditing ./src/Distributions/Uniform/Interface.dfy
- Uniform: Compiled declaration has no body and has an ensures clause. 
 
 Auditing ./src/Distributions/Uniform/Model.dfy
 
 Auditing ./src/Distributions/UniformPowerOfTwo/Correctness.dfy
- ProbUniformAlternative: Definition has `assume {:axiom}` statement in body. 
- ProbUnifIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- ProbUnifForAllStar: Declaration has explicit `{:axiom}` attribute. 
+ ProbUniformAlternative: Definition has `assume {:axiom}` statement in body.
+ UnifCorrectness2: Definition has `assume {:axiom}` statement in body.
+ UnifCorrectness2: Definition has `assume {:axiom}` statement in body.
+ ProbUnifIsIndepFn: Declaration has explicit `{:axiom}` attribute.
 
 Auditing ./src/Distributions/UniformPowerOfTwo/Implementation.dfy
 
 Auditing ./src/Distributions/UniformPowerOfTwo/Interface.dfy
- UniformPowerOfTwo: Compiled declaration has no body and has an ensures clause. 
 
 Auditing ./src/Distributions/UniformPowerOfTwo/Model.dfy
- ProbUnifTerminates: Declaration has explicit `{:axiom}` attribute. 
- ProbUnifCorrespondence: Definition has `assume {:axiom}` statement in body. 
+ ProbUnifTerminates: Declaration has explicit `{:axiom}` attribute.
+ ProbUnifCorrespondence: Definition has `assume {:axiom}` statement in body.
 
 Auditing ./src/Math/Helper.dfy
 
 Auditing ./src/Math/MeasureTheory.dfy
- CountableSum: Definition has `assume {:axiom}` statement in body. 
- CountableSumOfZeroesIsZero: Declaration has explicit `{:axiom}` attribute. 
+ CountableSum: Definition has `assume {:axiom}` statement in body.
+ CountableSumOfZeroesIsZero: Declaration has explicit `{:axiom}` attribute.
+
+Auditing ./src/Math/Rationals.dfy
 
 Auditing ./src/ProbabilisticProgramming/Independence.dfy
- IsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- DeconstructIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- ReturnIsIndepFn: Declaration has explicit `{:axiom}` attribute. 
- IndepFnIsCompositional: Declaration has explicit `{:axiom}` attribute. 
+ IsIndepFn: Declaration has explicit `{:axiom}` attribute.
+ DeconstructIsIndepFn: Declaration has explicit `{:axiom}` attribute.
+ ReturnIsIndepFn: Declaration has explicit `{:axiom}` attribute.
+ IndepFnIsCompositional: Declaration has explicit `{:axiom}` attribute.
 
 Auditing ./src/ProbabilisticProgramming/Monad.dfy
- TailIsRNG: Declaration has explicit `{:axiom}` attribute. 
- HeadIsMeasurable: Declaration has explicit `{:axiom}` attribute. 
- MeasureHeadDrop: Declaration has explicit `{:axiom}` attribute. 
- TailIsMeasurePreserving: Declaration has explicit `{:axiom}` attribute. 
+ TailIsRNG: Declaration has explicit `{:axiom}` attribute.
+ HeadIsMeasurable: Declaration has explicit `{:axiom}` attribute.
+ MeasureHeadDrop: Declaration has explicit `{:axiom}` attribute.
+ TailIsMeasurePreserving: Declaration has explicit `{:axiom}` attribute.
 
 Auditing ./src/ProbabilisticProgramming/Quantifier.dfy
 
 Auditing ./src/ProbabilisticProgramming/RandomNumberGenerator.dfy
- IsRNG: Declaration has explicit `{:axiom}` attribute. 
- RNGHasMeasure: Declaration has explicit `{:axiom}` attribute. 
+ IsRNG: Declaration has explicit `{:axiom}` attribute.
+ RNGHasMeasure: Declaration has explicit `{:axiom}` attribute.
 
