/*----------------------------------------------------------------------------- // // Copyright (C) Microsoft Corporation. All Rights Reserved. // //-----------------------------------------------------------------------------*/ /*--------------------------------------------------------------------------- // Dafny // Rustan Leino, first created 25 January 2008 //--------------------------------------------------------------------------*/ using System.Collections.Generic; using System.Numerics; using Microsoft.Boogie; using System.IO; using System.Text; COMPILER Dafny /*--------------------------------------------------------------------------*/ readonly Expression/*!*/ dummyExpr; readonly AssignmentRhs/*!*/ dummyRhs; readonly FrameExpression/*!*/ dummyFrameExpr; readonly Statement/*!*/ dummyStmt; readonly Attributes.Argument/*!*/ dummyAttrArg; readonly ModuleDecl theModule; readonly BuiltIns theBuiltIns; int anonymousIds = 0; struct MemberModifiers { public bool IsGhost; public bool IsStatic; } // helper routine for parsing call statements ///

/// Parses top-level things (modules, classes, datatypes, class members) from "filename" /// and appends them in appropriate form to "module". /// Returns the number of parsing errors encountered. /// Note: first initialize the Scanner. ///

public static int Parse (string/*!*/ filename, ModuleDecl module, BuiltIns builtIns) /* throws System.IO.IOException */ { Contract.Requires(filename != null); Contract.Requires(module != null); string s; if (filename == "stdin.dfy") { s = Microsoft.Boogie.ParserHelper.Fill(System.Console.In, new List()); return Parse(s, filename, module, builtIns); } else { using (System.IO.StreamReader reader = new System.IO.StreamReader(filename)) { s = Microsoft.Boogie.ParserHelper.Fill(reader, new List()); return Parse(s, filename, module, builtIns); } } } ///

/// Parses top-level things (modules, classes, datatypes, class members) /// and appends them in appropriate form to "module". /// Returns the number of parsing errors encountered. /// Note: first initialize the Scanner. ///

public static int Parse (string/*!*/ s, string/*!*/ filename, ModuleDecl module, BuiltIns builtIns) { Contract.Requires(s != null); Contract.Requires(filename != null); Contract.Requires(module != null); Errors errors = new Errors(); return Parse(s, filename, module, builtIns, errors); } ///

public static int Parse (string/*!*/ s, string/*!*/ filename, ModuleDecl module, BuiltIns builtIns, Errors/*!*/ errors) { Contract.Requires(s != null); Contract.Requires(filename != null); Contract.Requires(module != null); Contract.Requires(errors != null); byte[]/*!*/ buffer = cce.NonNull( UTF8Encoding.Default.GetBytes(s)); MemoryStream ms = new MemoryStream(buffer,false); Scanner scanner = new Scanner(ms, errors, filename); Parser parser = new Parser(scanner, errors, module, builtIns); parser.Parse(); return parser.errors.count; } public Parser(Scanner/*!*/ scanner, Errors/*!*/ errors, ModuleDecl module, BuiltIns builtIns) : this(scanner, errors) // the real work { // initialize readonly fields dummyExpr = new LiteralExpr(Token.NoToken); dummyRhs = new ExprRhs(dummyExpr, null); dummyFrameExpr = new FrameExpression(dummyExpr.tok, dummyExpr, null); dummyStmt = new ReturnStmt(Token.NoToken, null); dummyAttrArg = new Attributes.Argument(Token.NoToken, "dummyAttrArg"); theModule = module; theBuiltIns = builtIns; } bool IsAttribute() { Token x = scanner.Peek(); return la.kind == _lbrace && x.kind == _colon; } /*--------------------------------------------------------------------------*/ CHARACTERS letter = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz". digit = "0123456789". posDigit = "123456789". special = "'_?\\". glyph = "`~!@#$%^&*()-_=+[{]}|;:',<.>/?\\". cr = '\r'. lf = '\n'. tab = '\t'. space = ' '. quote = '"'. nondigit = letter + special. idchar = nondigit + digit. nonquote = letter + digit + space + glyph. /* exclude the characters in 'array' */ nondigitMinusA = nondigit - 'a'. idcharMinusA = idchar - 'a'. idcharMinusR = idchar - 'r'. idcharMinusY = idchar - 'y'. idcharMinusPosDigit = idchar - posDigit. /*------------------------------------------------------------------------*/ TOKENS ident = nondigitMinusA {idchar} /* if char 0 is not an 'a', then anything else is fine */ | 'a' [ idcharMinusR {idchar} ] /* if char 0 is an 'a', then either there is no char 1 or char 1 is not an 'r' */ | 'a' 'r' [ idcharMinusR {idchar} ] /* etc. */ | 'a' 'r' 'r' [ idcharMinusA {idchar} ] | 'a' 'r' 'r' 'a' [ idcharMinusY {idchar} ] | 'a' 'r' 'r' 'a' 'y' idcharMinusPosDigit {idchar} | 'a' 'r' 'r' 'a' 'y' posDigit {idchar} nondigit {idchar}. digits = digit {digit}. arrayToken = 'a' 'r' 'r' 'a' 'y' [posDigit {digit}]. string = quote {nonquote} quote. colon = ':'. lbrace = '{'. rbrace = '}'. COMMENTS FROM "/*" TO "*/" NESTED COMMENTS FROM "//" TO lf IGNORE cr + lf + tab /*------------------------------------------------------------------------*/ PRODUCTIONS Dafny = (. ClassDecl/*!*/ c; DatatypeDecl/*!