Skip to main content
414 questions
Newest Active Bountied Unanswered
1 vote
1 answer
107 views

Obviously, the set of nonnegative integers below n has cardinality n. But dafny seemingly can't prove it: method FirstNonnegatives(n: nat) returns (s: set<nat>) ensures |s| == n { s := ...
Frank Seidl's user avatar
  • 182
1 vote
2 answers
65 views

I'm having trouble proving this within a while loop in Dafny: assert multiset(seqa) == multiset(seqa[..i] + seqa[i..]); Note: An invariant exists ensuring that 0 <= i <= |seqa|. There are no ...
Marko K's user avatar
  • 11
1 vote
1 answer
61 views

Consider the following code: void incr(int *a, int *b) { (*a)++; (*b)++; } void f(int *a, int *b) { incr(a, b); incr(a, a); } The incr function admits two specifications: {a ↦ n * b ↦ m}...
tymmym's user avatar
  • 500
3 votes
2 answers
141 views

I have this very simple example. /*@ requires a >= 0 && a <= 2; assigns \nothing; ensures \result < 10; */ int bob(int a) { return 1 << a; } When I try to prove this ...
Henrik Sommerland's user avatar
  • 637
1 vote
1 answer
63 views

ghost predicate AllZero(a: array<int>, n: bv32) reads a { a.Length == (n as int) && (forall i :: 0 <= i < n ==> a[i] == 0) } I need to use the result of binary ...
AlumKal's user avatar
  • 63
4 votes
1 answer
122 views

I am learning about formal verification and using frama-c and the WP plug-in, and after reading some papers and following the WP Tutorial by Allan Blanchard, I decide to try to verify a function not ...
Pedro Cruz's user avatar
  • 63
0 votes
0 answers
29 views

I am trying to prove a sorting algorithm, following the KeY textbook for reference (class SortPerm in chapter 16). I started with insertion sort but tried splitting it into multiple methods to make it ...
user20218711's user avatar
  • 1
1 vote
3 answers
99 views

I apologize for the somewhat vague question title -- I honestly don't know how to ask this more precisely. Why does the following code verify? ghost function {:axiom} max(a: int, b: int) : int ...
LTB's user avatar
  • 71
0 votes
0 answers
28 views

I have a project for the Embedded System Design course where I need to model a fault-tolerant sensor reading mechanism. I have reduce the system to only the important parts. The system relies on error ...
Brenno Ferreira's user avatar
  • 25
-1 votes
2 answers
79 views

In simple words: If A and B are equivalent multisets, then elements not in A are not in B as well. lemma ElementExclusionLemma<T>(seqa: seq<T>, seqb: seq<T>, x: T) ensures multiset(...
f1sherb0y's user avatar
  • 13
1 vote
2 answers
55 views

I'm working with Dafny and trying to understand how specifications, particularly modifies and ensures multiset, affect verification. I have a method do_nothing which is specified to modify an array a ...
f1sherb0y's user avatar
  • 13
2 votes
1 answer
197 views

I am quite comfortable with Agda. I decided to experiment with Lean, but I find that propositional equality is really messing with me. Sometimes I find that rfl just works, but at other times it doesn'...
Joris KBos's user avatar
  • 57
0 votes
1 answer
79 views

I am trying to solve Halmos' handshake problem (Section 2.3) using Alloy 4 (I am required to use Alloy 4 for my university course; however this problem sheet is not part of my coursework, I am trying ...
ZarakshR's user avatar
  • 1,840
2 votes
1 answer
113 views

I'm working through Leino's nice book "Program proofs" ((c) date 2023). The book is really well-written, explains thoroughly and progresses exactly as I need. But as I'm reproducing examples ...
LTB's user avatar
  • 71
1 vote
0 answers
71 views

Motivation I'm picturing a hypothetical update process for critical services, that might work like this (using C and POSIX names): Download the new update binary, to a separate place than current ...
ijustlovemath's user avatar
  • 978

15 30 50 per page
1
2 3 4 5
28