Diffstat (limited to 'Chalice/tests')
267 files changed, 0 insertions, 10937 deletions
diff --git a/Chalice/tests/examples/AVLTree.iterative.chalice b/Chalice/tests/examples/AVLTree.iterative.chalice
deleted file mode 100644
index 4156a73f..00000000
--- a/Chalice/tests/examples/AVLTree.iterative.chalice
+++ /dev/null
@@ -1,227 +0,0 @@
-class AVLTree{
- var root : AVLTreeNode;
-
- predicate valid{
- acc(root,100)
- && (root!=null ==> root.valid)
- && (root!=null ==> acc(root.parent,100))
- && (root!=null ==> root.parent==null)
- && (root!=null ==> acc(root.root,50))
- && (root!=null ==> root.root==root)
- }
-
- method init()
- requires acc(root,100);
- ensures valid;
- {
- root := null;
- fold valid;
- }
-
- method has(k : int) returns (b : bool)
- requires valid;
- ensures valid;
- {
- unfold valid;
- if (root==null){
- b := false;
- fold valid;
- }else{
- var n : AVLTreeNode := root;
- b := false;
- var end : bool := false;
- fold n.udParentValid;
- while (!end)
- invariant acc(root,100);
- invariant root != null && acc(root.parent,50);
- invariant n!=null;
- invariant n.valid;
- invariant acc(n.root,40);
- invariant n.udParentValid;
- invariant unfolding n.valid in n.root==root;
- invariant root!=null;
- {
- unfold n.valid;
- unfold n.validRest;
- if (n.key==k){
- b := true;
- fold n.validRest;
- fold n.valid;
- end := true;
- }else{
- if (n.key<k){
- if (n.left==null){
- end := true;
- fold n.validRest;
- fold n.valid;
- }else{
- var p : AVLTreeNode := n;
- unfold p.leftValid;
- n := p.left;
- p.leftDown := true;
- fold p.leftOpen;
- fold p.udValid;
- assert p.right!=p.left;
- assert n.parent.left==n;
- fold n.udParentValid;
- }
- }else{
- if (n.right==null){
- end := true;
- fold n.validRest;
- fold n.valid;
- }else{
- var p : AVLTreeNode := n;
- unfold p.rightValid;
- n := p.right;
- p.leftDown := false;
- fold p.rightOpen;
- fold p.udValid;
- fold n.udParentValid;
- }
- }
- }
- }
-
- end := false;
- while (!end)
- invariant acc(root,100);
- invariant root != null && acc(root.parent,50);
- invariant n!=null;
- invariant n.valid;
- invariant n.udParentValid;
- invariant acc(n.root,40);
- invariant unfolding n.valid in n.root==root;
- invariant root!=null;
- invariant end==>unfolding n.udParentValid in n.parent==null;
- {
- unfold n.udParentValid;
- var p : AVLTreeNode := n.parent;
- if (p==null){
- end := true;
- fold n.udParentValid;
- }else{
- unfold p.udValid;
- if (p.left==n){
- unfold p.leftOpen;
- fold p.leftValid;
- }else{
- unfold p.rightOpen;
- fold p.rightValid;
- }
- fold p.validRest;
- fold p.valid;
- n:=p;
- }
- }
- assert unfolding n.udParentValid in n==root;
- assert acc(n.root,40);
- unfold n.udParentValid;
- assert acc(n.root,50);
- fold valid;
- }
- }
-}
-
-class AVLTreeNode{
- var key : int;
- var left : AVLTreeNode;
- var right : AVLTreeNode;
- var parent : AVLTreeNode;
-
- ghost var leftDown : bool;
- ghost var root : AVLTreeNode;
-
- predicate valid{
- validRest
- && leftValid
- && rightValid
- }
-
- predicate validRest{
- acc(key ,100)
- && acc(root, 30)
- && acc(left ,75)
- && acc(right ,75)
- && acc(leftDown,100)
- && (right!=left || right==null)
- }
-
- predicate rightValid{
- acc(right ,25)
- && acc(root,10)
- && (right!=null ==> right.valid)
- && (right!=null ==> acc(right.parent,100))
- && (right!=null ==> right.parent==this)
- && (right!=null ==> acc(right.root,50))
- && (right!=null ==> right.root==root)
- }
- predicate leftValid{
- acc(left ,25)
- && acc(root,10)
- && (left!=null ==> left.valid)
- && (left!=null ==> acc(left.parent,100))
- && (left!=null ==> left.parent == this)
- && (left!=null ==> acc(left.root,50))
- && (left!=null ==> left.root == root)
- }
-
- predicate leftOpen{
- acc(left ,25)
- && acc(root,10)
- && (left!=null ==> acc(left.parent,50))
- && (left!=null ==> left.parent==this)
- }
-
- predicate rightOpen{
- acc(right ,25)
- && acc(root,10)
- && (right!=null ==> acc(right.parent,50))
- && (right!=null ==> right.parent==this)
- }
-
- predicate udParentValid {
- acc(parent,50)
- && acc(root,10)
- && (parent!=null ==> parent.udValid)
- && (parent!=null ==> acc(parent.leftDown,50))
- && (parent!=null ==> acc(parent.left,50))
- && (parent!=null ==> ( parent.leftDown<==>parent.left==this))
- && (parent!=null ==> acc(parent.right,50))
- && (parent!=null ==> (!parent.leftDown<==>parent.right==this))
- && (parent!=null ==> acc(parent.root,50))
- && (parent!=null ==> root==parent.root)
- && (parent==null ==> root==this)
- }
-
- predicate udValid{
- acc(key ,100)
- && acc(leftDown,50)
- && acc(left ,25)
- && acc(right ,25)
- && acc(root ,20)
- && ( leftDown ==> rightValid)
- && ( leftDown ==> leftOpen )
- && (!leftDown ==> leftValid )
- && (!leftDown ==> rightOpen )
- && udParentValid
- }
-
- method init(k : int)
- requires acc(key ,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(leftDown ,100);
- requires acc(root, 100);
- ensures valid;
- {
- left := null;
- right := null;
- key := k;
-
- fold leftValid;
- fold rightValid;
- fold validRest;
- fold valid;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/AVLTree.iterative.output.txt b/Chalice/tests/examples/AVLTree.iterative.output.txt
deleted file mode 100644
index 9b8797ef..00000000
--- a/Chalice/tests/examples/AVLTree.iterative.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of AVLTree.iterative.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/AVLTree.nokeys.chalice b/Chalice/tests/examples/AVLTree.nokeys.chalice
deleted file mode 100644
index 721541f2..00000000
--- a/Chalice/tests/examples/AVLTree.nokeys.chalice
+++ /dev/null
@@ -1,609 +0,0 @@
-class AVLTree{
- var root : AVLTreeNode;
-
- predicate valid{
- acc(root,100)
- && (root!=null ==> root.valid)
- && (root!=null ==> acc(root.height ,50))
- && (root!=null ==> acc(root.balanceFactor,50))
- }
-
- method init()
- requires acc(root,100);
- ensures valid;
- {
- root := null;
- fold valid;
- }
-
- method insert(k : int)
- requires valid;
- ensures valid;
- {
- unfold valid;
- if (root==null){
- var n : AVLTreeNode := new AVLTreeNode;
- call n.init(k);
- root := n;
- }else{
- call r := root.insert(k);
- root := r;
- }
- fold valid;
- }
-
- method remove(k : int)
- requires valid;
- ensures valid;
- {
- unfold valid;
- if (root==null){
- }else{
- call r := root.remove(k);
- root := r;
- }
- fold valid;
- }
-
- method has(k : int) returns (b : bool)
- requires valid;
- ensures valid;
- {
- unfold valid;
- if (root==null){
- b := false;
- }else{
- var bb : bool;
- call bb:= root.has(k);
- b := bb;
- }
- fold valid;
- }
-}
-
-class AVLTreeNode{
- var key : int;
- var height : int;
- var left : AVLTreeNode;
- var right : AVLTreeNode;
- ghost var balanceFactor : int;
-
- predicate valid{
- acc(key ,100)
- && acc(height,50)
- && acc(left ,100)
- && acc(right ,100)
- && acc(balanceFactor,50)
- && (left!=null ==> left.valid)
- && (left!=null ==> acc(left.height ,50))
- && (left!=null ==> acc(left.balanceFactor,50))
- && (left!=null ==> left.height > 0)
- && (right!=null ==> right.valid)
- && (right!=null ==> acc(right.height ,50))
- && (right!=null ==> acc(right.balanceFactor,50))
- && (right!=null ==> right.height > 0)
- && height == ( (left==null?0:left.height)>(right==null?0:right.height) ? (left==null?0:left.height)+1 : (right==null?0:right.height)+1 )
- && balanceFactor == (left==null?0:left.height) - (right==null?0:right.height)
- && balanceFactor<= 1
- && balanceFactor>=-1
- && height > 0
- }
-
- method init(k : int)
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100)
- ensures valid;
- ensures acc(height,50);
- ensures acc(balanceFactor,50);
- ensures height == 1;
- ensures balanceFactor == 0;
- {
- left := null;
- right := null;
- key := k;
- call close();
- }
-
- method insert(k : int) returns ( r : AVLTreeNode )
- requires valid;
- requires acc(height,50);
- requires acc(balanceFactor,50);
- ensures r != null;
- ensures r.valid;
- ensures acc(r.height,50);
- ensures acc(r.balanceFactor,50);
- ensures ( r.height == old(height) ) || ( r.height == old(height) + 1 );
- {
- unfold valid;
- if (key==k){
- r := this;
- call r.close();
- }else{ //key!=k
- if (k<key){ // insert left
- var nl : AVLTreeNode;
- if (left==null){
- nl := new AVLTreeNode;
- call nl.init(k);
- }else{
- call nl := left.insert(k);
- }
- left := nl;
- var bf : int;
- call bf := getBalanceFactorI();
-
- if (bf==2){ //rebalance
- call r:= rebalanceLeft();
- }else{ //no rebalance
- r := this;
- call r.close();
- }
- }else{ // k>key -- insert right
- var nr : AVLTreeNode;
- if (right==null){
- nr := new AVLTreeNode;
- call nr.init(k);
- }else{
- call nr := right.insert(k);
- }
- right := nr;
-
- var bf : int;
- call bf := getBalanceFactorI();
- if (bf==-2){ //rebalance
- call r := rebalanceRight();
- }else{//no rebalance
- r := this;
- call r.close();
- }
- }
- }
- }
-
- method remove(k : int) returns ( r : AVLTreeNode )
- requires valid;
- requires acc(height,50);
- requires acc(balanceFactor,50);
- ensures r != null ==> r.valid;
- ensures r != null ==> acc(r.height,50);
- ensures r != null ==> acc(r.balanceFactor,50);
- ensures old(height)>1 ==> r!=null;
- ensures r != null ==> r.height==old(height) || r.height+1==old(height);
- {
- unfold valid;
- if (key==k){
- if (left==null || right==null){
- if (left==null){ // replace with right
- r := right;
- }else{ // right==null
- r := left;
- }
- }else{ // prune max/min of left/right
- var bf : int;
- var nl : AVLTreeNode := left;
- var nr : AVLTreeNode := right;
-
- call bf := getBalanceFactorI();
- if (bf > 0 ){ // left larger - prune leftmax
- call nl,r := left.pruneMax();
- }else{ // right larger equal - prune rightmin
- call nr,r := right.pruneMin();
- }
- unfold r.valid;
- r.left := nl;
- r.right := nr;
- call r.close();
- }
- }else{ //key!=k
- if (k<key){ // remove left
- if (left!=null){
- var nl : AVLTreeNode;
- call nl := left.remove(k);
- left := nl;
-
- var bf : int;
- call bf := getBalanceFactorI();
-
- if (bf==-2){ // rebalance
- call r:=rebalanceRight();
- }else{ // no rebalance
- call close();
- r := this;
- }
- }else{
- r := this;
- call r.close();
- }
- }else{ // k>key -- remove right
- if (right != null){
- var nr : AVLTreeNode;
- call nr := right.remove(k);
- right := nr;
-
- var bf : int;
- call bf := getBalanceFactorI();
- if (bf==2){ // rebalance
- call r := rebalanceLeft();
- }else{ // no rebalance
- r := this;
- call r.close();
- }
- }else{
- r := this;
- call r.close();
- }
- }
- }
- }
-
- method pruneMax() returns ( r : AVLTreeNode, m : AVLTreeNode )
- requires valid;
- requires acc(height,50);
- requires acc(balanceFactor,50);
- ensures r != null ==> r.valid;
- ensures r != null ==> acc(r.height,50);
- ensures r != null ==> acc(r.balanceFactor,50);
- ensures r != null ==> (r.height == old(height) || r.height+1 == old(height));
- ensures old(height) >1 ==> r != null;
- ensures old(height)==1 ==> r == null;
- ensures old(height)==(r==null?0:r.height) || old(height)==(r==null?0:r.height)+1;
- ensures m != null;
- ensures m.valid;
- ensures acc(m.height,50);
- ensures acc(m.balanceFactor,50);
- ensures m.height == 1;
- {
- unfold valid;
- if (right==null){
- r := left;
- left := null;
- call close();
- m := this;
- }else{
- var nr : AVLTreeNode;
- call nr,m := right.pruneMax();
- right := nr;
- var bf : int;
- call bf := getBalanceFactorI();
- if (bf == 2){
- call r:=rebalanceLeft();
- }else{
- call close();
- r := this;
- }
- }
- }
-
- method pruneMin() returns ( r : AVLTreeNode, m : AVLTreeNode )
- requires valid;
- requires acc(height,50);
- requires acc(balanceFactor,50);
- ensures r != null ==> r.valid;
- ensures r != null ==> acc(r.height,50);
- ensures r != null ==> acc(r.balanceFactor,50);
- ensures r != null ==> (r.height == old(height) || r.height == old(height)-1);
- ensures old(height) >1 ==> r != null;
- ensures old(height)==1 ==> r == null;
- ensures old(height)==(r==null?0:r.height) || old(height)==(r==null?0:r.height)+1;
- ensures m != null;
- ensures m.valid;
- ensures acc(m.height,50);
- ensures acc(m.balanceFactor,50);
- ensures m.height == 1;
- {
- unfold valid;
- if (left==null){
- r := right;
- right := null;
- call close();
- m := this;
- assert r!=null ==> (r.height == old(height) || r.height == old(height)-1);
- }else{
- var nl : AVLTreeNode;
- call nl,m := left.pruneMin();
- left := nl;
- var bf : int;
- call bf := getBalanceFactorI();
- if (bf == -2){
- call r:=rebalanceRight();
- assert r != null ==> (r.height == old(height) || r.height == old(height)-1);
- }else{
- call close();
- r := this;
- assert r != null ==> (r.height == old(height) || r.height == old(height)-1);
- }
- }
- }
-
- method has(k : int) returns (b : bool)
- requires valid;
- ensures valid;
- {
- unfold valid;
- if (k==key){
- b := true;
- }else{ //k!=key
- if (k < key){
- if (left!=null){
- call b := left.has(k);
- }else{
- b := false;
- }
- }else{ //k > key;
- if (right!=null){
- call b := right.has(k);
- }else{
- b := false;
- }
- }
- }
- fold valid;
- }
-
- method getBalanceFactor() returns ( bf : int )
- requires valid;
- requires rd(balanceFactor);
-
- ensures valid;
- ensures rd(balanceFactor);
- ensures bf == balanceFactor;
-
- ensures unfolding valid in bf>0 ==> left !=null;
- ensures unfolding valid in bf<0 ==> right!=null;
- {
- unfold valid;
- var lh : int := (left ==null ? 0 : left .height );
- var rh : int := (right==null ? 0 : right.height );
- bf := lh-rh;
-
- fold valid;
- }
-
- //////////////////////////////////////////////////////////
- method getBalanceFactorI() returns ( bf : int )
- requires rd(left);
- requires left!=null ==> left.valid;
- requires left!=null ==> rd(left.height);
- requires rd(right);
- requires right!=null ==> right.valid;
- requires right!=null ==> rd(right.height);
- ensures rd(left);
- ensures left!=null ==> left.valid;
- ensures left!=null ==> rd(left.height);
- ensures rd(right);
- ensures right!=null ==> right.valid;
- ensures right!=null ==> rd(right.height);
- ensures bf == (left==null?0:left.height)-(right==null?0:right.height);
- ensures bf>0 ==> left !=null;
- ensures bf<0 ==> right!=null;
- {
- var lh : int := (left ==null ? 0 : left .height );
- var rh : int := (right==null ? 0 : right.height );
- bf := lh-rh;
- assert right!=null ==> unfolding right.valid in right.height>0;
- assert left !=null ==> unfolding left .valid in left .height>0;
- assert lh>=0;
- assert rh>=0;
- }
-
- method close()
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null ==> left.valid;
- requires left!=null ==> acc(left.height ,50);
- requires left!=null ==> acc(left.balanceFactor,50);
- requires right!=null ==> right.valid;
- requires right!=null ==> acc(right.height ,50);
- requires right!=null ==> acc(right.balanceFactor,50);
- requires ( left==null ? 0 : left.height )-( right==null ? 0 : right.height ) <= 1;
- requires ( left==null ? 0 : left.height )-( right==null ? 0 : right.height ) >=-1;
- ensures valid;
- ensures acc(height ,50);
- ensures acc(balanceFactor,50);
- ensures height ==
- ( ( old(left)==null ? 0 : old(left.height) )>( old(right)==null ? 0 : old(right.height) )
- ?
- ( old(left)==null ? 0 : old(left.height) )+1
- :
- ( old(right)==null ? 0 : old(right.height))+1
- );
- ensures balanceFactor ==
- ( old(left)==null ? 0 : old(left.height) )-( old(right)==null ? 0 : old(right.height) );
- {
- var lh : int := (left ==null ? 0 : left .height );
- var rh : int := (right==null ? 0 : right.height );
-
- assert left !=null ==> unfolding left .valid in left .height>0;
- assert right!=null ==> unfolding right.valid in right.height>0;
- height := ( (( left==null ? 0 : left.height )>( right==null ? 0 : right.height )) ? ( left==null ? 0 : left.height )+1 : ( right==null ? 0 : right.height )+1);
-
- balanceFactor := ( left==null ? 0 : left.height )-( right==null ? 0 : right.height );
-
- fold valid;
- }
-
- method rebalanceLeft() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null;
- requires left.valid;
- requires acc(left.height ,50);
- requires acc(left.balanceFactor,50);
- requires right!=null ==> right.valid;
- requires right!=null ==> acc(right.height ,50)
- requires right!=null ==> acc(right.balanceFactor,50)
- requires left.height-(right==null?0:right.height)==2;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(left.height) || r.height == old(left.height)+1;
- {
- var lbf : int;
- call lbf := left.getBalanceFactor();
- if (lbf<0){
- assert unfolding left.valid in lbf==-1;
- call r := rebalanceRL();
- }else{//lbf>=0
- call r := rebalanceRR();
- }
- }
-
- method rebalanceRL() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null;
- requires left.valid;
- requires acc(left.height ,50);
- requires acc(left.balanceFactor,50);
- requires right!=null ==> right.valid;
- requires right!=null ==> acc(right.height ,50)
- requires right!=null ==> acc(right.balanceFactor,50)
- requires left.height-(right==null?0:right.height)==2;
- requires left.balanceFactor==-1;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(left.height);
- {
- unfold left.valid;
- r := left.right;
- unfold r.valid;
-
- left.right := r.left;
- call left.close();
- r.left := left;
- left := r.right;
-
- call close();
- r.right := this;
- call r.close();
- }
-
- method rebalanceRR() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null;
- requires left.valid;
- requires acc(left.height ,50);
- requires acc(left.balanceFactor,50);
- requires right!=null ==> right.valid;
- requires right!=null ==> acc(right.height ,50)
- requires right!=null ==> acc(right.balanceFactor,50)
- requires left.height - (right==null?0:right.height)==2;
- requires left.balanceFactor>=0;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(left.height) || r.height == old(left.height)+1;
- {
- unfold left.valid;
- r := left;
- left := r.right;
- call close();
- r.right := this;
- call r.close();
- }
-
- method rebalanceRight() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null==>left.valid;
- requires left!=null==>acc(left.height ,50);
- requires left!=null==>acc(left.balanceFactor,50);
- requires right!=null;
- requires right.valid;
- requires acc(right.height ,50)
- requires acc(right.balanceFactor,50)
- requires (left==null?0:left.height)-right.height==-2;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(right.height) || r.height == old(right.height)+1;
- {
- var rbf : int;
- call rbf := right.getBalanceFactor();
- if (rbf>0){
- assert unfolding right.valid in rbf==1;
- call r := rebalanceLR();
- }else{//rbf<=0
- call r := rebalanceLL();
- }
- }
-
- method rebalanceLR() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null==>left.valid;
- requires left!=null==>acc(left.height ,50);
- requires left!=null==>acc(left.balanceFactor,50);
- requires right!=null;
- requires right.valid;
- requires acc(right.height ,50);
- requires acc(right.balanceFactor,50);
- requires (left==null?0:left.height)-right.height==-2;
- requires right.balanceFactor==1;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(right.height);
- {
- unfold right.valid;
- r := right.left;
- unfold r.valid;
- right.left := r.right;
- call right.close();
- r.right := right;
- right := r.left;
- call close();
- r.left := this;
- call r.close();
- }
-
- method rebalanceLL() returns ( r : AVLTreeNode )
- requires acc(key ,100);
- requires acc(height,100);
- requires acc(left ,100);
- requires acc(right ,100);
- requires acc(balanceFactor,100);
- requires left!=null==>left.valid;
- requires left!=null==>acc(left.height ,50);
- requires left!=null==>acc(left.balanceFactor,50);
- requires right!=null;
- requires right.valid;
- requires acc(right.height ,50);
- requires acc(right.balanceFactor,50);
- requires (left==null?0:left.height)-right.height==-2;
- requires right.balanceFactor<=0;
- ensures r != null && r.valid;
- ensures acc(r.height ,50);
- ensures acc(r.balanceFactor,50);
- ensures r.height == old(right.height) || r.height == old(right.height)+1;
- {
- unfold right.valid;
- r := right;
- right := r.left;
- call close();
- r.left := this;
- call r.close();
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/AVLTree.nokeys.output.txt b/Chalice/tests/examples/AVLTree.nokeys.output.txt
deleted file mode 100644
index 49850add..00000000
--- a/Chalice/tests/examples/AVLTree.nokeys.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of AVLTree.nokeys.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/AssociationList.chalice b/Chalice/tests/examples/AssociationList.chalice
deleted file mode 100644
index 418bcd12..00000000
--- a/Chalice/tests/examples/AssociationList.chalice
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- Note: This example seems to be completely broken. The failing assertion
- about locking/unlocking too much causes an inconsistency and all following
- assertions pass by default.
- It seems that the specification, in particular the loop invariant in method
- Add, is wrong. (see also http://boogie.codeplex.com/workitem/10207)
- -- August 2011, Stefan Heule
-*/
-
-class Client {
- method Main(d: Data)
- requires d != null
- {
- var a := new AssociationList
- call a.Init()
- call a.Add(5, d)
- call a.Add(10, d)
- var t: Data
- call t := a.Get(10)
- }
-}
-
-class AssociationList {
- var head: Node // sentinel
- invariant rd(head) && head != null
- invariant rd(mu) && rd(head.mu) && this << head
-
- method Init()
- requires acc(head) && acc(mu) && mu == lockbottom
- ensures acc(mu) && waitlevel << this
- {
- head := new Node
- head.next := null
- share head
- share this between waitlevel and head
- }
-
- method Add(key: int, value: Data)
- requires value != null
- requires rd(mu) && waitlevel << this
- ensures rd(mu)
- {
- acquire this
- var p: Node := head
- acquire p
- release this
-
- var n := new Node
- n.key := key
- n.value := value
- n.next := p.next
- p.next := n
- share n between p and n.next
- release p
- }
-
- method Get(key: int) returns (d: Data)
- requires rd(mu) && waitlevel << this
- ensures rd(mu)
- {
- d := null
- acquire this
- var p: Node := head
- acquire p
- release this
-
- if (p.next != null) {
- acquire p.next
- if (p.next.key == key) {
- d := p.next.value
- } else {
- var done := false
- while (!done)
- // invariant: holds p and p.next
- invariant p != null && rd(p.key) && rd(p.value) && acc(p.next) && acc(p.mu,50) && p.next != null
- invariant acc(p.next.mu) && p << p.next
- invariant rd(p.next.key) && rd(p.next.value) && acc(p.next.next)
- invariant p.next.next != null ==>
- acc(p.next.next.mu,50) && p.next << p.next.next
- invariant holds(p) && holds(p.next) && waitlevel == p.next.mu
- invariant p.next.next != null ==> waitlevel << p.next.next
- lockchange p, p.next.next
- {
- if (p.next.next == null) {
- done := true // key not present
- } else {
- acquire p.next.next
- if (p.next.next.key == key) {
- done := true // key is present
- d := p.next.next.value
- // move p.next.next closer to the head by one step
-
- var t: Node := p.next
- p.next := t.next
- t.next := p.next.next
- p.next.next := t
- reorder t between p.next and t.next
- release t
- } else {
- var t: Node := p
- p := p.next
- release t
- }
- }
- }
- }
- release p.next
- }
- release p
- }
-}
-
-class Data { }
-
-class Node
-{
- var key: int
- var value: Data
- var next: Node
- invariant rd(key) && rd(value) && acc(next) && acc(mu,50)
- invariant next != null ==> acc(next.mu,50) && this << next
-}
diff --git a/Chalice/tests/examples/AssociationList.output.txt b/Chalice/tests/examples/AssociationList.output.txt
deleted file mode 100644
index e7ae56f6..00000000
--- a/Chalice/tests/examples/AssociationList.output.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Verification of AssociationList.chalice using parameters=""
-
- 28.3: The postcondition at 30.13 might not hold. Insufficient fraction at 30.13 for mu.
- 73.9: Method execution before loop might lock/unlock more than allowed by lockchange clause of loop.
- 98.15: Monitor invariant might hot hold. Insufficient fraction at 120.13 for Node.key.
- 102.15: Monitor invariant might hot hold. Insufficient fraction at 120.13 for Node.key.
- 73.9: The loop might lock/unlock more than the lockchange clause allows.
- 107.7: Monitor invariant might hot hold. Insufficient fraction at 120.13 for Node.key.
-
-Boogie program verifier finished with 6 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/BackgroundComputation.chalice b/Chalice/tests/examples/BackgroundComputation.chalice
deleted file mode 100644
index e8168183..00000000
--- a/Chalice/tests/examples/BackgroundComputation.chalice
+++ /dev/null
@@ -1,38 +0,0 @@
-class C {
- var x: int;
-
- method main()
- requires acc(x);
- ensures acc(x);
- {
- // start long-running processing
- fork tk := processing();
-
- /* do some computation itself */
-
- // finish
- call finish(tk);
- }
-
- method finish(tk: token<C.processing>)
- requires acc(x,100-rd(tk));
- requires acc(tk.joinable) && tk.joinable && tk != null;
- requires eval(tk.fork this.processing(), true);
- ensures acc(x);
- {
- var res: int;
- join res := tk;
-
- // final write to x (requires full permission)
- this.x := res - 1;
- }
-
- method processing() returns (res: int)
- requires rd(x);
- ensures rd(x);
- {
- res := 1;
- /* do some computation */
- }
-
-}
diff --git a/Chalice/tests/examples/BackgroundComputation.output.txt b/Chalice/tests/examples/BackgroundComputation.output.txt
deleted file mode 100644
index ad3f590e..00000000
--- a/Chalice/tests/examples/BackgroundComputation.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of BackgroundComputation.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.chalice b/Chalice/tests/examples/CopyLessMessagePassing-with-ack.chalice
deleted file mode 100644
index 9ed9f0a9..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.chalice
+++ /dev/null
@@ -1,87 +0,0 @@
-// program inspired by "Proving Copyless Message Passing" (Villard, Lozes and Calcagno, APLAS 2009)
-
-// msg tag indicates what the type of the message
-// channel is freed by Getter when it completes
-// ack works, but an assume is needed and negative credits are sent over channels!
-
-// Conjecture: it is ok to send debit for yourself over yourself.
-// Why: Suppose a channel that allows self-debt is involved in a deadlock. The either that channel is empty, which means there's no difference between the situation with or with self-debt. Or the channel is non-empty. This means that we can make progress by receiving the message stored in the channel! Does this make any sense?
-
-channel C(msg: int, n: Node) where
- (msg == 0 || msg == 1 || msg == 2) &&
- (msg == 0 ==> credit(this, -1)) && // ack
- (msg == 1 ==> n != null && acc(n.next) && acc(n.mu) && credit(this, -1)) && // cell
- (msg == 2 ==> acc(this.mu, 50)); // done
-
-
-class Node {
- var next: Node;
-
- function length(): int
- requires this.list;
- {
- unfolding this.list in 1 + (next == null ? 0 : next.length())
- }
-
- predicate list {
- acc(next) && acc(mu) && (next != null ==> next.list)
- }
-}
-
-class Program {
- method Putter(e: C, x0: Node)
- requires e!= null && acc(e.mu, 50) && e.mu == waitlevel && (x0 != null ==> x0.list) && (x0 != null ==> credit(e, - 1));
- {
- var x: Node := x0;
- var t: Node;
-
- while(x != null)
- invariant (x != null ==> x.list) && acc(e.mu, 50) && credit(e, - 1);
- {
- unfold x.list;
- t := x.next;
- send e(1, x);
- x := t;
- var ack;
- assume waitlevel << e.mu; // Chalice should be able to figure this out itself
- receive ack, t := e;
- if(ack != 2) { assume false; /* abort */ }
- }
- send e(2, null);
- }
-
- method Getter(f: C)
- requires f!= null && credit(f, 1) && acc(f.mu, 50) && waitlevel << f.mu;
- {
- var x: Node := null;
- var msg := 1;
- while(msg != 0)
- invariant msg == 0 || msg == 1;
- invariant acc(f.mu, 50) && waitlevel << f.mu && (credit(f, 1));
- {
- assert msg == 1
- receive msg, x := f;
-
- if(msg == 1) {
- free x;
- }
- send f(0, null);
- if(msg == 2) { assume false; /* abort */ }
- }
- receive msg, x := f;
- if (msg != 2) { assume false; /* abort */ }
- free f; // close the channel
- }
-
- method Main(x: Node)
- requires x != null;
- requires x.list;
- {
- var e := new C;
- fork Putter(e, x);
- fork Getter(e);
- }
-}
-
-
-
diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt b/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt
deleted file mode 100644
index 91c56769..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of CopyLessMessagePassing-with-ack.chalice using parameters=""
-
-
- 48.22: Assumption introduces a contradiction.
- 69.22: Assumption introduces a contradiction.
- 72.21: Assumption introduces a contradiction.
-
-Boogie program verifier finished with 0 errors and 3 smoke test warnings
diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.chalice b/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.chalice
deleted file mode 100644
index 3b03853d..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.chalice
+++ /dev/null
@@ -1,86 +0,0 @@
-// program inspired by "Proving Copyless Message Passing" (Villard, Lozes and Calcagno, APLAS 2009)
-
-// msg tag indicates what the type of the message
-// channel is freed by Getter when it completes
-// ack-channel instead of single channel with ack message channel
-// using Owicki-Gries ghostfields can be used to remove the "assume false;" statements
-
-// Conjecture: it is ok to send debit credit(d, -x) over a channel c as long as
-// a) d.mu << c.mu
-// b) leaking positive or negative debit is not allowed
-
-channel AckChannel(ch: C) where ch != null && credit(ch, -1); // ack
-
-channel C(msg: bool, n: Node, ackC: AckChannel) where
- (!msg ==> acc(this.mu, 50) && acc(ackC.mu, 50)) &&
- (msg ==> n != null && acc(n.next) && acc(n.mu) && ackC != null && credit(ackC, -1)); // cell
-
-class Node {
- var next: Node;
-
- function length(): int
- requires this.list;
- {
- unfolding this.list in 1 + (next == null ? 0 : next.length())
- }
-
- predicate list {
- acc(next) && acc(mu) && (next != null ==> next.list)
- }
-}
-
-class Program {
- method Putter(e: C, x0: Node, ackC: AckChannel)
- requires e!= null && acc(e.mu, 50) && e.mu == waitlevel && acc(ackC.mu, 50) && e.mu << ackC.mu && (x0 != null ==> x0.list) && (x0 != null ==> credit(e, - 1));
- {
- var x: Node := x0;
- var t: Node;
-
- while(x != null)
- invariant (x != null ==> x.list) && acc(e.mu, 50) && acc(ackC.mu, 50) && e.mu << ackC.mu && credit(e, - 1);
- {
- unfold x.list;
- t := x.next;
- send e(true, x, ackC);
- x := t;
- var ack;
- assume waitlevel << ackC.mu; // Chalice should be able to figure this out itself?
- var ctmp: C;
- receive ctmp := ackC;
- if(ctmp != e) { assume false; /* abort */ }
- }
- send e(false, null, ackC);
- }
-
- method Getter(f: C, ackC: AckChannel)
- requires f!= null && credit(f, 1) && acc(f.mu, 50) && waitlevel << f.mu && ackC != null && acc(ackC.mu, 50) && f.mu << ackC.mu;
- {
- var x: Node := null;
- var msg: bool := true;
- while(msg)
- invariant acc(f.mu, 50) && waitlevel << f.mu && (msg ==> credit(f, 1)) && (!msg ==> acc(f.mu, 50) && acc(ackC.mu, 50));
- {
- var ackC2: AckChannel;
- receive msg, x, ackC2 := f;
- if(ackC2 != ackC) { assume false; /* abort */ }
- if(msg) {
- free x;
- send ackC(f);
- }
- }
- free f; // close the channel
- }
-
- method Main(x: Node)
- requires x != null;
- requires x.list;
- {
- var e := new C;
- var ackC := new AckChannel above e;
- fork Putter(e, x, ackC);
- fork Getter(e, ackC);
- }
-}
-
-
-
diff --git a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt b/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt
deleted file mode 100644
index 2d6d752d..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing-with-ack2.output.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Verification of CopyLessMessagePassing-with-ack2.chalice using parameters=""
-
-
- 50.23: Assumption introduces a contradiction.
- 65.27: Assumption introduces a contradiction.
-
-Boogie program verifier finished with 0 errors and 2 smoke test warnings
diff --git a/Chalice/tests/examples/CopyLessMessagePassing.chalice b/Chalice/tests/examples/CopyLessMessagePassing.chalice
deleted file mode 100644
index 3a9b80e0..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing.chalice
+++ /dev/null
@@ -1,72 +0,0 @@
-// program inspired by "Proving Copyless Message Passing" (Villard, Lozes and Calcagno, APLAS 2009)
-
-// msg tag indicates what the type of the message
-// channel is freed by Getter when it completes
-
-// todo: accept ack message before sending the next one (requires sending negative credit!)
-
-channel C(msg: bool, n: Node) where n!= null && acc(n.next) && acc(n.mu) && (msg ==> credit(this, 1)) && (!msg ==> acc(this.mu, 50));
-
-class Node {
- var next: Node;
-
- function length(): int
- requires this.list;
- {
- unfolding this.list in 1 + (next == null ? 0 : next.length())
- }
-
- predicate list {
- acc(next) && acc(mu) && (next != null ==> next.list)
- }
-}
-
-class Program {
- method Putter(e: C, x0: Node)
- requires e!= null && acc(e.mu, 50) && (x0 != null ==> x0.list) && (x0 != null ==> credit(e, - 1));
- {
- var x: Node := x0;
- var t: Node;
-
- while(x != null)
- invariant (x != null ==> x.list) && (x!=null ==> acc(e.mu, 50)) && (x != null ==> credit(e, - 1));
- {
- unfold x.list;
- t := x.next;
- if(t != null) {
- send e(true, x);
- } else {
- send e(false, x);
- }
- x := t;
- }
- }
-
- method Getter(f: C)
- requires f!= null && credit(f, 1) && acc(f.mu, 50) && waitlevel << f.mu;
- {
- var x: Node := null;
- var msg: bool := true;
- while(msg)
- invariant acc(f.mu, 50) && waitlevel << f.mu && (msg ==> credit(f, 1)) && (!msg ==> acc(f.mu, 50));
- {
- receive msg, x := f;
- if(msg) {
- free x;
- }
- }
- free f; // close the channel
- }
-
- method Main(x: Node)
- requires x != null;
- requires x.list;
- {
- var e := new C;
- fork Putter(e, x);
- fork Getter(e);
- }
-}
-
-
-
diff --git a/Chalice/tests/examples/CopyLessMessagePassing.output.txt b/Chalice/tests/examples/CopyLessMessagePassing.output.txt
deleted file mode 100644
index 2caf540b..00000000
--- a/Chalice/tests/examples/CopyLessMessagePassing.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of CopyLessMessagePassing.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/FictionallyDisjointCells.chalice b/Chalice/tests/examples/FictionallyDisjointCells.chalice
deleted file mode 100644
index d26dedbb..00000000
--- a/Chalice/tests/examples/FictionallyDisjointCells.chalice
+++ /dev/null
@@ -1,75 +0,0 @@
-class Cell
-{
- var inner: InnerCell;
-
- predicate inv
- {
- acc(inner) && inner!=null && rd(inner.value,1) && rd*(inner.mu) && rd*(this.mu)
- }
-
- method CellConstructor()
- requires acc(inner) && acc(this.mu)
- ensures inv && get()==0;
- {
- inner := new InnerCell;
- call inner.InnerCellConstructor(0)
- share inner;
- fold inv;
- }
-
- method CellConstructor2(other: Cell)
- requires acc(inner) && acc(this.mu)
- requires other != null && other.inv;
- requires unfolding other.inv in waitlevel << other.inner.mu
- ensures inv && other.inv && get()==other.get();
- {
- unfold other.inv;
- inner := other.inner;
- acquire inner;
- inner.refCount := inner.refCount+1;
- release inner;
- fold other.inv;
- fold inv;
- }
-
- function get():int
- requires inv;
- { unfolding inv in inner.value }
-
- method set(x:int)
- requires inv;
- requires unfolding inv in waitlevel << inner.mu
- ensures inv && get()==x;
- {
- var old_in: InnerCell;
- unfold inv;
- old_in := inner;
- acquire old_in;
- if (inner.refCount==1) { inner.value:=x; }
- else
- {
- inner.refCount := inner.refCount-1;
- inner := new InnerCell;
- call inner.InnerCellConstructor(x)
- share inner;
- }
- release old_in;
- fold inv;
- }
-}
-
-class InnerCell
-{
- var value: int;
- var refCount: int;
-
- invariant acc(refCount) && refCount > 0 && acc(value,100-rd(refCount));
-
- method InnerCellConstructor(val: int)
- requires acc(refCount) && acc(value)
- ensures acc(refCount) && acc(value) && refCount==1 && value == val;
- {
- refCount := 1;
- value := val
- }
-}
diff --git a/Chalice/tests/examples/FictionallyDisjointCells.output.txt b/Chalice/tests/examples/FictionallyDisjointCells.output.txt
deleted file mode 100644
index 0b8b0c4f..00000000
--- a/Chalice/tests/examples/FictionallyDisjointCells.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of FictionallyDisjointCells.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/ForkJoin.chalice b/Chalice/tests/examples/ForkJoin.chalice
deleted file mode 100644
index e79cded9..00000000
--- a/Chalice/tests/examples/ForkJoin.chalice
+++ /dev/null
@@ -1,77 +0,0 @@
-/* Example taken from ESOP submission */
-
-class T {
- var k: int;
- var l: int;
-
- method run()
- requires acc(k);
- ensures acc(k) && k == old(k) + 1;
- {
- k := k + 1;
- }
-}
-
-class Program {
- method main() {
- var x := new T;
- x.k := 17;
- x.l := 20;
- fork tok := x.run();
- x.l := 10;
- join tok;
- assert x.k == 18 && x.l == 10;
- }
-
- method justJoin(tok: token<T.run>, x: T) returns (rt: int)
- requires x!=null && tok!=null && acc(tok.joinable) && tok.joinable && eval(tok.fork x.run(), acc(x.k));
- ensures rt == old(eval(tok.fork x.run(), x.k)) + 1;
- {
- join tok;
- rt := x.k;
- }
-}
-
-/* example using asynchronous method calls */
-
-class C {
- var x: int;
-
- method m(v: int) returns (rt: int)
- ensures rt == v + 1;
- {
- rt := v + 1;
- }
-}
-
-class Program2 {
- method main1(){
- var c := new C;
- var tok: token<C.m>;
- fork tok := c.m(5);
-
- // do some computation
-
- var x : int;
- join x := tok;
- assert x == 6;
- }
-
- method main2(){
- var c := new C;
- var tok: token<C.m>;
- fork tok := c.m(5);
-
- // do some computation
-
- call foo(tok, c);
- }
-
- method foo(tok: token<C.m>, o: C)
- requires tok!=null && acc(tok.joinable) && tok.joinable && eval(tok.fork o.m(5), true);
- {
- var x: int;
- join x := tok;
- assert x == 6;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/ForkJoin.output.txt b/Chalice/tests/examples/ForkJoin.output.txt
deleted file mode 100644
index 5ddd0f65..00000000
--- a/Chalice/tests/examples/ForkJoin.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of ForkJoin.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/HandOverHand.chalice b/Chalice/tests/examples/HandOverHand.chalice
deleted file mode 100644
index 31818ca6..00000000
--- a/Chalice/tests/examples/HandOverHand.chalice
+++ /dev/null
@@ -1,132 +0,0 @@
-class List {
- ghost var sum: int
- var head: Node
- invariant acc(head) && head != null
- invariant rd(head.val) && head.val == -1
- invariant rd(mu) && acc(head.mu,50) && this << head
- invariant acc(sum,20) && acc(head.sum, 50) && sum == head.sum
-
- method Main()
- {
- var list := new List
- call list.Init()
- call list.Insert(8)
- call list.Insert(12)
- call list.Insert(4)
- assert list.sum == 24
- }
-
- method Init()
- requires acc(mu) && mu == lockbottom && acc(head) && acc(sum)
- ensures rd*(mu) && waitlevel << this
- ensures acc(sum,80) && sum == 0
- {
- var t := new Node
- t.val := -1
- t.next := null
- t.sum := 0
- share t
- head := t
- sum := 0
- share this between waitlevel and t
- }
-
- method Insert(x: int)
- requires rd(mu) && waitlevel << this
- requires acc(sum,80) && 0 <= x
- ensures rd(mu)
- ensures acc(sum,80) && sum == old(sum) + x
- {
- acquire this
- assert waitlevel == this.mu;
- sum := sum + x
- var p: Node := head
- acquire p
- p.sum := p.sum + x
- release this
-
- while (p.next != null && p.next.val < x)
- invariant p != null && acc(p.next) && acc(p.val,rd(p)) && acc(p.mu,50)
- invariant holds(p) && waitlevel == p.mu
- invariant !old(holds(p)) && !old(rd holds(p))
- invariant p.next != null ==> acc(p.next.mu,50) && p << p.next
- invariant p.next != null ==> acc(p.next.val,rd(p.next)) && p.val <= p.next.val
- invariant acc(p.sum, 50)
- invariant p.next == null ==> p.sum == x
- invariant p.next != null ==> acc(p.next.sum, 50) && p.sum == p.next.val + p.next.sum + x
- invariant p.val <= x
- lockchange p
- {
- var nx: Node := p.next
- acquire nx
- nx.sum := nx.sum + x
- release p
- p := nx
- }
- var t := new Node
- t.val := x
- t.next := p.next
- if (t.next == null) { t.sum := 0 } else { t.sum := p.next.val + p.next.sum }
- share t between p and p.next
- p.next := t
- release p
- }
-
- method Delete(x: int) returns (wasPresent: bool)
- requires rd(mu) && waitlevel << this
- requires acc(sum,80) && 0 <= x
- ensures acc(sum,80) && (wasPresent ==> sum == old(sum) - x) && (!wasPresent ==> sum == old(sum))
- {
- ghost const c
-
- acquire this
- sum := sum - c
- var p: Node := head
- acquire p
- p.sum := p.sum - c
- release this
-
- while (p.next != null && p.next.val < x)
- invariant p != null && acc(p.next) && acc(p.val,rd(p)) && acc(p.mu,50)
- invariant holds(p) && waitlevel == p.mu && !assigned(c)
- invariant !old(holds(p)) && !old(rd holds(p))
- invariant p.next != null ==> acc(p.next.mu,50) && p << p.next
- invariant p.next != null ==> acc(p.next.val,rd(p.next)) && p.val <= p.next.val
- invariant acc(p.sum, 50)
- invariant p.next == null ==> p.sum == 0 - c
- invariant p.next != null ==> acc(p.next.sum, 50) && p.sum == p.next.val + p.next.sum - c
- invariant p.val <= x
- lockchange p
- {
- var nx: Node := p.next
- acquire nx
- nx.sum := nx.sum - c
- release p
- p := nx
- }
- if (p.next != null && p.next.val == x) {
- wasPresent := true
- c := x
- var nx: Node := p.next
- acquire nx
- p.next := nx.next
- unshare nx
- } else {
- wasPresent := false
- c := 0
- }
- release p
- }
-}
-
-class Node {
- ghost var sum: int
- var val: int
- var next: Node
- invariant acc(next) && rd(val)
- invariant next != null ==> rd(next.val) && val <= next.val
- invariant acc(sum, 50)
- invariant next == null ==> sum == 0
- invariant next != null ==> acc(next.sum, 50) && sum == next.val + next.sum
- invariant acc(mu,50) && (next != null ==> acc(next.mu,50) && this << next)
-}
diff --git a/Chalice/tests/examples/HandOverHand.output.txt b/Chalice/tests/examples/HandOverHand.output.txt
deleted file mode 100644
index 13ff996a..00000000
--- a/Chalice/tests/examples/HandOverHand.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of HandOverHand.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/OwickiGries.chalice b/Chalice/tests/examples/OwickiGries.chalice
deleted file mode 100644
index f466b58a..00000000
--- a/Chalice/tests/examples/OwickiGries.chalice
+++ /dev/null
@@ -1,35 +0,0 @@
-class OwickiGries {
- var counter: int
- ghost var c0: int
- ghost var c1: int
- invariant acc(counter) && acc(c0,50) && acc(c1,50) && counter == c0 + c1
-
- method Main() {
- var og := new OwickiGries{ counter := 0, c0 := 0, c1 := 0 }
- share og
-
- fork tk0 := og.Worker(false)
- fork tk1 := og.Worker(true)
- join tk0; join tk1
-
- acquire og; unshare og
- assert og.counter == 2
- }
-
- method Worker(b: bool)
- requires rd(mu) && waitlevel << mu
- requires (!b ==> acc(c0,50)) && (b ==> acc(c1,50))
- ensures rd(mu)
- ensures !b ==> acc(c0,50) && c0 == old(c0) + 1
- ensures b ==> acc(c1,50) && c1 == old(c1) + 1
- {
- lock (this) {
- counter := counter + 1
- if (!b) {
- c0 := c0 + 1
- } else {
- c1 := c1 + 1
- }
- }
- }
-}
diff --git a/Chalice/tests/examples/OwickiGries.output.txt b/Chalice/tests/examples/OwickiGries.output.txt
deleted file mode 100644
index 8235b0f4..00000000
--- a/Chalice/tests/examples/OwickiGries.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of OwickiGries.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/PetersonsAlgorithm.chalice b/Chalice/tests/examples/PetersonsAlgorithm.chalice
deleted file mode 100644
index 8760b04b..00000000
--- a/Chalice/tests/examples/PetersonsAlgorithm.chalice
+++ /dev/null
@@ -1,79 +0,0 @@
-class Peterson {
- var x0: bool;
- var x1: bool;
- var turn: bool;
- ghost var cs0: bool;
- ghost var cs1: bool;
- ghost var b0: bool;
- ghost var b1: bool;
-
- invariant acc(x0,50) && acc(x1,50) && acc(turn);
- invariant acc(cs0,50) && acc(cs1,50) && acc(b0,50) && acc(b1,50);
- invariant cs0 ==> x0 && !b0 && (!x1 || !turn || b1);
- invariant cs1 ==> x1 && !b1 && (!x0 || turn || b0);
-
- method Main() {
- var p := new Peterson{ x0 := false, x1 := false,
- cs0 := false, cs1 := false, b0 := false, b1 := false };
- share p;
- fork p.Process0();
- fork p.Process1();
- // The purpose of the following loop is simply to prove mutual exclusion, that is,
- // to prove that !(cs0 && cs1) follows from the monitor invariant.
- while (true)
- invariant rd(p.mu) && waitlevel << p.mu;
- {
- lock (p) { assert !(p.cs0 && p.cs1); }
- }
- }
-
- method Process0()
- requires rd(mu) && waitlevel << mu;
- requires acc(x0,50) && acc(cs0,50) && acc(b0,50) && !x0 && !cs0 && !b0;
- {
- while (true)
- invariant rd(mu) && waitlevel << mu;
- invariant acc(x0,50) && acc(cs0,50) && acc(b0,50) && !x0 && !cs0 && !b0;
- {
- [[ x0 := true; b0 := true; ]]
- [[ turn := true; b0 := false; ]]
- // await (!x1 || !turn)
- var waiting := true;
- while (waiting)
- invariant rd(mu) && waitlevel << mu && acc(cs0,50);
- invariant acc(x0,50) && acc(b0,50) && x0 && !b0;
- invariant !waiting ==> cs0;
- {
- [[ if (!x1) { waiting := false; cs0 := true; } ]]
- [[ if (!turn) { waiting := false; cs0 := true; } ]]
- }
- // critical section...
- [[ cs0 := false; x0 := false; ]]
- }
- }
-
- method Process1()
- requires rd(mu) && waitlevel << mu;
- requires acc(x1,50) && acc(cs1,50) && acc(b1,50) && !x1 && !cs1 && !b1;
- {
- while (true)
- invariant rd(mu) && waitlevel << mu;
- invariant acc(x1,50) && acc(cs1,50) && acc(b1,50) && !x1 && !cs1 && !b1;
- {
- [[ x1 := true; b1 := true; ]]
- [[ turn := false; b1 := false; ]]
- // await (!x0 || turn)
- var waiting := true;
- while (waiting)
- invariant rd(mu) && waitlevel << mu && acc(cs1,50);
- invariant acc(x1,50) && acc(b1,50) && x1 && !b1;
- invariant !waiting ==> cs1;
- {
- [[ if (!x0) { waiting := false; cs1 := true; } ]]
- [[ if (turn) { waiting := false; cs1 := true; } ]]
- }
- // critical section...
- [[ cs1 := false; x1 := false; ]]
- }
- }
-}
diff --git a/Chalice/tests/examples/PetersonsAlgorithm.output.txt b/Chalice/tests/examples/PetersonsAlgorithm.output.txt
deleted file mode 100644
index 1be5bf8c..00000000
--- a/Chalice/tests/examples/PetersonsAlgorithm.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of PetersonsAlgorithm.chalice using parameters=""
-
-
- 23.5: The statements after the while-loop are unreachable.
- 34.5: The statements after the while-loop are unreachable.
- 59.5: The statements after the while-loop are unreachable.
-
-Boogie program verifier finished with 0 errors and 3 smoke test warnings
diff --git a/Chalice/tests/examples/ProdConsChannel.chalice b/Chalice/tests/examples/ProdConsChannel.chalice
deleted file mode 100644
index abac4f5c..00000000
--- a/Chalice/tests/examples/ProdConsChannel.chalice
+++ /dev/null
@@ -1,45 +0,0 @@
-class Cell {
- var val: int
-}
-
-channel Ch(c: Cell) where
- c != null ==> acc(c.val) && 0 <= c.val && credit(this)
-
-class Program {
- method Main() {
- var ch := new Ch
- fork tk0 := Producer(ch)
- fork tk1 := Consumer(ch)
- join tk0
- join tk1
- }
- method Producer(ch: Ch)
- requires ch != null
- ensures credit(ch)
- {
- var i := 0
- while (i < 25)
- {
- var x := i*i
- var c := new Cell { val := x }
- send ch(c)
- i := i + 1
- }
- send ch(null)
- }
- method Consumer(ch: Ch)
- requires rd(ch.mu) && waitlevel << ch.mu
- requires credit(ch)
- ensures rd(ch.mu)
- {
- var c: Cell
- receive c := ch
- while (c != null)
- invariant rd(ch.mu) && waitlevel << ch.mu
- invariant c != null ==> acc(c.val) && 0 <= c.val && credit(ch)
- {
- var i := c.val
- receive c := ch
- }
- }
-}
diff --git a/Chalice/tests/examples/ProdConsChannel.output.txt b/Chalice/tests/examples/ProdConsChannel.output.txt
deleted file mode 100644
index 20a587da..00000000
--- a/Chalice/tests/examples/ProdConsChannel.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of ProdConsChannel.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/RockBand.chalice b/Chalice/tests/examples/RockBand.chalice
deleted file mode 100644
index 379b4113..00000000
--- a/Chalice/tests/examples/RockBand.chalice
+++ /dev/null
@@ -1,112 +0,0 @@
-// chalice-parameter=-checkLeaks -defaults -autoFold
-// verify this program with -checkLeaks -defaults -autoFold
-
-class Client {
- method Main() {
- var b := new RockBand
- call b.Init()
- call b.Play()
- call b.Play()
- call b.Dispose()
- }
-}
-
-class RockBand module M {
- var gigs: int
- var gt: Guitar
- var doowops: seq<Vocalist>
- var b3: Organ
- predicate Valid {
- acc(gigs) && 0 <= gigs &&
- acc(gt) && gt != null && gt.Valid &&
- acc(gt.mu) && // to enable an eventual free
- acc(doowops) && //forall d: Vocalist in doowops :: d != null && d.Valid} &&
- acc(b3) && b3 != null && b3.Valid &&
- acc(b3.mu) // to enable an eventual free
- }
-
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- gigs := 0
- gt := new Guitar
- call gt.Init()
- b3 := new Organ
- call b3.Init()
- }
-
- method Dispose()
- requires Valid && acc(mu)
- {
- call gt.Dispose()
- call b3.Dispose()
- free this
- }
-
- method Play()
- requires Valid
- ensures Valid
- {
- gigs := gigs + 1
- call gt.Strum()
- call b3.Grind()
- }
-}
-
-class Guitar module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Strum()
- requires Valid
- ensures Valid
- {
- }
-}
-
-class Vocalist module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Strum()
- requires Valid
- ensures Valid
- {
- }
-}
-
-class Organ module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Grind()
- requires Valid
- ensures Valid
- {
- }
-}
diff --git a/Chalice/tests/examples/RockBand.output.txt b/Chalice/tests/examples/RockBand.output.txt
deleted file mode 100644
index f505fdb3..00000000
--- a/Chalice/tests/examples/RockBand.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of RockBand.chalice using parameters="-checkLeaks -defaults -autoFold"
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/Sieve.chalice b/Chalice/tests/examples/Sieve.chalice
deleted file mode 100644
index d7223d04..00000000
--- a/Chalice/tests/examples/Sieve.chalice
+++ /dev/null
@@ -1,63 +0,0 @@
-channel NumberStream(x: int) where 2 <= x ==> credit(this);
-
-class Sieve {
- method Counter(n: NumberStream, to: int) // sends the plurals along n
- requires rd(n.mu) && credit(n,-1) && 0 <= to;
- {
- var i := 2;
- while (i < to)
- invariant rd(n.mu);
- invariant 2 <= i;
- invariant credit(n, -1)
- {
- send n(i);
- i := i + 1;
- }
- send n(-1);
- }
-
- method Filter(prime: int, r: NumberStream, s: NumberStream)
- requires 2 <= prime;
- requires rd(r.mu) && waitlevel << r.mu;
- requires rd(s.mu) && s.mu << r.mu && credit(r) && credit(s, -1);
- {
- receive x := r;
- while (2 <= x)
- invariant rd(r.mu) && rd(s.mu) && s << r && waitlevel << r.mu;
- invariant 2<= x ==> credit(r);
- invariant credit(s, -1);
- {
- if (x % prime != 0) { // suppress multiples of prime
- send s(x);
- }
- receive x := r;
-
- }
- send s(-1);
- }
-
- method Start()
- {
- var ch := new NumberStream;
- fork Counter(ch, 101);
- var p: int;
- receive p := ch;
- while (2 <= p)
- invariant ch != null;
- invariant 2 <= p ==> credit(ch, 1);
- invariant rd*(ch.mu) && waitlevel << ch.mu;
- {
- // print p--it's a prime!
- var cp := new ChalicePrint; call cp.Int(p);
-
- var n := new NumberStream between waitlevel and ch;
- fork Filter(p, ch, n);
- ch := n;
- receive p := ch;
- }
- }
-}
-
-external class ChalicePrint {
- method Int(x: int) { }
-}
diff --git a/Chalice/tests/examples/Sieve.output.txt b/Chalice/tests/examples/Sieve.output.txt
deleted file mode 100644
index 0e37cd00..00000000
--- a/Chalice/tests/examples/Sieve.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of Sieve.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/Solver.chalice b/Chalice/tests/examples/Solver.chalice
deleted file mode 100644
index 0de8a987..00000000
--- a/Chalice/tests/examples/Solver.chalice
+++ /dev/null
@@ -1,44 +0,0 @@
-class Client {
-
- method main(p: Problem, s: Solver) returns (r: int)
- requires acc(p.f) && s != null
- ensures acc(p.f)
- {
- // start randomized computations
- var tk1: token<Solver.solve>
- var tk2: token<Solver.solve>
- call tk1 := s.start(p)
- call tk2 := s.start(p)
-
- // get the results
- var r1: int
- join r1 := tk1
- var r2: int
- join r2:= tk2
- r := r1 > r2 ? r1 : r2
- }
-
-}
-class Solver {
-
- method solve(p: Problem, d: Data) returns (r: int)
- requires rd(p.f)
- requires acc(d.*)
- ensures rd(p.f)
- { /* ... */ }
-
- method start(p: Problem)
- returns (tk: token<Solver.solve>)
- requires rd(p.f)
- ensures acc(p.f, rd-rd(tk))
- ensures acc(tk.joinable) && tk.joinable;
- ensures eval(tk.fork this.solve(p,_), true)
- {
- var d: Data := new Data
- /* .. perform some set-up/initialization and prepare the data d for the solve method */
- fork tk := solve(p, d)
- }
-
-}
-class Problem { var f: int }
-class Data { var f: int; var g: int }
diff --git a/Chalice/tests/examples/Solver.output.txt b/Chalice/tests/examples/Solver.output.txt
deleted file mode 100644
index 7b6882c5..00000000
--- a/Chalice/tests/examples/Solver.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of Solver.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/TreeOfWorker.chalice b/Chalice/tests/examples/TreeOfWorker.chalice
deleted file mode 100644
index 6483f884..00000000
--- a/Chalice/tests/examples/TreeOfWorker.chalice
+++ /dev/null
@@ -1,29 +0,0 @@
-class Node {
- var l: Node
- var r: Node
-
- method work(data: Data)
- requires rd(data.f)
- requires valid
- ensures rd(data.f)
- ensures valid
- {
- var tkl: token<Node.work>
- var tkr: token<Node.work>
-
- unfold valid
- if (l != null) { fork tkl := l.work(data) }
- if (r != null) { fork tkr := r.work(data) }
- /* .. perform work on this node (using the global data: data.f) */
- if (l != null) { join tkl }
- if (r != null) { join tkr }
- fold valid
- }
-
- predicate valid {
- acc(l) && acc(r) &&
- (l != null ==> l.valid) &&
- (r != null ==> r.valid)
- }
-}
-class Data { var f: int; }
diff --git a/Chalice/tests/examples/TreeOfWorker.output.txt b/Chalice/tests/examples/TreeOfWorker.output.txt
deleted file mode 100644
index fe0c3376..00000000
--- a/Chalice/tests/examples/TreeOfWorker.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of TreeOfWorker.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/UnboundedThreads.chalice b/Chalice/tests/examples/UnboundedThreads.chalice
deleted file mode 100644
index c52bb10a..00000000
--- a/Chalice/tests/examples/UnboundedThreads.chalice
+++ /dev/null
@@ -1,59 +0,0 @@
-class C {
-
- var f: int;
-
- method main(n: int)
- requires n > 0 && acc(this.f)
- ensures acc(this.f)
- {
- // fork all threads, and join them afterwards
- call work(n);
-
- this.f := 100; // we want a full permission in the end
- }
-
- method work(n: int)
- requires rd(this.f,n)
- ensures rd(this.f,n)
- {
- var tks:seq<token<C.m>> := nil<token<C.m>>;
-
- // first loop; fork all threads
- var i := 0;
- while (i < n)
- invariant i <= n && |tks| == i;
- invariant i < n ==> rd(this.f,n-i);
- invariant acc(tks[*].joinable);
- invariant forall k in [0..|tks|] :: tks[k] != null && tks[k].joinable;
- invariant forall k in [0..|tks|] :: eval(tks[k].fork this.m(), true);
- invariant forall k,j in [0..|tks|] :: k < j ==> tks[k] != tks[j];
- {
- fork tk := m();
- tks := tks ++ [tk];
- i := i+1;
- }
-
- // second loop; join all threads
- i := n;
- while (i > 0)
- invariant i >= 0 && |tks| == i;
- invariant i < n ==> rd(this.f,n-i); // BUG: the eval construct inside the quantification does not give us the information needed to proof this invariant, see http://boogie.codeplex.com/workitem/10187
- invariant acc(tks[*].joinable);
- invariant forall k in [0..|tks|] :: tks[k] != null && tks[k].joinable;
- invariant forall k in [0..|tks|] :: eval(tks[k].fork this.m(), true);
- invariant forall k,j in [0..|tks|] :: k < j ==> tks[k] != tks[j];
- {
- var tk: token<C.m>;
- tk := tks[i-1];
- join tk;
- i := i-1;
- tks := tks[0..i];
- }
- }
-
- method m()
- requires rd(this.f,1);
- ensures rd(this.f,1);
- { /* do some computation */ }
-
-}
diff --git a/Chalice/tests/examples/UnboundedThreads.output.txt b/Chalice/tests/examples/UnboundedThreads.output.txt
deleted file mode 100644
index f8a05ed9..00000000
--- a/Chalice/tests/examples/UnboundedThreads.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of UnboundedThreads.chalice using parameters=""
-
- 40.17: The loop invariant at 40.17 might not be preserved by the loop. Insufficient epsilons at 40.27 for C.f.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/cell.chalice b/Chalice/tests/examples/cell.chalice
deleted file mode 100644
index 1cf82950..00000000
--- a/Chalice/tests/examples/cell.chalice
+++ /dev/null
@@ -1,163 +0,0 @@
-class Cell module Library {
- var x: int;
-
- method init(v: int)
- requires acc(this.x) && 0<=v;
- ensures valid && this.get() == v;
- {
- x := v;
- fold valid;
- }
-
- method set(v: int)
- requires valid && 0<=v;
- ensures valid && get()==v;
- {
- unfold valid;
- x := v;
- fold valid;
- }
-
- method increment()
- requires valid;
- ensures valid && get() == old(get()) + 1;
- {
- unfold valid;
- x := x + 1;
- fold valid;
- }
-
- method dispose()
- requires valid && acc(mu);
- ensures true;
- {
- unfold valid;
- free this;
- }
-
- function get(): int
- requires valid;
- ensures 0<=result;
- {
- unfolding valid in x
- }
-
- predicate valid {
- acc(this.x) && 0<=x
- }
-
- invariant valid;
-}
-
-class Interval module Library2 {
- var left: Cell;
- var right: Cell;
-
- method init(l: int, r: int)
- requires 0<=l && l <= r;
- requires acc(left) && acc(right);
- ensures valid;
- ensures getLeft()==l;
- ensures getRight()==r;
- {
- left := new Cell;
- call left.init(l);
- right := new Cell;
- call right.init(r);
- fold valid;
- }
-
- method setLeft(l: int)
- requires valid;
- requires 0<=l && l<=getRight();
- ensures valid;
- ensures getLeft()==l && getRight()==old(getRight());
- {
- unfold valid;
- call left.set(l);
- fold valid;
- }
-
- method setRight(r: int)
- requires valid;
- requires 0<=r && getLeft()<=r;
- ensures valid;
- ensures getLeft()==old(getLeft()) && getRight()==r;
- {
- unfold valid;
- call right.set(r);
- fold valid;
- }
-
- method shift(v: int)
- requires valid;
- requires 0<=v;
- ensures valid;
- ensures getLeft()==old(getLeft())+v && getRight()==old(getRight())+v;
- {
- unfold valid;
- call left.set(left.get()+v);
- call right.set(right.get()+v);
- fold valid;
- }
-
- function getLeft() : int
- requires valid;
- {
- unfolding valid in left.get()
- }
-
- function getRight() : int
- requires valid;
- {
- unfolding valid in right.get()
- }
-
- predicate valid
- {
- acc(left) && acc(right) && left!=null && right!=null && left.valid && right.valid && left.get() <= right.get()
- }
-}
-
-class Program module Main {
- method main(){
- var c1 := new Cell;
- call c1.init(5);
- call c1.set(6);
-
- var c2 := new Cell;
- call c2.init(10);
- call c2.set(11);
-
- assert c1.get() == 6;
- }
-
- method main2(){
- var c: Cell;
-
- c := new Cell;
- call c.init(0);
- call c.dispose();
-
- assert c.valid; // should fail
- }
-
- method main3() returns (rt: Cell)
- ensures rt!=null && rt.valid && rt.get() == 0;
- {
- rt := new Cell;
- call rt.init(0);
- }
-
- method main4() {
- var c: Cell;
-
- c := new Cell;
- call c.init(0);
- share c;
-
- acquire c;
- call c.set(1);
- release c;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/cell.output.txt b/Chalice/tests/examples/cell.output.txt
deleted file mode 100644
index b1567d01..00000000
--- a/Chalice/tests/examples/cell.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of cell.chalice using parameters=""
-
- 142.5: Assertion might not hold. Insufficient fraction at 142.12 for Cell.valid.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 135.3: The end of method main2 is unreachable.
-
-Boogie program verifier finished with 1 errors and 1 smoke test warnings
diff --git a/Chalice/tests/examples/dining-philosophers.chalice b/Chalice/tests/examples/dining-philosophers.chalice
deleted file mode 100644
index f4a7d1a6..00000000
--- a/Chalice/tests/examples/dining-philosophers.chalice
+++ /dev/null
@@ -1,93 +0,0 @@
-class Philosopher module Philosophers {
- var left: Fork;
- var right: Fork;
-
- method init(f1: Fork, f2: Fork)
- requires f1!=null && f2!=null;
- requires acc(this.*);
- ensures valid;
- ensures getLeft()==f1 && getRight()==f2;
- {
- left := f1;
- right := f2;
- fold valid;
- }
-
- method run()
- requires valid;
- requires acc(getLeft().mu, 10);
- requires acc(getRight().mu, 10);
- requires waitlevel << getLeft().mu;
- requires waitlevel << getRight().mu;
- requires getLeft().mu << getRight().mu;
- {
- while(true)
- invariant valid && acc(getLeft().mu, 10) && acc(getRight().mu, 10) && waitlevel << getLeft().mu && waitlevel << getRight().mu && getLeft().mu << getRight().mu;
- {
- unfold valid;
- acquire left;
- acquire right;
- //eat
- release left;
- release right;
- fold valid;
- }
- }
-
- function getLeft(): Fork
- requires valid;
- ensures result!=null;
- {
- unfolding valid in left
- }
-
- function getRight(): Fork
- requires valid;
- ensures result!=null;
- {
- unfolding valid in right
- }
-
- predicate valid {
- acc(left) && acc(right) && left!=null && right!=null
- }
-}
-
-class Fork module Dining {
- invariant true;
-}
-
-class Program module Main {
- method main(){
- // create forks
- var f1 := new Fork;
- var f2 := new Fork;
- var f3 := new Fork;
-
- share f1;
- share f2 above f1;
- share f3 above f1, f2;
-
- // create philosophers
- var aristotle := new Philosopher;
- call aristotle.init(f1, f2);
-
- var plato := new Philosopher;
- call plato.init(f2, f3);
-
- var kant := new Philosopher;
- call kant.init(f1, f3);
-
- assert f2.mu << f3.mu;
-
- // start eating
- fork tk0 := aristotle.run();
- fork tk1 := plato.run();
- fork tk2 := kant.run();
-
- // everyone's done
- join tk0;
- join tk1;
- join tk2;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/dining-philosophers.output.txt b/Chalice/tests/examples/dining-philosophers.output.txt
deleted file mode 100644
index ffba722f..00000000
--- a/Chalice/tests/examples/dining-philosophers.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of dining-philosophers.chalice using parameters=""
-
-
- 24.5: The statements after the while-loop are unreachable.
-
-Boogie program verifier finished with 0 errors and 1 smoke test warnings
diff --git a/Chalice/tests/examples/generate_reference.bat b/Chalice/tests/examples/generate_reference.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/examples/generate_reference.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/examples/generate_reference_all.bat b/Chalice/tests/examples/generate_reference_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/examples/generate_reference_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/examples/iterator.chalice b/Chalice/tests/examples/iterator.chalice
deleted file mode 100644
index fd5d0352..00000000
--- a/Chalice/tests/examples/iterator.chalice
+++ /dev/null
@@ -1,150 +0,0 @@
-class List module Collections {
- var contents: seq<int>;
-
- method init()
- requires acc(contents);
- ensures valid && size(100)==0;
- {
- contents := nil<int>;
- fold valid;
- }
-
- method add(x: int)
- requires valid;
- ensures valid && size(100) == old(size(100)+1) && get(size(100)-1, 100) == x;
- ensures forall i in [0..size(100)-1] :: get(i, 100) == old(get(i, 100));
- {
- unfold valid;
- contents := contents ++ [x];
- fold valid;
- }
-
- function get(index: int, f: int): int
- requires 0<f && f<=100 && acc(valid, f) && (0<=index && index<size(f));
- ensures forall i in [1..f] :: get(index, f) == get(index, i);
- {
- unfolding acc(valid, f) in contents[index]
- }
-
- function size(f: int): int
- requires 0<f && f<=100 && acc(valid, f);
- ensures 0<=result;
- ensures forall i in [1..f] :: size(f) == size(i);
- {
- unfolding acc(valid, f) in |contents|
- }
-
- predicate valid {
- acc(contents)
- }
-}
-
-class Iterator module Collections {
- var list: List;
- var index: int;
- var frac: int;
-
- method init(l: List, f: int)
- requires 0<f && f<=100;
- requires acc(list) && acc(index) && acc(frac);
- requires l!=null;
- requires acc(l.valid, f);
- ensures valid;
- ensures getList()==l;
- ensures getFraction()==f;
- {
- list := l;
- this.index := 0;
- frac := f;
- fold valid;
- }
-
- method next() returns (rt: int)
- requires valid && hasNext();
- ensures valid;
- ensures getList()==old(getList());
- ensures getFraction()==old(getFraction());
- {
- unfold valid;
- rt := list.get(index, frac);
- index := index + 1;
- fold valid;
- }
-
- method dispose()
- requires valid;
- ensures acc(old(getList()).valid, old(getFraction()));
- {
- unfold valid;
- }
-
- function hasNext(): bool
- requires valid;
- {
- unfolding valid in index<list.size(frac)
- }
-
- function getFraction(): int
- requires valid;
- ensures 0<result && result<=100;
- {
- unfolding valid in frac
- }
-
- function getList(): List
- requires valid;
- ensures getList()!=null;
- {
- unfolding valid in list
- }
-
- predicate valid
- {
- acc(list) && acc(index) && acc(frac) && 0<frac && frac<=100 && list!=null && acc(list.valid, frac) && 0<=index && index<=list.size(frac)
- }
-}
-
-class Program module Main {
- method main(){
- var tmp: int;
- //create a new list
- var list := new List;
- call list.init();
- call list.add(5);
- call list.add(6);
-
- // create a new iterator
- var iter1 := new Iterator;
- assert list!=null; // needed here: triggering problem?
- assert list.size(100)==2;
- assert list.size(50)==2;
- call iter1.init(list, 10);
-
- // create a second iterator
- var iter2 := new Iterator;
- assert list!=null; // needed here: triggering problem?
- call iter2.init(list, 10);
-
- // iterate over the list
- while(iter1.hasNext())
- invariant iter1.valid && iter1.getList()==list && iter1.getFraction()==10;
- {
- call tmp := iter1.next();
- }
-
- // iterate over the list
- while(iter2.hasNext())
- invariant iter2.valid && iter2.getList()==list && iter2.getFraction()==10;
- {
- call tmp := iter2.next();
- }
-
- // dispose the iterators
- call iter1.dispose();
- call iter2.dispose();
-
- // full access to the list
- assert list.valid;
- assert list.size(50)==2;
- }
-}
diff --git a/Chalice/tests/examples/iterator.output.txt b/Chalice/tests/examples/iterator.output.txt
deleted file mode 100644
index 36a72bac..00000000
--- a/Chalice/tests/examples/iterator.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of iterator.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/iterator2.chalice b/Chalice/tests/examples/iterator2.chalice
deleted file mode 100644
index 4020ece3..00000000
--- a/Chalice/tests/examples/iterator2.chalice
+++ /dev/null
@@ -1,134 +0,0 @@
-/* Iterator pattern in Chalice. */
-
-class List module Collections {
- var contents: seq<int>;
-
- method init()
- requires acc(contents);
- ensures valid && size()==0;
- {
- contents := nil<int>;
- fold valid;
- }
-
- method add(x: int)
- requires valid;
- ensures valid && size() == old(size()+1) && get(size()-1) == x; // I don't know why this happens.
- ensures forall i in [0..size()-1] :: get(i) == old(get(i));
- {
- unfold valid;
- contents := contents ++ [x];
- fold valid;
- }
-
- function get(index: int): int
- requires rd(valid) && 0<=index && index<size();
- {
- unfolding rd(valid) in contents[index]
- }
-
- function size(): int
- requires rd(valid);
- ensures 0<=result;
- {
- unfolding rd(valid) in |contents|
- }
-
- predicate valid {
- acc(contents)
- }
-}
-
-class Iterator module Collections {
- var list: List;
- var index: int;
-
- method init(l: List)
- requires acc(list) && acc(index);
- requires l!=null;
- requires acc(l.valid,rd(l.valid));
- ensures valid;
- ensures getList()==l;
- {
- list := l;
- this.index := 0;
- fold valid;
- }
-
- method next() returns (rt: int)
- requires valid && hasNext();
- ensures valid;
- ensures getList()==old(getList());
- {
- unfold valid;
- rt := list.get(index);
- index := index + 1;
- fold valid;
- }
-
- method dispose()
- requires valid;
- ensures acc(old(getList()).valid,rd(old(getList()).valid));
- {
- unfold valid;
- }
-
- function hasNext(): bool
- requires valid;
- {
- unfolding valid in index<list.size()
- }
-
- function getList(): List
- requires valid;
- ensures result!=null;
- {
- unfolding valid in list
- }
-
- predicate valid
- {
- acc(list) && acc(index) && list!=null && rd(list.valid) && 0<=index && index<=list.size()
- }
-}
-
-class Program module Main {
- method main(){
- var tmp: int;
- //create a new list
- var list := new List;
- call list.init();
- call list.add(5);
- call list.add(6);
-
- // create a new iterator
- var iter1 := new Iterator;
- call iter1.init(list);
-
- // create a second iterator
- var iter2 := new Iterator;
- call iter2.init(list);
-
- // iterate over the list
- while(iter1.hasNext())
- invariant iter1.valid && iter1.getList()==list;
- {
- call tmp := iter1.next();
- }
-
- // iterate over the list
- while(iter2.hasNext())
- invariant iter2.valid && iter2.getList()==list;
- {
- call tmp := iter2.next();
- }
-
- // dispose the iterators
- call iter1.dispose();
- call iter2.dispose();
-
- // full access to the list
- assert list.valid;
- assert list.size()==2;
- }
-}
diff --git a/Chalice/tests/examples/iterator2.output.txt b/Chalice/tests/examples/iterator2.output.txt
deleted file mode 100644
index a28c5785..00000000
--- a/Chalice/tests/examples/iterator2.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of iterator2.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/linkedlist.chalice b/Chalice/tests/examples/linkedlist.chalice
deleted file mode 100644
index a9859aaa..00000000
--- a/Chalice/tests/examples/linkedlist.chalice
+++ /dev/null
@@ -1,91 +0,0 @@
-/* Recursive implementation and specification of a linked list. */
-
-class Node {
- var next: Node;
- var value: int;
-
- method init(v: int)
- requires acc(next) && acc(value);
- ensures valid && size() == 1 && (forall y:int :: contains(y) <==> y==v);
- {
- next := null;
- value := v;
- fold this.valid;
- }
-
- method add(x: int)
- requires valid;
- ensures valid;
- ensures size() == old(size())+1;
- ensures (forall y:int :: contains(y)==(old(contains(y)) || x==y));
- {
- unfold this.valid;
- if(next==null) {
- var n : Node;
- n := new Node;
- call n.init(x);
- next := n;
- // unfold next.valid; fold next.valid; // makes it work
- } else {
-
- call next.add(x);
- }
- fold this.valid;
- }
-
- method addother(i:int)
- requires valid
- ensures valid && (forall x:int :: contains(x)==(old(contains(x)) || x==i))
- {
- unfold valid
- if(next!=null)
- {
- call next.addother(i)
- }
- else
- {
- next:=new Node
- next.value:=i
- next.next:=null
- fold next.valid
- }
- fold valid
- }
-
- method addFirst(x: int) returns (rt: Node)
- requires valid;
- ensures rt!=null && rt.valid;
- ensures rt.size() == old(size()) + 1;
- {
- var n: Node;
- n := new Node;
- n.value := x;
- n.next := this;
- fold n.valid;
- rt := n;
- }
-
- function at(i: int): int
- requires valid && 0<=i && i<size();
- {
- unfolding valid in i==0 ? value : next.at(i-1)
- }
-
- function size(): int
- requires valid;
- ensures result > 0
- {
- unfolding this.valid in (next!=null ? 1+ next.size() : 1)
- }
-
- function contains(i:int):bool
- requires valid
- {
- unfolding valid in i==value || (next!=null && next.contains(i))
- }
-
-
- predicate valid {
- acc(next) && acc(value) && (next!=null ==> next.valid)
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/linkedlist.output.txt b/Chalice/tests/examples/linkedlist.output.txt
deleted file mode 100644
index ffb5327d..00000000
--- a/Chalice/tests/examples/linkedlist.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of linkedlist.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/list-reverse.chalice b/Chalice/tests/examples/list-reverse.chalice
deleted file mode 100644
index c694b4c9..00000000
--- a/Chalice/tests/examples/list-reverse.chalice
+++ /dev/null
@@ -1,44 +0,0 @@
-class Node {
- var next : Node;
- var val : int;
-
- predicate list {
- acc(next) && acc(val) && (next!=null ==> next.list)
- }
-
- function vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : [val] ++ next.vals())
- }
-
- function reverse_vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : next.reverse_vals() ++ [val])
- }
-
- method reverse_in_place() returns (r:Node)
- requires list;
- ensures r != null && r.list;
- ensures r.vals() == old(this.reverse_vals());
- {
- var l : Node := this;
- r := null;
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant old(this.reverse_vals()) == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
- unfold l.list;
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/list-reverse.output.txt b/Chalice/tests/examples/list-reverse.output.txt
deleted file mode 100644
index 6179841d..00000000
--- a/Chalice/tests/examples/list-reverse.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of list-reverse.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/lseg.chalice b/Chalice/tests/examples/lseg.chalice
deleted file mode 100644
index c7b6421a..00000000
--- a/Chalice/tests/examples/lseg.chalice
+++ /dev/null
@@ -1,86 +0,0 @@
-class Node {
- var next : Node;
- var val : int;
- /* ghost */ var length : int;
-
- predicate lseg {
- acc(length) && length > 0 && acc(next) && acc(val) && (length > 1 ==> next != null && next.lseg && next.lseg_length() + 1 == this.length)
- }
-
- function lseg_length() : int
- requires lseg
- {
- unfolding lseg in length
- }
-
- function elems() : seq<int>
- requires lseg
- {
- unfolding lseg in (length == 1 ? [val] : [val] ++ next.elems())
- }
-
- function end() : Node
- requires lseg
- {
- unfolding lseg in (length == 1 ? next : next.end())
- }
-
- /* ghost */ method addAtEndRec(n:Node)
- requires lseg && acc(n.*)
- ensures lseg
- ensures elems() == old(elems()) ++ [old(n.val)]
- ensures end() == old(n.next)
- ensures lseg_length() == old(lseg_length()) + 1
- {
- unfold this.lseg;
- if (length == 1) {
- this.next := n
- n.length := 1
- fold n.lseg
- } else {
- call this.next.addAtEndRec(n)
- }
- this.length := this.length + 1
- fold this.lseg
- }
-
- method addAtEnd(v: int)
- requires lseg
- requires this.end() == null
- ensures lseg
- ensures elems() == old(elems()) ++ [v]
- {
- var cur: Node := this
- unfold lseg
- while (cur.next != null)
- invariant acc(cur.*)
- invariant this != cur ==> this.lseg && this.end() == cur
- invariant cur.length > 0 && (cur.length > 1 ==> cur.next != null && cur.next.lseg) && (cur.length == 1 ? cur.next : cur.next.end()) == null
- invariant ((this == cur ? [] : this.elems())
- ++ [cur.val]
- ++ (cur.next == null ? [] : cur.next.elems())) == old(this.elems())
- {
- /* ghost */ var temp: Node := cur
- cur := cur.next
- if (this == temp) {
- this.length := 1
- fold lseg
- } else {
- call addAtEndRec(temp)
- }
- unfold cur.lseg
- }
-
- var n: Node := new Node
- n.val := v
- n.next := null
- cur.next := n
- if(cur == this) {
- this.length := 1
- fold lseg
- } else {
- call addAtEndRec(cur)
- }
- call addAtEndRec(n)
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/examples/lseg.output.txt b/Chalice/tests/examples/lseg.output.txt
deleted file mode 100644
index ed31a673..00000000
--- a/Chalice/tests/examples/lseg.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of lseg.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/producer-consumer.chalice b/Chalice/tests/examples/producer-consumer.chalice
deleted file mode 100644
index 25253bfb..00000000
--- a/Chalice/tests/examples/producer-consumer.chalice
+++ /dev/null
@@ -1,202 +0,0 @@
-class Program {
- method main(){
- var buffer := new Queue;
- call buffer.init();
- share buffer;
-
- var producer := new Producer;
- call producer.init(buffer);
- fork tkP := producer.run();
-
- var consumer := new Consumer;
- call consumer.init(buffer);
- fork tkC := consumer.run();
-
- join tkP;
- join tkC;
-
- acquire buffer;
- unshare buffer;
-
- var tmp := buffer.size();
- }
-}
-
-class Producer module Producer {
- var buffer: Queue;
-
- method init(buff: Queue)
- requires acc(buffer) && buff!=null;
- ensures valid && getBuffer()==buff;
- {
- buffer := buff;
- fold valid;
- }
-
- method run()
- requires valid && rd(getBuffer().mu) && waitlevel << getBuffer().mu;
- ensures rd(old(getBuffer()).mu);
- {
- var tmp: int;
-
- while(true)
- invariant valid && rd(getBuffer().mu) && waitlevel << getBuffer().mu;
- {
- unfold valid;
- acquire buffer;
- call buffer.enqueue(5);
- release buffer;
- fold valid;
- }
- unfold valid;
- }
-
- function getBuffer(): Queue
- requires valid;
- ensures result!=null;
- {
- unfolding valid in buffer
- }
-
- predicate valid {
- acc(buffer) && buffer!=null
- }
-}
-
-class Consumer module Consumer {
- var buffer: Queue;
-
- method init(buff: Queue)
- requires acc(buffer) && buff!=null;
- ensures valid && getBuffer()==buff;
- {
- buffer := buff;
- fold valid;
- }
-
- method run()
- requires valid && rd(getBuffer().mu) && waitlevel << getBuffer().mu;
- ensures rd(old(getBuffer()).mu);
- {
- while(true)
- invariant valid && rd(getBuffer().mu) && waitlevel << getBuffer().mu;
- {
- unfold valid;
- acquire buffer;
- if(0<=buffer.size()){
- call buffer.enqueue(5);
- }
- release buffer;
- fold valid;
- }
- unfold valid;
- }
-
- function getBuffer(): Queue
- requires valid;
- ensures result!=null;
- {
- unfolding valid in buffer
- }
-
- predicate valid {
- acc(buffer) && buffer!=null
- }
-}
-
-class Queue module Queue {
- var contents: List;
-
- invariant valid;
-
- method init()
- requires acc(contents);
- ensures valid;
- ensures size()==0;
- {
- contents := new List;
- call contents.init();
- fold valid;
- }
-
- method enqueue(x: int)
- requires valid;
- ensures valid;
- ensures size() == old(size())+1;
- {
- unfold valid;
- call contents.add(x);
- fold valid;
- }
-
- method dequeue() returns (rt: int)
- requires valid && 0<size();
- ensures valid;
- ensures size() == old(size())-1;
- {
- unfold valid;
- call rt := contents.removeFirst();
- fold valid;
- }
-
- function size(): int
- requires valid;
- {
- unfolding valid in contents.size()
- }
-
- predicate valid {
- acc(contents) && contents!=null && contents.valid
- }
-}
-
-class List module Collections {
- var contents: seq<int>;
-
- method init()
- requires acc(contents);
- ensures valid && size()==0;
- {
- contents := nil<int>;
- fold valid;
- }
-
- method add(x: int)
- requires valid;
- ensures valid && size() == old(size()+1) && get(size()-1) == x;
- ensures forall i in [0..size()-1] :: get(i) == old(get(i));
- {
- unfold valid;
- contents := contents ++ [x];
- fold valid;
- }
-
- method removeFirst() returns (rt: int)
- requires valid && 0<size();
- ensures valid && size() == old(size()-1);
- ensures forall i in [0..size()] :: get(i) == old(get(i+1));
- {
- unfold valid;
- rt := contents[0];
- contents := contents[1..];
- fold valid;
- }
-
-
- function get(index: int): int
- requires rd(valid) && 0<=index && index<size();
- {
- unfolding rd(valid) in contents[index]
- }
-
- function size(): int
- requires rd(valid);
- ensures 0<=result;
- {
- unfolding rd(valid) in |contents|
- }
-
- predicate valid {
- acc(contents)
- }
-}
diff --git a/Chalice/tests/examples/producer-consumer.output.txt b/Chalice/tests/examples/producer-consumer.output.txt
deleted file mode 100644
index f3c3a28a..00000000
--- a/Chalice/tests/examples/producer-consumer.output.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Verification of producer-consumer.chalice using parameters=""
-
-
- 42.5: The statements after the while-loop are unreachable.
