diff -r a935175fe6b6 -r f462e49eaf11 src/HOL/Quickcheck_Examples/Quickcheck_Examples.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/Quickcheck_Examples/Quickcheck_Examples.thy Wed Feb 22 08:01:41 2012 +0100 @@ -0,0 +1,541 @@ +(* Title: HOL/ex/Quickcheck_Examples.thy + Author: Stefan Berghofer, Lukas Bulwahn + Copyright 2004 - 2010 TU Muenchen +*) + +header {* Examples for the 'quickcheck' command *} + +theory Quickcheck_Examples +imports Complex_Main "~~/src/HOL/Library/Dlist" "~~/src/HOL/Library/Multiset" +begin + +text {* +The 'quickcheck' command allows to find counterexamples by evaluating +formulae. +Currently, there are two different exploration schemes: +- random testing: this is incomplete, but explores the search space faster. +- exhaustive testing: this is complete, but increasing the depth leads to + exponentially many assignments. + +quickcheck can handle quantifiers on finite universes. + +*} + +declare [[quickcheck_timeout = 3600]] + +subsection {* Lists *} + +theorem "map g (map f xs) = map (g o f) xs" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, size = 3, expect = no_counterexample] + oops + +theorem "map g (map f xs) = map (f o g) xs" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + oops + +theorem "rev (xs @ ys) = rev ys @ rev xs" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, expect = no_counterexample] + quickcheck[exhaustive, size = 1000, timeout = 0.1] + oops + +theorem "rev (xs @ ys) = rev xs @ rev ys" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + oops + +theorem "rev (rev xs) = xs" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, expect = no_counterexample] + oops + +theorem "rev xs = xs" + quickcheck[tester = random, finite_types = true, report = false, expect = counterexample] + quickcheck[tester = random, finite_types = false, report = false, expect = counterexample] + quickcheck[tester = random, finite_types = true, report = true, expect = counterexample] + quickcheck[tester = random, finite_types = false, report = true, expect = counterexample] + quickcheck[tester = exhaustive, finite_types = true, expect = counterexample] + quickcheck[tester = exhaustive, finite_types = false, expect = counterexample] +oops + + +text {* An example involving functions inside other data structures *} + +primrec app :: "('a \ 'a) list \ 'a \ 'a" where + "app [] x = x" + | "app (f # fs) x = app fs (f x)" + +lemma "app (fs @ gs) x = app gs (app fs x)" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, size = 4, expect = no_counterexample] + by (induct fs arbitrary: x) simp_all + +lemma "app (fs @ gs) x = app fs (app gs x)" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + oops + +primrec occurs :: "'a \ 'a list \ nat" where + "occurs a [] = 0" + | "occurs a (x#xs) = (if (x=a) then Suc(occurs a xs) else occurs a xs)" + +primrec del1 :: "'a \ 'a list \ 'a list" where + "del1 a [] = []" + | "del1 a (x#xs) = (if (x=a) then xs else (x#del1 a xs))" + +text {* A lemma, you'd think to be true from our experience with delAll *} +lemma "Suc (occurs a (del1 a xs)) = occurs a xs" + -- {* Wrong. Precondition needed.*} + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + oops + +lemma "xs ~= [] \ Suc (occurs a (del1 a xs)) = occurs a xs" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + -- {* Also wrong.*} + oops + +lemma "0 < occurs a xs \ Suc (occurs a (del1 a xs)) = occurs a xs" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, expect = no_counterexample] + by (induct xs) auto + +primrec replace :: "'a \ 'a \ 'a list \ 'a list" where + "replace a b [] = []" + | "replace a b (x#xs) = (if (x=a) then (b#(replace a b xs)) + else (x#(replace a b xs)))" + +lemma "occurs a xs = occurs b (replace a b xs)" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + -- {* Wrong. Precondition needed.