Highest Voted 'dafny' Questions

2

votes

1 answer

how are sequences intended to be represented in Dafny?

Sequences in Dafny are an immutable type, so from a verification point of view, it doesn't matter how they are represented at runtime. But as functional programmers know, it's normal to represent lists in a functional language (under the hood, in a…

dafny

asked Oct 25 '21 at 16:07

Alley Stoughton

41
3

2

votes

1 answer

Method precondition fails after 4 calls to the method - Value uniqueness in array

I am trying to write a dafny program that has an array of a fixed size. This array can then be added to via a method if it has not been filled and the values being added do not already exist in the array. At first it seemed to run fine, however,…

arrays dafny

asked Apr 19 '21 at 03:47

Dan

7,286
6
49
114

2

votes

1 answer

Is it possible to call a function inside of a constructor in dafny?

I'm trying to flip a boolean when instantiating a class. But I'm getting the following error: " in the first division of the constructor body (before 'new;'), 'this' can only be used to assign to its fieldsResolver ". Is this really not possible?…

dafny formal-verification

asked Apr 08 '21 at 10:05

Joshua Kalejaiye

43
4

2

votes

1 answer

Dafny multisets

In a reference manual (http://www.cse.unsw.edu.au/~se2011/DafnyDocumentation/Dafny%20-%20ValueTypes.pdf), we can find: two multisets are equal if they have exactly the same count of each element. However, there is no violation if I assert: assert…

theorem-proving dafny multiset

asked Apr 07 '21 at 08:59

Theo Deep

666
4
15

2

votes

0 answers

Understanding the :fuel attribute in Dafny

The experimental :fuel attribute of a function (which defaults to 1) should control how many times a function is unfolded during proof search. However, it seems to work in an unexpected way, as illustrated next with an example based on the tests…

dafny

asked Dec 06 '20 at 07:18

Stefan Ciobaca

138
7

2

votes

1 answer

Proving size of Binary Search Tree in Dafny

I am trying to prove the correctness of a binary search tree implementation in Dafny, but I am struggling to prove that the computed size corresponds to the size of the elements set. So far I have written the following code: datatype TreeSet = …

dafny

asked Nov 27 '20 at 17:17

João Matos

21
1
2

2

votes

1 answer

For an array in Dafny whats the difference between old(a[0]) and old(a)[0]

For an array in Dafny, what's the difference between old(a[0]) and old(a)[0]? A method modifies an array 'a' by adding 1 to the first element. At the conclusion of the method, what is the value of old(a[0]) and old(a)[0]?

dafny

asked Nov 01 '20 at 05:17

MissyR

23
2

2

votes

1 answer

Why this dafny post-condition is not inferred?

I have proved some purely existential lemmas (with no out-results) in a similar constructive way to this one: https://rise4fun.com/Dafny/Wvly lemma DivModExistsUnique_Lemma (x:nat, y:nat) requires y != 0 ensures exists q:nat, r:nat :: x == y*q + r…

assert formal-languages dafny formal-verification formal-methods

asked Oct 08 '20 at 14:38

Biowav

140
7

2

votes

1 answer

How do you tell Dafny to use a lemma when validating termination

Dafny makes use of a decreases clause to verify that a recursive function terminates. When verification fails can Dafny be given a hint, in this case in the form of a lemma. How to I tell Dafny to use the lemma when checking that the decreases…

terminate hint dafny

asked Sep 21 '20 at 02:34

david streader

589
2
7

2

votes

1 answer

How can I define a decreases for mutually recursive functions in Dafny?

In the "Draft Dafny Reference Manual" 4.0.2 it describes defining decreases clauses for mutually recursive functions but where the variables decreasing in both functions are of the type nat. I have tried to do the same thing but it has not…

dafny mutual-recursion

asked Sep 16 '20 at 09:15

david streader

589
2
7

2

votes

1 answer

dafny modeling integer overflow

Can Dafny model integer overflow? I was surprised when Dafny proved the following: method overflow(c : int) { if (c > 0) { assert((c+1) > 0); } } What am I missing?

integer-overflow dafny

asked Sep 16 '20 at 08:14

OrenIshShalom

5,974
9
37
87

2

votes

1 answer

Can Dafny verify summing elements from the right?

Hi I gather that when performing induction Dafny unfold the specification of a function. Thus when writing a method that implements the function it is best to traverse an array in the similar direction. This understanding corresponds the behaviour…

loops dafny induction

asked Sep 12 '20 at 04:44

david streader

589
2
7

2

votes

1 answer

What does Dafny know about loops with a break?

I am used to loops while Grd invariant Inv { ..} assert Inv && !Grd; with out any break Dafny knows that Inv && ! Grd is true but: Dafny does not check the loop invariant after a break; command. Hence method tester(s:seq) returns (r:int)…

iteration break dafny

asked Sep 08 '20 at 19:50

david streader

589
2
7

2

votes

1 answer

why do we use implication instead of conjugation in dafny when describing forall?

I do not understand why we use ==> instead of just using && all the time to perform implication. Take this code I found online, for example: var a: array := new int[3]; a[0], a[1], a[2] := 1,1,1; assert forall j:: 0 <= j < a.length ==> a[j]…

dafny

asked Aug 31 '20 at 22:54

harry_2381

21
1

2

votes

1 answer

Assertion, forall, and maps: Universal quantifiers does not work with maps

In this example, I insert only one value in a map and I try to assert that any two keys in this map is the same. However the assertion fails. Here is the link. datatype HostState = HostState(counter:nat, vote: map>) predicate…

dafny

asked Aug 29 '20 at 01:42

Shravan

2,553
2
16
19

Questions tagged [dafny]