boogie Discussions Rss Feed

New Post: Boogie Grammar

schaef — Tue, 07 May 2013 23:01:05 GMT

Now, I have a parser that follows http://research.microsoft.com/en-us/um/people/leino/papers/krml178.pdf. But it disagrees with Boogie on the following line:

I generate:

const unique java.lang.SecurityManager : JavaType <: unique java.lang.Object complete;

Boogie wants it be

const unique java.lang.SecurityManager : JavaType extends unique java.lang.Object complete;

Can I safely assume that "<:" is now called "extends"?

PS: mod ("%") is not accepted either. What should I use instead?

New Post: Instantiation in Boogie

ligianistor — Tue, 07 May 2013 03:54:52 GMT

I have a question that I think is related to the way Z3 does the instantiation of quantified variables. The first example below verifies OK, while the second one is not verified correctly by Boogie, although they are very similar. The only difference is that for the second example, in the axiom related to the function Range(...) I quantify over the global variable "next" (representing the next field of a cell in a linked list). Although the procedure addModulo11 makes "next[this] := null;" and hence the axiom about Range(...) should help to prove the post-condition of addModulo11, this does not happen.

In the first example, "next[this]" is simply given as a parameter to the function Range(...), so there is no instantiation of "next". I think that's why the first example works.

Does anyone know why this instantiation of "next" doesn't work in the second example?

//First example
//it works
//type Ref is intended to represent object references
type Ref;
const null:Ref;
var val: [Ref]int;
var next: [Ref]Ref;

function Range(this: Ref, val:[Ref]int, next:[Ref]Ref, x:int, y:int) returns (bool);

axiom (forall this:Ref, x:int, y:int, val: [Ref]int, next: [Ref]Ref :: 
{Range(this,val,next,x,y)}
  ((this == null)  ==> Range(this,val,next,x,y) == true ) 
   && 
  ((this != null)==> Range(this,val,next,x,y) == false)  
 );
         
procedure addModulo11(this: Ref) 
modifies val, next;
requires  Range(this,val,next,0,8);
ensures  Range(next[this],val,next,0,8) ;
{ 
  next[this] := null;
}
//end of first example

//second example
//doesn't work
//type Ref is intended to represent object references
type Ref;
const null:Ref;
var val: [Ref]int;
var next: [Ref]Ref;

function Range(this: Ref, val:[Ref]int, next:[Ref]Ref, x:int, y:int) returns (bool);

axiom (forall this:Ref, x:int, y:int, val: [Ref]int, next: [Ref]Ref :: 
{Range(this,val,next,x,y)}
  (next[this] == null)  ==> 
     Range(this,val,next,x,y) == true  
   && 
    (next[this] != null)==> 
     Range(this,val,next,x,y) == false);
         

procedure addModulo11(this: Ref) 
modifies val, next;
requires  Range(this,val,next,0,8);
ensures  Range(this,val,next,0,8);
{ 
  next[this] := null;
}

New Post: [Dafny]Cannot verify the assertion which is the loop invariant

Yuyan — Wed, 24 Apr 2013 12:51:10 GMT

Hi Rustan,

After checking some information about e-matching, it is making lots of sense to me. I appreciate your detailed explaination.

Thanks
Yuyan

New Post: Boogie Grammar

schaef — Wed, 24 Apr 2013 03:42:56 GMT

Well, yes there would be a lot of work to make it work with Java. Anyway, we borrowed a JavaCC grammar from Freiburg, which is now in the Joogie repository in case you are interested.

New Post: Boogie Grammar

rustanleino — Wed, 24 Apr 2013 00:20:58 GMT

The grammar is pretty stable. But, if you want to change the .atg file so that it instead produces Java, I would have expected many more changes than just out-parameters. Moreover, what would be a good rewrite of the code in Java without out-parameters?

New Post: [Dafny]Cannot verify the assertion which is the loop invariant

rustanleino — Wed, 24 Apr 2013 00:17:32 GMT

Hi Yuyan,

The problem you have encountered has to do with triggering. But before I explain it, let me just remark about the loops. My remark is that I think it's much easier to understand the problem from just look at the Dafny code itself, without going into the details of how loops are translated from Dafny into Boogie (and, as you have included above, even inside Boogie when Boogie cuts back-edges). To get started debugging your program in the context of Dafny, you don't need to know the translation of loops; you just need to know that a loop invariant is assumed on entry to the loop body (and is checked again at the end of the loop body).

Here's the issue you have encountered. You have a loop invariant that you have written as follows:

invariant (forall z :: 0 <= z  && z < result ==> a[x+z] == a[y+z]);

While I think this is the most natural (and most symmetric) way to express this property, it doesn't work well with Z3. The reason is that, to use this quantifier, Z3 wants to instantiate it, and it instantiates quantifiers based on matching patterns. As expressed here, the quantifier has no matching pattern, and therefore Z3 is not able to make use of it.

