110 |
110 |
111 Nitpick requires the Kodkodi package for Isabelle as well as a Java 1.5 virtual |
111 Nitpick requires the Kodkodi package for Isabelle as well as a Java 1.5 virtual |
112 machine called \texttt{java}. The examples presented in this manual can be found |
112 machine called \texttt{java}. The examples presented in this manual can be found |
113 in Isabelle's \texttt{src/HOL/Nitpick\_Examples/Manual\_Nits.thy} theory. |
113 in Isabelle's \texttt{src/HOL/Nitpick\_Examples/Manual\_Nits.thy} theory. |
114 |
114 |
|
115 Throughout this manual, we will explicitly invoke the \textbf{nitpick} command. |
|
116 Nitpick also provides an automatic mode that can be enabled using the |
|
117 ``Auto Nitpick'' option from the ``Isabelle'' menu in Proof General. In this |
|
118 mode, Nitpick is run on every newly entered theorem, much like Auto Quickcheck. |
|
119 The collective time limit for Auto Nitpick and Auto Quickcheck can be set using |
|
120 the ``Auto Counterexample Time Limit'' option. |
|
121 |
115 \newbox\boxA |
122 \newbox\boxA |
116 \setbox\boxA=\hbox{\texttt{nospam}} |
123 \setbox\boxA=\hbox{\texttt{nospam}} |
117 |
124 |
118 The known bugs and limitations at the time of writing are listed in |
125 The known bugs and limitations at the time of writing are listed in |
119 \S\ref{known-bugs-and-limitations}. Comments and bug reports concerning Nitpick |
126 \S\ref{known-bugs-and-limitations}. Comments and bug reports concerning Nitpick |
151 after the \textbf{begin} keyword. The JNI version of MiniSat is bundled with |
158 after the \textbf{begin} keyword. The JNI version of MiniSat is bundled with |
152 Kodkodi and is precompiled for the major platforms. Other SAT solvers can also |
159 Kodkodi and is precompiled for the major platforms. Other SAT solvers can also |
153 be installed, as explained in \S\ref{optimizations}. If you have already |
160 be installed, as explained in \S\ref{optimizations}. If you have already |
154 configured SAT solvers in Isabelle (e.g., for Refute), these will also be |
161 configured SAT solvers in Isabelle (e.g., for Refute), these will also be |
155 available to Nitpick. |
162 available to Nitpick. |
156 |
|
157 Throughout this manual, we will explicitly invoke the \textbf{nitpick} command. |
|
158 Nitpick also provides an automatic mode that can be enabled by specifying |
|
159 |
|
160 \prew |
|
161 \textbf{nitpick\_params} [\textit{auto}] |
|
162 \postw |
|
163 |
|
164 at the beginning of the theory file. In this mode, Nitpick is run for up to 5 |
|
165 seconds (by default) on every newly entered theorem, much like Auto Quickcheck. |
|
166 |
163 |
167 \subsection{Propositional Logic} |
164 \subsection{Propositional Logic} |
168 \label{propositional-logic} |
165 \label{propositional-logic} |
169 |
166 |
170 Let's start with a trivial example from propositional logic: |
167 Let's start with a trivial example from propositional logic: |
1593 (\S\ref{mode-of-operation}), scope of search (\S\ref{scope-of-search}), output |
1590 (\S\ref{mode-of-operation}), scope of search (\S\ref{scope-of-search}), output |
1594 format (\S\ref{output-format}), automatic counterexample checks |
1591 format (\S\ref{output-format}), automatic counterexample checks |
1595 (\S\ref{authentication}), optimizations |
1592 (\S\ref{authentication}), optimizations |
1596 (\S\ref{optimizations}), and timeouts (\S\ref{timeouts}). |
1593 (\S\ref{optimizations}), and timeouts (\S\ref{timeouts}). |
1597 |
1594 |
|
1595 You can instruct Nitpick to run automatically on newly entered theorems by |
|
1596 enabling the ``Auto Nitpick'' option from the ``Isabelle'' menu in Proof |
|
1597 General. For automatic runs, \textit{user\_axioms} (\S\ref{mode-of-operation}) |
|
1598 and \textit{assms} (\S\ref{mode-of-operation}) are implicitly enabled, |
|
1599 \textit{blocking} (\S\ref{mode-of-operation}), \textit{verbose} |
|
1600 (\S\ref{output-format}), and \textit{debug} (\S\ref{output-format}) are |
|
1601 disabled, \textit{max\_potential} (\S\ref{output-format}) is taken to be 0, and |
|
1602 \textit{timeout} (\S\ref{timeouts}) is superseded by the ``Auto Counterexample |
|
1603 Time Limit'' in Proof General's ``Isabelle'' menu. Nitpick's output is also more |
|
1604 concise. |
|
1605 |
1598 The number of options can be overwhelming at first glance. Do not let that worry |
