counterexamples | Counterexamples in Type Systems
kandi X-RAY | counterexamples Summary
kandi X-RAY | counterexamples Summary
This repo contains the source of Counterexamples in Type Systems, a compendium of horrible programs that crash, segfault or otherwise explode.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of counterexamples
counterexamples Key Features
counterexamples Examples and Code Snippets
Community Discussions
Trending Discussions on counterexamples
QUESTION
Is a variable that is stored in the .data section by definition a global variable that has program scope? In other words are these two words synonymous and one implies the other, or, for example would it be possible to have a global variable that is not stored in the .data section, or a label/variable that is not global?
Just to give a basic example:
...ANSWER
Answered 2020-Nov-01 at 00:00There are two different concepts: Which "section" a variable goes into and its "visibility"
For comparison, I've add a .bss section variable:
QUESTION
What strategy should be used to prove this result (at the end, with Admitted)? Thanks in advance for any hints. :slight_smile:
Hopefully it is true theorem. I already got burned when I had wrong intuition and there was counterexample found.
...ANSWER
Answered 2020-Oct-22 at 07:31This is more a question of mathematics than a Coq question.
there is probably a counter example. Please investigate this: an assignment shuffles the values of registers aux, x1, x2, ..., x7. However, when you look for permutations, you only look at values of x1, x2, ..., x7.
suppose you have one step that stores the value of x1 into aux, duplicates the value of x2 into x1 and x2, and leaves all other registers unchanged. When looking only at the list of values in x1, ..., x7, this step is not a permutation (because of the duplication). Let's call this step s1.
Then consider the step s2 that duplicates the value of aux into aux and x1 and leaves all other values unchanged. Again, when looking only at registers x1, ..., x7, this is not a permutation, because it introduces a value that was not in these registers before.
Now s1::s2::nil is the identity function on registers x1, ..., x7. It is a permutation. But neither s1 nor (s2::nil) are permuting steps or permutation algorithms.
For a Coq counter example, it is enough to prove that s1 is not a permuting step. Here it is:
QUESTION
Consider the following type constructor:
...ANSWER
Answered 2020-Jun-24 at 19:40It is not a monad. We can adapt your counterexample for Sum; the key property is that 3 <> -3 = 0 = 0 <> 0, which introduces a choice point for the value that 0 maps to in m >>= k. We can choose, e.g., "" <> "a" = "a" <> "" to set up the same choice. So:
QUESTION
template
void f()
{
if constexpr (std::is_trivial_v)
{
// Does the following line never fail?
static_assert(std::is_standard_layout_v);
}
}
ANSWER
Answered 2020-Jun-10 at 08:57#include
class type
{
public: int x;
private: int y;
};
static_assert(std::is_trivial_v< type >);
// not standard layout because different access level of x and y
static_assert(not std::is_standard_layout_v< type >);
QUESTION
Some background: my project is to make a compiler that compiles from a c-like language to Alloy. The input language, that has c-like syntax, must support contracts. For now, I am trying to implement if statements that support pre and post condition statements, similar to the following:
...ANSWER
Answered 2020-Mar-20 at 10:07The first thing is that you need to model your pre-, post- and operations. Functions are terrible for that because they cannot not return something that indicates failure. You, therefore, need to model the operation as a predicate. The value of a predicate indicates if the pre/post are satisfied, the arguments and return values can be modeled as parameters.
This is as far as I can understand your operation:
QUESTION
The Applicative typeclass represents lax monoidal functors that preserve the cartesian monoidal structure on the category of typed functions.
In other words, given the canonical isomorphisms witnessing that (,) forms a monoidal structure:
ANSWER
Answered 2020-Mar-09 at 12:00We can answer at least one of these questions in the negative:
Every Applicative representing a "fixed size" container of elements of its type argument is an instance of StrongApplicative
In fact one of the examples of a lawful StrongApplicative in the original question is wrong. The writer applicative Monoid => (,) m is not StrongApplicative, because for example husk $ unhusk $ ("foo", ()) == ("", ()) /= ("foo", ()).
