* Added decreases clauses to functions

* If no decreases clause is given, the decreases clause defaults to the set of objects denoted by the reads clause, which was the previous Dafny behavior

* Made Dafny check loops for termination by default.  Previously, this was done only if the loop had a decreases clause.  To indicate that a loop is to be checked only for partial correctness, Dafny now allows "decreases *".

* Allow "reads *" to say that the function may read anything at all (sound, but not very useful)

* Adjusted frame axioms of functions to speak of allocated objects more liberally; and also added antecedents about the heaps being well-formed and the parameters being allocated

* Added some previously omitted well-definedness checks.

* Fixed some bugs in the resolver that caused some type errors not to be reported

* Added some messages to go with some (previously rather opaquely reported) errors

* Fixed some test cases that previously had ordered conjuncts incorrectly to prove termination and reads checks (such checks were previously omitted)

* Beefed up Test/dafny0/SchorrWaite.dfy to use datatypes to specify that no garbage gets marked.  The full-functional total-correctness verification of this Schorr-Waite method now takes about 3.2 seconds.

1 files changed, 4 insertions, 2 deletions

diff --git a/Test/dafny0/Datatypes.dfy b/Test/dafny0/Datatypes.dfy
index 61ae9cb6..8492f217 100644
--- a/Test/dafny0/Datatypes.dfy
+++ b/Test/dafny0/Datatypes.dfy
@@ -8,7 +8,8 @@ class Node {
   var next: Node;

 

   function Repr(list: List<int>): bool

-    reads this;

+    reads *;

+    decreases list;

   { match list

     case Nil =>

       next == null

@@ -38,7 +39,8 @@ class AnotherNode {
   var next: AnotherNode;

 

   function Repr(n: AnotherNode, list: List<int>): bool

-    reads n;

+    reads *;

+    decreases list;

   { match list

     case Nil =>

       n == null