1606 The number of options can be overwhelming at first glance. Do not let that worry |
1599 you: Nitpick's defaults have been chosen so that it almost always does the right |
1607 you: Nitpick's defaults have been chosen so that it almost always does the right |
1600 thing, and the most important options have been covered in context in |
1608 thing, and the most important options have been covered in context in |
1601 \S\ref{first-steps}. |
1609 \S\ref{first-steps}. |
1602 |
1610 |
1620 ``$f~x$''~``$g~y$''). |
1628 ``$f~x$''~``$g~y$''). |
1621 \item[$\bullet$] \qtybf{type}: A HOL type. |
1629 \item[$\bullet$] \qtybf{type}: A HOL type. |
1622 \end{enum} |
1630 \end{enum} |
1623 |
1631 |
1624 Default values are indicated in square brackets. Boolean options have a negated |
1632 Default values are indicated in square brackets. Boolean options have a negated |
1625 counterpart (e.g., \textit{auto} vs.\ \textit{no\_auto}). When setting Boolean |
1633 counterpart (e.g., \textit{blocking} vs.\ \textit{no\_blocking}). When setting |
1626 options, ``= \textit{true}'' may be omitted. |
1634 Boolean options, ``= \textit{true}'' may be omitted. |
1627 |
1635 |
1628 \subsection{Mode of Operation} |
1636 \subsection{Mode of Operation} |
1629 \label{mode-of-operation} |
1637 \label{mode-of-operation} |
1630 |
1638 |
1631 \begin{enum} |
1639 \begin{enum} |
1632 \opfalse{auto}{no\_auto} |
|
1633 Specifies whether Nitpick should be run automatically on newly entered theorems. |
|
1634 For automatic runs, \textit{user\_axioms} (\S\ref{mode-of-operation}) and |
|
1635 \textit{assms} (\S\ref{mode-of-operation}) are implicitly enabled, |
|
1636 \textit{blocking} (\S\ref{mode-of-operation}), \textit{verbose} |
|
1637 (\S\ref{output-format}), and \textit{debug} (\S\ref{output-format}) are |
|
1638 disabled, \textit{max\_potential} (\S\ref{output-format}) is taken to be 0, and |
|
1639 \textit{auto\_timeout} (\S\ref{timeouts}) is used as the time limit instead of |
|
1640 \textit{timeout} (\S\ref{timeouts}). The output is also more concise. |
|
1641 |
|
1642 \nopagebreak |
|
1643 {\small See also \textit{auto\_timeout} (\S\ref{timeouts}).} |
|
1644 |
|
1645 \optrue{blocking}{non\_blocking} |
1640 \optrue{blocking}{non\_blocking} |
1646 Specifies whether the \textbf{nitpick} command should operate synchronously. |
1641 Specifies whether the \textbf{nitpick} command should operate synchronously. |
1647 The asynchronous (non-blocking) mode lets the user start proving the putative |
1642 The asynchronous (non-blocking) mode lets the user start proving the putative |
1648 theorem while Nitpick looks for a counterexample, but it can also be more |
1643 theorem while Nitpick looks for a counterexample, but it can also be more |
1649 confusing. For technical reasons, automatic runs currently always block. |
1644 confusing. For technical reasons, automatic runs currently always block. |
1650 |
|
1651 \nopagebreak |
|
1652 {\small See also \textit{auto} (\S\ref{mode-of-operation}).} |
|
1653 |
1645 |
1654 \optrue{falsify}{satisfy} |
1646 \optrue{falsify}{satisfy} |
1655 Specifies whether Nitpick should look for falsifying examples (countermodels) or |
1647 Specifies whether Nitpick should look for falsifying examples (countermodels) or |
1656 satisfying examples (models). This manual assumes throughout that |
1648 satisfying examples (models). This manual assumes throughout that |
1657 \textit{falsify} is enabled. |
1649 \textit{falsify} is enabled. |
1668 these conditions are tagged as ``likely genuine.'' The \textit{debug} |
1660 these conditions are tagged as ``likely genuine.'' The \textit{debug} |
1669 (\S\ref{output-format}) option can be used to find out which axioms were |
1661 (\S\ref{output-format}) option can be used to find out which axioms were |
1670 considered. |
1662 considered. |
1671 |
1663 |
1672 \nopagebreak |
1664 \nopagebreak |
1673 {\small See also \textit{auto} (\S\ref{mode-of-operation}), \textit{assms} |
1665 {\small See also \textit{assms} (\S\ref{mode-of-operation}) and \textit{debug} |
1674 (\S\ref{mode-of-operation}), and \textit{debug} (\S\ref{output-format}).} |
1666 (\S\ref{output-format}).} |
1675 |
1667 |
1676 \optrue{assms}{no\_assms} |
1668 \optrue{assms}{no\_assms} |
1677 Specifies whether the relevant assumptions in structured proof should be |
1669 Specifies whether the relevant assumptions in structured proof should be |
