copilot-verifier: Include in mainline copilot repo. Refs #622.

The `copilot-verifier` package was originally developed in an external repo
(https://github.com/Copilot-Language/copilot-verifier), but there is interest
in having all Copilot projects and libraries merged into the main
https://github.com/Copilot-Language/copilot repo for ease of management.

This commit includes the last state of the old `copilot-verified` repo into the
main Copilot repo as a new subdirectory, disregarding the commit history.

Author: RyanGlScott

copilot-verifier/CHANGELOG

@@ -0,0 +1,40 @@
+2025-05-08
+        * Version bump (4.4). (#85)
+
+2025-03-10
+        * Version bump (4.3). (#82)
+        * Add `smtSolver` option to `VerifierOptions`. (#78)
+        * Add `smtFloatMode` option to `VerifierOptions`. (#79)
+
+2025-01-20
+        * Version bump (4.2). (#76)
+        * Reject specs that use multiple triggers with the same name. (#74)
+
+2024-11-08
+        * Version bump (4.1). (#72)
+
+2024-09-09
+        * Version bump (4.0). (#69)
+        * Support verifying programs that use array updates. (#63)
+        * Support verifying programs that use struct updates. (#57)
+
+2024-08-03
+        * Support building with `crucible-llvm-0.7` and `crux-llvm-0.9`. (#64)
+        * Support GHC 9.4 through 9.8. (#65)
+
+2024-07-30
+        * When using `Noisy` verbosity, always log proof goals related to the
+          core correspondence proof, even if the goals are trivial. (#51)
+        * When using `Noisy` verbosity, log more information about which proof
+          goals arise before or after calling the `step()` function. (#52)
+
+2024-07-11
+        * Version bump (3.20). (#58)
+
+2024-03-08
+        * Version bump (3.19). (#53)
+        * Provide more detailed feedback upon a successful run of the verifier.
+        * Make the examples build with Copilot 3.19. (#53)
+
+2024-02-06
+        * Initial release of `copilot-verifier`.

copilot-verifier/LICENSE

@@ -0,0 +1,30 @@
+Copyright (c) 2021-2024 Galois Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+  * Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+
+  * Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+
+  * Neither the name of Galois, Inc. nor the names of its contributors
+    may be used to endorse or promote products derived from this
+    software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
+OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