I cannot give full justice to understanding matching patterns here, but let me say what matters in this situation. The matching pattern is a term that includes the bound variable (z), is larger than the bound variable itself (that is, z is not a valid matching pattern), and is not so large that it includes an interpreted symbol (here, +). Intuitively, if there were a matching pattern T(z), then if Z3 happened to encounter a term of the form T(m) for some term m, then it would instantiate the quantifier with z := m.

To rewrite your loop invariant so that Z3 can find a matching pattern for it, you can write:

invariant forall z :: x <= z < x + result ==> a[z] == a[z-x+y];

Here, the term a[z] is a good matching pattern. If you change your loop invariant to this one, then your program will verify (even without the assert in the loop body).

See http://rise4fun.com/Dafny/XKuk.

Rustan

New Post: [Dafny]Cannot verify the assertion which is the loop invariant

Yuyan — Sat, 20 Apr 2013 14:01:14 GMT

I specified the LCP problem: (http://rise4fun.com/Dafny/QPa8).

I think we translate a while statement (while(E) invariant J; {S}) as:

  assert J;
  havoc xs;
  assume J;
  if (E){ 
     S; 
     assert J;
     assume false;
  } else {}

Hence I would like to know why I cannot verify the assertion which is exactly the loop invariant.

According the execution traces at the end, I think the assertion (assertion1) below failed at anon23:

assert (forall z#5: int :: true ==> 0 <= z#5 && z#5 < result#3 ==> $Unbox(read($Heap, a#0, IndexField(x#1 + z#5))): int == $Unbox(read($Heap, a#0, IndexField(y#2 + z#5))): int);

However, the assertion(assertion2) below has been asserted in the loop head at anon0:

assert $w0 ==> (forall z#4: int :: true ==> 0 <= z#4 && z#4 < result#3 ==> $Unbox(read($Heap, a#0, IndexField(x#1 + z#4))): int == $Unbox(read($Heap, a#0, IndexField(y#2 + z#4))): int);

I am thinking assertion2 would be taken as an assumption in the following proof, which could entail assertion1. Therefore I am confused why the assertion1 failed.

Execution traces:

anon0:
    $_Frame := (lambda<alpha> $o: ref, $f: Field alpha :: $o != null && read($Heap, $o, alloc) ==> false);
    // ----- assignment statement ----- C:\Docs\2013SpringWork\paperreview\lcp.dfy(11,10)
    assume true;
    assume true;
    result#3 := 0;
    assume {:captureState "C:\Docs\2013SpringWork\paperreview\lcp.dfy(11,10)"} true;
    // ----- while statement ----- C:\Docs\2013SpringWork\paperreview\lcp.dfy(12,3)
    $PreLoopHeap0 := $Heap;
    $decr0$init$0 := _System.array.Length(a#0) - result#3;
    havoc $w0;
    goto anon25_LoopHead;

  anon25_LoopHead:
    assume $w0 ==> (0 <= result#3 ==> true) && (0 <= result#3 && result#3 + x#1 <= _System.array.Length(a#0) ==> true) && (0 <= result#3 && result#3 + x#1 <= _System.array.Length(a#0) && result#3 + y#2 <= _System.array.Length(a#0) ==> true);
    assert $w0 ==> 0 <= result#3;
    assert $w0 ==> result#3 + x#1 <= _System.array.Length(a#0);
    assert $w0 ==> result#3 + y#2 <= _System.array.Length(a#0);
    assert $w0 ==> x#1 != y#2;
    assume $w0 ==> (forall z#4: int :: true ==> (0 <= z#4 ==> true) && (0 <= z#4 && z#4 < result#3 ==> true));
    assert $w0 ==> (forall z#4: int :: true ==> 0 <= z#4 && z#4 < result#3 ==> $Unbox(read($Heap, a#0, IndexField(x#1 + z#4))): int == $Unbox(read($Heap, a#0, IndexField(y#2 + z#4))): int);
    assume (forall<alpha> $o: ref, $f: Field alpha :: { read($Heap, $o, $f) } $o != null && read(old($Heap), $o, alloc) ==> read($Heap, $o, $f) == read($PreLoopHeap0, $o, $f));
    assume $HeapSucc($PreLoopHeap0, $Heap);
    assume (forall<alpha> $o: ref, $f: Field alpha :: { read($Heap, $o, $f) } $o != null && read($PreLoopHeap0, $o, alloc) ==> read($Heap, $o, $f) == read($PreLoopHeap0, $o, $f) || $_Frame[$o, $f]);
    assume _System.array.Length(a#0) - result#3 <= $decr0$init$0 && (_System.array.Length(a#0) - result#3 == $decr0$init$0 ==> true);
    goto anon25_LoopDone, anon25_LoopBody;