1678 considered. The option is implicitly enabled for automatic runs. |
1670 considered. The option is implicitly enabled for automatic runs. |
1679 |
1671 |
1680 \nopagebreak |
1672 \nopagebreak |
1681 {\small See also \textit{auto} (\S\ref{mode-of-operation}) |
1673 {\small See also \textit{user\_axioms} (\S\ref{mode-of-operation}).} |
1682 and \textit{user\_axioms} (\S\ref{mode-of-operation}).} |
|
1683 |
1674 |
1684 \opfalse{overlord}{no\_overlord} |
1675 \opfalse{overlord}{no\_overlord} |
1685 Specifies whether Nitpick should put its temporary files in |
1676 Specifies whether Nitpick should put its temporary files in |
1686 \texttt{\$ISABELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for |
1677 \texttt{\$ISABELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for |
1687 debugging Nitpick but also unsafe if several instances of the tool are run |
1678 debugging Nitpick but also unsafe if several instances of the tool are run |
1859 \opfalse{verbose}{quiet} |
1850 \opfalse{verbose}{quiet} |
1860 Specifies whether the \textbf{nitpick} command should explain what it does. This |
1851 Specifies whether the \textbf{nitpick} command should explain what it does. This |
1861 option is useful to determine which scopes are tried or which SAT solver is |
1852 option is useful to determine which scopes are tried or which SAT solver is |
1862 used. This option is implicitly disabled for automatic runs. |
1853 used. This option is implicitly disabled for automatic runs. |
1863 |
1854 |
1864 \nopagebreak |
|
1865 {\small See also \textit{auto} (\S\ref{mode-of-operation}).} |
|
1866 |
|
1867 \opfalse{debug}{no\_debug} |
1855 \opfalse{debug}{no\_debug} |
1868 Specifies whether Nitpick should display additional debugging information beyond |
1856 Specifies whether Nitpick should display additional debugging information beyond |
1869 what \textit{verbose} already displays. Enabling \textit{debug} also enables |
1857 what \textit{verbose} already displays. Enabling \textit{debug} also enables |
1870 \textit{verbose} and \textit{show\_all} behind the scenes. The \textit{debug} |
1858 \textit{verbose} and \textit{show\_all} behind the scenes. The \textit{debug} |
1871 option is implicitly disabled for automatic runs. |
1859 option is implicitly disabled for automatic runs. |
1872 |
1860 |
1873 \nopagebreak |
1861 \nopagebreak |
1874 {\small See also \textit{auto} (\S\ref{mode-of-operation}), \textit{overlord} |
1862 {\small See also \textit{overlord} (\S\ref{mode-of-operation}) and |
1875 (\S\ref{mode-of-operation}), and \textit{batch\_size} (\S\ref{optimizations}).} |
1863 \textit{batch\_size} (\S\ref{optimizations}).} |
1876 |
1864 |
1877 \optrue{show\_skolems}{hide\_skolem} |
1865 \optrue{show\_skolems}{hide\_skolem} |
1878 Specifies whether the values of Skolem constants should be displayed as part of |
1866 Specifies whether the values of Skolem constants should be displayed as part of |
1879 counterexamples. Skolem constants correspond to bound variables in the original |
1867 counterexamples. Skolem constants correspond to bound variables in the original |
1880 formula and usually help us to understand why the counterexample falsifies the |
1868 formula and usually help us to understand why the counterexample falsifies the |
1908 \textit{MiniSatJNI}. Also be aware that many of the counterexamples may look |
1896 \textit{MiniSatJNI}. Also be aware that many of the counterexamples may look |
1909 identical, unless the \textit{show\_all} (\S\ref{output-format}) option is |
1897 identical, unless the \textit{show\_all} (\S\ref{output-format}) option is |
1910 enabled. |
1898 enabled. |
1911 |
1899 |
1912 \nopagebreak |
1900 \nopagebreak |
1913 {\small See also \textit{auto} (\S\ref{mode-of-operation}), |
1901 {\small See also \textit{check\_potential} (\S\ref{authentication}) and |
1914 \textit{check\_potential} (\S\ref{authentication}), and |
|
1915 \textit{sat\_solver} (\S\ref{optimizations}).} |
1902 \textit{sat\_solver} (\S\ref{optimizations}).} |
1916 |
1903 |
1917 \opt{max\_genuine}{int}{$\mathbf{1}$} |
1904 \opt{max\_genuine}{int}{$\mathbf{1}$} |
1918 Specifies the maximum number of genuine counterexamples to display. If you set |
1905 Specifies the maximum number of genuine counterexamples to display. If you set |
1919 this option to a value greater than 1, you will need an incremental SAT solver: |