*} + oops + +lemma "occurs b xs = 0 \ a=b \ occurs a xs = occurs b (replace a b xs)" + quickcheck[random, expect = no_counterexample] + quickcheck[exhaustive, expect = no_counterexample] + by (induct xs) simp_all + + +subsection {* Trees *} + +datatype 'a tree = Twig | Leaf 'a | Branch "'a tree" "'a tree" + +primrec leaves :: "'a tree \ 'a list" where + "leaves Twig = []" + | "leaves (Leaf a) = [a]" + | "leaves (Branch l r) = (leaves l) @ (leaves r)" + +primrec plant :: "'a list \ 'a tree" where + "plant [] = Twig " + | "plant (x#xs) = Branch (Leaf x) (plant xs)" + +primrec mirror :: "'a tree \ 'a tree" where + "mirror (Twig) = Twig " + | "mirror (Leaf a) = Leaf a " + | "mirror (Branch l r) = Branch (mirror r) (mirror l)" + +theorem "plant (rev (leaves xt)) = mirror xt" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + --{* Wrong! *} + oops + +theorem "plant((leaves xt) @ (leaves yt)) = Branch xt yt" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + --{* Wrong! *} + oops + +datatype 'a ntree = Tip "'a" | Node "'a" "'a ntree" "'a ntree" + +primrec inOrder :: "'a ntree \ 'a list" where + "inOrder (Tip a)= [a]" + | "inOrder (Node f x y) = (inOrder x)@[f]@(inOrder y)" + +primrec root :: "'a ntree \ 'a" where + "root (Tip a) = a" + | "root (Node f x y) = f" + +theorem "hd (inOrder xt) = root xt" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] + --{* Wrong! *} + oops + + +subsection {* Exhaustive Testing beats Random Testing *} + +text {* Here are some examples from mutants from the List theory +where exhaustive testing beats random testing *} + +lemma + "[] ~= xs ==> hd xs = last (x # xs)" +quickcheck[random] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + assumes "!!i. [| i < n; i < length xs |] ==> P (xs ! i)" "n < length xs ==> ~ P (xs ! n)" + shows "drop n xs = takeWhile P xs" +quickcheck[random, iterations = 10000, quiet] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "i < length (List.transpose (List.transpose xs)) ==> xs ! i = map (%xs. xs ! i) [ys<-xs. i < length ys]" +quickcheck[random, iterations = 10000] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "i < n - m ==> f (lcm m i) = map f [m.. f (lcm m i) = map f [m.. k <= listsum ns" +quickcheck[random, iterations = 10000, finite_types = false, quiet] +quickcheck[exhaustive, finite_types = false, expect = counterexample] +oops + +lemma + "[| ys = x # xs1; zs = xs1 @ xs |] ==> ys @ zs = x # xs" +quickcheck[random, iterations = 10000] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma +"i < length xs ==> take (Suc i) xs = [] @ xs ! i # take i xs" +quickcheck[random, iterations = 10000] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "i < length xs ==> take (Suc i) xs = (xs ! i # xs) @ take i []" +quickcheck[random, iterations = 10000] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "[| sorted (rev (map length xs)); i < length xs |] ==> xs ! i = map (%ys. ys ! i) [ys<-remdups xs. i < length ys]" +quickcheck[random] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "[| sorted (rev (map length xs)); i < length xs |] ==> xs ! i = map (%ys. ys ! i) [ys<-List.transpose xs. length ys \ {..x. P x) \ (\x. P x)" + quickcheck[random, expect = counterexample] + quickcheck[exhaustive, expect = counterexample] +oops + +lemma "(\x. \y. P x y) \ (\y. \x. P x y)" + quickcheck[random, expect = counterexample] + quickcheck[expect = counterexample] +oops + +lemma "(\x. P x) \ (EX! x. P x)" + quickcheck[random, expect = counterexample] + quickcheck[expect = counterexample] +oops + + +subsection {* Examples with sets *} + +lemma + "{} = A Un - A" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "[| bij_betw f A B; bij_betw f C D |] ==> bij_betw f (A Un C) (B Un D)" +quickcheck[exhaustive, expect = counterexample] +oops + + +subsection {* Examples with relations *} + +lemma + "acyclic (R :: ('a * 'a) set) ==> acyclic S ==> acyclic (R Un S)" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "acyclic (R :: (nat * nat) set) ==> acyclic S ==> acyclic (R Un S)" +quickcheck[exhaustive, expect = counterexample] +oops + +(* FIXME: some dramatic performance decrease after changing the code equation of the ntrancl *) +lemma + "(x, z) : rtrancl (R Un S) ==> \ y. (x, y) : rtrancl R & (y, z) : rtrancl S" +(*quickcheck[exhaustive, expect = counterexample]*) +oops + +lemma + "wf (R :: ('a * 'a) set) ==> wf S ==> wf (R Un S)" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "wf (R :: (nat * nat) set) ==> wf S ==> wf (R Un S)" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "wf (R :: (int * int) set) ==> wf S ==> wf (R Un S)" +quickcheck[exhaustive, expect = counterexample] +oops + + +subsection {* Examples with the descriptive operator *} + +lemma + "(THE x. x = a) = b" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +subsection {* Examples with Multisets *} + +lemma + "X + Y = Y + (Z :: 'a multiset)" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "X - Y = Y - (Z :: 'a multiset)" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "N + M - N = (N::'a multiset)" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +subsection {* Examples with numerical types *} + +text {* +Quickcheck supports the common types nat, int, rat and real. +*} + +lemma + "(x :: nat) > 0 ==> y > 0 ==> z > 0 ==> x * x + y * y \ z * z" +quickcheck[exhaustive, size = 10, expect = counterexample] +quickcheck[random, size = 10] +oops + +lemma + "(x :: int) > 0 ==> y > 0 ==> z > 0 ==> x * x + y * y \ z * z" +quickcheck[exhaustive, size = 10, expect = counterexample] +quickcheck[random, size = 10] +oops + +lemma + "(x :: rat) > 0 ==> y > 0 ==> z > 0 ==> x * x + y * y \ z * z" +quickcheck[exhaustive, size = 10, expect = counterexample] +quickcheck[random, size = 10] +oops + +lemma "(x :: rat) >= 0" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "(x :: real) > 0 ==> y > 0 ==> z > 0 ==> x * x + y * y \ z * z" +quickcheck[exhaustive, size = 10, expect = counterexample] +quickcheck[random, size = 10] +oops + +lemma "(x :: real) >= 0" +quickcheck[random, expect = counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +subsubsection {* floor and ceiling functions *} + +lemma + "floor x + floor y = floor (x + y :: rat)" +quickcheck[expect = counterexample] +oops + +lemma + "floor x + floor y = floor (x + y :: real)" +quickcheck[expect = counterexample] +oops + +lemma + "ceiling x + ceiling y = ceiling (x + y :: rat)" +quickcheck[expect = counterexample] +oops + +lemma + "ceiling x + ceiling y = ceiling (x + y :: real)" +quickcheck[expect = counterexample] +oops + +subsection {* Examples with abstract types *} + +lemma + "Dlist.length (Dlist.remove x xs) = Dlist.length xs - 1" +quickcheck[exhaustive] +quickcheck[random] +oops + +lemma + "Dlist.length (Dlist.insert x xs) = Dlist.length xs + 1" +quickcheck[exhaustive] +quickcheck[random] +oops + +subsection {* Examples with Records *} + +record point = + xpos :: nat + ypos :: nat + +lemma + "xpos r = xpos r' ==> r = r'" +quickcheck[exhaustive, expect = counterexample] +quickcheck[random, expect = counterexample] +oops + +datatype colour = Red | Green | Blue + +record cpoint = point + + colour :: colour + +lemma + "xpos r = xpos r' ==> ypos r = ypos r' ==> (r :: cpoint) = r'" +quickcheck[exhaustive, expect = counterexample] +quickcheck[random, expect = counterexample] +oops + +subsection {* Examples with locales *} + +locale Truth + +context Truth +begin + +lemma "False" +quickcheck[exhaustive, expect = counterexample] +oops + +end + +interpretation Truth . + +context Truth +begin + +lemma "False" +quickcheck[exhaustive, expect = counterexample] +oops + +end + +locale antisym = + fixes R + assumes "R x y --> R y x --> x = y" +begin + +lemma + "R x y --> R y z --> R x z" +quickcheck[exhaustive, finite_type_size = 2, expect = no_counterexample] +quickcheck[exhaustive, expect = counterexample] +oops + +end + +subsection {* Examples with HOL quantifiers *} + +lemma + "\ xs ys. xs = [] --> xs = ys" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "ys = [] --> (\xs. xs = [] --> xs = y # ys)" +quickcheck[exhaustive, expect = counterexample] +oops + +lemma + "\xs. (\ ys. ys = []) --> xs = ys" +quickcheck[exhaustive, expect = counterexample] +oops + +subsection {* Examples with underspecified/partial functions *} + +lemma + "xs = [] ==> hd xs \ x" +quickcheck[exhaustive, expect = no_counterexample] +quickcheck[random, report = false, expect = no_counterexample] +quickcheck[random, report = true, expect = no_counterexample] +oops + +lemma + "xs = [] ==> hd xs = x" +quickcheck[exhaustive, expect = no_counterexample] +quickcheck[random, report = false, expect = no_counterexample] +quickcheck[random, report = true, expect = no_counterexample] +oops + +lemma "xs = [] ==> hd xs = x ==> x = y" +quickcheck[exhaustive, expect = no_counterexample] +quickcheck[random, report = false, expect = no_counterexample] +quickcheck[random, report = true, expect = no_counterexample] +oops + +text {* with the simple testing scheme *} + +setup {* Exhaustive_Generators.setup_exhaustive_datatype_interpretation *} +declare [[quickcheck_full_support = false]] + +lemma + "xs = [] ==> hd xs \ x" +quickcheck[exhaustive, expect = no_counterexample] +oops + +lemma + "xs = [] ==> hd xs = x" +quickcheck[exhaustive, expect = no_counterexample] +oops + +lemma "xs = [] ==> hd xs = x ==> x = y" +quickcheck[exhaustive, expect = no_counterexample] +oops + +declare [[quickcheck_full_support = true]] + +end