  anon25_LoopBody:
    assume {:partition} true;
    goto anon26_Then, anon26_Else;

  anon26_Else:
    assume {:partition} $w0;
    goto anon13;

  anon13:
    assert a#0 != null;
    goto anon32_Then, anon32_Else;

  anon32_Then:
    assume {:partition} x#1 + result#3 < _System.array.Length(a#0);
    assert a#0 != null;
    goto anon15;

  anon15:
    goto anon33_Then, anon33_Else;

  anon33_Then:
    assume {:partition} x#1 + result#3 < _System.array.Length(a#0) && y#2 + result#3 < _System.array.Length(a#0);
    assert a#0 != null;
    assert 0 <= x#1 + result#3 && x#1 + result#3 < _System.array.Length(a#0);
    assert a#0 != null;
    assert 0 <= y#2 + result#3 && y#2 + result#3 < _System.array.Length(a#0);
    goto anon17;

  anon17:
    assume (x#1 + result#3 < _System.array.Length(a#0) ==> true) && (x#1 + result#3 < _System.array.Length(a#0) && y#2 + result#3 < _System.array.Length(a#0) ==> true);
    goto anon34_Then, anon34_Else;

  anon34_Else:
    assume {:partition} x#1 + result#3 < _System.array.Length(a#0) && y#2 + result#3 < _System.array.Length(a#0) && $Unbox(read($Heap, a#0, IndexField(x#1 + result#3))): int == $Unbox(read($Heap, a#0, IndexField(y#2 + result#3))): int;
    goto anon19;

  anon19:
    assume {:captureState "C:\Docs\2013SpringWork\paperreview\lcp.dfy(12,3): loop entered"} true;
    $decr0$0 := _System.array.Length(a#0) - result#3;
    // ----- assert statement ----- C:\Docs\2013SpringWork\paperreview\lcp.dfy(18,5)
    havoc z#13;
    goto anon35_Then, anon35_Else;

  anon35_Then:
    assume {:partition} 0 <= z#13;
    goto anon21;

 anon21:
    goto anon36_Then, anon36_Else;

anon36_Then:
    assume {:partition} 0 <= z#13 && z#13 < result#3;
    assert a#0 != null;
    assert {:subsumption 0} 0 <= x#1 + z#13 && x#1 + z#13 < _System.array.Length(a#0);
    assert a#0 != null;
    assert {:subsumption 0} 0 <= y#2 + z#13 && y#2 + z#13 < _System.array.Length(a#0);
    goto anon23;

  anon23:
    assume (forall z#5: int :: true ==> (0 <= z#5 ==> true) && (0 <= z#5 && z#5 < result#3 ==> true));
    assert (forall z#5: int :: true ==> 0 <= z#5 && z#5 < result#3 ==> $Unbox(read($Heap, a#0, IndexField(x#1 + z#5))): int == $Unbox(read($Heap, a#0, IndexField(y#2 + z#5))): int);
    // ----- assignment statement ----- C:\Docs\2013SpringWork\paperreview\lcp.dfy(20,12)
    assume true;
    assume true;
    result#3 := result#3 + 1;
    assume {:captureState "C:\Docs\2013SpringWork\paperreview\lcp.dfy(20,12)"} true;
    assert 0 <= $decr0$0 || _System.array.Length(a#0) - result#3 == $decr0$0;
    assert _System.array.Length(a#0) - result#3 < $decr0$0;
    assume (0 <= result#3 ==> true) && (0 <= result#3 && result#3 + x#1 <= _System.array.Length(a#0) ==> true) && (0 <= result#3 && result#3 + x#1 <= _System.array.Length(a#0) && result#3 + y#2 <= _System.array.Length(a#0) ==> true);
    assume (forall z#4: int :: true ==> (0 <= z#4 ==> true) && (0 <= z#4 && z#4 < result#3 ==> true));
    goto anon25_LoopHead;

New Post: Documentation of BVD

rustanleino — Tue, 16 Apr 2013 00:04:23 GMT

Have you ever used a dynamic debugger to figure out what's going wrong with the execution of a program? BVD is a bit similar. Do not expect it to explicitly advise you on how you must change your program to make it correct. Rather, think of it as dreaming up a counterexample to the correctness of your program and showing you that counterexample, and your job is then to prevent the verifier from thinking about this counterexample, either by fixing your program to render the counterexample impossible or to strengthen your specifications (typically, a loop invariant or a precondition) to constrain the verifier's dreams.

