Modular Verification Scopes via Export Sets and Translucent Exports
Following software engineering best practices, programs are divided into modules to facilitate information hiding. A variety of programming-language constructs provide ways to define a module and to classify which of its declarations are private to the module and which are available to public clients of the module.
Many declarations can be viewed as consisting of a signature and a body. For such a declaration, a module may want to export just the signature or both the signature and body. This translucency is particularly useful when formally verifying a program, because it lets a module decide how much of a declaration clients are allowed to depend on.
This article describes a module system that supports multiple export sets per module. Each export set indicates the translucency of its exported declarations. The module system is implemented as part of the verification-aware programming language Dafny. Experience with the module system suggests that translucency is useful.
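The following is an added illustration, not code from the paper, of the two translucency levels the abstract describes, written in the export-set syntax of current Dafny (where `provides` exports only a declaration's signature and `reveals` exports its body as well; the module and member names are invented for this example):

```dafny
// Added example (not from the paper). One module, two export sets:
//   Opaque      - clients see only the signature of Double
//   Transparent - clients also see the body of Double
module Arith {
  // Opaque export: Double's body is hidden; clients may still use the
  // lemma DoubleIsEven, whose postcondition is part of its signature.
  export Opaque provides Double, DoubleIsEven

  // Translucent export: the body of Double is revealed, so clients can
  // reason about 2 * x directly.
  export Transparent reveals Double provides DoubleIsEven

  function Double(x: int): int { 2 * x }

  lemma DoubleIsEven(x: int)
    ensures Double(x) % 2 == 0
  { }
}

module OpaqueClient {
  import A = Arith`Opaque

  method Test() {
    // `assert A.Double(3) == 6;` would NOT verify here: the body is hidden,
    // so the client depends only on what the module chose to expose.
    A.DoubleIsEven(3);
    assert A.Double(3) % 2 == 0;
  }
}

module TransparentClient {
  import A = Arith`Transparent

  method Test() {
    // Verifies: the revealed body lets the verifier unfold Double(3).
    assert A.Double(3) == 6;
  }
}
```

Switching a client from `Arith`Transparent` to `Arith`Opaque` is the check a practitioner wants: any client proof that silently relied on the body (rather than on the exported lemma) stops verifying, which makes the actual dependency surface of the module visible.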
This work was done in 2016 when both of us were at Microsoft Research. We are grateful to the Ironclad team at Microsoft Research, especially Chris Hawblitzel, Jay Lorch, and Bryan Parno, who went through the pains of using the (several!) previous module systems of Dafny, and offered constant feedback and valuable suggestions. Jason Koenig and Michael Lowell Roberts were instrumental in experimenting with various module-system features that influenced the current design.