文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >Dafny:复制数组区域方法验证

Dafny:复制数组区域方法验证
EN

Stack Overflow用户
提问于 2015-12-02 23:05:20
回答 1查看 1.2K关注 0票数 3

我正在研究几种语言的语言比较,这些语言都考虑到了验证(Whiley,Dafny和Frama-C等)。给出了一个函数的示例,该函数将一个数组的区域复制到另一个数组中,在目标数组中具有不同的位置。我想出的规范在Dafny中是这样的:

代码语言:javascript
复制
method copy( src: array<int>, sStart: nat, dest: array<int>, dStart: nat, len: nat)
    returns (r: array<int>)
  // both arrays cannot be null
   requires dest != null && src != null
  // Source array must contain enough elements to be copied
   requires src.Length >= sStart + len
  // Destination array must have enough space for copied elements
   requires dest.Length >= dStart + len
  // Result is same size as dest
  ensures r != null
  ensures r.Length == dest.Length
  // All elements before copied region are same
   ensures r[..dStart] == dest[..dStart]
  // All elements above copied region are same
   ensures r[dStart + len..] == dest[dStart + len..]
  // All elements in copied region match src
   ensures forall k: nat :: k < len ==> r[dStart + k] == src[sStart + k]

{
    if len == 0 { return dest; }
    assert len > 0;
    var i: nat := 0;
    r := new int[dest.Length];
    while (i < r.Length)
      invariant i <= r.Length
      decreases r.Length - i
      invariant r.Length == dest.Length
      invariant forall k: nat :: k < i ==> r[k] == dest[k]
    {
        r[i] := dest[i];
        i := i + 1;
    }
    assume r[..] == dest[..];
    i := 0;
    while (i < len)
      invariant i <= len
      decreases len - i
      invariant r.Length == dest.Length
      invariant r.Length >= dStart + i
      invariant src.Length >= sStart + i
      invariant r[..dStart] == dest[..dStart]
      invariant r[(dStart + len)..] == dest[(dStart + len)..]
      invariant forall k: nat :: k < i ==> r[dStart + k] == src[sStart + k]
    {
        r[dStart + i] := src[sStart + i];
        i := i + 1;
    }
}

在上面的第二个while循环中,可能有一些不必要的不变量,因为我已经尝试涵盖了我所能想到的一切。但是,是的,这并不能证实,我很困惑为什么.

代码语言:javascript
复制
Dafny/copy.dfy(35,4): Error BP5003: A postcondition might not hold on this return path.
Dafny/copy.dfy(17,11): Related location: This is the postcondition that might not hold.
Execution trace:
    (0,0): anon0
    (0,0): anon19_Else
    Dafny/copy.dfy(24,5): anon20_LoopHead
    (0,0): anon20_LoopBody
    Dafny/copy.dfy(24,5): anon21_Else
    (0,0): anon23_Then
    Dafny/copy.dfy(35,5): anon24_LoopHead
    (0,0): anon24_LoopBody
    Dafny/copy.dfy(35,5): anon25_Else
    (0,0): anon27_Then
Dafny/copy.dfy(43,16): Error BP5005: This loop invariant might not be maintained by the loop.
Execution trace:
    (0,0): anon0
    (0,0): anon19_Else
    Dafny/copy.dfy(24,5): anon20_LoopHead
    (0,0): anon20_LoopBody
    Dafny/copy.dfy(24,5): anon21_Else
    (0,0): anon23_Then
    Dafny/copy.dfy(35,5): anon24_LoopHead
    (0,0): anon24_LoopBody
    Dafny/copy.dfy(35,5): anon25_Else
    Dafny/copy.dfy(35,5): anon27_Else

Dafny program verifier finished with 1 verified, 2 errors
arrays
verification
dafny
EN

回答 1

Stack Overflow用户

回答已采纳

发布于 2015-12-04 22:13:25

您可以通过增加一个不变量来验证它。

代码语言:javascript
复制
invariant r[dStart .. dStart + i] == src[sStart .. sStart + i]

如:

代码语言:javascript
复制
while (i < len)
  invariant i <= len
  decreases len - i
  invariant r.Length == dest.Length
  invariant r.Length >= dStart + i
  invariant src.Length >= sStart + i
  invariant r[..dStart] == dest[..dStart]
  invariant r[(dStart + len)..] == dest[(dStart + len)..]
  invariant r[dStart .. dStart + i] == src[sStart .. sStart + i]
  invariant forall k: nat :: k < i ==> r[dStart + k] == src[sStart + k]

顺便说一句,如果你想的话,我想你可以去掉很多不变量。

代码语言:javascript
复制
method copy( src: array<int>, sStart: nat, dest: array<int>, dStart: nat, len: nat)
    returns (r: array<int>)
  // both arrays cannot be null
   requires dest != null && src != null
  // Source array must contain enough elements to be copied
   requires src.Length >= sStart + len
  // Destination array must have enough space for copied elements
   requires dest.Length >= dStart + len
  // Result is same size as dest
  ensures r != null
  ensures r.Length == dest.Length
  // All elements before copied region are same
   ensures r[..dStart] == dest[..dStart]
  // All elements above copied region are same
   ensures r[dStart + len..] == dest[dStart + len..]
  // All elements in copied region match src
   ensures forall k: nat :: k < len ==> r[dStart + k] == src[sStart + k]

{
    if len == 0 { return dest; }
    var i: nat := 0;
    r := new int[dest.Length];
    while (i < r.Length)
      invariant i <= r.Length
      invariant r[..i] == dest[..i]
    {
        r[i] := dest[i];
        i := i + 1;
    }

    i := 0;
    while (i < len)
      invariant i <= len
      invariant r[..dStart] == dest[..dStart]
      invariant r[(dStart + len)..] == dest[(dStart + len)..]
      invariant r[dStart .. dStart + i] == src[sStart .. sStart + i]
      {
        r[dStart + i] := src[sStart + i];
        i := i + 1;
    }
}
票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/34054804

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档