snapshot v4 5 0 (#41)

- **Removing old latest**
- **Documentation snapshot for v4.5.0**

Author: alex-chew

Snapshots.md

@@ -7,6 +7,7 @@ layout: default
 
 - [Current development version](https://dafny.org/dafny)
 - [Latest release snapshot](https://dafny.org/latest)
+- [v4.5.0](https://dafny.org/v4.5.0)
 - [v4.4.0](https://dafny.org/v4.4.0)
 - [v4.3.0](https://dafny.org/v4.3.0)
 - [v4.2.0](https://dafny.org/v4.2.0)

latest/DafnyRef/Attributes.1.expect

@@ -1,2 +1,2 @@
-text.dfy(2,29): Error: Dafny's heuristics failed to confirm 'byte' to be a compatible native type.  Hint: try writing a newtype constraint of the form 'i:int | lowerBound <= i < upperBound && (...any additional constraints...)'
+text.dfy(2,29): Error: Dafny's heuristics failed to confirm 'byte' to be a compatible native type. Hint: try writing a newtype constraint of the form 'i: int | lowerBound <= i < upperBound && (...any additional constraints...)'.
 1 resolution/type errors detected in text.dfy

latest/DafnyRef/Attributes.4.expect

@@ -1,3 +1,3 @@
-text.dfy(1,23): Verification out of resource (f (correctness))
+text.dfy(1,23): Error: Verification out of resource (f)
 
 Dafny program verifier finished with 0 verified, 0 errors, 1 out of resource

latest/DafnyRef/Attributes.md

@@ -393,12 +393,15 @@ Print effects are enforced only with `--track-print-effects`.
 `{:priority N}` assigns a positive priority 'N' to a method or function to control the order
 in which methods or functions are verified (default: N = 1).
 
-### 11.2.14. `{:rlimit}` {#sec-rlimit}
+### 11.2.14. `{:resource_limit}` and `{:rlimit}` {#sec-rlimit}
 
-`{:rlimit N}` limits the verifier resource usage to verify the method or function at `N * 1000`.
-This is the per-method equivalent of the command-line flag `/rlimit:N`.
+`{:resource_limit N}` limits the verifier resource usage to verify the method or function to `N`.
+
+This is the per-method equivalent of the command-line flag `/rlimit:N` or `--resource-limit N`.
 If using [`{:vcs_split_on_every_assert}`](#sec-vcs_split_on_every_assert) as well, the limit will be set for each assertion.
 
+The attribute `{:rlimit N}` is also available, and limits the verifier resource usage to verify the method or function to `N * 1000`. This version is deprecated, however.
+
 To give orders of magnitude about resource usage, here is a list of examples indicating how many resources are used to verify each method:
 
 * 8K resource usage
@@ -848,6 +851,10 @@ method Test()
 
 The success message is optional but is recommended if errorMessage is set.
 
+### 11.4.6. `{:contradiction}`
+
+Silences warnings about this assertion being involved in a proof using contradictory assumptions when `--warn-contradictory-assumptions` is enabled. This allows clear identification of intentional proofs by contradiction.
+
 ## 11.5. Attributes on variable declarations
 
 ### 11.5.1. `{:assumption}` {#sec-assumption}
@@ -879,7 +886,7 @@ Here is an example:
 predicate P(i: int)
 predicate Q(i: int)
 
-lemma PHoldEvenly()
+lemma {:axiom} PHoldEvenly()
   ensures  forall i {:trigger Q(i)} :: P(i) ==> P(i + 2) && Q(i)
 
 lemma PHoldsForTwo()

latest/DafnyRef/GrammarDetails.md

@@ -584,9 +584,9 @@ MethodSignature_(isGhost, isExtreme) =
 KType = "[" ( "nat" | "ORDINAL" ) "]"
 
