programas y pruebas en dafny

Programas y Pruebas en Dafny 1/ 25

Programas y Pruebas en Dafny

Paqui Lucio

Dpto de Lenguajes y Sistemas Informaticos.

Madrid, 10 de Junio de 2015

Paqui Lucio Programas y Pruebas en Dafny 1/ 25


Outline

1. Deductive Verification2. Dafny3. Dafny in Teaching4. Advantages5. Limitations6. Conclusion



Deductive Verification

Expressive (at least first-order) logic.

Logical reasoning (deduction) is used to prove properties.

Functional Correctness

All possible runs satisfy a declarative specification of theexternally observable behavior.

Contract-based specifications (standard approach)



Arquitectures in deductive verification

1 On top of interactive proof assistants

Isabelle/HOL, Coq, HOL Ligth, PVS.

2 Automatic Program Verifiers

2.1 Program logics for a specific target language

ACL2, KeY, KIV, VeriFun.

2.2 VCG + Automatic theorem provers (SMT-solver)

Spark, Verifast, Dafny, Why, Frama-C.



Pros & Cons

1 On top of interactive proof assistants

+ Higher level of assurance- Greater demand of work/Lower level of automation

2 Automatic Program Verifiers2.1 Program Logics for a specific target language

+ Verification flow follows flow of execution of target system- Implementation effort for a new language is substantial

2.2 VCG + Automatic theorem provers

+ Modular architecture+ Exploit the progress in automated reasoning- Hard analysis of proof failures- Lower level of trust



Dafny

Dafny is an automatic verifier of the family VCC + TP.

Dafny is being developed by Microsoft Research.

Dafny is also a programming language with built-inspecification constructs.

Dafny provides

Design-time feedbackFluid interaction

for accessible integrated verification.

Dafny generates executable (.NET) code, omittingspecification (ghost) constructs.



f u n c t i o n f ( n : i n t ) : i n t{ n∗n∗n + 2∗n }

p r e d i c a t e divBy3 ( n : i n t ){ n % 3 = 0 }

lemma f n I s D i v B y 3 ( n : i n t )r e q u i r e s 0 ≤ ne n s u r e s divBy3 ( f ( n ) )+{}

method M (m: i n t ) r e t u r n s ( a : a r r a y 〈 i n t 〉 )r e q u i r e s m ≥ 0e n s u r e s a 6= n u l le n s u r e s a . Length = m+1;e n s u r e s f o r a l l i • 0 ≤ i ≤ m =⇒ ( a [ i ]=f ( i ) ∧ divBy3 ( a [ i ] ) )+{}

method Main ( )+{}

DFY FILE EXE FILE



Dafny in Teaching

Metodos Formales de Desarrollo de Software

Optativa, 4o Curso, 6 creditos

Grado en Ingenierıa Informatica, UPV/EHU

1 Introduction

2 Automated Reasoning and Software Development

3 Dafny

4 Verification Condition Generation

5 Datatypes and predicates

6 Lemmas, assume and calculations

7 Ghost Entities

8 Arrays and Framing

9 Object-Oriented Software






1 Introduction


3 Dafny




7 Ghost Entities





Verification Condition Generation

VCG({ϕ}S{ψ}) = ϕ→ wp(S,ψ) ∪ vc+(S, ψ)

where

wp is the well known weakest precondition and

vc+ is defined as follows

vc+(x:=t, ψ) = vc+(skip,ψ) = ∅vc+(S1;S2, ψ) = vc+(S1, wp(S2, ψ)) ∪ vc+(S2, ψ)vc+(if b then S1 else S2, ψ) = vc+(S1, ψ) ∪ vc+(S2, ψ)vc+(while b invariant α { S },ψ) =

{(α ∧ b) → wp(S,α), (α ∧ ¬b) → ψ} ∪ vc+(S,α)



method RootApprox ( x : i n t ) r e t u r n s ( z : i n t )r e q u i r e s x ≥ 0e n s u r e s z ≤ x∗x < z+1

{z := 0 ;w h i l e ( z+1 ≤ x∗x )

i n v a r i a n t z ≤ x∗x// d e c r e a s e s x∗x−z{z := z +1;}

}

RootApprox.dfy






1 Introduction


3 Dafny




7 Ghost Entities





Natural Mergesort ([Knuth, 1973])

Input List

1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

taking advantage of the ascending and descending chains

1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

splits the data in as many ascending sublists as required

[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]

merge pairwise

[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]

merge pairwise again

[0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]


[0, 1, 1, 1, 1, 2, 3, 4, 5, 5, 6, 6, 7, 8]



Natural Mergesort ([Knuth, 1973])

Input List

1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

taking advantage of the ascending and descending chains

1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

splits the data in as many ascending sublists as required

[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]

merge pairwise

[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]


[0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]


[0, 1, 1, 1, 1, 2, 3, 4, 5, 5, 6, 6, 7, 8]Paqui Lucio Programas y Pruebas en Dafny 13/ 25


DFY FILE



DFY FILE INTERMEDIATE DFY FILE CLEAN DFY FILE






1 Introduction


3 Dafny




7 Ghost Entities





Specifications and ghost constructs are used only duringverification; the compiler omits them from the executablecode.

lemma is equivalent to ghost method.By default, functions are ghost.

Ghost variables are useful when to compute a value x allowsto specify something interesting, but x is not really needed inthe real code. For example:

ghost value with some interesting property that can bespecified and used to prove a property.termination proofsto specify class invariants in OO programmingetc.

Demo: DFY FILE FINAL DFY FILE



Advantages

Dafny is concise, intuitive and fast.

My Experience.pdf

The programmer can interact with Dafny in the same way aswith the compiler.

The Dafny language syntax itself is not difficult to get usedto, as it is quite similar to other languages, such as Java andC#, Haskell, etc.

Executable code generation.

Ghosting: one can include verification code without affectingthe performance of the executable program itself.

Dafny (i.g. VCG+TP) benefits from ATP improvements.


Experience.pdf


Limitations

Complex/subtle systems requires large annotations

“Not verification but specification could be the real bottleneckfor verification of large software systems.”

Correctness is relative to a given specification

Example: forgot permutation property of a sorting algorithm

Some violations asserts depends on the efficiency/heuristics ofthe SMT-solver

Example: DFY FILE

The verifier does not produce useful information forverification attempts that time out. Difficult problem.



Conclusion

Development of the language and verifier is very active andongoing.

Dafny 1.9.5 (May 11, 2015) is the 11th stablerelease, since Oct 30, 2012.

Promising tool for the automatic, statical verification of fullfunctional correctness of programming code.

Dafny (and similar tools) are

not only useful tools for helping us in teachingverification to undergraduate students,

but also one of the reasons why software verificationshould be mandatory in the SE undergraduatecurriculum.



The beauty of a theorem from mathematics,the preciseness of an inference rule in logic,the intrigue of a puzzle,and the challenge of a game – all are presentin the field of automated reasoning.

(Larry Wos, 1988)


programas y pruebas en dafny

Education