Dynamic-frame specifications in Dafny
K. Rustan M. Leino
RiSE, Microsoft Research
17 July 2009
JML seminar, Dagstuhl, Germany
Dafny
- experimental language
- sequential, object based (no subclassing)
- specifications in the style of dynamic frames
- coarse-grained frames (at the level of whole objects, not individual memory locations)
Functional-correctness verifications
- queue
- linked list with head/tail pointers
- in-situ list reversal
- integer set
- binary tree
- Schorr-Waite marking algorithm
Dafny grammar
Program ::= Class*
Class ::= class C<TypeParam*> { Member* }
Member ::= Field | Method | Function
Dynamic frames
- A frame is a set of locations
- A dynamic frame (in the sense of Dafny) is an expression that denotes a frame
- Methods have modifies clauses
- Functions have reads clauses
Demo
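The following is an added example of the kind of program the demo illustrates; it is not code from the slides, and it uses current Dafny syntax (constructor, predicate, non-null field types) rather than the 2009 syntax of the talk. The class names Cell and Holder, the ghost field Repr and the method names are assumptions chosen for illustration. The point it shows is the one on the previous slide: Repr is an expression denoting a frame, functions declare what they read, methods declare what they may modify, and a caller can conclude that objects outside the frame are untouched.

```dafny
// Added example (not from the talk): a holder object whose frame is the ghost
// set Repr, i.e. an expression that denotes a frame in the dynamic-frames sense.
// Class names Cell/Holder and all field and method names are assumptions.
class Cell {
  var val: int
}

class Holder {
  var c: Cell
  ghost var Repr: set<object>   // the dynamic frame: whole objects, not single locations

  // Valid ties the frame to the representation: both this and c live in Repr.
  predicate Valid()
    reads this, Repr
  {
    this in Repr && c in Repr
  }

  constructor()
    ensures Valid() && fresh(Repr - {this})
  {
    c := new Cell;
    Repr := {this, c};
  }

  // A function must declare what it reads (here, the whole frame).
  function Get(): int
    requires Valid()
    reads this, Repr
  {
    c.val
  }

  // A method must declare what it may modify; anything outside Repr is untouched.
  method Set(v: int)
    requires Valid()
    modifies Repr
    ensures Valid() && Repr == old(Repr) && Get() == v
  {
    c.val := v;
  }
}

method Client() {
  var h := new Holder();
  var x := new Cell;      // allocated after h.Repr was fixed, so x !in h.Repr
  x.val := 7;
  h.Set(5);
  assert x.val == 7;      // follows from Set's modifies clause alone
  assert h.Get() == 5;
}
```

The assertion about x.val is the framing argument in miniature: the verifier never looks inside Set to prove it, only at the modifies clause and at the fact that x was allocated after h.Repr was fixed, so it cannot be a member of that set.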
Lessons, 0
- Dynamic-frame specifications are useful and flexible
- A language design around dynamic frames can be simple
- Thus good in teaching?
- Specifications are verbose, but perhaps simplification techniques can be applied (like in Spec# or Chalice)
- Currently missing in Dafny: scopes for axioms
Lessons, 1
- Pure methods are hard, functions are easy
- SMT solvers work better with ghost fields than with functions
- Reachability is not always necessary in specifications
- Sets and sequences are nice as value types
- Generics are a cinch
- Decreases bound checks can be more liberal than naïve translation
Lessons, 2
- SMT solvers can be used for functional-correctness verification
- Inductive predicates seem useful
  - cases fit nicely with matching triggers
  - take us in the direction of the input languages of interactive theorem provers
- Need: better views/visualizations of program states to clarify error messages and, generally, what’s going on
Try it for yourself
Dafny is available as open source: http://boogie.codeplex.com