Dafny An automatic program verifier for functional correctness K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond LPAR-16 Dakar, Senegal 27 April 2010 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Program verification functional correctness limited checking Dafny and others traditional mechanical program verification functional correctness extended static checking limited checking automatic decision procedures (SMT solvers) interactive proof assistants K. Rustan M. Leino

Formula User interaction Specification Program Program oriented: invariants, assertions, … Formula oriented: theorem-prover commands, tactics K. Rustan M. Leino

demo Dafny Binary search 1/18/2019 11:16 AM © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Dafny Object-based language Built-in specifications generic classes, no subclassing object references, dynamic allocation sequential control Built-in specifications pre- and postconditions framing loop invariants, inline assertions termination Specification support Sets, sequences, algebraic datatypes User-defined functions Ghost variables K. Rustan M. Leino

Top-level grammar Program ::= Type* Type ::= Class | Datatype Class ::= class Name { Member* } Member ::= Field | Method | Function Datatype ::= datatype Name { Constructor* } Generic (that is, accepts type parameters) K. Rustan M. Leino

Types Booleans Mathematical integers Finite sets Sequences Class types Algebraic datatypes K. Rustan M. Leino

Dafny demo Calculator

Verification architecture Dafny Spec# C (VCC) C (HAVOC) Chalice Eiffel Java BML Region Logic Boogie Simplify Z3 SMT Lib … K. Rustan M. Leino

From Dafny to verification-condition formulas Dafny, Boogie, VC demo From Dafny to verification-condition formulas

Axiomatizing functions function F(x: T): U … { Body } (x  F(x) = Body) datatype Tree { Leaf(int); Split(Tree,Tree); } function G(x: Tree): U … { match x case Leaf(n)  n case Split(a,b)  G(a) + G(b) } (t  G(t) = if … else G(left(t)) + G(right(t))) (n  G(Leaf(n)) = n) (a,b  G(Split(a,b)) = G(a) + G(b)) K. Rustan M. Leino

Schorr-Waite algorithm Dafny root demo prev Schorr-Waite algorithm current

Verifying termination Functions Loops Methods decreases clause lexicographic tuple components of tuple can be of any types to compare, consider longest commonly typed prefix of the lexicographic tuple K. Rustan M. Leino

Using a program to prover a theorem Dafny demo Using a program to prover a theorem

Conclusions Full functional-correctness verification is becoming more automatic Interaction is moving closer to the problem domain A well-designed language and verifier, plus a great SMT solver, go a long way Dafny (and Boogie) open source: boogie.codeplex.com K. Rustan M. Leino