Compiler correctness is crucial to the software engineering of safety critical software. It depends on both the correctness of the compiling specification and the correctness of the compiler implementation. We will discuss compiler correctness for practically relevant source languages and target machines in order to find an adequate correctness notion for the compiling specification, i.e. for the mapping from source to target programs with respect to their standard semantics, which allows for proving both specification and implementation correctness. We will sketch our approach of proving the correctness of the compiler implementation as a binary machine program, using a special technique of bootstrapping and double checking the results. We will discuss mechanical proof support for both compiling verification and compiler implementation verification in order to make them feasible parts of the software engineering of correct compilers. Verifix is a joint project on Correct Compilers fun...

Abstract. Much of the work on verifying software has been done on simple, often artificial, languages or subsets of existing languages to avoid difficult details. In trying to verify a secure application written in C, we have encountered and overcome some semantically complicated uses of the language. We present inference rules for assignment statements with pre- and postevaluation side effects and while loops with arbitrary pre-evaluation side effects in the test expression. We also discuss the need to abstract the semantics of program functions and present an inference rule for abstraction.

This paper generalizes an algebraic method for the design of a correct compiler to tackle specification and verification of an optimized compiler. The main optimization issues of concern here include the use of existing contents of registers where possible and the identification of common expressions. A register table is introduced in the compiling specification predicates to map each register to an expression whose value is held by it. We define different kinds of predicates to specify compilation of programs, expressions and Boolean tests. A set of theorems relating to these predicates, acting as a correct compiling specification, are presented and an example proof within the refinement algebra of the programming language is given. Based on these theorems, a prototype compiler in Prolog is produced.

We formally verify that a particular web server written in C is secure, that is, a remote user cannot get files he shouldn't or change the server's files. Although the code was thoroughly reviewed and tested, the verification located some heretofore unknown behavioral weaknesses. To verify this code, we invented new inference rules for reasoning about expressions with side effects, which occur often in C. We also formalized aspects of Unix file systems and processes, operating system and library calls, parts of the C language, and security properties. We propose an architecture for a software verification system which could be widely useful, and argue that our proof demonstrates that real world software written in real world languages can be verified.

. This paper presents a technique for specifying and reasoning about the operational semantics of distributed programming languages. We formalize the concept of "vertical stacking" of distributed systems, an extension of Joyce's, Windley's and Curzon's stacking methodologies for sequential systems and of the CLI "short stack" which stacks interpreters for object code, assembly code, and a high-level sequential language. We use a state transition model to account for the issues of atomicity, concurrency and nondeterminism at all levels in our stack. A correctness definition is given, which for each pair of adjacent language semantics and mappings between them, produces proof obligations corresponding to the correctness of the language implementation. We present an application of the method to a two-level stack: the microSR distributed programming language and a multi-processor instruction set, which is the target language for a compiler for microSR. We also present the development of a ...

. In this paper we show that the critical part of a correctness proof for implementations of higher--order functional languages is amenable to machine--assisted proof. An extended version of the lambdacalculus is considered, and the congruence between its direct and continuation semantics is proved. The proof has been constructed with the help of a generic theorem prover --- Isabelle. The major part of the problem lies in establishing the existence of predicates which describe the congruence. This has been solved using Milne's inclusive predicate strategy [5]. The most important intermediate results and the main theorem as derived by Isabelle are quoted in the paper. Keywords: Compiler Correctness, Theorem Prover, Congruence Proof, Denotational Semantics, Lambda Calculus 1 Introduction Much of the work done previously in compiler correctness concerns restricted subsets of imperative languages. Some studies involve machine--checked correctness---e.g. Cohn [1], [2]. A lot of research h...

This paper describes an investigation into the proof facilities within the BToolkit based on a study of the specification and refinement of low level code in the control systems domain. We describe the problems we encountered and some means by which these problems can be tackled within the existing framework. We conclude with some more general guidelines by which the proof facilities could be enhanced to improve the effectiveness of the provers for industrial scale verification of formal developments. 1 Introduction Formal development has been advocated for use in industrial control systems design, especially for safety-critical applications. Formal proof is an important source of confidence in such developments. However, it is perceived as an expensive and highly specialised task. If the full benefit of the formal approach is to be attained, the development of viable methods to aid the production of proofs is essential. In a reference to programming, Kowalski[13] coined a fam...

Theorem-proving and symbolic trajectory evaluation are both described as methods for the formal verification of hardware. They are both used to achieve a common goal---correctly designed hardware---and both are intended to be an alternative to conventional methods based on non-exhaustive simulation. However, they have different strengths and weaknesses. The main significance of this paper is the description of a two-level approach to formal hardware verification, where the HOL theorem prover is combined with the Voss verification system. From symbolic trajectory evaluation we inherit a high degree of automation and accurate models of circuit behavior and timing. From interactive theorem-proving we gain access to powerful mathematical tools such as induction and abstraction. The interface between the HOL and Voss is, however, more than just an ad hoc translation of verification results obtained by one tool into input for the other tool. We have developed a "mathematical" inte...

This book presents some results of research into techniques to aid the formal verification of mixed hardware/software systems.

Our work on the verification of real hardware designs using HOL has resulted in very large proof scripts. Consequently, problems were encountered that are not an issue in smaller verification efforts. In particular, we have found that the maintainability of proofs is of paramount importance. There are many reasons why proof scripts in LCF style theorem provers may be reused. This can be in order to maintain and understand old proofs as well as to speed the creation of new ones. Consequently, proofs should be written in styles that ease their maintainability and make them easier to reuse. Furthermore, proof tools and interfaces should be designed with proof reuse as well as proof creation in mind. Many of the problems could be prevented from occurring in the first place with suitable support. 1 Introduction The recent Fairisle switching fabric verification project [3] entailed using HOL [5] to verify real hardware designs. The resulting proofs consist of several hundred theories, the s...