copilot-verifier/README.md

@@ -0,0 +1,152 @@
+Cabal-version: 2.2
+Name:          copilot-verifier
+Version:       4.4
+Author:        Galois Inc.
+Maintainer:    rscott@galois.com
+Copyright:     (c) Galois, Inc 2021-2024
+License:       BSD-3-Clause
+License-file:  LICENSE
+Build-type:    Simple
+Category:      Language
+Synopsis:      System for verifying the correctness of generated Copilot programs
+Description:
+  @copilot-verifier@ is an add-on to the [Copilot Stream
+  DSL](https://copilot-language.github.io) for verifying the correctness of C
+  code generated by the @copilot-c99@ package.
+  .
+  @copilot-verifier@ uses the [Crucible symbolic
+  simulator](https://github.com/galoisinc/crucible) to interpret the semantics
+  of the generated C program and and to produce verification conditions
+  sufficient to guarantee that the meaning of the generated program corresponds
+  in a precise way to the meaning of the original stream specification. The
+  generated verification conditions are then dispatched to SMT solvers to be
+  automatically solved.
+extra-doc-files: CHANGELOG, README.md
+
+source-repository head
+  type:     git
+  location: https://github.com/GaloisInc/copilot-verifier
+  subdir:   copilot-verifier
+
+common bldflags
+  ghc-options: -Wall
+               -Werror=incomplete-patterns
+               -Werror=missing-methods
+               -Werror=overlapping-patterns
+               -Wpartial-fields
+               -Wincomplete-uni-patterns
+  ghc-prof-options: -O2 -fprof-auto-exported
+  default-language: Haskell2010
+  default-extensions:
+     NondecreasingIndentation
+  build-depends:
+    aeson >= 1.5 && < 2.3,
+    base >= 4.8 && < 4.20,
+    bv-sized >= 1.0.0 && < 1.1,
+    bytestring,
+    containers >= 0.5.9.0,
+    copilot-c99 >= 4.4 && < 4.5,
+    copilot-core >= 4.4 && < 4.5,
+    copilot-theorem >= 4.4 && < 4.5,
+    crucible >= 0.7.1 && < 0.8,
+    crucible-llvm >= 0.7 && < 0.8,
+    crux >= 0.7.1 && < 0.8,
+    crux-llvm >= 0.9 && < 0.10,
+    filepath,
+    lens,
+    llvm-pretty >= 0.12.1.0 && < 0.13,
+    mtl,
+    panic >= 0.3,
+    parameterized-utils >= 2.1.4 && < 2.2,
+    prettyprinter >= 1.7.0,
+    text,
+    transformers,
+    vector,
+    what4 >= 1.6.1 && < 1.7
+
+library
+  import: bldflags
+
+  hs-source-dirs: src
+  exposed-modules:
+    Copilot.Verifier
+    Copilot.Verifier.FloatMode
+    Copilot.Verifier.Log
+    Copilot.Verifier.Solver
+
+library copilot-verifier-examples
+  import: bldflags
+
+  hs-source-dirs: examples
+  build-depends:
+    case-insensitive,
+    copilot >= 4.4 && < 4.5,
+    copilot-language >= 4.4 && < 4.5,
+    copilot-libraries >= 4.4 && < 4.5,
+    copilot-prettyprinter >= 4.4 && < 4.5,
+    copilot-verifier
+  exposed-modules:
+    Copilot.Verifier.Examples
+
+    Copilot.Verifier.Examples.ShouldFail.Partial.AbsIntMin
+    Copilot.Verifier.Examples.ShouldFail.Partial.AddSignedWrap
+    Copilot.Verifier.Examples.ShouldFail.Partial.DivByZero
+    Copilot.Verifier.Examples.ShouldFail.Partial.IndexOutOfBounds
+    Copilot.Verifier.Examples.ShouldFail.Partial.ModByZero
+    Copilot.Verifier.Examples.ShouldFail.Partial.MulSignedWrap
+    Copilot.Verifier.Examples.ShouldFail.Partial.ShiftLTooLarge
+    Copilot.Verifier.Examples.ShouldFail.Partial.ShiftRTooLarge
+    Copilot.Verifier.Examples.ShouldFail.Partial.SubSignedWrap
+
+    Copilot.Verifier.Examples.ShouldPass.Array
+    Copilot.Verifier.Examples.ShouldPass.ArrayGen
+    Copilot.Verifier.Examples.ShouldPass.ArrayOfStructs
+    Copilot.Verifier.Examples.ShouldPass.ArrayTriggerArgument
+    Copilot.Verifier.Examples.ShouldPass.Arith
+    Copilot.Verifier.Examples.ShouldPass.Clock
+    Copilot.Verifier.Examples.ShouldPass.Counter
+    Copilot.Verifier.Examples.ShouldPass.Engine
+    Copilot.Verifier.Examples.ShouldPass.FPNegation
+    Copilot.Verifier.Examples.ShouldPass.FPOps
+    Copilot.Verifier.Examples.ShouldPass.Heater
+    Copilot.Verifier.Examples.ShouldPass.IntOps
+    Copilot.Verifier.Examples.ShouldPass.Partial.AbsIntMin
+    Copilot.Verifier.Examples.ShouldPass.Partial.AddSignedWrap
+    Copilot.Verifier.Examples.ShouldPass.Partial.DivByZero
+    Copilot.Verifier.Examples.ShouldPass.Partial.IndexOutOfBounds
+    Copilot.Verifier.Examples.ShouldPass.Partial.ModByZero
+    Copilot.Verifier.Examples.ShouldPass.Partial.MulSignedWrap
+    Copilot.Verifier.Examples.ShouldPass.Partial.ShiftLTooLarge
+    Copilot.Verifier.Examples.ShouldPass.Partial.ShiftRTooLarge
+    Copilot.Verifier.Examples.ShouldPass.Partial.SubSignedWrap
+    Copilot.Verifier.Examples.ShouldPass.Structs
+    Copilot.Verifier.Examples.ShouldPass.UpdateArray
+    Copilot.Verifier.Examples.ShouldPass.UpdateStruct
+    Copilot.Verifier.Examples.ShouldPass.Voting
+    Copilot.Verifier.Examples.ShouldPass.WCV
+
+executable verify-examples
+  import: bldflags
+
+  hs-source-dirs: exe
+  main-is: VerifyExamples.hs
+  build-depends:
+    case-insensitive,
+    copilot-verifier,
+    copilot-verifier-examples,
+    optparse-applicative
+
+test-suite copilot-verifier-test
+  import: bldflags
+
+  type: exitcode-stdio-1.0
+  hs-source-dirs: test
+  build-depends:
+    case-insensitive,
+    copilot-verifier,
+    copilot-verifier-examples,
+    silently >= 1.2,
+    tasty >= 0.10,
+    tasty-expected-failure >= 0.12,
+    tasty-hunit >= 0.10
+  main-is: Test.hs

