Verification Commands
Imandra has a number of powerful verification commands:
-
verify <func>: takes a function representing a goal and attempts to prove it. If the proof attempt fails, Imandra will try to synthesize a concrete counterexample illustrating the failure. When verifying a formula that doesn’t depend on function parameters,verify (<expr>)is a shorthand forverify (fun () -> <expr>). Verification will be bound by unrolling limits. -
instance <func>: takes a function representing a goal and attempts to synthesize an instance (i.e., a concrete value) that satisfies it. It is useful for answering the question “What is an example value that satisfies this particular property?”. Instance search will be bound by unrolling limits. -
theorem <name> <vars> = <body>: takes a name, variables and a function of the variables representing a goal to be proved. If Imandra proves the goal, the named theorem is installed and may be used in subsequent proofs. Theorems can be tagged with attributes instructing Imandra how the theorem should be (automatically) applied to prove other theorems in the future. -
lemma <name> <vars> = <body>: synonym oftheorem, but idiomatically often used for “smaller” subsidiary results as one is working up to a largertheorem. -
axiom <name> <vars> = <body>: declares an axiom, effectively the same astheorembut forcing Imandra to assume the truth of the conjecture, rather than verifying it. This is of course dangerous and should be used with extreme care.
Examples
verify (fun x -> x + 1 > x)
instance (fun x y -> x < 0 && x + y = 4)
theorem succ_mono n m = succ n > succ m <==> n > m
verify (fun n -> succ n <> 100)