specsharp Discussions Rss Feed

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

paolanto — Wed, 01 May 2013 21:05:17 GMT

Hello.

As expected, it worked. Thank you very much!

Cheers,
Paolo

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

mueller — Tue, 30 Apr 2013 04:25:58 GMT

Hi,

Your reasoning is correct. All you need to add to your Clone method is

ensures result.IsNew;

Cheers,
Peter

New Post: Using a cloned object as if it were newly instantiated - verifier complaining about 'modifies' clause

paolanto — Sat, 27 Apr 2013 21:21:53 GMT

Hello.

I have a question, if anybody has a minute.

The Spec# tutorial introduces at some point a Rectangle class. This class has a Clone() method.

  public Rectangle Clone()
  {
    Rectangle res = new Rectangle();
    res.X = X;
    res.Y = Y;
    res.Dx = Dx;
    res.Dy = Dy;
    return res;
  }

Now, I am trying to do this:

// Somewhere in the code
    static void foo() {
        Rectangle rect = new Rectangle();
        rect.MoveToOrigin(); // no problems here
        Rectangle rect2 = rect.Clone();
        rect2.MoveToOrigin(); // the verifier complains here!
    }

The verifier's warning is this: method invocation may violate the modifies clause of the enclosing method

Now, I think this happens because the verifier doesn't know that the rectangle returned by clone is a new, fresh clone created on the spot and to which the previous rectangle doesn't hold any reference.

My intuition is that there must be some tag/attribute/whatever that I should add to the Clone() method which basically promises this, but I don't know how and I can't find any documentation about this. The Spec# tutorial doesn't seem to mention that. I tried [Fresh], ensures Owner.None(result) and other stuff with no luck.

Any hints?

Thank you

New Post: Collection of Different types of object

jagadeest — Thu, 17 Jan 2013 23:28:33 GMT

In Royal&Loyal model, Can we collect the detail of Customer and Customer card details based on common constraint as customer name or id??

New Post: Collection of Different types of object

rustanleino — Thu, 17 Jan 2013 18:46:37 GMT

I don't understand your question. Can you describe it in more detail or give an example?

New Post: Collection of Different types of object

jagadeest — Thu, 17 Jan 2013 14:05:48 GMT

Is there any possibility to collect the different types of object with common constraint in spec#?

New Post: Nested use of Quantifiers

ankitdixit — Sun, 13 Jan 2013 15:33:59 GMT

Thanks

New Post: Nested use of Quantifiers

mueller — Sun, 13 Jan 2013 15:26:55 GMT

After fixing the curly braces in the postcondition to

ensures (result == true) ==>
exists{ int x in (-100:100); exists{int y in (-100:100); y==10}};

the code compiles on my Spec# installation (which I built from the sources). However, it throws an exception on rise4fun. We'll try to investigate why.

Both postconditions do not verify, which is due to the weak support for existential quantifiers.

Peter

New Post: Nested use of Quantifiers

AnkitDixit — Sun, 06 Jan 2013 01:17:09 GMT

Does Spec# support nested use of quantifications.

If it does, can anyone please correct the example given below so that it gets compiled

(The postcondition i want to verify is given commented, but i cannot even get the uncommented one to compile)

public class C
{
int p11x,p11y,p12x,p12y,p21x,p21y,p22x,p22y;
public C(int p1,int p2,int p3,int p4,int p5,int p6,int p7,int p8)
{
    p11x=p1;
    p11y=p2;
    p12x=p3;
    p12y=p4;
    p21x=p5;
    p21y=p6;
    p22x=p7;
    p22y=p8;

    
 }
bool intersect()
ensures (result == true) ==> exists{ int x in (-100:100);{exists{int y in (-100:100); y==10};
//ensures (result == true) ==> exists{ int x in (-100:100);{exists{int y in (-100:100);{(y-p11y)*(p12x-p11x) -(p12y-p11y)*(x-p11x)==0 && (p11x <= x) && (x <= p12x) }}};
{
	int test1, test2;
	test1 = (( (p12x - p11x) * (p21y -p11y ))- ((p21x - p11x) * (p12y - p11y))) * (( (p12x - p11x) * (p22y -p11y ))- ((p22x - p11x) * (p12y - p11y)));
	test2 = (( (p22x - p21x) * (p11y -p21y ))- ((p11x - p21x) * (p22y - p21y))) * (( (p22x - p21x) * (p12y -p21y ))- ((p12x - p21x) * (p22y - p21y)));
	bool result =(test1 <= 0) && (test2 <= 0);
  return result;
}
}

New Post: Problem while trying to use the quantifiers in pre-post condition

ankitdixit — Fri, 04 Jan 2013 10:58:09 GMT

I am not talking about any specific example, but in general. The post-condition and example i have is pretty complex,so I am not posting it here, I tried, in all the examples provided on the page, this assertion seems to fail for all of them. It would nice of you even if you could give me any workaround,such that I could write my conditions in a different way and make them work(I tried negating, and using forall quantifier but that doesnot works ).

