Thoughts on a Dafny standard library? #1236
Comments
parno
added
the
kind: enhancement
|
In order to make a standard library useful, we would need to import an external dependencies in Dafny. Does anybody already do this? If it's one self-contained library adding it as a submodule and importing it would work, but should we think about how to manage a tree of dependencies, so that the standard library can itself be broken down into smaller units? With only path-based imports I think this is tricky so I'm sort of asking for a language feature here. |
|
Seq/arrays of integers: https://github.com/secure-foundations/veri-titan/blob/master/dfy_model/SeqInt.dfy |
|
Hi @parno! Sorry for the delayed response - this is very exciting and well-timed. I was just bemoaning the fact that every Dafny codebase I've ever encountered has copied around what is hopefully the same version of I agree that sharing code could become easier with additional language features, but I don't think we should let that slow down the process of collating standard library code. I'd want to make it clear to consumers that the I think IO will be one of the toughest cases to do well since it depends heavily on external code. I'd prefer to tackle that once we have a better solution for a sound and scalable FFI (see https://github.com/dafny-lang/dafny/labels/foreign-function-interface), which I intend to work on personally in the near future. In any case, please do feel free to open PRs against that repo and we can figure out the details along the way! I know of some pieces lying around we may be able to contribute as well. |
|
@robin-aws Thanks! I agree that we should move ahead with library development in parallel with thinking about how to support library discovery/inclusion at the tool level. You're also right that IO will be tedious to support with all of the different back-end languages, so I'm happy to wait on improvements to the FFI. At present, we're thinking of starting with collection lemmas (e.g., for sequences, sets, maps), then non-linear arithmetic, and then conversions between different integer widths and sequences thereof. |
|
That sounds great to me. Personally I'm dying to extract some of the functional programming staples like |
keyboardDrummer
added
part: runtime
|
I'm copying below my comments from a discussion we had about Dafny library inclusion (with some additional context added at the beginning) to do better than lots of One potential approach (called "C-style" below) is to keep things relative to the specific file being verified/compiled, or any potential include paths passed to the specific invocation (e.g., Another approach (called "Rust-style" below) is to have each library/package/project (or "crate" in Rust parlance) have a designated root, and things are referred to from this root. Thus, rather than referring to inter-project files at a file-granularity, it becomes project-granularity. Personally, I really like Rust's approach. The considerations for Dafny may be different from those for Rust, but I feel they are aligned closely enough. At a high level, I don't see any good reason for a modern system to use the C-style approach, other than it being more convenient to implement for the compiler. The cost is inconvenience to the users of the language, and in fact will just lead to repetitive re-implementation of all that include logic repeatedly in each library/crate/package and its respective build system (or lead to giant mono-repos, or copying code across repos). Given that we ourselves will be the users of the compiler, we're gonna have to face the inconvenience at some point or another- why not amortize it away? Both C-style and Rust-style are effectively path-based, but C puts the burden on the user to maintain, while Rust has the compiler figure things out. Rust does have intra-file modules, but if we discount those, then all modules are path-based. The difference, to make things easier for users, is that Rust modules are (by default) referred to from the root of the crate, and allow for clean re-exports via If we're talking about external imports, then too both are path based. C just has you declare stuff in the command line (via At a high-level, the big difference between C-style and Rust-style imports can be boiled down to what is considered a "unit". Within C, there is no notion of a "crate"/"package", and instead the compilation unit is simply a file. For Rust instead, the compilation unit is the entire crate. The include within C thus is largely a declaration of "these are the types outside the current unit". One could simply instead just have those declarations/prototypes manually included in the compilation unit, and indeed this is exactly how the pre-processor works. There is no "real" notion of includes in C, it is merely a facade. Since these includes are not "real", they (almost necessarily) have to only refer to files, and the most convenient way to refer to a file is via a file path. The idea of using Rust, in contrast, has compilation unit as the whole crate. This doesn't mean that it needs to recompile the whole crate from scratch on any change (and in fact, recompilations are triggered file-based). However, it does mean that everything within the crate is visible (to the compiler, not to be confused with visibility to the programmer- controlled via |
|
I agree we should optimise for the Dafny programmer over the Dafny compiler developer. I'm curious whether we can introduce a Dafny project configuration file, like Rust's |
|
@keyboardDrummer Yeah, that could be quite neat. Btw, I guess reading the details in the proposal would answer most of the questions I have about this Oh, and I'm sure you've thought about this, but just to make sure it isn't missed: one thing to keep in mind is how files with differing Dafny arguments are handled. For example, some projects have non-linear arithmetic disabled throughout the project except for one file within it. Non-verification situations don't usually have this thing to worry about, but in Dafny, we do need to have proper handling for this. |
|
We also want to ensure we preserve the ability to verify files in a Dafny project in parallel. That said, I like the idea of removing include directives. |
How do you currently handle this? Do you call Dafny multiple times with options specific to each set of files you call it on?
