Dafny: Difference between revisions
m Minor text tweak |
Add discussion of Dafny in Verification Competitions |
||
| Line 13: | Line 13: | ||
}} |
}} |
||
'''Dafny''' is an imperative language |
'''Dafny''' is an imperative [[compiled programming language|compiled language]] that targets [[C Sharp (programming language)|C#]] and supports [[formal specification]] through [[preconditions]], [[postconditions]], [[loop invariant]]s and [[loop variant]]s. The language combines ideas primarily from the [[functional programming|Functional]] and [[imperative programming|Imperative]] paradigms, and includes limited support for [[object-oriented programming|Object-Oriented Programming]]. Features include ''generic classes'', ''dynamic allocation'', ''inductive datatypes'' and a variation of [[separation logic]] known as ''implicit dynamic frames''<ref>{{cite conference|title=Implicit Dynamic Frames: Combining Dynamic Frames and Separation Logic | doi=10.1007/978-3-642-03013-0_8 | conference=Proceedings of the Conference on European Conference on Object Oriented Programming | pages=148--172 | year=2009}}</ref> for reasoning about side effects<ref>{{cite conference|title=Dafny: An Automatic Program Verifier for Functional Correctness | doi=10.1007/978-3-642-17511-4_20 | conference=Proceedings of the Conference on Logic for Programming, Artificial Intelligence, and Reasoning | pages=348--370 | year=2010}}</ref>. Dafny was created by Rustan Leino at [[Microsoft Research]] after his previous work on developing ESC/Modula-3, [[ESC/Java]], and [[Spec Sharp|Spec#]]. Dafny is been used widely in teaching and features regularly in software verification competitions (e.g. VSTTE'08<ref>{{cite conference|title=Dafny Meets the Verification Benchmarks Challenge | doi=10.1007/978-3-642-15057-9_8 | conference=International Conference on Verified Software: Theories, Tools, and Experiments | pages=112--116 | year=2010}}</ref>, VSCOMP'10<ref>{{cite conference|title=The 1st verified software competition: experience report | doi=10.1007/978-3-642-21437-0_14 | conference=Proceedings of the Conference on Formal Methods | pages=154--168 | year=2011}}</ref>, COST'11<ref>{{cite conference|title=The COST IC0701 Verification Competition 2011 | doi=10.1007/978-3-642-31762-0_2 | conference=Proceedings of the Conference on Formal Verification of Object-Oriented Software| pages=3--21 | year=2011}}</ref>, and VerifyThis'12<ref>{{cite journal|title=VerifyThis 2012: A Program Verification Competition | doi=10.1007/s10009-015-0396-8 | journal=Journal on Software Tools for Technology Transfer | volume=17 | number=6 | pages=647--657 | year=2015}}</ref>). |
||
Dafny was designed to provide a simple introduction to formal specification and verification and has been used widely in teaching. Dafny follows in the lineage of many previous tools, including [[SPARK (programming language)|SPARK/Ada]], [[ESC/Java]], [[Spec Sharp|Spec#]], [[Whiley (programming language)|Whiley]], Why3<ref>{{cite web|url=http://why3.lri.fr/|title=Why3 --- Where Programs Meet Provers}}</ref> and [[Frama-C]]. Such tools rely on the use of [[automated theorem proving]] to discharge proof obligations unlike, for example, those based on [[Dependent type|dependent types]] (e.g. [[Idris (programming language)|Idris]], [[Agda (programming language)|Agda]]) which require more human intervention. Dafny builds on the Boogie intermediate language which uses the Z3<ref>{{cite web|url=https://github.com/Z3Prover/z3|title=Z3 Homepage}}</ref><ref>{{cite conference|title=Z3: An Efficient {SMT} Solver | doi=10.1007/978-3-540-78800-3_24 | conference=Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis | pages=337--340 | year=2008}}</ref> automated theorem prover for discharging proof obligations. |
Dafny was designed to provide a simple introduction to formal specification and verification and has been used widely in teaching. Dafny follows in the lineage of many previous tools, including [[SPARK (programming language)|SPARK/Ada]], [[ESC/Java]], [[Spec Sharp|Spec#]], [[Whiley (programming language)|Whiley]], Why3<ref>{{cite web|url=http://why3.lri.fr/|title=Why3 --- Where Programs Meet Provers}}</ref> and [[Frama-C]]. Such tools rely on the use of [[automated theorem proving]] to discharge proof obligations unlike, for example, those based on [[Dependent type|dependent types]] (e.g. [[Idris (programming language)|Idris]], [[Agda (programming language)|Agda]]) which require more human intervention. Dafny builds on the Boogie intermediate language which uses the Z3<ref>{{cite web|url=https://github.com/Z3Prover/z3|title=Z3 Homepage}}</ref><ref>{{cite conference|title=Z3: An Efficient {SMT} Solver | doi=10.1007/978-3-540-78800-3_24 | conference=Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis | pages=337--340 | year=2008}}</ref> automated theorem prover for discharging proof obligations. |
||
Revision as of 21:14, 21 December 2017
| Paradigm | Imperative, Functional |
|---|---|
| Designed by | K. Rustan M. Leino |
| First appeared | 2009 |
| Stable release | 2.0.0
/ September 23, 2017 |
| Typing discipline | Static, strong, safe |
| License | MIT |
| Website | research |
Dafny is an imperative compiled language that targets C# and supports formal specification through preconditions, postconditions, loop invariants and loop variants. The language combines ideas primarily from the Functional and Imperative paradigms, and includes limited support for Object-Oriented Programming. Features include generic classes, dynamic allocation, inductive datatypes and a variation of separation logic known as implicit dynamic frames[1] for reasoning about side effects[2]. Dafny was created by Rustan Leino at Microsoft Research after his previous work on developing ESC/Modula-3, ESC/Java, and Spec#. Dafny is been used widely in teaching and features regularly in software verification competitions (e.g. VSTTE'08[3], VSCOMP'10[4], COST'11[5], and VerifyThis'12[6]).
