piVC verifies termination when it shouldn't (integer division)

[mvolfik]

I'm preparing a short talk for high school students about program verification, and wanted to use piVC as an approachable example. While writing a binary search implementation, I got into this state, which is verified successfully for both Correctness and Termination, but it doesn't terminate when called as binarySearch([0], 1):

@pre sorted(list, 0, |list|)
@post ((rv = -1 <-> (|list| = 0 || forall i. ((i >= 0 && i < |list|) -> list[i] != target))) && (rv != -1 -> list[rv] = target))
int binarySearch(int[] list, int target) {
	if (|list| = 0) return -1;
	int first := 0;
	int last := |list|;
	while @ (sorted(list, 0, |list|) && 0 <= first && first < last && last <= |list|
		&& forall i. ((i >= 0 && i < first) -> list[i] < target)
		&& forall i. ((i >= last && i < |list|) -> list[i] > target))
		# (last - first)
		(first != last)
	{
		int half := (first + last) / 2;
		if (list[half] = target)
			return half;
		if (list[half] > target)
			last := half;
		else
			first := half;
	}
	if (list[first] = target)
		return first;
	return -1;
}

I believe the problem is with integer division - for last > first >= 0, (first + last) / 2 > first always holds, but not when we trim the floating point part.

[jgalenson]

Thanks for the report! Unfortunately, we wrote this code a very long time ago, so it's not too likely we'll be able to fix it (unless the fix ends up being quite simple).

That said, I do remember issues with integer division. Looking over the code now, it looks like I wasn't sure how to express it in SMTLIB1, but we do have code for SMTLB2 and the Yices language. Which solver were you using? It's possible that if you change the solver (which I believe you can do by changing smt_solver_name in pivc-server.conf), you might get something that handles integer division better.

[mvolfik]

Unfortunately, we wrote this code a very long time ago
totally get that, thanks for even replying! :)

I actually don't know what server I'm using, I'm attending @jankofron 's lecture that uses pi so I was using his server until now.

So I burned half a day trying to get different solvers running, and while debugging all the different errors, I stumbled upon the AST, and found that pi has a different operator for integer division (which throws an error if the server doesn't support it): div instead of /. I couldn't figure it out how to try it locally, but it works on my lecturer's server and disproves the program correctly.

So this is solved for me now, but maybe pi could throw an error if you use / for integer arithmetic?

Also, I'll try to find out what setup is used for our lecture so I could play with it more locally.

[jankofron]

I actually don't know what server I'm using, I'm attending @jankofron 's lecture that uses pi so I was using his server until now.

Our backend for teaching uses the Z3 solver, version 4.5. Newer versions have different output for the counterexamples and some tweaking of the ocaml code is needed (which I have not done). Switching to another backend is possible quite easily using the config file as @jgalenson suggests. I have not tried this, though.

[mvolfik]

changing backends with config file works, but I only got yices v1 running correctly, the rest had some mismatch with command-line flags, input/output parsing etc.

Newer versions have different output for the counterexamples and some tweaking of the ocaml code is needed

that explains it, thanks a lot! I was looking exactly at the z3 ouput parsing when I found the integer division, didn't realize I could just try downgrading. Will try to get it running later today to not run my intro (for Smršť) off your server

[jgalenson]

It's great that you got this working!

Yes, I believe there are separate division operators. I believe that was to allow more choice for users, but perhaps it would help prevent errors if we removed one of them?

Are there any specific feature requests related to newer or different versions of solvers? I'm happy to take a look and see if they're easy to support, although I make absolutely no promises.