IFM 2025

Installation & Configuration

To install both Cameleer and Gospel, one should use a specific branch of a fork. Start by cloning Cameleer and Gospel, and checkout to the origin/ifm branch on both forks.

git clone git@github.com:ionchirica/cameleer.git
git clone git@github.com:ionchirica/gospel.git

I recommend making a new opam switch (naming it ifm, for example) with the 4.14.0 base compiler:

opam switch create ifm 4.14.0
eval $(opam env --switch=ifm)

It may be possible that your version of GCC does no longer compile OCaml version 4.14.0. This issue has been filed here, and the fix can be found here.

Then, one should first install/build Gospel and Cameleer (on the origin/iteration branches), with the following command in both directories:

git checkout ifm
opam pin add . 
eval $(opam env)

If everything was successful, you can now launch cameleer with the provided list of examples, found here, for instance, cameleer seq.ml. A strategy that can be used, in Why3, is to select a Verification Condition or Module and press R, this will re-run the saved session, which is included in the zip.

Statistics (Per Module)

Seq

Why3 Proof Results for Project "seq"

Theory "seq.Seq": fully verified

ObligationsAlt-Ergo 2.5.4CVC4 1.7CVC5 1.2.0
List.T.Fold.permitted_empty---------
split_vc
permitted_empty.00.06------
List.T.Iter.permitted_empty---------
split_vc
permitted_empty.00.08------
List.T.Map.permitted_empty0.07------
List.T.Filter.permitted_empty0.08------
VC for sum_of_seq---------
split_vc
loop invariant init0.10------
precondition0.08------
precondition0.09------
loop variant decrease0.08------
loop invariant preservation8.89------
postcondition4.16------
VC for stack_of_seq4.99------
VC for queue_of_seq---------
split_vc
loop invariant init0.12------
precondition0.10------
precondition0.09------
loop variant decrease0.11------
loop invariant preservation0.19------
postcondition0.13------
VC for filter_seq0.66------
VC for map_seq0.21------
VC for gt_seq---------
split_vc
loop invariant init0.12------
precondition0.10------
precondition0.09------
loop variant decrease0.12------
loop invariant preservation0.29------
loop variant decrease0.11------
loop invariant preservation0.28------
postcondition---12.2412.83
Oper

Why3 Proof Results for Project "oper"

Theory "oper.Oper": fully verified

ObligationsAlt-Ergo 2.5.4CVC4 1.7CVC5 1.2.0
equal_hashes_COMPARABLE0.06------
VC for gt---------
exists (empty1: fset t)
gt'vc.0---------
exists (fun (_: t) -> empty1: fset t)
gt'vc.0.0------0.17
Oper.G.Fold_vertex.permitted_empty0.09------
Oper.G.Fold_succ.permitted_empty0.09------
Oper.G.Fold_succ_e.permitted_empty0.10------
Oper.G.Fold_edges.permitted_empty0.10------
VC for copy_vertices---------
split_vc
loop invariant init0.13------
precondition0.11------
precondition0.09------
loop variant decrease0.15------
loop invariant preservation0.29------
postcondition0.14------
postcondition0.11------
VC for intersect---------
split_vc
loop invariant init0.14------
precondition0.09------
precondition0.07------
loop invariant init0.47------
precondition0.10------
precondition0.09------
loop variant decrease0.24------
loop invariant preservation0.97------
loop variant decrease0.21------
loop invariant preservation0.19------
loop variant decrease0.15------
loop invariant preservation0.39------
postcondition0.20------
postcondition0.11------
VC for mirror---------
split_vc
loop invariant init0.14------
precondition0.11------
precondition0.09------
loop variant decrease0.17------
loop invariant preservation---1.21---
postcondition0.14------
postcondition0.12------
VC for complement---------
split_vc
loop invariant init0.31------
precondition0.11------
precondition0.09------
loop invariant init0.88------
precondition0.11------
precondition0.10------
loop variant decrease0.20------
loop invariant preservation1.99------
loop variant decrease0.18------
loop invariant preservation0.42------
postcondition0.13------
postcondition0.12------
postcondition0.12------
VC for union---------
split_vc
loop invariant init0.26------
precondition0.11------
precondition0.09------
loop invariant init1.13------
precondition0.12------
precondition0.09------
loop variant decrease0.23------
loop invariant preservation1.28------
loop variant decrease0.21------
loop invariant preservation0.36------
postcondition0.13------
postcondition---0.60---
Path

Why3 Proof Results for Project "path"