Perhaps you'll find the Dafny Guide useful in explaining how the verifier deals with loops and recursion.

Rustan

New Post: Documentation of BVD

asiif — Mon, 15 Apr 2013 23:54:18 GMT

Hi,

many thanks ! i already read that paper, but couldn't understand that "how to figure out the failing condition" , in particular how the values on different states in the program can help us to verify the program (as BVD is showing the memory values in different states of the program).

many thanks in advance !
-asif

New Post: Documentation of BVD

rustanleino — Mon, 15 Apr 2013 23:20:14 GMT

I recommend starting with the following BVD paper, "The Boogie Verification Debugger".

Rustan

New Post: Documentation of BVD

asiif — Wed, 10 Apr 2013 13:55:48 GMT

any help about documentation..

thanks
-asif

New Post: Documentation of BVD

asiif — Tue, 09 Apr 2013 11:35:34 GMT

Hi,

i am looking for more documentation in order to learn the BVD tool, I have only manage to found one paper on BVD. Any comments !

many thanks!

New Post: Boogie Grammar

schaef — Sun, 07 Apr 2013 05:33:46 GMT

Great, thanks. But running the latest version through Coco(.jar) gives me an error in:

ProcFormals<bool incoming, bool allowWhereClauses, out VariableSeq/*!*/ ds>

Coco/R (Apr 19, 2011)
-- line 224 col 52: ">" expected
-- line 224 col 75: "|" expected
2 errors detected

And I don't see the problem yet. Maybe, the Java version is outdated. Is this grammar working for C#?

New Post: Boogie Grammar

rustanleino — Fri, 05 Apr 2013 00:13:07 GMT

Yes, the Boogie grammar is recorded in the Coco parser-generator file Source/Core/BoogiePL.atg.

Rustan

New Post: Boogie Grammar

schaef — Fri, 05 Apr 2013 00:10:49 GMT

Hi,
Is there a grammar for Boogie readable by some parser generator? Didn't find it in the repository. I'm building a tool in Java which takes Boogie as input and I don't want to come up with yet another IVL, but writting the grammar by hand is somehow painful as well. So it would be cool to have s.th. that is "really" compatible.
-Martin

New Post: Inconsistency is reported when two conditions are conjuncted in an assertion.

Nightrise — Sat, 23 Mar 2013 00:01:14 GMT

In fact, I do not know why this happens, but I am very interested in this issue..

Nightrise

New Post: Refinement in Chalice

stefanheule — Wed, 06 Mar 2013 00:50:12 GMT

Hi Joao,

Stepwise refinement has stopped being supported when a major change to how functions and predicates are handled has been implemented (fixing a soundness issue). I believe the latest revision before this change was 1233b86dbd15.

Note however, that we have fixed several bugs and made other improvements to Chalice in the mean-time. You might find certain things not working correctly.

Best,
Stefan

PS: Also note that Chalice now has its own repository at chalice.codeplex.com.

New Post: Refinement in Chalice

jff — Tue, 05 Mar 2013 17:13:11 GMT

Hi,

I would like to experiment with Chalice to do some stepwise refinement, but when I run chalice on my example, I get an error message stating that stepwise refinements are currently not supported. I am using the default development version (default branch).

Which version do I have to use to experiment with stepwise refinement?

Many thanks in advance,
Joao

New Post: Inconsistency is reported when two conditions are conjuncted in an assertion.

Yuyan — Sun, 03 Mar 2013 23:09:21 GMT

Inconsistency is reported when two conditions (n.data == 5 and n.Valid()) are conjuncted in the assertion in a method Main. However It is fine if the two conditions are asserted separately.

class Node<T> {
  var list: seq<T>;
  var footprint: set<Node<T>>;

  var data: T;
  var next: Node<T>;

  function Valid(): bool
    reads this, footprint;
  {
    this in this.footprint && null !in this.footprint &&
    (next == null ==> list == [data]) &&
    (next != null ==>
        next in footprint && next.footprint <= footprint &&
        this !in next.footprint &&
        list == [data] + next.list &&
        next.Valid())
  }

  method Init(d: T)
    modifies this;
    ensures Valid() && fresh(footprint - {this});
    ensures list == [d];
    ensures data == d;
  {
    data := d;
    next := null;
    list := [d];
    footprint := {this};
  }

 method Main()
  {
    var n :=  new Node<int>.Init(5);
    //assert n.data == 5;
    //assert n.Valid();
    assert n.data == 5 && n.Valid(); // inconsistency occurs
  }
}

Thanks
Yuyan

New Post: How to use function's attribute?

Yuyan — Tue, 26 Feb 2013 12:14:30 GMT

OK.

Thanks
Yuyan