The following constructor does not work and fails at parent !in Repr. Why can't Dafny prove the postcondition that parent is not part of the Repr set?
constructor Init(x: HashObj, parent:Node?)
ensures Valid() && fresh(Repr - {this, data})
ensures Contents == {x.get_hash()}
ensures Repr == {this, data};
ensures left == null;
ensures right == null;
ensures data == x;
ensures parent != null ==> parent !in Repr;
ensures this in Repr;
{
data := x;
left := null;
right := null;
Contents := {x.get_hash()};
Repr := {this} + {data};
}
I'm guessing that HashObj is a trait? (If it's a class, then your example verifies for me.) The verification fails because the verifier thinks x might equal parent.

The verifier ought to know that Node is not a HashObj (unless, of course, your class Node really does extend HashObj), but it doesn't. You may file this as an Issue on https://github.com/dafny-lang/dafny to get that corrected.

In the meantime, you can write a precondition that says x and parent are different. Here, there's a wrinkle, too. You'd like to write

requires x != parent

but (unless Node really does extend HashObj) this does not type check. So, you would want to cast parent to object?. There's no direct syntax for such an up-cast, but you can do it with a let expression:

requires x != var o: object? := parent; o