Dafny: An Automatic Program Verifier for Functional Correctness

Traditionally, the full verification of a program's functional correctness has been obtained with pen and paper or with interactive proof assistants, whereas only reduced verification tasks, such as extended static checking, have enjoyed the automation offered by satisfiability-modulo-theories (SMT) solvers. More recently, powerful SMT solvers and well-designed program verifiers are starting to break that tradition, thus reducing the effort involved in doing full verification. This paper gives a tour of the language and verifier Dafny, which has been used to verify the functional correctness of a number of challenging pointer-based programs. The paper describes the features incorporated in Dafny, illustrating their use by small examples and giving a taste of how they are coded for an SMT solver. As a larger case study, the paper shows the full functional specification of the Schorr-Waite algorithm in Dafny.
