K. Rustan M. Leino
RiSE, Microsoft Research
17 July 2009
JML seminar
Dagstuhl, Germany
experimental language
sequential, object based (no subclassing)
specifications in the style of dynamic frames
coarse-grained frames (at the level of whole
objects, not individual memory locations)
queue
linked list with head/tail pointers
in-situ list reversal
integer set
binary tree
Schorr-Waite marking algorithm
Program ::=
Class*
Class ::=
class C<TypeParam*> { Member* }
Member ::=
Field
Method
Function
A frame is a set of locations
A dynamic frame (in the sense of Dafny) is
an expression that denotes a frame
Methods have modifies clauses
Functions have reads clauses
Dynamic-frame specifications are useful
and flexible
A language design around dynamic frames
can be simple
Thus good in teaching?
Specifications are verbose, but perhaps
simplification techniques can be applied
(like in Spec# or Chalice)
Currently missing in Dafny: scopes for
axioms
Pure methods are hard, functions are easy
SMT solvers work better with ghost fields
than with functions
Reachability is not always necessary in
specifications
Sets and sequences are nice as value
types
Generics are a cinch
Decreases bound checks can be more
liberal than naïve translation
SMT solvers can be used for functionalcorrectness verification
Inductive predicates seem useful
cases fit nicely with matching triggers
take us in the direction of the input
languages of interactive theorem provers
Need: better views/visualizations of
program states to clarify error messages
and, generally, what’s going on
Dafny is available as open source:
http://boogie.codeplex.com