Questions tagged [dafny]

Dafny is a programming language with built-in specification constructs.

Dafny is a verification-aware language: methods and functions carry preconditions, postconditions, loop invariants and termination measures, and the verifier (Boogie, backed by the Z3 SMT solver) checks them statically, so a program that verifies is proven to meet its specification rather than merely tested. Verified programs can then be compiled to other languages (C#, Java, JavaScript, Go and Python among them).

Home page: https://dafny.org/

485 questions
3 votes, 2 answers

Z3 model for correct Dafny method

For a correct method, can Z3 find a model for the method's verification condition? I had thought not, but here is an example where the method is correct yet verification finds a model. This was with Dafny 1.9.7.
Theodore Norvell
3 votes, 1 answer

How can I prompt Dafny to perform induction on a sequence?

I'm wondering what I need to add to the following to make it pass Dafny? function mapper (input: seq) : seq<(int, int)> ensures |mapper(input)| == |input| { if |input| == 0 then [] else [(0,input[0])] + mapper(input[1..]) } // given…
JRR
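One way to get an induction over a sequence through, as an added example that is not part of the question or any answer. The function mirrors the question's mapper; the element type seq<int> and the names MapperPairsElements and Client are assumptions (the excerpt shows only "seq"). The lemma's body follows the recursion of mapper, so the recursive call on input[1..] is the induction hypothesis:

```dafny
// Added example; not the question's code. Element type seq<int> is assumed.
function mapper(input: seq<int>): seq<(int, int)>
  ensures |mapper(input)| == |input|
{
  if |input| == 0 then []
  else [(0, input[0])] + mapper(input[1..])
}

// A property that needs induction on the sequence: every element of the
// result pairs 0 with the corresponding input element.
lemma MapperPairsElements(input: seq<int>)
  ensures forall i :: 0 <= i < |input| ==> mapper(input)[i] == (0, input[i])
{
  if |input| != 0 {
    // Induction hypothesis for the tail: for 0 <= i-1 < |input[1..]|,
    // mapper(input[1..])[i-1] == (0, input[1..][i-1]), and input[1..][i-1] == input[i].
    MapperPairsElements(input[1..]);
    // The head case i == 0 follows directly from the definition of mapper.
  }
}

method Client()
{
  var s := [7, 8, 9];
  MapperPairsElements(s);
  assert mapper(s)[2] == (0, 9);
}
```

Dafny often finds such inductions on its own for a lemma (the automatic induction heuristic), but stating the lemma and calling it explicitly on the structurally smaller argument is the robust form, and it is the shape to fall back on when a postcondition on the function itself is not enough.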
3 votes, 1 answer

Dafny: copy array region method validation

I am working on a language comparison of several languages created with verification in mind (Whiley, Dafny and Frama-C etc.) I was given this example of a function which copied a region of one array to another array with different placement within…
vivichrist
3 votes, 1 answer

Include one Dafny file in another

I want to reuse the same Dafny code in several programs. Is it possible to include one Dafny file in another? The manual does not describe any way to do it.
lexicalscope
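The include directive, shown as an added example that is not part of the question, any answer or the Dafny manual. The file names Lib.dfy and Main.dfy and the module name Lib are assumptions:

```dafny
// Added example; two files are assumed, shown one after the other.

// ---- Lib.dfy ----
module Lib {
  function Max(a: int, b: int): int {
    if a >= b then a else b
  }

  lemma MaxIsUpperBound(a: int, b: int)
    ensures a <= Max(a, b) && b <= Max(a, b)
  {
  }
}

// ---- Main.dfy ----
include "Lib.dfy"   // path is resolved relative to the including file

import opened Lib

method Main() {
  MaxIsUpperBound(3, 5);
  assert Max(3, 5) == 5;
  print "max = ", Max(3, 5), "\n";
}
```

The include line must appear at the top of the file before any declaration. Verifying Main.dfy (for example with `dafny verify Main.dfy` on the Dafny 4 command line) also verifies the included file, and wrapping the shared code in a module keeps its names from colliding with the including program's.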
2 votes, 1 answer

How to define exponential and log function for real variables in Dafny?

I have been trying to use Dafny for verification of some algorithms. In some parts, the calculation needs exponential and log functions, but Dafny does not offer any libraries or built-in math functions. I checked some other verification codes, for…
MogicFrog
2 votes, 1 answer

How to show that other elements are unchanged when modifying an element in an array of arrays?

I have an array of arrays and would like a method that changes one of the elements and can ensures that all the other elements are unchanged. This feels like it should be straightforward, but I've been banging my head against it for a while. "assert…
Ben Reynwar
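One way to frame such an update, as an added example that is not part of the question or any answer; the names SetCell, rows and Client are assumptions. The point a practitioner needs is in the precondition: the "other elements unchanged" postcondition is only true if the inner arrays are distinct objects, because two entries aliasing the same inner array would both change:

```dafny
// Added example; not the question's code.
method SetCell(rows: array<array<int>>, i: nat, k: nat, v: int)
  requires i < rows.Length && k < rows[i].Length
  // Rows must be distinct objects. If two entries alias one inner array,
  // writing through rows[i] also changes rows[j], and the frame
  // postcondition below would be false.
  requires forall p, q :: 0 <= p < q < rows.Length ==> rows[p] != rows[q]
  modifies rows[i]
  ensures rows[i][k] == v
  // The outer array is not in the modifies clause, so rows[j] is the same
  // object as before; for j != i that object is not modified either, so
  // its contents are unchanged.
  ensures forall j :: 0 <= j < rows.Length && j != i ==> rows[j][..] == old(rows[j][..])
  // Within the modified row, only index k changed.
  ensures forall m :: 0 <= m < rows[i].Length && m != k ==> rows[i][m] == old(rows[i][m])
{
  rows[i][k] := v;
}

method Client()
{
  var r0 := new int[2] [1, 2];
  var r1 := new int[2] [3, 4];
  var rows := new array<int>[2] [r0, r1];   // fresh objects, so r0 != r1
  SetCell(rows, 0, 1, 42);
  assert rows[0][0] == 1 && rows[0][1] == 42;
  assert rows[1][0] == 3 && rows[1][1] == 4;  // row 1 untouched
}
```

If rows may alias, the precondition cannot be stated this way; the postcondition then has to be weakened to "rows[j][..] is unchanged for every j with rows[j] != rows[i]".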
2 votes, 1 answer

Why does this Dafny function return an empty sequence?

I'm trying to prove that encoding/decoding a LEB128 (well actually LEB64) varint is lossless. Here's my code: function decode_varint(input: seq) : bv64 requires |input| > 0 { var byte := input[0]; var val := (byte & 0x7F) as bv64; …
Timmmm
2 votes, 1 answer

Decreases Clause for Expression Evaluation

I cannot seem to figure out why the following fails to establish termination; datatype Expr = Const(nat) | Add(Expr,Expr) function eval(e: Expr) : nat decreases e { match e case Const(v) => v case Add(e1,e2) =>…
redjamjar
2 votes, 2 answers

Dafny can't prove simple exists quantifier

This may be an extremely stupid question, but here goes: Why can Dafny verify this: var arr := new int[2]; arr[0], arr[1] := -1, -2; assert exists k :: 0 <= k < arr.Length && arr[k] < 0; but not this: var arr := new int[2]; arr[0], arr[1] := -1,…
arn
2 votes, 1 answer

Dafny question: How to sort the Dutch Flag problem with four colors?

I'm trying to sort the Dutch Flag problem with 4 colors instead of 3; it seems that Dafny does not really verify it, and I could not fix it either. This is my code: datatype Colour = RED | WHITE | PINK | BLUE method FlagSort(flag: array)…
user20483294
2 votes, 1 answer

Context's modifies clause violation for class with autocontracts

I have a simple class with autocontracts in Dafny that creates a new instance of itself. But Dafny says that "call might violate context's modifies clause" when I call foo.Add() inside the Bar method. I can't tell why I'm getting this error since the…
2 votes, 2 answers

dafny matrix expressions and functions

I'm trying to define a matrix transpose method and functions in Dafny. I'm having difficulty defining the function version. /** verifies **/ method transpose(matrix: array2) returns (result: array2) ensures result.Length0 ==…
Hath995
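A transpose with both a method and a function form, as an added example that is not part of the question or any answer; the names Transposed, transpose, m and r are assumptions. The caveat that trips people up: a Dafny function cannot allocate, so there is no function that returns a fresh array2. The function form is instead a pure, heap-reading description of one element (it needs a `reads` clause), and the method's postcondition is stated in terms of it:

```dafny
// Added example; not the question's code.

// Function form: the value the transpose has at (i, j). Functions may
// read the heap only with an explicit reads clause.
function Transposed(m: array2<int>, i: int, j: int): int
  requires 0 <= i < m.Length1 && 0 <= j < m.Length0
  reads m
{
  m[j, i]
}

// Method form: allocates the result and fills it, specified via Transposed.
method transpose(m: array2<int>) returns (r: array2<int>)
  ensures r.Length0 == m.Length1 && r.Length1 == m.Length0
  ensures forall i, j :: 0 <= i < r.Length0 && 0 <= j < r.Length1 ==> r[i, j] == Transposed(m, i, j)
{
  r := new int[m.Length1, m.Length0];
  var i := 0;
  while i < r.Length0
    invariant 0 <= i <= r.Length0
    invariant forall p, q :: 0 <= p < i && 0 <= q < r.Length1 ==> r[p, q] == m[q, p]
  {
    var j := 0;
    while j < r.Length1
      invariant 0 <= j <= r.Length1
      invariant forall p, q :: 0 <= p < i && 0 <= q < r.Length1 ==> r[p, q] == m[q, p]
      invariant forall q :: 0 <= q < j ==> r[i, q] == m[q, i]
    {
      r[i, j] := m[j, i];
      j := j + 1;
    }
    i := i + 1;
  }
}
```

Writes to r are allowed without a modifies clause because r is allocated inside the method; the inner invariant carries the rows already completed plus the prefix of the current row, which is what the outer invariant needs after the inner loop exits.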
2 votes, 1 answer

prove decreases clause of mutually recursive class functions

I'm having trouble showing how to ensure recursively decreasing functions on a tree class in Dafny. I have the following definitions which verify. class RoseTree { var NodeType: int var id: string var children: array ghost…
Hath995
2 votes, 1 answer

Asserted precondition might not hold in mutual inductive Dafny lemmas

I am trying to prove something about the semantics of programs with side-effects in Dafny using trees that record the interaction, following the free monad approach. Thus, what the semantics will produce are trees of the following shape (simplified…
2 votes, 1 answer

Why can't Dafny prove A[i-1] <= A[i] ensures A[i] <= A[j] for i <= j

ghost method lemma1(A:array) requires A.Length>2 requires forall i:: 0 <= i-1 < i < A.Length ==> A[i-1] <= A[i] ensures A[0] <= A[1] <= A[2] { } The code above works, but the following doesn't: ghost method…
fed4
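The general statement needs an induction that the fixed chain A[0] <= A[1] <= A[2] does not, which is why the first version goes through by itself and the second does not. Shown as an added example that is not part of the question or any answer; the names Sorted and Client are assumptions, and `lemma` is used in place of the older `ghost method` spelling:

```dafny
// Added example; not the question's code.
// Adjacent order implies order between any two indices, by induction on j - i.
lemma Sorted(A: array<int>, i: int, j: int)
  requires forall k :: 1 <= k < A.Length ==> A[k-1] <= A[k]
  requires 0 <= i <= j < A.Length
  ensures A[i] <= A[j]
  decreases j - i
{
  if i < j {
    // Induction hypothesis on the shorter span [i, j-1]: A[i] <= A[j-1].
    Sorted(A, i, j - 1);
    // The adjacency premise supplies A[j-1] <= A[j]; transitivity finishes it.
  }
}

method Client(A: array<int>)
  requires A.Length > 2
  requires forall k :: 1 <= k < A.Length ==> A[k-1] <= A[k]
{
  Sorted(A, 0, 2);
  assert A[0] <= A[2];
}
```

The verifier will not unroll the chain for arbitrary i and j on its own; the lemma gives it the one step at a time, and the `decreases` clause is what makes the recursive call a well-founded induction rather than a circular argument.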