- 81.5: The statements after the while-loop are unreachable.
-
-Boogie program verifier finished with 0 errors and 2 smoke test warnings
diff --git a/Chalice/tests/examples/reg_test.bat b/Chalice/tests/examples/reg_test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/examples/reg_test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/examples/reg_test_all.bat b/Chalice/tests/examples/reg_test_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/examples/reg_test_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/examples/swap.chalice b/Chalice/tests/examples/swap.chalice
deleted file mode 100644
index 46a6a71a..00000000
--- a/Chalice/tests/examples/swap.chalice
+++ /dev/null
@@ -1,20 +0,0 @@
-class C {
- method m(a, b) returns (x, y)
- ensures x == a && y == b;
- {
- x := a;
- y := b;
- }
-
- var F;
- var G;
- method n()
- requires acc(F) && acc(this.G);
- ensures acc(F) && acc(G);
- ensures F == old(G) && G == old(F);
- {
- var tmp := F;
- F := G;
- G := tmp;
- }
-}
diff --git a/Chalice/tests/examples/swap.output.txt b/Chalice/tests/examples/swap.output.txt
deleted file mode 100644
index c0e86b2a..00000000
--- a/Chalice/tests/examples/swap.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of swap.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/examples/test.bat b/Chalice/tests/examples/test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/examples/test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/FunctionPostcondition.chalice b/Chalice/tests/general-tests/FunctionPostcondition.chalice
deleted file mode 100644
index 7fd95b05..00000000
--- a/Chalice/tests/general-tests/FunctionPostcondition.chalice
+++ /dev/null
@@ -1,10 +0,0 @@
-// this test is for function postconditions
-
-class FunctionPostconditions
-{
- predicate valid { true }
-
- function t1(): int
- ensures unfolding valid in true;
- { 1 }
-}
diff --git a/Chalice/tests/general-tests/FunctionPostcondition.output.txt b/Chalice/tests/general-tests/FunctionPostcondition.output.txt
deleted file mode 100644
index 3244dc57..00000000
--- a/Chalice/tests/general-tests/FunctionPostcondition.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of FunctionPostcondition.chalice using parameters=""
-
-The program did not typecheck.
-8.5: the postcondition of functions cannot contain unfolding expressions at the moment
diff --git a/Chalice/tests/general-tests/ImplicitLocals.chalice b/Chalice/tests/general-tests/ImplicitLocals.chalice
deleted file mode 100644
index 15ebe8e0..00000000
--- a/Chalice/tests/general-tests/ImplicitLocals.chalice
+++ /dev/null
@@ -1,27 +0,0 @@
-class C {
- var k: int;
-
- method MyMethod() returns (x: int, y: C)
- requires acc(k)
- ensures acc(y.k) && x < y.k
- {
- x := k - 15;
- y := this;
- }
-
- method B() {
- var c := new C;
- call a, b := c.MyMethod();
- assert a < b.k;
- }
-
- method D() {
- var ch := new Ch;
- var c := new C;
- send ch(c.k - 15, c); // give ourselves some credit
- receive a, b := ch;
- assert a < b.k;
- }
-}
-
-channel Ch(x: int, y: C) where acc(y.k) && x < y.k;
diff --git a/Chalice/tests/general-tests/ImplicitLocals.output.txt b/Chalice/tests/general-tests/ImplicitLocals.output.txt
deleted file mode 100644
index 8e59a2b0..00000000
--- a/Chalice/tests/general-tests/ImplicitLocals.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of ImplicitLocals.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/general-tests/LoopLockChange.chalice b/Chalice/tests/general-tests/LoopLockChange.chalice
deleted file mode 100644
index 5ccce089..00000000
--- a/Chalice/tests/general-tests/LoopLockChange.chalice
+++ /dev/null
@@ -1,142 +0,0 @@
-class LoopLockChange { - - method Test0() - requires rd(mu) && waitlevel << mu - lockchange this; - { - acquire this; - - var b := true; - while(b) // error: lockchange clause of loop must include all lock changes that happened before the loop - { - b := false; - } - } - - method Test1() - requires rd(mu) && waitlevel << mu - lockchange this; - { - acquire this; - - var b := true; - while(b) - lockchange this; - { - b := false; - } - } - - method Test2() - requires rd(mu) && waitlevel << mu - lockchange this; - { - var b := true; - while(b) // error: insufficient lockchange clause - invariant rd(mu); - invariant b ==> waitlevel << mu - { - acquire this; - b := false; - } - } - - method Test3() - requires rd(mu) && waitlevel << mu - lockchange this; - { - var b := true; - while(b) - invariant rd(mu); - invariant b ==> waitlevel << mu - lockchange this; - { - acquire this; - b := false; - } - } - - method Test4(p: LoopLockChange) - requires rd(p.mu) && waitlevel << p.mu - requires rd(mu) && waitlevel << mu - { - var current: LoopLockChange := this; - var b := true; - while(b) - invariant rd(current.mu) - invariant b ==> rd(p.mu); - invariant b ==> waitlevel << current.mu - lockchange current; // error: after the loop body, current does no longer point to the object whose lock was acquired - { - acquire current; - current := p; - b := false; - } - assume false; // to prevent complaint about method's lockchange clause - } - - - method Test5(p: LoopLockChange) - requires rd(p.mu) && waitlevel << p.mu - requires rd(mu) && waitlevel << mu - lockchange this; - { - var current: LoopLockChange := this; - var b := true; - while(b) - invariant rd(current.mu) - invariant b ==> rd(p.mu); - invariant b ==> current == this; - invariant b ==> waitlevel << current.mu - lockchange this; - { - acquire current; - current := p; - b := false; - } - } - - - method Test6() - requires rd(mu) && waitlevel << mu - { - var b := true; - while(b) - invariant rd(mu); - 
invariant b ==> waitlevel << mu - invariant b ==> !(rd holds(this)) - invariant !b ==> holds(this) - lockchange this; - { - acquire this; - b := false; - } - release this; - } - - - method Test7() - requires rd(mu) && waitlevel << mu - { - acquire this; - release this; - } - - -// The following test requires a better treatment of allocation, which we don't have yet -/* method Test8() - { - var tmp : LoopLockChange := this; - var b := false; - while(b) - { - tmp := new LoopLockChange; - share tmp; - acquire tmp; - b := false; - } - assert !holds(tmp); - } -*/ -} -
diff --git a/Chalice/tests/general-tests/LoopLockChange.output.txt b/Chalice/tests/general-tests/LoopLockChange.output.txt
deleted file mode 100644
index ccd9a36a..00000000
--- a/Chalice/tests/general-tests/LoopLockChange.output.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Verification of LoopLockChange.chalice using parameters=""
-
- 10.5: Method execution before loop might lock/unlock more than allowed by lockchange clause of loop.
- 35.5: The loop might lock/unlock more than the lockchange clause allows.
- 65.5: The loop might lock/unlock more than the lockchange clause allows.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 10.5: The begging of the while-body is unreachable.
- 10.5: The statements after the while-loop are unreachable.
- 75.5: Assumption introduces a contradiction.
-
-Boogie program verifier finished with 3 errors and 3 smoke test warnings
diff --git a/Chalice/tests/general-tests/RockBand-automagic.chalice b/Chalice/tests/general-tests/RockBand-automagic.chalice
deleted file mode 100644
index 8a64b691..00000000
--- a/Chalice/tests/general-tests/RockBand-automagic.chalice
+++ /dev/null
@@ -1,112 +0,0 @@
-// chalice-parameter=-checkLeaks -defaults -autoFold -autoMagic
-// verify this program with -checkLeaks -defaults -autoFold -autoMagic
-
-class Client {
- method Main() {
- var b := new RockBand
- call b.Init()
- call b.Play()
- call b.Play()
- call b.Dispose()
- }
-}
-
-class RockBand module M {
- var gigs: int
- var gt: Guitar
- var doowops: seq<Vocalist>
- var b3: Organ
- predicate Valid {
- /*acc(gigs) &&*/ 0 <= gigs &&
- /*acc(gt) && gt != null &&*/ gt.Valid &&
- acc(gt.mu) &&
- acc(doowops) &&
- /*acc(b3) && b3 != null &&*/ b3.Valid &&
- acc(b3.mu)
- }
-
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- gigs := 0
- gt := new Guitar
- call gt.Init()
- b3 := new Organ
- call b3.Init()
- }
-
- method Dispose()
- requires Valid && acc(mu)
- {
- call gt.Dispose()
- call b3.Dispose()
- free this
- }
-
- method Play()
- requires Valid
- ensures Valid
- {
- gigs := gigs + 1
- call gt.Strum()
- call b3.Grind()
- }
-}
-
-class Guitar module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Strum()
- requires Valid
- ensures Valid
- {
- }
-}
-
-class Vocalist module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Strum()
- requires Valid
- ensures Valid
- {
- }
-}
-
-class Organ module Musicians {
- predicate Valid { true }
- method Init()
- requires acc(this.*)
- ensures Valid
- {
- }
- method Dispose()
- requires Valid && acc(mu)
- {
- free this
- }
- method Grind()
- requires Valid
- ensures Valid
- {
- }
-}
diff --git a/Chalice/tests/general-tests/RockBand-automagic.output.txt b/Chalice/tests/general-tests/RockBand-automagic.output.txt
deleted file mode 100644
index 652213d9..00000000
--- a/Chalice/tests/general-tests/RockBand-automagic.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of RockBand-automagic.chalice using parameters="-checkLeaks -defaults -autoFold -autoMagic"
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/general-tests/SmokeTestTest.chalice b/Chalice/tests/general-tests/SmokeTestTest.chalice
deleted file mode 100644
index 6ff283ec..00000000
--- a/Chalice/tests/general-tests/SmokeTestTest.chalice
+++ /dev/null
@@ -1,121 +0,0 @@
-// This file is meant as a test for Chalice's smoke testing feature (command line switch -smoke)
-class Cell {
- var f: int;
-
- invariant acc(this.f) && f == 1
- invariant f == 2 // SMOKE: contradiction
-
- method a1()
- requires false // SMOKE: precondition is false
- {}
-
- method a2()
- requires acc(this.f,-2) // SMOKE: precondition is equivalent to false
- {}
-
- method a3()
- requires acc(this.f)
- {
- if (this.f > 0) {
- this.f := 0;
- }
- }
-
- method a4()
- requires acc(this.f)
- {
- if (false) {
- this.f := 0; // SMOKE: unreachable
- }
- }
-
- method a5()
- requires acc(this.f)
- {
- if (true) {
- this.f := 0;
- }
- }
-
- method a6()
- requires acc(this.f)
- {
- if (false) {
- this.f := 0; // SMOKE: unreachable
- } else {
- this.f := 1;
- }
- }
-
- method a7(i: int, j: int)
- requires i != j;
- {
- assume i == j; // SMOKE: introduces contradiction
- }
-
- method a8()
- requires acc(this.f)
- {
- while (true)
- invariant acc(this.f)
- {
- this.f := this.f + 1
- }
- // SMOKE: unreachable, loop does not terminate
- }
-
- method a9()
- requires acc(this.f)
- {
- call a8()
- }
-
- method a10()
- requires acc(this.f)
- {
- if (true) {
- this.f := 0;
- } else {
- this.f := 1; // SMOKE: unreachable
- }
- }
-
- function f1(): int
- requires false // SMOKE: precondition is false
- { 1 }
-
- method a11()
- {
- var i: int := 0
- if (false) {
- // SMOKE: unreachable
- } else {
- if (true) { assume false } // SMOKE: introduces contradiction
- else { assume i == 1 } // SMOKE: introduces contradiction
- }
- }
-
- method a12()
- {
- assume false // SMOKE: introduces contradiction
- while (false) {
-
- }
- }
-
- method a13()
- ensures false // ERROR: cannot prove false
- {
- }
-
- method a14()
- {
- call a13(); // SMOKE: statements afterwards not reachable anymore
- }
-
- predicate valid {
- 1 == 2 // SMOKE: contradiction
- }
-}
-
-channel C(msg: bool) where msg && !msg // SMOKE: contradiction
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/SmokeTestTest.output.txt b/Chalice/tests/general-tests/SmokeTestTest.output.txt
deleted file mode 100644
index 1ad5f926..00000000
--- a/Chalice/tests/general-tests/SmokeTestTest.output.txt
+++ /dev/null
@@ -1,23 +0,0 @@
-Verification of SmokeTestTest.chalice using parameters=""
-
- 106.3: The postcondition at 107.13 might not hold. The expression at 107.13 might not evaluate to true.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 2.1: Monitor invariant is equivalent to false.
- 8.3: Precondition of method a1 is equivalent to false.
- 12.3: Precondition of method a2 is equivalent to false.
- 27.5: The begging of the if-branch is unreachable.
- 43.5: The begging of the if-branch is unreachable.
- 53.5: Assumption introduces a contradiction.
- 59.5: The statements after the while-loop are unreachable.
- 76.5: The begging of the else-branch is unreachable.
- 83.3: Precondition of function f1 is equivalent to false.
- 90.5: The begging of the if-branch is unreachable.
- 93.7: The begging of the else-branch is unreachable.
- 93.19: Assumption introduces a contradiction.
- 100.5: Assumption introduces a contradiction.
- 113.5: The statements after the method call statement are unreachable.
- 116.3: Predicate Cell.valid is equivalent to false.
- 121.1: Where clause of channel C is equivalent to false.
-
-Boogie program verifier finished with 1 errors and 16 smoke test warnings
diff --git a/Chalice/tests/general-tests/VariationsOfProdConsChannel.chalice b/Chalice/tests/general-tests/VariationsOfProdConsChannel.chalice
deleted file mode 100644
index 2d2f9b91..00000000
--- a/Chalice/tests/general-tests/VariationsOfProdConsChannel.chalice
+++ /dev/null
@@ -1,88 +0,0 @@
-class Cell {
- var val: int
-}
-
-channel Ch(c: Cell) where
- c != null ==> acc(c.val) && 0 <= c.val && credit(this)
-
-class Program {
- method Main0() { // error: debt remains after body
- var ch := new Ch
- fork tk0 := Producer(ch)
- fork tk1 := Consumer(ch)
- // join tk0
- join tk1
- }
- method Main1() {
- var ch := new Ch
- fork tk0 := Producer(ch)
- fork tk1 := Consumer(ch)
- join tk0
- // join tk1
- } // no problem
- method Producer0(ch: Ch) // error: debt remains after body
- requires ch != null
- ensures credit(ch)
- {
- var i := 0
- while (i < 25)
- {
- var x := i*i
- var c := new Cell { val := x }
- send ch(c)
- i := i + 1
- }
- // send ch(null)
- }
- method Producer1(ch: Ch)
- requires ch != null
- ensures credit(ch)
- {
- var i := 0
- while (i < 25)
- {
- var x := i*i
- var c := new Cell { val := x }
- send ch(c)
- i := i + 1 + c.val // error: can no longer read c.val
- }
- send ch(null)
- }
- method Consumer0(ch: Ch)
- requires rd(ch.mu) && waitlevel << ch.mu
- requires credit(ch)
- ensures rd(ch.mu)
- {
- var c: Cell
- receive c := ch
- while (c != null && c.val == 7) // this consumer may end early, but that's allowed
- invariant rd(ch.mu) && waitlevel << ch.mu
- invariant c != null ==> acc(c.val) && 0 <= c.val && credit(ch)
- {
- var i := c.val
- receive c := ch
- }
- }
- method Consumer1(ch: Ch)
- requires rd(ch.mu) && waitlevel << ch.mu
- requires credit(ch)
- ensures rd(ch.mu)
- {
- var c: Cell
- receive c := ch
- if (c != null) {
- assert 0 <= c.val // follows from where clause
- }
- }
- method Consumer2(ch: Ch)
- requires rd(ch.mu) && waitlevel << ch.mu
- requires credit(ch)
- ensures rd(ch.mu)
- {
- var c: Cell
- receive c := ch
- if (c != null) {
- assert c.val < 2 // error: does not follow from where clause
- }
- }
-}
diff --git a/Chalice/tests/general-tests/VariationsOfProdConsChannel.output.txt b/Chalice/tests/general-tests/VariationsOfProdConsChannel.output.txt
deleted file mode 100644
index d5b9c9ee..00000000
--- a/Chalice/tests/general-tests/VariationsOfProdConsChannel.output.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Verification of VariationsOfProdConsChannel.chalice using parameters=""
-
-The program did not typecheck.
-11.5: call of undeclared member Producer in class Program
-<undefined position>: Invalid token type. Program does not declare a method Producer.
-12.5: call of undeclared member Consumer in class Program
-<undefined position>: Invalid token type. Program does not declare a method Consumer.
-14.10: the first argument of a join async must be a token
-18.5: call of undeclared member Producer in class Program
-<undefined position>: Invalid token type. Program does not declare a method Producer.
-19.5: call of undeclared member Consumer in class Program
-<undefined position>: Invalid token type. Program does not declare a method Consumer.
-20.10: the first argument of a join async must be a token
diff --git a/Chalice/tests/general-tests/cell-defaults.chalice b/Chalice/tests/general-tests/cell-defaults.chalice
deleted file mode 100644
index eb826f89..00000000
--- a/Chalice/tests/general-tests/cell-defaults.chalice
+++ /dev/null
@@ -1,153 +0,0 @@
-// chalice-parameter=-defaults -autoFold -autoMagic
-// verify this program with -defaults -autoFold -autoMagic
-
-class Cell module Library {
- var x: int;
-
- method init(v: int)
- requires acc(this.x) && 0<=v;
- ensures valid && this.get() == v;
- {
- x := v;
- }
-
- method set(v: int)
- requires valid && 0<=v;
- ensures valid && get()==v;
- {
- x := v;
- }
-
- method increment()
- requires valid;
- ensures valid && get() == old(get()) + 1;
- {
- x := x + 1;
- }
-
- method dispose()
- requires valid && acc(mu);
- ensures true;
- {
- free this;
- }
-
- function get(): int
- requires valid;
- ensures 0<=result;
- {
- x
- }
-
- predicate valid {
- acc(this.x) && 0<=x
- }
-
- invariant valid;
-}
-
-class Interval module Library2 {
- var left: Cell;
- var right: Cell;
-
- method init(l: int, r: int)
- requires 0<=l && l <= r;
- requires acc(left) && acc(right);
- ensures valid;
- ensures getLeft()==l
- ensures getRight()==r;
- {
- left := new Cell;
- call left.init(l);
- right := new Cell;
- call right.init(r);
- }
-
- method setLeft(l: int)
- requires valid;
- requires 0<=l && l<=getRight();
- ensures valid;
- ensures getLeft()==l && getRight()==old(getRight());
- {
- call left.set(l);
- }
-
- method setRight(r: int)
- requires valid;
- requires 0<=r && getLeft()<=r;
- ensures valid;
- ensures getLeft()==old(getLeft()) && getRight()==r;
- {
- call right.set(r);
- }
-
- method shift(v: int)
- requires valid;
- requires 0<=v;
- ensures valid;
- ensures getLeft()==old(getLeft())+v && getRight()==old(getRight())+v;
- {
- call left.set(left.get()+v);
- call right.set(right.get()+v);
- }
-
- function getLeft() : int
- requires valid;
- {
- left.get() // for some reason, Boogie can't figure out the callee's heap is smaller when using defaults
- }
-
- function getRight() : int
- requires valid;
- {
- right.get() // for some reason, Boogie can't figure out the callee's heap is smaller when using defaults
- }
-
- predicate valid
- {
- left.valid && right.valid && left.get() <= right.get()
- }
-}
-
-class Program module Main {
- method main(){
- var c1 := new Cell;
- call c1.init(5);
- call c1.set(6);
-
- var c2 := new Cell;
- call c2.init(10);
- call c2.set(11);
-
- assert c1.get() == 6;
- }
-
- method main2(){
- var c: Cell;
-
- c := new Cell;
- call c.init(0);
- call c.dispose();
-
- assert c.valid; // should fail
- }
-
- method main3() returns (rt: Cell)
- ensures rt!=null && rt.valid && rt.get() == 0
- {
- rt := new Cell;
- call rt.init(0)
- }
-
- method main4() {
- var c: Cell;
-
- c := new Cell;
- call c.init(0);
- share c;
-
- acquire c;
- call c.set(1);
- release c;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/cell-defaults.output.txt b/Chalice/tests/general-tests/cell-defaults.output.txt
deleted file mode 100644
index fd748230..00000000
--- a/Chalice/tests/general-tests/cell-defaults.output.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-Verification of cell-defaults.chalice using parameters="-defaults -autoFold -autoMagic"
-
- 97.5: The heap of the callee might not be strictly smaller than the heap of the caller.
- 103.5: The heap of the callee might not be strictly smaller than the heap of the caller.
- 132.5: Assertion might not hold. Insufficient fraction at 132.12 for Cell.valid.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 125.3: The end of method main2 is unreachable.
-
-Boogie program verifier finished with 3 errors and 1 smoke test warnings
diff --git a/Chalice/tests/general-tests/counter.chalice b/Chalice/tests/general-tests/counter.chalice
deleted file mode 100644
index c15ed36b..00000000
--- a/Chalice/tests/general-tests/counter.chalice
+++ /dev/null
@@ -1,153 +0,0 @@
-class Counter {
- var value: int;
-
- invariant acc(value) && old(value)<=value;
-}
-
-class Program {
-
- method main1(){
- var counter := new Counter;
- counter.value := 0;
- share counter;
-
- acquire counter;
- var tmp1 := counter.value;
- release counter;
-
- acquire counter;
- var tmp2 := counter.value;
- release counter;
-
- assert tmp1 <= tmp2;
- }
-
- method main2(){
- var counter := new Counter;
- counter.value := 0;
- share counter;
-
- acquire counter;
- release counter;
-
- call bar(counter);
- }
-
- method bar(c: Counter)
- requires c!=null && acc(c.mu) && waitlevel << c.mu;
- requires eval(c.release, acc(c.value) && 0<=c.value);
- {
- lock (c) {
- assert 0 <= c.value; // ok, because of the lastSeen conjunct in the precondition
- }
- }
-
- method main3() returns (counter: Counter)
- lockchange counter;
- {
- counter := new Counter;
- counter.value := 0;
- share counter;
- acquire counter;
- call doRelease(counter, counter.value);
- }
-
- method doRelease(c: Counter, i: int)
- requires c!=null && holds(c) && acc(c.value) && eval(c.acquire, acc(c.value) && c.value <= i);
- lockchange c;
- {
- c.value := i+1
- release c; // ok, because of atAcquire conjunct in the precondition
- }
-
- method main4(){
- var counter := new Counter;
- counter.value := 0;
- share counter;
-
- acquire counter;
- counter.value := counter.value - 1;
- release counter; // error: should fail
- }
-
- method main5(){
- var counter := new Counter;
- counter.value := 10;
- share counter;
-
- call foo(counter);
-
- unshare counter;
- assert 10<=counter.value; // error: should fail
- }
-
- method foo(c: Counter)
- requires c!=null && acc(c.mu) && waitlevel << c.mu && eval(c.release, acc(c.value) && 10<=c.value);
- ensures c!=null && holds(c) && acc(c.mu) && acc(c.value);
- lockchange c;
- {
- acquire c;
- unshare c;
- c.value := 5;
- share c;
- acquire c;
- }
-
- method nestedGood0(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- lock (c) {
- release c
- acquire c
- }
- }
-
- method nestedGood1(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- var t: Counter := c
- lock (t) {
- t := new Counter
- share t
- acquire t
- } // this line releases the original value for t
- release t
- }
-
- method nestedBad0(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- lock (c) {
- release c
- } // error: no longer holds c
- }
-
- method nestedBad1(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- lock (c) {
- acquire c // error: already holds c
- }
- }
-
- method nestedBad2(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- lock (c) {
- lock (c) { // error: already holds c
- }
- }
- }
-
- method nestedBad3(c: Counter)
- requires c != null && acc(c.mu) && waitlevel << c.mu;
- {
- var t: Counter := c
- lock (t) {
- release t
- t := new Counter
- share t
- acquire t
- } // error: this line attempts to release the original t
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/counter.output.txt b/Chalice/tests/general-tests/counter.output.txt
deleted file mode 100644
index 53bcd98d..00000000
--- a/Chalice/tests/general-tests/counter.output.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-Verification of counter.chalice using parameters=""
-
- 70.5: Monitor invariant might hot hold. The expression at 4.27 might not evaluate to true.
- 81.5: Assertion might not hold. The expression at 81.12 might not evaluate to true.
- 120.5: The target of the release statement might not be locked by the current thread.
- 129.7: The mu field of the target of the acquire statement might not be above waitlevel.
- 137.7: The mu field of the target of the acquire statement might not be above waitlevel.
- 146.5: The target of the release statement might not be locked by the current thread.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 63.3: The end of method main4 is unreachable.
- 117.3: The end of method nestedBad0 is unreachable.
- 129.7: The statements after the acquire statement are unreachable.
- 137.7: The begging of the lock-block is unreachable.
- 142.3: The end of method nestedBad3 is unreachable.
-
-Boogie program verifier finished with 6 errors and 5 smoke test warnings
diff --git a/Chalice/tests/general-tests/generate_reference.bat b/Chalice/tests/general-tests/generate_reference.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/general-tests/generate_reference.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/generate_reference_all.bat b/Chalice/tests/general-tests/generate_reference_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/general-tests/generate_reference_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/ll-lastnode.chalice b/Chalice/tests/general-tests/ll-lastnode.chalice
deleted file mode 100644
index f7a44cfe..00000000
--- a/Chalice/tests/general-tests/ll-lastnode.chalice
+++ /dev/null
@@ -1,82 +0,0 @@
-// This test case showed a triggering problem (and potentially a matching loop).
-// The quantified assertion and postcondition that did not verify are highlighted below.
-class Node
-{
- var val:int
- var next:Node
- var break_here:bool
-
- predicate lseg
- {
- acc(break_here) && (!break_here ==> acc(val) && acc(next) && (next!=null ==> next.lseg))
- }
-
- predicate xlseg
- {
- acc(val) && acc(next) && (next!=null ==> next.lseg)
- }
-
- function length():int
- requires lseg
- ensures 0 <= result
- {
- unfolding lseg in (break_here ? 0 : (next==null ? 1 : 1+next.length()))
- }
-
- function xlength():int
- requires xlseg
- ensures 0 < result
- {
- unfolding xlseg in (next==null ? 1 : 1+next.length())
- }
-
- function get(i:int):int
- requires lseg && i>=0 && i<length()
- {
- unfolding lseg in i==0 ? val : next.get(i-1)
- }
-
- function xget(i:int):int
- requires xlseg && i>=0 && i<xlength()
- {
- unfolding xlseg in i==0 ? val : next.get(i-1)
- }
-
- function get_next_seg():Node
- requires lseg
- {
- unfolding lseg in break_here ? this : (next==null ? next : next.get_next_seg())
- }
-
- method lastNode() returns(res:Node)
- requires lseg && length()>0
- ensures res != null && lseg && res.xlseg
- ensures res.xlength()==1 && res.xget(0)==old(get(length()-1))
- ensures length() == old(length()-1)
- // Did not verify.
- ensures (forall i:int :: 0<=i && i<length() ==> get(i) == old(get(i)))
- {
- var I:int
- var h:Node
-
- res:=this
- unfold lseg
- break_here:=true
- fold lseg
- fold xlseg
-
- while(res.xlength()>1)
- invariant res!=null && lseg && res.xlseg &&
- res==get_next_seg() && // new invariant
- length() + res.xlength() == old(length()) &&
- 0 <= length() && length() < old(length()) &&
- (forall i:int :: 0<=i && i<length() ==> get(i)==old(get(i))) &&
- (forall i:int :: length()<=i && i<old(length()) ==> res.xget(i-length())==old(get(i)))
- {
- // We are not interested (at the moment) in verifying the loop.
- assume false
- }
- // Did not verify.
- assert (forall i:int :: length()<=i && i<old(length()) ==> res.xget(i-length())==old(get(i)))
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/ll-lastnode.output.txt b/Chalice/tests/general-tests/ll-lastnode.output.txt
deleted file mode 100644
index a02dd2d8..00000000
--- a/Chalice/tests/general-tests/ll-lastnode.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of ll-lastnode.chalice using parameters=""
-
-
- 77.9: Assumption introduces a contradiction.
-
-Boogie program verifier finished with 0 errors and 1 smoke test warnings
diff --git a/Chalice/tests/general-tests/nestedPredicates.chalice b/Chalice/tests/general-tests/nestedPredicates.chalice
deleted file mode 100644
index 8afbff5c..00000000
--- a/Chalice/tests/general-tests/nestedPredicates.chalice
+++ /dev/null
@@ -1,114 +0,0 @@
-/* Recursive implementation and specification of a linked list. */
-
-class Node {
- var next: Node;
- var value: int;
-
- predicate valid {
- rd*(next) && rd*(value) && (next!=null ==> next.valid)
- }
-
- method testNestingUnfold()
- requires acc(this.valid)
- {
- unfold this.valid;
- assert this != this.next;
- if(this.next != null) {
- unfold this.next.valid;
- assert this.next != this.next.next;
- assert this != this.next.next;
- }
- }
-
- method testNestingFold() // this test shows that we build in the assumption that predicate instances with infinite expansions cannot be exist (in reachable code)
- requires rd*(this.next) && rd*(this.value) && rd*(this.next.next) && rd*(this.next.value) && this.next != null && this.next.next != null && this.next.next.valid
-
- {
- fold this.next.valid;
- assert this.next != this.next.next; // definition of valid "proves" that this.next and this.next.next cannot be aliases
- fold this.valid;
- assert this != this.next;
- assert this != this.next.next;
- }
-
- method testNestingUnfolding()
- requires acc(this.valid)
- {
- assert this != (unfolding this.valid in this.next);
- if((unfolding this.valid in this.next) != null) {
- assert (unfolding this.valid in this.next) != (unfolding this.valid in (unfolding this.next.valid in this.next.next));
- assert this != (unfolding this.valid in (unfolding this.next.valid in this.next.next));
- }
- }
-
- predicate p {
- rd*(next) && rd*(value) && (next!=null ==> next.q)
- }
-
- predicate q {
- rd*(next) && rd*(value) && (next!=null ==> next.p)
- }
-
- method testNestingUnfoldTwo()
- requires acc(this.p)
- {
- unfold this.p;
- assert this != this.next; // should fail
- if(this.next != null) {
- unfold this.next.q;
- assert this.next != this.next.next; // should fail
- assert this != this.next.next; // should succeed
- }
- }
-
- method testNestingFoldTwo() // this test shows that we build in the assumption that predicate instances with infinite expansions cannot be exist (in reachable code)
- requires rd*(this.next) && rd*(this.value) && rd*(this.next.next) && rd*(this.next.value) && this.next != null && this.next.next != null && this.next.next.p
-
- {
- fold this.next.q;
- assert this != this.next; // should fail
- assert this.next != this.next.next; // should fail
- assert this != this.next.next; // should fail
- }
-
- method testNestingFoldThree() // this test shows that we build in the assumption that predicate instances with infinite expansions cannot be exist (in reachable code)
- requires rd*(this.next) && rd*(this.value) && rd*(this.next.next) && rd*(this.next.value) && this.next != null && this.next.next != null && this.next.next.p
-
- {
- fold this.next.q;
- fold this.p;
- assert this != this.next; // should succeed, since this == this.next ==> this == this.next.next
- assert this.next != this.next.next; // should fail - we haven't seen a cycle which would follow from this fact
- assert this != this.next.next; // should succeed
- }
-
- method testNestingUnfoldingTwo()
- requires acc(this.p)
- {
- assert this != (unfolding this.p in this.next); // should fail
- if((unfolding this.p in this.next) != null) {
- assert (unfolding this.p in this.next) != (unfolding this.p in (unfolding this.next.q in this.next.next)); // should fail
- assert this != (unfolding this.p in (unfolding this.next.q in this.next.next)); // should succeed
- }
- }
-
- method testNestingUnfoldingPrecondition(x: Node)
- requires acc(this.valid) && (unfolding this.valid in this.next == x);
- {
- assert this != x;
- }
-
- function getNext() : Node
- requires this.valid;
- {
- unfolding this.valid in this.next
- }
-
- method testNestingUnfoldingPostcondition(x: Node)
- requires acc(this.valid);
- ensures acc(this.valid) && (unfolding this.valid in true) && this != this.getNext()
- {
- // nothing
- }
-
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/nestedPredicates.output.txt b/Chalice/tests/general-tests/nestedPredicates.output.txt
deleted file mode 100644
index 635ae780..00000000
--- a/Chalice/tests/general-tests/nestedPredicates.output.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Verification of nestedPredicates.chalice using parameters=""
-
- 56.7: Assertion might not hold. The expression at 56.14 might not evaluate to true.
- 59.9: Assertion might not hold. The expression at 59.16 might not evaluate to true.
- 69.7: Assertion might not hold. The expression at 69.14 might not evaluate to true.
- 70.7: Assertion might not hold. The expression at 70.14 might not evaluate to true.
- 71.7: Assertion might not hold. The expression at 71.14 might not evaluate to true.
- 81.7: Assertion might not hold. The expression at 81.14 might not evaluate to true.
- 88.7: Assertion might not hold. The expression at 88.14 might not evaluate to true.
- 90.9: Assertion might not hold. The expression at 90.16 might not evaluate to true.
-
-Boogie program verifier finished with 8 errors and 0 smoke test warnings
diff --git a/Chalice/tests/general-tests/prog0.chalice b/Chalice/tests/general-tests/prog0.chalice
deleted file mode 100644
index fb835a24..00000000
--- a/Chalice/tests/general-tests/prog0.chalice
+++ /dev/null
@@ -1,109 +0,0 @@
-class C {
- method m() {
- assert 4 + (a * 5) + (2 + 3) * (a + a);
- a := a + 3;
- b := a - b - c + 4 * d + 20 + --25;
- b := ((((a - b) - c) + 4 * d) + 20) + --25;
- c := a - (b - (c + (4 * d + (20 + 25))));
- assert (X ==> Y) ==> Z <==> A ==> B ==> C;
- assume A && B && (C || D || E) && F;
- var x;
- var y := 12 + !(x.f.g).h - (!x).f + (!x.f);
- var z := new C;
- y := new D;
- o.f := 5;
- (a + b).y := new T;
- reorder (2 ==(O != 3)) != O between a,b,c and x,y,z;
- reorder X ==> Y below x+5;
- reorder o.f above this, null;
- share o;
- unshare o;
- acquire o;
- release o;
- rd acquire o;
- rd release o;
- downgrade o;
- var tok: token<C.m>;
- fork tok := o.m();
- join tok;
- assert rd(x) + acc(y) + acc(z, 1/4) + old(old(k)) + null.f;
- x := this.f;
- call m(2,3,4);
- call this.m(2,3,4);
- call a,b,c := o.m();
- call x := m(200);
- reorder o above waitlevel;
- }
- method p(a,b,c) returns (x,y,z)
- requires 8 + 2 == 10;
- ensures 8 + 5 > 10;
- requires x == y+1;
- ensures old(x) < x;
- {
- if (x == 7) {
- y := y + 1; z := z + 2;
- } else if (x == 8) {
- y := 2;
- } else {
- z := 10;
- }
- { // empty block
- }
- if (x == 9) { }
- if (x == 10) { x := 10; } else { }
- var n := 0;
- while (n < 100) { n := n - 1; }
- while (n != 0)
- invariant n % 2 == 0;
- invariant sqrt2 * sqrt2 == 2;
- {
- n := n - 2;
- }
- call v,x := s.M(65);
- }
-}
-class D { }
-
-// ----- tests specifically of implicit locals in CALL and RECEIVE statements
-
-class ImplicitC {
- var k: int;
-
- method MyMethod() returns (x: int, y: ImplicitC)
- requires acc(k)
- ensures acc(y.k) && x < y.k
- {
- x := k - 15;
- y := this;
- }
-
- method B0() {
- var c := new ImplicitC;
- call a, b := c.MyMethodX(); // error: method not found (so what is done with a,b?)
