Skip to content

Commit cbdd92a

Browse files
cassiatorczoncassiatorczon
authored
updated tutorial with spurious countermodel information (#117)
1 parent 586e3a8 commit cbdd92a

File tree

4 files changed

+33
-5
lines changed

4 files changed

+33
-5
lines changed

src/images/0.error.png

-768 KB
Binary file not shown.

src/images/0_error.png

39.9 KB
Loading

src/images/string_error.png

149 KB
Loading

src/tutorial.md

+33-5
Original file line numberDiff line numberDiff line change
@@ -135,13 +135,41 @@ producing detailed error information, in the form of an HTML error
135135
report.
136136

137137
Let’s return to the type error from earlier -- `add` without
138-
precondition -- and take a closer look at this report. It
139-
comprises two sections:
140-
141-
<!-- TODO: BCP: It looks quite different now! -->
138+
precondition -- and take a closer look at this report.
142139

143140
_CN error report_
144-
![*CN error report*](images/0.error.png)
141+
![*CN error report: 0*](images/0_error.png)
142+
143+
_Definitions and constraints not handled automatically_
144+
145+
CN checks that the code matches its specification with the help of an SMT
146+
solver. CN passes a set of constraints along with program context to the SMT
147+
solver, which either confirms that a given constraint will always hold in
148+
that program context, provides a counterexample in which the constraint does
149+
not hold, or times out. To avoid timeouts, CN avoids passing some definitions
150+
to the solver, including recursive functions, some predicates with branching,
151+
and constraints with `forall`. The error file displays in this section which
152+
definitions and constraints CN did not pass to the solver.
153+
154+
_Resources that do not satisfy predicate definitions_
155+
156+
Because CN does not pass certain definitions to the solver, it may return
157+
spurious counterexamples that do not respect those definitions. Consider this
158+
example:
159+
160+
![*CN error report: string*](images/string_error.png)
161+
162+
`String` is a predicate representing a null-terminated string.
163+
In general, CN does not know how much to unfold the mutually recursive
164+
predicates `String` and `StringAux`, so it does not pass their full
165+
definition to the solver. This leads to a spurious counterexample: `sIn` is the
166+
singleton string containing exactly the null character `0u8`. This is
167+
impossible; the predicate leaves out the null when constructing the logical
168+
representation of a string. To make clear that this is a bad counterexample,
169+
the error file lists `String(s) (sIn)` under _Resources that do not satisfy
170+
predicate definitions_.
171+
172+
<!-- TODO: BCP: It looks quite different now! -->
145173

146174
_Path to error._ The first section contains information about the
147175
control-flow path leading to the error.

0 commit comments

Comments
 (0)