A collection of tools for interacting with Boogie and related languages.
Emacs package (
boogie-friends package is an experimental collection of Emacs modes for
writing verified programs in z3 and languages of the Boogie family (including Dafny).
Notable features are listed below:
- Syntax highlighting
- Real-time verification (using
In addition, the Dafny and Boogie modes offer:
- Completion (using
- Code folding (using
- Prettification (using
And the Dafny mode additionally also has:
- (A few) Snippets (using
- (Some) In-Emacs documentation
- (Experimental) Navigation between Dafny and Boogie source files
- (Some support for) jumping to a definition
- (Experimental) support for using Dafny as a verification server. This means that Emacs spawns a server process, and uses Dafny's caching facilities to (massively) improve reactivity.
A Dafny buffer
Notice the error highlighting, the symbol beautification (
forall appears as
∀), and the code folding on the last line!
A Z3 buffer
A Boogie buffer
Completion and snippets
Documentation (Dafny only)
Browsing the Boogie translation of a Dafny file
Setup MELPA by adding the following lines to your .emacs if you don't have them already (here's more information if you have trouble with this step):
(require 'package) ;; You might already have this line (add-to-list 'package-archives '("melpa" . "http://melpa.org/packages/") t) (package-initialize) ;; You might already have this line
Install the package:
M-x package-refresh-contents RET, then
M-x package-install RET boogie-friends RET
Indicate the paths to your Dafny and Boogie installations:
(setq flycheck-dafny-executable "PATH-TO-Dafny.exe") (setq flycheck-boogie-executable "PATH-TO-BOOGIE") (setq flycheck-z3-smt2-executable "PATH-TO-Z3") (setq flycheck-inferior-dafny-executable "PATH-TO-DafnyServer.exe") ;; Optional (setq boogie-friends-profile-analyzer-executable "PATH-TO-Z3-AXIOM-PROFILER") ;; Optional
On GNU/Linux or MacOS, use the path to the
dafny-serverwrapper scripts for the first two.
- C-c C-c re-verifies the current file. With a prefix argument (C-u C-c C-c), extra arguments are sent to the verifier (by default
- S-TAB manually cycles through reasonable indentation levels.
Dafny and Boogie
- C-c C-t gets a verification trace for the current file, and parses the resulting timings.
- C-c C-p prompts for a method name, generates a tracing profile of that method, and launches the profile analyzer (
boogie-friends-profile-analyzer-executable) on the resulting trace.
C-c C-? opens the Dafny docs.
<C-down-mouse-1> looks for the definition of the function under point in open buffers.
C-c C-a translates the current file to Boogie and shows the translated file.
C-c C-j or C-S-down-mouse-1 (aka Ctrl-Shift-Click) jumps to the Boogie line matching the current Dafny line.
After inserting a snippet, TAB moves to the next snippet field, and C-d removes the current field entirely.
During completion, C-h shows documentation for the current snippet, if available.
- Completion, indentation, snippets, syntax coloring, and real-time verification should work out of the box.
- Verification happens as you type, and its status is shows in the mode line (
FlyC:a/b: done with
Real-time error highlighting
Real-time error highlighting is enabled by default for all languages. You can disable it:
For just one language (say Dafny) by adding
(setq flycheck-disabled-checkers '(dafny))to your
Entirely by adding the following to your
```elisp (defun no-flycheck-in-dafny-mode () (flycheck-mode -1)) (add-hook 'dafny-mode-hook #'no-flycheck-in-dafny-mode)
If you see blocks instead of proper characters, or tall characters, or ugly characters:
Install a good font and restart Emacs (Arial Unicode, Cambria, Segoe UI Symbol, DejaVu Sans Mono, FreeMono, STIX, Unifont and Symbola should all work).
If that doesn't fix it, setup font fallback by adding the following to your
"Symbola"by the name of your font):
(set-fontset-font t 'unicode (font-spec :name "Symbola") nil 'append)
If that still doesn't work, turn of prettification entirely by adding the following to your
(defun no-prettification-in-dafny-mode () (prettify-symbols-mode -1)) (add-hook 'dafny-mode-hook #'no-prettification-in-dafny-mode)
If you don't like the way one particular symbol is rendered, you can adjust the font for just that one:
(set-fontset-font t (cons ?≔ ?≔) "FreeSerif" nil 'prepend)
Using the Dafny server
Add the following piece of code to your
.emacs and restart to try out the Dafny server. Make sure you also set
(setq dafny-verification-backend 'server)
If you run into issues,
C-c ! v (
flycheck-verify-setup) should have debugging info.
A typical profiling workflow proceeds as follows:
- Open a file for which verification is slow, or times out.
- Use C-c C-t to generate a trace (the default timeout is set to 30s; you can customize it by changing
- Use C-c C-p to profile a function. The slowest method (as determined by the trace) is presented first.
- Marvel at the intricacies of the axiom profiler.
Note: The axiom profiler works best if it has a Boogie source file to look at; thus, when profiling a Dafny source file,
boogie-friends transparently saves it as a translated Boogie file first, and then runs Boogie (with profiling enabled) on it. Thus the profiler is Boogie in all cases, and custom prover arguments need to be set for Boogie if they are to be taken into account for profiling (for tracing and translation, however, Dafny's settings apply).
Custom prover configurations
boogie-friends calls a prover, it collects arguments from four sources:
LANGUAGE-prover-args, the list of arguments passed to the prover in the default configuration (i.e.
boogie-prover-args). This has pretty good defaults, and probably shouldn't be changed.
LANGUAGE-prover-custom-args, a list of extra flags. This is empty by default, and is a good place to add your own flags.
LANGUAGE-prover-local-args, another list of extra flags. This is empty by default, and is a good place to add per-file or per-directory flags (see below).
LANGUAGE-prover-alternate-args, a list of flags added to the prover invocation when running
verify/compilewith a prefix argument (C-u C-c C-c). This is a good place to add flags that you do not always need; for example
"/compile:3"(this is the default).
An example configuration might thus look like this:
;; Don't allow assumptions (setq dafny-prover-custom-args '("/noCheating:1")) ;; Get more debug output when verifying with C-u C-c C-c (setq dafny-prover-alternate-args '("/proverWarnings:2" "/traceverify" "/z3opt:TRACE=true" "/trace" "/traceTimes" "/tracePOs"))
LANGUAGE-prover-local-args is useful if a file requires specific flags (maybe
/vcsMaxKeepGoingSplits, for example): in that case you can set the
LANGUAGE-prover-local-args in just that file or in the corresponding directory.
For example, you can add the following to the top of a file:
// -*- dafny-prover-local-args: ("/vcsMaxKeepGoingSplits:5" "/proverMemoryLimit:250") -*-
- If you're having issues with the Dafny server, try using the simpler CLI-based backend by adding the following to your
.emacsand restarting (if you run into such issues, though, we'd love to hear about them):
(setq dafny-verification-backend 'cli)
(note that you can also disable on-the-fly verification by replacing
- If the verification seems to be taking forever,
M-x inferior-dafny-resetmay help.
The documentation that ships with this package is auto-generated from the Dafny Quick Reference.
Pull requests are welcome!
Clone the repo:
mkdir -p ~/.emacs.d/lisp/ && cd ~/.emacs.d/lisp/ git clone https://github.com/boogie-org/boogie-friends
Then in your .emacs (in addition to the stuff above):
(add-to-list 'load-path "~/.emacs.d/lisp/boogie-friends/emacs/") (require 'dafny-mode) (require 'boogie-mode)