K. Rustan M. Leino RiSE, Microsoft Research 1 Dec 2008 Invited talk, working group meeting COST Action IC0701, Formal Verification of Object-Oriented Software Madrid, Spain

experimental language sequential, object based (no subclassing) specifications in the style of dynamic frames coarse-grained frames (at the level of whole objects, not individual memory locations)

queue linked list with head/tail pointers in-situ list reversal integer set binary tree Schorr-Waite marking algorithm

Program ::= Class* Class ::= class C { Member* } Member ::= Field Method Function

var x : T;

T ::= bool int set seq C object

method M (Param*) returns (Param*) Spec* { Stmt* }

Stmt ::= var x: T; x := E; E.f := E’; x := new C ; call x* := E.M(E*); if (E) { Stmt* } else { Stmt* } while (E) invariant J; decreases F; { Stmt* } foreach (x in S) { x.f := E; }

Spec ::= requires E; modifies S; ensures E; where “modifies S” means modifies Heap ensures (  o,f  Heap[o,f] = old(Heap)[o,f]  o  old(S)  ¬ old(Heap)[o,alloc]) modifies clauses are enforced at every update

function F (Param*): T reads Rd; { Expr } produces definitional axiom: (  Heap,this,x  F(Heap,this,x) = Expr)

ensures definitional axioms are consistent reading o.f requires o  Rd calling a function G requires Rd G  Rd produces frame axiom: (  h0,h1,this,x  (  o,f  o  Rd  h0[o,f] = h1[o,f])  F(h0,this,x) = F(h1,this,x))

*) well, pretty much… *

class C { var footprint: set ; function Valid(): bool reads {this},footprint; { this  footprint  … } …

method Init() modifies {this}; ensuresValid()  fresh(footprint – {this});

method M() requires Valid(); modifies footprint; ensuresValid()  fresh(footprint – old(footprint));

:Queue:Queue :Node:Node:Node:Node:Node:Node:Node:Node head tail

Specification (excerpt): ensures root.marked; ensures (  n, i  n.marked  0 ≤ i < |n.children|  n.children[i] = null  n.children[i].marked); Loop invariant (excerpt): invariant t.marked; invariant (  n, i  n.marked  0 ≤ i < |n.children|  n  nodeStack  n.children[i] = null  n.children[i].marked);

decreases { n | ¬ n.marked }, |nodeStack|, |t.children| – t.childrenVisited;

ensures root.marked; ensures (  n, i  n.marked  0 ≤ i < |n.children|  n.children[i] = null  n.children[i].marked); ensures (  n  Reach(root,n)  ¬n.marked);

Dynamic-frame specifications are useful and flexible A language design around dynamic frames can be simple Thus good in teaching? Specifications are verbose, but perhaps simplification techniques can be applied (like in Spec# or Chalice) Currently missing in Dafny: scopes for axioms

Pure methods are hard, functions are easy SMT solvers work better with ghost fields than with functions Reachability is not always necessary in specifications Sets and sequences are nice as value types Generics are a cinch Decreases bound checks can be more liberal than naïve translation

SMT solvers can be used for functional- correctness verification Inductive predicates seem useful cases fit nicely with matching triggers take us in the direction of the input languages of interactive theorem provers Need: better views/visualizations of program states to clarify error messages and, generally, what’s going on

Try it for yourself: