Programas y Pruebas en Dafny

Programas y Pruebas en Dafny 1/ 25
Programas y Pruebas en Dafny
Paqui Lucio
Dpto de Lenguajes y Sistemas Inform´aticos.
Madrid, 10 de Junio de 2015
Paqui Lucio Programas y Pruebas en Dafny

Outline
1. Deductive Veriﬁcation
2. Dafny
3. Dafny in Teaching
4. Advantages
5. Limitations
6. Conclusion

Deductive Verification
Expressive (at least first-order) logic.
Logical reasoning (deduction) is used to prove properties.
Functional Correctness
All possible runs satisfy a declarative specification of the
externally observable behavior.
Contract-based specifications (standard approach)

Arquitectures in deductive verification
1 On top of interactive proof assistants
Isabelle/HOL, Coq, HOL Ligth, PVS.
2 Automatic Program Veriﬁers
2.1 Program logics for a speciﬁc target language
ACL2, KeY, KIV, VeriFun.
2.2 VCG + Automatic theorem provers (SMT-solver)
Spark, Verifast, Dafny, Why, Frama-C.

Pros & Cons
+ Higher level of assurance
- Greater demand of work/Lower level of automation

Pros & Cons
2.1 Program Logics for a specific target language
+ Verification flow follows flow of execution of target system
- Implementation effort for a new language is substantial

Pros & Cons
2.1 Program Logics for a specific target language
+ Verification flow follows flow of execution of target system
- Implementation effort for a new language is substantial
2.2 VCG + Automatic theorem provers
+ Modular architecture
+ Exploit the progress in automated reasoning
- Hard analysis of proof failures
- Lower level of trust

Dafny
Dafny is an automatic verifier of the family VCC + TP.
Dafny is being developed by Microsoft Research.
Dafny is also a programming language with built-in
specification constructs.
Dafny provides
Design-time feedback
Fluid interaction
for accessible integrated verification.
Dafny generates executable (.NET) code, omitting
specification (ghost) constructs.

f u n c t i o n f ( n: i n t ) : i n t
{ n∗n∗n + 2∗n }
p r e d i c a t e divBy3 ( n: i n t )
{ n % 3 = 0 }
lemma fnIsDivBy3 ( n: i n t )
r e q u i r e s 0 ≤ n
ensures divBy3 ( f ( n ))
+{}
method M (m: i n t ) r e t u r n s ( a: array i n t )
r e q u i r e s m ≥ 0
ensures a = n u l l
ensures a . Length = m+1;
ensures f o r a l l i • 0 ≤ i ≤ m =⇒ ( a [ i ]=f ( i ) ∧ divBy3 ( a [ i ] ) )
+{}
method Main ()
+{}
DFY FILE EXE FILE

Dafny in Teaching
Métodos Formales de Desarrollo de Software
Optativa, 4o
Curso, 6 créditos
Grado en Ingenier´ıa Informática, UPV/EHU
1 Introduction
2 Automated Reasoning and Software Development
3 Dafny
4 Verification Condition Generation
5 Datatypes and predicates
6 Lemmas, assume and calculations
7 Ghost Entities
8 Arrays and Framing
9 Object-Oriented Software

Optativa, 4o
Curso, 6 cr´editos
1 Introduction
3 Dafny
7 Ghost Entities

Veriﬁcation Condition Generation
VCG({ϕ}S{ψ}) = ϕ → wp(S,ψ) ∪ vc+(S, ψ)
where
wp is the well known weakest precondition and
vc+ is deﬁned as follows
vc+
(x:=t, ψ) = vc+
(skip,ψ) = ∅
vc+
(S1; S2, ψ) = vc+
(S1, wp(S2, ψ)) ∪ vc+
(S2, ψ)
vc+
(if b then S1 else S2, ψ) = vc+
(S1, ψ) ∪ vc+
(S2, ψ)
vc+
(while b invariant α { S },ψ) =
{(α ∧ b) → wp(S,α), (α ∧ ¬b) → ψ} ∪ vc+
(S,α)

method RootApprox ( x: i n t ) r e t u r n s ( z: i n t )
r e q u i r e s x ≥ 0
ensures z ≤ x∗x < z+1
{
z:= 0;
while ( z+1 ≤ x∗x )
i n v a r i a n t z ≤ x∗x
// d e c r e a s e s x∗x−z
{
z := z +1;
}
}
RootApprox.dfy

Optativa, 4o
Curso, 6 cr´editos
1 Introduction
3 Dafny
7 Ghost Entities

Natural Mergesort ([Knuth, 1973])
Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
taking advantage of the ascending and descending chains
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3

Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
splits the data in as many ascending sublists as required
[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]

Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]
merge pairwise
[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]

Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]
merge pairwise
[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]
merge pairwise again
[0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]

Input List
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
[1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]
merge pairwise
[1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]
[0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]
[0, 1, 1, 1, 1, 2, 3, 4, 5, 5, 6, 6, 7, 8]

DFY FILE

DFY FILE INTERMEDIATE DFY FILE CLEAN DFY FILE

Optativa, 4o
Curso, 6 cr´editos
1 Introduction
3 Dafny
7 Ghost Entities

Specifications and ghost constructs are used only during
verification; the compiler omits them from the executable
code.
lemma is equivalent to ghost method.
By default, functions are ghost.
Ghost variables are useful when to compute a value x allows
to specify something interesting, but x is not really needed in
the real code. For example:
ghost value with some interesting property that can be
specified and used to prove a property.
termination proofs
to specify class invariants in OO programming
etc.
Demo: DFY FILE FINAL DFY FILE

Advantages
Dafny is concise, intuitive and fast.
My Experience.pdf
The programmer can interact with Dafny in the same way as
with the compiler.
The Dafny language syntax itself is not difficult to get used
to, as it is quite similar to other languages, such as Java and
C#, Haskell, etc.
Executable code generation.
Ghosting: one can include verification code without affecting
the performance of the executable program itself.
Dafny (i.g. VCG+TP) benefits from ATP improvements.

Limitations
Complex/subtle systems requires large annotations
“Not verification but specification could be the real bottleneck
for verification of large software systems.”
Correctness is relative to a given specification
Example: forgot permutation property of a sorting algorithm
Some violations asserts depends on the efficiency/heuristics of
the SMT-solver
Example: DFY FILE
The verifier does not produce useful information for
verification attempts that time out. Difficult problem.

Conclusion
Development of the language and verifier is very active and
ongoing.
Dafny 1.9.5 (May 11, 2015) is the 11th stable
release, since Oct 30, 2012.
Promising tool for the automatic, statical verification of full
functional correctness of programming code.
Dafny (and similar tools) are
not only useful tools for helping us in teaching
verification to undergraduate students,
but also one of the reasons why software verification
should be mandatory in the SE undergraduate
curriculum.

The beauty of a theorem from mathematics,
the preciseness of an inference rule in logic,
the intrigue of a puzzle,
and the challenge of a game – all are present
in the ﬁeld of automated reasoning.
(Larry Wos, 1988)

Programas y Pruebas en Dafny

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (6)

Similaire à Programas y Pruebas en Dafny

Similaire à Programas y Pruebas en Dafny (20)

Plus de Facultad de Informática UCM

Plus de Facultad de Informática UCM (20)

Dernier

Dernier (20)

Programas y Pruebas en Dafny