Programas y Pruebas en Dafny 1/ 25
Programas y Pruebas en Dafny (Programs and Proofs in Dafny)
Paqui Lucio
Department of Languages and Computer Systems (Dpto. de Lenguajes y Sistemas Informáticos)
Madrid, 10 June 2015
Paqui Lucio Programas y Pruebas en Dafny 1/ 25
Outline
1. Deductive Verification
2. Dafny
3. Dafny in Teaching
4. Advantages
5. Limitations
6. Conclusion
Deductive Verification
Expressive (at least first-order) logic.
Logical reasoning (deduction) is used to prove properties.
Functional Correctness
All possible runs satisfy a declarative specification of the externally observable behavior.
Contract-based specifications (standard approach)
Architectures in deductive verification
1 On top of interactive proof assistants
Isabelle/HOL, Coq, HOL Light, PVS.
2 Automatic Program Verifiers
2.1 Program logics for a specific target language
ACL2, KeY, KIV, VeriFun.
2.2 VCG + Automatic theorem provers (SMT-solver)
Spark, Verifast, Dafny, Why, Frama-C.
Pros & Cons
1 On top of interactive proof assistants
+ Higher level of assurance
- Greater demand of work / lower level of automation
2 Automatic Program Verifiers
2.1 Program logics for a specific target language
+ Verification flow follows the flow of execution of the target system
- Implementation effort for a new language is substantial
2.2 VCG + Automatic theorem provers
+ Modular architecture
+ Exploits the progress in automated reasoning
- Hard analysis of proof failures
- Lower level of trust
Dafny
Dafny is an automatic verifier of the VCG + TP family.
Dafny is being developed by Microsoft Research.
Dafny is also a programming language with built-in specification constructs.
Dafny provides
Design-time feedback
Fluid interaction
for accessible integrated verification.
Dafny generates executable (.NET) code, omitting specification (ghost) constructs.
function f(n: int): int { n*n*n + 2*n }

predicate divBy3(n: int) { n % 3 == 0 }

lemma fnIsDivBy3(n: int)
  requires 0 <= n
  ensures divBy3(f(n))
{ // proof body collapsed on the slide
}

method M(m: int) returns (a: array<int>)
  requires m >= 0
  ensures a != null
  ensures a.Length == m+1
  ensures forall i :: 0 <= i <= m ==> (a[i] == f(i) && divBy3(a[i]))
{ // body collapsed on the slide
}

method Main()
{ // body collapsed on the slide
}
Dafny in Teaching
Métodos Formales de Desarrollo de Software (Formal Methods for Software Development)
Elective, 4th year, 6 credits
Degree in Computer Engineering (Grado en Ingeniería Informática), UPV/EHU
1 Introduction
2 Automated Reasoning and Software Development
3 Dafny
4 Verification Condition Generation
5 Datatypes and predicates
6 Lemmas, assume and calculations
7 Ghost Entities
8 Arrays and Framing
9 Object-Oriented Software
Verification Condition Generation

$$\mathrm{VCG}(\{\varphi\}\, S\, \{\psi\}) = \{\varphi \to wp(S,\psi)\} \cup vc^{+}(S,\psi)$$

where $wp$ is the well-known weakest precondition and $vc^{+}$ is defined as follows:

$$\begin{aligned}
vc^{+}(x := t,\ \psi) &= vc^{+}(\mathrm{skip},\ \psi) = \emptyset \\
vc^{+}(S_1; S_2,\ \psi) &= vc^{+}(S_1,\ wp(S_2,\psi)) \cup vc^{+}(S_2,\ \psi) \\
vc^{+}(\mathbf{if}\ b\ \mathbf{then}\ S_1\ \mathbf{else}\ S_2,\ \psi) &= vc^{+}(S_1,\psi) \cup vc^{+}(S_2,\psi) \\
vc^{+}(\mathbf{while}\ b\ \mathbf{invariant}\ \alpha\ \{S\},\ \psi) &= \{(\alpha \wedge b) \to wp(S,\alpha),\ (\alpha \wedge \neg b) \to \psi\} \cup vc^{+}(S,\alpha)
\end{aligned}$$
method RootApprox(x: int) returns (z: int)
  requires x >= 0
  ensures z <= x*x < z+1
{
  z := 0;
  while (z+1 <= x*x)
    invariant z <= x*x
    // decreases x*x - z
  {
    z := z + 1;
  }
}

RootApprox.dfy
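As an added illustration (not part of the slides, and not Dafny's own implementation), the following Python program applies the VCG, wp and vc⁺ rules from the previous slide to the RootApprox method above. The mini-language AST (Assign, Skip, Seq, If, While), the helper names and the bounded `counterexample` search are all constructed for this example; the bounded search over a small integer box stands in for the SMT solver and only refutes a condition, it does not prove one. A second copy of the program with the useless invariant `True` shows which of the three conditions a weak invariant breaks.

```python
import itertools
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# Constructed mini-language matching the statement forms in the vc+ definition.
# Formulas and terms are plain expression strings in Python/Dafny-like syntax.
@dataclass(frozen=True)
class Assign:
    var: str
    term: str

@dataclass(frozen=True)
class Skip:
    pass

@dataclass(frozen=True)
class Seq:
    first: "Stmt"
    second: "Stmt"

@dataclass(frozen=True)
class If:
    cond: str
    then: "Stmt"
    els: "Stmt"

@dataclass(frozen=True)
class While:
    cond: str
    inv: str            # the invariant alpha written by the programmer
    body: "Stmt"

Stmt = Union[Assign, Skip, Seq, If, While]


def subst(formula: str, var: str, term: str) -> str:
    """psi[t/x]: replace each whole-word occurrence of var by (term)."""
    return re.sub(rf"\b{re.escape(var)}\b", f"({term})", formula)


def implies(a: str, b: str) -> str:
    return f"(not ({a})) or ({b})"


def wp(s: Stmt, psi: str) -> str:
    """Weakest precondition; for a loop, wp is just its invariant."""
    if isinstance(s, Assign):
        return subst(psi, s.var, s.term)
    if isinstance(s, Skip):
        return psi
    if isinstance(s, Seq):
        return wp(s.first, wp(s.second, psi))
    if isinstance(s, If):
        then_branch = implies(s.cond, wp(s.then, psi))
        else_branch = implies(f"not ({s.cond})", wp(s.els, psi))
        return f"({then_branch}) and ({else_branch})"
    if isinstance(s, While):
        return s.inv
    raise TypeError(f"unknown statement {s!r}")


def vc_plus(s: Stmt, psi: str) -> Set[str]:
    """vc+ from the slide: the side conditions that wp alone does not carry."""
    if isinstance(s, (Assign, Skip)):
        return set()
    if isinstance(s, Seq):
        return vc_plus(s.first, wp(s.second, psi)) | vc_plus(s.second, psi)
    if isinstance(s, If):
        return vc_plus(s.then, psi) | vc_plus(s.els, psi)
    if isinstance(s, While):
        a, b = s.inv, s.cond
        preserved = implies(f"({a}) and ({b})", wp(s.body, a))   # (alpha and b) -> wp(S, alpha)
        on_exit = implies(f"({a}) and (not ({b}))", psi)          # (alpha and not b) -> psi
        return {preserved, on_exit} | vc_plus(s.body, a)
    raise TypeError(f"unknown statement {s!r}")


def vcg(phi: str, s: Stmt, psi: str) -> List[str]:
    """VCG({phi} S {psi}) = {phi -> wp(S, psi)} U vc+(S, psi)."""
    return [implies(phi, wp(s, psi))] + sorted(vc_plus(s, psi))


def counterexample(formula: str, variables: List[str], lo: int, hi: int) -> Optional[Dict[str, int]]:
    """Bounded stand-in for the SMT solver: None means no refutation found on [lo, hi]^n."""
    for values in itertools.product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if not eval(formula, {"__builtins__": {}}, env):
            return env
    return None


# RootApprox as on the slide: z := 0; while (z+1 <= x*x) invariant z <= x*x { z := z+1 }
ROOT_APPROX = Seq(Assign("z", "0"),
                  While("z+1 <= x*x", "z <= x*x", Assign("z", "z+1")))
ROOT_PRE, ROOT_POST = "x >= 0", "z <= x*x < z+1"

# Same loop with a useless invariant: the exit condition can no longer be proved.
ROOT_APPROX_WEAK_INV = Seq(Assign("z", "0"),
                           While("z+1 <= x*x", "True", Assign("z", "z+1")))


def check_program(phi: str, s: Stmt, psi: str, variables=("x", "z"), lo=-3, hi=6):
    """Pair every verification condition with a counterexample, or None if none was found."""
    return [(vc, counterexample(vc, list(variables), lo, hi)) for vc in vcg(phi, s, psi)]


if __name__ == "__main__":
    for label, prog in (("good invariant", ROOT_APPROX), ("weak invariant", ROOT_APPROX_WEAK_INV)):
        print(label)
        for vc, cex in check_program(ROOT_PRE, prog, ROOT_POST):
            print("  ", vc, "=>", "no counterexample" if cex is None else f"fails at {cex}")
```

For the good invariant all three conditions survive the search; with the invariant `True`, the first two still hold but `(alpha and not b) -> psi` is refuted, which is exactly the proof failure the VCG + TP architecture reports back to the programmer.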
Programas y Pruebas en Dafny 13/ 25
Natural Mergesort ([Knuth, 1973])
Input list:
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
Taking advantage of the ascending and descending chains in
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
the algorithm splits the data into as many ascending sublists as required:
[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]
Merge pairwise:
[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]
Merge pairwise again:
[0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]
Merge pairwise again:
[0, 1, 1, 1, 1, 2, 3, 4, 5, 5, 6, 6, 7, 8]
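Added example in Python (not from the slides, and not Knuth's or Dafny's code): natural mergesort as traced above, run on the slide's input list. `split_runs` finds the maximal ascending and strictly descending chains and reverses the descending ones, reproducing the four sublists on the slide; each `merge_pass` merges all adjacent pairs, so this input is sorted in two passes rather than the three one-pair-at-a-time steps drawn on the slide, reaching the same result. `meets_sort_spec` checks sortedness together with the permutation property, which is the part of a sorting contract the Limitations slide warns is easy to forget; all function names are this example's own.

```python
from collections import Counter
from typing import List, Tuple

# Constructed input: the list from the slide above.
SLIDE_INPUT = [1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3]


def split_runs(xs: List[int]) -> List[List[int]]:
    """Cut xs into maximal monotone chains; descending chains are reversed so
    every run comes out ascending (only strict descents are reversed, which
    keeps equal keys in their original order)."""
    runs: List[List[int]] = []
    i, n = 0, len(xs)
    while i < n:
        j = i + 1
        if j < n and xs[j] < xs[i]:
            while j < n and xs[j] < xs[j - 1]:      # strictly descending chain
                j += 1
            runs.append(xs[i:j][::-1])
        else:
            while j < n and xs[j] >= xs[j - 1]:     # non-descending chain
                j += 1
            runs.append(xs[i:j])
        i = j
    return runs


def merge(a: List[int], b: List[int]) -> List[int]:
    """Standard stable merge of two ascending lists."""
    out: List[int] = []
    i, j = 0, 0
    while i < len(a) and j < len(b):
        if a[i] <= b[j]:
            out.append(a[i])
            i += 1
        else:
            out.append(b[j])
            j += 1
    out.extend(a[i:])
    out.extend(b[j:])
    return out


def merge_pass(runs: List[List[int]]) -> List[List[int]]:
    """Merge adjacent pairs of runs; an unpaired last run is carried over."""
    merged = [merge(runs[k], runs[k + 1]) for k in range(0, len(runs) - 1, 2)]
    if len(runs) % 2 == 1:
        merged.append(runs[-1])
    return merged


def natural_mergesort_trace(xs: List[int]) -> Tuple[List[int], List[List[List[int]]]]:
    """Return the sorted list together with the run lists after each pass."""
    runs = split_runs(xs)
    passes = [runs]
    while len(runs) > 1:
        runs = merge_pass(runs)
        passes.append(runs)
    return (runs[0] if runs else []), passes


def natural_mergesort(xs: List[int]) -> List[int]:
    return natural_mergesort_trace(xs)[0]


def is_sorted(xs: List[int]) -> bool:
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))


def is_permutation(xs: List[int], ys: List[int]) -> bool:
    return Counter(xs) == Counter(ys)


def meets_sort_spec(inp: List[int], out: List[int]) -> bool:
    """Full sorting contract: sorted AND a permutation of the input.
    Sortedness alone is satisfied by the empty list, which is exactly
    the 'forgot the permutation property' gap in a specification."""
    return is_sorted(out) and is_permutation(inp, out)


if __name__ == "__main__":
    result, passes = natural_mergesort_trace(SLIDE_INPUT)
    for step, runs in enumerate(passes):
        print(f"pass {step}: {runs}")
    print("spec holds:", meets_sort_spec(SLIDE_INPUT, result))
```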
Specifications and ghost constructs are used only during verification; the compiler omits them from the executable code.
lemma is equivalent to ghost method. By default, functions are ghost.
Ghost variables are useful when computing a value x allows us to specify something interesting, but x is not really needed in the real code. For example:
a ghost value with some interesting property that can be specified and used to prove a property
termination proofs
specifying class invariants in OO programming
etc.
Demo (attached .dfy files)
Advantages
Dafny is concise, intuitive and fast.
My Experience.pdf (attached)
The programmer can interact with Dafny in the same way as with the compiler.
The Dafny language syntax itself is not difficult to get used to, as it is quite similar to other languages, such as Java, C#, Haskell, etc.
Executable code generation.
Ghosting: one can include verification code without affecting the performance of the executable program itself.
Dafny (i.e. VCG+TP) benefits from ATP improvements.
Limitations
Complex/subtle systems require large annotations.
“Not verification but specification could be the real bottleneck for verification of large software systems.”
Correctness is relative to a given specification.
Example: forgetting the permutation property of a sorting algorithm.
Some assertion violations depend on the efficiency/heuristics of the SMT solver.
Example (attached .dfy file)
The verifier does not produce useful information for verification attempts that time out. Difficult problem.
Conclusion
Development of the language and verifier is very active and ongoing.
Dafny 1.9.5 (May 11, 2015) is the 11th stable release since Oct 30, 2012.
Promising tool for the automatic, static verification of full functional correctness of program code.
Dafny (and similar tools) are
not only useful tools for helping us teach verification to undergraduate students,
but also one of the reasons why software verification should be mandatory in the SE undergraduate curriculum.