- assert a < b.k;
- }
-
- method B1() {
- var c := new ImplicitC;
- call a, a := c.MyMethod(); // error: a occurs twice
- assert a < b.k;
- }
-
- method D0() {
- var ch := new Ch;
- var c := new ImplicitC;
- send ch(c.k - 15, c); // give ourselves some credit
- receive a, b := chX; // error: channel not found (so what is done with a,b?)
- assert a < b.k;
- }
-
- method D1() {
- var ch := new Ch;
- var c := new ImplicitC;
- send ch(c.k - 15, c); // give ourselves some credit
- receive a, a := ch; // error: a occurs twice
- assert a < b.k;
- }
-}
-
-channel Ch(x: int, y: ImplicitC) where acc(y.k) && x < y.k;
diff --git a/Chalice/tests/general-tests/prog0.output.txt b/Chalice/tests/general-tests/prog0.output.txt
deleted file mode 100644
index 5b329874..00000000
--- a/Chalice/tests/general-tests/prog0.output.txt
+++ /dev/null
@@ -1,146 +0,0 @@
-Verification of prog0.chalice using parameters=""
-
-The program did not typecheck.
-3.17: undeclared member a in class C
-3.37: undeclared member a in class C
-3.41: undeclared member a in class C
-3.12: assert statement requires a boolean expression (found int)
-4.5: undeclared member a in class C
-4.10: undeclared member a in class C
-5.5: undeclared member b in class C
-5.10: undeclared member a in class C
-5.14: undeclared member b in class C
-5.18: undeclared member c in class C
-5.26: undeclared member d in class C
-6.5: undeclared member b in class C
-6.14: undeclared member a in class C
-6.18: undeclared member b in class C
-6.23: undeclared member c in class C
-6.32: undeclared member d in class C
-7.5: undeclared member c in class C
-7.10: undeclared member a in class C
-7.15: undeclared member b in class C
-7.20: undeclared member c in class C
-7.29: undeclared member d in class C
-8.13: undeclared member X in class C
-8.19: undeclared member Y in class C
-8.13: incorrect type of ==> LHS (expected bool, found int)
-8.19: incorrect type of ==> RHS (expected bool, found int)
-8.26: undeclared member Z in class C
-8.26: incorrect type of ==> RHS (expected bool, found int)
-8.33: undeclared member A in class C
-8.39: undeclared member B in class C
-8.45: undeclared member C in class C
-8.39: incorrect type of ==> LHS (expected bool, found int)
-8.45: incorrect type of ==> RHS (expected bool, found int)
-8.33: incorrect type of ==> LHS (expected bool, found int)
-9.12: undeclared member A in class C
-9.17: undeclared member B in class C
-9.12: incorrect type of && LHS (expected bool, found int)
-9.17: incorrect type of && RHS (expected bool, found int)
-9.23: undeclared member C in class C
-9.28: undeclared member D in class C
-9.23: incorrect type of || LHS (expected bool, found int)
-9.28: incorrect type of || RHS (expected bool, found int)
-9.33: undeclared member E in class C
-9.33: incorrect type of || RHS (expected bool, found int)
-9.39: undeclared member F in class C
-9.39: incorrect type of && RHS (expected bool, found int)
-11.21: undeclared member f in class int
-11.21: undeclared member g in class int
-11.21: undeclared member h in class int
-<undefined position>: not-expression requires boolean operand
-<undefined position>: incorrect type of + RHS (expected int, found bool)
-11.33: not-expression requires boolean operand
-11.33: undeclared member f in class bool
-11.43: undeclared member f in class int
-11.42: not-expression requires boolean operand
-11.42: incorrect type of + RHS (expected int, found bool)
-13.5: type mismatch in assignment, lhs=int rhs=D
-14.5: undeclared member o in class C
-14.5: undeclared member f in class int
-15.6: undeclared member a in class C
-15.10: undeclared member b in class C
-15.5: undeclared member y in class int
-15.18: undefined class or channel T used in new expression
-16.19: undeclared member O in class C
-16.14: == requires operands of the same type, found int and bool
-16.31: undeclared member O in class C
-16.13: != requires operands of the same type, found bool and int
-16.13: object in reorder statement must be of a reference type (found bool)
-16.41: undeclared member a in class C
-16.41: install bound must be of a reference type or Mu type (found int)
-16.43: undeclared member b in class C
-16.43: install bound must be of a reference type or Mu type (found int)
-16.45: undeclared member c in class C
-16.45: install bound must be of a reference type or Mu type (found int)
-16.51: install bound must be of a reference type or Mu type (found int)
-16.53: install bound must be of a reference type or Mu type (found int)
-17.13: undeclared member X in class C
-17.19: undeclared member Y in class C
-17.13: incorrect type of ==> LHS (expected bool, found int)
-17.19: incorrect type of ==> RHS (expected bool, found int)
-17.13: object in reorder statement must be of a reference type (found bool)
-17.27: install bound must be of a reference type or Mu type (found int)
-18.13: undeclared member o in class C
-18.13: undeclared member f in class int
-18.13: object in reorder statement must be of a reference type (found int)
-19.11: undeclared member o in class C
-19.11: object in share statement must be of a reference type (found int)
-20.13: undeclared member o in class C
-20.13: object in unshare statement must be of a reference type (found int)
-21.13: undeclared member o in class C
-21.13: object in acquire statement must be of a reference type (found int)
-22.13: undeclared member o in class C
-22.13: object in release statement must be of a reference type (found int)
-23.16: undeclared member o in class C
-23.16: object in rd acquire statement must be of a reference type (found int)
-24.16: undeclared member o in class C
-24.16: object in rd release statement must be of a reference type (found int)
-25.15: undeclared member o in class C
-25.15: object in downgrade statement must be of a reference type (found int)
-27.17: undeclared member o in class C
-27.5: call of undeclared member m in class int
-27.10: wrong token type
-29.12: rd expression is allowed only in positive predicate contexts
-29.15: undeclared member x in class C
-29.20: acc expression is allowed only in positive predicate contexts
-29.24: undeclared member y in class C
-29.12: incorrect type of + LHS (expected int, found bool)
-29.20: incorrect type of + RHS (expected int, found bool)
-29.29: acc expression is allowed only in positive predicate contexts
-29.33: undeclared member z in class C
-29.29: incorrect type of + RHS (expected int, found bool)
-29.51: undeclared member k in class C
-29.57: undeclared member f in class null
-29.12: assert statement requires a boolean expression (found int)
-30.10: undeclared member f in class C
-31.5: wrong number of actual in-parameters in call to C.m (3 instead of 0)
-32.5: wrong number of actual in-parameters in call to C.m (3 instead of 0)
-33.19: undeclared member o in class C
-33.5: call of undeclared member m in class int
-34.5: wrong number of actual in-parameters in call to C.m (1 instead of 0)
-34.5: wrong number of actual out-parameters in call to C.m (1 instead of 0)
-35.13: undeclared member o in class C
-35.13: object in reorder statement must be of a reference type (found int)
-58.17: undeclared member sqrt2 in class C
-58.25: undeclared member sqrt2 in class C
-62.17: undeclared member s in class C
-62.5: call of undeclared member M in class int
-82.5: call of undeclared member MyMethodX in class ImplicitC
-83.12: undefined local variable a
-83.16: undefined local variable b
-83.16: undeclared member k in class int
-88.13: the type of the formal argument is not assignable to the actual parameter (expected: ImplicitC, found: int)
-88.13: duplicate actual out-parameter: a
-89.16: undeclared member b in class ImplicitC
-89.16: undeclared member k in class int
-96.21: undeclared member chX in class ImplicitC
-96.5: receive expression (which has type int) does not denote a channel
-97.12: undefined local variable a
-97.16: undefined local variable b
-97.16: undeclared member k in class int
-104.16: the type of the formal argument is not assignable to the actual parameter (expected: ImplicitC, found: int)
-104.16: duplicate actual out-parameter: a
-105.16: undeclared member b in class ImplicitC
-105.16: undeclared member k in class int
diff --git a/Chalice/tests/general-tests/prog1.chalice b/Chalice/tests/general-tests/prog1.chalice
deleted file mode 100644
index 133de36d..00000000
--- a/Chalice/tests/general-tests/prog1.chalice
+++ /dev/null
@@ -1,86 +0,0 @@
-// 7 errors expected
-
-class C {
- var x: int;
- invariant acc(x) && 0 <= x;
-
- method seq0() returns (r: int)
- {
- r := x; // error: cannot access this.x here (90)
- }
- method seq1() returns (r: int)
- requires acc(x);
- {
- r := x;
- }
- method seq2() returns (r: int)
- requires rd(x);
- {
- r := x;
- }
- method seq3() returns (r: int)
- requires rd(x);
- {
- r := x;
- x := x + 1; // error: cannot write to this.x here (184)
- }
-
- method main0()
- {
- var c := new C;
- c.x := 0;
- share c;
- var t := c.x; // error: cannot access c.x now (254)
- }
- method main1()
- {
- var c := new C;
- c.x := 2;
- share c;
- acquire c;
- c.x := c.x - 1;
- release c; // error: monitor invariant might not hold (362)
- }
- method main2()
- {
- var c := new C;
- c.x := 2;
- share c;
- acquire c;
- c.x := c.x + 1;
- release c; // good!
- }
- method main3()
- {
- var c := new C;
- c.x := 2;
- share c;
- rd acquire c;
- var tmp := c.x + 1; // fine
- c.x := tmp; // error: cannot write to c.x here (582)
- rd release c;
- }
- method main4()
- {
- var c := new C;
- c.x := 2;
- share c;
- acquire c;
- c.x := c.x + 1;
- unshare c;
- c.x := c.x + 1;
- }
- method main5()
- {
- var c := new C;
- unshare c; // error: cannot unshare an object that isn't shared (754)
- }
- method main6()
- {
- var c := new C;
- c.x := 0;
- share c; acquire c;
- unshare c;
- unshare c; // error: cannot unshare an object that isn't shared (862)
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/prog1.output.txt b/Chalice/tests/general-tests/prog1.output.txt
deleted file mode 100644
index c6c5fe0e..00000000
--- a/Chalice/tests/general-tests/prog1.output.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-Verification of prog1.chalice using parameters=""
-
- 9.10: Location might not be readable.
- 25.5: Location might not be writable
- 33.14: Location might not be readable.
- 42.5: Monitor invariant might hot hold. The expression at 5.23 might not evaluate to true.
- 60.5: Location might not be writable
- 76.5: The target of the unshare statement might not be shared.
- 84.5: The target of the unshare statement might not be shared.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 7.3: The end of method seq0 is unreachable.
- 21.3: The end of method seq3 is unreachable.
- 28.3: The end of method main0 is unreachable.
- 53.3: The end of method main3 is unreachable.
- 73.3: The end of method main5 is unreachable.
- 78.3: The end of method main6 is unreachable.
-
-Boogie program verifier finished with 7 errors and 6 smoke test warnings
diff --git a/Chalice/tests/general-tests/prog2.chalice b/Chalice/tests/general-tests/prog2.chalice
deleted file mode 100644
index 3b6f2783..00000000
--- a/Chalice/tests/general-tests/prog2.chalice
+++ /dev/null
@@ -1,92 +0,0 @@
-// 4 errors expected
-
-class C {
- method M(x: int) returns (y: bool)
- requires 0 <= x;
- ensures y <==> x == 10;
- {
- y := true;
- if (x != 10) { y := !y; }
- }
-
- method Caller0()
- {
- var b: bool;
- call b := M(12);
- assert !b;
- call b := M(10);
- assert b;
- }
- method Caller1()
- {
- var b: bool;
- call b := M(11);
- assert b; // error (258)
- }
-
- var F: int;
-
- method P(n: int)
- requires acc(F);
- ensures F == old(F) + n; // error
- {
- F := F + n;
- }
- method Caller2()
- requires acc(F);
- {
- var prev := F;
- call P(2);
- }
-
- method Q(n: int)
- requires acc(F);
- ensures acc(F) && F == old(F) + n;
- {
- F := F + n;
- }
- method Caller3()
- requires acc(F);
- ensures acc(F);
- {
- var prev := F;
- call Q(2);
- assert F == prev + 2;
- }
-}
-
-class Consts {
- method M0() returns (z: int)
- ensures z == 5
- {
- const a := 5
- z := a
- }
- method M1() {
- ghost const a
- a := 5
- }
- method M2() {
- ghost const a
- a := 5
- a := 5 // error (569)
- }
- method M3(b: bool) {
- ghost const a
- if (b) { a := 5 }
- assert a < 10 // error (611)
- }
- method M4(b: bool) {
- ghost const a
- if (b) { a := 5 }
- ghost var x := a
- if (!b) { a := 7 }
- assert a < 10
- assert b ==> x == 5 // cool, huh?
- }
- method M5(b: bool) {
- ghost const a
- if (b) { a := 5 }
- assert assigned(a) ==> a == 5
- }
-}
diff --git a/Chalice/tests/general-tests/prog2.output.txt b/Chalice/tests/general-tests/prog2.output.txt
deleted file mode 100644
index da8dcf22..00000000
--- a/Chalice/tests/general-tests/prog2.output.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Verification of prog2.chalice using parameters=""
-
- 24.5: Assertion might not hold. The expression at 24.12 might not evaluate to true.
- 31.13: Location might not be readable.
- 72.5: Const variable can be assigned to only once.
- 77.5: Assertion might not hold. The expression at 77.12 might not evaluate to true.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 20.3: The end of method Caller1 is unreachable.
- 69.3: The end of method M2 is unreachable.
-
-Boogie program verifier finished with 4 errors and 2 smoke test warnings
diff --git a/Chalice/tests/general-tests/prog3.chalice b/Chalice/tests/general-tests/prog3.chalice
deleted file mode 100644
index de5dfad7..00000000
--- a/Chalice/tests/general-tests/prog3.chalice
+++ /dev/null
@@ -1,246 +0,0 @@
-// 4 errors expected
-
-class Main {
- method A() {
- var d := new Data;
- call d.Init();
- share d;
-
- var t0: T := new T; t0.d := d;
- share t0 between waitlevel and d
- var t1: T := new T; t1.d := d;
- share t1 between waitlevel and d
-
- var t0Token: token<T.run>;
- fork t0Token := t0.run();
- var t1Token: token<T.run>;
- fork t1Token := t1.run();
-
- join t0Token; acquire t0; unshare t0;
- join t1Token; acquire t1; unshare t1;
-
- acquire d; unshare d;
- assert 0 <= d.x && d.x < 100;
- }
-
- method B() returns (r: U)
- lockchange r;
- {
- var u := new U;
- share u;
-
- var uToken: token<U.run>;
- fork uToken := u.run();
-
- acquire u; // a little unusual to acquire after a fork, but allowed
- assert waitlevel == u.mu;
-
- var v := new U;
- share v; acquire v; // this line has the effect of increasing waitlevel
-
- assert waitlevel == v.mu;
- assert waitlevel != u.mu;
- assert u << v;
- assert u << waitlevel;
-
- join uToken; // material for the smoke check
- release u;
- r := v;
- }
-
- method C()
- ensures waitlevel == old(waitlevel);
- {
- var u := new U;
- share u;
- acquire u;
- release u;
- }
-
- method Mx0()
- {
- }
- method Mx1()
- lockchange this
- {
- }
- method MxCaller0()
- ensures waitlevel == old(waitlevel);
- {
- }
- method MxCaller1()
- ensures waitlevel == old(waitlevel);
- {
- call Mx0();
- }
- method MxCaller2()
- ensures waitlevel == old(waitlevel); // error
- {
- call Mx1();
- } // error: missing lockchange
-
- method D(u: U)
- requires u != null && rd(u.mu) && waitlevel << u;
- ensures waitlevel == old(waitlevel);
- {
- acquire u;
- release u;
- }
-}
-
-class Data {
- var x: int;
- invariant acc(x) && 0 <= x && x < 100;
- method Init()
- requires acc(x);
- ensures acc(x) && x == 0;
- {
- x := 0;
- }
-}
-
-class T {
- var d: Data;
- invariant rd(d) && d != null && rd(d.mu) && rd(this.mu) && this << d;
- method run()
- requires rd(mu) && waitlevel << this;
- ensures rd(mu);
- {
- acquire this;
- acquire d;
- d.x := d.x + 1;
- if (d.x == 100) { d.x := 0; }
- release d;
- release this;
- }
-}
-
-class U {
- method run()
- requires rd(mu) && waitlevel << this;
- ensures rd(mu);
- {
- }
-}
-
-// Tests that use OLD in postcondition of run:
-
-class X {
- var k: int
- var l: int
-
- method inc()
- requires acc(k)
- ensures acc(k) && k == old(k) + 1
- {
- k := k + 1
- }
- method Client0() returns (y: int)
- ensures y == 8
- {
- var x := new X
- x.k := 17 x.l := 10
- call x.inc()
- assert x.k == 18 && x.l == 10
- y := x.k - x.l
- }
-
- method run()
- requires acc(k) && 0 <= k
- ensures acc(k) && k == old(k) + 1
- {
- k := k + 1
- }
-
- method Client1() returns (y: int)
- ensures y == 8
- {
- var x := new X
- x.k := 17
- x.l := 20
- var xToken: token<X.run>;
- fork xToken := x.run();
- x.l := 10
- join xToken
- assert x.k == 18 && x.l == 10
- y := x.k - x.l
- }
- method Client2(tk: token<X.run>, x: X) returns (z: int)
- requires x!=null && tk!=null && acc(tk.joinable) && tk.joinable && eval(tk.fork x.run(), acc(x.k) && 0<=x.k);
- ensures 1 <= z
- {
- join tk
- z := x.k
- assert 1<=x.k;
- }
-}
-
-class ReadSharing {
- var x: int
-
- method Consume()
- requires rd(x,1)
- {
- // skip
- }
-
- method Divulge() // bad
- requires rd(x,1)
- {
- call Consume()
- call Consume() // error: cannot share twice (1773)
- }
-
- method Communicates() // good
- requires rd(x,3)
- ensures rd(x,1)
- {
- call Consume()
- call Consume()
- }
-
- method Gossips() // bad
- requires rd(x,3)
- ensures rd(x,1)
- {
- call Consume()
- call Consume()
- call Consume()
- } // error: does not live up to postcondition (2015)
-
- method Shares() // good
- requires rd*(x)
- ensures rd*(x)
- {
- call Consume()
- call Consume()
- call Consume()
- }
-
- method TeamPlayer(N: int) // good
- requires 0<N && rd(x,N)
- {
- var n := N
- while (1 < n)
- invariant 0<n && rd(x,n)
- {
- n := n - 1
- }
- }
-
- method Unselfish(N: int) // good
- requires rd*(x)
- ensures rd*(x)
- {
- var n := N
- if (N == 173) {
- call Unselfish(200)
- }
- while (0 < n)
- invariant rd*(x)
- {
- call Consume()
- n := n - 1
- }
- }
-}
diff --git a/Chalice/tests/general-tests/prog3.output.txt b/Chalice/tests/general-tests/prog3.output.txt
deleted file mode 100644
index 286b9248..00000000
--- a/Chalice/tests/general-tests/prog3.output.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Verification of prog3.chalice using parameters=""
-
- 76.3: The postcondition at 77.13 might not hold. The expression at 77.13 might not evaluate to true.
- 76.3: Method might lock/unlock more than allowed.
- 191.5: The precondition at 182.14 might not hold. Insufficient epsilons at 182.14 for ReadSharing.x.
- 202.3: The postcondition at 204.13 might not hold. Insufficient epsilons at 204.13 for ReadSharing.x.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 191.5: The statements after the method call statement are unreachable.
-
-Boogie program verifier finished with 4 errors and 1 smoke test warnings
diff --git a/Chalice/tests/general-tests/prog4.chalice b/Chalice/tests/general-tests/prog4.chalice
deleted file mode 100644
index 3c655c71..00000000
--- a/Chalice/tests/general-tests/prog4.chalice
+++ /dev/null
@@ -1,53 +0,0 @@
-class LoopTargets {
- method M() returns (y) {
- y := 0
- while (y < 100) { y := y + 1 }
- assert y == 0 // error (139)
- }
- method N() returns (t: LoopTargets)
- lockchange t
- {
- t := new LoopTargets
- share t
- acquire t
- var s := true
- while (s)
- lockchange t
- {
- release t // error: loop invariant does not say holds(t) (252)
- s := false
- }
- }
- method P() {
- var t := new LoopTargets
- share t
- acquire t
- var s := true
- while (s)
- invariant acc(t.mu) && waitlevel == t.mu
- lockchange t
- {
- release t // error: loop invariant does not say holds(t) (414)
- acquire t
- s := false
- }
- release t
- }
- method Q() {
- var t := new LoopTargets
- share t
- acquire t
- var s := true
- while (s)
- invariant rd(t.mu)
- invariant holds(t) && waitlevel == t.mu
- lockchange t
- {
- release t
- acquire t
- s := false
- }
- assert holds(t) // there we are
- release t
- }
-}
diff --git a/Chalice/tests/general-tests/prog4.output.txt b/Chalice/tests/general-tests/prog4.output.txt
deleted file mode 100644
index 4ab057dd..00000000
--- a/Chalice/tests/general-tests/prog4.output.txt
+++ /dev/null
@@ -1,14 +0,0 @@
-Verification of prog4.chalice using parameters=""
-
- 5.5: Assertion might not hold. The expression at 5.12 might not evaluate to true.
- 17.7: The target of the release statement might not be locked by the current thread.
- 17.7: Release might fail because the current thread might hold the read lock.
- 30.7: The target of the release statement might not be locked by the current thread.
- 30.7: Release might fail because the current thread might hold the read lock.
- 34.5: The target of the release statement might not be locked by the current thread.
- 34.5: Release might fail because the current thread might hold the read lock.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 2.3: The end of method M is unreachable.
-
-Boogie program verifier finished with 7 errors and 1 smoke test warnings
diff --git a/Chalice/tests/general-tests/quantifiers.chalice b/Chalice/tests/general-tests/quantifiers.chalice
deleted file mode 100644
index 7377ca3f..00000000
--- a/Chalice/tests/general-tests/quantifiers.chalice
+++ /dev/null
@@ -1,59 +0,0 @@
-class A {
- var f: int;
-}
-
-class Quantifiers {
- var bamboo: seq<A>;
-
- method test1(a: seq<int>, b: int)
- requires b in a;
- requires b > 0;
- {
- assert exists j in a :: true && j > 0;
- assert exists j:int :: 0 <= j && j < |a| && a[j] > 0;
- assert forall j in a :: exists k in a :: k > 0;
- }
-
- method test2(a: seq<A>)
- requires rd(a[*].*);
- requires |a| > 0;
- requires forall i in a :: i != null && i.f > 0;
- {
- assert a[0].f > 0;
- assert forall j: A :: j in a && j != null ==> j.f > 0;
- assert exists j: A :: j in a && j != null && j.f > 0;
- }
-
- method test3(a: seq<A>)
- requires |a| > 0;
- requires acc(a[*].f);
- {
- var c := new A;
- assert c != a[0];
- }
-}
-
-class Functions {
- var x: int;
- var y: int;
-
- function test1(): int
- requires acc(this.*);
- {
- x + y
- }
-
- function test2(): int
- requires acc(x) && acc(y);
- {
- x + y
- }
-
- function test3(a: seq<A>): int
- requires acc(a[*].f);
- requires forall x in a :: x != null;
- requires forall i,j in [0..|a|] :: i != j ==> a[i] != a[j];
- {
- |a| == 0 ? 0 : a[0].f + test3(a[1..])
- }
-}
diff --git a/Chalice/tests/general-tests/quantifiers.output.txt b/Chalice/tests/general-tests/quantifiers.output.txt
deleted file mode 100644
index f05847b6..00000000
--- a/Chalice/tests/general-tests/quantifiers.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of quantifiers.chalice using parameters=""
-
- 57.29: The heap of the callee might not be strictly smaller than the heap of the caller.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/general-tests/reg_test.bat b/Chalice/tests/general-tests/reg_test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/general-tests/reg_test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/reg_test_all.bat b/Chalice/tests/general-tests/reg_test_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/general-tests/reg_test_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/test.bat b/Chalice/tests/general-tests/test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/general-tests/test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/general-tests/triggers.chalice b/Chalice/tests/general-tests/triggers.chalice
deleted file mode 100644
index 08a6a7dd..00000000
--- a/Chalice/tests/general-tests/triggers.chalice
+++ /dev/null
@@ -1,81 +0,0 @@
-// this test is for the automatic trigger generation
-
-class Triggers
-{
- var next : Triggers // to allow recursive definitions
-
- predicate valid { acc(next) && next != null && next.valid } // intentionally doesn't terminate - allows function definitions to be unknown
-
- function f(x,y,z : int):bool
- requires valid
- {
- unfolding valid in next.f(x,y,z) // unknown definition
- }
-
- function h(x,y,z : int):bool
- requires valid
- {
- unfolding valid in next.h(x,y,z) // unknown definition
- }
-
- function g(x : int) : bool
- requires valid
- {
- unfolding valid in next.g(x) // unknown definition
- }
-
- function i(x:int, y:bool) : bool
- requires valid
- {
- unfolding valid in next.i(x,y) // unknown definition
- }
-
-
- method triggers_one()
- requires valid
- requires (forall a : int :: !(g(a) ==> false))
- ensures valid
- ensures (forall b : int :: g(b))
- { }
-
- method triggers_two()
- requires valid
- requires (forall a,b,c : int :: ( g(a) && f(a,b,c)))
- ensures valid
- ensures (forall x,y,z : int :: f(x,y,z))
- ensures (forall w : int :: (g(w))) // fails because there isn't a good enough trigger for finding g(w)
- { }
-
- method triggers_three()
- requires valid
- requires (forall a : int :: ( g(a) && (forall b,c : int :: f(a,b,c))))
- ensures valid
- ensures (forall x,y,z : int :: f(x,y,z)) // fails because of the trigger chosen for a (g(a)).
- ensures (forall w : int :: (g(w)))
- { }
-
- method triggers_four()
- requires valid
- requires (forall a,b,c,d,e:int :: f(a,b,c) && h(b,c,d) && f(c,d,e))
- ensures valid
- ensures (forall x,y,z : int :: f(x,y,z)) // fails - not enough triggers
- ensures (forall x,y,z : int :: f(x,y,z) && f(z,y,x)) // succeeds - {f(a,b,c),f(c,d,e)} is one of the trigger sets which should be found
- { }
-
- method triggers_five(c : bool, d : bool)
- requires c ==> d
- requires valid
- requires (forall x : int :: i(x, (c ==> d))) // check that logical operators are suitably avoided in triggers
- ensures valid
- ensures i(4,true)
- { }
-
- method triggers_six(c : int, d : int)
- requires c > d
- requires valid
- requires (forall x : int :: i(x, (c > d))) // check that logical operators are suitably avoided in triggers
- ensures valid
- ensures i(4,true)
- { }
-
-}
\ No newline at end of file
diff --git a/Chalice/tests/general-tests/triggers.output.txt b/Chalice/tests/general-tests/triggers.output.txt
deleted file mode 100644
index 3fae3c21..00000000
--- a/Chalice/tests/general-tests/triggers.output.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Verification of triggers.chalice using parameters=""
-
- 41.3: The postcondition at 46.14 might not hold. The expression at 46.14 might not evaluate to true.
- 49.3: The postcondition at 53.14 might not hold. The expression at 53.14 might not evaluate to true.
- 57.3: The postcondition at 61.14 might not hold. The expression at 61.14 might not evaluate to true.
-
-Boogie program verifier finished with 3 errors and 0 smoke test warnings
diff --git a/Chalice/tests/permission-model/basic.chalice b/Chalice/tests/permission-model/basic.chalice
deleted file mode 100644
index 53443a49..00000000
--- a/Chalice/tests/permission-model/basic.chalice
+++ /dev/null
@@ -1,232 +0,0 @@
-class Cell {
- var x: int;
-
- // dispose a read permission to x
- method dispose_rd()
- requires rd(x);
- ensures true;
- {
- }
-
- // return read permission
- method void()
- requires rd(x);
- ensures rd(x);
- {
- }
-
- // multiple calls to method that destroys rd(x)
- method a1()
- requires rd(x);
- ensures true;
- {
- call dispose_rd();
- call dispose_rd();
- }
-
- // call to method that destroys rd(x) really removes permission
- method a2()
- requires rd(x);
- ensures rd(x);
- {
- call dispose_rd();
- // ERROR: should fail to verify postcondition
- }
-
- // forking and method calls of dispose_rd
- method a3()
- requires rd(x);
- ensures true;
- {
- fork dispose_rd();
- call dispose_rd();
- fork dispose_rd();
- call dispose_rd();
- }
-
- // forking and method calls of dispose_rd
- method a4()
- requires rd(x);
- ensures rd(x);
- {
- fork dispose_rd();
- // ERROR: should fail to verify postcondition
- }
-
- // forking and method calls of dispose_rd
- method a5()
- requires rd(x);
- ensures rd(x,1);
- {
- fork dispose_rd();
- // OK: giving away an epsilon permission however should work
- }
-
- // forking and method calls of dispose_rd
- method a6()
- requires rd(x);
- ensures rd*(x);
- {
- fork dispose_rd();
- // OK: giving away a 'undefined' read permission however should work
- }
-
- // multiple forks of dispose_rd
- method a7()
- requires rd(x);
- ensures true;
- {
- fork dispose_rd();
- fork dispose_rd();
- fork dispose_rd();
- fork dispose_rd();
- fork dispose_rd();
- fork dispose_rd();
- }
-
- // joining to regain permission
- method a8(a: int)
- requires rd(x);
- ensures rd(x)
- {
- fork tk := void();
- join tk;
- }
-
- // joining to regain permission
- method a9(a: int)
- requires rd(x);
- ensures rd(x)
- {
- fork tk := dispose_rd();
- join tk;
- // ERROR: should fail to verify postcondition
- }
-
- // joining to regain permission
- method a10(a: int)
- requires rd(x);
- ensures a == 3 ==> rd(x)
- {
- fork tk := void();
- if (3 == a) {
- join tk;
- }
- }
-
- // finite loop of method calls, preserving rd(x)
- method a11()
- requires rd(x);
- ensures rd(x);
- {
- var i: int;
- i := 0;
- while (i < 1000)
- invariant rd(x);
- {
- call void();
- i := i+1;
- }
- }
-
- // forking dispose_rd in a loop (using rd(x,*) to denote unknown read permission)
- method a12(a: int)
- requires rd(x);
- ensures rd*(x);
- {
- var i: int;
- i := 0;
- while (i < a)
- invariant rd*(x);
- {
- fork dispose_rd();
- i := i+1;
- }
- }
-
- // forking dispose_rd in a loop (using rd(x,*) to denote unknown read permission)
- method a13(a: int)
- requires rd(x);
- ensures rd(x);
- {
- var i: int;
- i := 0;
- while (i < a)
- invariant rd*(x);
- {
- fork dispose_rd();
- i := i+1;
- }
- // ERROR: should fail to verify postcondition
- }
-
- // calling dispose_rd in a loop (using rd(x,*) to denote unknown read permission)
- method a14()
- requires rd(x);
- ensures true;
- {
- call dispose_rd();
-
- var i: int;
- i := 0;
- while (i < 1000)
- invariant rd*(x);
- {
- call dispose_rd();
- i := i+1;
- }
- }
-
- // return unknown permission
- method a15()
- requires rd(x);
- ensures rd*(x);
- {
- call dispose_rd();
- }
-
- // rd in loop invariant
- method a16()
- requires rd(x);
- ensures rd*(x);
- {
- call dispose_rd();
-
- var i: int;
- i := 0;
- while (i < 1000)
- invariant acc(x,rd);
- {
- call void();
- i := i+1;
- }
- }
-
- // rd in method contracts
- method a17()
- requires acc(x,rd);
- {
- call dispose_rd();
- call a17();
- }
-
- // multiple rd in method contracts
- method a18()
- requires rd(x);
- ensures rd(x)
- {
- call a18a()
- call a18b()
- }
- method a18a()
- requires acc(x,2*rd);
- ensures acc(x,rd+rd);
- {
- }
- method a18b()
- requires acc(x,rd+rd);
- ensures acc(x,rd*2);
- {
- }
-
-}
diff --git a/Chalice/tests/permission-model/basic.output.txt b/Chalice/tests/permission-model/basic.output.txt
deleted file mode 100644
index b2bf49bd..00000000
--- a/Chalice/tests/permission-model/basic.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of basic.chalice using parameters=""
-
- 28.3: The postcondition at 30.13 might not hold. Insufficient fraction at 30.13 for Cell.x.
- 48.3: The postcondition at 50.13 might not hold. Insufficient fraction at 50.13 for Cell.x.
- 97.3: The postcondition at 99.13 might not hold. Insufficient fraction at 99.13 for Cell.x.
- 148.3: The postcondition at 150.13 might not hold. Insufficient fraction at 150.13 for Cell.x.
-
-Boogie program verifier finished with 4 errors and 0 smoke test warnings
diff --git a/Chalice/tests/permission-model/channels.chalice b/Chalice/tests/permission-model/channels.chalice
deleted file mode 100644
index 6a4961cd..00000000
--- a/Chalice/tests/permission-model/channels.chalice
+++ /dev/null
@@ -1,45 +0,0 @@
-class C {
- var f: int;
-
- method t1(ch: C1)
- requires ch != null && rd(f);
- ensures true;
- {
- send ch(this) // ERROR
- }
-
- method t2(ch: C1)
- requires ch != null && acc(f);
- ensures true;
- {
- send ch(this)
- }
-
- method t3(ch: C2)
- requires ch != null && rd(f);
- ensures rd(f);
- {
- send ch(this)
- // ERROR: should fail to verify postcondition
- }
-
- method t4(ch: C1, a: C) returns (b: C)
- requires ch != null && credit(ch, 1) && rd(ch.mu) && waitlevel << ch;
- ensures rd*(b.f);
- {
- receive b := ch
- }
-
- method t5(ch: C1)
- requires ch != null && acc(f,1);
- ensures true;
- {
- send ch(this)
- send ch(this)
- send ch(this)
- }
-
-}
-
-channel C1(x: C) where rd(x.f);
-channel C2(x: C) where rd*(x.f);
diff --git a/Chalice/tests/permission-model/channels.output.txt b/Chalice/tests/permission-model/channels.output.txt
deleted file mode 100644
index b2f76ab6..00000000
--- a/Chalice/tests/permission-model/channels.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of channels.chalice using parameters=""
-
- 8.5: The where clause at 44.24 might not hold. Insufficient fraction at 44.24 for C.f.
- 18.3: The postcondition at 20.13 might not hold. Insufficient fraction at 20.13 for C.f.
-
-Boogie program verifier finished with 2 errors and 0 smoke test warnings
diff --git a/Chalice/tests/permission-model/generate_reference.bat b/Chalice/tests/permission-model/generate_reference.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/permission-model/generate_reference.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/permission-model/generate_reference_all.bat b/Chalice/tests/permission-model/generate_reference_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/permission-model/generate_reference_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/permission-model/locks.chalice b/Chalice/tests/permission-model/locks.chalice
deleted file mode 100644
index 5107fd38..00000000
--- a/Chalice/tests/permission-model/locks.chalice
+++ /dev/null
@@ -1,146 +0,0 @@
-class Cell {
- var x: int;
-
- // use starred read permission
- invariant rd*(x);
-
- method a1(c: Cell)
- requires c != null && rd(c.mu) && waitlevel << c;
- {
- acquire c;
- assert(rd*(c.x));
-
- release c;
- assert(rd*(c.x));
- }
-
- method a2(c: Cell)
- requires c != null && rd(c.mu) && waitlevel << c;
- {
- acquire c;
- assert(rd(c.x)); // ERROR: should fail
-
- release c;
- assert(rd(c.x)); // ERROR: should fail
- }
-
- method a3()
- {
- var c: Cell := new Cell;
-
- share c;
- assert(rd*(c.x));
-
- acquire c;
- unshare c;
- assert(rd*(c.x));
- }
-
- method a4()
- {
- var c: Cell := new Cell;
-
- share c;
- assert(rd(c.x)); // ERROR: should fail
- }
-
- method a5()
- {
- var c: Cell := new Cell;
-
- share c;
- acquire c;
- unshare c;
- assert(rd(c.x)); // ERROR: should fail
- }
-
-}
-
-
-class Cell2 {
- var x: int;
-
- // use normal fractional permission
- invariant rd(x);
-
- method a1(c: Cell2)
- requires c != null && rd(c.mu) && waitlevel << c;
- {
- acquire c;
- assert(rd*(c.x));
-
- release c;
- assert(rd*(c.x)); // ERROR: we gave away all permission
- }
-
- method a2(c: Cell2)
- requires c != null && rd(c.mu) && waitlevel << c;
- {
- acquire c;
- assert(rd(c.x)); // ERROR: should fail
-
- release c;
- assert(rd(c.x)); // ERROR: should fail
- }
-
- method a3()
- {
- var c: Cell2 := new Cell2;
-
- share c;
- assert(rd*(c.x));
-
- call void(c);
- assert(rd*(c.x));
-
- call dispose(c);
- assert(rd*(c.x));
-
- acquire c;
- unshare c;
- assert(rd*(c.x));
-
- assert(acc(c.x)); // ERROR: should fail
- }
-
- method a4(c: Cell2)
- requires c != null && acc(c.mu) && holds(c);
- requires rd(c.x);
- lockchange c
- {
- release c; // ERROR: should fail, we don't have enough permission
- }
-
- method a5()
- {
- var c: Cell2 := new Cell2;
-
- share c;
- acquire c;
- assert(acc(c.x));
-
- unshare c;
- assert(acc(c.x));
- }
-
- method a6(c: Cell2)
- requires acc(c.x,rd(c)) && acc(c.mu) && c.mu == lockbottom
- {
- var n: int;
-
- share c;
- rd acquire c;
- n := c.x
- rd release c;
-
- n := c.x // ERROR: no read access possible
-
- acquire c;
- unshare c;
- }
-
- method void(c: Cell2) requires rd(c.x); ensures rd(c.x); {}
-
- method dispose(c: Cell2) requires rd(c.x); {}
-
-}
diff --git a/Chalice/tests/permission-model/locks.output.txt b/Chalice/tests/permission-model/locks.output.txt
deleted file mode 100644
index 6b3a7abe..00000000
--- a/Chalice/tests/permission-model/locks.output.txt
+++ /dev/null
@@ -1,20 +0,0 @@
-Verification of locks.chalice using parameters=""
-
- 21.5: Assertion might not hold. Insufficient fraction at 21.12 for Cell.x.
- 24.5: Assertion might not hold. Insufficient fraction at 24.12 for Cell.x.
- 44.5: Assertion might not hold. Insufficient fraction at 44.12 for Cell.x.
- 54.5: Assertion might not hold. Insufficient fraction at 54.12 for Cell.x.
- 73.5: Assertion might not hold. Insufficient fraction at 73.12 for Cell2.x.
- 80.5: Assertion might not hold. Insufficient fraction at 80.12 for Cell2.x.
- 83.5: Assertion might not hold. Insufficient fraction at 83.12 for Cell2.x.
- 103.5: Assertion might not hold. Insufficient fraction at 103.12 for Cell2.x.
- 111.5: Monitor invariant might hot hold. Insufficient fraction at 64.13 for Cell2.x.
- 136.10: Location might not be readable.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 66.3: The end of method a1 is unreachable.
- 76.3: The end of method a2 is unreachable.
- 86.3: The end of method a3 is unreachable.
- 138.5: The statements after the acquire statement are unreachable.