Similarly, the example of a fixed size container:
QUESTION
I was trying to prove this lemma in Isabelle/HOL.
lemma "(0::nat) ≠ undefined"
But nitpick finds counterexamples to both this and it's negation
lemma "(0::nat) = undefined"
How is this possible? I looked up how undefined is defined and it's an axiom:
axiomatization undefined :: 'a
But it's still classical logic, right? So either "(0::nat) = undefined" or "(0::nat) ≠ undefined" should be true.
Background:
I have a function of type:
type_synonym myfun = "nat ⇒ nat"
and I impose constraints on its image and domain in a locale. When I tried to take a specific function and show that it fulfills all conditions in the locale I got problems since some of the conditions only hold for values that are not undefined.
Thank you in advance :)
...ANSWER
Answered 2020-Jan-20 at 15:27By axiomatisation, each type has one designated value that is undefined. This is not some separate value that lives outside the normal range of that type, i.e. undefined :: nat is a natural number, but you do not know which natural number it is, and in fact you will not be able to prove any non-trivial property about undefined. A trivial property in this context is one that holds for all values of the type.
Therefore, the statement undefined ≠ (0 :: nat) is not provable in Isabelle/HOL, and neither is its negation (bugs and inconsistencies aside).
For undefined :: bool in particular, we know that undefined = True ∨ undefined = False, but again, you will not be able to prove undefined = True or undefined = False.
For the unit type (the one-element type consisting only of the value () :: unit), however, you can prove undefined = (), since this is a trivial property.
As for your original problem, it sounds as if you have to change the way you model undefinedness in your application. Since you did not give any details about what you are doing, it is not really possible to give any specific advice about what to do. But trying to prove anything about undefined is not going to work.
QUESTION
I am modeling a Google Docs-like inline commenting system in Alloy. Specifically, I'm modeling the UI interactions that the user can do. The constraints, in English, are that:
- users can have any number of comments
- users can have any number of comments composing at once
- comments can be either composing or editing, not both
- (eventually) users can expand one comment at a time to view it—text is truncated otherwise.
so far I have only modeled adding a new comment—or so I think! When I run the model below, I expect to see that Alloy cannot find any counterexamples, but it finds one where a comment is in both the composed and composing relations at a single time.
I think there may be something off in my mental model of how Alloy works in this case. I can't see how a comment would possibly be added to the composed relation here: I think init would set all the drafts to have empty relations there, and that the actions in Traces would preclude a comment ever being added to composed. BUT! I'm clearly wrong, since Alloy finds an example where composed is non-empty. Does anyone know what's actually happening here?
ANSWER
Answered 2019-Oct-22 at 22:49This is known as the "frame problem": you've specified that new comments can be put into composing, but not that nothing else happens! You have to make it explicit that the only way the system may change is via newComment. Here's one way you could do that:
QUESTION
Example:
...ANSWER
Answered 2019-Jul-31 at 00:52.000005 <= .000001 * 5 evaluates to false.
Matlab specifies double to be IEEE-754 binary64, but C standard does not, although many implementations use it. Commonly, bases two and ten are used for floating-point. In base ten, the posed relation holds, and in fact the two expressions are equal up to the bounds of the format. (When x is so large that converting it to double yields infinity, equality does not hold.) In other bases, counterexamples similar to those shown in this answer can be found.1 For the remainder of this answer, IEEE-754 binary64 is assumed, in both the format of the numbers and the behavior of the operations.
We should understand how an expression such as .000…000x <= .000…0001 * x is evaluated:
- First, each numeral in the source text is converted to
double. During this conversion, the number is rounded to a representable value. This rounding is commonly done by rounding to the nearest representable value, with ties to the value with the even low digit (bit). - Then the multiplication is performed, and the result is as if the real number result is rounded to a representable value. Again, rounding to nearest is common.
- Then the comparison
<=is evaluated. This has no error; it produces true if and only if the right operand is greater than or equal to the left operand.
I assume x is non-negative. For negative x, see the first addendum.
First, consider using round-to-nearest.