 Formals(allowGhostKeyword, allowNewKeyword, allowOlderKeyword, allowDefault) =
-  "(" [ GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword, 
+  "(" [ { Attribute } GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword,
                    allowNameOnlyKeyword: true, allowDefault)
-        { "," GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword,
+        { "," { Attribute } GIdentType(allowGhostKeyword, allowNewKeyword, allowOlderKeyword,
                          allowNameOnlyKeyword: true, allowDefault) }
       ]
   ")"
@@ -1823,6 +1823,7 @@ LocalIdentTypeOptional = WildIdent [ ":" Type ]
 IdentTypeOptional = WildIdent [ ":" Type ]
 
 TypeIdentOptional =
+  { Attribute }
   { "ghost" | "nameonly" } [ NoUSIdentOrDigits ":" ] Type
   [ ":=" Expression(allowLemma: true, allowLambda: true) ]
 

latest/DafnyRef/Makefile

@@ -1,9 +1,5 @@
-XELATEXF := /usr/local/texlive/2020/bin/x86_64-darwin/xelatex
-XELATEXB := /usr/local/texlive/2020basic/bin/x86_64-darwin/xelatex
-XELATEX := $(shell (test -x ${XELATEXF} && echo ${XELATEXF}) || (test -x ${XELATEXB} && echo ${XELATEXB}) || echo "xelatex")
-
 all: features numbers options
-	./concat DafnyRef.md | sed -e '/numbered toc/d' -e '/:toc/d' -e '/PDFOMIT/d'  -e 's/<!--PDF NEWPAGE-->/\\newpage/' -e 's/<!--.*-->//' | pandoc --citeproc --toc --syntax-definition="../KDESyntaxDefinition/dafny.xml"  --syntax-definition="../KDESyntaxDefinition/grammar.xml" --highlight-style=../KDESyntaxDefinition/dafny.theme --pdf-engine=xelatex --bibliography=DafnyRef.bib --bibliography=krml250.bib --bibliography=poc.bib --bibliography=paper-full.bib --bibliography=references.bib -H head.tex -B header.tex -V colorlinks=true -t pdf -o DafnyRef.pdf
+	./concat DafnyRef.md | sed -e '/numbered toc/d' -e '/:toc/d' -e '/PDFOMIT/d'  -e 's/<!--PDF NEWPAGE-->/\\newpage/' -e 's/<!--.*-->//' | pandoc --citeproc --toc --syntax-definition="../KDESyntaxDefinition/dafny.xml"  --syntax-definition="../KDESyntaxDefinition/grammar.xml" --highlight-style=../KDESyntaxDefinition/dafny.theme --pdf-engine=tectonic --bibliography=DafnyRef.bib --bibliography=krml250.bib --bibliography=poc.bib --bibliography=paper-full.bib --bibliography=references.bib -H head.tex -B header.tex -V colorlinks=true -t pdf -o DafnyRef.pdf
 
 numbers:
 	javac Numbers.java && java Numbers -r DafnyRef.md

latest/DafnyRef/Options.txt

@@ -33,36 +33,8 @@ Usage: dafny [ option ... ] [ filename ... ]
 
   ---- Plugins ---------------------------------------------------------------
 
-  /plugin:<path-to-one-assembly[,argument]*>
-      
-      (experimental) One path to an assembly that contains at least one
-      instantiatable class extending Microsoft.Dafny.Plugin.Rewriter. It
-      can also extend Microsoft.Dafny.Plugins.PluginConfiguration to
-      receive arguments. More information about what plugins do and how
-      to define them:
-      
-      https://github.com/dafny-lang/dafny/blob/master/Source/DafnyLanguageServer/README.md#about-plugins
-
   ---- Overall reporting and printing ----------------------------------------
 