For example:

class Example

{

int x;
void Inc(int y)

ensures exists{int i in (-10:10); i==0};

{ x += y;

}

New Post: Problem while trying to use the quantifiers in pre-post condition

mueller — Wed, 02 Jan 2013 22:18:22 GMT

Unfortunately, SMT solvers such as Z3, which is the prover behind Spec#, have weak support for existential quantifiers. It is sometimes possible to provide intermediate assertions that help Z3 find a witness for the quantified variable, but I have no suggestion how to fix your example. If this is part of a bigger example, you could post the entire method; maybe we can come up with a fix then.

Cheers,
Peter

New Post: Problem while trying to use the quantifiers in pre-post condition

AnkitDixit — Wed, 02 Jan 2013 03:42:58 GMT

When I try to write a simple program postcondition, which should be trivially true,I get unsatisfied postcondition as output.

Here is my postcondition:

there exists an integer i in range (-10:10), such that i==0,i.e.

ensures exists{int i in (-10:10); i==0};

according to me this postcondition should be trivially true for all examples, but thats not the case.

Please help me

Thanks, in advance

New Post: Spec# is what C# 1.0 should have been

JoanVenge — Wed, 26 Dec 2012 22:48:48 GMT

Are there anyone who feels the same way? Spec# seems like it's thought out and executed much better than C# 4.0.

If C# was Spec# with all the fluff taken out from C# 4.0, i.e. non generics, etc, extensions everthing, reference to be non-nullable by default, Maybe type, etc, and frozen in time, it would have been perfect.

Even great features of Spec# is plagued by these flaws, no? For example the non-nullable references in the language, there are still null checks done behind the scenes for these, right?

I remember watching a video where Anders was saying that they made a mistake by not making references non-nullable by default and that they could have achieved much better performance and code clarity. It seems like there is no way around this to have true non-nullable references in any .NET language due to CLR.

Anyway just thought I would get your thoughts on the subject.

New Post: Array Permutation

mueller — Tue, 27 Nov 2012 15:07:04 GMT

I think your postcondition does not verify since the second count-comprehension should range over (0:a.Length) rather than (0:i). This is probably a copy-and-paste error. The fixed condition does verify on my system. Isn't it great to have a verifier? :-)

I am sorry about the bug you ran into. We will look into this and see whether we can fix it.

Cheers,
Peter

New Post: Array Permutation

othrez — Mon, 26 Nov 2012 09:55:35 GMT

Thanks!

Your workaround permits to get rid of the error.

But I still have problems proving that the following holds after a simple swap:

  ensures forall{int k in (0:a.Length); count{int v in (0:a.Length); a[v] == b[k]} == count{int u in (0:i); b[u] == b[k]}};

So I try to prove it in the case where there is no swap by using the dummy function:

  [Pure]
  static bool Lemma(int[]! a, int[]! b)
  requires a.Length == b.Length;
  requires forall{int i in (0:a.Length); a[i] == b[i]};
//  ensures forall{int k in (0:a.Length); count{int v in (0:a.Length); a[v] == b[k]} == count{int u in (0:i); b[u] == b[k]}};
  {
    return true;
  }

But Spec# throws a quite "deep" error that starts with

"Error 1 Internal Compiler Error: System.NullReferenceException: Object reference not set to an instance of an object.
at System.Compiler.Normalizer.VisitBinaryExpression(BinaryExpression binaryExpression) in c:\codeplex_current_build\specsharp\SpecSharp\System.Compiler.Framework\Compiler\Normalizer.cs:line 752"

You can find the complete listing of the error here.

Thanks for your help!

New Post: Array Permutation

mueller — Fri, 23 Nov 2012 21:15:28 GMT

Hi,

You get the error because Spec# does not permit quantified variables within old-expressions. So the "old(a[u])" is what it complains about. Maybe as a workaround,you could pass two copies of the array (which you can express in a precondition) and modify only one of them. You can view the second array as a ghost parameter, which you use for specifications, but which is not needed to execute the program:

static void simpleSwap(int[]! a, int[]! b, int i, int j)
  requires a != b && a.Length == b.Length;
  requires forall{int i in (0:a.Length); a[i] == b[i]};
  modifies a;  // but not b

Then you can replace "old(a[u])" by "b[u]".