copilot-verifier/copilot-verifier.cabal

@@ -0,0 +1,97 @@
+{-# LANGUAGE OverloadedStrings #-}
+module Copilot.Verifier.Examples
+  ( shouldFailExamples
+  , shouldPassExamples
+  ) where
+
+import qualified Data.CaseInsensitive as CI
+import Data.CaseInsensitive (CI)
+import qualified Data.Map as Map
+import Data.Map (Map)
+import Data.Text (Text)
+
+import Copilot.Verifier (Verbosity)
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.AbsIntMin        as Fail.AbsIntMin
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.AddSignedWrap    as Fail.AddSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.DivByZero        as Fail.DivByZero
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.IndexOutOfBounds as Fail.IndexOutOfBounds
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.ModByZero        as Fail.ModByZero
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.MulSignedWrap    as Fail.MulSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.ShiftLTooLarge   as Fail.ShiftLTooLarge
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.ShiftRTooLarge   as Fail.ShiftRTooLarge
+import qualified Copilot.Verifier.Examples.ShouldFail.Partial.SubSignedWrap    as Fail.SubSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldPass.Array                    as Array
+import qualified Copilot.Verifier.Examples.ShouldPass.ArrayGen                 as ArrayGen
+import qualified Copilot.Verifier.Examples.ShouldPass.ArrayOfStructs           as ArrayOfStructs
+import qualified Copilot.Verifier.Examples.ShouldPass.ArrayTriggerArgument     as ArrayTriggerArgument
+import qualified Copilot.Verifier.Examples.ShouldPass.Arith                    as Arith
+import qualified Copilot.Verifier.Examples.ShouldPass.Clock                    as Clock
+import qualified Copilot.Verifier.Examples.ShouldPass.Counter                  as Counter
+import qualified Copilot.Verifier.Examples.ShouldPass.Engine                   as Engine
+import qualified Copilot.Verifier.Examples.ShouldPass.FPNegation               as FPNegation
+import qualified Copilot.Verifier.Examples.ShouldPass.FPOps                    as FPOps
+import qualified Copilot.Verifier.Examples.ShouldPass.Heater                   as Heater
+import qualified Copilot.Verifier.Examples.ShouldPass.IntOps                   as IntOps
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.AbsIntMin        as Pass.AbsIntMin
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.AddSignedWrap    as Pass.AddSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.IndexOutOfBounds as Pass.IndexOutOfBounds
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.DivByZero        as Pass.DivByZero
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.ModByZero        as Pass.ModByZero
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.MulSignedWrap    as Pass.MulSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.ShiftLTooLarge   as Pass.ShiftLTooLarge
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.ShiftRTooLarge   as Pass.ShiftRTooLarge
+import qualified Copilot.Verifier.Examples.ShouldPass.Partial.SubSignedWrap    as Pass.SubSignedWrap
+import qualified Copilot.Verifier.Examples.ShouldPass.Structs                  as Structs
+import qualified Copilot.Verifier.Examples.ShouldPass.UpdateArray              as UpdateArray
+import qualified Copilot.Verifier.Examples.ShouldPass.UpdateStruct             as UpdateStruct
+import qualified Copilot.Verifier.Examples.ShouldPass.Voting                   as Voting
+import qualified Copilot.Verifier.Examples.ShouldPass.WCV                      as WCV
+
+shouldFailExamples :: Verbosity -> Map (CI Text) (IO ())
+shouldFailExamples verb = Map.fromList
+    [ -- Partial operation tests
+      example "AbsIntMin-fail" (Fail.AbsIntMin.verifySpec verb)
+    , example "AddSignedWrap-fail" (Fail.AddSignedWrap.verifySpec verb)
+    , example "DivByZero-fail" (Fail.DivByZero.verifySpec verb)
+    , example "IndexOutOfBounds-fail" (Fail.IndexOutOfBounds.verifySpec verb)
+    , example "ModByZero-fail" (Fail.ModByZero.verifySpec verb)
+    , example "MulSignedWrap-fail" (Fail.MulSignedWrap.verifySpec verb)
+    , example "ShiftLTooLarge-fail" (Fail.ShiftLTooLarge.verifySpec verb)
+    , example "ShiftRTooLarge-fail" (Fail.ShiftRTooLarge.verifySpec verb)
+    , example "SubSignedWrap-fail" (Fail.SubSignedWrap.verifySpec verb)
+    ]
+
+shouldPassExamples :: Verbosity -> Map (CI Text) (IO ())
+shouldPassExamples verb = Map.fromList
+    [ example "Array" (Array.verifySpec verb)
+    , example "ArrayGen" (ArrayGen.verifySpec verb)
+    , example "ArrayOfStructs" (ArrayOfStructs.verifySpec verb)
+    , example "ArrayTriggerArgument" (ArrayTriggerArgument.verifySpec verb)
+    , example "Arith" (Arith.verifySpec verb)
+    , example "Clock" (Clock.verifySpec verb)
+    , example "Counter" (Counter.verifySpec verb)
+    , example "Engine" (Engine.verifySpec verb)
+    , example "FPNegation" (FPNegation.verifySpec verb)
+    , example "FPOps" (FPOps.verifySpec verb)
+    , example "Heater" (Heater.verifySpec verb)
+    , example "IntOps" (IntOps.verifySpec verb)
+    , example "Structs" (Structs.verifySpec verb)
+    , example "UpdateArray" (UpdateArray.verifySpec verb)
+    , example "UpdateStruct" (UpdateStruct.verifySpec verb)
+    , example "Voting" (Voting.verifySpec verb)
+    , example "WCV" (WCV.verifySpec verb)
+
+      -- Partial operation tests
+    , example "AbsIntMin-pass" (Pass.AbsIntMin.verifySpec verb)
+    , example "AddSignedWrap-pass" (Pass.AddSignedWrap.verifySpec verb)
+    , example "DivByZero-pass" (Pass.DivByZero.verifySpec verb)
+    , example "IndexOutOfBounds-pass" (Pass.IndexOutOfBounds.verifySpec verb)
+    , example "ModByZero-pass" (Pass.ModByZero.verifySpec verb)
+    , example "MulSignedWrap-pass" (Pass.MulSignedWrap.verifySpec verb)
+    , example "ShiftLTooLarge-pass" (Pass.ShiftLTooLarge.verifySpec verb)
+    , example "ShiftRTooLarge-pass" (Pass.ShiftRTooLarge.verifySpec verb)
+    , example "SubSignedWrap-pass" (Pass.SubSignedWrap.verifySpec verb)
+    ]
+
+example :: Text -> IO () -> (CI Text, IO ())
+example name action = (CI.mk name, action)