-  /dprint:<file>
-      Print Dafny program after parsing it.
-      (Use - as <file> to print to console.)
-
-  /printMode:<Everything|DllEmbed|NoIncludes|NoGhost>
-      Everything (default) - Print everything listed below.
-      DllEmbed - print the source that will be included in a compiled dll.
-      NoIncludes - disable printing of {:verify false} methods
-          incorporated via the include mechanism, as well as datatypes and
-          fields included from other files.
-      NoGhost - disable printing of functions, ghost methods, and proof
-          statements in implementation methods. It also disables anything
-          NoIncludes disables.
-
-  /rprint:<file>
-      Print Dafny program after resolving it.
-      (use - as <file> to print to console.)
-
   /showSnippets:<value>
       0 (default) - Don't show source code snippets for Dafny messages.
       1 - Show a source code snippet for each Dafny message.
@@ -105,15 +77,6 @@ Usage: dafny [ option ... ] [ filename ... ]
       `autoRevealDependencies` makes all functions not explicitly labelled as opaque to be opaque but reveals them automatically in scopes which do not have `{:autoRevealDependencies false}`. 
       `opaque` means functions are always opaque so the opaque keyword is not needed, and functions must be revealed everywhere needed for a proof.
 
-  /generalTraits:<value>
-      legacy (default) - Every trait implicitly extends 'object', and thus is a reference type. Only traits and reference types can extend traits.
-      datatype - A trait is a reference type only if it or one of its ancestor traits is 'object'. Any non-'newtype' type with members can extend traits.
-      full - (don't use; not yet completely supported) A trait is a reference type only if it or one of its ancestor traits is 'object'. Any type with members can extend traits.
-
-  /ntitrace:<value>
-      0 (default) - Don't print debug information for the new type system.
-      1 - Print debug information for the new type system.
-
   /readsClausesOnMethods:<value>
       0 (default) - Reads clauses on methods are forbidden.
       1 - Reads clauses on methods are permitted (with a default of 'reads *').
@@ -124,14 +87,6 @@ Usage: dafny [ option ... ] [ filename ... ]
       See https://github.com/dafny-lang/dafny/blob/master/Source/DafnyStandardLibraries/README.md for more information.
       Not compatible with the /unicodeChar:0 option.
 
-  /titrace:<value>
-      0 (default) - Don't print type-inference debug information.
-      1 - Print type-inference debug information.
-
-  /typeSystemRefresh:<value>
-      0 (default) - The type-inference engine and supported types are those of Dafny 4.0.
-      1 - Use an updated type-inference engine. Warning: This mode is under construction and probably won't work at this time.
-
   /unicodeChar:<value>
       0 - The char type represents any UTF-16 code unit.
       1 (default) - The char type represents any Unicode scalar value.
@@ -212,6 +167,16 @@ Usage: dafny [ option ... ] [ filename ... ]
 
   ---- Verification options -------------------------------------------------
 
+  /allowAxioms:<value>
+      Prevents a warning from being generated for axioms, such as assume statements and functions or methods without a body, that don't have an {:axiom} attribute.
+
+  /verificationLogger:<configuration>
+      Logs verification results using the given test result format. The currently supported formats are `trx`, `csv`, and `text`. These are: the XML-based format commonly used for test results for .NET languages, a custom CSV schema, and a textual format meant for human consumption. You can provide configuration using the same string format as when using the --logger option for dotnet test, such as: --format "trx;LogFileName=<...>");
+      
+      The `trx` and `csv` formats automatically choose an output file name by default, and print the name of this file to the console. The `text` format prints its output to the console by default, but can send output to a file given the `LogFileName` option.
+      
+      The `text` format also includes a more detailed breakdown of what assertions appear in each assertion batch. When combined with the isolate-assertions option, it will provide approximate time and resource use costs for each assertion, allowing identification of especially expensive assertions.
+
   /dafnyVerify:<n>
       0 - Stop after resolution and typechecking.
       1 - Continue on to verification and compilation.
@@ -223,30 +188,6 @@ Usage: dafny [ option ... ] [ filename ... ]
       Output verification results for each module separately, rather than
       aggregating them after they are all finished.
 