-
-Boogie program verifier finished with 10 errors and 4 smoke test warnings
diff --git a/Chalice/tests/permission-model/peculiar.chalice b/Chalice/tests/permission-model/peculiar.chalice
deleted file mode 100644
index 31c4d259..00000000
--- a/Chalice/tests/permission-model/peculiar.chalice
+++ /dev/null
@@ -1,55 +0,0 @@
-class Cell {
- var x: int;
-
- invariant rd(x);
-
- method t1()
- requires acc(x);
- ensures rd(x) && rd(x);
- {
- }
-
- method t2()
- requires acc(x,1);
- ensures rd(x);
- {
- call void();
- }
-
- method t3()
- requires rd(x);
- {
- call t3helper();
- }
-
- method t3helper()
- requires rd(x) && rd(x);
- ensures rd(x) && rd(x);
- {}
-
- method t4()
- requires rd(x);
- {
- call dispose();
- call void(); // call succeeds, even though the precondition is also rd(x), and the next assertion fails
- assert(rd(x)); // ERROR: fails, as this check is done exactly (as it would in a postcondition)
- }
-
- method t5(n: int)
- requires acc(x);
- {
- var i: int := 0;
- call req99();
- while (i < n)
- invariant rd*(x);
- {
- call dispose();
- i := i+1
- }
- }
-
- method dispose() requires rd(x); {}
- method void() requires rd(x); ensures rd(x); {}
- method req99() requires acc(x,99); {}
-
-}
diff --git a/Chalice/tests/permission-model/peculiar.output.txt b/Chalice/tests/permission-model/peculiar.output.txt
deleted file mode 100644
index 07104e77..00000000
--- a/Chalice/tests/permission-model/peculiar.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of peculiar.chalice using parameters=""
-
- 35.5: Assertion might not hold. Insufficient fraction at 35.12 for Cell.x.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 30.3: The end of method t4 is unreachable.
-
-Boogie program verifier finished with 1 errors and 1 smoke test warnings
diff --git a/Chalice/tests/permission-model/permarith_parser.chalice b/Chalice/tests/permission-model/permarith_parser.chalice
deleted file mode 100644
index 5b011d79..00000000
--- a/Chalice/tests/permission-model/permarith_parser.chalice
+++ /dev/null
@@ -1,37 +0,0 @@
-class Cell {
- var x: int;
- var y: Cell;
-
- method a1()
- requires acc(x,y); // ERROR: amount is not integer
- {
- }
-
- method a2()
- requires acc(x,n); // ERROR: unknown variable
- {
- }
-
- method a3()
- requires acc(x,rd(rd(1))); // ERROR: invalid permission expression
- {
- }
-
- method a4()
- requires acc(x,rd*(y)); // ERROR: invalid permission expression
- {
- }
-
- method a5()
- requires acc(x,rd(this.mu)); // ERROR: invalid type inside rd
- requires acc(x,rd(null)); // ERROR: invalid type inside rd
- requires acc(x,rd(true)); // ERROR: invalid type inside rd
- {
- }
-
- method a6()
- requires acc(x,rd(x)*rd(x)); // ERROR: permission multiplication not allowed
- {
- }
-
-}
diff --git a/Chalice/tests/permission-model/permarith_parser.output.txt b/Chalice/tests/permission-model/permarith_parser.output.txt
deleted file mode 100644
index bc6598a1..00000000
--- a/Chalice/tests/permission-model/permarith_parser.output.txt
+++ /dev/null
@@ -1,13 +0,0 @@
-Verification of permarith_parser.chalice using parameters=""
-
-The program did not typecheck.
-6.14: fraction in permission must be of type integer
-11.20: undeclared member n in class Cell
-16.26: permission not expected here.
-16.26: type $Permission is not supported inside a rd expression.
-21.20: rd expression is allowed only in positive predicate contexts
-21.14: expression of type bool invalid in permission
-26.20: type $Mu of variable mu is not supported inside a rd expression.
-27.23: type null is not supported inside a rd expression.
-28.23: type bool is not supported inside a rd expression.
-33.14: multiplication of permission amounts not supported
diff --git a/Chalice/tests/permission-model/permission_arithmetic.chalice b/Chalice/tests/permission-model/permission_arithmetic.chalice
deleted file mode 100644
index 0cdf8aae..00000000
--- a/Chalice/tests/permission-model/permission_arithmetic.chalice
+++ /dev/null
@@ -1,246 +0,0 @@
-class Cell {
- var x: int;
- var i: int;
- var y: Cell;
- var f: int;
- var g: int;
-
- invariant rd(x);
-
- predicate valid { rd(x) }
-
- method a1(n: int) // test various arithmetic operations on permissions
- requires acc(x,1+1) && acc(x,1) && acc(x,3) && acc(x,1-rd(5-7)+rd(3)) && rd(x) && rd(this.y);
- ensures acc(x,100-97);
- {
- }
-
- method a2(n: int)
- requires acc(x,1-rd(1)-2);
- {
- assert false; // this should verify, as the precondition contains an invalid permission
- }
-
- method a3(n: int)
- {
- assert acc(x,1-rd(1)-2); // ERROR: invalid (negative) permission
- }
-
- method a4(n: int)
- requires acc(x,rd(n));
- {
- }
-
- method a5(n: int)
- requires acc(x,rd(n)-rd(2));
- {
- }
-
- method a6()
- requires acc(x);
- {
- call a5(1); // ERROR: n=1 makes the permission in the precondition negative
- }
-
- method a7(c: Cell)
- requires acc(c.x,100-rd(c));
- requires c != null && acc(c.mu) && waitlevel << c;
- ensures acc(c.x);
- {
- acquire(c);
- unshare(c);
- }
-
- method a8()
- requires acc(x,100-rd(valid)) && valid;
- ensures acc(x);
- {
- unfold valid;
- }
-
- method a9()
- requires acc(x,rd(valid));
- ensures valid;
- {
- fold valid;
- }
-
- method a10()
- requires valid;
- ensures acc(x,rd(valid));
- {
- unfold valid;
- }
-
- method a11() // ERROR: postcondition does not hold (not enough permission)
- requires valid;
- ensures acc(x);
- {
- unfold valid;
- }
-
- method a12()
- requires rd(this.i) && this.i > 0 && acc(x,rd(this.i));
- ensures rd(this.i) && this.i > 0 && acc(x,rd(i));
- {
- }
-
- method a13(i: int) // ERROR: postcondition does not hold
- requires rd(this.i) && this.i > 0 && i > 0 && acc(x,rd(this.i));
- ensures i > 0 && acc(x,rd(i));
- {
- }
-
- method a14()
- requires acc(y) && this.y == this; // test aliasing
- requires acc(x,100-rd(y));
- requires y != null && acc(this.mu) && waitlevel << this;
- ensures acc(x);
- lockchange this;
- {
- acquire this;
- }
-
- method a15()
- requires acc(x,rd(this.i)); // ERROR: this.i is not readable
- ensures acc(x,rd(this.i));
- {
- }
-
- method a16()
- requires acc(x,rd(this.y)); // ERROR: this.y is not readable
- ensures acc(x,rd(this.y));
- {
- }
-
- method a17(tk: token<Cell.void>)
- requires acc(x,100-rd(tk)) && acc(tk.joinable) && tk.joinable;
- requires eval(tk.fork this.void(),true);
- ensures acc(x);
- {
- join tk;
- }
-
- method a18()
- requires acc(x,rd+rd-rd+10*rd-rd*(5+5))
- ensures rd(x)
- {
- call void();
- }
-
- method a19()
- requires acc(x)
- requires acc(this.mu) && lockbottom == this.mu
- ensures acc(x)
- lockchange this;
- {
- share this;
- acquire this;
- unshare this;
- }
-
- method a20()
- requires rd(x)
- requires acc(this.mu) && lockbottom == this.mu
- lockchange this;
- {
- share this; // ERROR: not enough permission
- }
-
- method a21()
- requires acc(x,rd*2)
- ensures rd(x) && rd(x)
- {
- assert acc(x,rd+rd)
- assert acc(x,(1+1)*rd)
- }
-
- method a22()
- requires acc(x,1*2*5)
- ensures acc(x,10)
- {
- }
-
- method a23(c: Cell) // ERROR: permission in postcondition not positive
- requires acc(x,rd-rd(c))
- ensures acc(x,rd(c)-rd)
- {
- }
-
- method a24()
- requires rd*(x)
- requires rd*(x)
- {
- }
-
- method a25() // ERROR: postcondition does not hold, possibly not enough permission
- requires rd*(x)
- ensures acc(x,rd)
- {
- }
-
- // interaction of monitors and predicates
- method a26()
- requires acc(x,rd(this))
- requires acc(mu) && lockbottom == this.mu
- ensures valid
- lockchange this
- {
- share this
- acquire this
- fold valid
- }
-
- method a27()
- requires acc(f,100-rd) && acc(f,rd)
- {
- assert acc(f) // ok, we have full access
- }
-
- method a28()
- requires acc(f)
- {
- call a27();
- var x: int
- x := f // ERROR: no permission left
- }
-
- method a27b()
- requires acc(f,100-rd)
- requires acc(f,rd)
- {
- assert acc(f) // ok, we have full access
- }
-
- method a28b()
- requires acc(f)
- {
- call a27b();
- var x: int
- x := f // ERROR: no permission left
- }
-
- method a29()
- requires acc(f, 100-rd) && acc(g, rd)
- { }
-
- method a30()
- requires acc(f, 100) && acc(g, rd)
- {
- call a29();
- var tmp: int := this.g;
- }
-
- method a31(c: Cell)
- requires acc(f, 100-rd) && acc(c.f, rd)
- { }
-
- method a32(c: Cell)
- requires acc(f, 100) && acc(c.f, rd)
- {
- call a31(c);
- var tmp: int := this.f;
- }
-
- method void() requires rd(x); ensures rd(x); {}
-}
diff --git a/Chalice/tests/permission-model/permission_arithmetic.output.txt b/Chalice/tests/permission-model/permission_arithmetic.output.txt
deleted file mode 100644
index b9d20e08..00000000
--- a/Chalice/tests/permission-model/permission_arithmetic.output.txt
+++ /dev/null
@@ -1,22 +0,0 @@
-Verification of permission_arithmetic.chalice using parameters=""
-
- 26.5: Assertion might not hold. The permission at 26.12 might not be positive.
- 42.5: The precondition at 35.14 might not hold. The permission at 35.14 might not be positive.
- 75.3: The postcondition at 77.13 might not hold. Insufficient fraction at 77.13 for Cell.x.
- 88.3: The postcondition at 90.13 might not hold. Insufficient epsilons at 90.22 for Cell.x.
- 105.20: Location might not be readable.
- 111.20: Location might not be readable.
- 147.5: Monitor invariant might not hold. Insufficient fraction at 8.13 for Cell.x.
- 164.3: The postcondition at 166.13 might not hold. The permission at 166.13 might not be positive.
- 176.3: The postcondition at 178.13 might not hold. Insufficient fraction at 178.13 for Cell.x.
- 205.10: Location might not be readable.
- 220.10: Location might not be readable.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 18.3: Precondition of method a2 is equivalent to false.
- 24.3: The end of method a3 is unreachable.
- 42.5: The statements after the method call statement are unreachable.
- 200.3: The end of method a28 is unreachable.
- 215.3: The end of method a28b is unreachable.
-
-Boogie program verifier finished with 11 errors and 5 smoke test warnings
diff --git a/Chalice/tests/permission-model/predicate_error1.chalice b/Chalice/tests/permission-model/predicate_error1.chalice
deleted file mode 100644
index 0726e349..00000000
--- a/Chalice/tests/permission-model/predicate_error1.chalice
+++ /dev/null
@@ -1,20 +0,0 @@
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // fractional read permission
- predicate read2 { rd*(x) } // starred fractional read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- invalid permission scaling ---
-
- method error()
- requires rd(read3);
- {
- unfold rd(read3); // ERROR: scaling epsilons is not possible
- }
-
-}
diff --git a/Chalice/tests/permission-model/predicate_error1.output.txt b/Chalice/tests/permission-model/predicate_error1.output.txt
deleted file mode 100644
index a5e27bac..00000000
--- a/Chalice/tests/permission-model/predicate_error1.output.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Verification of predicate_error1.chalice using parameters=""
-
-Error: Not supported: 17.5: Scaling epsilon permissions with non-full permissions is not possible.
diff --git a/Chalice/tests/permission-model/predicate_error2.chalice b/Chalice/tests/permission-model/predicate_error2.chalice
deleted file mode 100644
index cc8d7d28..00000000
--- a/Chalice/tests/permission-model/predicate_error2.chalice
+++ /dev/null
@@ -1,20 +0,0 @@
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // fractional read permission
- predicate read2 { rd*(x) } // starred fractional read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- invalid permission scaling ---
-
- method error()
- requires rd(read1,1);
- {
- unfold rd(read1,1); // ERROR: scaling epsilons is not possible
- }
-
-}
diff --git a/Chalice/tests/permission-model/predicate_error2.output.txt b/Chalice/tests/permission-model/predicate_error2.output.txt
deleted file mode 100644
index fb660013..00000000
--- a/Chalice/tests/permission-model/predicate_error2.output.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Verification of predicate_error2.chalice using parameters=""
-
-Error: Not supported: 17.5: Scaling epsilon permissions with non-full permissions is not possible.
diff --git a/Chalice/tests/permission-model/predicate_error3.chalice b/Chalice/tests/permission-model/predicate_error3.chalice
deleted file mode 100644
index eb1d8777..00000000
--- a/Chalice/tests/permission-model/predicate_error3.chalice
+++ /dev/null
@@ -1,20 +0,0 @@
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // fractional read permission
- predicate read2 { rd*(x) } // starred fractional read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- invalid permission scaling ---
-
- method error()
- requires rd(read3,1);
- {
- unfold rd(read3,1); // ERROR: scaling epsilons is not possible
- }
-
-}
diff --git a/Chalice/tests/permission-model/predicate_error3.output.txt b/Chalice/tests/permission-model/predicate_error3.output.txt
deleted file mode 100644
index 9f5b503c..00000000
--- a/Chalice/tests/permission-model/predicate_error3.output.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Verification of predicate_error3.chalice using parameters=""
-
-Error: Not supported: 17.5: Scaling epsilon permissions with non-full permissions is not possible.
diff --git a/Chalice/tests/permission-model/predicate_error4.chalice b/Chalice/tests/permission-model/predicate_error4.chalice
deleted file mode 100644
index 0726e349..00000000
--- a/Chalice/tests/permission-model/predicate_error4.chalice
+++ /dev/null
@@ -1,20 +0,0 @@
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // fractional read permission
- predicate read2 { rd*(x) } // starred fractional read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- invalid permission scaling ---
-
- method error()
- requires rd(read3);
- {
- unfold rd(read3); // ERROR: scaling epsilons is not possible
- }
-
-}
diff --git a/Chalice/tests/permission-model/predicate_error4.output.txt b/Chalice/tests/permission-model/predicate_error4.output.txt
deleted file mode 100644
index 16da656f..00000000
--- a/Chalice/tests/permission-model/predicate_error4.output.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Verification of predicate_error4.chalice using parameters=""
-
-Error: Not supported: 17.5: Scaling epsilon permissions with non-full permissions is not possible.
diff --git a/Chalice/tests/permission-model/predicates.chalice b/Chalice/tests/permission-model/predicates.chalice
deleted file mode 100644
index 1f752fda..00000000
--- a/Chalice/tests/permission-model/predicates.chalice
+++ /dev/null
@@ -1,103 +0,0 @@
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // fractional read permission
- predicate read2 { rd*(x) } // starred fractional read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- basic tests ---
-
- method b1()
- requires write1 && write2 && read1 && read2 && read3;
- ensures write1 && write2 && read1 && read2 && read3;
- {
- }
-
- method b2()
- requires write1;
- ensures read1;
- {
- unfold write1;
- fold read1;
- }
-
- method b3()
- requires read1;
- ensures read3;
- {
- unfold read1;
- fold read3;
- fold read2;
- fold read3;
- fold read2;
- fold write1; // ERROR: should fail
- }
-
- method b4()
- requires read2;
- ensures read2;
- {
- unfold read2;
- call dispose();
- fold read2;
- }
-
- method b5()
- requires read1;
- ensures read1;
- {
- unfold read1;
- call dispose();
- fold read1; // ERROR: should fail
- }
-
- method b6()
- requires acc(x);
- ensures acc(x);
- {
- fold read1;
- unfold read1;
- }
-
- method b7() // ERROR: precondition does not hold
- requires acc(x);
- ensures acc(x);
- {
- fold read2;
- unfold read2;
- }
-
- method b8()
- requires acc(x);
- ensures acc(x);
- {
- fold read3;
- unfold read3;
- }
-
- method b9()
- requires acc(x);
- ensures acc(x);
- {
- fold write1;
- unfold write1;
- }
-
- method b10()
- requires acc(x);
- ensures acc(x);
- {
- fold write2;
- unfold write2;
- }
-
- // --- helper functions ---
-
- method void() requires rd(x); ensures rd(x); {}
- method dispose() requires rd(x); {}
-
-}
diff --git a/Chalice/tests/permission-model/predicates.output.txt b/Chalice/tests/permission-model/predicates.output.txt
deleted file mode 100644
index 2f4acf7b..00000000
--- a/Chalice/tests/permission-model/predicates.output.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-Verification of predicates.chalice using parameters=""
-
- 37.5: Fold might fail because the definition of Cell.write1 does not hold. Insufficient fraction at 6.22 for Cell.x.
- 55.5: Fold might fail because the definition of Cell.read1 does not hold. Insufficient fraction at 8.21 for Cell.x.
- 66.3: The postcondition at 68.13 might not hold. Insufficient fraction at 68.13 for Cell.x.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 28.3: The end of method b3 is unreachable.
- 49.3: The end of method b5 is unreachable.
-
-Boogie program verifier finished with 3 errors and 2 smoke test warnings
diff --git a/Chalice/tests/permission-model/reg_test.bat b/Chalice/tests/permission-model/reg_test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/permission-model/reg_test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/permission-model/reg_test_all.bat b/Chalice/tests/permission-model/reg_test_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/permission-model/reg_test_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/permission-model/scaling.chalice b/Chalice/tests/permission-model/scaling.chalice
deleted file mode 100644
index ffe9aac1..00000000
--- a/Chalice/tests/permission-model/scaling.chalice
+++ /dev/null
@@ -1,76 +0,0 @@
-
-class Cell {
- var x: int;
-
- // --- some predicates ---
-
- predicate write1 { acc(x) } // full permission in a predicate
- predicate write2 { acc(x,10) } // 10%
- predicate read1 { rd(x) } // abstract read permission
- predicate read2 { rd*(x) } // starred read permission
- predicate read3 { rd(x,1) } // counting permission (1 epsilon)
-
- // --- permission scaling ---
-
- method s1()
- requires rd(read1);
- {
- unfold rd(read1);
- assert(rd*(x));
- assert(rd(x)); // ERROR: should fail
- }
-
- method s2() // INCOMPLETNESS: postcondition should hold, but fails at the moment
- requires rd(read1);
- ensures rd(read1);
- {
- unfold rd(read1);
- fold rd(read1);
- }
-
- method s3()
- requires acc(x);
- ensures rd(read1);
- {
- fold rd(read1);
- assert(rd*(x));
- assert(acc(x)); // ERROR: should fail
- }
-
- method s4() // ERROR: postcondition does not hold
- requires acc(x);
- ensures read1;
- {
- fold rd(read1);
- }
-
- method s5()
- requires rd(read2);
- {
- unfold rd(read2);
- assert(rd*(x));
- assert(rd(x)); // ERROR: should fail
- }
-
- method s6()
- requires acc(x);
- ensures rd(read2);
- {
- fold rd(read2);
- assert(rd*(x));
- assert(acc(x)); // ERROR: should fail
- }
-
- method s7() // ERROR: postcondition does not hold
- requires acc(x);
- ensures read2;
- {
- fold rd(read2);
- }
-
- // --- helper functions ---
-
- method void() requires rd(x); ensures rd(x); {}
- method dispose() requires rd(x); {}
-
-}
diff --git a/Chalice/tests/permission-model/scaling.output.txt b/Chalice/tests/permission-model/scaling.output.txt
deleted file mode 100644
index 2ba1640a..00000000
--- a/Chalice/tests/permission-model/scaling.output.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-Verification of scaling.chalice using parameters=""
-
- 20.5: Assertion might not hold. Insufficient fraction at 20.12 for Cell.x.
- 23.3: The postcondition at 25.13 might not hold. Insufficient fraction at 25.13 for Cell.read1.
- 37.5: Assertion might not hold. Insufficient fraction at 37.12 for Cell.x.
- 40.3: The postcondition at 42.13 might not hold. Insufficient fraction at 42.13 for Cell.read1.
- 52.5: Assertion might not hold. Insufficient fraction at 52.12 for Cell.x.
- 61.5: Assertion might not hold. Insufficient fraction at 61.12 for Cell.x.
- 64.3: The postcondition at 66.13 might not hold. Insufficient fraction at 66.13 for Cell.read2.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 15.3: The end of method s1 is unreachable.
- 31.3: The end of method s3 is unreachable.
- 55.3: The end of method s6 is unreachable.
-
-Boogie program verifier finished with 7 errors and 3 smoke test warnings
diff --git a/Chalice/tests/permission-model/sequences.chalice b/Chalice/tests/permission-model/sequences.chalice
deleted file mode 100644
index 0560945d..00000000
--- a/Chalice/tests/permission-model/sequences.chalice
+++ /dev/null
@@ -1,85 +0,0 @@
-class Program {
- var x: int;
-
- method a(a: seq<A>)
- requires |a| > 2;
- requires rd(a[*].f);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd(a[*].f);
- {
- assert rd(a[*].f);
- call b(a);
- }
-
- method b(a: seq<A>)
- requires |a| > 2;
- requires rd(a[*].f);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd(a[*].f);
- {
- assert rd(a[*].f);
- }
-
- method c(a: seq<A>)
- requires |a| > 2;
- requires rd(a[*].f);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd(a[*].f);
- {
- call void(a[1]);
- call void(a[0]);
- }
-
- method c1(a: seq<A>) // ERROR: should fail to verify postcondition
- requires |a| > 2;
- requires rd(a[*].f);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd(a[*].f);
- {
- call dispose(a[1]);
- }
-
- method d(a: seq<A>)
- requires |a| > 2;
- requires rd(a[*].f);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd*(a[*].f);
- {
- call dispose(a[1]); // we don't give away all the permission, thus verification succeeds
-
- var x: int;
- call x := some_number();
- call dispose(a[x]); // slighly more interesting, but still clearly ok
- }
-
- method e(a: seq<A>) // ERROR: should fail to verify postcondition
- requires |a| > 2;
- requires acc(a[*].f,10);
- requires forall i in [0..|a|-1] :: a[i] != null;
- requires a[0].f == 1;
- ensures rd*(a[*].f);
- {
- var x: int;
- call x := some_number();
- call dispose2(a[x]);
- }
-
- method some_number() returns (a: int)
- ensures 0 <= a && a < 3;
- {
- a := 1;
- }
-
- method dispose(a: A) requires rd(a.f); {}
- method dispose2(a: A) requires acc(a.f,10); {}
- method void(a: A) requires rd(a.f); ensures rd(a.f); {}
-}
-
-class A {
- var f: int;
-}
diff --git a/Chalice/tests/permission-model/sequences.output.txt b/Chalice/tests/permission-model/sequences.output.txt deleted file mode 100644 index 7c295c9d..00000000 --- a/Chalice/tests/permission-model/sequences.output.txt +++ /dev/null @@ -1,6 +0,0 @@ -Verification of sequences.chalice using parameters=""
-
- 36.3: The postcondition at 41.13 might not hold. Insufficient permission at 41.13 for A.f
- 60.3: The postcondition at 65.13 might not hold. Insufficient permission at 65.13 for A.f
-
-Boogie program verifier finished with 2 errors and 0 smoke test warnings
diff --git a/Chalice/tests/permission-model/test.bat b/Chalice/tests/permission-model/test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/permission-model/test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/predicates/FoldUnfoldExperiments.chalice b/Chalice/tests/predicates/FoldUnfoldExperiments.chalice
deleted file mode 100644
index 4bead442..00000000
--- a/Chalice/tests/predicates/FoldUnfoldExperiments.chalice
+++ /dev/null
@@ -1,32 +0,0 @@
-class FoldUnfoldExperiments
-{
- var x:int;
- var y:int;
- predicate X { acc(x) }
- predicate Y { acc(y) }
-
- function getX():int
- requires X;
- { unfolding X in x }
-
- function getY():int
- requires Y;
- { unfolding Y in y }
-
- method setX(v:int)
- requires X;
- ensures X && getX()==v;
- {
- unfold X; x:=v; fold X;
- }
-
- method check()
- requires acc(x) && acc(y);
- ensures acc(y) && y==2 && X && getX()==3;
- {
- x:=1; y:=2;
- fold X; fold Y;
- call setX(3);
- unfold Y;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/FoldUnfoldExperiments.output.txt b/Chalice/tests/predicates/FoldUnfoldExperiments.output.txt
deleted file mode 100644
index ba48d6f4..00000000
--- a/Chalice/tests/predicates/FoldUnfoldExperiments.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of FoldUnfoldExperiments.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/LinkedList-various.chalice b/Chalice/tests/predicates/LinkedList-various.chalice
deleted file mode 100644
index a888b647..00000000
--- a/Chalice/tests/predicates/LinkedList-various.chalice
+++ /dev/null
@@ -1,176 +0,0 @@
-class Node
-{
- var v:int;
- var n:Node;
-
- predicate inv
- { acc(v) && acc(n) && (n!=null ==> n.inv) }
-
- function len():int
- requires inv;
- ensures result>0;
- {
- unfolding inv in (n==null) ? 1 : 1+n.len()
- }
-
- function get(i:int):int
- requires inv && 0<=i && i<len();
- {
- unfolding inv in (i==0) ? v : n.get(i-1)
- }
-
- method addLast(x:int)
- requires inv;
- ensures inv;
- ensures len()==old(len())+1 && get(old(len()))==x;
- ensures (forall i:int :: 0<=i && i<old(len()) ==> get(i)==old(get(i)));
- {
- unfold inv;
- if(n==null)
- {
- n:=new Node;
- n.v:=x; n.n:=null;
- fold n.inv;
- }
- else
- {
- call n.addLast(x);
- }
- fold inv;
- }
-
- method append(p:List)
- requires inv && p!=null && p.inv;
- ensures inv;
- ensures len()==old(len()+p.len());
- ensures (forall i in [0..old(len())] :: get(i)==old(get(i)));
- ensures (forall i in [old(len())..len()] :: get(i)==old(p.get(i-len())));
- {
- unfold inv;
- if(n==null)
- {
- unfold p.inv;
- n:=p.c;
- }
- else
- {
- call n.append(p);
- }
- fold inv;
- }
-
- method remove(i:int)
- requires inv && i>=0 && i<len()-1;
- ensures inv;
- ensures len()==old(len())-1;
- ensures (forall j in [0..i+1] :: get(j)==old(get(j)));
- ensures (forall j in [i+1..len()] :: get(j)==old(get(j+1)));
- {
- unfold inv;
- if(i==0)
- {
- unfold n.inv;
- n:=n.n;
- }
- else
- {
- call n.remove(i-1);
- }
- fold inv;
- }
-}
-
-class List
-{
- var c:Node;
-
- predicate inv { acc(c) && (c!=null ==> c.inv) }
-
- function len():int
- requires inv;
- ensures result>=0;
- {
- unfolding inv in (c==null) ? 0 : c.len()
- }
-
- function get(i:int):int
- requires inv && 0<=i && i<len();
- {
- unfolding inv in c.get(i)
- }
-
- method addFirst(x:int)
- requires inv;
- ensures inv;
- ensures len()==old(len())+1 && get(0)==x;
- ensures (forall i:int :: 1<=i && i<len() ==> get(i)==old(get(i-1)));
- {
- var p:Node;
-
- unfold inv;
- p:=new Node; p.v:=x; p.n:=c; c:=p;
- fold c.inv;
- assert c.len()==old(len())+1
- fold inv;
- }
-
- method addLast(x:int)
- requires inv;
- ensures inv;
- ensures len()==old(len())+1 && get(old(len()))==x;
- ensures (forall i:int :: 0<=i && i<old(len()) ==> get(i)==old(get(i)));
- {
- unfold inv;
- if(c==null)
- {
- c:=new Node;
- c.v:=x; c.n:=null;
- fold c.inv;
- }
- else
- {
- call c.addLast(x);
- }
- fold inv;
- }
-
- method append(p:List)
- requires inv && p!=null && p.inv;
- ensures inv;
- ensures len()==old(len()+p.len());
- ensures (forall i in [0..old(len())] :: get(i)==old(get(i)));
- ensures (forall i in [old(len())..len()] :: get(i)==old(p.get(i-len())));
- {
- unfold inv;
- if(c==null)
- {
- unfold p.inv;
- c:=p.c;
- }
- else
- {
- call c.append(p);
- }
- fold inv;
- }
-
- method remove(i:int)
- requires inv && i>=0 && i<len();
- ensures inv;
- ensures len()==old(len())-1;
- ensures (forall j in [0..i] :: get(j)==old(get(j)));
- ensures (forall j in [i..len()] :: get(j)==old(get(j+1)));
- {
- unfold inv;
- if(i==0)
- {
- unfold c.inv;
- c:=c.n;
- }
- else
- {
- call c.remove(i-1);
- }
- fold inv;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/LinkedList-various.output.txt b/Chalice/tests/predicates/LinkedList-various.output.txt
deleted file mode 100644
index a8a90bb8..00000000
--- a/Chalice/tests/predicates/LinkedList-various.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of LinkedList-various.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/aux-info.chalice b/Chalice/tests/predicates/aux-info.chalice
deleted file mode 100644
index f457c481..00000000
--- a/Chalice/tests/predicates/aux-info.chalice
+++ /dev/null
@@ -1,33 +0,0 @@
-class Cell {
- var value: int;
-
- predicate p { acc(value,1) }
-
- method test()
- requires p && acc(value,2)
- {
- // previously, the following sequence let to negative secondary permission
- // to the field value.
- fold p
- fold p
- call void()
- call void()
- call void2()
-
- unfold p
- var tmp: int := value
- fold p
- // make sure that at this point we can retain information about the field value
- assert tmp == unfolding p in value
- }
-
- method void()
- requires p
- {}
-
- method void2()
- requires p
- ensures p
- {}
-
-}
diff --git a/Chalice/tests/predicates/aux-info.output.txt b/Chalice/tests/predicates/aux-info.output.txt
deleted file mode 100644
index 3d873f60..00000000
--- a/Chalice/tests/predicates/aux-info.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of aux-info.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/framing-fields.chalice b/Chalice/tests/predicates/framing-fields.chalice
deleted file mode 100644
index 6cfd4607..00000000
--- a/Chalice/tests/predicates/framing-fields.chalice
+++ /dev/null
@@ -1,21 +0,0 @@
-class List
-{
- var value:int;
- var next:List;
- predicate valid { acc(value) && acc(next) && (next!=null ==> next.valid) }
-
- method set(x:int, y:int) requires valid; ensures valid; {}
-}
-
-class C
-{
- method M (x:List, y:List)
- requires x!=null && y!=null && x!=y && x.valid && y.valid;
- {
- var i: int := unfolding x.valid in x.value;
- var j: int := unfolding y.valid in y.value;
- call y.set(0,10);
- assert unfolding x.valid in (i == x.value); // succeeds
- assert unfolding y.valid in (j == y.value); // correctly fails to verify
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/framing-fields.output.txt b/Chalice/tests/predicates/framing-fields.output.txt
deleted file mode 100644
index f1b426c6..00000000
--- a/Chalice/tests/predicates/framing-fields.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of framing-fields.chalice using parameters=""
-
- 19.5: Assertion might not hold. The expression at 19.12 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/framing-functions.chalice b/Chalice/tests/predicates/framing-functions.chalice
deleted file mode 100644
index 8b66a473..00000000
--- a/Chalice/tests/predicates/framing-functions.chalice
+++ /dev/null
@@ -1,25 +0,0 @@
-class List
-{
- var value:int;
- var next:List;
- predicate valid { acc(value) && acc(next) && (next!=null ==> next.valid) }
-
- method set(x:int, y:int) requires valid; ensures valid; {}
-
- function itemAt(i: int): int
- requires valid && 0 <= i;
- { unfolding valid in i == 0 || next == null ? value : next.itemAt(i-1) }
-}
-
-class C
-{
- method M (x:List, y:List)
- requires x!=null && y!=null && x!=y && x.valid && y.valid;
- {
- var i: int := x.itemAt(0);
- var j: int := y.itemAt(0);
- call y.set(0,10);
- assert i==x.itemAt(0); // succeeds
- assert j==y.itemAt(0); // correctly fails to verify
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/framing-functions.output.txt b/Chalice/tests/predicates/framing-functions.output.txt
deleted file mode 100644
index 2a3426c9..00000000
--- a/Chalice/tests/predicates/framing-functions.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of framing-functions.chalice using parameters=""
-
- 23.5: Assertion might not hold. The expression at 23.12 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/generate_reference.bat b/Chalice/tests/predicates/generate_reference.bat
deleted file mode 100644
index 6864843c..00000000
--- a/Chalice/tests/predicates/generate_reference.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%0" %*
diff --git a/Chalice/tests/predicates/generate_reference_all.bat b/Chalice/tests/predicates/generate_reference_all.bat
deleted file mode 100644
index 6864843c..00000000
--- a/Chalice/tests/predicates/generate_reference_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%0" %*
diff --git a/Chalice/tests/predicates/list-reverse-extra-unfold-fold.chalice b/Chalice/tests/predicates/list-reverse-extra-unfold-fold.chalice
deleted file mode 100644
index 8467ce4c..00000000
--- a/Chalice/tests/predicates/list-reverse-extra-unfold-fold.chalice
+++ /dev/null
@@ -1,51 +0,0 @@
-class Node {
- var next : Node;
- var val : int;
-
- predicate list {
- acc(next) && acc(val) && (next!=null ==> next.list)
- }
-
- function vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : [val] ++ next.vals())
- }
-
- function reverse_vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : next.reverse_vals() ++ [val])
- }
-
- method reverse_in_place() returns (r:Node)
- requires list;
- ensures r != null && r.list;
- ensures r.vals() == old(this.reverse_vals());
- {
- var l : Node := this;
- r := null;
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant old(this.reverse_vals()) == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
- if (r != null) {
- unfold r.list; fold r.list;
- }
- unfold l.list;
- if (l.next != null) {
- unfold l.next.list; fold l.next.list;
- }
-
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/list-reverse-extra-unfold-fold.output.txt b/Chalice/tests/predicates/list-reverse-extra-unfold-fold.output.txt
deleted file mode 100644
index 6d2967f5..00000000
--- a/Chalice/tests/predicates/list-reverse-extra-unfold-fold.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of list-reverse-extra-unfold-fold.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/mutual-dependence.chalice b/Chalice/tests/predicates/mutual-dependence.chalice
deleted file mode 100644
index a0939607..00000000
--- a/Chalice/tests/predicates/mutual-dependence.chalice
+++ /dev/null
@@ -1,24 +0,0 @@
-class Cell {
- var value: int;
- var next: Cell;
-
- predicate p { q }
- predicate q { acc(value) && acc(next) && (next != null ==> next.p) }
-
- method test()
- requires acc(this.*)
- {
- value := 1
- next := null
- fold q
- fold p
- call void()
- assert unfolding p in unfolding q in value == 1 // ERROR: should not verify
- }
-
- method void()
- requires p
- ensures p
- {}
-
-}
diff --git a/Chalice/tests/predicates/mutual-dependence.output.txt b/Chalice/tests/predicates/mutual-dependence.output.txt
deleted file mode 100644
index 263084ac..00000000
--- a/Chalice/tests/predicates/mutual-dependence.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of mutual-dependence.chalice using parameters=""
-
 16.5: Assertion might not hold. The expression at 16.12 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/reg_test.bat b/Chalice/tests/predicates/reg_test.bat
deleted file mode 100644
index 6864843c..00000000
--- a/Chalice/tests/predicates/reg_test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%0" %*
diff --git a/Chalice/tests/predicates/reg_test_all.bat b/Chalice/tests/predicates/reg_test_all.bat
deleted file mode 100644
index 6864843c..00000000
--- a/Chalice/tests/predicates/reg_test_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%0" %*
diff --git a/Chalice/tests/predicates/setset.chalice b/Chalice/tests/predicates/setset.chalice
deleted file mode 100644
index 512c65c1..00000000
--- a/Chalice/tests/predicates/setset.chalice
+++ /dev/null
@@ -1,57 +0,0 @@
-class Node {
- var value: int;
-
- method init(v: int)
- requires acc(value)
- ensures valid
- {
- value := v
- fold this.valid
- }
-
- function get():int requires valid { unfolding valid in value }
-
- method set(v: int)
- requires valid
- ensures valid && get() == v
- {
- unfold valid
- value := v
- fold valid
- }
-
- predicate valid {
- acc(value)
- }
-
- method main(x: Node, y: Node)
- requires x != null && y != null
- requires x.valid && y.valid
- {
- call x.set(3)
- call y.set(3)
- call x.set(3)
- call y.set(3)
- call x.set(3)
- call y.set(3)
- call x.set(3)
- unfold x.valid
- x.value := 3
- fold x.valid
- call y.set(3)
- call x.set(3)
- call y.set(3)
- unfold x.valid
- x.value := 3
- fold x.valid
- unfold x.valid
- x.value := 3
- fold x.valid
- call x.set(3)
- call y.set(3)
- call x.set(4)
-
- assert y.get() == 3
- assert x.get() == 3 // error: should fail
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/setset.output.txt b/Chalice/tests/predicates/setset.output.txt
deleted file mode 100644
index b2e963ee..00000000
--- a/Chalice/tests/predicates/setset.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of setset.chalice using parameters=""
-
 55.5: Assertion might not hold. The expression at 55.12 might not evaluate to true.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 27.3: The end of method main is unreachable.
