
Program Proofs

K. Rustan M. Leino

Illustrated by Kaleb Leino

The MIT Press


Cambridge, Massachusetts
London, England
© 2023 Massachusetts Institute of Technology

All rights reserved. No part of this book may be reproduced in any form by any
electronic or mechanical means (including photocopying, recording, or information
storage and retrieval) without permission in writing from the publisher.

The MIT Press would like to thank the anonymous peer reviewers who provided
comments on drafts of this book. The generous work of academic experts is essential
for establishing the authority and quality of our publications. We acknowledge with
gratitude the contributions of these otherwise uncredited readers.

This book was set in TEX Gyre Pagella, Bera Mono, and Noto Emoji by the author.
Printed and bound in the United States of America.
Illustrated by Kaleb Leino.

Library of Congress Cataloging-in-Publication Data is available.

ISBN: 978-0-262-54623-2

10 9 8 7 6 5 4 3 2 1
Contents

Preface ix
Notes for Teachers xv
0. Introduction 1
0.0. Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
0.1. Outline of Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
0.2. Dafny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
0.3. Other Languages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Part 0. Learning the Ropes


1. Basics 9
1.0. Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1. Assert Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2. Working with the Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3. Control Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4. Method Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.5. Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.6. Compiled versus Ghost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.7. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2. Making It Formal 25
2.0. Program State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.1. Floyd Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.2. Hoare Triples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
2.3. Strongest Postconditions and Weakest Preconditions . . . . . . . . . . . . 32
2.4. WP and SP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.5. Conditional Control Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.6. Sequential Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.7. Method Calls and Postconditions . . . . . . . . . . . . . . . . . . . . . . . 46
2.8. Assert Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.9. Weakest Liberal Preconditions . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.10. Method Calls with Preconditions . . . . . . . . . . . . . . . . . . . . . . . 55
2.11. Function Calls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
2.12. Partial Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
2.13. Method Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.14. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3. Recursion and Termination 63
3.0. The Endless Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.1. Avoiding Infinite Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.2. Well-Founded Relations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.3. Lexicographic Tuples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.4. Default decreases in Dafny . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4. Inductive Datatypes 83
4.0. Blue-Yellow Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.1. Matching on Datatypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2. Discriminators and Destructors . . . . . . . . . . . . . . . . . . . . . . . . 86
4.3. Structural Inclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.4. Enumerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.5. Type Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.6. Abstract Syntax Trees for Expressions . . . . . . . . . . . . . . . . . . . . . 90
4.7. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5. Lemmas and Proofs 95
5.0. Declaring a Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.1. Using a Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5.2. Proving a Lemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.3. Back to Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.4. Proof Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.5. Example: Reduce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.6. Example: Commutativity of Multiplication . . . . . . . . . . . . . . . . . . 115
5.7. Example: Mirroring a Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
5.8. Example: Working on Abstract Syntax Trees . . . . . . . . . . . . . . . . . 122
5.9. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Part 1. Functional Programs


6. Lists 137
6.0. List Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
6.1. Length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
6.2. Intrinsic versus Extrinsic Specifications . . . . . . . . . . . . . . . . . . . . 139
6.3. Take and Drop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.4. At . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.5. Find . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
6.6. List Reversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
6.7. Lemmas in Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
6.8. Eliding Type Arguments . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
6.9. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
7. Unary Numbers 161
7.0. Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.1. Comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.2. Addition and Subtraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
7.3. Multiplication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.4. Division and Modulus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
8. Sorting 175
8.0. Specification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
8.1. Insertion Sort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
8.2. Merge Sort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
8.3. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
9. Abstraction 189
9.0. Grouping Declarations into Modules . . . . . . . . . . . . . . . . . . . . . 190
9.1. Module Imports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
9.2. Export Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
9.3. Modular Specification of a Queue . . . . . . . . . . . . . . . . . . . . . . . 194
9.4. Equality-Supporting Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
9.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
10. Data-Structure Invariants 207
10.0. Priority-Queue Specification . . . . . . . . . . . . . . . . . . . . . . . . . 208
10.1. Designing the Data Structure . . . . . . . . . . . . . . . . . . . . . . . . . 210
10.2. Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
10.3. Making Intrinsic from Extrinsic . . . . . . . . . . . . . . . . . . . . . . . . 224
10.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Part 2. Imperative Programs


11. Loops 235
11.0. Loop Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
11.1. Loop Implementations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
11.2. Loop Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
11.3. Summarizing the Loop Rule . . . . . . . . . . . . . . . . . . . . . . . . . . 250
11.4. Integer Square Root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
11.5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
12. Recursive Specifications, Iterative Programs 257
12.0. Iterative Fibonacci . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
12.1. Fibonacci Squared . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
12.2. Powers of 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
12.3. Sums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
12.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
13. Arrays and Searching 275
13.0. About Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
13.1. Linear Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
13.2. Binary Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
13.3. Minimum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
13.4. Coincidence Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
13.5. Slope Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
13.6. Canyon Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
13.7. Majority Vote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
13.8. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
14. Modifying Arrays 321
14.0. Simple Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
14.1. Basic Array Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
14.2. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
15. In-situ Sorting 337
15.0. Dutch National Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
15.1. Selection Sort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
15.2. Quicksort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
15.3. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
16. Objects 351
16.0. Checksums . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
16.1. Tokenizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
16.2. Simple Aggregate Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
16.3. Full Aggregate Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
16.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
17. Dynamic Heap Data Structures 387
17.0. Lazily Initialized Arrays . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
17.1. Extensible Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
17.2. Binary Search Tree for a Map . . . . . . . . . . . . . . . . . . . . . . . . . 403
17.3. Iterator for the Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
17.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423

A. Dafny Syntax Cheat Sheet 427


B. Boolean Algebra 433
B.0. Boolean Values and Negation . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.1. Conjunction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.2. Predicates and Well-Definedness . . . . . . . . . . . . . . . . . . . . . . . 434
B.3. Disjunction and Proof Format . . . . . . . . . . . . . . . . . . . . . . . . . 435
B.4. Implication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
B.5. Proving Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
B.6. Free Variables and Substitution . . . . . . . . . . . . . . . . . . . . . . . . 439
B.7. Universal Quantification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
B.8. Existential Quantification . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
C. Answers to Select Exercises 445
References 459
Index 467
Preface

Welcome to Program Proofs!


I’ve designed this book to teach a practical understanding of what it means to write
specifications for code and what it means for code to satisfy the specifications. In this
preface, I want to tell you about the book itself and how to use it.

Programs and Proofs


When I first learned about program verification, all program developments and proofs
were done by hand. I loved it. But I think I was the only one in the class who did. Even
if you do love it, it’s not clear how to connect the activity you have mastered on paper
with the activity of sitting in front of a computer trying to get a program to work. And
if you didn’t love the proofs in the first place and didn’t get enough practice to master
them, it’s not clear you make any connection whatsoever between these two activities.
To bring the two activities closer together, you need to get experience in seeing the
proofs at work in a programming language that the computer recognizes. And playing
out the activity of writing specifications and proofs together with programs has the
additional benefit that the computer can check the proofs for you. This way, you get
instant feedback that helps you understand what the proofs are all about. Instead of
turning in your handwritten homework and getting it back from the teaching assistant
a week later (when you have forgotten what the exercises were about and the teaching
assistant’s comments on your paper seem less important than next week’s looming
assignment), you can interact with the automated verifier dozens of times in a short
sitting, all in the context of the program you’re writing!
Trying to teach program-proof concepts in the setting of an actual programming
language may seem like madness. Most languages were not designed for verification,
and trying to bolt specification and proof-authoring features onto such a language is at
best clumsy. Moreover, if you had to learn a separate notation for writing proofs or
interacting with the automated verifier, the burden on the learner would become even
greater. To really connect the program and proof activities, I argue you want to teach
verification in terms of software-engineering concepts (like preconditions, invariants,
and assertions), not in terms of induction schemas, semantics-mapping transforms,
and prover directives.

Luckily, there are several programming languages designed to support specifications
and proofs (so-called verification-aware languages), and there are integrated development
environments (IDEs) that run the automated verifiers (sometimes known as
auto-active verifiers: automated tooling that offers interaction via the program text [82]).
Among these are the functional languages WhyML [20] and F* [53], the Ada-based
SPARK language [43, 117], the object-oriented language Eiffel [89, 44, 121], the
imperative languages GRASShopper [126] and Whiley [109], and—what I use in this
book—Dafny [76, 78, 35]. In a similar spirit, but with annotation languages that have
been added to existing programming languages, are ACL2 (for Applicative Common
LISP) [71], VeriFast (for C and Java) [64], the KeY toolset (for Java) [2], OpenJML (for
Java with JML annotations) [105, 26, 66], the Frama-C toolset (for C) [14], Stainless
(for Scala) [118], Prusti (for Rust) [5], Nagini (for Python) [45], Gobra (for Go) [4],
and LiquidHaskell (for Haskell) [86]. In the notes at the end of chapters, I occasionally
point out some alternative notation or other differences with these other tools, so
as to make the concepts and experiences taught in this book readily applicable to those
language settings as well.

Material
I have written this book to support the level of a second-year university course in
computer science. It can also be used as a comprehensive introduction for industrial
software engineers who are new to specification and verification and want to apply such
techniques in their work.
The book assumes basic knowledge of programs and programming. The style of
this prior programming (functional, imperative) and the particular prior language
used are not so important, but it is helpful if the prior programming has not completely
ignored the concept of types.
The book also assumes some basics of logic. The “and”, “or”, and “not” operators
from programming will go a long way, but some fluency with implication (logical
consequence) is also important. For example, a reader is expected to feel comfortable with
the meaning of a formula like
2 <= x ==> 10 <= 4 * (x + 1)

The book’s Appendix B reviews some useful logic rules, but is hardly suitable as a first
introduction to logic. For that, I would recommend a semester course in logic.
Beyond the basics of logic, concepts like mathematical induction and well-founded
orderings play a role in program proofs. The book explains these concepts as needed.
The book is divided into three parts. Part 0 covers some foundations, leading up
to writing proofs. After that, Part 1 focuses on (specifications and proofs of)
functional programs and Part 2 on imperative programs. Other than occasional references
between these parts, Parts 1 and 2 are independent of each other.

What the Book Is Not


Here are some things this book is not:

• It is not a beginner’s guide to programming. The book assumes the reader has
written (and compiled and run) basic programs in either a functional or imperative
language. This seems like a reasonable assumption for a second-year university
course in computer science.
• It is not a beginner’s guide to logic, but see Appendix B for a review of some
useful logic rules and some exercises.
• It is not a Dafny language guide or reference manual. The focus is on teaching
program proofs. The book explains the Dafny constructs in the way they are used
to support this learning, and Appendix A provides a cheat sheet for the language.
• It is not a research survey. There are many (mature or under-development)
program-reasoning techniques that are not covered. There are also many useful
programming paradigms that are not covered. The mathematics or motivations
behind those advanced techniques are outside the scope of this book. Instead, this
book focuses on teaching basic concepts and includes best practices for doing so.
• The book does not teach how to build a program verifier. Indeed, throughout
this book, I treat the verifier as a black box. A recurring theme is the process of
building proofs manually, which is good practice for interacting with any verifier.

How to Read This Book


Here is a rough chapter dependency graph:
[Figure: chapter dependency graph; the image is not reproduced in this extract.]

Sections 13.7, 15.0, and 16.1 depend on Chapter 4, but the rest of their enclosing chapters
do not. The dotted lines show recommended dependencies—it would be beneficial, but
not absolutely required, to study Chapter 7 before Chapters 8 and 12, and likewise to
study Chapter 6 before Chapter 12.

Dafny
All specifications, programs, and program proofs in the book use the Dafny programming
language and can be checked in the Dafny verification system. Broadly speaking,
the constructs of the Dafny language support four kinds of activities.
• There are constructs for imperative programming, such as assignment statements,
loops, arrays, and dynamically allocated objects. The simpler of these are the
bread and butter of many classic treatments of program proofs.
• There are constructs for functional programming, such as recursive functions and
algebraic datatypes. In Dafny, these behave like in mathematics; for example,
functions are deterministic and cannot change the program state.
• There are constructs for writing specifications, such as preconditions, loop invariants,
and termination metrics. The way these are integrated into the language
has been influenced by the pioneering Eiffel language and the Java Modeling
Language (JML). Specifications can use any of the functional-language features,
which makes them quite expressive.
• Lastly, there are constructs for proof authoring, such as lemmas and proof calculations.
These various features blend together. For example, all the constructs use the same
expression language; these expressions include chaining expressions (like
0 <= x < y < 100), implication (==>), quantifications (forall, exists), and sets (like
{2, 3, 5}), which are often found in specifications and math, but can also be used in
programs; methods, functions, and proofs bind values to local variables in the same
way; in a method, an if statement divides up control flow, and in a lemma, it divides
up proof obligations; variables can be marked as ghost, which makes them suitable for
abstraction, but otherwise behave as ordinary compiled variables; and induction is
achieved simply by calling a lemma recursively, where termination is specified and
checked in the same way as for methods and functions.
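The constructs just listed, together with the implication formula shown in the Material section, put to work in one small Dafny file. This is an added illustration and not code from the book; the names Sum, SumMonotone, SumClosedForm, ImplicationExample and SumUpTo are invented for it.

```dafny
// Added illustration, not from the book. All declaration names are made up.

// A recursive function: deterministic and unable to change program state.
function Sum(n: nat): nat
{
  if n == 0 then 0 else n + Sum(n - 1)
}

// Induction is a lemma calling itself; the default 'decreases' on the
// parameters is what the verifier uses to check that the recursion ends.
lemma SumMonotone(k: nat, n: nat)
  requires k <= n
  ensures Sum(k) <= Sum(n)
{
  if k < n {
    SumMonotone(k, n - 1);
  }
}

// Closed form 2 * Sum(n) == n * (n + 1), again proved by recursive call.
lemma SumClosedForm(n: nat)
  ensures 2 * Sum(n) == n * (n + 1)
{
  if n != 0 {
    SumClosedForm(n - 1);
  }
}

// The implication from the Material section, stated as a lemma. The body is
// empty because the verifier's linear arithmetic discharges it on its own.
lemma ImplicationExample(x: int)
  ensures 2 <= x ==> 10 <= 4 * (x + 1)
{
}

// A method contract: the precondition is a chaining expression, the second
// postcondition a universal quantification, and 'total' is a ghost variable
// that exists only for the proof and is erased from compiled code.
method SumUpTo(n: nat) returns (s: nat)
  requires 0 <= n < 100
  ensures s == Sum(n)
  ensures forall k :: 0 <= k <= n ==> Sum(k) <= s
{
  s := 0;
  var i := 0;
  while i < n
    invariant 0 <= i <= n
    invariant s == Sum(i)
  {
    i := i + 1;
    s := s + i;
  }
  // Each k <= n is handled by one lemma call inside a forall statement.
  forall k | 0 <= k <= n
    ensures Sum(k) <= s
  {
    SumMonotone(k, n);
  }
  ghost var total := s;
  SumClosedForm(n);
  assert 2 * total == n * (n + 1);
}
```

The file is meant to be checked by the Dafny verifier rather than executed: each lemma body is its proof, the loop invariants are what let the verifier connect the iterative code to the recursive Sum, and removing either invariant makes the first postcondition unprovable.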
Not only is the Dafny language versatile, but so are its uses. The Dafny development
tools are quick to install and are available on Windows, MacOS, and Linux. The
verifier runs automatically in the VS Code integrated development environment. Dafny
programs compile to executable code for several language platforms, including .NET,
Java, JavaScript, and Go. The toolset itself is available as open source at
github.com/dafny-lang/dafny
Even before this book, Dafny had been used in teaching for over a decade. It has also
been used in several impressive research projects (for example, at Microsoft Research,
VMware Research, ConsenSys R&D, CMU, U. Michigan, and MIT) and is currently in
industrial use (for example, at Amazon Web Services).

Online Information
Some additional information about this book is available online at
www.program-proofs.com

Acknowledgments
I have many to thank for helping make this book possible.
I extend my deep gratitude to Rajeev Joshi, Rosemary Monahan, Bryan Parno,
Cesare Tinelli, and especially Graeme Smith, who used earlier drafts of this book in
teaching their university courses. The book has greatly benefited from their feedback, and
from feedback of their students.
The detailed comments from Rajeev Joshi, Yannick Moy, Jean-Christophe Filliâtre,
Peter Müller, and Ran Ettinger were much beyond the call of duty and were really
helpful! I’ve also received good feedback from Nada Amin, Nathan Chong, David
Cok, Josh Cowper, Mikaël Mayer, Gaurav Parthasarathy, and Robin Salkeld.
I’m grateful for the encouragement of Byron Cook and Reto Kramer in the
Automated Reasoning Group where I work at Amazon Web Services.
The term “program proofs” as a rubric for the kind of science and engineering that
this book is about was suggested by Nik Swamy.
To write and typeset this book, I used the Madoko system, and I thank Daan Leijen
for creating Madoko and for helping me with customizations.
A big shout-out to Kaleb, who drew the cheerful chapter illustrations.
Lastly, thank you, Gwen, for your loving support and the countless weekends we
spent at coffee shops while I was writing.
Thank you all!
K.R.M.L.
Exploring the Variety of Random
Documents with Different Content
1.E.5. Do not copy, display, perform, distribute or redistribute
this electronic work, or any part of this electronic work, without
prominently displaying the sentence set forth in paragraph 1.E.1
with active links or immediate access to the full terms of the
Project Gutenberg™ License.

1.E.6. You may convert to and distribute this work in any binary,
compressed, marked up, nonproprietary or proprietary form,
including any word processing or hypertext form. However, if
you provide access to or distribute copies of a Project
Gutenberg™ work in a format other than “Plain Vanilla ASCII” or
other format used in the official version posted on the official
Project Gutenberg™ website (www.gutenberg.org), you must, at
no additional cost, fee or expense to the user, provide a copy, a
means of exporting a copy, or a means of obtaining a copy upon
request, of the work in its original “Plain Vanilla ASCII” or other
form. Any alternate format must include the full Project
Gutenberg™ License as specified in paragraph 1.E.1.

1.E.7. Do not charge a fee for access to, viewing, displaying,


performing, copying or distributing any Project Gutenberg™
works unless you comply with paragraph 1.E.8 or 1.E.9.

1.E.8. You may charge a reasonable fee for copies of or


providing access to or distributing Project Gutenberg™
electronic works provided that:

• You pay a royalty fee of 20% of the gross profits you derive from
the use of Project Gutenberg™ works calculated using the
method you already use to calculate your applicable taxes. The
fee is owed to the owner of the Project Gutenberg™ trademark,
but he has agreed to donate royalties under this paragraph to
the Project Gutenberg Literary Archive Foundation. Royalty
payments must be paid within 60 days following each date on
which you prepare (or are legally required to prepare) your
periodic tax returns. Royalty payments should be clearly marked
as such and sent to the Project Gutenberg Literary Archive
Foundation at the address specified in Section 4, “Information
about donations to the Project Gutenberg Literary Archive
Foundation.”

• You provide a full refund of any money paid by a user who


notifies you in writing (or by e-mail) within 30 days of receipt that
s/he does not agree to the terms of the full Project Gutenberg™
License. You must require such a user to return or destroy all
copies of the works possessed in a physical medium and
discontinue all use of and all access to other copies of Project
Gutenberg™ works.

• You provide, in accordance with paragraph 1.F.3, a full refund of


any money paid for a work or a replacement copy, if a defect in
the electronic work is discovered and reported to you within 90
days of receipt of the work.

• You comply with all other terms of this agreement for free
distribution of Project Gutenberg™ works.

1.E.9. If you wish to charge a fee or distribute a Project


Gutenberg™ electronic work or group of works on different
terms than are set forth in this agreement, you must obtain
permission in writing from the Project Gutenberg Literary
Archive Foundation, the manager of the Project Gutenberg™
trademark. Contact the Foundation as set forth in Section 3
below.

1.F.

1.F.1. Project Gutenberg volunteers and employees expend
considerable effort to identify, do copyright research on,
transcribe and proofread works not protected by U.S. copyright
law in creating the Project Gutenberg™ collection. Despite
these efforts, Project Gutenberg™ electronic works, and the
medium on which they may be stored, may contain “Defects,”
such as, but not limited to, incomplete, inaccurate or corrupt
data, transcription errors, a copyright or other intellectual
property infringement, a defective or damaged disk or other
medium, a computer virus, or computer codes that damage or
cannot be read by your equipment.

1.F.2. LIMITED WARRANTY, DISCLAIMER OF DAMAGES -
Except for the “Right of Replacement or Refund” described in
paragraph 1.F.3, the Project Gutenberg Literary Archive
Foundation, the owner of the Project Gutenberg™ trademark,
and any other party distributing a Project Gutenberg™ electronic
work under this agreement, disclaim all liability to you for
damages, costs and expenses, including legal fees. YOU
AGREE THAT YOU HAVE NO REMEDIES FOR NEGLIGENCE,
STRICT LIABILITY, BREACH OF WARRANTY OR BREACH
OF CONTRACT EXCEPT THOSE PROVIDED IN PARAGRAPH
1.F.3. YOU AGREE THAT THE FOUNDATION, THE
TRADEMARK OWNER, AND ANY DISTRIBUTOR UNDER
THIS AGREEMENT WILL NOT BE LIABLE TO YOU FOR
ACTUAL, DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE
OR INCIDENTAL DAMAGES EVEN IF YOU GIVE NOTICE OF
THE POSSIBILITY OF SUCH DAMAGE.

1.F.3. LIMITED RIGHT OF REPLACEMENT OR REFUND - If
you discover a defect in this electronic work within 90 days of
receiving it, you can receive a refund of the money (if any) you
paid for it by sending a written explanation to the person you
received the work from. If you received the work on a physical
medium, you must return the medium with your written
explanation. The person or entity that provided you with the
defective work may elect to provide a replacement copy in lieu
of a refund. If you received the work electronically, the person or
entity providing it to you may choose to give you a second
opportunity to receive the work electronically in lieu of a refund.
If the second copy is also defective, you may demand a refund
in writing without further opportunities to fix the problem.

1.F.4. Except for the limited right of replacement or refund set
forth in paragraph 1.F.3, this work is provided to you ‘AS-IS’,
WITH NO OTHER WARRANTIES OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
ANY PURPOSE.

1.F.5. Some states do not allow disclaimers of certain implied
warranties or the exclusion or limitation of certain types of
damages. If any disclaimer or limitation set forth in this
agreement violates the law of the state applicable to this
agreement, the agreement shall be interpreted to make the
maximum disclaimer or limitation permitted by the applicable
state law. The invalidity or unenforceability of any provision of
this agreement shall not void the remaining provisions.

1.F.6. INDEMNITY - You agree to indemnify and hold the
Foundation, the trademark owner, any agent or employee of the
Foundation, anyone providing copies of Project Gutenberg™
electronic works in accordance with this agreement, and any
volunteers associated with the production, promotion and
distribution of Project Gutenberg™ electronic works, harmless
from all liability, costs and expenses, including legal fees, that
arise directly or indirectly from any of the following which you do
or cause to occur: (a) distribution of this or any Project
Gutenberg™ work, (b) alteration, modification, or additions or
deletions to any Project Gutenberg™ work, and (c) any Defect
you cause.

Section 2. Information about the Mission of Project Gutenberg™

Project Gutenberg™ is synonymous with the free distribution of
electronic works in formats readable by the widest variety of
computers including obsolete, old, middle-aged and new
computers. It exists because of the efforts of hundreds of
volunteers and donations from people in all walks of life.

Volunteers and financial support to provide volunteers with the
assistance they need are critical to reaching Project
Gutenberg™’s goals and ensuring that the Project Gutenberg™
collection will remain freely available for generations to come. In
2001, the Project Gutenberg Literary Archive Foundation was
created to provide a secure and permanent future for Project
Gutenberg™ and future generations. To learn more about the
Project Gutenberg Literary Archive Foundation and how your
efforts and donations can help, see Sections 3 and 4 and the
Foundation information page at www.gutenberg.org.

Section 3. Information about the Project Gutenberg Literary Archive Foundation

The Project Gutenberg Literary Archive Foundation is a non-
profit 501(c)(3) educational corporation organized under the
laws of the state of Mississippi and granted tax exempt status by
the Internal Revenue Service. The Foundation’s EIN or federal
tax identification number is 64-6221541. Contributions to the
Project Gutenberg Literary Archive Foundation are tax
deductible to the full extent permitted by U.S. federal laws and
your state’s laws.

The Foundation’s business office is located at 809 North 1500
West, Salt Lake City, UT 84116, (801) 596-1887. Email contact
links and up to date contact information can be found at the
Foundation’s website and official page at
www.gutenberg.org/contact

Section 4. Information about Donations to the Project Gutenberg Literary Archive Foundation

Project Gutenberg™ depends upon and cannot survive without
widespread public support and donations to carry out its mission
of increasing the number of public domain and licensed works
that can be freely distributed in machine-readable form
accessible by the widest array of equipment including outdated
equipment. Many small donations ($1 to $5,000) are particularly
important to maintaining tax exempt status with the IRS.

The Foundation is committed to complying with the laws
regulating charities and charitable donations in all 50 states of
the United States. Compliance requirements are not uniform
and it takes a considerable effort, much paperwork and many
fees to meet and keep up with these requirements. We do not
solicit donations in locations where we have not received written
confirmation of compliance. To SEND DONATIONS or
determine the status of compliance for any particular state visit
www.gutenberg.org/donate.

While we cannot and do not solicit contributions from states
where we have not met the solicitation requirements, we know
of no prohibition against accepting unsolicited donations from
donors in such states who approach us with offers to donate.

International donations are gratefully accepted, but we cannot
make any statements concerning tax treatment of donations
received from outside the United States. U.S. laws alone swamp
our small staff.

Please check the Project Gutenberg web pages for current
donation methods and addresses. Donations are accepted in a
number of other ways including checks, online payments and
credit card donations. To donate, please visit:
www.gutenberg.org/donate.

Section 5. General Information About Project Gutenberg™ electronic works

Professor Michael S. Hart was the originator of the Project
Gutenberg™ concept of a library of electronic works that could
be freely shared with anyone. For forty years, he produced and
distributed Project Gutenberg™ eBooks with only a loose
network of volunteer support.

Project Gutenberg™ eBooks are often created from several
printed editions, all of which are confirmed as not protected by
copyright in the U.S. unless a copyright notice is included. Thus,
we do not necessarily keep eBooks in compliance with any
particular paper edition.

Most people start at our website which has the main PG search
facility: www.gutenberg.org.

This website includes information about Project Gutenberg™,
including how to make donations to the Project Gutenberg
Literary Archive Foundation, how to help produce our new
eBooks, and how to subscribe to our email newsletter to hear
about new eBooks.