Cheers,
   Peter

New Post: Array Permutation

othrez — Thu, 22 Nov 2012 15:42:58 GMT

Hello,

My question is related to sorting algorithms, and how to fully specify them using SpecSharp (see QuickSort).

For instance I would like to be able to specify that the content of the array before and after calling the sorting function is the same.

I guess one way to do it is to use the following post-condition, giving that 'a' is the array being sorted:

  ensures forall{int k in (0:i); count{int v in (0:i); a[v] == a[k]} == count{int u in (0:i); old(a[u]) == a[k]}};

The problem is that SpecSharp throws then the following error:

C:\Windows\system32\unknown file(1,1): error CS2663: internal error: 7 name resolution errors detected

Which apparently is not well documented in this forum.

Here is the full source code:

using System;
using Microsoft.Contracts;

public class Program
{
  static void Main(string![]! args) {
    Console.WriteLine("Spec# says hello!");
  }

  static void simpleSwap(int[]! a, int i, int j)
  requires 0 <= i && i < a.Length;
  requires 0 <= j && j < a.Length;
  modifies a[i], a[j];
  ensures a[i] == old(a[i]);
  ensures a[j] == old(a[j]);
  ensures forall{int k in (0:i); count{int v in (0:i); a[v] == a[k]} == count{int u in (0:i); old(a[u]) == a[k]}};
  {
    int swapDude;
	swapDude = a[i];
	a[i] = a[j];
	a[i] = swapDude;
  }

}

Thanks!

New Post: Object invariant - a simple subset relationship

rustanleino — Wed, 17 Oct 2012 21:59:07 GMT

Sounds like a nice exercise. Are you hoping to (statically) verify properties about the program, or is your focus the writing of the specifications (and perhaps getting run-time checks)?

If it's the latter, then Spec# is probably fine. The ownership of the tiles will require some care. I don't remember, but I think Spec# does this better (or only?) for single-dimensional arrays. If it is possible for you to represent the tiles as integers, you'll avoid both the == vs. .Equals issue as well as ownership issues.

If it's the former (that is, you want to verify the program statically), then Dafny will be a much better choice. You can also compile and execute Dafny programs, but there are no UI libraries, for example. (I'd be delighted if someone would write such libraries for Dafny, even simple ones.)

Rustan

New Post: Object invariant - a simple subset relationship

Ergotron — Tue, 16 Oct 2012 15:24:47 GMT

Hi Rustan,

Thanks for your thoughts. I was thinking about having a class that
represents the state of a scrabble game. Thinking about it in Z
terminology, there is a set of tiles in a bag (or even a bag of tiles
in a bag), two size-7 sets on two racks and a partial function from
{0..WIDTH-1} x {0..WIDTH-1} to tile, commonly called a 2D array. Tiles
could be characters but perhaps should be tagged to keep tiles unique
eg the 1st A, 2nd A etc. An important decision but one yet to be made.
I'm keeping it open because maybe Spec# would be better with
primitives, though counting the A's would be a bit tricky.

I don't know whether this is an appropriate use of Spec# but you could
have an object invariant that says every tile must have been in the
bag originally and every tile that was in the bag has not "fallen
under the table" ie it's still in the bag, on a rack or on the board.
Except for the board, I certainly want sets (but I think they were
introduced to C# later than 2.0 and I can't use later libraries).
However, even if I can't have sets, I want to model sets as 1D arrays
and be able to test for subset inclusion. I thought I would write a
method to check for this, so I could then use it in the object
invariant. That's why you see the method I've shown you.

I'm not really experienced enough with Spec# to know what I can expect
it to do for me but maybe you can tell me how this sounds. Also, on a
minor, more easily correctable point, I don't know if I should be
using == or Equals, but I had no luck with == either; I'm sure I have
bigger problems that just that though.

Ian

New Post: Difficulty running Spec# at all

Ergotron — Tue, 16 Oct 2012 15:24:07 GMT

HI,

Thanks. We'll try that, and look for the possible error message I
might get from the link that Rustan posted.

Ian

On 12 October 2012 09:22, wuestholz <notifications@codeplex.com> wrote:
> From: wuestholz
>
> Hi Ian,
>
> that's very strange since I've been using it on Windows 7 for quite some
> time without any problems. Could you maybe try to run Spec# from the command
> line to see if it's Visual Studio that causes the problem?
>
> Best regards,
>
> Valentin
>
> Read the full discussion online.
>
> To add a post to this discussion, reply to this email
> ([email removed])
>
> To start a new discussion for this project, email
> [email removed]
>
> You are receiving this email because you subscribed to this discussion on
> CodePlex. You can unsubscribe on CodePlex.com.
>
> Please note: Images and attachments will be removed from emails. Any posts
> to this discussion will also be available online at CodePlex.com