Converting .000001 to double yields 0.000000999999999999999954748111825886258685613938723690807819366455078125. This can be seen in a good C implementation with printf(".99f\n", .000001);. (Since the C standard neither fully specifies the conversion of decimal numerals to floating-point while compiling nor the conversion of floating-point to decimal by printf, there can be variation in implementations that do not use correct rounding-to-nearest.) As we can see, this is less than .000001. This is easily found by printing .1, .01, .001, and so on until we find a numeral that happens to round down. Then we test various x until we find one for which .00000x happens to round up. Converting .000005 to double yields 0.0000050000000000000004090152695701565477293115691281855106353759765625. Next, for small integers x, x is exactly representable in double, so converting that operand to double has no rounding error. We have nearly satisfied .00000x <= .000001 * x, since the left side contains a rounding up while the right side contains a rounding down. However, the multiplication could also have a rounding up that undoes our preparation. Again, testing a few x is likely to find an example where this does not occur—if the multiplication is not exact, then whether it happens to round up or down essentially depends on a single bit somewhere in x, so a few trials suffices to find a working example.
Returning to the original scale, .001 instead of .000001, we can say .00x <= .001 * x holds for all x less than 253. This is because all such integers x are exactly representable in double, and the conversion of .001 to double rounds up, producing 0.001000000000000000020816681711721685132943093776702880859375. Therefore, even if the left side, .00x, rounds down, the right side contains a rounding up that can only be compensated for by a rounding down in the multiplication, as there is no rounding in the conversion of x to double. As each rounding can only move to the next representable value, not skip over any, a rounding down in the multiplication cannot bring the right side below the left. So .00x <= .001 * x holds for all x less than 253.
Above this, converting x to double may cause a rounding error, and searching finds a counterexample easily (in the fourth odd number above 253): 9007199254741.001 <= .001 * 9007199254741001, for which converting 9007199254741.001 to double yields 9007199254741.001953125, converting 9007199254741001 to double yields 9007199254741000, and the right side evaluates to 9007199254741.
If we consider other rounding modes:
- With rounding toward −∞ (rounding down) or toward 0, the right side would suffer up to three rounding errors down, so we can expect numerous cases in which the relation fails.
- With rounding toward +∞ (rounding up), the right side must experience at least one rounding error up, because
.000…0001is never exactly representable in base-two floating-point, and a rounding-up rule never permits the right side to shed this error, and the left side can have only a single rounding error that never overtakes the error on the right, so the relation must always hold.
Can x be negative? The syntax of the question suggests no, as, for x = −3, .00x would become .00-3, which does not form a correct numeral. If we allow this to be -.003, then .00x <= .001 * x fails when x is so great in magnitude that converting it to double yields −∞ but is not so great that converting .00x to double yields −∞. In that case, we compare a finite value to −∞, and the comparison produces false. Within the bounds of the double format, where values remain finite, the comparison would suffer the issues discussed above, subject to some modification regarding the rounding rules.
Note that if .000…0001 is sufficiently small, converting it to double may yield zero (in any standard rounding mode other than toward +∞), and x may be sufficiently large that it yields ∞, in which case multiplying them yields a NaN (or trap), and the relation does not hold because NaNs have no relation to numbers.
1 In bases that are multiples of ten, there may be some unusual interactions that this answer does not explore.
QUESTION
Recently I've finally started to feel like I understand catamorphisms. I wrote some about them in a recent answer, but briefly I would say a catamorphism for a type abstracts over the process of recursively traversing a value of that type, with the pattern matches on that type reified into one function for each constructor the type has. While I would welcome any corrections on this point or on the longer version in the answer of mine linked above, I think I have this more or less down and that is not the subject of this question, just some background.
Once I realized that the functions you pass to a catamorphism correspond exactly to the type's constructors, and the arguments of those functions likewise correspond to the types of those constructors' fields, it all suddenly feels quite mechanical and I don't see where there is any wiggle room for alternate implementations.
For example, I just made up this silly type, with no real concept of what its structure "means", and derived a catamorphism for it. I don't see any other way I could define a general-purpose fold over this type:
...ANSWER
Answered 2017-Oct-04 at 15:30The catamorphism associated to a recursive type can be derived mechanically.
Suppose you have a recursively defined type, having multiple constructors, each one with its own arity. I'll borrow OP's example.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install counterexamples
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page