1906 this option to a value greater than 1, you will need an incremental SAT solver: |
1966 Specifies whether potential counterexamples should be given to Isabelle's |
1953 Specifies whether potential counterexamples should be given to Isabelle's |
1967 \textit{auto} tactic to assess their validity. If a potential counterexample is |
1954 \textit{auto} tactic to assess their validity. If a potential counterexample is |
1968 shown to be genuine, Nitpick displays a message to this effect and terminates. |
1955 shown to be genuine, Nitpick displays a message to this effect and terminates. |
1969 |
1956 |
1970 \nopagebreak |
1957 \nopagebreak |
1971 {\small See also \textit{max\_potential} (\S\ref{output-format}) and |
1958 {\small See also \textit{max\_potential} (\S\ref{output-format}).} |
1972 \textit{auto\_timeout} (\S\ref{timeouts}).} |
|
1973 |
1959 |
1974 \opfalse{check\_genuine}{trust\_genuine} |
1960 \opfalse{check\_genuine}{trust\_genuine} |
1975 Specifies whether genuine and likely genuine counterexamples should be given to |
1961 Specifies whether genuine and likely genuine counterexamples should be given to |
1976 Isabelle's \textit{auto} tactic to assess their validity. If a ``genuine'' |
1962 Isabelle's \textit{auto} tactic to assess their validity. If a ``genuine'' |
1977 counterexample is shown to be spurious, the user is kindly asked to send a bug |
1963 counterexample is shown to be spurious, the user is kindly asked to send a bug |
1978 report to the author at |
1964 report to the author at |
1979 \texttt{blan{\color{white}nospam}\kern-\wd\boxA{}chette@in.tum.de}. |
1965 \texttt{blan{\color{white}nospam}\kern-\wd\boxA{}chette@in.tum.de}. |
1980 |
1966 |
1981 \nopagebreak |
1967 \nopagebreak |
1982 {\small See also \textit{max\_genuine} (\S\ref{output-format}) and |
1968 {\small See also \textit{max\_genuine} (\S\ref{output-format}).} |
1983 \textit{auto\_timeout} (\S\ref{timeouts}).} |
|
1984 |
1969 |
1985 \ops{expect}{string} |
1970 \ops{expect}{string} |
1986 Specifies the expected outcome, which must be one of the following: |
1971 Specifies the expected outcome, which must be one of the following: |
1987 |
1972 |
1988 \begin{enum} |
1973 \begin{enum} |
2204 \begin{enum} |
2189 \begin{enum} |
2205 \opt{timeout}{time}{$\mathbf{30}$ s} |
2190 \opt{timeout}{time}{$\mathbf{30}$ s} |
2206 Specifies the maximum amount of time that the \textbf{nitpick} command should |
2191 Specifies the maximum amount of time that the \textbf{nitpick} command should |
2207 spend looking for a counterexample. Nitpick tries to honor this constraint as |
2192 spend looking for a counterexample. Nitpick tries to honor this constraint as |
2208 well as it can but offers no guarantees. For automatic runs, |
2193 well as it can but offers no guarantees. For automatic runs, |
2209 \textit{auto\_timeout} is used instead. |
2194 \textit{timeout} is ignored; instead, Auto Quickcheck and Auto Nitpick share |
2210 |
2195 a time slot whose length is specified by the ``Auto Counterexample Time |
2211 \nopagebreak |
2196 Limit'' option in Proof General. |
2212 {\small See also \textit{auto} (\S\ref{mode-of-operation}) |
2197 |
2213 and \textit{max\_threads} (\S\ref{optimizations}).} |
2198 \nopagebreak |
2214 |
2199 {\small See also \textit{max\_threads} (\S\ref{optimizations}).} |
2215 \opt{auto\_timeout}{time}{$\mathbf{5}$ s} |
|
2216 Specifies the maximum amount of time that Nitpick should use to find a |
|
2217 counterexample when running automatically. Nitpick tries to honor this |
|
2218 constraint as well as it can but offers no guarantees. |
|
2219 |
|
2220 \nopagebreak |
|
2221 {\small See also \textit{auto} (\S\ref{mode-of-operation}).} |
|
2222 |
2200 |
2223 \opt{tac\_timeout}{time}{$\mathbf{500}$\,ms} |
2201 \opt{tac\_timeout}{time}{$\mathbf{500}$\,ms} |
2224 Specifies the maximum amount of time that the \textit{auto} tactic should use |
2202 Specifies the maximum amount of time that the \textit{auto} tactic should use |
2225 when checking a counterexample, and similarly that \textit{lexicographic\_order} |
2203 when checking a counterexample, and similarly that \textit{lexicographic\_order} |
2226 and \textit{sizechange} should use when checking whether a (co)in\-duc\-tive |
2204 and \textit{sizechange} should use when checking whether a (co)in\-duc\-tive |