Theory "path.Path": fully verified

ObligationsAlt-Ergo 2.5.2Alt-Ergo 2.5.4CVC4 1.7
seq_cons0.04 (obsolete)0.09---
equal_hashes_HASHABLE0.04 (obsolete)0.08---
equal_hashes_COMPARABLE0.04 (obsolete)0.08---
VC for gt---------
exists (empty1: fset t)
gt'vc.0---------
exists (fun(_:t) -> empty1: fset t)
gt'vc.0.00.06 (obsolete)0.10---
Check.G.Iter_succ.permitted_empty0.04 (obsolete)0.10---
Check.path_suc---------
split_vc
path_suc.0---------
unfold has_path
path_suc.0.0---------
unfold has_path in H1
path_suc.0.0.0---------
introduce_exists
path_suc.0.0.0.0---------
exists (snoc p v3)
path_suc.0.0.0.0.00.11 (obsolete)0.18---
Check.edge_path0.06 (obsolete)0.11---
Check.self_path0.10 (obsolete)0.11---
VC for intermediate_value_funcresult missing (obsolete)1.65---
Check.intermediate_value---------
split_vc
intermediate_value.0---------
instantiate intermediate_value_func'spec p,u,v
intermediate_value.0.0---------
instantiate Hinst (to_list s)
intermediate_value.0.0.0---------
instantiate Hinst g
intermediate_value.0.0.0.0---------
destruct_rec Hinst
destruct premise0.04 (obsolete)0.09---
destruct premise0.05 (obsolete)0.09---
destruct premise0.25 (obsolete)0.28---
intermediate_value.0.0.0.0.30.44 (obsolete)0.40---
VC for check_path---------
split_vc
postcondition0.08 (obsolete)0.15---
postcondition0.08 (obsolete)0.09---
postcondition0.08 (obsolete)0.12---
postcondition0.05 (obsolete)0.09---
postcondition0.05 (obsolete)0.09---
postcondition0.06 (obsolete)0.11---
postcondition0.08 (obsolete)0.09---
postcondition0.06 (obsolete)0.10---
postcondition0.07 (obsolete)0.11---
postcondition0.09 (obsolete)0.14---
postcondition0.08 (obsolete)0.11---
postcondition0.06 (obsolete)0.09---
postconditionresult missing (obsolete)0.20---
postconditionresult missing (obsolete)0.37---
postconditionresult missing (obsolete)1.11---
postconditionresult missing (obsolete)0.09---
postconditionresult missing (obsolete)0.10---
postconditionresult missing (obsolete)0.11---
postconditionresult missing (obsolete)0.10---
postcondition---------
unfold disjoint
VC for check_pathresult missing (obsolete)2.04---
postconditionresult missing (obsolete)0.12---
postconditionresult missing (obsolete)0.16---
postconditionresult missing (obsolete)0.52---
postconditionresult missing (obsolete)0.10---
preconditionresult missing (obsolete)0.44---
loop invariant init---------
split_vc
loop invariant init---------
inline_goal
loop invariant init---------
split_all_full
VC for check_pathresult missing (obsolete)0.18---
VC for check_pathresult missing (obsolete)0.53---
VC for check_pathresult missing (obsolete)0.10---
VC for check_path1.32 (obsolete)------
split_vc
VC for check_pathresult missing (obsolete)1.03---
VC for check_pathresult missing (obsolete)0.13---
VC for check_pathresult missing (obsolete)0.14---
VC for check_path---------
unfold disjoint
VC for check_path---------
split_vc
VC for check_pathresult missing (obsolete)1.05---
VC for check_pathresult missing (obsolete)1.06---
VC for check_pathresult missing (obsolete)0.18---
VC for check_pathresult missing (obsolete)0.62---
VC for check_pathresult missing (obsolete)0.10---
VC for check_pathresult missing (obsolete)0.15---
VC for check_pathresult missing (obsolete)0.10---
VC for check_path---------
inline_goal
VC for check_pathresult missing (obsolete)0.13---
preconditionresult missing (obsolete)0.13---
preconditionresult missing (obsolete)0.10---
loop variant decreaseresult missing (obsolete)0.56---
loop invariant preservation---------
split_vc
loop invariant preservation---------
inline_goal
loop invariant preservation---------
split_all_full
VC for check_pathresult missing (obsolete)0.14---
VC for check_pathresult missing (obsolete)1.08---
VC for check_path---------
split_vc
VC for check_path---------
inline_goal
VC for check_pathresult missing (obsolete)Timeout (30.00s)16.93
VC for check_pathresult missing (obsolete)0.57---
VC for check_pathresult missing (obsolete)6.46---
VC for check_pathresult missing (obsolete)0.51---
VC for check_pathresult missing (obsolete)4.82---
VC for check_pathresult missing (obsolete)0.22---
VC for check_pathresult missing (obsolete)0.51---
VC for check_pathresult missing (obsolete)0.14---
