
What I'm having an issue with is two different methods in two different classes not cooperating. The set-up is as follows:

class A{
    method b()
    ensures statement
    {
        // Do something
    }
}

class C{
    method d()
    requires statement
    {
        // Do something
    }
}

And a main that calls them as follows:

method Main(){
    var a := new A;
    var c := new C;

    a.b();
    c.d(); // Error: possible violation of function precondition
}

Why doesn't method d recognize that method b ensures its precondition? If it's a limitation of Dafny's prover, how would I go about fixing this issue?

Edit: I messed up the syntax when I was creating this example, so the test program works. The real one, however, still has issues. The specific class I'm struggling with is shown below:

class TokenController{
    var database : map<int, Token>;

    // Create a new token if one of the following is true:
    // * Token is null
    // * Invalid token
    //
    // Returns true if it was created, false otherwise.
    method createToken(key:int, securityLevel:int) returns (res: bool)
    modifies this`database;
    requires Defines.LOW() <= securityLevel <= Defines.HIGH();
    ensures key in database;
    ensures database[key] != null;
    ensures database[key].isValid;
    ensures old(key !in database) || old(database[key] == null) || old(!database[key].isValid) <==> res;
    {
        if(key !in database || database[key] == null || !database[key].isValid){
            var token := new Token.Token;
            token.init(key, securityLevel);
            // Add it to the map
            database := database[key:=token];
            res := true;
        }
        else{
            res := false;
        }
    }

    // Returns true if key matches the one in the database and the token is valid. Otherwise false.
    predicate method validToken(key:int)
    requires key in database;
    requires database[key] != null;
    reads this`database;
    reads this.database[key];
    {
        database[key].fingerprint == key && database[key].isValid
    }
}

In main it's called as follows:

var tokenRes : bool;
tokenRes := tokenController.createToken(0, 0);
tokenRes := tokenController.validToken(0); //  Error: possible violation of function precondition
David S
  • Can you add asserts() with the ensured statement and the required statement between the calls to b and d? What and where is the error then? – larsr Dec 13 '15 at 18:19
  • On the test program it works, I had missed a param for one of the methods which made it fail. So the problem I'm having in the real program is most likely an issue with my ensures. Do you mind looking a short segment over? Will post it in its own post for clarity. – David S Dec 13 '15 at 18:56
  • It would be nice if you could remove dependencies on types that you don't define, such as Token. Or provide code or references. A good way to get an answer is to make it possible for other StackOverflow users to simply cut-and-paste your example into http://rise4fun.com/dafny to take a look at the code. – larsr Dec 13 '15 at 19:38
  • After adding some definitions for Token, LOW, and HIGH(), the program verifies fine for me: http://rise4fun.com/Dafny/wQPiO – Rustan Leino Feb 28 '17 at 02:35

0 Answers
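
A self-contained version of the TokenController that can be pasted into a Dafny verifier as the comments suggest, added here as an example and not the asker's or the project's code. The Defines bounds, the Token class, the nullable map type Token? and the extra ensures clause relating fingerprint to key are assumptions (Dafny 3 syntax); the asserts between the calls are the check larsr proposed.

```dafny
class Defines {
  static function method LOW(): int { 0 }   // assumed bounds for securityLevel
  static function method HIGH(): int { 2 }
}

class Token {
  var fingerprint: int
  var isValid: bool
  var securityLevel: int
  constructor () { fingerprint := 0; isValid := false; securityLevel := 0; }
  method init(key: int, level: int)
    modifies this
    ensures fingerprint == key && isValid && securityLevel == level
  { fingerprint := key; isValid := true; securityLevel := level; }
}

class TokenController {
  var database: map<int, Token?>   // Token? (nullable) so "== null" is meaningful
  constructor () ensures database == map[] { database := map[]; }

  method createToken(key: int, securityLevel: int) returns (res: bool)
    requires Defines.LOW() <= securityLevel <= Defines.HIGH()
    modifies this`database
    ensures key in database && database[key] != null && database[key].isValid
    ensures res ==> database[key].fingerprint == key   // assumed addition: lets the caller prove validToken
    ensures old(key !in database) || old(database[key] == null) || old(!database[key].isValid) <==> res
  {
    if key !in database || database[key] == null || !database[key].isValid {
      var token := new Token();          // fresh object, so modifying it is allowed by the frame
      token.init(key, securityLevel);
      database := database[key := token];
      res := true;
    } else {
      res := false;
    }
  }

  // Precondition is exactly what createToken's first ensures clause provides.
  predicate method validToken(key: int)
    requires key in database && database[key] != null
    reads this`database, database[key]
  { database[key].fingerprint == key && database[key].isValid }
}

method Main() {
  var tc := new TokenController();
  var created := tc.createToken(0, 0);
  assert created;                                     // database was empty, so res must be true
  assert 0 in tc.database && tc.database[0] != null;  // validToken's precondition, from ensures
  var ok := tc.validToken(0);
  assert ok;                                          // needs the strengthened ensures above
}
```

Without the added ensures clause the call to validToken still verifies, because its precondition follows from createToken's first ensures, but the final assert ok does not, since nothing would relate fingerprint to key.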