*/ dt; ArbitraryTypeDecl at; List membersDefaultClass = new List(); ModuleDecl submodule; // to support multiple files, create a default module only if theModule is null DefaultModuleDecl defaultModule = (DefaultModuleDecl)((LiteralModuleDecl)theModule).ModuleDef; // theModule should be a DefaultModuleDecl (actually, the singular DefaultModuleDecl) Contract.Assert(defaultModule != null); bool isGhost; .) { (. isGhost = false; .) [ "ghost" (. isGhost = true; .) ] ( SubModuleDecl (. defaultModule.TopLevelDecls.Add(submodule); .) | (. if (isGhost) { SemErr(t, "a class is not allowed to be declared as 'ghost'"); } .) ClassDecl (. defaultModule.TopLevelDecls.Add(c); .) | (. if (isGhost) { SemErr(t, "a datatype/codatatype is not allowed to be declared as 'ghost'"); } .) DatatypeDecl (. defaultModule.TopLevelDecls.Add(dt); .) | (. if (isGhost) { SemErr(t, "a type is not allowed to be declared as 'ghost'"); } .) ArbitraryTypeDecl (. defaultModule.TopLevelDecls.Add(at); .) | ClassMemberDecl ) } (. // find the default class in the default module, then append membersDefaultClass to its member list DefaultClassDecl defaultClass = null; foreach (TopLevelDecl topleveldecl in defaultModule.TopLevelDecls) { defaultClass = topleveldecl as DefaultClassDecl; if (defaultClass != null) { defaultClass.Members.AddRange(membersDefaultClass); break; } } if (defaultClass == null) { // create the default class here, because it wasn't found defaultClass = new DefaultClassDecl(defaultModule, membersDefaultClass); defaultModule.TopLevelDecls.Add(defaultClass); } .) EOF . SubModuleDecl = (. ClassDecl/*!*/ c; DatatypeDecl/*!*/ dt; ArbitraryTypeDecl at; Attributes attrs = null; IToken/*!*/ id; List namedModuleDefaultClassMembers = new List();; List idRefined = null, idPath = null, idAssignment = null; bool isGhost = false; ModuleDefinition module; ModuleDecl sm; submodule = null; // appease compiler bool opened = false; .) ( "module" { Attribute } NoUSIdent [ "refines" QualifiedName ] (. module = new ModuleDefinition(id, id.val, isOverallModuleGhost, false, idRefined == null ? null : idRefined, attrs, false); .) "{" (. module.BodyStartTok = t; .) { (. isGhost = false; .) [ "ghost" (. isGhost = true; .) ] ( SubModuleDecl (. module.TopLevelDecls.Add(sm); .) | (. if (isGhost) { SemErr(t, "a class is not allowed to be declared as 'ghost'"); } .) ClassDecl (. module.TopLevelDecls.Add(c); .) | (. if (isGhost) { SemErr(t, "a datatype/codatatype is not allowed to be declared as 'ghost'"); } .) DatatypeDecl (. module.TopLevelDecls.Add(dt); .) | (. if (isGhost) { SemErr(t, "a type is not allowed to be declared as 'ghost'"); } .) ArbitraryTypeDecl (. module.TopLevelDecls.Add(at); .) | ClassMemberDecl ) } "}" (. module.BodyEndTok = t; module.TopLevelDecls.Add(new DefaultClassDecl(module, namedModuleDefaultClassMembers)); submodule = new LiteralModuleDecl(module, parent); .) | "import" ["opened" (.opened = true;.)] ( NoUSIdent ( "=" QualifiedName ";" (. submodule = new AliasModuleDecl(idPath, id, parent, opened); .) | ";" (. idPath = new List(); idPath.Add(id); submodule = new AliasModuleDecl(idPath, id, parent, opened); .) | "as" QualifiedName ["default" QualifiedName ] ";" (.submodule = new AbstractModuleDecl(idPath, id, parent, idAssignment, opened); .) ) ) ) . QualifiedName<.out List ids.> = (. IToken id; ids = new List(); .) Ident (. ids.Add(id); .) { "." Ident (. ids.Add(id); .) } . ClassDecl = (. Contract.Requires(module != null); Contract.Ensures(Contract.ValueAtReturn(out c) != null); IToken/*!*/ id; Attributes attrs = null; List typeArgs = new List(); List members = new List(); IToken bodyStart; .) SYNC "class" { Attribute } NoUSIdent [ GenericParameters ] "{" (. bodyStart = t; .) { ClassMemberDecl } "}" (. c = new ClassDecl(id, id.val, module, typeArgs, members, attrs); c.BodyStartTok = bodyStart; c.BodyEndTok = t; .) . ClassMemberDecl<.List/*!*/ mm, bool isAlreadyGhost, bool allowConstructors.> = (. Contract.Requires(cce.NonNullElements(mm)); Method/*!*/ m; Function/*!*/ f; MemberModifiers mmod = new MemberModifiers(); mmod.IsGhost = isAlreadyGhost; .) { "ghost" (. mmod.IsGhost = true; .) | "static" (. mmod.IsStatic = true; .) } ( FieldDecl | FunctionDecl (. mm.Add(f); .) | MethodDecl (. mm.Add(m); .) ) . DatatypeDecl = (. Contract.Requires(module != null); Contract.Ensures(Contract.ValueAtReturn(out dt)!=null); IToken/*!*/ id; Attributes attrs = null; List typeArgs = new List(); List ctors = new List(); IToken bodyStart = Token.NoToken; // dummy assignment bool co = false; .) SYNC ( "datatype" | "codatatype" (. co = true; .) ) { Attribute } NoUSIdent [ GenericParameters ] "=" (. bodyStart = t; .) DatatypeMemberDecl { "|" DatatypeMemberDecl } SYNC ";" (. if (co) { dt = new CoDatatypeDecl(id, id.val, module, typeArgs, ctors, attrs); } else { dt = new IndDatatypeDecl(id, id.val, module, typeArgs, ctors, attrs); } dt.BodyStartTok = bodyStart; dt.BodyEndTok = t; .) . DatatypeMemberDecl<.List/*!*/ ctors.> = (. Contract.Requires(cce.NonNullElements(ctors)); Attributes attrs = null; IToken/*!*/ id; List formals = new List(); .) { Attribute } NoUSIdent [ FormalsOptionalIds ] (. ctors.Add(new DatatypeCtor(id, id.val, formals, attrs)); .) . FieldDecl<.MemberModifiers mmod, List/*!*/ mm.> = (. Contract.Requires(cce.NonNullElements(mm)); Attributes attrs = null; IToken/*!*/ id; Type/*!*/ ty; .) SYNC "var" (. if (mmod.IsStatic) { SemErr(t, "fields cannot be declared 'static'"); } .) { Attribute } IdentType (. mm.Add(new Field(id, id.val, mmod.IsGhost, ty, attrs)); .) { "," IdentType (. mm.Add(new Field(id, id.val, mmod.IsGhost, ty, attrs)); .) } SYNC ";" . ArbitraryTypeDecl = (. IToken/*!*/ id; Attributes attrs = null; var eqSupport = TypeParameter.EqualitySupportValue.Unspecified; .) "type" { Attribute } NoUSIdent [ "(" "==" ")" (. eqSupport = TypeParameter.EqualitySupportValue.Required; .) ] (. at = new ArbitraryTypeDecl(id, id.val, module, eqSupport, attrs); .) SYNC ";" . GIdentType /* isGhost always returns as false if allowGhostKeyword is false */ = (. Contract.Ensures(Contract.ValueAtReturn(out id)!=null); Contract.Ensures(Contract.ValueAtReturn(out ty)!=null); isGhost = false; .) [ "ghost" (. if (allowGhostKeyword) { isGhost = true; } else { SemErr(t, "formal cannot be declared 'ghost' in this context"); } .) ] IdentType . IdentType = (.Contract.Ensures(Contract.ValueAtReturn(out id) != null); Contract.Ensures(Contract.ValueAtReturn(out ty) != null);.) WildIdent ":" Type . LocalIdentTypeOptional = (. IToken/*!*/ id; Type/*!*/ ty; Type optType = null; .) WildIdent [ ":" Type (. optType = ty; .) ] (. var = new VarDecl(id, id.val, optType == null ? new InferredTypeProxy() : optType, isGhost); .) . IdentTypeOptional = (. Contract.Ensures(Contract.ValueAtReturn(out var)!=null); IToken/*!*/ id; Type/*!*/ ty; Type optType = null; .) WildIdent [ ":" Type (. optType = ty; .) ] (. var = new BoundVar(id, id.val, optType == null ? new InferredTypeProxy() : optType); .) . TypeIdentOptional = (.Contract.Ensures(Contract.ValueAtReturn(out id)!=null); Contract.Ensures(Contract.ValueAtReturn(out ty)!=null); Contract.Ensures(Contract.ValueAtReturn(out identName)!=null); string name = null; isGhost = false; .) [ "ghost" (. isGhost = true; .) ] TypeAndToken [ ":" (. /* try to convert ty to an identifier */ UserDefinedType udt = ty as UserDefinedType; if (udt != null && udt.TypeArgs.Count == 0) { name = udt.Name; } else { SemErr(id, "invalid formal-parameter name in datatype constructor"); } .) Type ] (. if (name != null) { identName = name; } else { identName = "#" + anonymousIds++; } .) . /*------------------------------------------------------------------------*/ GenericParameters<.List/*!*/ typeArgs.> = (. Contract.Requires(cce.NonNullElements(typeArgs)); IToken/*!*/ id; TypeParameter.EqualitySupportValue eqSupport; .) "<" NoUSIdent (. eqSupport = TypeParameter.EqualitySupportValue.Unspecified; .) [ "(" "==" ")" (. eqSupport = TypeParameter.EqualitySupportValue.Required; .) ] (. typeArgs.Add(new TypeParameter(id, id.val, eqSupport)); .) { "," NoUSIdent (. eqSupport = TypeParameter.EqualitySupportValue.Unspecified; .) [ "(" "==" ")" (. eqSupport = TypeParameter.EqualitySupportValue.Required; .) ] (. typeArgs.Add(new TypeParameter(id, id.val, eqSupport)); .) } ">" . /*------------------------------------------------------------------------*/ MethodDecl = (. Contract.Ensures(Contract.ValueAtReturn(out m) !=null); IToken/*!*/ id; Attributes attrs = null; List/*!*/ typeArgs = new List(); IToken openParen; List ins = new List(); List outs = new List(); List req = new List(); List mod = new List(); List ens = new List(); List dec = new List(); Attributes decAttrs = null; Attributes modAttrs = null; BlockStmt body = null; bool isConstructor = false; bool signatureOmitted = false; IToken bodyStart = Token.NoToken; IToken bodyEnd = Token.NoToken; .) SYNC ( "method" | "constructor" (. if (allowConstructor) { isConstructor = true; } else { SemErr(t, "constructors are only allowed in classes"); } .) ) (. if (isConstructor) { if (mmod.IsGhost) { SemErr(t, "constructors cannot be declared 'ghost'"); } if (mmod.IsStatic) { SemErr(t, "constructors cannot be declared 'static'"); } } .) { Attribute } NoUSIdent ( [ GenericParameters ] Formals [ "returns" (. if (isConstructor) { SemErr(t, "constructors cannot have out-parameters"); } .) Formals ] | "..." (. signatureOmitted = true; openParen = Token.NoToken; .) ) { MethodSpec } [ BlockStmt ] (. if (isConstructor) { m = new Constructor(id, id.val, typeArgs, ins, req, new Specification(mod, modAttrs), ens, new Specification(dec, decAttrs), body, attrs, signatureOmitted); } else { m = new Method(id, id.val, mmod.IsStatic, mmod.IsGhost, typeArgs, ins, outs, req, new Specification(mod, modAttrs), ens, new Specification(dec, decAttrs), body, attrs, signatureOmitted); } m.BodyStartTok = bodyStart; m.BodyEndTok = bodyEnd; .) . MethodSpec<.List/*!*/ req, List/*!*/ mod, List/*!*/ ens, List/*!*/ decreases, ref Attributes decAttrs, ref Attributes modAttrs.> = (. Contract.Requires(cce.NonNullElements(req)); Contract.Requires(cce.NonNullElements(mod)); Contract.Requires(cce.NonNullElements(ens)); Contract.Requires(cce.NonNullElements(decreases)); Expression/*!*/ e; FrameExpression/*!*/ fe; bool isFree = false; Attributes ensAttrs = null; .) SYNC ( "modifies" { IF(IsAttribute()) Attribute } [ FrameExpression (. mod.Add(fe); .) { "," FrameExpression (. mod.Add(fe); .) } ] SYNC ";" | [ "free" (. isFree = true; .) ] ( "requires" Expression SYNC ";" (. req.Add(new MaybeFreeExpression(e, isFree)); .) | "ensures" { IF(IsAttribute()) Attribute } Expression SYNC ";" (. ens.Add(new MaybeFreeExpression(e, isFree, ensAttrs)); .) ) | "decreases" { IF(IsAttribute()) Attribute } DecreasesList SYNC ";" ) . Formals<.bool incoming, bool allowGhostKeyword, List/*!*/ formals, out IToken openParen.> = (. Contract.Requires(cce.NonNullElements(formals)); IToken/*!*/ id; Type/*!*/ ty; bool isGhost; .) "(" (. openParen = t; .) [ GIdentType (. formals.Add(new Formal(id, id.val, ty, incoming, isGhost)); .) { "," GIdentType (. formals.Add(new Formal(id, id.val, ty, incoming, isGhost)); .) } ] ")" . FormalsOptionalIds<.List/*!*/ formals.> = (. Contract.Requires(cce.NonNullElements(formals)); IToken/*!*/ id; Type/*!*/ ty; string/*!*/ name; bool isGhost; .) "(" [ TypeIdentOptional (. formals.Add(new Formal(id, name, ty, true, isGhost)); .) { "," TypeIdentOptional (. formals.Add(new Formal(id, name, ty, true, isGhost)); .) } ] ")" . /*------------------------------------------------------------------------*/ Type = (. Contract.Ensures(Contract.ValueAtReturn(out ty) != null); IToken/*!*/ tok; .) TypeAndToken . TypeAndToken = (. Contract.Ensures(Contract.ValueAtReturn(out tok)!=null); Contract.Ensures(Contract.ValueAtReturn(out ty) != null); tok = Token.NoToken; ty = new BoolType(); /*keep compiler happy*/ List/*!*/ gt; .) ( "bool" (. tok = t; .) | "nat" (. tok = t; ty = new NatType(); .) | "int" (. tok = t; ty = new IntType(); .) | "set" (. tok = t; gt = new List(); .) GenericInstantiation (. if (gt.Count != 1) { SemErr("set type expects exactly one type argument"); } ty = new SetType(gt[0]); .) | "multiset" (. tok = t; gt = new List(); .) GenericInstantiation (. if (gt.Count != 1) { SemErr("multiset type expects exactly one type argument"); } ty = new MultiSetType(gt[0]); .) | "seq" (. tok = t; gt = new List(); .) GenericInstantiation (. if (gt.Count != 1) { SemErr("seq type expects exactly one type argument"); } ty = new SeqType(gt[0]); .) | "map" (. tok = t; gt = new List(); .) GenericInstantiation (. if (gt.Count != 2) { SemErr("map type expects exactly two type arguments"); } else { ty = new MapType(gt[0], gt[1]); } .) | ReferenceType ) . ReferenceType = (. Contract.Ensures(Contract.ValueAtReturn(out tok) != null); Contract.Ensures(Contract.ValueAtReturn(out ty) != null); tok = Token.NoToken; ty = new BoolType(); /*keep compiler happy*/ List/*!*/ gt; List path; .) ( "object" (. tok = t; ty = new ObjectType(); .) | arrayToken (. tok = t; gt = new List(); .) GenericInstantiation (. if (gt.Count != 1) { SemErr("array type expects exactly one type argument"); } int dims = 1; if (tok.val.Length != 5) { dims = int.Parse(tok.val.Substring(5)); } ty = theBuiltIns.ArrayType(tok, dims, gt[0], true); .) | Ident (. gt = new List(); path = new List(); .) { (. path.Add(tok); .) "." Ident } [ GenericInstantiation ] (. ty = new UserDefinedType(tok, tok.val, gt, path); .) ) . GenericInstantiation<.List/*!*/ gt.> = (. Contract.Requires(cce.NonNullElements(gt)); Type/*!*/ ty; .) "<" Type (. gt.Add(ty); .) { "," Type (. gt.Add(ty); .) } ">" . /*------------------------------------------------------------------------*/ FunctionDecl = (. Contract.Ensures(Contract.ValueAtReturn(out f)!=null); Attributes attrs = null; IToken/*!*/ id = Token.NoToken; // to please compiler List typeArgs = new List(); List formals = new List(); Type/*!*/ returnType = new BoolType(); List reqs = new List(); List ens = new List(); List reads = new List(); List decreases; Expression body = null; bool isPredicate = false; bool isCoPredicate = false; bool isFunctionMethod = false; IToken openParen = null; IToken bodyStart = Token.NoToken; IToken bodyEnd = Token.NoToken; bool signatureOmitted = false; .) /* ----- function ----- */ ( "function" [ "method" (. isFunctionMethod = true; .) ] (. if (mmod.IsGhost) { SemErr(t, "functions cannot be declared 'ghost' (they are ghost by default)"); } .) { Attribute } NoUSIdent ( [ GenericParameters ] Formals ":" Type | "..." (. signatureOmitted = true; openParen = Token.NoToken; .) ) /* ----- predicate ----- */ | "predicate" (. isPredicate = true; .) [ "method" (. isFunctionMethod = true; .) ] (. if (mmod.IsGhost) { SemErr(t, "predicates cannot be declared 'ghost' (they are ghost by default)"); } .) { Attribute } NoUSIdent ( [ GenericParameters ] [ Formals [ ":" (. SemErr(t, "predicates do not have an explicitly declared return type; it is always bool"); .) ] ] | "..." (. signatureOmitted = true; openParen = Token.NoToken; .) ) /* ----- copredicate ----- */ | "copredicate" (. isCoPredicate = true; .) (. if (mmod.IsGhost) { SemErr(t, "copredicates cannot be declared 'ghost' (they are ghost by default)"); } .) { Attribute } NoUSIdent ( [ GenericParameters ] [ Formals [ ":" (. SemErr(t, "copredicates do not have an explicitly declared return type; it is always bool"); .) ] ] | "..." (. signatureOmitted = true; openParen = Token.NoToken; .) ) ) (. decreases = isCoPredicate ? null : new List(); .) { FunctionSpec } [ FunctionBody ] (. if (isPredicate) { f = new Predicate(id, id.val, mmod.IsStatic, !isFunctionMethod, typeArgs, openParen, formals, reqs, reads, ens, new Specification(decreases, null), body, Predicate.BodyOriginKind.OriginalOrInherited, attrs, signatureOmitted); } else if (isCoPredicate) { f = new CoPredicate(id, id.val, mmod.IsStatic, typeArgs, openParen, formals, reqs, reads, ens, body, attrs, signatureOmitted); } else { f = new Function(id, id.val, mmod.IsStatic, !isFunctionMethod, typeArgs, openParen, formals, returnType, reqs, reads, ens, new Specification(decreases, null), body, attrs, signatureOmitted); } f.BodyStartTok = bodyStart; f.BodyEndTok = bodyEnd; .) . FunctionSpec<.List/*!*/ reqs, List/*!*/ reads, List/*!*/ ens, List decreases.> = (. Contract.Requires(cce.NonNullElements(reqs)); Contract.Requires(cce.NonNullElements(reads)); Contract.Requires(decreases == null || cce.NonNullElements(decreases)); Expression/*!*/ e; FrameExpression/*!*/ fe; .) ( SYNC "requires" Expression SYNC ";" (. reqs.Add(e); .) | "reads" [ PossiblyWildFrameExpression (. reads.Add(fe); .) { "," PossiblyWildFrameExpression (. reads.Add(fe); .) } ] SYNC ";" | "ensures" Expression SYNC ";" (. ens.Add(e); .) | "decreases" (. if (decreases == null) { SemErr(t, "'decreases' clauses are meaningless for copredicates, so they are not allowed"); decreases = new List(); } .) DecreasesList SYNC ";" ) . PossiblyWildExpression = (. Contract.Ensures(Contract.ValueAtReturn(out e)!=null); e = dummyExpr; .) /* A decreases clause on a loop asks that no termination check be performed. * Use of this feature is sound only with respect to partial correctness. */ ( "*" (. e = new WildcardExpr(t); .) | Expression ) . PossiblyWildFrameExpression = (. Contract.Ensures(Contract.ValueAtReturn(out fe) != null); fe = dummyFrameExpr; .) /* A reads clause can list a wildcard, which allows the enclosing function to * read anything. In many cases, and in particular in all cases where * the function is defined recursively, this makes it next to impossible to make * any use of the function. Nevertheless, as an experimental feature, the * language allows it (and it is sound). */ ( "*" (. fe = new FrameExpression(t, new WildcardExpr(t), null); .) | FrameExpression ) . FrameExpression = (. Contract.Ensures(Contract.ValueAtReturn(out fe) != null); Expression/*!*/ e; IToken/*!*/ id; string fieldName = null; IToken feTok = null; fe = null; .) (( Expression (. feTok = e.tok; .) [ "`" Ident (. fieldName = id.val; feTok = id; .) ] (. fe = new FrameExpression(feTok, e, fieldName); .) ) | ( "`" Ident (. fieldName = id.val; .) (. fe = new FrameExpression(id, new ImplicitThisExpr(id), fieldName); .) )) . FunctionBody = (. Contract.Ensures(Contract.ValueAtReturn(out e) != null); e = dummyExpr; .) "{" (. bodyStart = t; .) Expression "}" (. bodyEnd = t; .) . /*------------------------------------------------------------------------*/ BlockStmt = (. Contract.Ensures(Contract.ValueAtReturn(out block) != null); List body = new List(); .) "{" (. bodyStart = t; .) { Stmt } "}" (. bodyEnd = t; block = new BlockStmt(bodyStart, body); .) . Stmt<.List/*!*/ ss.> = (. Statement/*!*/ s; .) OneStmt (. ss.Add(s); .) . OneStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); IToken/*!*/ x; IToken/*!*/ id; string label = null; s = dummyStmt; /* to please the compiler */ BlockStmt bs; IToken bodyStart, bodyEnd; int breakCount; .) SYNC ( BlockStmt (. s = bs; .) | AssertStmt | AssumeStmt | PrintStmt | UpdateStmt | VarDeclStatement | IfStmt | WhileStmt | MatchStmt | ParallelStmt | "label" (. x = t; .) NoUSIdent ":" OneStmt (. s.Labels = new LList(new Label(x, id.val), s.Labels); .) | "break" (. x = t; breakCount = 1; label = null; .) ( NoUSIdent (. label = id.val; .) | { "break" (. breakCount++; .) } ) SYNC ";" (. s = label != null ? new BreakStmt(x, label) : new BreakStmt(x, breakCount); .) | ReturnStmt | SkeletonStmt ";" ) . SkeletonStmt = (. List names = null; List exprs = null; IToken tok, dotdotdot, whereTok; Expression e; .) "..." (. dotdotdot = t; .) ["where" (. names = new List(); exprs = new List(); whereTok = t;.) Ident (. names.Add(tok); .) {"," Ident (. names.Add(tok); .) } ":=" Expression (. exprs.Add(e); .) {"," Expression (. exprs.Add(e); .) } (. if (exprs.Count != names.Count) { SemErr(whereTok, exprs.Count < names.Count ? "not enough expressions" : "too many expressions"); names = null; exprs = null; } .) ] (. s = new SkeletonStatement(dotdotdot, names, exprs); .) . ReturnStmt = (. IToken returnTok = null; List rhss = null; AssignmentRhs r; .) "return" (. returnTok = t; .) [ Rhs (. rhss = new List(); rhss.Add(r); .) { "," Rhs (. rhss.Add(r); .) } ] ";" (. s = new ReturnStmt(returnTok, rhss); .) . UpdateStmt = (. List lhss = new List(); List rhss = new List(); Expression e; AssignmentRhs r; Expression lhs0; IToken x; Attributes attrs = null; IToken suchThatAssume = null; Expression suchThat = null; .) Lhs (. x = e.tok; .) ( { Attribute } ";" (. rhss.Add(new ExprRhs(e, attrs)); .) | (. lhss.Add(e); lhs0 = e; .) { "," Lhs (. lhss.Add(e); .) } ( ":=" (. x = t; .) Rhs (. rhss.Add(r); .) { "," Rhs (. rhss.Add(r); .) } | ":|" (. x = t; .) [ "assume" (. suchThatAssume = t; .) ] Expression ) ";" | ":" (. SemErr(t, "invalid statement (did you forget the 'label' keyword?)"); .) ) (. if (suchThat != null) { s = new AssignSuchThatStmt(x, lhss, suchThat, suchThatAssume); } else { if (lhss.Count == 0 && rhss.Count == 0) { s = new BlockStmt(x, new List()); // error, give empty statement } else { s = new UpdateStmt(x, lhss, rhss); } } .) . Rhs = (. Contract.Ensures(Contract.ValueAtReturn(out r) != null); IToken/*!*/ x, newToken; Expression/*!*/ e; List ee = null; Type ty = null; CallStmt initCall = null; List args; r = dummyRhs; // to please compiler Attributes attrs = null; .) ( "new" (. newToken = t; .) TypeAndToken [ "[" (. ee = new List(); .) Expressions "]" (. // make sure an array class with this dimensionality exists UserDefinedType tmp = theBuiltIns.ArrayType(x, ee.Count, new IntType(), true); .) | "." Ident "(" (. // This case happens when we have type.Constructor(args) // There is no ambiguity about where the constructor is or whether one exists. args = new List(); .) [ Expressions ] ")" (. initCall = new CallStmt(x, new List(), receiverForInitCall, x.val, args); .) | "(" (. var udf = ty as UserDefinedType; if (udf != null && 0 < udf.Path.Count && udf.TypeArgs.Count == 0) { // The parsed name had the form "A.B.Ctr", so treat "A.B" as the name of the type and "Ctr" as // the name of the constructor that's being invoked. x = udf.tok; ty = new UserDefinedType(udf.Path[0], udf.Path[udf.Path.Count-1].val, new List(), udf.Path.GetRange(0,udf.Path.Count-1)); } else { SemErr(t, "expected '.'"); x = null; } args = new List(); .) [ Expressions ] ")" (. if (x != null) { initCall = new CallStmt(x, new List(), receiverForInitCall, x.val, args); } .) ] (. if (ee != null) { r = new TypeRhs(newToken, ty, ee); } else { r = new TypeRhs(newToken, ty, initCall); } .) /* One day, the choose expression should be treated just as a special case of a method call. */ | "choose" (. x = t; .) Expression (. r = new ExprRhs(new UnaryExpr(x, UnaryExpr.Opcode.SetChoose, e)); .) | "*" (. r = new HavocRhs(t); .) | Expression (. r = new ExprRhs(e); .) ) { Attribute } (. r.Attributes = attrs; .) . VarDeclStatement<.out Statement/*!*/ s.> = (. IToken x = null, assignTok = null; bool isGhost = false; VarDecl/*!*/ d; AssignmentRhs r; IdentifierExpr lhs0; List lhss = new List(); List rhss = new List(); IToken suchThatAssume = null; Expression suchThat = null; .) [ "ghost" (. isGhost = true; x = t; .) ] "var" (. if (!isGhost) { x = t; } .) LocalIdentTypeOptional (. lhss.Add(d); .) { "," LocalIdentTypeOptional (. lhss.Add(d); .) } [ ":=" (. assignTok = t; lhs0 = new IdentifierExpr(lhss[0].Tok, lhss[0].Name); lhs0.Var = lhss[0]; lhs0.Type = lhss[0].OptionalType; // resolve here .) Rhs (. rhss.Add(r); .) { "," Rhs (. rhss.Add(r); .) } | ":|" (. assignTok = t; .) [ "assume" (. suchThatAssume = t; .) ] Expression ] ";" (. ConcreteUpdateStatement update; if (suchThat != null) { var ies = new List(); foreach (var lhs in lhss) { ies.Add(new IdentifierExpr(lhs.Tok, lhs.Name)); } update = new AssignSuchThatStmt(assignTok, ies, suchThat, suchThatAssume); } else if (rhss.Count == 0) { update = null; } else { var ies = new List(); foreach (var lhs in lhss) { ies.Add(new AutoGhostIdentifierExpr(lhs.Tok, lhs.Name)); } update = new UpdateStmt(assignTok, ies, rhss); } s = new VarDeclStmt(x, lhss, update); .) . IfStmt = (. Contract.Ensures(Contract.ValueAtReturn(out ifStmt) != null); IToken/*!*/ x; Expression guard = null; bool guardOmitted = false; BlockStmt/*!*/ thn; BlockStmt/*!*/ bs; Statement/*!*/ s; Statement els = null; IToken bodyStart, bodyEnd; List alternatives; ifStmt = dummyStmt; // to please the compiler .) "if" (. x = t; .) ( ( Guard | "..." (. guardOmitted = true; .) ) BlockStmt [ "else" ( IfStmt (. els = s; .) | BlockStmt (. els = bs; .) ) ] (. if (guardOmitted) { ifStmt = new SkeletonStatement(new IfStmt(x, guard, thn, els), true, false); } else { ifStmt = new IfStmt(x, guard, thn, els); } .) | AlternativeBlock (. ifStmt = new AlternativeStmt(x, alternatives); .) ) . AlternativeBlock<.out List alternatives.> = (. alternatives = new List(); IToken x; Expression e; List body; .) "{" { "case" (. x = t; .) Expression "=>" (. body = new List(); .) { Stmt } (. alternatives.Add(new GuardedAlternative(x, e, body)); .) } "}" . WhileStmt = (. Contract.Ensures(Contract.ValueAtReturn(out stmt) != null); IToken/*!*/ x; Expression guard = null; bool guardOmitted = false; List invariants = new List(); List decreases = new List(); Attributes decAttrs = null; Attributes modAttrs = null; List mod = null; BlockStmt/*!*/ body = null; bool bodyOmitted = false; IToken bodyStart = null, bodyEnd = null; List alternatives; stmt = dummyStmt; // to please the compiler .) "while" (. x = t; .) ( ( Guard (. Contract.Assume(guard == null || cce.Owner.None(guard)); .) | "..." (. guardOmitted = true; .) ) LoopSpec ( BlockStmt | "..." (. bodyOmitted = true; .) ) (. if (guardOmitted || bodyOmitted) { if (mod != null) { SemErr(mod[0].E.tok, "'modifies' clauses are not allowed on refining loops"); } if (body == null) { body = new BlockStmt(x, new List()); } stmt = new WhileStmt(x, guard, invariants, new Specification(decreases, decAttrs), new Specification(null, null), body); stmt = new SkeletonStatement(stmt, guardOmitted, bodyOmitted); } else { // The following statement protects against crashes in case of parsing errors body = body ?? new BlockStmt(x, new List()); stmt = new WhileStmt(x, guard, invariants, new Specification(decreases, decAttrs), new Specification(mod, modAttrs), body); } .) | LoopSpec AlternativeBlock (. stmt = new AlternativeLoopStmt(x, invariants, new Specification(decreases, decAttrs), new Specification(mod, modAttrs), alternatives); .) ) . LoopSpec<.out List invariants, out List decreases, out List mod, ref Attributes decAttrs, ref Attributes modAttrs.> = (. FrameExpression/*!*/ fe; invariants = new List(); MaybeFreeExpression invariant = null; decreases = new List(); mod = null; .) { Invariant SYNC ";" (. invariants.Add(invariant); .) | SYNC "decreases" { IF(IsAttribute()) Attribute } DecreasesList SYNC ";" | SYNC "modifies" { IF(IsAttribute()) Attribute } (. mod = mod ?? new List(); .) [ FrameExpression (. mod.Add(fe); .) { "," FrameExpression (. mod.Add(fe); .) } ] SYNC ";" } . Invariant = (. bool isFree = false; Expression/*!*/ e; List ids = new List(); invariant = null; Attributes attrs = null; .) SYNC ["free" (. isFree = true; .) ] "invariant" { IF(IsAttribute()) Attribute } Expression (. invariant = new MaybeFreeExpression(e, isFree, attrs); .) . DecreasesList<.List decreases, bool allowWildcard.> = (. Expression/*!*/ e; .) PossiblyWildExpression (. if (!allowWildcard && e is WildcardExpr) { SemErr(e.tok, "'decreases *' is only allowed on loops"); } else { decreases.Add(e); } .) { "," PossiblyWildExpression (. if (!allowWildcard && e is WildcardExpr) { SemErr(e.tok, "'decreases *' is only allowed on loops"); } else { decreases.Add(e); } .) } . Guard /* null represents demonic-choice */ = (. Expression/*!*/ ee; e = null; .) "(" ( "*" (. e = null; .) | Expression (. e = ee; .) ) ")" . MatchStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); Token x; Expression/*!*/ e; MatchCaseStmt/*!*/ c; List cases = new List(); .) "match" (. x = t; .) Expression "{" { CaseStatement (. cases.Add(c); .) } "}" (. s = new MatchStmt(x, e, cases); .) . CaseStatement = (. Contract.Ensures(Contract.ValueAtReturn(out c) != null); IToken/*!*/ x, id; List arguments = new List(); BoundVar/*!*/ bv; List body = new List(); .) "case" (. x = t; .) Ident [ "(" IdentTypeOptional (. arguments.Add(bv); .) { "," IdentTypeOptional (. arguments.Add(bv); .) } ")" ] "=>" { Stmt } (. c = new MatchCaseStmt(x, id.val, arguments, body); .) . /*------------------------------------------------------------------------*/ AssertStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); IToken/*!*/ x; Expression e = null; Attributes attrs = null; .) "assert" (. x = t; .) { IF(IsAttribute()) Attribute } ( Expression | "..." ) ";" (. if (e == null) { s = new SkeletonStatement(new AssertStmt(x, new LiteralExpr(x, true), attrs), true, false); } else { s = new AssertStmt(x, e, attrs); } .) . AssumeStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); IToken/*!*/ x; Expression e = null; Attributes attrs = null; .) "assume" (. x = t; .) { IF(IsAttribute()) Attribute } ( Expression | "..." ) (. if (e == null) { s = new SkeletonStatement(new AssumeStmt(x, new LiteralExpr(x, true), attrs), true, false); } else { s = new AssumeStmt(x, e, attrs); } .) ";" . PrintStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); IToken/*!*/ x; Attributes.Argument/*!*/ arg; List args = new List(); .) "print" (. x = t; .) AttributeArg (. args.Add(arg); .) { "," AttributeArg (. args.Add(arg); .) } ";" (. s = new PrintStmt(x, args); .) . ParallelStmt = (. Contract.Ensures(Contract.ValueAtReturn(out s) != null); IToken/*!*/ x; List bvars = null; Attributes attrs = null; Expression range = null; var ens = new List(); bool isFree; Expression/*!*/ e; BlockStmt/*!*/ block; IToken bodyStart, bodyEnd; .) "parallel" (. x = t; .) "(" [ (. List bvarsX; Attributes attrsX; Expression rangeX; .) QuantifierDomain (. bvars = bvarsX; attrs = attrsX; range = rangeX; .) ] (. if (bvars == null) { bvars = new List(); } if (range == null) { range = new LiteralExpr(x, true); } .) ")" { (. isFree = false; .) [ "free" (. isFree = true; .) ] "ensures" Expression ";" (. ens.Add(new MaybeFreeExpression(e, isFree)); .) } BlockStmt (. s = new ParallelStmt(x, bvars, attrs, range, ens, block); .) . /*------------------------------------------------------------------------*/ Expression = EquivExpression . /*------------------------------------------------------------------------*/ EquivExpression = (. Contract.Ensures(Contract.ValueAtReturn(out e0) != null); IToken/*!*/ x; Expression/*!*/ e1; .) ImpliesExpression { EquivOp (. x = t; .) ImpliesExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.Iff, e0, e1); .) } . EquivOp = "<==>" | '\u21d4'. /*------------------------------------------------------------------------*/ ImpliesExpression = (. Contract.Ensures(Contract.ValueAtReturn(out e0) != null); IToken/*!*/ x; Expression/*!*/ e1; .) LogicalExpression [ ImpliesOp (. x = t; .) ImpliesExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.Imp, e0, e1); .) ] . ImpliesOp = "==>" | '\u21d2'. /*------------------------------------------------------------------------*/ LogicalExpression = (. Contract.Ensures(Contract.ValueAtReturn(out e0) != null); IToken/*!*/ x; Expression/*!*/ e1; .) RelationalExpression [ AndOp (. x = t; .) RelationalExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.And, e0, e1); .) { AndOp (. x = t; .) RelationalExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.And, e0, e1); .) } | OrOp (. x = t; .) RelationalExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.Or, e0, e1); .) { OrOp (. x = t; .) RelationalExpression (. e0 = new BinaryExpr(x, BinaryExpr.Opcode.Or, e0, e1); .) } ] . AndOp = "&&" | '\u2227'. OrOp = "||" | '\u2228'. /*------------------------------------------------------------------------*/ RelationalExpression = (. Contract.Ensures(Contract.ValueAtReturn(out e) != null); IToken x, firstOpTok = null; Expression e0, e1, acc = null; BinaryExpr.Opcode op; List chain = null; List ops = null; int kind = 0; // 0 ("uncommitted") indicates chain of ==, possibly with one != // 1 ("ascending") indicates chain of ==, <, <=, possibly with one != // 2 ("descending") indicates chain of ==, >, >=, possibly with one != // 3 ("illegal") indicates illegal chain // 4 ("disjoint") indicates chain of disjoint set operators bool hasSeenNeq = false; .) Term (. e = e0; .) [ RelOp (. firstOpTok = x; .) Term (. e = new BinaryExpr(x, op, e0, e1); if (op == BinaryExpr.Opcode.Disjoint) acc = new BinaryExpr(x, BinaryExpr.Opcode.Add, e0, e1); // accumulate first two operands. .) { (. if (chain == null) { chain = new List(); ops = new List(); chain.Add(e0); ops.Add(op); chain.Add(e1); switch (op) { case BinaryExpr.Opcode.Eq: kind = 0; break; case BinaryExpr.Opcode.Neq: kind = 0; hasSeenNeq = true; break; case BinaryExpr.Opcode.Lt: case BinaryExpr.Opcode.Le: kind = 1; break; case BinaryExpr.Opcode.Gt: case BinaryExpr.Opcode.Ge: kind = 2; break; case BinaryExpr.Opcode.Disjoint: kind = 4; break; default: kind = 3; break; } } e0 = e1; .) RelOp (. switch (op) { case BinaryExpr.Opcode.Eq: if (kind != 0 && kind != 1 && kind != 2) { SemErr(x, "chaining not allowed from the previous operator"); } break; case BinaryExpr.Opcode.Neq: if (hasSeenNeq) { SemErr(x, "a chain cannot have more than one != operator"); } if (kind != 0 && kind != 1 && kind != 2) { SemErr(x, "this operator cannot continue this chain"); } hasSeenNeq = true; break; case BinaryExpr.Opcode.Lt: case BinaryExpr.Opcode.Le: if (kind == 0) { kind = 1; } else if (kind != 1) { SemErr(x, "this operator chain cannot continue with an ascending operator"); } break; case BinaryExpr.Opcode.Gt: case BinaryExpr.Opcode.Ge: if (kind == 0) { kind = 2; } else if (kind != 2) { SemErr(x, "this operator chain cannot continue with a descending operator"); } break; case BinaryExpr.Opcode.Disjoint: if (kind != 4) { SemErr(x, "can only chain disjoint (!!) with itself."); kind = 3; } break; default: SemErr(x, "this operator cannot be part of a chain"); kind = 3; break; } .) Term (. ops.Add(op); chain.Add(e1); if (op == BinaryExpr.Opcode.Disjoint) { e = new BinaryExpr(x, BinaryExpr.Opcode.And, e, new BinaryExpr(x, op, acc, e1)); acc = new BinaryExpr(x, BinaryExpr.Opcode.Add, acc, e1); //e0 has already been added. } else e = new BinaryExpr(x, BinaryExpr.Opcode.And, e, new BinaryExpr(x, op, e0, e1)); .) } ] (. if (chain != null) { e = new ChainingExpression(firstOpTok, chain, ops, e); } .) . RelOp = (. Contract.Ensures(Contract.ValueAtReturn(out x) != null); x = Token.NoToken; op = BinaryExpr.Opcode.Add/*(dummy)*/; IToken y; .) ( "==" (. x = t; op = BinaryExpr.Opcode.Eq; .) | "<" (. x = t; op = BinaryExpr.Opcode.Lt; .) | ">" (. x = t; op = BinaryExpr.Opcode.Gt; .) | "<=" (. x = t; op = BinaryExpr.Opcode.Le; .) | ">=" (. x = t; op = BinaryExpr.Opcode.Ge; .) | "!=" (. x = t; op = BinaryExpr.Opcode.Neq; .) | "!!" (. x = t; op = BinaryExpr.Opcode.Disjoint; .) | "in" (. x = t; op = BinaryExpr.Opcode.In; .) | /* The next operator is "!in", but Coco evidently parses "!in" even when it is a prefix of, say, "!initialized". * The reason for this seems to be that the first character of "!in" is not a letter. So, here is the workaround: */ "!" (. x = t; y = Token.NoToken; .) [ "in" (. y = t; .) ] (. if (y == Token.NoToken) { SemErr(x, "invalid RelOp"); } else if (y.pos != x.pos + 1) { SemErr(x, "invalid RelOp (perhaps you intended \"!in\" with no intervening whitespace?)"); } else { x.val = "!in"; op = BinaryExpr.Opcode.NotIn; } .) | '\u2260' (. x = t; op = BinaryExpr.Opcode.Neq; .) | '\u2264' (. x = t; op = BinaryExpr.Opcode.Le; .) | '\u2265' (. x = t; op = BinaryExpr.Opcode.Ge; .) ) . /*------------------------------------------------------------------------*/ Term = (. Contract.Ensures(Contract.ValueAtReturn(out e0) != null); IToken/*!*/ x; Expression/*!*/ e1; BinaryExpr.Opcode op; .) Factor { AddOp Factor (. e0 = new BinaryExpr(x, op, e0, e1); .) } . AddOp = (. Contract.Ensures(Contract.ValueAtReturn(out x) != null); x = Token.NoToken; op=BinaryExpr.Opcode.Add/*(dummy)*/; .) ( "+" (. x = t; op = BinaryExpr.Opcode.Add; .) | "-" (. x = t; op = BinaryExpr.Opcode.Sub; .) ) . /*------------------------------------------------------------------------*/ Factor = (. Contract.Ensures(Contract.ValueAtReturn(out e0) != null); IToken/*!*/ x; Expression/*!*/ e1; BinaryExpr.Opcode op; .) UnaryExpression { MulOp UnaryExpression