-
-Boogie program verifier finished with 1 errors and 1 smoke test warnings
diff --git a/Chalice/tests/predicates/test.bat b/Chalice/tests/predicates/test.bat
deleted file mode 100644
index 6864843c..00000000
--- a/Chalice/tests/predicates/test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%0" %*
diff --git a/Chalice/tests/predicates/test.chalice b/Chalice/tests/predicates/test.chalice
deleted file mode 100644
index 9477caa6..00000000
--- a/Chalice/tests/predicates/test.chalice
+++ /dev/null
@@ -1,35 +0,0 @@
-class List
-{
- var value:int;
- var next:List;
-
- predicate inv { acc(value) && acc(next) && (next!=null ==> next.inv) }
-
- function len():int
- requires inv;
- {
- unfolding inv in (next==null) ? 1 : (1+next.len())
- }
-
- predicate P { acc(value,50) }
-
- method skip()
- requires P; ensures P
- {}
-
- method goo()
- requires acc(value);
- {
- // mask: value=100, secmask: -
- fold P;
- // mask: value=50,p=100, secmask: value=50
- call skip();
- // mask: value=50,p=100, secmask: -
- fold P;
- // mask: value=0,p=200, secmask: value=50
- fork t:=skip();
- // mask: value=0,p=100, secmask: -
- assert unfolding P in value==old(value);
- }
-
-}
diff --git a/Chalice/tests/predicates/test.output.txt b/Chalice/tests/predicates/test.output.txt
deleted file mode 100644
index 8b97e503..00000000
--- a/Chalice/tests/predicates/test.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test1.chalice b/Chalice/tests/predicates/test1.chalice
deleted file mode 100644
index 7dbde565..00000000
--- a/Chalice/tests/predicates/test1.chalice
+++ /dev/null
@@ -1,50 +0,0 @@
-class List
-{
- var value:int;
- var next:List;
-
- predicate inv { acc(value) && acc(next) && (next!=null ==> next.inv) }
-
- function get():int
- requires inv;
- { unfolding inv in value }
-
- // the purpose of this method is to test whether the methodology can roll back correctly the secondary mask:
- // s0 unf s1 unf s2 fold, should roll back to state s1 and not s0
- // note also the unfolding expression in the precondition: the fact that next!=null must be known in the body of the method
- // this means that the secondary mask must start off containing this.next, according to the proposal
- method foo()
- requires inv && unfolding inv in next!=null;
- ensures inv && unfolding inv in next!=null;
- {
- unfold inv;
- value:=0;
- unfold next.inv;
- next.value:=1;
- fold next.inv;
- assert next.get()==1;
- assert value==0;
- fold inv;
- assert get()==0;
- assert unfolding inv in next!=null && next.get()==1;
- assert unfolding inv in next.get()==1;
- }
-
- // this method tests whether the methodology works correctly when (un)folds happen on statically unknown objects
- method goo(a:List, b:List, c:bool)
- requires a!=null && b!=null && a.inv && b.inv;
- {
- var z:List;
- unfold a.inv;
- unfold b.inv;
- a.value:=0;
- b.value:=1;
- if(c) { z:=a } else { z:=b }
- fold z.inv;
- assert c ==> a.inv && a.get()==0;
- assert !c ==> b.inv && b.get()==1;
- unfold z.inv;
- assert a.value==0;
- assert b.value==1;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test1.output.txt b/Chalice/tests/predicates/test1.output.txt
deleted file mode 100644
index 56888ecb..00000000
--- a/Chalice/tests/predicates/test1.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test1.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test10.chalice b/Chalice/tests/predicates/test10.chalice
deleted file mode 100644
index 7d45914c..00000000
--- a/Chalice/tests/predicates/test10.chalice
+++ /dev/null
@@ -1,18 +0,0 @@
-class List
-{
- var value:int;
- var next:List;
-
- predicate inv { acc(value) && acc(next) && (next!=null ==> next.inv) }
-
- function get():int
- requires inv;
- { unfolding inv in value }
-
- method foo()
- requires inv && unfolding inv in next!=null;
- ensures inv && unfolding inv in next!=null;
- {
- assert unfolding inv in unfolding next.inv in true;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test10.output.txt b/Chalice/tests/predicates/test10.output.txt
deleted file mode 100644
index c043cbed..00000000
--- a/Chalice/tests/predicates/test10.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test10.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test2.chalice b/Chalice/tests/predicates/test2.chalice
deleted file mode 100644
index f93a1eeb..00000000
--- a/Chalice/tests/predicates/test2.chalice
+++ /dev/null
@@ -1,55 +0,0 @@
-class FoldUnfoldExperiments
-{
- var x:int;
- var y:int;
- var z:int;
- var w:int;
- predicate X { acc(x) }
- predicate Y { acc(y) }
- predicate Z { acc(z) }
-
- function getX():int
- requires X;
- { unfolding X in x }
-
- function getY():int
- requires Y;
- { unfolding Y in y }
-
- function getZ():int
- requires Z;
- { unfolding Z in z }
-
- method setX(v:int)
- requires X;
- ensures X && getX()==v;
- {
- unfold X; x:=v; fold X;
- }
-
- // this method checks if the methodology frames correctly around a method call: what happens with folded data and unfolded data
- // also: what happens if we have folded data during the call, that we unfold after the call
- method check()
- requires acc(x) && acc(y) && acc(z) && acc(w);
- ensures acc(y) && y==2 && X && getX()==3 && Z && getZ()==4 && acc(w) && w==10;
- {
- x:=1; y:=2; z:=4; w:=10;
- fold X; fold Y; fold Z;
- call setX(3);
- unfold Y;
- }
-
- // this method checks that method calls do not interfere with the correct handling of folds and unfolds
- method check1()
- requires X && acc(y) && y==1;
- ensures acc(y) && y==1 && X && getX()==200;
- {
- call setX(10);
- fold Y;
- call setX(100);
- unfold Y;
- fold Y;
- unfold Y;
- call setX(200);
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test2.output.txt b/Chalice/tests/predicates/test2.output.txt
deleted file mode 100644
index 780c15ef..00000000
--- a/Chalice/tests/predicates/test2.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test2.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test3.chalice b/Chalice/tests/predicates/test3.chalice
deleted file mode 100644
index 2a364fee..00000000
--- a/Chalice/tests/predicates/test3.chalice
+++ /dev/null
@@ -1,29 +0,0 @@
-class Unsound
-{
- var value:int;
-
- predicate inv { acc(value) }
-
- function get():int
- requires inv;
- {
- unfolding inv in value
- }
-
- method set(newval:int)
- requires inv;
- ensures inv && get()==newval;
- {
- unfold inv;
- value:=newval;
- fold inv;
- }
-
- method test()
- requires inv;
- {
- call set(3);
- call set(4);
- // at this point, Chalice used to be able to prove false
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test3.output.txt b/Chalice/tests/predicates/test3.output.txt
deleted file mode 100644
index 2753e3f5..00000000
--- a/Chalice/tests/predicates/test3.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test3.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test4.chalice b/Chalice/tests/predicates/test4.chalice
deleted file mode 100644
index 201b643d..00000000
--- a/Chalice/tests/predicates/test4.chalice
+++ /dev/null
@@ -1,56 +0,0 @@
-class Cell
-{
- var value:int;
-
- predicate P { acc(value,50) }
-
- function get():int
- requires P;
- {
- unfolding P in value
- }
-
- method boom(x:Cell, y:Cell)
- requires x!=null && y!=null && x.P && y.P;
- ensures x.P && y.P && (x==y ==> x.get()==100) && (x!=y ==> x.get()==old(x.get()));
- {
- if(x==y)
- {
- unfold x.P; unfold x.P;
- y.value:=100;
- fold y.P; fold y.P;
- }
- }
-
- method skip()
- requires P;
- ensures P;
- {}
-
- // is the bookkeeping correct when calculating the secondary mask?
- // fold happens once on a statically unknown object
- // intermediate calls to skip happen in all examples to create artificial "changes" to the heap,
- // thereby testing framing in the bookkeeping of folds/unfolds
- method foo(z:Cell)
- requires acc(value,50) && value==2 && z!=null && acc(z.value,50);
- {
- fold z.P;
- call z.skip();
- fold P;
- call boom(this, z);
- assert this!=z ==> unfolding P in value==2;
- assert this==z ==> unfolding P in value==100;
- }
-
- // must fail: give away all permission, even in pieces, and you lose all information about value
- method hoo()
- requires acc(value);
- {
- fold P;
- call skip();
- fold P;
- fork t:=skip();
- call skip ();
- assert unfolding P in value==old(value); // ERROR: should fail
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test4.output.txt b/Chalice/tests/predicates/test4.output.txt
deleted file mode 100644
index 08a565c8..00000000
--- a/Chalice/tests/predicates/test4.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of test4.chalice using parameters=""
-
 54.2: Assertion might not hold. The expression at 54.9 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/test7.chalice b/Chalice/tests/predicates/test7.chalice
deleted file mode 100644
index 6ad8e592..00000000
--- a/Chalice/tests/predicates/test7.chalice
+++ /dev/null
@@ -1,109 +0,0 @@
-class C
-{
- var value:int;
-
- predicate inv { acc(value) }
-
- function get():int
- requires inv;
- {
- unfolding inv in value
- }
-
- method set(newval:int)
- requires inv;
- ensures inv && get()==newval;
- {
- unfold inv;
- value:=newval;
- fold inv;
- }
-
- method callmethod0()
- requires inv;
- ensures inv && get()==3;
- {
- call set(3);
- }
-
- method callmethod1()
- {
- call set(3); // ERROR: should fail
- }
-
- method ifc()
- requires inv;
- ensures inv && get()>old(get())
- {
- if(get()>0) { call set(get()+get()); }
- else { call set(2); }
- }
-
- method loop0() returns (r:int)
- requires inv && get()>0;
- ensures inv && r==get();
- {
- r:=0;
- while (r<unfolding inv in value)
- invariant inv && r<=get();
- { r:=r+1; }
- }
-
- method loop1() returns (r:int)
- requires inv && get()>0;
- ensures inv && r==get();
- {
- r:=0;
- while (r<get())
- invariant inv && r<=unfolding inv in value;
- { r:=r+1; }
- }
-
- method uf0()
- requires acc(value);
- {
- assert acc(value);
- fold inv;
- assert acc(value); // ERROR: should fail
- }
-
- method uf1()
- requires acc(value);
- {
- assert acc(value);
- fold inv;
- assert acc(inv);
- }
-
- method uf2()
- requires inv;
- {
- assert inv;
- unfold inv;
- assert acc(value);
- }
-
- method uf3()
- requires inv;
- {
- assert inv;
- unfold inv;
- assert acc(inv); // ERROR: should fail
- }
-
- method badframing0()
- requires get()==2; // ERROR: should fail
- {}
-
- method badframing1()
- requires value==2; // ERROR: should fail
- {}
-
- method badframing2()
- requires acc(value) && get()==2; // ERROR: should fail
- {}
-
- method badframing3()
- requires inv && value==2; // ERROR: should fail
- {}
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test7.output.txt b/Chalice/tests/predicates/test7.output.txt
deleted file mode 100644
index e66a1d75..00000000
--- a/Chalice/tests/predicates/test7.output.txt
+++ /dev/null
@@ -1,16 +0,0 @@
-Verification of test7.chalice using parameters=""
-
 31.5: The precondition at 14.14 might not hold. Insufficient fraction at 14.14 for C.inv.
- 67.5: Assertion might not hold. Insufficient fraction at 67.12 for C.value.
- 91.5: Assertion might not hold. Insufficient fraction at 91.12 for C.inv.
- 95.14: Precondition at 8.14 might not hold. Insufficient fraction at 8.14 for C.inv.
- 99.14: Location might not be readable.
- 103.28: Precondition at 8.14 might not hold. Insufficient fraction at 8.14 for C.inv.
- 107.21: Location might not be readable.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 31.5: The statements after the method call statement are unreachable.
- 62.3: The end of method uf0 is unreachable.
- 86.3: The end of method uf3 is unreachable.
-
-Boogie program verifier finished with 7 errors and 3 smoke test warnings
diff --git a/Chalice/tests/predicates/test8.chalice b/Chalice/tests/predicates/test8.chalice
deleted file mode 100644
index e824f161..00000000
--- a/Chalice/tests/predicates/test8.chalice
+++ /dev/null
@@ -1,55 +0,0 @@
-// fold/unfold in various combinations
-class FUFU
-{
- var value:int;
- var next:FUFU;
-
- predicate inv { acc(value) }
-
- predicate tinv { acc(value) && acc(next) && (next!=null ==> next.tinv) }
-
- function get():int
- requires tinv;
- { unfolding tinv in value }
-
- method fufu()
- requires acc(value);
- {
- fold inv;
- unfold inv;
- fold inv;
- unfold inv;
- }
-
- method fuf()
- requires acc(value);
- {
- fold inv;
- unfold inv;
- fold inv;
- }
-
- method uf()
- requires inv;
- {
- unfold inv;
- fold inv;
- }
-
- method fu()
- requires acc(value);
- {
- fold inv;
- unfold inv;
- }
-
- method t()
- requires tinv && unfolding tinv in next!=null;
- ensures tinv && unfolding tinv in next!=null;
- {
- unfold tinv;
- unfold next.tinv;
- fold next.tinv;
- fold tinv;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/predicates/test8.output.txt b/Chalice/tests/predicates/test8.output.txt
deleted file mode 100644
index 567d2894..00000000
--- a/Chalice/tests/predicates/test8.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of test8.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/predicates/unfolding.chalice b/Chalice/tests/predicates/unfolding.chalice
deleted file mode 100644
index 6b276a04..00000000
--- a/Chalice/tests/predicates/unfolding.chalice
+++ /dev/null
@@ -1,32 +0,0 @@
-class Cell {
- var value: int;
-
- predicate p { acc(value) }
-
- method test()
- requires p
- {
- var tmp: int := unfolding p in value;
- var tmp2: int := unfolding p in value;
- call void()
- assert tmp == unfolding p in value // ERROR: should fail
- }
-
- method test2()
- requires p
- ensures p
- {
- var tmp: int := unfolding p in value;
- var tmp2: int := unfolding p in value;
- call v()
- assert tmp == unfolding p in value
- }
-
- method v() requires true {}
-
- method void()
- requires p
- ensures p
- {}
-
-}
diff --git a/Chalice/tests/predicates/unfolding.output.txt b/Chalice/tests/predicates/unfolding.output.txt
deleted file mode 100644
index 7ff49106..00000000
--- a/Chalice/tests/predicates/unfolding.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of unfolding.chalice using parameters=""
-
 12.5: Assertion might not hold. The expression at 12.12 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/readme.txt b/Chalice/tests/readme.txt
deleted file mode 100644
index d6875825..00000000
--- a/Chalice/tests/readme.txt
+++ /dev/null
@@ -1,45 +0,0 @@
-
-Chalice Test Suite
-==================
-
-Contents
---------
-- examples: Various examples how Chalice can be used to verify concurrent
- programs. These tests represent (the core of) real problems and are therefore
- well suited for performance and comparison tests (e.g. with other tools).
-- general-tests: Regression tests for various aspects of Chalice.
-- regressions: Regression tests for fixed bugs to ensure they do not occur
- again.
-- permission-model: Regression tests specifically for the permission model of
- Chalice.
-- refinements: Regression tests for the refinement extension.
-- test-scripts: Some batch scripts that can be used to execute the tests in an
- easy and automated way. More information below.
-
-
-Test Scripts
-------------
-In the directory test-scripts are various scripts to allow the execution of the
-tests in different ways. There are launchers in the test directories (e.g. in
-examples or permission-model) to access them.
-
-Commands (sorted by relevance):
-- runalltests.bat: Executes all tests in all test folders.
-- test.bat <file> [-params]: Execute a test and output the result of the
- verification. Note: <file> must not include the file extension.
-- reg_test.bat <file> [-params]: Execute a tests as a regression test, i.e., run
- the test and compare the verification result with the reference output stored
- in <file.output.txt>. Also shows the differences if any.
-- reg_test_all.bat: Execute all tests as regression tests in the current
- directory.
-- generete_reference.bat <file> [-params]: Generate the reference output.
-- generate_reference_all.bat: Generate reference files for all tests in the
- current directory.
-- getboogieoutput.bat: File used internally by generete_reference.bat.
-
-To provide additional parameters to Chalice when verifying the tests (e.g., to
-test the autoMagic feature, see tests/examples/RockBand-automagic.chalice), one
-can start the Chalice source file with the line
- "// chalice-parameter=<list of space-separated parameters>"
-
-Note: For the refinement tests, there is a bash script test.sh.
diff --git a/Chalice/tests/refinements/AngelicExec.chalice b/Chalice/tests/refinements/AngelicExec.chalice
deleted file mode 100644
index 582c3944..00000000
--- a/Chalice/tests/refinements/AngelicExec.chalice
+++ /dev/null
@@ -1,34 +0,0 @@
-class A0 {
- method m(b: bool) {
- var x;
- if (b) {
- spec x [0 <= x && x < 3];
- } else {
- x := 1;
- }
- }
-}
-
-class B0 refines A0 {
- refines m(b: bool) {
- var x := 1;
- }
-}
-
-class A1 refines A0 {
- transforms m(b: bool) {
- _
- if {
- replaces * by {x := 1;}
- } else {
- *
- }
- _
- }
-}
-
-class A2 refines A1 {
- refines m(b: bool) {
- var x := 1;
- }
-}
diff --git a/Chalice/tests/refinements/Answer b/Chalice/tests/refinements/Answer
deleted file mode 100644
index aa387295..00000000
--- a/Chalice/tests/refinements/Answer
+++ /dev/null
@@ -1,50 +0,0 @@
-Processing LoopSqRoot.chalice
-
-Boogie program verifier finished with 9 verified, 0 errors
-Processing RecSqRoot.chalice
-
-Boogie program verifier finished with 11 verified, 0 errors
-Processing SpecStmt.chalice
- 12.5: Assertion might not hold. The expression at 12.12 might not evaluate to true.
- 25.5: Assertion might not hold. The expression at 25.12 might not evaluate to true.
- 33.5: Assertion might not hold. The expression at 33.12 might not evaluate to true.
-
-Boogie program verifier finished with 4 verified, 3 errors
-Processing SumCubes.chalice
-
-Boogie program verifier finished with 6 verified, 0 errors
-Processing TestTransform.chalice
-
-Boogie program verifier finished with 10 verified, 0 errors
-Processing TestRefines.chalice
- 40.5: Refinement may produce a different value for the pre-state local variable: c
- 46.21: Refinement may change a variable outside of the frame of the specification statement: k
- 52.9: Refinement may produce a different value for the pre-state local variable: k
-
-Boogie program verifier finished with 16 verified, 3 errors
-Processing RecFiniteDiff.chalice
-
-Boogie program verifier finished with 9 verified, 0 errors
-Processing LoopFiniteDiff.chalice
-
-Boogie program verifier finished with 12 verified, 0 errors
-Processing Pick.chalice
- 26.25: Sequence index might be larger than or equal to the length of the sequence.
-
-Boogie program verifier finished with 11 verified, 1 error
-Processing TestCoupling.chalice
- 35.13: The postcondition at 35.13 might not hold. Insufficient fraction at 35.13 for A1.y.
- 62.38: Location might not be readable.
- 66.5: Location might not be writable
-
-Boogie program verifier finished with 17 verified, 3 errors
-Processing Calculator.chalice
-
-Boogie program verifier finished with 15 verified, 0 errors
-Processing AngelicExec.chalice
- 14.5: Refinement may produce a different value for the declared variable: x
-
-Boogie program verifier finished with 11 verified, 1 error
-Processing RefinesLoop.chalice
-The program did not typecheck.
-2.1: a refinement cycle detected B->C->A
diff --git a/Chalice/tests/refinements/Calculator.chalice b/Chalice/tests/refinements/Calculator.chalice
deleted file mode 100644
index 57c4c87d..00000000
--- a/Chalice/tests/refinements/Calculator.chalice
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- Carrol Morgan's calculator
- 7/2/2010 Kuat Dafny version
- 8/22/2010 translated into Chalice
-*/
-
-class Calc0 {
- var vals: seq<int>;
-
- method reset()
- requires acc(vals);
- ensures acc(vals);
- {
- vals := [];
- }
-
- method add(x: int)
- requires acc(vals);
- ensures acc(vals);
- {
- vals := [x] ++ vals;
- }
-
- method mean() returns (m: int)
- requires acc(vals) && |vals| > 0;
- ensures acc(vals);
- {
- m := total(vals)/|vals|;
- }
-
- unlimited function total(s: seq<int>): int
- {
- |s| == 0 ? 0 : s[0] + total(s[1..])
- }
-}
-
-
-
-class Calc1 refines Calc0 {
- var sum: int;
- var num: int;
- replaces vals by acc(sum) && acc(num) && sum == total(vals) && num == |vals|;
-
- refines reset()
- {
- sum := 0;
- num := 0;
- }
-
- refines add(x: int)
- {
- sum := sum + x;
- num := num + 1;
- }
-
- refines mean() returns (m: int)
- {
- m := sum/num;
- }
-}
-
-
-
-
-
-
-
-
-
diff --git a/Chalice/tests/refinements/Celebrity.chalice b/Chalice/tests/refinements/Celebrity.chalice
deleted file mode 100644
index b0d398e0..00000000
--- a/Chalice/tests/refinements/Celebrity.chalice
+++ /dev/null
@@ -1,48 +0,0 @@
-// Celebrity example, inspired by the Rodin tutorial
-class Person {
- function knows(other: Person): bool
- requires this != other;
-}
-
-class Celebrity0 {
- function IsCelebrity(c: Person, people: seq<Person>): bool
- requires null !in people;
- {
- c in people && forall p in people :: p != c ==> (p.knows(c)) && (! c.knows(p))
- }
-
- method Find(people: seq<Person>, /*ghost*/ c: Person) returns (r: Person)
- requires null !in people && IsCelebrity(c, people);
- {
- var r [r == c];
- }
-}
-
-/** Without theory of sets, hard to describe: "remove an element from a sequence" */
-class Celebrity1 refines Celebrity0 {
- refines Find(people: seq<Person>, c: Person) returns (r: Person)
- {
- var q:seq<Person> := people;
-
- // pick and remove a
- var a:Person := q[0]; q := q[1..]; assert people == [a] ++ q;
-
- while (|q| > 0)
- invariant forall p in q :: p in people;
- invariant a in people;
- invariant IsCelebrity(c,[a] ++ q);
- {
- // pick and remove b
- var oldq:seq<Person> := q;
- var b:Person := q[0]; q := q[1..];
- assert oldq == [b] ++ q;
-
- if (a != b && a.knows(b)) {
- a := b;
- }
- }
-
- r := a;
- }
-}
-
diff --git a/Chalice/tests/refinements/Counter.chalice b/Chalice/tests/refinements/Counter.chalice
deleted file mode 100644
index d1efae76..00000000
--- a/Chalice/tests/refinements/Counter.chalice
+++ /dev/null
@@ -1,112 +0,0 @@
-class Counter0 {
- var x: int;
-
- method init()
- requires acc(x);
- ensures acc(x) && x == 0;
- {
- x := 0;
- }
-
- method inc()
- requires acc(x);
- ensures acc(x) && x == old(x) + 1;
- {
- x := x + 1;
- }
-
- method dec()
- requires acc(x);
- ensures acc(x) && x == old(x) - 1;
- {
- x := x - 1;
- }
-
- method magic() returns (c: Cell)
- requires acc(x);
- ensures acc(x) && acc(c.n) && x == old(x);
- {
- var c [acc(c.n)]
- }
-}
-
-class Counter1 refines Counter0 {
- var y: int;
- var z: int;
- replaces x by acc(y) && acc(z) && x == y - z && y >= 0 && z >= 0;
-
- refines init()
- {
- this.y := 0;
- this.z := 0;
- }
-
- refines inc()
- {
- this.y := this.y + 1;
- }
-
- refines dec()
- {
- this.z := this.z + 1;
- }
-
- refines magic() returns (c: Cell)
- {
- c := new Cell;
- }
-}
-
-class Cell {var n: int}
-
-/** TODO:
-Two-step data refinement doesn't work for the following reason:
-the spec of Counter1 uses the abstract field x which disappears at the concrete method body level.
-I'm not sure what a good solution to this problem...
-*/
-
-class Counter2 refines Counter0 {
- var a: Cell;
- var b: Cell;
- replaces x by acc(a) && acc(b) && acc(a.n) && acc(b.n) && x == a.n - b.n;
-
- refines init()
- {
- this.a := new Cell;
- this.b := new Cell;
- this.a.n := 0;
- this.b.n := 0;
- }
-
- refines inc()
- {
- this.a.n := this.a.n + 1;
- }
-
- refines dec()
- {
- var i := this.b.n + 1;
- this.b := new Cell;
- this.b.n := i;
- }
-
- refines magic() returns (c: Cell)
- {
- c := a;
- }
-}
-
-class Client {
- method main()
- {
- var c := new Counter0;
- call c.init();
- call c.inc();
- call c.inc();
- call c.dec();
- call d := c.magic();
- d.n := 100;
- assert c.x == 1;
- }
-}
- 
diff --git a/Chalice/tests/refinements/CounterReverse.chalice b/Chalice/tests/refinements/CounterReverse.chalice
deleted file mode 100644
index 57d87803..00000000
--- a/Chalice/tests/refinements/CounterReverse.chalice
+++ /dev/null
@@ -1,21 +0,0 @@
-class Counter1 {
- var y: int;
- var z: int;
- method inc()
- requires acc(y) && acc(z);
- requires y >= 0 && z >= 0;
- ensures acc(y) && acc(z);
- ensures y >= 0 && z >= 0;
- {
- y := y + 1;
- }
-}
-
-class Counter0 refines Counter1 {
- var x: int;
- replaces y,z by acc(x) && x == y - z;
- refines inc()
- {
- this.x := this.x + 1;
- }
-}
diff --git a/Chalice/tests/refinements/DSW.chalice b/Chalice/tests/refinements/DSW.chalice
deleted file mode 100644
index 1737df85..00000000
--- a/Chalice/tests/refinements/DSW.chalice
+++ /dev/null
@@ -1,119 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-class Node {
- var children: seq<Node>;
- var marked: bool;
- ghost var path: seq<Node>;
-
- var parent: Node;
-}
-
-class DSW0 {
- var stack: seq<Node>;
- var S: seq<Node>;
- var root: Node;
-
- function Reachable(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Reachable(p[0], p[1..], from))
- }
-
- method IterativeMark()
- requires acc(this.*) && acc(S[*].children) && acc(S[*].marked) && acc(S[*].path);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! n.marked;
- ensures acc(this.*) && acc(S[*].children) && acc(S[*].marked) && acc(S[*].path);
- // graph structure is the same
- ensures S == old(S) && root == old(root);
- ensures forall n in S :: n.children == old(n.children);
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- {
- var t:Node := root;
- t.marked := true;
- stack := nil<Node>;
- t.path := stack;
-
- // no termination check
- var stop := false;
- while(!stop)
- invariant acc(this.*) && acc(S[*].children) && acc(S[*].marked) && acc(S[*].path);
- invariant root == old(root);
- invariant S == old(S);
- invariant root.marked;
- invariant t in S && t.marked && t !in stack;
- // stack well-formed
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in stack :: n in S && n.marked;
- invariant forall i in [1..|stack|] :: stack[i-1] in stack[i].children;
- invariant 0 < |stack| ==> t in stack[0].children;
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- // preservation
- invariant forall n in S :: n.children == old(n.children);
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked);
- {
- call n := PickUnmarked(t.children);
- if (n != null) {
- // push
- stack := [t] ++ stack;
- n.path := [t] ++ t.path;
- t := n;
- t.marked := true;
- assert Reachable(t.path[0], t.path[1..], root); // needed for limited function
- } else {
- // pop
- if (|stack| == 0) {
- stop := true;
- } else {
- t := stack[0];
- stack := stack[1..];
- }
- }
- }
- }
-
- method PickUnmarked(p: seq<Node>) returns (x: Node)
- requires rd(p[*].marked);
- requires forall n in p :: n != null;
- ensures rd(p[*].marked);
- ensures x != null ==> x in p && ! x.marked;
- ensures x == null ==> (forall n in p :: n.marked);
- {
- var x [(exists n in p :: !n.marked) ? (x in p && !x.marked) : (x == null)]
- }
-}
-
-class DSW1 refines DSW0 {
- replaces stack by acc(S[*].parent);
-
- transforms IterativeMark()
- {
- *
- }
-
- transforms PickUnmarked(p: seq<Node>) returns (x: Node)
- {
- replaces x by {
- if (|p| == 0) {
- x := null;
- } else if (! p[0].marked) {
- x := p[0];
- } else {
- call x := PickUnmarked(p[1..]);
- }
- }
- }
-}
diff --git a/Chalice/tests/refinements/Duplicates.chalice b/Chalice/tests/refinements/Duplicates.chalice
deleted file mode 100644
index 52cdc3c3..00000000
--- a/Chalice/tests/refinements/Duplicates.chalice
+++ /dev/null
@@ -1,115 +0,0 @@
-class Duplicates0 {
- // 3. we can do fast set checks if we know the bounds on the elements
- method find(s: seq<int>) returns (b:bool)
- requires forall i in s :: 0 <= i && i < 100;
- {
- var b [b == (exists i in [0..|s|] :: s[i] in s[..i]) ];
- }
-}
-
-class Duplicates1 refines Duplicates0 {
- refines find(s: seq<int>) returns (b: bool)
- {
- b := false;
- // 0. need a loop
- // 1. need a set data structure
- var i := 0;
- var d := new Set0;
- call d.init();
-
- // 6. use a witness from the loop
- ghost var w;
-
- while (i < |s|)
- invariant 0 <= i && i <= |s|;
- // 5. add loop invariants using value of Set.add: equivalence as a set
- invariant acc(d.rep);
- // 6. assert equivalent as sets of d.rep and s[..i]
- invariant forall n in d.rep :: n in s[..i];
- invariant forall n in [0..i] :: s[n] in d.rep;
- // 7. devise termination conditions to satisfy the spec
- invariant b ==> 0 <= w && w < |s| && s[w] in s[..w];
- invariant !b ==> (forall j,k in [0..i] :: j != k ==> s[j] != s[k]);
- {
- call r := d.add(s[i]);
- assert r ==> d.rep[0] == s[i]; // help out sequence axioms
-
- if (! r) {
- b := true;
- w := i;
- }
-
- i := i + 1;
- }
- }
-}
-
-class Set0 {
- var rep: seq<int>;
-
- method init()
- requires acc(rep);
- ensures acc(rep) && |rep| == 0;
- {
- rep := nil<int>;
- }
-
- method add(i) returns (b:bool)
- requires acc(rep);
- requires 0 <= i && i < 100;
- ensures acc(rep);
- ensures (i in old(rep)) ==> !b && rep == old(rep);
- ensures (i !in old(rep)) ==> b && rep == [i] ++ old(rep);
- {
- // 2. need a way to compute whether element is in the set
- var c:bool [c <==> i in old(rep)];
- if (c) {
- b := false;
- } else {
- b := true;
- rep := [i] ++ rep;
- assert rep[0] == i;
- }
- }
-}
-
-class Set1 refines Set0 {
- var bitset: seq<bool>;
-
- // 4. represent a set as a bitset (provided representation invariant of the uppermost class)
- replaces rep by acc(bitset) &&
- /** representation invariant */ (forall i in rep :: 0 <= i && i < 100) && |bitset| == 100 &&
- /** coupling invariant */ (forall j in [0..100] :: bitset[j] <==> (j in rep))
-
-
- refines init()
- {
- var i := 0;
- bitset := nil<bool>;
- while (i < 100)
- invariant i <= 100 && acc(bitset);
- invariant |bitset| == i;
- invariant forall b in bitset :: ! b;
- {
- bitset := [false] ++ bitset;
- i := i + 1;
- }
- }
-
- transforms add(i) returns (b: bool)
- {
- replaces c by {var c:bool := this.bitset[i]}
- if {
- *
- } else {
- replaces * by {
- b := true;
- var s:seq<bool> := [true] ++ this.bitset[i+1..];
- assert s[0] == true; // help out sequence axioms
- s := this.bitset[..i] ++ s;
-
- this.bitset := s;
- }
- }
- }
-}
diff --git a/Chalice/tests/refinements/DuplicatesLight.chalice b/Chalice/tests/refinements/DuplicatesLight.chalice
deleted file mode 100644
index 5fbe0735..00000000
--- a/Chalice/tests/refinements/DuplicatesLight.chalice
+++ /dev/null
@@ -1,42 +0,0 @@
-class Duplicates0 {
- method find(s: seq<int>) returns (b: bool)
- requires forall i in s :: i in [0..100];
- {
- spec b [ b <==> (exists i in [0..|s|] :: s[i] in s[..i]) ];
- }
-}
-
-class Duplicates1 refines Duplicates0 {
- refines find(s: seq<int>) returns (b: bool)
- {
- var n := 0;
- b := false;
- while (n < |s|)
- invariant 0 <= n && n <= |s|;
- invariant b <==> (exists i in [0..n] :: s[i] in s[..i]);
- {
- spec c: bool [ c <==> s[n] in s[..n] ];
- b := b || c;
- n := n + 1;
- }
- }
-}
-
-class Duplicates2 refines Duplicates1 {
- transforms find(s: seq<int>) returns (b: bool)
- {
- _
- var bitset:seq<bool> [ |bitset| == 100 && true !in bitset ];
- while
- invariant |bitset| == 100;
- invariant forall i in [0..100] :: bitset[i] <==> i in s[..n];
- {
- replaces c by {
- var c: bool := bitset[ s[n] ];
- }
- bitset := bitset[ .. s[n] ] ++ [true] ++ bitset[ s[n] + 1 ..];
- _
- }
- _
- }
-}
diff --git a/Chalice/tests/refinements/DuplicatesVideo.chalice b/Chalice/tests/refinements/DuplicatesVideo.chalice
deleted file mode 100644
index 3886cb78..00000000
--- a/Chalice/tests/refinements/DuplicatesVideo.chalice
+++ /dev/null
@@ -1,43 +0,0 @@
-class Duplicates0 {
- method Find(s: seq<int>) returns (b: bool)
- requires forall i in s :: i in [0..100];
- {
- b := exists i in [0..|s|] :: s[i] in s[..i];
- }
-}
-
-class Duplicates1 refines Duplicates0 {
- refines Find(s: seq<int>) returns (b: bool)
- {
- var n := 0;
- b := false;
- while (n < |s|)
- invariant 0 <= n && n <= |s|;
- invariant b <==> exists i in [0..n] :: s[i] in s[..i];
- {
- var c := s[n] in s[..n];
- b := b || c;
- n := n + 1;
- }
- }
-}
-
-class Duplicates2 refines Duplicates1 {
- transforms Find(s: seq<int>) returns (b: bool)
- {
- _;
- // bitset has length 100, initially all false
- var bitset:seq<bool> [|bitset| == 100 && true !in bitset ];
- while
- invariant |bitset| == 100;
- invariant forall i in [0..n] :: bitset[ s[i] ];
- invariant forall j in [0..100] :: bitset[j] ==> j in s[..n];
- {
- replaces c by {
- var c: bool := bitset[ s[n] ];
- }
- bitset := bitset[..s[n] ] ++ [true] ++ bitset[ s[n] + 1 ..];
- _;
- }
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/refinements/List.chalice b/Chalice/tests/refinements/List.chalice
deleted file mode 100644
index b13f6ee3..00000000
--- a/Chalice/tests/refinements/List.chalice
+++ /dev/null
@@ -1,47 +0,0 @@
-class List0 {
- var rep: seq<int>;
-
- method init()
- requires acc(rep);
- ensures acc(rep);
- {
- rep := [0];
- }
-
- method get(i) returns (v)
- requires acc(rep);
- requires 0 <= i && i < |rep|;
- ensures acc(rep);
- {
- v := rep[i];
- }
-}
-
-class List1 refines List0 {
- var sub: seq<List1>;
- var data: int;
-
- replaces rep by acc(sub) && acc(data) && acc(sub[*].sub) && acc(sub[*].data) &&
- /** valid */ |sub| >= 0 &&
- (forall i in [0..|sub|] :: sub[i] != null && sub[i].sub == sub[i+1..]) &&
- /** coupling */ |sub| + 1 == |rep| &&
- (forall i in [0..|sub|] :: sub[i].data == rep[i+1]) &&
- data == rep[0]
-
- refines init()
- {
- data := 0;
- sub := nil<List1>;
- }
-
- refines get(i) returns (v)
- {
- if (i == 0) {
- v := data;
- } else {
- var next:List1 := sub[0];
- call v := next.get(i-1);
- //v := sub[i-1].data;
- }
- }
-}
diff --git a/Chalice/tests/refinements/LoopFiniteDiff.chalice b/Chalice/tests/refinements/LoopFiniteDiff.chalice
deleted file mode 100644
index bd744c89..00000000
--- a/Chalice/tests/refinements/LoopFiniteDiff.chalice
+++ /dev/null
@@ -1,61 +0,0 @@
-class Cube0 {
- method compute(n)
- requires n >= 0;
- {
- var v [v == n*n*n];
- }
-}
-
-class Cube1 refines Cube0 {
- transforms compute(n)
- {
- replaces v by {
- var i := 0;
- var v := 0;
- while (i < n)
- invariant i <= n
- invariant v == i * i * i
- {
- i := i + 1;
- var v [v == i * i * i];
- }
- }
- }
-}
-
-class Cube2 refines Cube1 {
- transforms compute(n)
- {
- _
- var w := 1;
- while
- invariant w == (i+1)*(i+1)*(i+1) - i*i*i
- {
- _
- replaces v by {
- v := v + w;
- var w [w == (i+1)*(i+1)*(i+1) - i*i*i];
- }
- }
- _
- }
-}
-
-class Cube3 refines Cube2 {
- transforms compute(n)
- {
- _
- var x := 0;
- while
- invariant x == i*i
- {
- _
- replaces w by {
- x := x + 2*i - 1;
- w := 3*x + 3*i + 1;
- }
- }
- _
- }
-}
-
diff --git a/Chalice/tests/refinements/LoopSqRoot.chalice b/Chalice/tests/refinements/LoopSqRoot.chalice
deleted file mode 100644
index 4ea9434d..00000000
--- a/Chalice/tests/refinements/LoopSqRoot.chalice
+++ /dev/null
@@ -1,43 +0,0 @@
-class A0 {
- method sqroot(n) returns (x)
- requires n >= 0;
- {
- var x [x*x <= n && n < (x+1)*(x+1) && x >=0];
- }
-}
-
-class A1 refines A0 {
- transforms sqroot(n) returns (x)
- {
- replaces x by {
- var l := 0;
- var r := n + 1;
- while (l + 1 != r)
- invariant l >= 0 && r > l;
- invariant l*l <= n && n < r*r;
- {
- var k [l < k && k < r];
- if (k*k <= n) {
- l := k;
- } else {
- r := k;
- }
- }
- x := l;
- }
- }
-}
-
-class A2 refines A1 {
- transforms sqroot(n) returns (x)
- {
- _
- while {
- replaces k by {
- var k [2*k <= l+r && l+r < 2*(k+1)]
- }
- *
- }
- _
- }
-}
diff --git a/Chalice/tests/refinements/Pick.chalice b/Chalice/tests/refinements/Pick.chalice
deleted file mode 100644
index 7df2f90d..00000000
--- a/Chalice/tests/refinements/Pick.chalice
+++ /dev/null
@@ -1,28 +0,0 @@
-class Pick0 {
- method pick(s: seq<int>) returns (x)
- requires |s| > 0;
- {
- var x [x in s]
- }
-}
-
-class Pick1 refines Pick0 {
- transforms pick(s: seq<int>) returns (x)
- {
- replaces x by {x := s[0]}
- }
-}
-
-class Pick2 refines Pick0 {
- transforms pick(s: seq<int>) returns (x)
- {
- replaces * by {x := s[|s|-1]}
- }
-}
-
-class Pick3 refines Pick0 {
- transforms pick(s: seq<int>) returns (x)
- {
- replaces x by {x := s[1]}
- }
-}
diff --git a/Chalice/tests/refinements/RecFiniteDiff.chalice b/Chalice/tests/refinements/RecFiniteDiff.chalice
deleted file mode 100644
index 1a971aed..00000000
--- a/Chalice/tests/refinements/RecFiniteDiff.chalice
+++ /dev/null
@@ -1,51 +0,0 @@
-// Example of a program computing cube using only addition.
-// Step-wise refinement using specification statement.
-// Chalice does not have termination metric for recursive methods.
