We describe a translation validation infrastructure for the GNU C compiler. During the compilation the infrastructure compares the intermediate form of the program before and after each compiler pass and verifies the preservation of semantics. We discuss a general framework that the optimizer can use to communicate to the validator what transformations were performed. Our implementation however does not rely on help from the optimizer and it is quite successful by using instead a few heuristics to detect the transformations that take place. The main message of this paper is that a practical translation validation infrastructure, able to check the correctness of many of the transformations performed by a realistic compiler, can be implemented with about the effort typically required to implement one compiler pass. We demonstrate this in the context of the GNU C compiler for a number of its optimizations while compiling realistic programs such as the compiler itself or the Linux kernel. W...

A flow analysis collects data-flow and control-flow information about programs. A compiler can use this information to enable optimizations. The analysis described in this article unifies and extends previous work on flow analyses for higher-order languages supporting assignment and control operators. The analysis is abstract interpretation based and is parameterized over two polyvariance operators and a projection operator. These operators are used to regulate the speed and accuracy of the analysis. An implementation of the analysis is incorporated into and used in a production Scheme compiler. The analysis can process any legal Scheme program without modification. Others have demonstrated that a 0CFA analysis can enable optimizations, but a 0CFA analysis is O(n3). An O(n) instantiation of our analysis successfully enables the optimization of closure representations and procedure calls. Experiments with the cheaper instantiation show that it is as effective as 0CFA for these optimizations.

VLISP has produced a rigorously verified compiler from Scheme to byte codes, and a verified interpreter for the resulting byte codes. The official denotational semantics for Scheme provides the main criterion of correctness. The Wand-Clinger technique was used to prove correctness of the main compiler step. Then a state machine operational semantics is proved to be faithful to the denotational semantics. The remainder of the implementation is verified by a succession of state machine refinement proofs. These include proofs that garbage collection is a sound implementation strategy,

We develop formal methods for reasoning about memory usage at a level of abstraction suitable for establishing or refuting claims about the potential applications of linear logic for static analysis. In particular, we demonstrate a precise relationship between type correctness for a language based on linear logic and the correctness of a reference-counting interpretation of the primitives that the language draws from the rules for the `of course' operation. Our semantics is `low-level' enough to express sharing and copying while still being `highlevel ' enough to abstract away from details of memory layout. This enables the formulation and proof of a result describing the possible run-time reference counts of values of linear type. Contents 1 Introduction 1 2 Operational Semantics with Memory 4 3 A Programming Language Based on Linear Logic 9 4 Semantics 14 5 Properties of the Semantics 24 6 Linear Logic and Memory 27 7 Discussion 32 A Proofs of the Main Theorems 36 Acknowledgements...

We prove an occurrence property about formal parameters of continuations in Continuation-Passing Style (CPS) terms that have been automatically produced by CPS transformation of pure, call-byvalue -terms. Essentially, parameters of continuations obey a stack-like discipline. This property was introduced, but not formally proven, in an earlier work on the Direct-Style transformation (the inverse of the CPS transformation). The proof has been implemented in Elf, a constraint logic programming language based on the logical framework LF. In fact, it was the implementation that inspired the proof. Thus this note also presents a case study of machineassisted proof discovery. All the programs are available in ( ftp.daimi.aau.dk:pub/danvy/Programs/danvy-pfenning-Elf93.tar.gz ftp.cs.cmu.edu:user/fp/papers/cpsocc95.tar.gz Most of the research reported here was carried out while the first author visited Carnegie Mellon University in the Spring of 1993. Current address: Olivier Danvy, Ny Munkeg...

. This paper describes a verified compiler for PreScheme, the implementation language for the vlisp run-time system. The compiler and proof were divided into three parts: A transformational front end that translates source text into a core language, a syntax-directed compiler that translates the core language into a combinator-based tree-manipulation language, and a linearizer that translates combinator code into code for an abstract stored-program machine with linear memory for both data and code. This factorization enabled different proof techniques to be used for the different phases of the compiler, and also allowed the generation of good code. Finally, the whole process was made possible by carefully defining the semantics of vlisp PreScheme rather than just adopting Scheme's. We believe that the architecture of the compiler and its correctness proof can easily be applied to compilers for languages other than PreScheme. Table of Contents 1 Introduction : : : : : : : : : : : : : :...

. We compare the expressive power of exceptions and continuations when added to a language with local state in the setting of operational semantics. Continuations are shown to be more expressive than exceptions because they can cause a function call to return more than once, whereas exceptions only allow discarding part of the calling context. 1 Introduction Exceptions are part of nearly all modern programming languages, including mainstream ones like Java and C++. Continuations are present only in Scheme and the New Jersey dialect of ML, yet are much more intensely studied by theoreticians and logicians. The relationship between exceptions and continuations is not as widely understood as one would hope, partly because continuations, though in some sense canonical, are more powerful than would at rst appear, and because the control aspect of exceptions can be obscured by intricacies of typing and syntax. We have recently shown that exceptions and continuations, when added to a purely...

. The vlisp project has produced a rigorously verified compiler from Scheme to byte codes, and a verified interpreter for the resulting byte codes. The official denotational semantics for Scheme provides the main criterion of correctness. The Wand-Clinger technique was used to prove correctness of the primary compiler step. Then a state machine operational semantics is proved to be faithful to the denotational semantics. The remainder of the implementation is verified by a succession of state machine refinement proofs. These include proofs that garbage collection is a sound implementation strategy, and that a particular garbage collection algorithm is correct. Keywords: Scheme, verified, compiler, interpreter, denotational semantics, operational semantics, refinement, garbage collection Table of Contents 1 Introduction : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : 2 1.1 Structure of the VLISP Implementation : : : : : : : : : : : : : : : : : : : : 3 1....

The Veri ed Programming Language Implementation Project developed a formally veri ed implementation of the Scheme programming language. It used a systems programming dialect of Scheme, called vlisp PreScheme, to program the vlisp Virtual Machine, a byte-code interpreter. The original compiler only accepted programs that specify iterative processes. This document describes a revision of the language and its compiler. The most important change is the compiler provides a stack to save control information for procedure calls so programs that specify recursive processes are accepted. The revision expands the systems programming tasks for which vlisp PreScheme can be used and simpli es the task of matching an algorithm with its code. Acknowledgements Leonard Monk and Vipin Swarup made important suggestions on justifying transformation rules. Jonathan Rees provided many helpful comments on an early draft of this paper. Joshua Guttman commented on the nal version. iv Contents 1

. This paper extends previous work in compiler derivation and verification to languages with true-concurrency semantics. We extend the -calculus to model process-centered concurrent computation, and give the semantics of a small language in terms of this calculus. We then define a target abstract machine whose states have denotations in the same calculus. We prove the correctness of a compiler for our language: the denotation of the compiled code is shown to be strongly bisimilar to the denotation of the source program, and the abstract machine running the compiled code is shown to be branching-bisimilar to the source program's denotation. 1 Introduction Our original goal was to verify a compiler for Linda [8], using that language as a representative of modern concurrent language design. Upon searching the literature, we found a vast amount of work on models of concurrency, but little that was obviously applicable to compiler derivation and verification. Accordingly we decided to tac...