Dafny Example, Boogie Compilation, and Weakest Preconditions
============================================================

Cell example to motivate framing
================================

```dafny
class Cell {
  var contents: int;

  function Valid(): bool
    reads this;
  { contents > 0 }

  method Init()
    modifies this;
    ensures Valid();
    ensures contents == 1;
  { contents := 1; }

  method Mutate()
    requires Valid();
    modifies this;
    ensures Valid();
    ensures contents > old(contents);
  { contents := contents * 2; }
}

method TestCell() {
  var cell := new Cell;
  var cell2 := new Cell;
  cell.Init();
  cell2.Init();
  cell.Mutate();
  assert cell.contents > 1;
  assert cell2.contents == 1;
  assert cell2.Valid();
}
```

Boogie version of TestCell()
----------------------------

```boogie
{
  // we know Heap[cell,contents] == 1 && Valid(cell, Heap)
  // we know Heap[cell2,contents] == 1 && Valid(cell2, Heap)
  assume cell != null && cell2 != null && cell != cell2;

  // call to Mutate here
  assert cell != null;
  assert Valid(cell, Heap);
  var oldHeap = Heap;
  havoc Heap;                                             // Heap = **complete randomness**
  assume forall l : Heap[l] == oldHeap[l] || l == cell;   // frame from `modifies this`: only cell may have changed
  assume Valid(cell, Heap);
  assume Heap[cell,contents] > oldHeap[cell,contents];

  assert Heap[cell,contents] > 1;
  assert Heap[cell2,contents] == 1;
  assert Valid(cell2, Heap);
}
```

Weakest Precondition Analysis of the Boogie Client Code
-------------------------------------------------------

Working backwards from `assert Heap[cell2,contents] == 1`, using `wp(assume P, Q) = P ==> Q` and `wp(havoc x, Q) = forall x, Q`. (The two `assume`s about `cell` that sit between the frame `assume` and this `assert` only add hypotheses that are not needed for it, so they are left out of the derivation.)

```
wp("...; assume (forall l : Heap[l] == oldHeap[l] || l == cell)",  Heap[cell2,contents] == 1)

= wp("...; havoc Heap",
     (forall l : Heap[l] == oldHeap[l] || l == cell) ==> Heap[cell2,contents] == 1)

= wp("...; var oldHeap = Heap",
     forall Heap, (forall l : Heap[l] == oldHeap[l] || l == cell) ==> Heap[cell2,contents] == 1)

= wp("...; assume cell != cell2",
     forall newHeap, (forall l : newHeap[l] == Heap[l] || l == cell) ==> newHeap[cell2,contents] == 1)

= wp("...; assume Heap[cell2,contents] == 1",
     cell != cell2 ==> forall newHeap, (forall l : newHeap[l] == Heap[l] || l == cell) ==> newHeap[cell2,contents] == 1)

= Heap[cell2,contents] == 1 ==> cell != cell2 ==>
     forall newHeap, (forall l : newHeap[l] == Heap[l] || l == cell) ==> newHeap[cell2,contents] == 1
```

In the `var oldHeap = Heap` step, `oldHeap` is replaced by the current `Heap`; the havoc'd heap bound by the outer `forall` is therefore renamed to `newHeap` so that the substitution does not capture it. The resulting condition is valid: the frame condition leaves every location other than `cell`'s unchanged, and `cell != cell2` makes `cell2`'s `contents` one of those locations, which is exactly why the second `assert` goes through without re-examining `Mutate`'s body.