-
-class Cube0 {
- method compute(n) returns (v)
- requires n >= 0;
- ensures v == n*n*n;
- {
- var v [v == n*n*n]
- }
-}
-
-class Cube1 refines Cube0 {
- transforms compute(n) returns (v, w)
- // strengthen post-condition based on new output variables
- ensures w == (n+1)*(n+1)*(n+1)-n*n*n;
- {
- replaces v by {
- if (n == 0) {
- v := 0;
- w := 1;
- } else {
- call v1,w1 := compute(n-1); // rely on stronger post-condition
- v := v1 + w1;
- // simplified form: aha! we need n*n to compute with addition
- var w [w == 3*n*n + 3*n + 1];
- }
- }
- }
-}
-
-class Cube2 refines Cube1 {
- transforms compute(n) returns (v, w, x)
- ensures x == (n+1)*(n+1);
- {
- if {
- _
- x := 1;
- } else {
- replaces v1, w1 by {
- call v1,w1,x1 := compute(n-1);
- }
- _
- replaces w by {
- w := 3*x1 + 3*n + 1;
- x := x1 + 2*n + 1;
- }
- }
- }
-}
diff --git a/Chalice/tests/refinements/RecSqRoot.chalice b/Chalice/tests/refinements/RecSqRoot.chalice
deleted file mode 100644
index a10c1b55..00000000
--- a/Chalice/tests/refinements/RecSqRoot.chalice
+++ /dev/null
@@ -1,46 +0,0 @@
-class A0 {
- method sqroot(n) returns (x)
- requires n >= 0;
- {
- var x [x*x <= n && n < (x+1)*(x+1)];
- }
-}
-
-class A1 refines A0 {
- transforms sqroot(n) returns (x)
- {
- replaces x by {call x := rec(n,0,n+1)}
- }
-
- method rec(n, l, r) returns (x)
- requires l*l <= n && n < r*r;
- requires l >= 0 && r >= 0;
- ensures x*x <= n && n < (x+1)*(x+1);
- {
- if (l+1 == r) {
- x := l;
- } else {
- var k [l < k && k < r];
- if (n < k*k) {
- call x := rec(n,l,k);
- } else {
- call x := rec(n,k,r);
- }
- }
- }
-}
-
-class A2 refines A1 {
- transforms rec(n, l, r) returns (x)
- {
- if {
- *
- } else {
- replaces k by {
- assert l < r;
- var k := l+1;
- }
- *
- }
- }
-}
diff --git a/Chalice/tests/refinements/RefinesLoop.chalice b/Chalice/tests/refinements/RefinesLoop.chalice
deleted file mode 100644
index 305fc164..00000000
--- a/Chalice/tests/refinements/RefinesLoop.chalice
+++ /dev/null
@@ -1,3 +0,0 @@
-class A refines B {}
-class B refines C {}
-class C refines A {}
diff --git a/Chalice/tests/refinements/SpecStmt.chalice b/Chalice/tests/refinements/SpecStmt.chalice
deleted file mode 100644
index 55eacdb0..00000000
--- a/Chalice/tests/refinements/SpecStmt.chalice
+++ /dev/null
@@ -1,35 +0,0 @@
-class Test {
- var x: int;
- method m(a:int) returns (b:int)
- {
- var c := 0;
- ghost const d,c [d == c];
- var b [b == 0];
- var e [e == a];
- assert d == c;
- assert e == a;
- assert b == 0;
- assert c == 0; // error
- }
-
- method n()
- requires acc(x);
- {
- x := 0;
- const y [acc(x), acc(x) && x == old(x) + 1 && y == x];
- assert y == 1;
- const v [acc(x), acc(x) && v == old(x) + 1];
- assert v == 2;
- const z [z == 1];
- ghost var t [z == 1, true];
- assert false; // reachable
- }
-
- method o()
- {
- var z [acc(x) && z == 0]; // unimplementable
- x := z;
- assert x == 0;
- assert false; // reachable
- }
-}
diff --git a/Chalice/tests/refinements/SumCubes.chalice b/Chalice/tests/refinements/SumCubes.chalice
deleted file mode 100644
index a24a0f37..00000000
--- a/Chalice/tests/refinements/SumCubes.chalice
+++ /dev/null
@@ -1,29 +0,0 @@
-class SumCubes0 {
- method compute(n)
- requires n >= 0;
- {
- var i := 0;
- var s := 0;
- while (i < n)
- invariant i <= n;
- {
- i := i + 1;
- s := s + i*i*i;
- }
- }
-}
-
-class SumCubes1 refines SumCubes0 {
- transforms compute(n)
- {
- _
- var t := 0;
- while
- invariant s == t*t;
- invariant 2*t == i*(i+1);
- {
- _
- t := t + i;
- }
- }
-}
diff --git a/Chalice/tests/refinements/TestCoupling.chalice b/Chalice/tests/refinements/TestCoupling.chalice
deleted file mode 100644
index a178c9b4..00000000
--- a/Chalice/tests/refinements/TestCoupling.chalice
+++ /dev/null
@@ -1,74 +0,0 @@
-class A0 {
- var x: int;
- var n: int;
- var k: int;
-
- method inc()
- requires acc(x) && acc(n);
- ensures acc(x) && x == old(x) + 1;
- {
- x := x + 1;
- n := n + 1;
- }
-
- method error()
- requires acc(x)
- ensures acc(x)
- {
- x := x + 1;
- }
-}
-
-class A1 refines A0 {
- var y: int;
- var z: int;
- replaces x by acc(y) && acc(z) && x == y - z && y >= 0 && z >= 0;
-
- refines inc()
- ensures y == old(y) + 1
- {
- this.y := 1 + this.y;
- this.n := this.n + 1;
- }
-
- refines error()
- ensures acc(y)
- {
- this.y := 1 + this.y;
- }
-}
-
-class B0 {
- var x: int;
- var y: int;
-
- method error()
- requires acc(x);
- ensures acc(x);
- {
- x := x + 1;
- }
-
- method inc()
- requires acc(x) && acc(y);
- ensures acc(x) && acc(y);
- {
- x := x + 1;
- }
-}
-
-class B1 refines B0 {
- var z: int;
- replaces x,y by acc(z) && z == x + y;
-
- refines error()
- {
- this.z := this.z + 1;
- }
-
- refines inc()
- {
- this.z := this.z + 1;
- }
-}
-
diff --git a/Chalice/tests/refinements/TestRefines.chalice b/Chalice/tests/refinements/TestRefines.chalice
deleted file mode 100644
index 40f21cea..00000000
--- a/Chalice/tests/refinements/TestRefines.chalice
+++ /dev/null
@@ -1,56 +0,0 @@
-// Simple refinements
-class A {
- var x:int;
- function f():int {1}
- method m(i:int) returns (j:int) {
- var j [j > 0];
- }
-
- method n() returns (c: bool)
- {
- c := true;
- }
-
- method o() returns ()
- {
- var k := 1;
- var j := 0;
- spec j [j > 0];
- }
-
- method p(b: bool) returns ()
- {
- var k := 1;
- if (b) {
- } else {
- }
- }
-}
-
-class B refines A {
- // correct
- transforms m(i:int) returns (j:int, k:int)
- {
- *
- }
-
- // broken: c
- refines n() returns (c: bool)
- {
- c := false;
- }
-
- // broken: spec stmt frame, k
- transforms o() returns () {
- _
- replaces j by { j := 1; k := 0 }
- }
-
- // broken: k
- transforms p(b: bool) returns () {
- _
- if {k := 2} else {*}
- }
-}
-
-
diff --git a/Chalice/tests/refinements/TestTransform.chalice b/Chalice/tests/refinements/TestTransform.chalice
deleted file mode 100644
index 2c18907f..00000000
--- a/Chalice/tests/refinements/TestTransform.chalice
+++ /dev/null
@@ -1,38 +0,0 @@
-class A {
- method m(i: int) returns (x: int)
- ensures x == i;
- {
- var j := 0;
- var v [v == i + j];
- x := v;
- }
-
- method n() {
- var x := 0;
- var y := 1;
- var z := 2;
- }
-}
-
-class B refines A {
- transforms m(i: int) returns (x: int, y: int)
- ensures y == 0;
- {
- var t := 0;
- _
- replaces v by {
- var v := i + j;
- call t, j := m(0);
- y := j;
- }
- _
- }
-
- transforms n() {
- replaces * by {
- var x := 0;
- var y := x + 1;
- var z := 2*y;
- }
- }
-}
diff --git a/Chalice/tests/refinements/experiments/CounterPredicate.chalice b/Chalice/tests/refinements/experiments/CounterPredicate.chalice
deleted file mode 100644
index fd35c18c..00000000
--- a/Chalice/tests/refinements/experiments/CounterPredicate.chalice
+++ /dev/null
@@ -1,136 +0,0 @@
-class Cell {
- var n : int;
-}
-
-class A {
- var x : int;
-
- predicate valid {
- acc(x) && x >= 0
- }
-
- function getX(): int requires valid
- {
- unfolding valid in x
- }
-
- method init()
- requires acc(this.*);
- ensures valid;
- {
- x := 0;
- fold valid;
- }
-
- method inc()
- requires valid;
- ensures valid && getX() == old(getX()) + 1;
- {
- unfold valid;
- x := x + 1;
- fold valid;
- }
-
- method dec()
- requires valid && getX() > 0;
- ensures valid;
- {
- unfold valid;
- x := x - 1;
- fold valid;
- }
-
- method magic() returns (c: Cell)
- requires valid;
- ensures valid;
- {
- }
-}
-
-class C {
- ghost var x : int;
- var y : Cell;
- var z : Cell;
-
- function getX() : int
- requires valid;
- {
- unfolding valid in y.n - z.n
- }
-
- predicate valid {
- acc(x) && acc(y) && acc(z) && acc(y.n) && acc(z.n) &&
- y != null && z != null &&
- y.n >= 0 && z.n >= 0 &&
- y.n - z.n == x &&
- x >= 0
- }
-
- method init()
- requires acc(this.*);
- ensures valid;
- {
- x := 0;
- //
- y := new Cell;
- z := new Cell;
- y.n := 0;
- z.n := 0;
- fold valid;
- }
-
- method inc()
- requires valid;
- ensures valid && getX() == old(getX()) + 1;
- {
- unfold valid;
- x := x + 1;
- //
- y.n := y.n + 1;
- fold valid;
- }
-
- method dec()
- requires valid && getX() > 0;
- ensures valid;
- {
- unfold valid;
- x := x - 1;
- //
- z.n := z.n + 1;
- fold valid;
- }
-
- method magic() returns (c: Cell)
- requires valid;
- ensures valid;
- {
- unfold valid;
- c := y;
- fold valid;
- }
-}
-
-class Client {
- method main()
- {
- // Abstract program
- var a := new A;
- call a.init();
- call a.inc(); // problem is here
- call a.inc();
- call a.dec();
- call ac := a.magic();
- ac.n := 0;
-
- // Concrete program
- var c := new C;
- call c.init();
- call c.inc();
- call c.inc();
- call c.dec();
- call cc := c.magic();
- cc.n := 0;
- }
-}
-
diff --git a/Chalice/tests/refinements/experiments/DSW0.chalice b/Chalice/tests/refinements/experiments/DSW0.chalice
deleted file mode 100644
index d83c5438..00000000
--- a/Chalice/tests/refinements/experiments/DSW0.chalice
+++ /dev/null
@@ -1,145 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// (incomplete version) Two children instead of a sequence of an array
-class Node {
- var left: Node;
- var right: Node;
- var marked: bool;
- var l: bool;
- var r: bool;
-}
-
-class Main {
- method RecursiveMark(root: Node, S: seq<Node>)
- requires acc(S[*].marked, 50) && acc(S[*].*, 50);
- requires root != null && root in S;
- // S is closed under 'left' and 'right':
- requires forall n in S :: n != null &&
- ((n.left != null ==> n.left in S) &&
- (n.right != null ==> n.right in S));
- requires forall n in S :: ! n.marked;
- ensures acc(S[*].marked, 50) && acc(S[*].*, 50);
- ensures root.marked;
- // nodes reachable from 'root' are marked:
- ensures forall n in S :: n.marked ==>
- ((n.left != null ==> n.left in S && n.left.marked) &&
- (n.right != null ==> n.right in S && n.right.marked));
- {
- var stack: seq<Node> := [];
- call RecursiveMarkWorker(root, S, stack);
- }
-
- method RecursiveMarkWorker(root: Node, S: seq<Node>, stack: seq<Node>)
- requires acc(S[*].marked, 50) && acc(S[*].*, 50);
- requires root != null && root in S;
- requires forall n in S :: n != null &&
- ((n.left != null ==> n.left in S) &&
- (n.right != null ==> n.right in S))
- requires forall n in S :: n.marked ==>
- (n in stack ||
- ((n.left != null ==> n.left.marked) &&
- (n.right != null ==> n.right.marked)));
- requires forall n in stack :: n != null && n in S && n.marked;
- ensures acc(S[*].marked, 50) && acc(S[*].*, 50);
- ensures forall n in S :: n.left == old(n.left) && n.right == old(n.right);
- ensures forall n in S :: n.marked ==>
- (n in stack ||
- ((n.left != null ==> n.left.marked) &&
- (n.right != null ==> n.right.marked)));
- ensures forall n in S :: old(n.marked) ==> n.marked;
- ensures root.marked;
- {
- if (! 
root.marked) {
- root.marked := true;
- var next:seq<Node> := [root] ++ stack;
- assert next[0] == root;
- if (root.left != null) {
- call RecursiveMarkWorker(root.left, S, next);
- }
-
- if (root.right != null) {
- call RecursiveMarkWorker(root.right, S, next);
- }
- }
- }
-
- method IterativeMark(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null &&
- (n.left != null ==> n.left in S) &&
- (n.right != null ==> n.right in S);
- requires forall n in S :: ! n.marked;
- requires forall n in S :: ! n.l && ! n.r;
- ensures acc(S[*].*);
- ensures forall n in S :: n.left == old(n.left) && n.right == old(n.right);
- ensures root.marked;
- ensures forall n in S :: n.marked ==>
- (n.left != null ==> n.left.marked) &&
- (n.right != null ==> n.right.marked);
- ensures forall n in S :: ! n.l && ! n.r;
- {
- var t:Node := root;
- t.marked := true;
- var stack: seq<Node> := [];
-
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked && t in S && t !in stack;
- invariant forall n in stack :: n in S;
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in S :: (n in stack || n == t) ==>
- n.marked &&
- (n.r ==> n.l) &&
- (n.l && n.left != null ==> n.left in S && n.left.marked) &&
- (n.r && n.right != null ==> n.right in S && n.right.marked)
- // stack is linked
- invariant forall i in [1..|stack|] :: stack[i-1] == (stack[i].l ? stack[i].right : stack[i].left);
- invariant 0 < |stack| ==> t == (stack[0].l ? stack[0].right : stack[0].left);
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (n.left != null ==> n.left in S && n.left.marked) &&
- (n.right != null ==> n.right in S && n.right.marked);
- // preservation
- invariant forall n in S :: n !in stack && n != t ==> ! n.l && ! n.r;
- invariant forall n in S :: n.left == old(n.left) && n.right == old(n.right);
- invariant stop ==> |stack| == 0 && ! t.l && ! 
t.r &&
- (t.left != null ==> t.left.marked) &&
- (t.right != null ==> t.right.marked);
- {
- if (! t.l && (t.left == null || t.left.marked)) {
- // advance
- t.l := true;
- } else if (t.l && ! t.r && (t.right == null || t.right.marked)) {
- // advance
- t.r := true;
- } else if (t.r) {
- // pop
- t.l := false;
- t.r := false;
- if (|stack| == 0) {
- stop := true;
- } else {
- t := stack[0];
- stack := stack[1..];
- if (t.l) {t.r := true} else {t.l := true}
- }
- } else if (!t.l) {
- // push
- stack := [t] ++ stack;
- assert stack[0] == t;
- t := t.left;
- t.marked := true;
- } else if (!t.r) {
- // push
- assert t.l;
- stack := [t] ++ stack;
- assert stack[0] == t;
- t := t.right;
- t.marked := true;
- }
- }
- }
-}
diff --git a/Chalice/tests/refinements/experiments/DSW1.chalice b/Chalice/tests/refinements/experiments/DSW1.chalice
deleted file mode 100644
index 612f21ac..00000000
--- a/Chalice/tests/refinements/experiments/DSW1.chalice
+++ /dev/null
@@ -1,91 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// Arbitrary number of children
-// No counter for visited nodes; next node is selected non-deterministically
-class Node {
- var children: seq<Node>;
- var marked: bool;
- ghost var path: seq<Node>;
-}
-
-class Main {
- function Reachable(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Reachable(p[0], p[1..], from))
- }
-
- method IterativeMark(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! n.marked;
- ensures acc(S[*].*);
- // graph structure is the same
- ensures forall n in S :: n.children == old(n.children);
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- {
- var t:Node := root;
- t.marked := true;
- var stack: seq<Node> := [];
- t.path := stack;
-
- // no termination check
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked;
- invariant t in S && t.marked && t !in stack;
- // stack well-formed
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in stack :: n in S && n.marked;
- invariant forall i in [1..|stack|] :: stack[i-1] in stack[i].children;
- invariant 0 < |stack| ==> t in stack[0].children;
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- // preservation
- invariant forall n in S :: 
n.children == old(n.children);
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked);
- {
- call n := PickUnmarked(t.children);
-
- if (n != null) {
- // push
- stack := [t] ++ stack;
- n.path := [t] ++ t.path;
- t := n;
- t.marked := true;
- assert Reachable(t.path[0], t.path[1..], root); // needed for limited function
- } else {
- // pop
- if (|stack| == 0) {
- stop := true;
- } else {
- t := stack[0];
- stack := stack[1..];
- }
- }
- }
- }
-
- method PickUnmarked(p: seq<Node>) returns (x: Node)
- requires rd(p[*].marked);
- requires forall n in p :: n != null;
- ensures rd(p[*].marked);
- ensures x != null ==> x in p && ! x.marked;
- ensures x == null ==> (forall n in p :: n.marked);
- {
- assume false; // magic!
- }
-}
diff --git a/Chalice/tests/refinements/experiments/DSW10.chalice b/Chalice/tests/refinements/experiments/DSW10.chalice
deleted file mode 100644
index 3bf70eeb..00000000
--- a/Chalice/tests/refinements/experiments/DSW10.chalice
+++ /dev/null
@@ -1,120 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// Arbitrary number of children
-// Added visited field to refine non-det choice with a conditional
-// Added a client
-class Node {
- var children: seq<Node>;
- var marked: bool;
- var visited: int;
- ghost var path: seq<Node>;
-}
-
-class Main {
- method Test()
- {
- var a := new Node {marked := false, visited := 0};
- var b := new Node {marked := false, visited := 0};
- var c := new Node {marked := false, visited := 0};
- var d := new Node {marked := false, visited := 0};
- a.children := [b];
- b.children := [c,a];
- c.children := [b];
- d.children := [a,b,c];
- // a <-> b <-> c
- // ^ \ ^ / ^
- // d
- assert [a,b,c,d][0] == a; // root is in sequence
- call IterativeMark(a, [a,b,c,d]);
- assert a.marked;
- assert a.children[0] == b; // b should be marked
- assert b.marked;
- assert b.children[0] == c; // c should be marked
- assert c.marked;
- assert !d.marked;
- }
-
- function Reachable(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Reachable(p[0], p[1..], from))
- }
-
- method IterativeMark(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! 
n.marked;
- requires forall n in S :: n.visited == 0;
- ensures acc(S[*].*);
- // graph structure is the same
- ensures forall n in S :: n.children == old(n.children);
- ensures forall n in S :: n.visited == 0;
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) &&
- Reachable(n, n.path, root);
- {
- var t:Node := root;
- t.marked := true;
- var stack: seq<Node> := [];
- t.path := stack;
-
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked && t in S && t.marked && t !in stack;
- // no duplicates in the stack
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- // stack well-formed
- invariant forall n in stack :: n in S;
- invariant forall n in S :: n in stack || n == t ==>
- n.marked &&
- 0 <= n.visited && n.visited <= |n.children| &&
- (forall i in [0..n.visited] :: n.children[i] in S && n.children[i].marked);
- invariant forall n in stack :: n.visited < |n.children|;
- // stack is linked
- invariant forall i in [1..|stack|] :: stack[i-1] == stack[i].children[stack[i].visited];
- invariant 0 < |stack| ==> t == stack[0].children[stack[0].visited];
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) &&
- Reachable(n, n.path, root);
- // preservation
- invariant forall n in S :: n !in stack && n != t ==> n.visited == old(n.visited);
- invariant forall n in S :: n.children == old(n.children);
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked) && t.visited == 0;
- {
- if (t.visited == |t.children|) {
- // pop
- t.visited := 0;
- if (|stack| == 0) {
- stop := true;
- } else {
- t := stack[0]; 
- stack := stack[1..];
- t.visited := t.visited + 1;
- }
- } else if (t.children[t.visited].marked) {
- // skip
- t.visited := t.visited + 1;
- } else {
- // push
- ghost var oldt:Node := t;
- stack := [t] ++ stack;
- t := t.children[t.visited];
- t.path := [oldt] ++ oldt.path; // TODO: in fact, this is stack
- t.marked := true;
- assert Reachable(oldt, oldt.path, root); // needed for limited function
- }
- }
- }
-}
diff --git a/Chalice/tests/refinements/experiments/DSW2.chalice b/Chalice/tests/refinements/experiments/DSW2.chalice
deleted file mode 100644
index 7438c688..00000000
--- a/Chalice/tests/refinements/experiments/DSW2.chalice
+++ /dev/null
@@ -1,95 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// Add arbitrary number of children, not just two.
-// Remove visited field for visited nodes; next node is selected non-deterministically (verification time 30s)
-// Added parent pointer p (stack remains) (verification time 8s, limited functions)
-class Node {
- var children: seq<Node>;
- var marked: bool;
- ghost var path: seq<Node>;
-}
-
-class Main {
- function Reachable(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Reachable(p[0], p[1..], from))
- }
-
- method SchorrWaite(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! n.marked;
- ensures acc(S[*].*);
- // graph structure is the same
- ensures forall n in S :: n.children == old(n.children);
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==> (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- {
- var p:Node := null;
- var t:Node := root;
- t.marked := true;
- var stack: seq<Node> := [];
- t.path := stack;
-
- // no termination check
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked;
- invariant t in S && t.marked && t !in stack;
- // stack well-formed
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in stack :: n in S && n.marked;
- invariant forall i in [1..|stack|] :: stack[i-1] in stack[i].children;
- invariant 0 < |stack| ==> p == stack[0] && t in p.children;
- invariant 0 == |stack| ==> p == null;
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall 
ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- // preservation
- invariant forall n in S :: n.children == old(n.children);
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked);
- {
- call n := PickUnmarked(t.children);
-
- if (n != null) {
- // push
- p := t;
- stack := [t] ++ stack;
- n.path := [t] ++ t.path;
- t := n;
- t.marked := true;
- assert Reachable(t.path[0], t.path[1..], root); // limited function
- } else {
- // pop
- if (p == null) {
- stop := true;
- } else {
- t := p;
- stack := stack[1..];
- p := |stack| > 0 ? stack[0] : null;
- }
- }
- }
- }
-
- method PickUnmarked(p: seq<Node>) returns (x: Node)
- requires rd(p[*].marked);
- requires forall n in p :: n != null;
- ensures rd(p[*].marked);
- ensures x != null ==> x in p && ! x.marked;
- ensures x == null ==> (forall n in p :: n.marked);
- {
- assume false; // magic!
- }
-}
diff --git a/Chalice/tests/refinements/experiments/DSW3.chalice b/Chalice/tests/refinements/experiments/DSW3.chalice
deleted file mode 100644
index dbf161cd..00000000
--- a/Chalice/tests/refinements/experiments/DSW3.chalice
+++ /dev/null
@@ -1,106 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// Add arbitrary number of children, not just two.
-// Remove visited field for visited nodes; next node is selected non-deterministically
-// Added parent pointer p (stack remains)
-// Note: the challenge is to update children field of nodes on stack so that we can recover
-// parent pointer in pop operation
-// Add parent field to Node and made stack ghost (verification time 80s, limited functions)
-class Node {
- var children: seq<Node>;
- var marked: bool;
- var parent: Node;
- ghost var path: seq<Node>;
-}
-
-class Main {
- function Reachable(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Reachable(p[0], p[1..], from))
- }
-
- method SchorrWaite(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! n.marked && n.parent == null;
- ensures acc(S[*].*);
- // graph structure is the same
- ensures forall n in S :: n.children == old(n.children);
- ensures forall n in S :: n.parent == null;
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==> (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- {
- var p:Node := null;
- var t:Node := root;
- t.marked := true;
- ghost var stack: seq<Node> := [];
- t.path := stack;
-
- // no termination check
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked;
- invariant t in S && t.marked && t !in stack;
- // stack well-formed
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in stack :: n in S && n.marked;
- invariant forall i in [1..|stack|] :: stack[i-1] in stack[i].children;
- invariant forall i in [1..|stack|] :: stack[i-1].parent == stack[i];
- invariant 0 < |stack| ==> p == stack[0] && t in p.children && stack[|stack|-1].parent == null;
- invariant 0 == |stack| <==> p == null;
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Reachable(n, n.path, root);
- invariant forall n in S :: n !in stack ==> n.parent == null;
- // preservation
- invariant forall n in S :: n.children == old(n.children);
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked);
- {
- call n := PickUnmarked(t.children);
-
- if (n != null) {
- // push
- t.parent := p;
- p := t;
- stack := [t] ++ stack;
- n.path := [t] ++ t.path;
- t := n;
- t.marked := true;
- assert Reachable(t.path[0], t.path[1..], root); // limited function
- assert forall x in S :: x.marked ==> Reachable(x, x.path, root);
- assume forall x in S :: x.marked ==> Reachable(x, x.path, root);
- } else {
- // pop
- if (p == null) {
- stop := true;
- } else {
- t := p;
- p := t.parent;
- t.parent := null;
- stack := stack[1..];
- }
- }
- }
- }
-
- method PickUnmarked(p: seq<Node>) returns (x: Node)
- requires rd(p[*].marked);
- requires forall n in p :: n != null;
- ensures rd(p[*].marked);
- ensures x != null ==> x in p && ! x.marked;
- ensures x == null ==> (forall n in p :: n.marked);
- {
- assume false;
- }
-}
diff --git a/Chalice/tests/refinements/experiments/DSW4.chalice b/Chalice/tests/refinements/experiments/DSW4.chalice
deleted file mode 100644
index f594595a..00000000
--- a/Chalice/tests/refinements/experiments/DSW4.chalice
+++ /dev/null
@@ -1,117 +0,0 @@
-// Schorr-Waite algorithm in Chalice
-// (see Test/dafny1/SchorrWaite.dfy)
-
-// Add arbitrary number of children, not just two.
-// Remove visited field for visited nodes; next node is selected non-deterministically
-// Added parent pointer p (stack remains)
-// Note: the challenge is to update children field of nodes on stack so that we can recover
-// parent pointer in pop operation
-// Add parent field to Node and made stack ghost (verification time 80s, limited functions)
-// Add Reachable that existentially quantifies over paths (verification time 23s, limited functions)
-class Node {
- var children: seq<Node>;
- var marked: bool;
- var parent: Node;
- var visited: int;
- ghost var path: seq<Node>;
-}
-
-class Main {
- function Reachable(to: Node, from: Node, S: seq<Node>): bool
- requires acc(S[*].children);
- {
- exists p:seq<Node> :: (forall n in p :: n in S) && Via(to, p, from)
- }
-
- function Via(to: Node, p:seq<Node>, from: Node): bool
- requires acc(p[*].children);
- {
- |p| == 0 ? to == from :
- (p[0] != null && to in p[0].children && Via(p[0], p[1..], from))
- }
-
- method SchorrWaite(root: Node, S: seq<Node>)
- requires acc(S[*].*);
- requires root in S;
- requires forall n in S :: n != null && (forall ch in n.children :: ch != null && ch in S);
- requires forall n in S :: ! n.marked && n.parent == null && n.visited == 0;
- ensures acc(S[*].*);
- // graph structure is the same
- ensures forall n in S :: n.children == old(n.children);
- ensures forall n in S :: n.parent == null && n.visited == 0;
- // all nodes reachable from root are marked
- ensures root.marked;
- ensures forall n in S :: n.marked ==> (forall ch in n.children :: ch.marked);
- // all marked nodes are reachable from root
- ensures forall n in S :: n.marked ==> (forall m in n.path :: m in S) && Reachable(n, root, S);
- {
- var p:Node := null;
- var t:Node := root;
- t.marked := true;
- ghost var stack: seq<Node> := [];
- t.path := stack;
-
- // no termination check
- var stop := false;
- while(!stop)
- invariant acc(S[*].*);
- invariant root.marked;
- invariant t in S && t.marked && t !in stack;
- // stack well-formed
- invariant forall i in [0..|stack|] :: forall j in [i+1..|stack|] :: stack[i] != stack[j];
- invariant forall n in stack :: n in S && n.marked;
- invariant forall i in [1..|stack|] :: stack[i-1] in stack[i].children;
- invariant forall i in [1..|stack|] :: stack[i-1].parent == stack[i];
- invariant 0 < |stack| ==> p == stack[0] && t in p.children && stack[|stack|-1].parent == null;
- invariant 0 == |stack| <==> p == null;
- // goal
- invariant forall n in S :: n.marked && n !in stack && n != t ==>
- (forall ch in n.children :: ch in S && ch.marked);
- invariant forall n in S :: n.marked ==>
- (forall m in n.path :: m in S) && Via(n, n.path, root);
- invariant forall n in S :: n !in stack ==> n.parent == null;
- // preservation
- invariant forall n in S :: n.children == old(n.children) && n.visited == 0;
- // termination
- invariant stop ==> |stack| == 0 && (forall ch in t.children :: ch.marked);
- {
- call n := PickUnmarked(t, t.children);
-
- if (n != null) {
- // push
- t.parent := p;
- p := t;
- stack := [t] ++ stack;
- n.path := [t] ++ t.path;
- t := n;
- t.marked := true;
- assert Via(t.path[0], t.path[1..], root); // limited function
- assert forall x in S :: x.marked ==> Via(x, x.path, root);
- assume forall x in S :: x.marked ==> Via(x, x.path, root);
- } else {
- // pop
- if (p == null) {
- stop := true;
- } else {
- t := p;
- p := t.parent;
- t.parent := null;
- stack := stack[1..];
- }
- }
- }
- }
-
- method PickUnmarked(n: Node, p: seq<Node>) returns (x: Node)
- requires rd(p[*].marked, 50);
- requires rd(n.*, 50);
- requires forall q in p :: q != null;
- requires p == n.children;
- ensures rd(p[*].marked, 50);
- ensures rd(n.*, 50);
- ensures x != null ==> x in p && ! x.marked;
- ensures x == null ==> (forall q in p :: q.marked);
- {
- assume false;
- }
-}
diff --git a/Chalice/tests/refinements/experiments/List.chalice b/Chalice/tests/refinements/experiments/List.chalice
deleted file mode 100644
index efcec2c8..00000000
--- a/Chalice/tests/refinements/experiments/List.chalice
+++ /dev/null
@@ -1,159 +0,0 @@
-/**
-Interesting issues:
- * using functions in refinement to write getters
- * using functions to write coupling invariant
- * refining to a recursive implementation
- * restricting refinement (List1 must have at least one item)
- * refining a method with an output variable
-
-Do we shadows the abstract variables in the later concrete programs?
-
-How do we handle generic sequence in List2
-*/
-
-class List0 {
- var rep: seq<int>;
-
- method init()
- requires acc(this.*);
- ensures acc(rep);
- {
- rep := [0];
- }
-
- function length(): int
- requires acc(rep);
- {
- |rep|
- }
-
- method get(i: int) returns (v: int)
- requires acc(rep);
- requires 0 <= i && i < length();
- ensures acc(rep);
- {
- v := rep[i];
- }
-
- method pick() returns (v: int)
- requires acc(rep);
- ensures acc(rep);
- {
- var i: int;
- assume 0 <= i && i < length();
- v := rep[i];
- }
-}
-
-class List1 {
- ghost var rep: seq<int>;
-
- var data: int;
- var l: seq<List1>;
-
- function inv(): bool
- requires acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l);
- {
- /** valid */ |l| >= 0 &&
- (forall i in [0..|l|] :: l[i] != null && l[i].l == l[i+1..]) &&
- /** coupling */ |l| + 1 == |rep| &&
- (forall i in [0..|l|] :: l[i].data == rep[i+1]) &&
- data == rep[0]
- }
-
- method init()
- requires acc(this.*);
- ensures acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && inv();
- {
- rep := [0];
- data := 0;
- l := nil<List1>;
- }
-
- function length(): int
- requires acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && inv();
- {
- |l| + 1
- }
-
- method checkLength()
- requires acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && inv();
- {
- assert |l| + 1 == |rep|;
- }
-
- method get(i: int) returns (v: int)
- requires acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && inv();
- requires 0 <= i && i < length();
- ensures acc(rep) && acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && inv();
- {
- if (i == 0) {
- v := data;
- } else {
- v := l[i-1].data;
- }
- assert v == rep[i];
- }
-}
-
-class List2 {
- // ghost var rep: seq<int>;
- ghost var l: seq<List2>;
-
- var data: int;
- var next: List2;
- var size: int;
-
- function inv(): bool
- requires acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next);
- {
- /** valid */ |l| >= 0 &&
- (forall i in [0..|l|] :: l[i] != null && l[i].l == l[i+1..]) &&
- /** new coupling */ size == |l| + 1 &&
- (next == null ==> |l| == 0) &&
- (next != null ==> |l| > 0 && next == l[0] && l[|l|-1].next == null) &&
- (forall i in [0..|l|] :: l[i].size == size - i - 1) &&
- (forall i in [0..|l|-1] :: l[i].next == l[i+1])
- }
-
- method init()
- requires acc(this.*);
- ensures acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next) && inv();
- {
- data := 0;
- l := nil<List2>;
- next := null;
- size := 1;
- }
-
- function length(): int
- requires acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next) && inv();
- {
- size
- }
-
- method checkLength()
- requires acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next) && inv();
- {
- assert size == |l| + 1;
- }
-
- method get(i: int) returns (v: int)
- requires acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next) && inv();
- requires 0 <= i && i < length();
- ensures acc(l) && acc(data) && acc(l[*].data) && acc(l[*].l) && acc(size) && acc(next) && acc(l[*].size) && acc(l[*].next) && inv();
- /** loop invariant: assertion on coupling of abstract and concrete outputs */
- ensures i == 0 ==> v == data;
- ensures i > 0 ==> i-1 < |l| && l[i-1] != null && v == l[i-1].data;
- {
- if (i == 0) {
- v := data;
- } else {
- assert next != null;
- assert l == [next] ++ next.l;
- call w := next.get(i-1);
- v := w;
- }
- }
-}
-
diff --git a/Chalice/tests/refinements/experiments/ListNode.chalice b/Chalice/tests/refinements/experiments/ListNode.chalice
deleted file mode 100644
index ae72fe67..00000000
--- a/Chalice/tests/refinements/experiments/ListNode.chalice
+++ /dev/null
@@ -1,163 +0,0 @@
-/**
-Interesting issues:
- * recursive functions should either use read accesses or provide frame conditions of operating on the same state
- * carrying super-abstract state might be beneficial for the proof in the concrete program
- * proofs of function refinement might be needed as lemmas in places where they are used
-*/
-
-class List0 {
- var rep: seq<int>;
-
- method init()
- requires acc(this.*);
- ensures acc(rep);
- {
- rep := [0];
- }
-
- function length(): int
- requires acc(rep);
- {
- |rep|
- }
-
- method get(i: int) returns (v: int)
- requires acc(rep);
- requires 0 <= i && i < length();
- ensures acc(rep);
- {
- v := rep[i];
- }
-
- method pick() returns (v: int)
- requires acc(rep);
- ensures acc(rep);
- {
- var i: int;
- assume 0 <= i && i < length();
- v := rep[i];
- }
-}
-
-class Node1 {
- var data;
-}
-
-class List1 {
- ghost var rep: seq<int>;
- var l: seq<Node1>;
-
- function inv(): bool
- requires acc(rep) && acc(l) && acc(l[*].data);
- {
- /** valid */ (forall i in [0..|l|] :: l[i] != null) &&
- /** coupling */ |l| == |rep| && (forall i in [0..|l|] :: l[i].data == rep[i])
- }
-
- method init()
- requires acc(this.*);
- ensures acc(rep) && acc(l) && acc(l[*].data) && inv();
- {
- rep := nil<int>;
- l := nil<Node1>;
- }
-
- function length(): int
- requires acc(rep) && acc(l) && acc(l[*].data) && inv();
- {
- |l|
- }
-
- method checkLength()
- requires acc(rep) && acc(l) && acc(l[*].data) && inv();
- {
- assert length() == |rep|;
- }
-
- method get(i: int) returns (v: int)
- requires acc(rep) && acc(l) && acc(l[*].data) && inv();
- requires 0 <= i && i < length();
- ensures acc(rep) && acc(l) && acc(l[*].data) && inv();
- {
- v := l[i].data;
- assert v == rep[i];
- }
-}
-
-class Node2 {
- var data;
- var next: Node2;
-}
-
-class List2 {
- ghost var rep: seq<int>;
- ghost var l: seq<Node2>;
-
- var head: Node2;
- var size: int;
-
- function inv(): bool
- requires acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size)
- {
- /** valid */ (forall i in [0..|l|] :: l[i] != null) &&
- /** coupling */ |l| == |rep| && (forall i in [0..|l|] :: l[i].data == rep[i]) &&
- /** new coupling */ size == |l| &&
- (head == null ==> |l| == 0) &&
- (head != null ==> |l| > 0 && head == l[0] && l[|l|-1].next == null) &&
- (forall i in [0..|l|-1] :: l[i].next == l[i+1])
- }
-
- method init()
- requires acc(this.*);
- ensures acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- {
- rep := nil<int>;
- l := nil<Node2>;
- head := null;
- size := 0;
- }
-
- function length(): int
- requires acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- {
- size
- }
-
- method checkLength()
- requires acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- {
- assert length() == |l|;
- }
-
- method get(i: int) returns (v: int)
- requires acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- requires 0 <= i && i < length();
- ensures acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- {
- call v := getrec(i, head, 0);
- assert v == l[i].data;
- }
-
- method getrec(i: int, n: Node2, /* ghost */ j: int) returns (v: int)
- requires acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- requires length() == |l|;
- requires 0 <= i && i < length();
- requires 0 <= j && j <= i;
- requires l[j] == n;
- ensures acc(rep) && acc(l) && acc(l[*].data) && acc(l[*].next) && acc(head) && acc(size) && inv();
- // frame
- ensures l == old(l);
- ensures forall x in l :: x != null && x.data == old(x.data) && x.next == old(x.next);
- ensures size == old(size);
- ensures head == old(head);
- ensures rep == old(rep);
- ensures v == l[i].data;
- ensures l == old(l);
- {
- if (i == j) {
- v := n.data;
- } else {
- call v := getrec(i, n.next, j+1);
- }
- }
-}
diff --git a/Chalice/tests/refinements/experiments/ListPredicate.chalice b/Chalice/tests/refinements/experiments/ListPredicate.chalice
deleted file mode 100644
index af334093..00000000
--- a/Chalice/tests/refinements/experiments/ListPredicate.chalice
+++ /dev/null
@@ -1,109 +0,0 @@
-/* Recursive implementation and specification of a linked list. */
-
-class Node {
- var next: Node;
- var value: int;
-
- method init(v: int)
- requires acc(next) && acc(value);
- ensures valid && size() == 1;
- {
- next := null;
- value := v;
- fold this.valid;
- }
-
- method append(x: int)
- requires valid;
- ensures valid;
- ensures size() == old(size())+1;
- {
- unfold this.valid;
- if(next==null) {
- var n : Node;
- n := new Node;
- call n.init(x);
- next := n;
- } else {
- call next.append(x);
- }
- fold this.valid;
- }
-
- method prepend(x: int) returns (rt: Node)
- requires valid;
- ensures rt!=null && rt.valid;
- ensures rt.size() == old(size()) + 1;
- {
- var n: Node;
- n := new Node;
- n.value := x;
- n.next := this;
- fold n.valid;
- rt := n;
- }
-
- function at(i: int): int
- requires valid && 0<=i && i<size();
- {
- unfolding valid in i==0 ? value : next.at(i-1)
- }
-
- function size(): int
- requires valid;
- {
- unfolding this.valid in (next!=null ? 1 + next.size() : 1)
- }
-
- predicate valid {
- acc(next) && acc(value) &&
- (next!=null ==> next.valid)
- }
-}
-
-// abstract sequence of integers
-class LinkedList {
- ghost var rep: seq<int>;
-
- var first: Node;
-
- method init()
- requires acc(this.*);
- ensures valid;
- {
- first := null;
- assert coupling(rep, first);
- fold valid;
- }
-
- method append(x: int)
- requires valid;
- ensures valid;
- {
- unfold valid;
- rep := rep ++ [x];
- fold valid;
- }
-
- method prepend(x: int)
- requires valid;
- ensures valid;
- {
- unfold valid;
- rep := [x] ++ rep;
- fold valid;
- }
-
- predicate valid {
- acc(rep) && acc(first) && (first != null ==> first.valid)
- }
-
- function coupling(a: seq<int>, c: Node) : bool
- requires c != null ==> c.valid;
- {
- c == null ? a == nil<int> :
- (|a| > 0 && a[0] == c.value && coupling(a[1..], c.next))
- }
-
-
-}
diff --git a/Chalice/tests/refinements/experiments/StringBuilder.chalice b/Chalice/tests/refinements/experiments/StringBuilder.chalice
deleted file mode 100644
index d73f8373..00000000
--- a/Chalice/tests/refinements/experiments/StringBuilder.chalice
+++ /dev/null
@@ -1,67 +0,0 @@
-class Char {}
-class StringBuilder0 {
- var rep: seq<Char>;
- method Init()
- requires acc(rep);
- ensures acc(rep);
- { rep := nil<Char>; }
- function ToString(): seq<Char>
- requires rd(rep);
- { rep }
- method Append(chars: seq<Char>)
- requires acc(rep);
- ensures acc(rep);
- ensures ToString() == old(ToString()) ++ chars;
- { rep := rep ++ chars; }
-}
-
-class Chunk0 {
- var rep: seq<Char>;
- ghost var start;
-}
-
-
-class StringBuilder1 refines StringBuilder0 {
- var chunks: seq<Chunk0>;
-
- replaces rep by acc(chunks) && acc(chunks[*].rep) && acc(chunks[*].start) &&
- /** representation invariant */ null !in chunks && |chunks| > 0 &&
- chunks[0].start == 0 &&
- (forall i in [0..|chunks|-1] :: chunks[i+1].start == chunks[i].start + |chunks[i].rep|) &&
- /** coupling invariant */ (forall c in chunks :: c.rep == rep[c.start..c.start + |c.rep|])
-
- refines Init()
- {
- var c := new Chunk0;
- c.rep := nil<Char>;
- c.start := 0;
- chunks := [c];
- rep := nil<Char>;
- }
-
-
- refines Append(chars: seq<Char>)
- {
- rep := rep ++ chars;
- var i; assume 0 <= i && i < |chars|;
- if (i > 0) {
- call AppendChunk(chunks[|chunks|-1], chars[..i]);
- }
- if (i < |chars| - 1) {
- call ExpandByABlock();
- call AppendChunk(chunks[|chunks|-1], chars[i..]);
- }
- }
-
- method AppendChunk(ch: Chunk0, chars: seq<Char>)
- {
- ch.rep := ch.rep ++ chars;
- }
-
- method ExpandByABlock()
- {
- var c := new Chunk0;
- c.rep := nil<Char>;
- chunks := chunks ++ [c];
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/refinements/test.bat b/Chalice/tests/refinements/test.bat
deleted file mode 100644
index 986647d6..00000000
--- a/Chalice/tests/refinements/test.bat
+++ /dev/null
@@ -1,47 +0,0 @@
-@echo off
-
-REM Regression tests for the refinement extension to Chalice
-REM Author: Kuat Yessenov
-
-setlocal EnableDelayedExpansion
-
-set chalice="%~dp0\..\..\chalice.bat"
-set output=Output
-set answer=Answer
-set parameters="-noTermination"
-set tests=LoopSqRoot,RecSqRoot,SpecStmt,SumCubes,TestTransform,TestRefines,RecFiniteDiff,LoopFiniteDiff,Pick,TestCoupling,Calculator,AngelicExec,RefinesLoop
-
-REM Remove stale output file
-if exist %output% del %output%
-
-echo -------------------------------------
-echo Refinement extension regression tests
-echo -------------------------------------
-
-REM Process each test
-for %%f in (%tests%) do (
- echo Processing %%f.chalice >> %output%
- echo Processing %%f
-
- if exist out.bpl del out.bpl
- call %chalice% "%%f.chalice" "%parameters%" >> %output% 2>&1
-)
-
-echo -------------------------------------
-
-REM Compare with the reference
-
-fc %answer% %output% > nul
-if not errorlevel 1 goto passTest
-goto failTest
-
-:passTest
-echo Passed
-if exist %output% del %output%
-if exist out.bpl del out.bpl
-exit /b 0
-
-:failTest
-echo Failed (see Output)
-exit /b 1
-
diff --git a/Chalice/tests/regressions/generate_reference.bat b/Chalice/tests/regressions/generate_reference.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/regressions/generate_reference.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/regressions/generate_reference_all.bat b/Chalice/tests/regressions/generate_reference_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/regressions/generate_reference_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/regressions/internal-bug-1.chalice b/Chalice/tests/regressions/internal-bug-1.chalice
deleted file mode 100644
index 10caeebb..00000000
--- a/Chalice/tests/regressions/internal-bug-1.chalice
+++ /dev/null
@@ -1,16 +0,0 @@
-class Test {
- var next: Test;
- var elem: int;
-
- predicate valid {
- acc(elem) && acc(next) &&
- (next != null ==> next.valid)
- }
-
- function get(index:int):int
- requires valid
- // on 2012-02-21, a bug was reported that caused Chalice to crash with an
- // InternalError for the following precondition.
