Milnes strings #3576
Milnes strings #3576
Conversation
…alidation-time with a Test.LexemeFL.fst that checks __FL__
…) added a validation-time test for it 3) make WARN_ERROR?= in ulib/gmake/fstar.mk so I could suppress some warnings in test
|
Still have the github writing to the slack channel problem, so my fix did not take. |
|
Hi Brian, Thanks for this PR. A few comments:
|
|
|
||
| /// Return the first difference position as an option for the whole string. | ||
| val first_diff (s1 s2: string) : | ||
| Tot (o : (option (pos: nat{pos <= (min (strlen s1) (strlen s2))})) { |
There was a problem hiding this comment.
It is usually easier to work with o:option pos { Some? o ==> Some?.v o ==> min (strlen s1) (strlen s2) } that with the type you've written
| (((Some?.v o) = strlen s1 \/ (Some?.v o) = strlen s2) /\ strlen s1 <> strlen s2) | ||
| \/ | ||
| (((Some?.v o) < strlen s1 /\ (Some?.v o) < strlen s2) /\ | ||
| (index s1 (Some?.v o) <> (index s2 (Some?.v o))))) |
There was a problem hiding this comment.
This big refinement formula here is a duplicate of the formula in first_diff. Refactoring them into a single definition is better than copying it
|
Will do although I had problems proving with =, I'll try again. That's why
there is a streq. Is there a definition of = on strings somewhere that I
did not find?
…On Mon, Oct 21, 2024 at 2:48 PM nikswamy ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In ulib/FStar.String.fsti
<#3576 (comment)>:
> +val streq_upto' s1 (s2: string{strlen s1 = strlen s2}) (pos: nat{streq_upto s1 s2 pos}) :
+ Tot (b:bool{b <==> streq s1 s2})
+
+val streq' (s1 s2: string) : Tot (b:bool{b <==> streq s1 s2})
+
+/// Return the first difference position upto a pos as an option.
+val first_diff' s1 s2
+ (pos: nat{pos <= strlen s1 /\ pos <= strlen s2 /\ streq_upto s1 s2 pos}) :
+ Tot (o : (option (pos: nat{pos <= (min (strlen s1) (strlen s2))})) {
+ (None? o ==> strlen s1 = strlen s2 /\ streq_upto s1 s2 (strlen s1)) /\
+ (Some? o ==>
+ streq_upto_min s1 s2 ((Some?.v o) - 1) /\
+ (((Some?.v o) = strlen s1 \/ (Some?.v o) = strlen s2) /\ strlen s1 <> strlen s2)
+ \/
+ (((Some?.v o) < strlen s1 /\ (Some?.v o) < strlen s2) /\
+ (index s1 (Some?.v o) <> (index s2 (Some?.v o)))))
This big refinement formula here is a duplicate of the formula in
first_diff. Refactoring them into a single definition is better than
copying it
—
Reply to this email directly, view it on GitHub
<#3576 (review)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACKMDK4FKGRDFFYSDUYZX6LZ4VZBFAVCNFSM6AAAAABQA3CT7WVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDGOBTGM3DOMZZGQ>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
I have 'thickened' strings quite a bit.
There are additions to the end of FStar.String.fst that define a partial string equality
and string equality and provide a string difference (for upcoming Final testing framework). The added functions are in FStar.String.Base and quite a few
proofs in FStar.String.Properties. As well as as a decidable equality class on streq.
FStar.String.Properties has 36 proofs showing the relationships between
streq, streq' (it's boolean equivalent), lengths, indexes and the string differencer
first_diff.
This, as expected, does not seem to increase proof times.
I did not include Base and Properties into FStar.String.fsti, so it's questionable
if I have the right form here. And is it right to name the property streq and the
boolean streq'?
I also added a tests/validate-time/Test.FStar.String.fst to test this.
And adjusted fstar.mk to allow overwriting of WARN_ERROR so I could cut down some warnings in validate-time tests.