Dracula:   Reference Manual
Teachpacks
2.4 "doublecheck"
On this page:
2.4.1 Properties
defproperty
2.4.2 Random Distributions
random-sexp
random-atom
random-boolean
random-symbol
random-char
random-string
random-number
random-rational
random-integer
random-natural
random-between
random-data-size
random-element-of
random-list-of
random-sexp-of
defrandom
random-case
    ← prev  up  next → 

2.4 "doublecheck"

(include-book "doublecheck" :dir :teachpacks)

This teachpack defines automated random test generation as a complement to theorem proving. Each property declared via DoubleCheck is tested randomly by Dracula, and verified logically by ACL2. For a gentle introduction, see Doublecheck in Dracula: A Guide to ACL2 Theorem Proving in DrRacket.

2.4.1 Properties

syntax

(defproperty name property-option ... (bind ...) test theorem-option ...)

 
property-option = :repeat repeat-expr
  | :limit  limit-expr
     
bind = var bind-option ...
     
bind-option = :where hypothesis-expr
  | :value random-expr
  | :limit limit-expr
     
theorem-option = :rule-classes rule-classes
  | :instructions instructions
  | :hints        hints
  | :otf-flg      otf-flg
  | :doc          doc-string
Use defproperty to define DoubleCheck properties. Running the properties opens a GUI displaying results, including success, failure, and the values of randomly chosen variables.

Each defproperty form defines a property called name which states that test must be true for all assignments to each var in the bindings. DoubleCheck attempts to run the test repeat times (default 50), but limits the attempts to generate satisfactory random data to limit times (default 2500).

Dracula generates values for each var by running random-expr, which defaults to (random-sexp). The var is generated until hypothesis-expr evaluates to true (non-nil), or limit attempts have been made (defaulting to the property’s limit, defaulting to 50 as noted above).

ACL2 evaluates each defproperty as a theorem (defthm) equivalent to:

(defthm name (implies (and hypothesis-expr ...) test) theorem-option ...)

Here are some examples to illustrate the translation from theorems to DoubleCheck properties.

Example 1:
(include-book "doublecheck" :dir :teachpacks)
 
; This theorem has no hypotheses.
(defthm acl2-count-cons-theorem
  (> (acl2-count (cons a b)) (+ (acl2-count a) (acl2-count b))))
 
; The corresponding defproperty lists the free variables.
(defproperty acl2-count-cons-property
  (a b)
  (> (acl2-count (cons a b)) (+ (acl2-count a) (acl2-count b))))

Example 2:
(include-book "doublecheck" :dir :teachpacks)
 
; This theorem needs some hypotheses.
(defthm rationalp-/-theorem
  (implies (and (integerp x) (posp y))
           (rationalp (/ x y))))
 
; DoubleCheck expresses these as :where clauses.
(defproperty rationalp-/-property
  (x :where (integerp x)
   y :where (posp y))
  (rationalp (/ x y)))

Example 3:
(include-book "doublecheck" :dir :teachpacks)
 
; These hypotheses state a relationship between variables.
(defthm member-equal-nth-theorem
  (implies (and (proper-consp lst)
                (natp idx)
                (< idx (len lst)))
           (member-equal (nth idx lst) lst))
  :rule-classes (:rewrite :forward-chaining))
 
; We can help DoubleCheck by picking random distributions
; that are likely to satisfy the hypotheses.
(defproperty member-equal-nth-property
  (lst :where (proper-consp lst)
       :value (random-list-of (random-sexp))
   idx :where (and (natp idx) (< idx (len lst)))
       :value (random-between 0 (1- (len lst))))
  (member-equal (nth idx lst) lst)
  :rule-classes (:rewrite :forward-chaining))

2.4.2 Random Distributions

Randomness is an inherently imperative process. As such, it is not reflected in the logic of ACL2. The random distribution functions of DoubleCheck may only be used within :value clauses of defproperty, or in other random distributions.

procedure

(random-sexp)  t

procedure

(random-atom)  atom

procedure

(random-boolean)  booleanp

procedure

(random-symbol)  symbolp

procedure

(random-char)  characterp

procedure

(random-string)  stringp

procedure

(random-number)  acl2-numberp

procedure

(random-rational)  rationalp

procedure

(random-integer)  integerp

procedure

(random-natural)  natp

These distributions produce random elements of the builtin Dracula types. When no distribution is given for a property binding, defproperty uses random-sexp by default.

procedure

(random-between lo hi)  integerp

  lo : integerp
  hi : integerp
Produces an integer uniformly distributed between lo and hi, inclusive; lo must be less than or equal to hi.

procedure

(random-data-size)  natp

Produces a natural number weighted to prefer small numbers, appropriate for limiting the size of randomly produced values. This is the default distribution for the length of random lists and the size of random s-expressions.

procedure

(random-element-of lst)  t

  lst : proper-consp
Chooses among the elements of lst, distributed uniformly.

syntax

(random-list-of expr maybe-size)

 
maybe-size = 
  | :size size
Constructs a random list of length size (default (random-data-size)), each of whose elements is the result of evaluating expr.

syntax

(random-sexp-of expr maybe-size)

 
maybe-size = 
  | :size size
Constructs a random cons-tree with size total cons-pairs (default (random-data-size)), each of whose leaves is the result of evaluating expr.

syntax

(defrandom name (arg ...) body)

The defrandom form defines new random distributions. It takes the same form as defun, but the body may refer to other random distributions.

Example:
; Construct a distribution for random association lists:
(defrandom random-alist (len)
  (random-list-of (cons (random-atom) (random-sexp)) :size len))
 
; ...and now use it:
(defproperty acons-preserves-alistp
  (alist :where (alistp alist) :value (random-alist (random-between 0 10))
   key :where (atom key) :value (random-atom)
   datum)
  (alistp (acons key datum alist)))

syntax

(random-case clause ...)

 
clause = expr
  | expr :weight weight
Chooses an expression from the clauses, each with the associated weight (defaulting to 1), and yields its result; the other expressions are not evaluated. This is useful with defrandom for defining recursive distributions.

Be careful of the branching factor; a distribution with a high probability of unbounded recursion is often unlikely to terminate. It is useful to give a depth parameter to limit recursion.

Example:
; Create a distribution for random expressions:
(defrandom random-expression (max-depth)
  (random-case
   (random-symbol) ; variable
   (random-string) ; string literal
   (random-number) ; number literal
   ; one-argument function call
   ; (probability decreases with max-depth)
   (list (random-symbol) (random-expression (1- max-depth)))
   :weight (- 1 (/ 1 max-depth))))

    ← prev  up  next →