 Auditing ./src/ProbabilisticProgramming/WhileAndUntil.dfy
- ProbWhile: Definition has `assume {:axiom}` statement in body. 
- EnsureProbWhileTerminates: Declaration has explicit `{:axiom}` attribute. 
- ProbUntilProbabilityFraction: Declaration has explicit `{:axiom}` attribute. 
- ProbUntilAsBind: Declaration has explicit `{:axiom}` attribute. 
- EnsureProbUntilTerminatesAndForAll: Definition has `assume {:axiom}` statement in body. 
+ ProbWhile: Definition has `assume {:axiom}` statement in body.
+ EnsureProbWhileTerminates: Declaration has explicit `{:axiom}` attribute.
+ ProbUntilProbabilityFraction: Declaration has explicit `{:axiom}` attribute.
+ ProbUntilAsBind: Declaration has explicit `{:axiom}` attribute.
+ EnsureProbUntilTerminatesAndForAll: Definition has `assume {:axiom}` statement in body.
 

docs/dafny/ExamplesExternUniform.dfy

@@ -8,6 +8,7 @@
 include "../../src/Dafny-VMC.dfy"
 
 module RandomExamples {
+  import Rationals
   import DafnyVMC
 
   method Main()
@@ -55,62 +56,39 @@ module RandomExamples {
     }
     print "Estimated probabilities for UniformInterval(7,10): ", (a as real) / (n as real), "; ", (b as real) / (n as real), "; " , (c as real) / (n as real), " (each should be around 0.33)\n";
 
-    a := 0;
-    b := 0;
-    for i := 0 to n {
-      var k := r.Geometric();
-      if k == 5 {
-        a := a + 1;
-      } else if k == 10  {
-        b := b + 1;
-      }
-    }
-    print "Estimated probabilities for Geometric(0.5): " , (a as real) / (n as real), " (should be around 0.015625) and " , (b as real) / (n as real), " (should be around 0.00048828125) \n";
-
     t := 0;
     for i := 0 to n {
-      var b := r.BernoulliRational(1, 5);
+      var b := r.Bernoulli(Rationals.Rational(1, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for BernoulliRational(1, 5): ", (t as real) / (n as real), " (should be around 0.2)\n";
+    print "Estimated parameter for Bernoulli(1, 5): ", (t as real) / (n as real), " (should be around 0.2)\n";
 
     t := 0;
     for i := 0 to n {
-      var b := r.BernoulliRational(0, 5);
+      var b := r.Bernoulli(Rationals.Rational(0, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for BernoulliRational(0, 5): ", (t as real) / (n as real), " (should be around 0.0)\n";
-
-    t := 0;
-    for i := 0 to n {
-      var b := r.BernoulliRational(5, 5);
-      if b {
-        t := t + 1;
-      }
-    }
-
-    print "Estimated parameter for BernoulliRational(5, 5): ", (t as real) / (n as real), " (should be around 1.0\n";
-
+    print "Estimated parameter for Bernoulli(0, 5): ", (t as real) / (n as real), " (should be around 0.0)\n";
 
     t := 0;
     for i := 0 to n {
-      var b := r.Bernoulli(0.2);
+      var b := r.Bernoulli(Rationals.Rational(5, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for Bernoulli(0.2): ", (t as real) / (n as real), " (should be around 0.2)\n";
+    print "Estimated parameter for Bernoulli(5, 5): ", (t as real) / (n as real), " (should be around 1.0\n";
 
     t := 0;
     for i := 0 to n {
-      var u := r.BernoulliExpNeg(2.30258509299); // about -ln(0.1)
+      var u := r.BernoulliExpNeg(Rationals.Rational(12381, 5377)); // about -ln(0.1)
       if u {
         t := t + 1;
       }
@@ -121,7 +99,7 @@ module RandomExamples {
     var count1 := 0;
     var countneg1 := 0;
     for i := 0 to n {
-      var u := r.DiscreteLaplace(5, 7); // DiscreteLaplace(7/5)
+      var u := r.DiscreteLaplace(Rationals.Rational(7, 5));
       match u {
         case -1 => countneg1 := countneg1 + 1;
         case 0 => count0 := count0 + 1;
@@ -138,7 +116,7 @@ module RandomExamples {
     count1 := 0;
     countneg1 := 0;
     for i := 0 to n {
-      var u := r.DiscreteGaussian(1.4);
+      var u := r.DiscreteGaussian(Rationals.Rational(7, 5));
       match u {
         case -1 => countneg1 := countneg1 + 1;
         case 0 => count0 := count0 + 1;

docs/dafny/ExamplesFoundational.dfy

@@ -8,6 +8,7 @@
 include "../../src/Dafny-VMC.dfy"
 
 module RandomExamples {
+  import Rationals
   import DafnyVMC
 
   method Main()
@@ -55,61 +56,39 @@ module RandomExamples {
     }
     print "Estimated probabilities for UniformInterval(7,10): ", (a as real) / (n as real), "; ", (b as real) / (n as real), "; " , (c as real) / (n as real), " (each should be around 0.33)\n";
 