- requires unfolding valid in true
- {0}
-}
diff --git a/Chalice/tests/regressions/internal-bug-1.output.txt b/Chalice/tests/regressions/internal-bug-1.output.txt
deleted file mode 100644
index 7685b77a..00000000
--- a/Chalice/tests/regressions/internal-bug-1.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of internal-bug-1.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/internal-bug-2.chalice b/Chalice/tests/regressions/internal-bug-2.chalice
deleted file mode 100644
index ac6b5a09..00000000
--- a/Chalice/tests/regressions/internal-bug-2.chalice
+++ /dev/null
@@ -1,13 +0,0 @@
-class Lala {
- var x;
-
- predicate inv { acc(x) }
-
- method koko()
- requires inv
- {
- x := x + 1;
- assert (unfolding inv in x) == old(unfolding inv in x)
- }
-}
-
diff --git a/Chalice/tests/regressions/internal-bug-2.output.txt b/Chalice/tests/regressions/internal-bug-2.output.txt
deleted file mode 100644
index 8724af64..00000000
--- a/Chalice/tests/regressions/internal-bug-2.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of internal-bug-2.chalice using parameters=""
-
 9.9: Location might not be writable
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 6.5: The end of method koko is unreachable.
-
-Boogie program verifier finished with 1 errors and 1 smoke test warnings
diff --git a/Chalice/tests/regressions/internal-bug-3.chalice b/Chalice/tests/regressions/internal-bug-3.chalice
deleted file mode 100644
index 17b6dd25..00000000
--- a/Chalice/tests/regressions/internal-bug-3.chalice
+++ /dev/null
@@ -1,8 +0,0 @@
-class C
-{
- var f: int
- method M ()
- requires acc(f, 100-rd(non_existing_field))
- {
- }
-}
diff --git a/Chalice/tests/regressions/internal-bug-3.output.txt b/Chalice/tests/regressions/internal-bug-3.output.txt
deleted file mode 100644
index 5f5ebd08..00000000
--- a/Chalice/tests/regressions/internal-bug-3.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of internal-bug-3.chalice using parameters=""
-
-The program did not typecheck.
-5.28: undeclared member non_existing_field in class C
diff --git a/Chalice/tests/regressions/internal-bug-4.chalice b/Chalice/tests/regressions/internal-bug-4.chalice
deleted file mode 100644
index af850d49..00000000
--- a/Chalice/tests/regressions/internal-bug-4.chalice
+++ /dev/null
@@ -1,17 +0,0 @@
-class C
-{
- var f: int;
- predicate valid { acc(f) }
-
- function foo1(): int
- ensures valid;
- { 1 }
-
- function foo2(): int
- ensures acc(f);
- { 1 }
-
- function foo3(): int
- ensures rd(f);
- { 1 }
-}
diff --git a/Chalice/tests/regressions/internal-bug-4.output.txt b/Chalice/tests/regressions/internal-bug-4.output.txt
deleted file mode 100644
index a985df28..00000000
--- a/Chalice/tests/regressions/internal-bug-4.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of internal-bug-4.chalice using parameters=""
-
-The program did not typecheck.
-7.3: the postcondition of functions cannot contain accessibility predicates (permissions are returned automatically)
-11.3: the postcondition of functions cannot contain accessibility predicates (permissions are returned automatically)
-15.3: the postcondition of functions cannot contain accessibility predicates (permissions are returned automatically)
diff --git a/Chalice/tests/regressions/internal-bug-5.chalice b/Chalice/tests/regressions/internal-bug-5.chalice
deleted file mode 100644
index 35dfcb88..00000000
--- a/Chalice/tests/regressions/internal-bug-5.chalice
+++ /dev/null
@@ -1,38 +0,0 @@
-class Cell {
- var x: int;
- var b: bool;
-
- predicate valid {
- acc(this.b) && (this.b ==> acc(this.x,50))
- }
-
- method m()
- requires this.valid && (unfolding valid in this.b) && acc(this.mu) && waitlevel << mu
- {
- acquire this;
-
- var c := (unfolding valid in this.x);
- release this;
- acquire this;
- assert c == this.x;
- call n();
- c := (unfolding valid in this.x);
- release this;
- acquire this;
- // ERROR: this is not supposed to verify (it did in previous versions of Chalice)
- assert c == this.x;
- release this;
- }
-
- method n()
- requires this.valid
- ensures this.valid
- {
- unfold this.valid;
- this.b := false;
- fold this.valid;
- }
-
- invariant acc(this.x,50)
-}
-
diff --git a/Chalice/tests/regressions/internal-bug-5.output.txt b/Chalice/tests/regressions/internal-bug-5.output.txt
deleted file mode 100644
index 3b6cc316..00000000
--- a/Chalice/tests/regressions/internal-bug-5.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of internal-bug-5.chalice using parameters=""
-
 23.5: Assertion might not hold. The expression at 23.12 might not evaluate to true.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/internal-bug-6.chalice b/Chalice/tests/regressions/internal-bug-6.chalice
deleted file mode 100644
index b02c1a65..00000000
--- a/Chalice/tests/regressions/internal-bug-6.chalice
+++ /dev/null
@@ -1,10 +0,0 @@
-class Cell {
-
- function foo(): Cell
- { this }
-
- method m(b: bool)
- {
- var c: Cell := b ? null : foo()
- }
-}
diff --git a/Chalice/tests/regressions/internal-bug-6.output.txt b/Chalice/tests/regressions/internal-bug-6.output.txt
deleted file mode 100644
index 5b7560cd..00000000
--- a/Chalice/tests/regressions/internal-bug-6.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of internal-bug-6.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/internal-bug-7.chalice b/Chalice/tests/regressions/internal-bug-7.chalice
deleted file mode 100644
index 9f7d474d..00000000
--- a/Chalice/tests/regressions/internal-bug-7.chalice
+++ /dev/null
@@ -1,26 +0,0 @@
-class Node {
- var n: Node
-
- predicate P { acc(n) && (n != null ==> acc(n.P)) }
-
- function length(): int
- requires rd(P)
- ensures result >= 1
- { unfolding rd(P) in 1 + (n == null ? 0 : n.length()) }
-
-}
-
-class Test {
- method test(node: Node)
- requires node != null
- requires acc(node.P)
- {
- assert node.length() >= 1
- assert (unfolding rd(node.P) in node.n == null) ==> (node.length() == 1) /* Holds in Chalice and Syxc */
- //assert (unfolding rd(node.P) in node.n != null) ==> (unfolding rd(node.P) in node.n.length() >= 1) /* Holds in Chalice and Syxc */
- assert (unfolding rd(node.P) in node.n != null) ==> (node.length() > 1) /* Holds in Chalice and Syxc */
- assert (node.length() == 1) ==> (unfolding rd(node.P) in node.n == null) /* Fails in Chalice and Syxc */
- assert (node.length() == 1) <==> (unfolding rd(node.P) in node.n == null)
- // assert n.length() > 1 <==> unfolding rd(n.P) in n.n != null /* Fails in Chalice and Syxc */
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/internal-bug-7.output.txt b/Chalice/tests/regressions/internal-bug-7.output.txt
deleted file mode 100644
index 78ae95fd..00000000
--- a/Chalice/tests/regressions/internal-bug-7.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of internal-bug-7.chalice using parameters=""
-
- -Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/reg_test.bat b/Chalice/tests/regressions/reg_test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/regressions/reg_test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/regressions/reg_test_all.bat b/Chalice/tests/regressions/reg_test_all.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/regressions/reg_test_all.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/regressions/test.bat b/Chalice/tests/regressions/test.bat
deleted file mode 100644
index c9b04fcd..00000000
--- a/Chalice/tests/regressions/test.bat
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-call "..\test-scripts\%~nx0" %*
diff --git a/Chalice/tests/regressions/workitem-10147.chalice b/Chalice/tests/regressions/workitem-10147.chalice
deleted file mode 100644
index eb6f31c7..00000000
--- a/Chalice/tests/regressions/workitem-10147.chalice
+++ /dev/null
@@ -1,22 +0,0 @@
-class Cell {
-
- var x: int;
-
- // the declaration of a method with the same name for a parameter
- // as well as a result alone does not yet cause a problem, but ...
- method problematic_method(c: Cell) returns (c: Cell)
- requires acc(c.x);
- {
- }
-
- // ... calling it leads to various 'undeclared identifier' errors
- // in boogie. (previously. now fixed by not allowing c as both in and out parameter)
- method error()
- {
- var a: Cell := new Cell;
- var b: Cell;
-
- call b := problematic_method(a);
- }
-
-}
diff --git a/Chalice/tests/regressions/workitem-10147.output.txt b/Chalice/tests/regressions/workitem-10147.output.txt
deleted file mode 100644
index 63bb3c9c..00000000
--- a/Chalice/tests/regressions/workitem-10147.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10147.chalice using parameters=""
-
-The program did not typecheck.
-7.3: duplicate parameter c of method problematic_method in class Cell
diff --git a/Chalice/tests/regressions/workitem-10189.chalice b/Chalice/tests/regressions/workitem-10189.chalice
deleted file mode 100644
index b37b83f2..00000000
--- a/Chalice/tests/regressions/workitem-10189.chalice
+++ /dev/null
@@ -1,23 +0,0 @@
-class Node {
- var v: int
- var next: Node
-
- predicate V {
- acc(v)
- && acc(next)
- && (next != null ==> next.V)
- }
-
- unlimited function length(): int
- requires rd(V)
- { 1 + unfolding rd(V) in next == null ? 0 : next.length() }
-
- unlimited function at(i: int): int
- requires rd(V)
- requires i >= 0
- requires i < length() // XXXX
- {
- unfolding rd(V) in i == 0 ? v : next.at(i - 1)
- // Precondition at XXX might not hold
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10189.output.txt b/Chalice/tests/regressions/workitem-10189.output.txt
deleted file mode 100644
index 96f05468..00000000
--- a/Chalice/tests/regressions/workitem-10189.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10189.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10190.chalice b/Chalice/tests/regressions/workitem-10190.chalice
deleted file mode 100644
index ad84553a..00000000
--- a/Chalice/tests/regressions/workitem-10190.chalice
+++ /dev/null
@@ -1,6 +0,0 @@
-// previously resulted in a StackOverFlowError of the Chalice parser
-class Node {
-/*
-Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua.
-*/
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10190.output.txt b/Chalice/tests/regressions/workitem-10190.output.txt
deleted file mode 100644
index e314cbd3..00000000
--- a/Chalice/tests/regressions/workitem-10190.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of workitem-10190.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 verified, 1 error
-
diff --git a/Chalice/tests/regressions/workitem-10192.chalice b/Chalice/tests/regressions/workitem-10192.chalice
deleted file mode 100644
index 06ff5881..00000000
--- a/Chalice/tests/regressions/workitem-10192.chalice
+++ /dev/null
@@ -1,19 +0,0 @@
-class Sequences {
- var xs: seq<int>
-
- method append(a: int)
- requires acc(xs)
- ensures acc(xs)
- ensures size() == old(size()) + 1 /* verifies */
- ensures |xs| == old(|xs|) + 1 /* previously failed */
- { xs := xs ++ [a] }
-
- /* this heap-independent version also verifies. */
- method append0(ins: seq<int>, a: int) returns (outs: seq<int>)
- ensures |outs| == |ins| + 1
- { outs := ins ++ [a] }
-
- function size(): int
- requires rd(xs)
- { |xs| }
-}
diff --git a/Chalice/tests/regressions/workitem-10192.output.txt b/Chalice/tests/regressions/workitem-10192.output.txt
deleted file mode 100644
index f2a5b539..00000000
--- a/Chalice/tests/regressions/workitem-10192.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10192.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10194.chalice b/Chalice/tests/regressions/workitem-10194.chalice
deleted file mode 100644
index 5828b0bf..00000000
--- a/Chalice/tests/regressions/workitem-10194.chalice
+++ /dev/null
@@ -1,37 +0,0 @@
-class Test {
- var x: int
- var tk: token<Test.incX>
-
- predicate V { acc(x) }
-
- method incX()
- requires V
- ensures V
- {
- unfold V
- x := x + 1
- fold V
- }
-
- method joinTk()
- requires acc(tk) && tk != null && acc(tk.joinable) && tk.joinable
- requires eval(tk.fork this.incX(), true)
- ensures V
- ensures unfolding V in x == old(x) // ERROR: old(x) is not readable (no error here, previously)
- {
- join tk
- assert V
- }
-
- method test()
- requires acc(x) && x == 0
- requires acc(tk)
- {
- fold V
- fork tklocal := incX()
- tk := tklocal
- call joinTk()
- unfold V
- assert x == old(x) // this verified previously (without any errors anywhere in the file)
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10194.output.txt b/Chalice/tests/regressions/workitem-10194.output.txt
deleted file mode 100644
index 23114b0a..00000000
--- a/Chalice/tests/regressions/workitem-10194.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of workitem-10194.chalice using parameters=""
-
- 20.35: Location might not be readable.
- 35.3: Assertion might not hold. The expression at 35.10 might not evaluate to true.
-
-Boogie program verifier finished with 2 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10195.chalice b/Chalice/tests/regressions/workitem-10195.chalice
deleted file mode 100644
index 99ea69f8..00000000
--- a/Chalice/tests/regressions/workitem-10195.chalice
+++ /dev/null
@@ -1,38 +0,0 @@
-class Test {
- method fails()
- {
- assert forall j in [10..5] :: true // ERROR: min > max
- assert false // failed previously, now we get a smoke warning
- }
-
- method succeeds1()
- {
- assert forall j in [10..5] :: f(j) == 0 // ERROR: min > max
- assert false // failed previously, now we get a smoke warning
- }
-
- method fails1()
- {
- assert forall j in [5..10] :: f(j) == 0
- }
-
- method succeeds2(a: int, b: int)
- requires 0 <= a && 0 <= b
- requires f(a) < f(b)
- {
- assert forall j in [f(b)..f(a)] :: f(j) == 0 // ERROR: min > max
- assert false // holds
- }
-
- method fails2(a: int, b: int)
- requires 0 <= a && 0 <= b
- requires 0 < f(a)
- requires f(a) < f(b)
- {
- assert forall j in [f(a)..f(b)] :: f(j) == 0
- }
-
- function f(i: int): int
- requires 0 <= i
- { 0 }
- }
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10195.output.txt b/Chalice/tests/regressions/workitem-10195.output.txt
deleted file mode 100644
index 6e8b3556..00000000
--- a/Chalice/tests/regressions/workitem-10195.output.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-Verification of workitem-10195.chalice using parameters=""
-
- 4.14: Range minimum might not be smaller or equal to range maximum.
- 10.14: Range minimum might not be smaller or equal to range maximum.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 2.5: The end of method fails is unreachable.
- 8.5: The end of method succeeds1 is unreachable.
- 19.9: Precondition of method succeeds2 is equivalent to false.
- 27.9: Precondition of method fails2 is equivalent to false.
-
-Boogie program verifier finished with 2 errors and 4 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10196.chalice b/Chalice/tests/regressions/workitem-10196.chalice
deleted file mode 100644
index 9257e5c2..00000000
--- a/Chalice/tests/regressions/workitem-10196.chalice
+++ /dev/null
@@ -1,11 +0,0 @@
-class C {
- method singleWarning()
- { assert forall i in [] :: true } // previously, quantification over the empty list resulted in Boogie errors
-
- method multipleWarnings()
- { assert forall i in [] :: reqIGt0(i) == i } // previously, quantification over the empty list resulted in Boogie errors
-
- function reqIGt0(i: int): int
- requires i >= 0
- { i }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10196.output.txt b/Chalice/tests/regressions/workitem-10196.output.txt
deleted file mode 100644
index 26199999..00000000
--- a/Chalice/tests/regressions/workitem-10196.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10196.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10197.chalice b/Chalice/tests/regressions/workitem-10197.chalice
deleted file mode 100644
index 7212581c..00000000
--- a/Chalice/tests/regressions/workitem-10197.chalice
+++ /dev/null
@@ -1,7 +0,0 @@
-class Cell { var x: int }
-
-class Test {
- method noop()
- ensures old(waitlevel) == waitlevel // previously resulted in Boogie errors
- {}
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10197.output.txt b/Chalice/tests/regressions/workitem-10197.output.txt
deleted file mode 100644
index c83bbfe0..00000000
--- a/Chalice/tests/regressions/workitem-10197.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10197.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10198.chalice b/Chalice/tests/regressions/workitem-10198.chalice
deleted file mode 100644
index fd51977d..00000000
--- a/Chalice/tests/regressions/workitem-10198.chalice
+++ /dev/null
@@ -1,17 +0,0 @@
-class Cell { var x: int }
-
-class Test {
- method get() returns (c: Cell)
- ensures c != null
- lockchange c /* previosly, this introduced errors */
- {
- c := new Cell
- }
-
- /* method was needed to get Boogie errors */
- method testRd() // expected ERROR: method might lock/unlock more than allowed
- {
- var x: Cell
- call x := get()
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10198.output.txt b/Chalice/tests/regressions/workitem-10198.output.txt
deleted file mode 100644
index c3b59307..00000000
--- a/Chalice/tests/regressions/workitem-10198.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of workitem-10198.chalice using parameters=""
-
- 12.2: Method might lock/unlock more than allowed.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10199.chalice b/Chalice/tests/regressions/workitem-10199.chalice
deleted file mode 100644
index 678ed078..00000000
--- a/Chalice/tests/regressions/workitem-10199.chalice
+++ /dev/null
@@ -1,21 +0,0 @@
-class Test {
- var z: int
-
- predicate Z { acc(z) }
- predicate ZZ { Z } // XXX
-
- method useZZ()
- requires ZZ
- {
- // (ZZ,100)
- unfold acc(ZZ, 40)
- // (ZZ, 60), (Z, 40)
- unfold acc(Z, 20)
- // (ZZ, 60), (Z, 20), (z, 20)
- fold acc(Z, 10)
- // (ZZ, 60), (Z, 30), (z, 10)
- fold acc(ZZ, 30)
- // previoulsy: Fold might fail because the definition of Test.ZZ does not hold. Insufficient fraction at XXX for Test.Z.
- // Should be (ZZ, 90), (z, 10)
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10199.output.txt b/Chalice/tests/regressions/workitem-10199.output.txt
deleted file mode 100644
index 660fd6ae..00000000
--- a/Chalice/tests/regressions/workitem-10199.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10199.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10200.chalice b/Chalice/tests/regressions/workitem-10200.chalice
deleted file mode 100644
index a7394793..00000000
--- a/Chalice/tests/regressions/workitem-10200.chalice
+++ /dev/null
@@ -1,25 +0,0 @@
-class Test {
- var f: int;
-
- function fib(n: int): int
- requires n >= 0
- {
- n < 2 ? n : fib(n - 1) + fib(n - 2) // incompletness: termination not atomatically proven
- }
-
- method fibSeq(n: int) returns (r: int)
- requires n >= 0
- requires acc(this.f)
- ensures acc(this.f)
- ensures r == fib(n) // previous error: the postcondition might not hold
- {
- if (n < 2) {
- r := n
- } else {
- var f1: int; var f2: int
- call f1 := fibSeq(n - 1)
- call f2 := fibSeq(n - 2)
- r := f1 + f2
- }
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10200.output.txt b/Chalice/tests/regressions/workitem-10200.output.txt
deleted file mode 100644
index 90d5b467..00000000
--- a/Chalice/tests/regressions/workitem-10200.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of workitem-10200.chalice using parameters=""
-
- 7.15: The heap of the callee might not be strictly smaller than the heap of the caller.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10208.chalice b/Chalice/tests/regressions/workitem-10208.chalice
deleted file mode 100644
index ae1a7d89..00000000
--- a/Chalice/tests/regressions/workitem-10208.chalice
+++ /dev/null
@@ -1,41 +0,0 @@
-class Test {
- var f1: int;
- var f2: int;
-
- predicate valid {
- acc(f1) && acc(f2) && f1 == f2
- }
-
- method test()
- requires valid
- {
- unfold valid
- f1 := 2
- f2 := 2
- fold valid
-
- /* --- not strictly necessary */
- unfold valid
- assert f1 == 2
- fold valid
- /* --- */
-
- call test2()
-
- unfold valid
- assert f1 == 2 // BUG: this should not verify (1)
- assert false // BUG: this should not verify (2)
- }
-
- method test2()
- requires valid
- ensures valid
- ensures unfolding valid in f1 == 1 // line (1) above verifies also without this postcondition
- {
- unfold valid
- f1 := 1
- f2 := 1
- fold valid
- }
-
-}
diff --git a/Chalice/tests/regressions/workitem-10208.output.txt b/Chalice/tests/regressions/workitem-10208.output.txt
deleted file mode 100644
index 0666393a..00000000
--- a/Chalice/tests/regressions/workitem-10208.output.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-Verification of workitem-10208.chalice using parameters=""
-
- 26.5: Assertion might not hold. The expression at 26.12 might not evaluate to true.
-
-The program did not fully verify; the smoke warnings might be misleading if contradictions are introduced by failing proof attempts of the verification.
- 9.3: The end of method test is unreachable.
-
-Boogie program verifier finished with 1 errors and 1 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10221.chalice b/Chalice/tests/regressions/workitem-10221.chalice
deleted file mode 100644
index 2a8ae723..00000000
--- a/Chalice/tests/regressions/workitem-10221.chalice
+++ /dev/null
@@ -1,158 +0,0 @@
-// In this example, additional unfold/fold pairs make the verification of the last three methods fail.
-
-class Node {
- var next : Node;
- var val : int;
-
- predicate list {
- acc(next) && acc(val) && (next!=null ==> next.list)
- }
-
- function vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : [val] ++ next.vals())
- }
-
- function reverse_vals() : seq<int>
- requires list
- {
- unfolding list in (next == null ? [val] : next.reverse_vals() ++ [val])
- }
-
- method reverse_in_place() returns (r:Node)
- requires list;
- ensures true;
- {
- var l : Node := this;
- r := null;
-
- var rev : seq<int> := this.reverse_vals();
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant rev == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
-// if (r != null) {
-// unfold r.list; fold r.list;
-// }
- unfold l.list;
-// if (l.next != null) {
-// unfold l.next.list; fold l.next.list;
-// }
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- assert r.vals() == rev; // should be the post-condition
- }
-
-
- method reverse_in_place_01() returns (r:Node)
- requires list;
- ensures true;
- {
- var l : Node := this;
- r := null;
-
- var rev : seq<int> := this.reverse_vals();
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant rev == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
-// if (r != null) {
-// unfold r.list; fold r.list;
-// }
- unfold l.list;
- if (l.next != null) {
- unfold l.next.list; fold l.next.list;
- }
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- assert r.vals() == rev; // should be the post-condition
- }
-
-
-
- method reverse_in_place_10() returns (r:Node)
- requires list;
- ensures true;
- {
- var l : Node := this;
- r := null;
-
- var rev : seq<int> := this.reverse_vals();
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant rev == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
- if (r != null) {
- unfold r.list; fold r.list;
- }
- unfold l.list;
-// if (l.next != null) {
-// unfold l.next.list; fold l.next.list;
-// }
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- assert r.vals() == rev; // should be the post-condition
- }
-
-
-
-
- method reverse_in_place_11() returns (r:Node)
- requires list;
- ensures true;
- {
- var l : Node := this;
- r := null;
-
- var rev : seq<int> := this.reverse_vals();
-
- while (l != null)
- invariant l!=null ==> l.list;
- invariant r!=null ==> r.list;
- invariant rev == (l==null ? nil<int> : l.reverse_vals()) ++ (r==null ? nil<int> : r.vals());
- {
- var y: Node;
- if (r != null) {
- unfold r.list; fold r.list;
- }
- unfold l.list;
- if (l.next != null) {
- unfold l.next.list; fold l.next.list;
- }
-
- y := l.next;
- l.next := r;
- r := l;
- fold r.list;
- l := y;
- }
- assert r.vals() == rev; // should be the post-condition
- }
-
-
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-10221.output.txt b/Chalice/tests/regressions/workitem-10221.output.txt
deleted file mode 100644
index e209c3c1..00000000
--- a/Chalice/tests/regressions/workitem-10221.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10221.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-10222.chalice b/Chalice/tests/regressions/workitem-10222.chalice
deleted file mode 100644
index a01253c9..00000000
--- a/Chalice/tests/regressions/workitem-10222.chalice
+++ /dev/null
@@ -1,8 +0,0 @@
-class Test {
- var t: Test;
-
- // previously, mentioning "waitlevel" in a predicate did not cause an error
- predicate inv {
- acc(t) && acc(t.mu) && t.mu << waitlevel
- }
-}
diff --git a/Chalice/tests/regressions/workitem-10222.output.txt b/Chalice/tests/regressions/workitem-10222.output.txt
deleted file mode 100644
index eac18363..00000000
--- a/Chalice/tests/regressions/workitem-10222.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10222.chalice using parameters=""
-
-The program did not typecheck.
-6.9: predicate body is not allowed to mention 'waitlevel'
diff --git a/Chalice/tests/regressions/workitem-10223.chalice b/Chalice/tests/regressions/workitem-10223.chalice
deleted file mode 100644
index eb4bd00b..00000000
--- a/Chalice/tests/regressions/workitem-10223.chalice
+++ /dev/null
@@ -1,8 +0,0 @@
-class Lala {
- var next: Lala;
- var x: int;
- predicate inv {
- acc(next) && acc(x) &&
- (next != null ==> (next.inv && unfolding next.inv in this.x > next.x))
- }
-}
diff --git a/Chalice/tests/regressions/workitem-10223.output.txt b/Chalice/tests/regressions/workitem-10223.output.txt
deleted file mode 100644
index b65fbc0c..00000000
--- a/Chalice/tests/regressions/workitem-10223.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-10223.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-8234.chalice b/Chalice/tests/regressions/workitem-8234.chalice
deleted file mode 100644
index 5fbcea02..00000000
--- a/Chalice/tests/regressions/workitem-8234.chalice
+++ /dev/null
@@ -1,26 +0,0 @@
-class Test{
- var tests : seq<Test>;
- var total : int;
-
- invariant acc(tests, 100);
- invariant acc(total, 50);
-
- function at(loc : int) : Test
- requires acc(tests);
- requires loc >= 0 && loc < size();
- {
- tests[loc]
- }
-
-
- function size() : int
- requires acc(tests);
- ensures result >= 0;
- ensures result == |tests|; // previously, there was a nullpointer exception here
- {
- |tests|
- }
-
- predicate pre
- { acc(total, 50) }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-8234.output.txt b/Chalice/tests/regressions/workitem-8234.output.txt
deleted file mode 100644
index 14175fd2..00000000
--- a/Chalice/tests/regressions/workitem-8234.output.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Verification of workitem-8234.chalice using parameters=""
-
-
-Boogie program verifier finished with 0 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-8236.chalice b/Chalice/tests/regressions/workitem-8236.chalice
deleted file mode 100644
index 819bdb74..00000000
--- a/Chalice/tests/regressions/workitem-8236.chalice
+++ /dev/null
@@ -1,16 +0,0 @@
-class Bug{
-
- method Main() // expected ERROR: method might lock/unlock more than allowed
- {
- var a : Bug;
- call a:= m();
- }
-
- method m() returns (a : Bug)
- lockchange a // resulted previously in Boogie errors
- {
- a := new Bug;
- share a;
- acquire a;
- }
-}
\ No newline at end of file
diff --git a/Chalice/tests/regressions/workitem-8236.output.txt b/Chalice/tests/regressions/workitem-8236.output.txt
deleted file mode 100644
index 6f1994d3..00000000
--- a/Chalice/tests/regressions/workitem-8236.output.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-Verification of workitem-8236.chalice using parameters=""
-
- 3.2: Method might lock/unlock more than allowed.
-
-Boogie program verifier finished with 1 errors and 0 smoke test warnings
diff --git a/Chalice/tests/regressions/workitem-9978.chalice b/Chalice/tests/regressions/workitem-9978.chalice
deleted file mode 100644
index 02cd2e66..00000000
--- a/Chalice/tests/regressions/workitem-9978.chalice
+++ /dev/null
@@ -1,9 +0,0 @@
-class C {
- method nullPointerException()
- {
- while (true)
- {
- fork nullPointerException(); // previously, fork without token inside a while loop introduced a nullpointer exception.
- }
- }
-}
diff --git a/Chalice/tests/regressions/workitem-9978.output.txt b/Chalice/tests/regressions/workitem-9978.output.txt
deleted file mode 100644
index e6086625..00000000
--- a/Chalice/tests/regressions/workitem-9978.output.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-Verification of workitem-9978.chalice using parameters=""
-
-
- 4.5: The statements after the while-loop are unreachable.
-
-Boogie program verifier finished with 0 errors and 1 smoke test warnings
diff --git a/Chalice/tests/runalltests.bat b/Chalice/tests/runalltests.bat
deleted file mode 100644
index eb26d4ec..00000000
--- a/Chalice/tests/runalltests.bat
+++ /dev/null
@@ -1,37 +0,0 @@
-@echo off
-
-setlocal EnableDelayedExpansion
-
-:: no-summary command line parameter
-set nosummary=0
-if "%1"=="-no-summary" (
- set nosummary=1
- SHIFT
-)
-
-set t=0
-set c=0
-for %%f in (examples permission-model general-tests regressions predicates) do (
- echo Running tests in %%f ...
- echo ------------------------------------------------------
- cd %%f
- set tt=0
- for %%f in (*.chalice) do set /A tt+=1
- call reg_test_all.bat -no-summary %1 %2 %3 %4 %5
- set /A c=!c!+!errorlevel!
- set /A t=!t!+!tt!
- cd ..
- echo ------------------------------------------------------
-)
-
-REM Run refinement regression tests
-cd refinements
-REM call test.bat
-cd ..
-
-if !nosummary!==0 (
- echo.
- if !c!==0 (echo SUMMARY: completed !t! tests successfully.) else (echo SUMMARY: !c! of !t! tests failed.)
-)
-
-exit /b !c!
diff --git a/Chalice/tests/test-scripts/diff.bat b/Chalice/tests/test-scripts/diff.bat
deleted file mode 100644
index 87fa935f..00000000
--- a/Chalice/tests/test-scripts/diff.bat
+++ /dev/null
@@ -1,21 +0,0 @@
-@echo off
-
-set differ="C:\Program Files\TortoiseSVN\bin\TortoiseMerge.exe"
-if exist %differ% goto :diff
-if not exist %differ% goto :txtdiff
-
-:txtdiff
-echo ====================================
-echo Reference output: %1
-echo ------------------------------------
-type "%1"
-echo ====================================
-echo Currenct output: %2
-echo ------------------------------------
-type "%2"
-echo ====================================
-goto :eof
-
-:diff
-%differ% "%1" "%2"
-goto :eof
diff --git a/Chalice/tests/test-scripts/generate_reference.bat b/Chalice/tests/test-scripts/generate_reference.bat
deleted file mode 100644
index 0c480e5c..00000000
--- a/Chalice/tests/test-scripts/generate_reference.bat
+++ /dev/null
@@ -1,7 +0,0 @@
-@echo off
-set getboogieoutput="%~dp0\getboogieoutput.bat"
-
-echo Generating reference for %1.chalice ...
-call %getboogieoutput% %1 %2 %3 %4 %5 %6 %7
-
-exit /b 0
diff --git a/Chalice/tests/test-scripts/generate_reference_all.bat b/Chalice/tests/test-scripts/generate_reference_all.bat
deleted file mode 100644
index 1e9e7cfb..00000000
--- a/Chalice/tests/test-scripts/generate_reference_all.bat
+++ /dev/null
@@ -1,9 +0,0 @@
-@echo off
-
-set generatereference="%~dp0\generate_reference.bat"
-
-for /F %%f in ('dir *.chalice /b') do (
- call %generatereference% %%~nf %1 %2 %3 %4 %5 %6 %7
-)
-
-exit /b 0
diff --git a/Chalice/tests/test-scripts/getboogieoutput.bat b/Chalice/tests/test-scripts/getboogieoutput.bat
deleted file mode 100644
index 76af1fcf..00000000
--- a/Chalice/tests/test-scripts/getboogieoutput.bat
+++ /dev/null
@@ -1,33 +0,0 @@
-@echo off
-set chalice="%~dp0\..\..\chalice.bat"
-set getparams="%~dp0\getparams.bat"
-
-set output="%1.output.txt"
-
-:: get parameters
-set chaliceparameters=
-setlocal EnableDelayedExpansion
-set done=0
-set key=a
-FOR /F "usebackq tokens=1,2 delims==" %%i in (%1.chalice) do (
-
- if !done!==0 (
- set key=%%i
- set param=%%j
- )
-
- set done=1
-)
-set str=// chalice-parameter
-if "!key!"=="!str!" (
- set chaliceparameters=!param!
-)
-
-echo Verification of %1.chalice using parameters="%chaliceparameters%" > %output%
-echo.>> %output%
-call %chalice% "%1.chalice" -smoke -time:0 %chaliceparameters% %2 %3 %4 %5 %6 %7 >> %output% 2>&1
-
-set o=%~dp1%out.bpl
-if exist "%o%" copy "%o%" "%1.bpl">nul
-if exist "%o%" del "%~dp1%out.bpl"
-goto :eof
diff --git a/Chalice/tests/test-scripts/readme.txt b/Chalice/tests/test-scripts/readme.txt
deleted file mode 100644
index d4f408e8..00000000
--- a/Chalice/tests/test-scripts/readme.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-
-The scripts in this directory are NOT meant for direct execution, but rather
-provide the implementation of the same-named scripts in the actual test folders.
diff --git a/Chalice/tests/test-scripts/reg_test.bat b/Chalice/tests/test-scripts/reg_test.bat
deleted file mode 100644
index 54549afc..00000000
--- a/Chalice/tests/test-scripts/reg_test.bat
+++ /dev/null
@@ -1,75 +0,0 @@
-@echo off
-setlocal
-set chalice="%~dp0\..\..\chalice.bat"
-set diff="%~dp0\diff.bat"
-
-:: no-diff command line parameter
-set nodiff=0
-if "%1"=="-no-diff" (
- set nodiff=1
- SHIFT
-)
-
-if not exist "%1.chalice" goto errorNotFound
-if not exist "%1.output.txt" goto errorNoRef
-
-:: get parameters
-set chaliceparameters=
-setlocal EnableDelayedExpansion
-set done=0
-set key=a
-FOR /F "usebackq tokens=1,2 delims==" %%i in (%1.chalice) do (
-
- if !done!==0 (
- set key=%%i
- set param=%%j
- )
-
- set done=1
-)
-set str=// chalice-parameter
-if "!key!"=="!str!" (
- set chaliceparameters=!param!
-)
-
-set output=output.txt
-echo Verification of %1.chalice using parameters="%chaliceparameters%" > %output%
-echo.>> %output%
-call %chalice% "%1.chalice" -smoke -time:3 %chaliceparameters% %2 %3 %4 %5 %6 %7 1>> %output% 2> time.log
-set /p extime= < time.log
-del time.log
-
-fc "%1.output.txt" output.txt > nul
-if not errorlevel 1 goto passTest
-goto failTest
-
-:passTest
-echo OK: %1.chalice (%extime% seconds)
-goto end
-
-:failTest
-echo FAIL: %1.chalice (%extime% seconds)
-if %nodiff%==0 (
- call %diff% "%1.output.txt" output.txt
-)
-goto errorEnd
-
-:errorEnd
-if exist out.bpl del out.bpl
-if exist output.txt del output.txt
-endlocal
-exit /b 1
-
-:end
-if exist out.bpl del out.bpl
-if exist output.txt del output.txt
-endlocal
-exit /b 0
-
-:errorNotFound
-echo ERROR: %1.chalice not found.
-goto errorEnd
-
-:errorNoRef
-echo ERROR: %1.output.txt (reference output) not found.
-goto errorEnd
diff --git a/Chalice/tests/test-scripts/reg_test_all.bat b/Chalice/tests/test-scripts/reg_test_all.bat
deleted file mode 100644
index 23aca316..00000000
--- a/Chalice/tests/test-scripts/reg_test_all.bat
+++ /dev/null
@@ -1,24 +0,0 @@
-@echo off
-
-setlocal EnableDelayedExpansion
-
-:: no-summary command line parameter
-set nosummary=0
-if "%1"=="-no-summary" (
- set nosummary=1
- SHIFT /1
-)
-
-set regtest="%~dp0\reg_test.bat"
-set t=0
-set c=0
-for /F %%f in ('dir *.chalice /b') do (
- call %regtest% -no-diff %%~nf %1 %2 %3 %4 %5 %6 %7 %8
- set /A c=!c!+!errorlevel!
- set /A t=!t!+1
-)
-if !nosummary!==0 (
- echo.
- if !c!==0 (echo SUMMARY: completed !t! tests successfully.) else (echo SUMMARY: failed !c! of !t! tests.)
-)
-exit /b !c!
diff --git a/Chalice/tests/test-scripts/test.bat b/Chalice/tests/test-scripts/test.bat
deleted file mode 100644
index 8572dc6b..00000000
--- a/Chalice/tests/test-scripts/test.bat
+++ /dev/null
@@ -1,37 +0,0 @@
-@echo off
-
-set chalice="%~dp0\..\..\chalice.bat"
-set getparams="%~dp0\getparams.bat"
-
-if not exist "%1.chalice" goto errorNotFound
-
-:: get parameters
-set chaliceparameters=
-setlocal EnableDelayedExpansion
-set done=0
-set key=a
-FOR /F "usebackq tokens=1,2 delims==" %%i in (%1.chalice) do (
-
- if !done!==0 (
- set key=%%i
- set param=%%j
- )
-
- set done=1
-)
-set str=// chalice-parameter
-if "!key!"=="!str!" (
- set chaliceparameters=!param!
-)
-
-set output=output.txt
-echo Verification of %1.chalice using parameters="%chaliceparameters%" > %output%
-echo.>> %output%
-call %chalice% "%1.chalice" -smoke -time:0 %chaliceparameters% %2 %3 %4 %5 %6 %7 >> %output% 2>&1
-type %output%
-
-exit /B 0
-
-:errorNotFound
-echo ERROR: %1.chalice not found.
-exit /B 1