-  /verificationLogger:<configuration string>
-      Logs verification results to the given test result logger. The
-      currently supported loggers are `trx`, `csv`, and `text`. These are
-      the XML-based format commonly used for test results for .NET
-      languages, a custom CSV schema, and a textual format meant for human
-      consumption. You can provide configuration using the same string
-      format as when using the --logger option for dotnet test, such as:
-  
-          /verificationLogger:trx;LogFileName=<...>.
-  
-      The exact mapping of verification concepts to these formats is
-      experimental and subject to change!
-  
-      The `trx` and `csv` loggers automatically choose an output file name
-      by default, and print the name of this file to the console. The
-      `text` logger prints its output to the console by default, but can
-      send output to a file given the `LogFileName` option.
-  
-      The `text` logger also includes a more detailed breakdown of what
-      assertions appear in each assertion batch. When combined with the
-      `/vcsSplitOnEveryAssert` option, it will provide approximate time
-      and resource use costs for each assertion, allowing identification
-      of especially expensive assertions.
-  
   /noCheating:<n>
       0 (default) - Allow assume statements and free invariants.
       1 - Treat all assumptions as asserts, and drop free.
@@ -338,16 +279,10 @@ Usage: dafny [ option ... ] [ filename ... ]
 
   /extractCounterexample
       If verification fails, report a detailed counterexample for the
-      first failing assertion. Requires specifying the /mv:<file> option as well
-      as /proverOpt:O:model_compress=false (for z3 version < 4.8.7) or
-      /proverOpt:O:model.compact=false (for z3 version >= 4.8.7), and
-      /proverOpt:O:model.completion=true.
+      first failing assertion (experimental).
 
   ---- Compilation options ---------------------------------------------------
 
-  /compileSuffix:<value>
-      Add the suffix _Compile to module names without :extern
-
   /compileTarget:<language>
       cs (default) - Compile to .NET via C#.
       go - Compile to Go.
@@ -380,6 +315,16 @@ Usage: dafny [ option ... ] [ filename ... ]
   /out:<file>
       Specify the filename and location for the generated target language files.
 
+  /runAllTests:<n>
+      0 (default) - Annotates compiled methods with the {:test}
+              attribute such that they can be tested using a testing framework
+              in the target language (e.g. xUnit for C#).
+          1 - Emits a main method in the target language that will execute
+              every method in the program with the {:test} attribute. Cannot
+              be used if the program already contains a main method. Note that
+              /compile:3 or 4 must be provided as well to actually execute
+              this main method!
+
   /compile:<n>
       0 - Do not compile Dafny program.
       1 (default) - Upon successful verification of the Dafny program,
@@ -400,15 +345,6 @@ Usage: dafny [ option ... ] [ filename ... ]
       When running a Dafny file through /compile:3 or /compile:4, '--args' provides
       all arguments after it to the Main function, at index starting at 1.
       Index 0 is used to store the executable's name if it exists.
-  /runAllTests:<n> (experimental)
-      0 (default) - Annotates compiled methods with the {:test}
-          attribute such that they can be tested using a testing framework
-          in the target language (e.g. xUnit for C#).
-      1 - Emits a main method in the target language that will execute
-          every method in the program with the {:test} attribute. Cannot
-          be used if the program already contains a main method. Note that
-          /compile:3 or 4 must be provided as well to actually execute
-          this main method!
 
   /compileVerbose:<n>
       0 - Don't print status of compilation to the console.
@@ -669,12 +605,14 @@ Usage: dafny [ option ... ] [ filename ... ]
                 the SMT theory of arrays. This option allows the use of axioms instead.
   /reflectAdd   In the VC, generate an auxiliary symbol, elsewhere defined
                 to be +, instead of +.
-  /prune
-                Turn on pruning. Pruning will remove any top-level Boogie declarations 
-                that are not accessible by the implementation that is about to be verified.
-                Without pruning, due to the unstable nature of SMT solvers,
-                a change to any part of a Boogie program has the potential 
-                to affect the verification of any other part of the program.
+  /prune:<n>
+                0 - Turn off pruning.
+                1 - Turn on pruning (default). Pruning will remove any top-level
+                Boogie declarations that are not accessible by the implementation
+                that is about to be verified. Without pruning, due to the unstable
+                nature of SMT solvers, a change to any part of a Boogie program
+                has the potential to affect the verification of any other part of
+                the program.
 