-    a := 0;
-    b := 0;
-    for i := 0 to n {
-      var k := r.Geometric();
-      if k == 5 {
-        a := a + 1;
-      } else if k == 10  {
-        b := b + 1;
-      }
-    }
-    print "Estimated probabilities for Geometric(0.5): " , (a as real) / (n as real), " (should be around 0.015625) and " , (b as real) / (n as real), " (should be around 0.00048828125) \n";
-
-    t := 0;
-    for i := 0 to n {
-      var b := r.BernoulliRational(1, 5);
-      if b {
-        t := t + 1;
-      }
-    }
-
-    print "Estimated parameter for BernoulliRational(1, 5): ", (t as real) / (n as real), " (should be around 0.2)\n";
-
     t := 0;
     for i := 0 to n {
-      var b := r.BernoulliRational(0, 5);
+      var b := r.Bernoulli(Rationals.Rational(1, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for BernoulliRational(0, 5): ", (t as real) / (n as real), " (should be around 0.0)\n";
+    print "Estimated parameter for Bernoulli(1/5): ", (t as real) / (n as real), " (should be around 0.2)\n";
 
     t := 0;
     for i := 0 to n {
-      var b := r.BernoulliRational(5, 5);
+      var b := r.Bernoulli(Rationals.Rational(0, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for BernoulliRational(5, 5): ", (t as real) / (n as real), " (should be around 1.0\n";
+    print "Estimated parameter for Bernoulli(0/5): ", (t as real) / (n as real), " (should be around 0.0)\n";
 
     t := 0;
     for i := 0 to n {
-      var b := r.Bernoulli(0.2);
+      var b := r.Bernoulli(Rationals.Rational(5, 5));
       if b {
         t := t + 1;
       }
     }
 
-    print "Estimated parameter for Bernoulli(0.2): ", (t as real) / (n as real), " (should be around 0.2)\n";
+    print "Estimated parameter for Bernoulli(5/5): ", (t as real) / (n as real), " (should be around 1.0\n";
 
     t := 0;
     for i := 0 to n {
-      var u := r.BernoulliExpNeg(2.30258509299); // about -ln(0.1)
+      var u := r.BernoulliExpNeg(Rationals.Rational(12381, 5377)); // about -ln(0.1)
       if u {
         t := t + 1;
       }
@@ -120,7 +99,7 @@ module RandomExamples {
     var count1 := 0;
     var countneg1 := 0;
     for i := 0 to n {
-      var u := r.DiscreteLaplace(5, 7); // DiscreteLaplace(7/5)
+      var u := r.DiscreteLaplace(Rationals.Rational(7, 5));
       match u {
         case -1 => countneg1 := countneg1 + 1;
         case 0 => count0 := count0 + 1;
@@ -137,7 +116,7 @@ module RandomExamples {
     count1 := 0;
     countneg1 := 0;
     for i := 0 to n {
-      var u := r.DiscreteGaussian(1.4);
+      var u := r.DiscreteGaussian(Rationals.Rational(7, 5));
       match u {
         case -1 => countneg1 := countneg1 + 1;
         case 0 => count0 := count0 + 1;

docs/dafny/index.html

@@ -1,5 +1,7 @@
 Using the Dafny-VMC library in a Dafny application.
 <br>
+<a href="dafny-doc/index.html">Dafny documentation</a>
+<br>
 <a href="ExamplesFoundational.dfy">Example using the foundational uniform sampler</a>
 <br>
 <a href="ExamplesExternUniform.dfy">Example using the extern uniform sampler</a>

scripts/audit.sh

@@ -13,5 +13,5 @@ echo '' > audit.log
 for file in `find ./src -type f -name '*.dfy' | xargs -n1 | sort | xargs`
 do
   echo Auditing $file >> audit.log
-  $DAFNY audit $file | grep -v '{:termination false}\|{:extern}\|decreases *\|Dafny auditor completed\|Dafny program verifier' | sed 's/.*Warning://' | sed 's/Possible.*//' >> audit.log
+  $DAFNY audit $file | grep -v '{:termination false}\|{:extern}\|decreases *\|Dafny auditor completed\|Dafny program verifier\|No terms found to trigger on\|Compiled declaration has no body' | sed 's/.*Warning://' | sed 's/Possible.*//' >> audit.log
 done