dafny

Why can't Dafny verify certain easy set cardinality and relational propositions?

回眸只為那壹抹淺笑 Submitted on 2021-02-10 20:28:14
Question: Here's a simple Dafny program: two lines of code and three assertions. method Main() { var S := set s: int | 0 <= s < 50 :: 2 * s; var T := set t | t in S && t < 25; assert |S| == 50; // does not verify assert T <= S; // does verify assert T < S; // does not verify } The cardinality of S is 50, but Dafny can't verify this claim, as written. Similarly, T is obviously a subset of S, and Dafny can verify this claim; but T is also a proper subset of S, and Dafny cannot verify this claim. What is

Dafny “no terms found to trigger on” error message

孤街浪徒 Submitted on 2021-02-10 05:43:03
Question: I have an array line that has a string contained in it of length l, pat is another array that has a string contained in it of length p. Note: p and l are not the length of the arrays. The objective is to see if the string contained in pat exists in line. If so, this method should return the index in line of the first letter of the word, if not it should return -1. The invariants that are giving us the "no terms found to trigger on" errors are ensures exists j :: ( 0<= j < l) && j == pos;

Assertion and Set Cardinality

ε祈祈猫儿з Submitted on 2021-02-05 07:46:56
Question: Why does the following assertion fail? In addition, why do all the assertions work if I un-comment ASSERT 0 (line 22)? function CountFactors(i:nat): nat requires i >= 1; { var a := set b | 1 <= b <= i && i % b == 0; |a| } function CountFactorsSet(i:nat): set<nat> requires i >= 1; { var a := set b | 1 <= b <= i && i % b == 0; a } method CountFactorsMethod(i:nat) returns (a: set<nat>) requires i >= 1; { a := set b | 1 <= b <= i && i % b == 0; } method Main() { var r:= CountFactorsMethod(2);

What is the relation between Dafny's Hilbert epsilon operator and apparently redundant code?

你离开我真会死。 Submitted on 2021-01-29 14:11:20
Question: In the Dafny code below the var notUsed := t; line seems redundant as notUsed is, as the name suggests, not used. But, without this line the var e :| e in t line becomes not unique. Why has this assignment changed the uniqueness? predicate setIsSeq<T>(t : set<T>, q : seq<T>) { (|t| == |q|) ==> (forall i :: (0 <= i < |q|) ==> (q[i] in t)) && (forall x :: x in t ==> (x in q)) } function method fSetToSeq<T>(t : set<T>) : (r : seq<T>) decreases t ensures setIsSeq(t,r); { var notUsed := t;//with

Proving termination of BFS with Dafny

元气小坏坏 Submitted on 2021-01-28 21:16:20
Question: I'm trying to prove some properties of BFS with dafny, but so far I can't even prove termination. The progression of the algorithm is guaranteed by the fact that once a node is colored false (visited) it will not be colored true again. Still, I am having a hard time translating this fact to a formal dafny decreases <something> : class Graph { var adjList : seq<seq<int>>; } method BFS(G : Graph, s : int) returns (d : array<int>) requires 0 <= s < |G.adjList| requires forall u :: 0 <= u < |G

dafny modeling integer overflow

瘦欲@ Submitted on 2021-01-28 10:24:34
Question: Can Dafny model integer overflow? I was surprised when Dafny proved the following: method overflow(c : int) { if (c > 0) { assert((c+1) > 0); } } What am I missing? Answer 1: The type int in Dafny means "mathematical integer". So there is no overflow. If you want to model machine arithmetic, there are a few ways to do it. One way is to define something like: type uint64 = x:int | 0 <= x < 0x10000000000000000 and then when you try to store the result in a uint64 you will get an error: method

What are the relationships among imports, includes, and verification in Dafny?

霸气de小男生 Submitted on 2021-01-28 08:51:36
Question: I know one Dafny source file can be included in another, leading to textual concatenation of the files prior to verification. But I don't have a clear mental model of the relationships between includes, imports, and which files are verified when. Perhaps an expert can elaborate. Thanks. Answer 1: This is at least partially documented in the Dafny Reference Manual in various sections. Section 2.0 discusses include : Included files also obey the Dafny grammar. Dafny parses and processes the