VC for check_pathresult missing (obsolete)0.15---
VC for check_pathresult missing (obsolete)0.22---
VC for check_pathresult missing (obsolete)0.94---
loop variant decreaseresult missing (obsolete)0.52---
loop invariant preservationresult missing (obsolete)1.05---
variant decreaseresult missing (obsolete)0.42---
precondition---------
case (mem3 v1 q.view2)
true case (precondition)result missing (obsolete)0.14---
false case (precondition)---------
case (mem3 v2 q.view2)
false case (true case. precondition)result missing (obsolete)0.41---
false case (precondition)---------
assert (not mem1 v2 visited.dom)
asserted formularesult missing (obsolete)0.14---
false case (precondition)---------
assert (mem1 v1 visited.dom)
asserted formularesult missing (obsolete)0.13---
false case (precondition)---------
instantiate intermediate_value (fun x -> mem1 x visited.dom)
false case (precondition)---------
instantiate Hinst v1,v2
false case (precondition)---------
unfold has_path in H
false case (precondition)---------
introduce_exists
false case (precondition)---------
instantiate Hinst p,graph
false case (precondition)---------
destruct Hinst
destruct premiseresult missing (obsolete)0.14---
false case (precondition)---------
destruct Hinst
destruct premiseresult missing (obsolete)0.14---
false case (precondition)---------
destruct Hinst
destruct premiseresult missing (obsolete)0.11---
false case (precondition)---------
introduce_exists
false case (precondition)---------
exists v'
check_path'vc.33.1.1.1.1.0.0.0.0.0.1.1.1.0.0result missing (obsolete)1.39---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.20---
preconditionresult missing (obsolete)0.40---
precondition---------
assert (forall vt. mem4 vt sucs -> mem1 vt graph.dom1)
asserted formularesult missing (obsolete)0.21---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.20---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.21---
precondition---------
split_vc
preconditionresult missing (obsolete)0.47---
preconditionresult missing (obsolete)0.21---
preconditionresult missing (obsolete)0.21---
preconditionresult missing (obsolete)0.14---
postconditionresult missing (obsolete)0.11---
postconditionresult missing (obsolete)0.10---
postconditionresult missing (obsolete)0.15---
postconditionresult missing (obsolete)0.10---
postconditionresult missing (obsolete)0.11---
postconditionresult missing (obsolete)0.14---
postconditionresult missing (obsolete)0.11---
postconditionresult missing (obsolete)0.11---
postconditionresult missing (obsolete)0.14---
postconditionresult missing (obsolete)0.22---
postconditionresult missing (obsolete)0.14---
postconditionresult missing (obsolete)0.11---
exceptional postconditionresult missing (obsolete)0.10---
preconditionresult missing (obsolete)0.15---
preconditionresult missing (obsolete)0.13---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.21---
preconditionresult missing (obsolete)0.23---
preconditionresult missing (obsolete)0.23---
preconditionresult missing (obsolete)0.26---
preconditionresult missing (obsolete)0.35---
preconditionresult missing (obsolete)0.13---
preconditionresult missing (obsolete)0.26---
preconditionresult missing (obsolete)0.14---
preconditionresult missing (obsolete)0.18---
preconditionresult missing (obsolete)0.12---
postconditionresult missing (obsolete)0.09---
Tree

Why3 Proof Results for Project "tree"

Theory "tree.Tree": fully verified

ObligationsAlt-Ergo 2.5.4CVC5 1.2.0
Tree.T.Fold.permitted_empty0.08---
Tree.T.Fold_level.permitted_empty0.09---
Tree.T.Iter.permitted_empty0.06---
Tree.T.Filter.permitted_empty0.09---
VC for sum_tree------
split_vc
loop invariant init0.06---
precondition0.08---
precondition0.07---
loop variant decrease0.10---
loop invariant preservation9.40---
postcondition3.78---
VC for tree_height0.09---
VC for gt_seq------
split_vc
loop invariant init0.14---
precondition0.11---
precondition0.09---
loop variant decrease0.13---
loop invariant preservation0.33---
loop variant decrease0.13---
loop invariant preservation0.30---
postcondition---1.92

Platform used

The benchmarks were conducted on a machine with a processor i5-2520M 2 cores @ 3.2GHz; 12Gb RAM; 64-bit linux kernel 6.9.5.