                 Only use this if your program contains uses clauses
                 where required, otherwise pruning will break your program.
@@ -708,6 +646,11 @@ Usage: dafny [ option ... ] [ filename ... ]
                 report. This generalizes and replaces the previous
                 (undocumented) `/printNecessaryAssertions` option.
 
+  /keepQuantifier
+                If pool-based quantifier instantiation creates instances of a quantifier
+                then keep the quantifier along with the instances. By default, the quantifier
+                is dropped if any instances are created.
+
   ---- Verification-condition splitting --------------------------------------
 
   /vcsMaxCost:<f>

latest/DafnyRef/README.md

@@ -30,7 +30,7 @@ subfolders. In order to render files locally you must
 * set the working directly (`cd`) to the `docs` folder (Windows or Ruby 3.0 users, see below for some tweaks)
 * run the jekyll server: `bundle exec jekyll server`
 * open a browser on the page http://localhost:4000 or directly to http://localhost:4000/DafnyRef/DafnyRef
-* the server rerenders when files are changed -- but not always quite completely. Sometimes one must kill the server process, delete all the files in the _saite folder, and restart the server.
+* the server rerenders when files are changed -- but not always quite completely. Sometimes one must kill the server process, delete all the files in the _site folder, and restart the server.
 
 In order to convert markdown to pdf, you must be able to execute the Makefile, which requires installing pandoc and LaTeX, and being on a Linux-like platform.
 
@@ -64,12 +64,11 @@ definition file.
 ## On-line RM through github
 Github uses rouge, via Jekyll. The syntax definition is a ruby-based file
 maintained in the rouge github repo.
-To modify the definition, follow the directions in
-[https://rouge-ruby.github.io/docs/file.LexerDevelopment.html]
-(https://rouge-ruby.github.io/docs/file.LexerDevelopment.html)
-after setting up a development environment according to
-[https://rouge-ruby.github.io/docs/file.DevEnvironment.html]
-(https://rouge-ruby.github.io/docs/file.DevEnvironment.html).
+To modify the definition, follow
+[these](https://rouge-ruby.github.io/docs/file.LexerDevelopment.html)
+directions after [setting
+up](https://rouge-ruby.github.io/docs/file.DevEnvironment.html) a
+development environment.
 The file itself, `dafny.rb` is in Ruby. Details of the Ruby Regular
 Expression language can be found many places online, such as
 [here](https://www.princeton.edu/~mlovett/reference/Regular-Expressions.pdf).
@@ -113,4 +112,4 @@ file as well.
 ## LSP
 
 Many IDEs interact with Language Servers (via LSP). Possibly an LSP protocol
-will be generated in the future.
+will be generated in the future.

latest/DafnyRef/Refinement.md

@@ -152,7 +152,7 @@ Method declarations can be refined as in the following example.
 
 <!-- %check-verify -->
 ```dafny
-module A {
+abstract module A {
   method ToImplement(x: int) returns (r: int)
     ensures r > x
 
@@ -225,7 +225,7 @@ the following example.
 
 <!-- %check-verify -->
 ```dafny
-module A {
+abstract module A {
   function F(x: int): (r: int)
     ensures r > x
 

latest/DafnyRef/Specifications.md

@@ -67,7 +67,7 @@ A requires clause can have [custom error and success messages](#sec-error-attrib
 Examples:
 <!-- %check-resolve -->
 ```dafny
-method m(i: int) returns (r: int)
+method {:axiom} m(i: int) returns (r: int)
   ensures r > 0
 ```
 
@@ -914,7 +914,7 @@ method Test(a: array<int>) returns (j: int)
 Dafny will split the verification in two [assertion batches](#sec-assertion-batches)
 that will roughly look like the following lemmas:
 
-<!-- %check-verify -->
+<!-- %check-verify %options --allow-axioms -->
 ```dafny
 lemma Test_WellFormed(a: array?<int>)
 {