Questions tagged [dafny]

Dafny is a programming language with built-in specification constructs. The Dafny static program verifier can be used to verify the functional correctness of programs.

The Dafny programming language is designed to support the static verification of programs. It is imperative and sequential, supports generic classes, dynamic allocation, and inductive datatypes, and builds specification constructs into the language itself. The specifications include pre- and postconditions (`requires` and `ensures`), frame specifications (`reads` and `modifies` clauses that name the heap locations a function may read or a method may write), and termination metrics (`decreases` clauses). To further support specifications, the language also offers updatable ghost variables, recursive functions and lemmas, and value types such as sets and sequences. Specifications and ghost constructs are used only during verification; the compiler omits them from the executable code, so they cost nothing at run time.

The Dafny verifier runs as part of the compiler. A programmer therefore interacts with it much as with the static type checker: when the tool reports an error, the programmer responds by changing the program's type declarations, specifications (invariants, lemmas, assertions), and statements until the proof goes through. Because the underlying SMT solver is incomplete, a verification error does not always mean the program is wrong; it may only mean the verifier needs an additional hint such as a loop invariant or a lemma call.

Home page: http://research.microsoft.com/en-us/projects/dafny/
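The following program is an added illustration of the constructs listed above (pre- and postconditions, `reads` and `modifies` frames, `decreases` clauses, a ghost lemma, loop invariants, and the built-in `seq` and `set` types). It is not taken from the Dafny project or from any question on this page; the names `SumTo`, `SumToNonNegative`, `PrefixSums` and `Distinct` are the example's own.

```dafny
// Added example, not from the Dafny project: a small program exercising
// Dafny's specification constructs. All identifiers are invented for it.

// A recursive function usable in specifications. `reads a` is its read
// frame; `decreases n` is the termination metric the verifier checks.
function SumTo(a: array<int>, n: nat): int
  requires n <= a.Length
  reads a
  decreases n
{
  if n == 0 then 0 else SumTo(a, n - 1) + a[n - 1]
}

// A lemma is a ghost method: it exists only for the proof and is erased by
// the compiler. Dafny proves this one by induction on n.
lemma SumToNonNegative(a: array<int>, n: nat)
  requires n <= a.Length
  requires forall k :: 0 <= k < a.Length ==> 0 <= a[k]
  ensures 0 <= SumTo(a, n)
  decreases n
{
  if n > 0 { SumToNonNegative(a, n - 1); }
}

// Prefix sums into a fresh array: b[i] == a[0] + ... + a[i].
// No `modifies` clause is needed because `b` is allocated inside the method;
// `fresh(b)` records that fact for callers.
method PrefixSums(a: array<int>) returns (b: array<int>)
  ensures fresh(b) && b.Length == a.Length
  ensures forall i :: 0 <= i < b.Length ==> b[i] == SumTo(a, i + 1)
  ensures (forall k :: 0 <= k < a.Length ==> 0 <= a[k])
          ==> forall i :: 0 <= i < b.Length ==> 0 <= b[i]
{
  b := new int[a.Length];
  var i := 0;
  while i < a.Length
    invariant 0 <= i <= a.Length
    invariant forall k :: 0 <= k < i ==> b[k] == SumTo(a, k + 1)
    decreases a.Length - i
  {
    b[i] := (if i == 0 then 0 else b[i - 1]) + a[i];
    i := i + 1;
  }
  // Ghost proof step for the last postcondition: the `forall` statement
  // invokes the lemma at every index. The compiler emits nothing for it.
  forall i | 0 <= i < b.Length && (forall k :: 0 <= k < a.Length ==> 0 <= a[k])
    ensures 0 <= b[i]
  {
    SumToNonNegative(a, i + 1);
  }
}

// `seq` and `set` are built-in value types, so no frame clauses are needed.
// The invariant relates set membership to the indices visited so far.
method Distinct(s: seq<int>) returns (d: set<int>)
  ensures forall x :: x in d <==> x in s
{
  d := {};
  var i := 0;
  while i < |s|
    invariant 0 <= i <= |s|
    invariant forall x :: x in d <==> exists k :: 0 <= k < i && s[k] == x
    decreases |s| - i
  {
    d := d + {s[i]};
    i := i + 1;
  }
}

method Main() {
  // Constructed sample input.
  var a := new int[4];
  a[0], a[1], a[2], a[3] := 3, 1, 4, 1;
  var b := PrefixSums(a);
  print b[..], "\n";          // expected [3, 4, 8, 9]
  var d := Distinct([3, 1, 4, 1, 5, 9, 2, 6, 5]);
  print |d|, "\n";            // expected 7
}
```

Running `dafny run` on the file both verifies and executes it; removing the `decreases` clause on `SumTo`, the loop invariant in `PrefixSums`, or the lemma call in the `forall` statement produces the kind of error the wiki describes, which is fixed by restoring the specification rather than by changing the executable code.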

328 questions
17
votes
1 answer

What's the difference between Lean, F*, and Dafny?

They are from Microsoft and seem like they are proof assistants? Besides syntactical differences are there practical aspects that make them different from one another (say ability to do automation, expressive power, etc)? I am new to formal…
JRR
  • 5,290
  • 4
  • 32
  • 54
15
votes
1 answer

Proving the 100 Prisoners and a lightbulb with Dafny

Consider the standard strategy to solve the 100 prisoners and a lightbulb problem. Here's my attempt to model it in Dafny: method strategy(P: set, Special: T) returns (count: int) requires |P| > 1 && Special in P ensures count == (|P| -…
Hugo Sereno Ferreira
  • 8,665
  • 6
  • 41
  • 88
7
votes
1 answer

Reading from (Writing to) files in Dafny

I've been looking at some Dafny tutorials and couldn't find how to read from (or write to) simple text files. Surely this has to be possible, right?
OrenIshShalom
  • 3,258
  • 4
  • 18
  • 39
6
votes
1 answer

Dafny context modifies clause error

I am having a really hard time getting rid of the last error in my Dafny program. Can someone point me in the right direction? Here is the code: http://rise4fun.com/Dafny/2FPo I am getting this error: assignment may update an array element not in…
Adrien Pecher
  • 315
  • 5
  • 13
4
votes
1 answer

While loop termination with null references in Dafny linked list implementation

I am new to Dafny and am trying to write a simple linked list implementation that adds all the integers stored in a linked list. Here is the code: class Node { var elem: int; var next: Node?; constructor (data: int) { elem := data; next :=…
4
votes
1 answer

How to get a C# program from a Dafny program?

I cannot see how to get a C# program from a Dafny program. I've downloaded Dafny in Visual Studio Code and also downloaded C#. I have a program in Dafny and can right-click on the program and choose Compile and Run, but I'd like to generate a C#…
LyX2394
  • 101
  • 5
4
votes
1 answer

(Dafny) Adding elements of an array into another - loop invariant

I have a function sum that takes two arrays a and b as inputs and modifies b such that b[i] = a[0] + a[1] + ... + a[i]. I wrote this function and want to verify it with Dafny. However, Dafny tells me that my loop invariant might not be maintained…
Dory
  • 129
  • 7
4
votes
1 answer

Selection Sort in Dafny

I am trying to implement selection sort in Dafny. My sorted and FindMin functions do work, but selectionsort itself contains assertions which Dafny will not prove, even if they are correct. Here is my program: predicate sorted(a:array,i:int) …
hacatu
  • 580
  • 4
  • 14
3
votes
1 answer

How can I write a Dafny axiom about a function that reads the heap?

Is there a way to encode a function that reads the heap and returns a heap-independent snapshot? This would be very useful for an experimental encoding I would like to develop. For example, I tried writing a Dafny function called edges that I plan…
Arshavir
  • 41
  • 3
3
votes
1 answer

Asserting about the return value of a method involving sequences

I'm a beginner with Dafny, and I'm wondering why the assertion just before the print in the Main method is violated. I'm trying to find the rightmost index where an item should be inserted in order to preserve the order in the sequence, which in…
lilezek
  • 5,800
  • 19
  • 43
3
votes
1 answer

Dafny no terms to trigger on predicate

I have the following snippet Dafny code for a tic tac toe game to check if player 1 has a winning row on the board: predicate isWinRowForPlayer1(board: array2) reads board requires board.Length0 == board.Length1 == 3 &&…
Jofbr
  • 378
  • 1
  • 16
3
votes
1 answer

Dafny: What does no terms found to trigger on mean?

I am getting a warning in Dafny which says that my quantifiers have No terms found to trigger on. What I am trying to do for my code is to find the largest number that has a square value that is less than or equal to the given natural number 'n'.…
Chris
  • 41
  • 1
  • 4
3
votes
1 answer

Show loopy evenness in Dafny

This is the code I’m trying to prove: function rec_even(a: nat) : bool requires a >= 0; { if a == 0 then true else if a == 1 then false else rec_even(a - 2) } method Even(key: int) returns (res: bool) requires key >=…
rausted
  • 941
  • 5
  • 18
3
votes
1 answer

How do I iterate over the elements of a finite set object in Dafny?

What is the best way to iterate over the elements of a finite set object in Dafny? An example of working code would be delightful.
Kevin S
  • 407
  • 2
  • 9
3
votes
1 answer

Different "sorted" predicates should be equivalent in Dafny

According to Automating Induction with an SMT Solver the following should work on Dafny: ghost method AdjacentImpliesTransitive(s: seq) requires ∀ i • 1 ≤ i < |s| ==> s[i-1] ≤ s[i]; ensures ∀ i,j {:induction j} • 0 ≤ i < j < |s| ==> s[i] ≤…
fulem
  • 43
  • 6