Dafny was designed to provide a simple introduction to formal specification and verification and has been used widely in teaching. Dafny follows in the lineage of many previous tools, including SPARK/Ada, ESC/Java, Spec#, Whiley, Why3[7] and Frama-C. Such tools rely on the use of automated theorem proving to discharge proof obligations unlike, for example, those based on dependent types (e.g. Idris, Agda) which require more human intervention. Dafny builds on the Boogie intermediate language which uses the Z3[8][9] automated theorem prover for discharging proof obligations.
Design
Dafny provides methods for implementation which may have side-effects and functions for use in specification which are pure. Methods consist of sequences of statements following a familiar imperative style whilst, in contrast, the body of a function is simply an expression. Any side-effecting statements in a method (e.g. assigning an element of an array parameter) must be accounted for by noting which parameters can be mutated in the modifies clause. Dafny also provides a range of immutable collection types including: sequences (e.g. seq<int>), sets (e.g. set<int>) and maps (map<int,int>). In addition, mutable arrays (e.g. array<int>) are provided.
Example
The following example illustrates many of the interesting features in Dafny, including the use of preconditions, postconditions, loop invariants and loop variants.
method max(arr:array<int>) returns(max:int)
// Array must have at least one element
requires arr!=null && arr.Length > 0;
// Return cannot be smaller than any element in array
ensures (forall j :int :: (j >= 0 && j < arr.Length ==> max >= arr[j]));
// Return must match some element in array
ensures (exists j : int :: j>=0 && j < arr.Length && max==arr[j]);
{
max:=arr[0];
var i:int :=1;
//
while(i < arr.Length)
// Indent at most arr.Length (needed to show i==arr.Length after loop)
invariant (i<=arr.Length);
// No element seen so far larger than max
invariant (forall j:int :: j>=0 && j<i ==> max >= arr[j]);
// Some element seen so far matches max
invariant (exists j:int :: j>=0 && j<i && max == arr[j]);
// Terminate when i == arr.Length
decreases (arr.Length-i);
{
// Update max if larger element encountered
if(arr[i] > max){max := arr[i];}
// Continue through array
i := i + 1;
}
}
This examples computes the maximum element of an array. The method's precondition and postcondition are given with the requires and ensures clauses (respectively). Likewise, the loop invariant and loop variant are given through the invariant and decreases clauses (respectively).
References
- ^ Implicit Dynamic Frames: Combining Dynamic Frames and Separation Logic. Proceedings of the Conference on European Conference on Object Oriented Programming. 2009. pp. 148--172. doi:10.1007/978-3-642-03013-0_8.
- ^ Dafny: An Automatic Program Verifier for Functional Correctness. Proceedings of the Conference on Logic for Programming, Artificial Intelligence, and Reasoning. 2010. pp. 348--370. doi:10.1007/978-3-642-17511-4_20.
- ^ Dafny Meets the Verification Benchmarks Challenge. International Conference on Verified Software: Theories, Tools, and Experiments. 2010. pp. 112--116. doi:10.1007/978-3-642-15057-9_8.
- ^ The 1st verified software competition: experience report. Proceedings of the Conference on Formal Methods. 2011. pp. 154--168. doi:10.1007/978-3-642-21437-0_14.
- ^ The COST IC0701 Verification Competition 2011. Proceedings of the Conference on Formal Verification of Object-Oriented Software. 2011. pp. 3--21. doi:10.1007/978-3-642-31762-0_2.
- ^ "VerifyThis 2012: A Program Verification Competition". Journal on Software Tools for Technology Transfer. 17 (6): 647--657. 2015. doi:10.1007/s10009-015-0396-8.
- ^ "Why3 --- Where Programs Meet Provers".
- ^ "Z3 Homepage".
- ^ Z3: An Efficient {SMT} Solver. Proceedings of the Conference on Tools and Algorithms for the Construction and Analysis. 2008. pp. 337--340. doi:10.1007/978-3-540-78800-3_24.