Programas y Pruebas en Dafny (Programs and Proofs in Dafny)

Talk given by Dr. Paqui Lucio on 10 June 2015 at the Facultad de Informática of the Universidad Complutense de Madrid. Published in: Education. Slide transcript (25 slides):
  1. Programas y Pruebas en Dafny (Programs and Proofs in Dafny), slide 1/25
     Paqui Lucio
     Dpto. de Lenguajes y Sistemas Informáticos (Department of Languages and Computer Systems)
     Madrid, 10 June 2015
  2. Outline
     1. Deductive Verification
     2. Dafny
     3. Dafny in Teaching
     4. Advantages
     5. Limitations
     6. Conclusion
  3. Deductive Verification
     - An expressive (at least first-order) logic.
     - Logical reasoning (deduction) is used to prove properties.
     - Functional correctness: all possible runs satisfy a declarative specification of the externally observable behaviour.
     - Contract-based specifications (the standard approach).
  4. Architectures in deductive verification
     1. On top of interactive proof assistants: Isabelle/HOL, Coq, HOL Light, PVS.
     2. Automatic program verifiers
        2.1 Program logics for a specific target language: ACL2, KeY, KIV, VeriFun.
        2.2 VCG + automatic theorem provers (SMT solvers): SPARK, VeriFast, Dafny, Why, Frama-C.
  5. Pros & Cons
     1. On top of interactive proof assistants
        + Higher level of assurance
        - More work demanded / lower level of automation
     2. Automatic program verifiers
        2.1 Program logics for a specific target language
            + The verification flow follows the execution flow of the target system
            - The implementation effort for a new language is substantial
        2.2 VCG + automatic theorem provers
            + Modular architecture
            + Exploits the progress in automated reasoning
            - Proof failures are hard to analyse
            - Lower level of trust
  6. Dafny
     - Dafny is an automatic verifier of the VCG + TP family (verification condition generation plus an automatic theorem prover).
     - Dafny is being developed by Microsoft Research.
     - Dafny is also a programming language with built-in specification constructs.
     - Dafny provides design-time feedback: fluid interaction for accessible integrated verification.
     - Dafny generates executable (.NET) code, omitting specification (ghost) constructs.
  7. Example: a function, a predicate, a lemma and a method with contracts. The bodies are folded in the editor on the slide and are marked with comments here.

         function f(n: int): int
         { n*n*n + 2*n }

         predicate divBy3(n: int)
         { n % 3 == 0 }

         lemma fnIsDivBy3(n: int)
           requires 0 <= n
           ensures divBy3(f(n))
         { ... }  // body folded on the slide

         method M(m: int) returns (a: array<int>)
           requires m >= 0
           ensures a != null
           ensures a.Length == m+1
           ensures forall i :: 0 <= i <= m ==> (a[i] == f(i) && divBy3(a[i]))
         { ... }  // body folded on the slide

         method Main()
         { ... }  // body folded on the slide

     Links on the slide: DFY FILE, EXE FILE.
  8. Dafny in Teaching
     Métodos Formales de Desarrollo de Software (Formal Methods for Software Development)
     Elective, 4th year, 6 credits, Grado en Ingeniería Informática (degree in Computer Engineering), UPV/EHU
     1. Introduction
     2. Automated Reasoning and Software Development
     3. Dafny
     4. Verification Condition Generation
     5. Datatypes and predicates
     6. Lemmas, assume and calculations
     7. Ghost Entities
     8. Arrays and Framing
     9. Object-Oriented Software
 10. Verification Condition Generation
     VCG({ϕ} S {ψ}) = {ϕ → wp(S, ψ)} ∪ vc+(S, ψ)
     where wp is the well-known weakest precondition and vc+ is defined as follows:
       vc+(x := t, ψ) = vc+(skip, ψ) = ∅
       vc+(S1; S2, ψ) = vc+(S1, wp(S2, ψ)) ∪ vc+(S2, ψ)
       vc+(if b then S1 else S2, ψ) = vc+(S1, ψ) ∪ vc+(S2, ψ)
       vc+(while b invariant α { S }, ψ) = {(α ∧ b) → wp(S, α), (α ∧ ¬b) → ψ} ∪ vc+(S, α)
 11. RootApprox.dfy

         method RootApprox(x: int) returns (z: int)
           requires x >= 0
           ensures z <= x*x < z+1
         {
           z := 0;
           while (z+1 <= x*x)
             invariant z <= x*x
             // decreases x*x - z
           {
             z := z + 1;
           }
         }
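The rules of slide 10 applied to RootApprox from slide 11, as an added Python illustration (not code from the talk and not how Dafny is implemented): a small VC generator that implements wp and vc+ literally over a tuple-encoded statement language, then evaluates the generated conditions on every state of a bounded integer domain. That evaluation is a cheap sanity check of the annotations before an SMT solver is asked for a real proof, not a proof itself. One assumption not stated on the slide: the wp of an annotated loop is its invariant (the loop's own obligations are the two conditions vc+ collects). The function names and the deliberately wrong invariant BAD_INV are mine.

```python
"""Verification-condition generation for the while-language of slide 10,
checked against RootApprox (slide 11) on a bounded domain.

Formulas and expressions are Python callables over a state (dict mapping
variable names to ints), so the substitution in wp(x := t, psi) = psi[t/x]
is implemented by evaluating psi in the updated state.
"""
from itertools import product

# --- statements, encoded as tuples -----------------------------------------
def skip():                 return ("skip",)
def assign(x, t):           return ("assign", x, t)
def seq(s1, s2):            return ("seq", s1, s2)
def ite(b, s1, s2):         return ("if", b, s1, s2)
def while_(b, inv, body):   return ("while", b, inv, body)

def implies(p, q):
    """The formula p -> q as a callable over states."""
    return lambda s: (not p(s)) or q(s)

def wp(S, psi):
    """Weakest precondition of statement S with respect to postcondition psi."""
    kind = S[0]
    if kind == "skip":
        return psi
    if kind == "assign":
        _, x, t = S
        return lambda s: psi({**s, x: t(s)})          # psi[t/x]
    if kind == "seq":
        _, s1, s2 = S
        return wp(s1, wp(s2, psi))
    if kind == "if":
        _, b, s1, s2 = S
        w1, w2 = wp(s1, psi), wp(s2, psi)
        return lambda s: w1(s) if b(s) else w2(s)
    if kind == "while":
        return S[2]          # assumed rule: wp of an annotated loop is its invariant
    raise ValueError(kind)

def vc_plus(S, psi):
    """Side conditions vc+(S, psi) from slide 10, as (label, formula) pairs."""
    kind = S[0]
    if kind in ("skip", "assign"):
        return []
    if kind == "seq":
        _, s1, s2 = S
        return vc_plus(s1, wp(s2, psi)) + vc_plus(s2, psi)
    if kind == "if":
        _, b, s1, s2 = S
        return vc_plus(s1, psi) + vc_plus(s2, psi)
    if kind == "while":
        _, b, inv, body = S
        both = lambda s: inv(s) and b(s)                # alpha and b
        done = lambda s: inv(s) and not b(s)            # alpha and not b
        return ([("invariant preserved", implies(both, wp(body, inv))),
                 ("postcondition on exit", implies(done, psi))]
                + vc_plus(body, inv))
    raise ValueError(kind)

def vcg(phi, S, psi):
    """VCG({phi} S {psi}) = {phi -> wp(S, psi)} union vc+(S, psi)."""
    return [("precondition implies wp", implies(phi, wp(S, psi)))] + vc_plus(S, psi)

def counterexamples(vcs, variables, values):
    """Evaluate each VC on all states over a finite domain. Returns the first
    failing state per VC as (label, state); an empty list means every VC holds
    on the domain (a sanity check, not a proof)."""
    failures = []
    for label, vc in vcs:
        for vals in product(values, repeat=len(variables)):
            s = dict(zip(variables, vals))
            if not vc(s):
                failures.append((label, s))
                break
    return failures

# --- RootApprox exactly as on slide 11, with a pluggable loop invariant ------
def root_approx(invariant):
    return seq(assign("z", lambda s: 0),
               while_(lambda s: s["z"] + 1 <= s["x"] * s["x"],
                      invariant,
                      assign("z", lambda s: s["z"] + 1)))

PRE      = lambda s: s["x"] >= 0
POST     = lambda s: s["z"] <= s["x"] * s["x"] < s["z"] + 1
GOOD_INV = lambda s: s["z"] <= s["x"] * s["x"]   # the invariant on the slide
BAD_INV  = lambda s: s["z"] <  s["x"] * s["x"]   # too strong: false initially for x == 0,
                                                 # and not preserved when z+1 == x*x

def check_root_approx(invariant, bound=6):
    """Generate the VCs for RootApprox and look for counterexamples with
    x, z in [-bound, bound*bound]."""
    vcs = vcg(PRE, root_approx(invariant), POST)
    return counterexamples(vcs, ("x", "z"), range(-bound, bound * bound + 1))

if __name__ == "__main__":
    print("slide invariant:", check_root_approx(GOOD_INV))   # []
    print("bad invariant:  ", check_root_approx(BAD_INV))    # two failing VCs with witnesses
```

With the slide's invariant all three conditions hold on the whole domain; with BAD_INV the generator reports which obligation fails and a witness state, which is exactly the information slide 23 says is hard to get from a verifier once the solver times out instead of answering.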
 13. Natural Mergesort ([Knuth, 1973])
     Input list: 1, 2, 8, 6, 5, 1, 7, 6, 5, 4, 1, 0, 1, 3
     Taking advantage of the ascending and descending chains, split the data into as many ascending sublists as required:
       [1, 2, 8], [1, 5, 6], [0, 1, 4, 5, 6, 7], [1, 3]
     Merge pairwise:
       [1, 1, 2, 5, 6, 8], [0, 1, 4, 5, 6, 7], [1, 3]
     Merge pairwise again:
       [0, 1, 1, 1, 2, 4, 5, 5, 6, 6, 7, 8], [1, 3]
     Merge pairwise again:
       [0, 1, 1, 1, 1, 2, 3, 4, 5, 5, 6, 6, 7, 8]
 14-17. (Slides 14/25 to 17/25 carry no extracted text.)
 18. Demo link on the slide: DFY FILE
 19. Demo links on the slide: DFY FILE, INTERMEDIATE DFY FILE, CLEAN DFY FILE
 21. Specifications and ghost constructs are used only during verification; the compiler omits them from the executable code.
     - lemma is equivalent to ghost method.
     - By default, functions are ghost.
     - Ghost variables are useful when computing a value x makes it possible to specify something interesting, but x is not needed in the real code. For example:
       - a ghost value with some interesting property that can be specified and used to prove a property;
       - termination proofs;
       - specifying class invariants in OO programming;
       - etc.
     Demo links on the slide: DFY FILE, FINAL DFY FILE
 22. Advantages
     - Dafny is concise, intuitive and fast. (Link on the slide: My Experience.pdf)
     - The programmer interacts with Dafny in the same way as with the compiler.
     - The Dafny language syntax itself is not difficult to get used to, as it is quite similar to other languages, such as Java and C#, Haskell, etc.
     - Executable code generation.
     - Ghosting: one can include verification code without affecting the performance of the executable program itself.
     - Dafny (i.e. VCG + TP) benefits from ATP improvements.
 23. Limitations
     - Complex/subtle systems require large annotations. "Not verification but specification could be the real bottleneck for verification of large software systems."
     - Correctness is relative to a given specification. Example: forgetting the permutation property of a sorting algorithm.
     - Whether some assertions verify depends on the efficiency/heuristics of the SMT solver. Example on the slide: DFY FILE.
     - The verifier does not produce useful information for verification attempts that time out. A difficult problem.
 24. Conclusion
     - Development of the language and verifier is very active and ongoing: Dafny 1.9.5 (May 11, 2015) is the 11th stable release since Oct 30, 2012.
     - A promising tool for the automatic, static verification of full functional correctness of program code.
     - Dafny (and similar tools) are not only useful for helping us teach verification to undergraduate students, but also one of the reasons why software verification should be mandatory in the SE undergraduate curriculum.
 25. "The beauty of a theorem from mathematics, the preciseness of an inference rule in logic, the intrigue of a puzzle, and the challenge of a game – all are present in the field of automated reasoning." (Larry Wos, 1988)