I think we should make the verification run more parallel by default. I'm also hoping to prevent verifying components that were previously verified and who's inputs haven't changed. @parno if we improve Dafny's support for consuming libraries, do you have particular dates by which that would be useful? Right now being one option. |
Yes, that's what we do at least. (Just to clarify, I'm not in Bryan Parno's group. I only have one Dafny project and it probably does weird things.) The Makefile calls Dafny once per file, producing an empty |
We should allow for method level parallelism. |
Yes, we've used various build tools (make, scons, home grown) to run Dafny on our files in parallel, to cache verification results (so we don't rerun Dafny on files where neither the file nor its dependencies have changed), and to allow per-file option customization. All three features have been pretty critical to scaling to large multi-developer projects. Most of this feels more natural to handle via a build tool than through Dafny itself, however.
|
|
@keyboardDrummer In terms of timing, we're almost ready (1-2 days?) to push out initial versions of standard libraries for sets, sequences, maps, imaps, higher-order functions, and non-linear arithmetic. Once that PR is set up, it would be great to (a) figure out how to get the standard libraries included in Dafny's CI, and (b) make it easy to include these libraries in Dafny development. The students who have been working on the libraries have been quite productive, so they could potentially help with (b) if needed. |
|
I agree we should do (a). I think one way would be to add a script I'm also wondering whether it would be better to have the standard library be in the same repository as Dafny, that's what I've seen for some other languages, but I'm not sure and there's no rush in making this change. For (b), help would be great. I happen to be writing a small proposal related to that. I'll try to share that soon. |
|
Hello everyone! For the past couple of months, we have been working on creating the standard library for Dafny. We would love to hear your feedback. The link can be found here . |
@keyboardDrummer Just checking in to see if you've been able to make progress on this. Our visiting student only has a few weeks left at this point. Please let us know if we can help in some way. |
|
The Dafny language proper only understands modules and imports. Thus, in the words of @jaybosamiya , the |
|
Hi everyone! Thanks for all of your valuable feedback on the |
@keyboardDrummer Hi we would like to follow up on including the library in the dafny CI so that new versions of Dafny won't break this. Is there some way we can help? Thanks! |
|
@yizhou7 I think by far the simplest solution would just be to add the library as a submodule of Feel free to open a PR! :) |
This summer, two undergraduates will be joining my lab for an REU program; the first one starts next week. My current plan is to have them work with me and some of my students to build up a full fledged standard library for Dafny. My hope is that this will make it easier for others to pick up and use Dafny for large-scale projects, and to reduce the amount of code duplication across such projects.
It would be great to include the library in Dafny's main CI, so that it doesn't bit rot as Dafny evolves. It looks like there's already a potential home for the library here: https://github.com/dafny-lang/libraries. Is that a reasonable place to make our contributions?
I'd be interested to hear the Dafny community's thoughts on the library's design and what should be included. I've listed some preliminary ideas below, but more ideas and pointers would be very welcome.
Style Guides
Existing Libraries
Possible Libraries
The text was updated successfully, but these errors were encountered: