blob: 086a0ae023259aaa0420d317b92645129c585328 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
|
// RUN: %dafny /compile:0 /print:"%t.print" /dprint:"%t.dprint" "%s" > "%t"
// RUN: %diff "%s.expect" "%t"
module Library {
function F(): int { 5 }
function {:opaque} G(): int { 5 }
protected function H(): int { 5 }
lemma L0() {
assert F() == 5;
assert H() == 5;
}
lemma L1() {
var t := *;
if {
case true =>
assert G() == 5; // error: G() is opauqe
return;
case true =>
reveal_G();
assert G() == 5;
case true =>
reveal_G();
t := 2;
case true =>
t := 3;
}
if t != 3 {
assert G() == 5; // fine, since G() has been revealed on this path, or it's known to be 5
} else {
assert G() == 5; // error: G() may not have been revealed
}
}
lemma L2() {
assert G() == 5; // error: G() has not yet been revealed
reveal_G(); // revealing afterwards is not good enough
}
lemma L3() {
assert H() == 5; // yes, definition of H() is known, because we're inside H's defining module
}
}
module Client {
import Lib = Library
lemma L0() {
assert Lib.F() == 5; // yes, because F() is not opaque
assert Lib.G() == 5; // error: not known, since G() is opaque
}
lemma L1() {
Lib.reveal_G();
assert Lib.G() == 5; // yes, the definition has been revealed
}
lemma L2() {
assert Lib.H() == 5; // error: H() is protected, so its definition is not available
}
}
|