Dafny
AWS[citation needed] | |
| First appeared | 2009 |
|---|---|
| Stable release | 3.7.2
/ July 14, 2022 |
| Typing discipline | Static, strong, safe |
| License | MIT License |
| Filename extensions | .dfy |
| Website | dafny |
Dafny is an
Dafny is widely used in teaching[citation needed] because it provides a simple, integrated introduction to formal specification and verification; it is regularly featured in software verification competitions (e.g. VSTTE'08,[3] VSCOMP'10,[4] COST'11,[5] and VerifyThis'12[6]).
Dafny was designed as a verification-aware programming language, requiring verification along with code development. It thus fits the "Correct by Construction" software development paradigm. Verification proofs are supported by a mathematical toolbox that includes mathematical integers and reals, bit-vectors, sequences, sets, multisets, infinite sequences and sets, induction, co-induction, and calculational proofs. Verification obligations are discharged automatically, given sufficient specification. Dafny uses some program analysis to infer many specification assertions, reducing the burden on the user of writing specifications. The general proof framework is that of Hoare logic.
Dafny builds on the Boogie
Data types
 |
Dafny provides methods for implementation which may have side-effects and functions for use in specification which are pure.[9] Methods consist of sequences of statements following a familiar imperative style whilst, in contrast, the body of a function is simply an expression. Any side-effecting statements in a method (e.g. assigning an element of an array parameter) must be accounted for by noting which parameters can be mutated, using the modifies clause. Dafny also provides a range of immutable collection types including: sequences (e.g. seq<int>), sets (e.g. set<int>), maps (map<int,int>), tuples, inductive datatypes and mutable arrays (e.g. array<int>).
Imperative features
|
The following illustrates many of the features in Dafny, including the use of preconditions, postconditions, loop invariants and loop variants.
method max(arr:array<int>) returns (max:int)
// Array must have at least one element
requires arr.Length > 0
// Return cannot be smaller than any element in array
ensures forall j : int :: j >= 0 && j < arr.Length ==> max >= arr[j]
// Return must match some element in array
ensures exists j : int :: j>=0 && j < arr.Length && max == arr[j]
{
max := arr[0];
var i: int := 1;
//
while(i < arr.Length)
// Index at most arr.Length (needed to show i==arr.Length after loop)
invariant i <= arr.Length
// No element seen so far larger than max
invariant forall j:int :: j >= 0 && j < i ==> max >= arr[j]
// Some element seen so far matches max
invariant exists j:int :: j >= 0 && j < i && max == arr[j]
// arr.Length - i decreases at every step and is lower-bounded by 0
decreases arr.Length - i
{
// Update max if larger element encountered
if (arr[i] > max) {
max := arr[i];
}
// Continue through array
i := i + 1;
}
}
This example computes the maximum element of an array. The method's precondition and postcondition are given with the requires and ensures clauses (respectively). Likewise, the loop invariant and loop variant are given through the invariant and decreases clauses (respectively).
Loop invariants
The treatment of loop invariants in Dafny differs from traditional Hoare logic. Variables mutated in a loop are treated such that (most) information known about them prior to the loop is discarded. Information required to prove properties of such variables must be expressed explicitly in the loop invariant. In contrast, variables not mutated in the loop retain all information known about them beforehand. The following example illustrates using loops:
method sumAndZero(arr: array<int>) returns (sum: nat)
requires forall i :: 0 <= i < arr.Length ==> arr[i] >= 0
modifies arr
{
var i: int := 0;
sum := 0;
//
while(i < arr.Length) {
sum := sum + arr[i];
arr[i] := arr[i];
i := i + 1;
}
}
This fails verification because Dafny cannot establish that (sum + arr[i]) >= 0 holds at the assignment. From the precondition, intuitively, forall i :: 0 <= i < arr.Length ==> arr[i] >= 0 holds in the loop since arr[i] := arr[i]; is a NOP. However, this assignment causes Dafny to treat arr as a mutable variable and drop information known about it from before the loop. To verify this program in Dafny we can either (a) remove the redundant assignment arr[i] := arr[i];; or (b) add the loop invariant invariant forall i :: 0 <= i < arr.Length ==> arr[i] >= 0
Dafny additionally employs limited static analysis to infer simple loop invariants where possible. In the example above, it would seem that the loop invariant invariant i >= 0 is also required as variable i is mutated within the loop. Whilst the underlying logic does require such an invariant, Dafny automatically infers this and, hence, it can be omitted at the source level.
Proof features
Dafny includes features which further support its use as a proof assistant. Although proofs of simple properties within a function or method (as shown above) are not unusual for tools of this nature, Dafny also allows the proof of properties between one function and another. As is common for a proof assistant, such proofs are often inductive in nature. Dafny is perhaps unusual in employing method invocation as a mechanism for applying the inductive hypothesis. The following illustrates:
datatype List = Nil | Link(data: int, next: List)
function sum(l: List): int {
match l
case Nil => 0
case Link(d, n) => d + sum(n)
}
predicate isNatList(l: List) {
match l
case Nil => true
case Link(d, n) => d >= 0 && isNatList(n)
}
lemma NatSumLemma(l: List, n: int)
requires isNatList(l) && n == sum(l)
ensures n >= 0
{
match l
case Nil =>
// Discharged Automatically
case Link(data, next) => {
// Apply Inductive Hypothesis
NatSumLemma(next, sum(next));
// Check what known by Dafny
assert data >= 0;
}
}
Here, NatSumLemma proves a useful property between sum() and isNatList() (i.e. that isNatList(l) ==> (sum(l) >= 0)). The use of a ghost method for encoding lemmas and theorems is standard in Dafny with recursion employed for induction (typically, structural induction). Case analysis is performed using match statements and non-inductive cases are often discharged automatically. The verifier must also have complete access to the contents of a function or predicate in order to unroll them as necessary. This has implications when used in conjunction with access modifiers. Specifically, hiding the contents of a function using the protected modifier can limit what properties can be established about it.
See also
References
- .
- .
- .
- .
- .
- S2CID 14301377.
- ^ "Z3 Homepage". GitHub. 2019-02-07.
- .
- ^ "Dafny Programming Language". 2022-07-14.
Further reading
- Meyer, Bertrand; Nordio, Martin, eds. (2012). Tools for Practical Software Verification: International Summer School, LASER 2011, Elba Island, Italy, Revised Tutorial Lectures. ISBN 978-3642357459.
- Sitnikovski, Boro (2022). Introducing Software Verification with Dafny Language: Proving Program Correctness. Apress. ISBN 978-1484279779.
External links
- Dafny: A Language and Program Verifier for Functional Correctness - Microsoft Research
- GitHub - dafny-lang/dafny: Dafny is a verification-aware programming language
| Others | ||
|---|---|---|
- Dynamics AX
- BASIC
- Visual Basic
- Bosque
- Visual C++
- C#
- C/AL
- Dafny
- Dexterity
- F#
- F*
- Visual FoxPro
- Java
- JavaScript
- IronPython
- IronRuby
- Lean
- P
- Power Fx
- PowerShell
- Project Verona
- Q#
- Small Basic
- VPL
- XAML
frameworks
| Native | |
|---|---|
| .NET | |
| Device drivers |
| SQL Server | |
|---|---|
| SQL services | |
| Other |
debugging
| Main projects |
| ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MSR Labs applied research |
| ||||||||||||||