Spec#

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

paolanto — Wed, 01 May 2013 21:05:17 GMT

Hello.

As expected, it worked. Thank you very much!

Cheers,
Paolo

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

mueller — Tue, 30 Apr 2013 04:25:58 GMT

Hi,

Your reasoning is correct. All you need to add to your Clone method is

ensures result.IsNew;

Cheers,
Peter

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

paolanto — Sat, 27 Apr 2013 21:21:53 GMT

Hello.

I have a question, if anybody has a minute.

The Spec# tutorial introduces at some point a Rectangle class. This class has a Clone() method.

  public Rectangle Clone()
  {
    Rectangle res = new Rectangle();
    res.X = X;
    res.Y = Y;
    res.Dx = Dx;
    res.Dy = Dy;
    return res;
  }

Now, I am trying to do this:

// Somewhere in the code
    static void foo() {
        Rectangle rect = new Rectangle();
        rect.MoveToOrigin(); // no problems here
        Rectangle rect2 = rect.Clone();
        rect2.MoveToOrigin(); // the verifier complains here!
    }

The verifier's warning is this: method invocation may violate the modifies clause of the enclosing method

Now, I think this happens because the verifier doesn't know that the rectangle returned by clone is a new, fresh clone created on the spot and to which the previous rectangle doesn't hold any reference.

My intuition is that there must be some tag/attribute/whatever that I should add to the Clone() method which basically promises this, but I don't know how and I can't find any documentation about this. The Spec# tutorial doesn't seem to mention that. I tried [Fresh], ensures Owner.None(result) and other stuff with no luck.

Any hints?

Thank you

Source code checked in, #9ded16cfa629

Rustan Leino — Sat, 09 Feb 2013 00:12:05 GMT

Changed non-null types in ctor signatures to be checked internally to the methods, thereby avoiding the try block with the ContractMarkerException that is causing problems with PEVerify.

Created Issue: website link for z3 on the home page should be updated [10114]

cl1motorsports — Tue, 29 Jan 2013 21:12:13 GMT

z3 has been moved to codeplex, the new uri is http://z3.codeplex.com/

New Post: Collection of Different types of object

jagadeest — Thu, 17 Jan 2013 23:28:33 GMT

In Royal&Loyal model, Can we collect the detail of Customer and Customer card details based on common constraint as customer name or id??

New Post: Collection of Different types of object

rustanleino — Thu, 17 Jan 2013 18:46:37 GMT

I don't understand your question. Can you describe it in more detail or give an example?

New Post: Collection of Different types of object

jagadeest — Thu, 17 Jan 2013 14:05:48 GMT

Is there any possibility to collect the different types of object with common constraint in spec#?

New Post: Nested use of Quantifiers

ankitdixit — Sun, 13 Jan 2013 15:33:59 GMT

Thanks

New Post: Nested use of Quantifiers

mueller — Sun, 13 Jan 2013 15:26:55 GMT

After fixing the curly braces in the postcondition to

ensures (result == true) ==>
exists{ int x in (-100:100); exists{int y in (-100:100); y==10}};

the code compiles on my Spec# installation (which I built from the sources). However, it throws an exception on rise4fun. We'll try to investigate why.

Both postconditions do not verify, which is due to the weak support for existential quantifiers.

Peter

New Post: Nested use of Quantifiers

AnkitDixit — Sun, 06 Jan 2013 01:17:09 GMT

Does Spec# support nested use of quantifications.

If it does, can anyone please correct the example given below so that it gets compiled

(The postcondition i want to verify is given commented, but i cannot even get the uncommented one to compile)

public class C
{
int p11x,p11y,p12x,p12y,p21x,p21y,p22x,p22y;
public C(int p1,int p2,int p3,int p4,int p5,int p6,int p7,int p8)
{
    p11x=p1;
    p11y=p2;
    p12x=p3;
    p12y=p4;
    p21x=p5;
    p21y=p6;
    p22x=p7;
    p22y=p8;

    
 }
bool intersect()
ensures (result == true) ==> exists{ int x in (-100:100);{exists{int y in (-100:100); y==10};
//ensures (result == true) ==> exists{ int x in (-100:100);{exists{int y in (-100:100);{(y-p11y)*(p12x-p11x) -(p12y-p11y)*(x-p11x)==0 && (p11x <= x) && (x <= p12x) }}};
{
	int test1, test2;
	test1 = (( (p12x - p11x) * (p21y -p11y ))- ((p21x - p11x) * (p12y - p11y))) * (( (p12x - p11x) * (p22y -p11y ))- ((p22x - p11x) * (p12y - p11y)));
	test2 = (( (p22x - p21x) * (p11y -p21y ))- ((p11x - p21x) * (p22y - p21y))) * (( (p22x - p21x) * (p12y -p21y ))- ((p12x - p21x) * (p22y - p21y)));
	bool result =(test1 <= 0) && (test2 <= 0);
  return result;
}
}

New Post: Problem while trying to use the quantifiers in pre-post condition

ankitdixit — Fri, 04 Jan 2013 10:58:09 GMT

I am not talking about any specific example, but in general. The post-condition and example i have is pretty complex,so I am not posting it here, I tried, in all the examples provided on the page, this assertion seems to fail for all of them. It would nice of you even if you could give me any workaround,such that I could write my conditions in a different way and make them work(I tried negating, and using forall quantifier but that doesnot works ).

