-----------------------------------------------------------------------------
-- |
-- Module    : Documentation.SBV.Examples.WeakestPreconditions.IntSqrt
-- Copyright : (c) Levent Erkok
-- License   : BSD3
-- Maintainer: erkokl@gmail.com
-- Stability : experimental
--
-- Proof of correctness of an imperative integer square-root algorithm, using
-- weakest preconditions. The algorithm computes the floor of the square-root
-- of a given non-negative integer by keeping a running sum of all odd numbers
-- starting from 1. Recall that @1+3+5+...+(2n+1) = (n+1)^2@, thus we can
-- stop the counting when we exceed the input number.
-----------------------------------------------------------------------------

{-# LANGUAGE DeriveAnyClass        #-}
{-# LANGUAGE DeriveGeneric         #-}
{-# LANGUAGE DeriveTraversable     #-}
{-# LANGUAGE FlexibleInstances     #-}
{-# LANGUAGE MultiParamTypeClasses #-}
{-# LANGUAGE NamedFieldPuns        #-}

{-# OPTIONS_GHC -Wall -Werror #-}

module Documentation.SBV.Examples.WeakestPreconditions.IntSqrt where

import Data.SBV
import Data.SBV.Control

import Data.SBV.Tools.WeakestPreconditions

import GHC.Generics (Generic)

import Prelude hiding (sqrt)

-- * Program state

-- | Program state for the integer square-root algorithm, parameterized over the
-- base type @a@ so the same record serves both concrete ('Integer') and symbolic
-- ('SInteger') runs.
data SqrtS a = SqrtS
  { x    :: a -- ^ The input
  , sqrt :: a -- ^ The floor of the square root computed so far
  , i    :: a -- ^ Running sum of the odd numbers seen so far (the next square, as 'invariant' maintains)
  , j    :: a -- ^ The current odd number
  }
  deriving (Show, Generic, Mergeable, Functor, Foldable, Traversable)

-- | Prettier 'Show' instance for symbolic states: concrete values print as
-- themselves, anything still unknown prints as @<symbolic>@. The derived instance
-- above would also work; this one overlaps it, hence the @OVERLAPS@ directive.
instance {-# OVERLAPS #-} (SymVal a, Show a) => Show (SqrtS (SBV a)) where
  show SqrtS{x, sqrt, i, j} =
    "{" ++ field "x" x ++ ", " ++ field "sqrt" sqrt ++ ", " ++ field "i" i ++ ", " ++ field "j" j ++ "}"
    where
      -- A literal prints through 'show'; whatever 'unliteral' cannot reduce is symbolic.
      field lbl v = lbl ++ " = " ++ maybe "<symbolic>" show (unliteral v)

-- | 'Fresh' instance for the program state: every field becomes a brand-new
-- symbolic variable, allocated in field order.
instance SymVal a => Fresh IO (SqrtS (SBV a)) where
  fresh = do
    xVar    <- freshVar_
    sqrtVar <- freshVar_
    iVar    <- freshVar_
    jVar    <- freshVar_
    pure (SqrtS xVar sqrtVar iVar jVar)

-- | Helper type synonym: the program state over symbolic integers, which is the
-- state the proof machinery below operates on.
type S = SqrtS SInteger

-- * The algorithm

-- | The imperative square-root algorithm, assuming a non-negative @x@:
--
-- @
--    sqrt = 0                  -- set sqrt to 0
--    i    = 1                  -- set i to 1, sum of j's so far
--    j    = 1                  -- set j to be the first odd number i
--    while i <= x              -- while the sum hasn't exceeded x yet
--      sqrt = sqrt + 1              -- increase the sqrt
--      j    = j + 2                 -- next odd number
--      i    = i + j                 -- running sum of j's
-- @
--
-- Every loop must carry its invariant and (optionally) its termination measure,
-- so both are taken as parameters here rather than fixed inside the program.
algorithm :: Invariant S -> Maybe (Measure S) -> Stmt S
algorithm inv msr = Seq [guardInput, initialize, loop]
  where
    guardInput, initialize, loop, body :: Stmt S