copilot-verifier/examples/Copilot/Verifier/Examples.hs

@@ -0,0 +1,28 @@
+{-# LANGUAGE NoImplicitPrelude #-}
+
+-- | This will fail to verify since the verification does not assume the
+-- @notIntMin@ property, which is needed to prevent undefined behavior when
+-- invoking the 'abs' function.
+module Copilot.Verifier.Examples.ShouldFail.Partial.AbsIntMin where
+
+import Language.Copilot
+import Copilot.Compile.C99
+import Copilot.Verifier ( Verbosity, VerifierOptions(..)
+                        , defaultVerifierOptions, verifyWithOptions )
+
+spec :: Spec
+spec = do
+  let stream :: Stream Int32
+      stream = extern "stream" Nothing
+
+  _ <- prop "notIntMin" (forAll (stream > constI32 minBound))
+  trigger "streamAbs" (abs stream == 1) [arg stream]
+
+verifySpec :: Verbosity -> IO ()
+verifySpec verb = do
+  spec' <- reify spec
+  verifyWithOptions defaultVerifierOptions{verbosity = verb}
+    mkDefaultCSettings
+    -- ["notIntMin"]
+    []
+    "absIntMinFail" spec'

copilot-verifier/examples/Copilot/Verifier/Examples/ShouldFail/Partial/AbsIntMin.hs

@@ -0,0 +1,27 @@
+{-# LANGUAGE NoImplicitPrelude #-}
+
+-- | This will fail to verify since the verification does not assume the
+-- @notIntMax@ property, which is needed to prevent signed integer overflow.
+module Copilot.Verifier.Examples.ShouldFail.Partial.AddSignedWrap where
+
+import Language.Copilot
+import Copilot.Compile.C99
+import Copilot.Verifier ( Verbosity, VerifierOptions(..)
+                        , defaultVerifierOptions, verifyWithOptions )
+
+spec :: Spec
+spec = do
+  let stream :: Stream Int32
+      stream = extern "stream" Nothing
+
+  _ <- prop "notIntMax" (forAll (stream < constI32 maxBound))
+  trigger "streamAddSigned" ((stream + 1) == 1) [arg stream]
+
+verifySpec :: Verbosity -> IO ()
+verifySpec verb = do
+  spec' <- reify spec
+  verifyWithOptions defaultVerifierOptions{verbosity = verb}
+    mkDefaultCSettings
+    -- ["notIntMax"]
+    []
+    "addSignedWrapFail" spec'