summaryrefslogtreecommitdiff
path: root/Test/dafny1
Commit message (Collapse)AuthorAge
* Change behavior of 'decreases *', which can be applied to loops and methods. ↵Gravatar Rustan Leino2014-08-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now, loops that may possibly do an infinite number of iterations (that is, loops marked with 'decreases *') and calls to methods marked with 'decreases *' are allowed only in methods that themselves are marked with 'decreases *'. As before, ghost loops and ghost methods are not allowed to be marked with 'decreases *'. Previously, 'decreases *' was allowed on a method only if the method was tail recursive; this is no longer so. Note, however, that if the method is not tail recursive and engages in infinite recursion, then it will eventually run out of stack space. Previously, a 'decreases *' was not inherited in a refining module; this is no longer so. That is, 'decreases *' is now inherited. To refine a possibly non-terminating method or loop, the refining version simply provides a decreases clause that does not mention '*'. Note that if the refined method is not recursive, it still needs to have _some_ decreases clause in order not to inherit the 'decreases *' from the refined method, but the expression stated in the decreases clause can be arbitrary (for example, one can write 'decreases true' or 'decreases 7' or 'decreases x' for some 'x' in scope). Note, in the new design, a method needs to be declared with 'decreases *' if it may recurse forever _or_ if it contains a possibly infinite loop. Note that the absence of 'decreases *' on a loop does not mean the loop will terminate, but it does mean that the loop will iterate a finite number of times (the subtle distinction here is that a loop without a 'decreases *' is allowed to contain a nested loop that has a 'decreases *' -- provided the enclosing method is also declared with 'decreases *', as previously mentioned).
* Add higher-order-functions and some other goodiesGravatar Dan Rosén2014-08-11
| | | | | | | | | | | | | | | | * The reads clause now needs to be self framing. * The requires clause now needs to be framed by the reads clause. * There are one-shot lambdas, with a single arrow, but they will probably be removed. * There is a {:heapQuantifier} attribute to quantifiers, but they will probably be removed. * Add smart handling of type variables * Add < and > for datatype & type parameter
* MergeGravatar Dan Rosén2014-07-07
|\
* | New logical encoding of types with Is and IsAllocGravatar Dan Rosén2014-07-07
| |
| * MergeGravatar leino2014-07-01
| |\
| | * Removed the old test infrastructure.Gravatar wuestholz2014-07-01
| |/ |/|
| * Clarified a refinement point in a test fileGravatar leino2014-06-16
|/
* Set up the same test infrastructure as in Boogie.Gravatar wuestholz2014-05-29
|
* Minor clean-up in a couple of test files.Gravatar Rustan Leino2014-02-24
|
* Add support for the /verifySeparately flag in Boogie and change most tests ↵Gravatar wuestholz2013-12-18
| | | | to use it.
* Deactivated VC splitting in the tests.Gravatar wuestholz2013-07-05
|
* Changed ranking function for Seq, so that it's compatible with data types.Gravatar Unknown2013-06-26
|
* Made Test/vstte2012/RingBuffer.dfy and Test/dafny1/ExtensibleArray.dfy more ↵Gravatar Rustan Leino2013-04-22
| | | | | | | similar to RingBufferAuto.dfy and ExtensibleArrayAuto.dfy, respectively, so that the effect of {:autocontracts} is more easily seen.
* The "choose" statement, hacky and specialized as it was, is now gone. Use ↵Gravatar Rustan Leino2013-03-27
| | | | the assign-such-that statement instead. For example: x :| x in S;
* Updated two test files.Gravatar Rustan Leino2013-03-22
|
* Adjustments in the /vcsMaxKeepGoingSplits flag in the test suiteGravatar Rustan Leino2013-03-09
|
* Renamed "parallel" statement to "forall" statement, and made the parentheses ↵Gravatar Rustan Leino2013-03-06
| | | | around the bound variables optional.
* Frame expressions are now checked to be well formed.Gravatar Rustan Leino2013-02-13
| | | | (A nice consequence of this is that the method IsTotal is no longer needed.)
* Fixed another specification bug in a test case.Gravatar Rustan Leino2013-01-23
|
* Fixed bug in translation of method termination checks, and also fixed a ↵Gravatar Rustan Leino2013-01-23
| | | | (previously undetected) specification bug in the test suite.
* Beefed up loop invariant to prove a functional postcondition in a test case.Gravatar Rustan Leino2012-11-24
|
* Beautified a test programGravatar Rustan Leino2012-11-19
|
* renamed "abstract module" to "module facade"Gravatar Rustan Leino2012-10-22
| | | | renamed "ghost module" to "abstract module", adding a keyword "abstract"
* Fixed some goof-ups in the test script editsGravatar Rustan Leino2012-10-04
| | | | Changed the test output to make it easier to spot (in the console output) that everything passed with success or if there were any failures
* Added Test/dafny3 and another test file for iterators (hey, you can even run ↵Gravatar Rustan Leino2012-10-04
| | | | | | Iter.dfy!) Fixed migration issues
* Dafny: fixed mergeGravatar Rustan Leino2012-10-04
|
* Dafny: removed allocated, changed semantics of freshGravatar Jason Koenig2012-07-29
| | | | | -allocated(x) removed, as really only useful in old(...) -old(allocated(x)) and !fresh(x) are equivalent (for x with type ref, set, sequence, and datatype).
* Dafny: reinstated autocontractsGravatar Jason Koenig2012-07-02
|
* Dafny: fixed up test suite (temporarily removed autocontract tests)Gravatar Jason Koenig2012-06-28
|
* Dafny: fixed some test casesGravatar Jason Koenig2012-06-28
|
* Dafny: MergeGravatar Jason Koenig2012-06-27
|\
| * Undo bad merge.Gravatar afd2012-06-27
| |
| * MergeGravatar Unknown2012-06-25
| |\
| | * Dafny: Since it's no longer true that all types support equality at run-time ↵Gravatar Unknown2012-06-21
| | | | | | | | | | | | (in particular, codatatypes), Dafny needs to check this. In these changes, Dafny supports the "(==)" suffix to type parameters, infers that suffix in some cases, and enforces equality support in many places. Refinement and datatypes still need more attention in the Dafny implementation.
| * | MergeGravatar Unknown2012-06-21
| |\|
| | * Dafny: improved refinement features; added staged version of the proof of ↵Gravatar Unknown2012-06-19
| |/ |/| | | | | the Schorr-Waite algorithm (the staging features, as well as the newly added comments, make the verification much more digestible)
| * Merged with default.Gravatar chmaria2012-06-18
| |\ | |/ |/|
* | Dafny: cleaned up test scripts a littleGravatar Unknown2012-06-14
| |
| * Dafny: Added tests.Gravatar chmaria2012-06-12
|/
* Dafny: fixed regression testsGravatar Unknown2012-05-29
|
* Dafny: Added maps to regression tests.Gravatar Unknown2012-05-29
|
* Dafny: added experimental feature {:autocontracts} to de-clutter idiomatic ↵Gravatar Unknown2012-03-05
| | | | specifications
* Dafny: fixed bug in compilation of let expressions.Gravatar Rustan Leino2012-01-26
|
* Dafny: allow definitions and uses of parameter-less predicates to go without ↵Gravatar Rustan Leino2012-01-10
| | | | parentheses
* MergeGravatar Rustan Leino2011-11-22
|\
| * Dafny: call C# compiler directly from inside Dafny, and optionally produce a ↵Gravatar Rustan Leino2011-11-22
| | | | | | | | .cs file with the new /spillTargetCode switch
* | Dafny: Added "type" declaration (syntax: "type X;"), which introduces an ↵Gravatar Rustan Leino2011-11-21
|/ | | | arbitrary type (like a global type parameter). In the future, a refined module may allow such types to be instantiated.
* Dafny: Cleaned up proof of RevConcat in test caseGravatar Rustan Leino2011-11-08
|
* Dafny: in test suite (Rippling.dfy), replaced an inline lemma with a call to ↵Gravatar Rustan Leino2011-11-04
| | | | a previous lemma
* Added some Dafny and Boogie test cases, including Turing's factorial ↵Gravatar Rustan Leino2011-11-03
| | | | program, Hoare's classic FIND, and some induction tests for negative integers
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-06 19:54:43 +0000