For example:

class Example

{

int x;
void Inc(int y)

ensures exists{int i in (-10:10); i==0};

{ x += y;

}

New Post: Problem while trying to use the quantifiers in pre-post condition

mueller — Wed, 02 Jan 2013 22:18:22 GMT

Unfortunately, SMT solvers such as Z3, which is the prover behind Spec#, have weak support for existential quantifiers. It is sometimes possible to provide intermediate assertions that help Z3 find a witness for the quantified variable, but I have no suggestion how to fix your example. If this is part of a bigger example, you could post the entire method; maybe we can come up with a fix then.

Cheers,
Peter

New Post: Problem while trying to use the quantifiers in pre-post condition

AnkitDixit — Wed, 02 Jan 2013 03:42:58 GMT

When I try to write a simple program postcondition, which should be trivially true,I get unsatisfied postcondition as output.

Here is my postcondition:

there exists an integer i in range (-10:10), such that i==0,i.e.

ensures exists{int i in (-10:10); i==0};

according to me this postcondition should be trivially true for all examples, but thats not the case.

Please help me

Thanks, in advance

New Post: Spec# is what C# 1.0 should have been

JoanVenge — Wed, 26 Dec 2012 22:48:48 GMT

Are there anyone who feels the same way? Spec# seems like it's thought out and executed much better than C# 4.0.

If C# was Spec# with all the fluff taken out from C# 4.0, i.e. non generics, etc, extensions everthing, reference to be non-nullable by default, Maybe type, etc, and frozen in time, it would have been perfect.

Even great features of Spec# is plagued by these flaws, no? For example the non-nullable references in the language, there are still null checks done behind the scenes for these, right?

I remember watching a video where Anders was saying that they made a mistake by not making references non-nullable by default and that they could have achieved much better performance and code clarity. It seems like there is no way around this to have true non-nullable references in any .NET language due to CLR.

Anyway just thought I would get your thoughts on the subject.

New Post: Array Permutation

mueller — Tue, 27 Nov 2012 15:07:04 GMT

I think your postcondition does not verify since the second count-comprehension should range over (0:a.Length) rather than (0:i). This is probably a copy-and-paste error. The fixed condition does verify on my system. Isn't it great to have a verifier? :-)

I am sorry about the bug you ran into. We will look into this and see whether we can fix it.

Cheers,
Peter

New Post: Array Permutation

othrez — Mon, 26 Nov 2012 09:55:35 GMT

Thanks!

Your workaround permits to get rid of the error.

But I still have problems proving that the following holds after a simple swap:

  ensures forall{int k in (0:a.Length); count{int v in (0:a.Length); a[v] == b[k]} == count{int u in (0:i); b[u] == b[k]}};

So I try to prove it in the case where there is no swap by using the dummy function:

  [Pure]
  static bool Lemma(int[]! a, int[]! b)
  requires a.Length == b.Length;
  requires forall{int i in (0:a.Length); a[i] == b[i]};
//  ensures forall{int k in (0:a.Length); count{int v in (0:a.Length); a[v] == b[k]} == count{int u in (0:i); b[u] == b[k]}};
  {
    return true;
  }

But Spec# throws a quite "deep" error that starts with

"Error 1 Internal Compiler Error: System.NullReferenceException: Object reference not set to an instance of an object.
at System.Compiler.Normalizer.VisitBinaryExpression(BinaryExpression binaryExpression) in c:\codeplex_current_build\specsharp\SpecSharp\System.Compiler.Framework\Compiler\Normalizer.cs:line 752"

You can find the complete listing of the error here.

Thanks for your help!

New Post: Array Permutation

mueller — Fri, 23 Nov 2012 21:15:28 GMT

Hi,

You get the error because Spec# does not permit quantified variables within old-expressions. So the "old(a[u])" is what it complains about. Maybe as a workaround,you could pass two copies of the array (which you can express in a precondition) and modify only one of them. You can view the second array as a ghost parameter, which you use for specifications, but which is not needed to execute the program:

static void simpleSwap(int[]! a, int[]! b, int i, int j)
  requires a != b && a.Length == b.Length;
  requires forall{int i in (0:a.Length); a[i] == b[i]};
  modifies a;  // but not b

Then you can replace "old(a[u])" by "b[u]".

Cheers,
   Peter

Source code checked in, #a025f4e6cb71

CodeplexBot — Fri, 23 Nov 2012 06:03:09 GMT

SpecSharp build succeeded

New Post: Array Permutation

othrez — Thu, 22 Nov 2012 15:42:58 GMT

Hello,

My question is related to sorting algorithms, and how to fully specify them using SpecSharp (see QuickSort).

For instance I would like to be able to specify that the content of the array before and after calling the sorting function is the same.

I guess one way to do it is to use the following post-condition, giving that 'a' is the array being sorted:

  ensures forall{int k in (0:i); count{int v in (0:i); a[v] == a[k]} == count{int u in (0:i); old(a[u]) == a[k]}};

The problem is that SpecSharp throws then the following error:

C:\Windows\system32\unknown file(1,1): error CS2663: internal error: 7 name resolution errors detected

Which apparently is not well documented in this forum.

Here is the full source code:

using System;
using Microsoft.Contracts;

public class Program
{
  static void Main(string![]! args) {
    Console.WriteLine("Spec# says hello!");
  }

  static void simpleSwap(int[]! a, int i, int j)
  requires 0 <= i && i < a.Length;
  requires 0 <= j && j < a.Length;
  modifies a[i], a[j];
  ensures a[i] == old(a[i]);
  ensures a[j] == old(a[j]);
  ensures forall{int k in (0:i); count{int v in (0:i); a[v] == a[k]} == count{int u in (0:i); old(a[u]) == a[k]}};
  {
    int swapDude;
	swapDude = a[i];
	a[i] = a[j];
	a[i] = swapDude;
  }

}

Thanks!