    -- Abort unless the input is non-negative; this mirrors 'pre'.
    guardInput = assert "x >= 0" $ \SqrtS{x} -> x .>= 0

    -- Reset the working variables, keeping the input as is.
    initialize = Assign $ \SqrtS{x} -> SqrtS{x, sqrt = 0, i = 1, j = 1}

    -- Keep going while the running sum of odds has not passed the input.
    loop = While "i <= x" inv msr (\SqrtS{x, i} -> i .<= x) body

    -- One iteration: bump the root, move to the next odd number, add it to the sum.
    body = Seq [ Assign $ \st@SqrtS{sqrt} -> st{sqrt = sqrt + 1}
               , Assign $ \st@SqrtS{j}    -> st{j = j + 2}
               , Assign $ \st@SqrtS{i, j} -> st{i = i + j}
               ]

-- | Precondition for the program: the input @x@ must be non-negative. 'algorithm'
-- also guards this with its leading @assert "x >= 0"@, which aborts on negative
-- input; without this precondition the proof would therefore fail on that abort.
pre :: S -> SBool
pre st = x st .>= 0

-- | Postcondition for the program: @sqrt@ is the integer floor of the square root,
-- i.e. @sqrt^2 <= x@ and @(sqrt+1)^2 > x@.
post :: S -> SBool
post SqrtS{x, sqrt} = lowerBound .&& upperBound
  where
    -- sqrt does not overshoot the root
    lowerBound = sqrt * sqrt .<= x
    -- ... and the next candidate already does, so sqrt is the floor
    upperBound = (sqrt + 1) * (sqrt + 1) .> x

-- | Stability condition: the program must leave the input @x@ unchanged. Only
-- @x@ is listed; the other fields are the algorithm's working variables and are
-- expected to change.
noChange :: Stable S
noChange = [stable "x" x]

-- | A program is the algorithm together with its pre- and post-conditions and
-- the stability requirement. No solver setup is needed, so 'setup' is a no-op.
imperativeSqrt :: Invariant S -> Maybe (Measure S) -> Program S
imperativeSqrt inv msr =
  Program { precondition  = pre
          , program       = algorithm inv msr
          , postcondition = post
          , stability     = noChange
          , setup         = pure ()
          }

-- * Correctness

-- | The loop invariant: at every iteration @sqrt@ stays at or below the true
-- square root, @i@ is the square of the next candidate, and @j@ is the @sqrt@'th
-- odd number. Coming up with this invariant is not for the faint of heart; for
-- details see Manna's /Mathematical Theory of Computation/ (chapter 3). The
-- @j .> 0@ conjunct is what lets the measure establish termination.
invariant :: Invariant S
invariant SqrtS{x, sqrt, i, j} = oddPositive .&& belowRoot .&& nextSquare .&& nthOdd
  where
    oddPositive = j .> 0
    belowRoot   = sqrt * sqrt .<= x
    nextSquare  = i .== (sqrt + 1) * (sqrt + 1)
    nthOdd      = j .== 2 * sqrt + 1

-- | The termination measure: @i@ strictly increases on every iteration (it grows
-- by the positive @j@), so the gap @x - i@ shrinks and stays non-negative while
-- the loop condition @i <= x@ holds.
measure :: Measure S
measure st = [x st - i st]

-- | Prove total correctness: the program terminates and the postcondition holds
-- for every input satisfying the precondition. Verbose output is enabled so the
-- individual proof obligations are shown. We have:
--
-- >>> correctness
-- Total correctness is established.
-- Q.E.D.
correctness :: IO ()
correctness = wpProveWith cfg (imperativeSqrt invariant (Just measure)) >>= print
  where
    cfg = defaultWPCfg{wpVerbose = True}