Abstract — Realistic formal specifications of machine languages for commercial processors consist of thousands of lines of definitions. Current methods support trustworthy proofs of the correctness of programs for one such specification. However, these methods provide little or no support for reusing proofs of the same algorithm implemented in different machine languages. We describe an approach, based on proof-producing decompilation, which both makes machine-code verification tractable and supports proof reuse between different languages. We briefly present examples based on detailed models of machine code for ARM, PowerPC and x86. The theories and tools have been implemented in the HOL4 system. I.

Abstract. Few programming languages have a mathematically rigorous definition or metatheory—in part because they are perceived as too large and complex to work with. This paper demonstrates the feasibility of such undertakings: we formalize a substantial portion of the semantics of Objective Caml’s core language (which had not previously been given a formal semantics), and we develop a mechanized type soundness proof in HOL. We also develop an executable version of the operational semantics, verify that it coincides with our semantic definition, and use it to test conformance between the semantics and the OCaml implementation. We intend our semantics to be a suitable substrate for the verification of OCaml programs. 1 Mechanizing Metatheory Researchers in programming languages and program verification routinely develop their ideas in the context of core calculi and idealized models. The advantage of the core calculus approach comes from the efficacy of pencil-and-paper mathematics, both for specification and proof; however, these techniques do not scale well. Usable programming

This work develops an integrated approach to the verification of behaviourally rich programs, founded directly on operational semantics. The power of the approach is demonstrated with a stateof-the-art verification of a core piece of distributed infrastructure, involving networking, a filesystem, and concurrent OCaml code. The formalization is in higher-order logic and proof support is provided by the HOL4 theorem prover. Difficult verification problems demand a wide range of techniques. Here these include ground and symbolic evaluation, local reasoning, separation, invariants, Hoare-style assertional reasoning, rely/guarantee, inductive reasoning about protocol correctness, multiple refinement, and linearizability. While each of these techniques is useful in isolation, they are even more so in combination. The first contribution of this paper is to present the operational approach and describe how existing techniques, including all those mentioned above, may be cleanly and precisely integrated in this setting. The second contribution is to show how to combine verifications of individual library functions with arbitrary and unknown user code in a compositional manner, focusing on the problems of private state and encapsulation. The third contribution is the example verification itself. The infrastructure must behave correctly under arbitrary patterns of host and network failure, whilst for performance reasons the code also includes data races on shared state. Both features make the verification particularly challenging.

Abstract. We analyze three proof strategies commonly used in deductive verification of deterministic sequential programs formalized with operational semantics. The strategies are: (i) stepwise invariants, (ii) clock functions, and (iii) inductive assertions. We show how to formalize the strategies in the logic of the ACL2 theorem prover. Based on our formalization, we prove that each strategy is both sound and complete. The completeness result implies that given any proof of correctness of a sequential program one can derive a proof in each of the above strategies. The soundness and completeness theorems have been mechanically checked with ACL2.

To the few people who believed I could do it even when I myself didn’t Acknowledgments This dissertation has been shaped by many people, including my teachers, collabo-rators, friends, and family. I would like to take this opportunity to acknowledge the influence they have had in my development as a person and as a scientist. First and foremost, I wish to thank my advisor J Strother Moore. J is an amazing advisor, a marvellous collaborator, an insightful researcher, an empathetic teacher, and a truly great human being. He gave me just the right balance of freedom, encouragement, and direction to guide the course of this research. My stimulating discussions with him made the act of research an experience of pure enjoyment, and helped pull me out of many low ebbs. At one point I used to believe that whenever I was stuck with a problem one meeting with J would get me back on track. Furthermore, my times together with J and Jo during Thanksgivings and other occasions always made me feel part of his family. There was no problem, technical or otherwise, that I could not discuss with J, and there was no time when

Abstract. We wrote an ACL2 to VHDL translator for our verification purpose. One major problem of translation between programming languages and the ACL2 language is the semantic gap caused by the translation; it is not easy to translate one language to another while precisely preserving its semantics. Our approach is to write a translator for a small subset of the ACL2 language for which there is no loss of semantic correctness. This seemingly restricted translator turned out to be a promising approach for combining ACL2 and VHDL testing/verification tools. This paper discusses the details of the translator and the bit-vector libraries used in the translatable ACL2 functions. 1

2.1 Formal verification........................ 3 2.2 Our choice of logic........................ 4

In this paper we explain how to formalize an “operational” or “state-transition” semantics of a von Neumann programming language in a functional programming language. By adopting an “interpretive” style, one can execute the model in the functional language to “run” programs in the von Neumann language. Given the ability to reason about the functional language, one can use the model to reason about programs in the von Neumann language. In theory at least, such a formal semantics thus has a dual use: as a simulation engine and as an axiomatic basis for code proofs. The beauty of this approach is that no more logical machinery is needed than to support execution and proof in a functional language: no new program logics and no new meta-logical tools like “verification condition generators” are needed. In this paper we will illustrate the techniques by formalizing a simple programming language called “M1,” for “Machine (or Model) 1.” It is loosely based on the Java Virtual Machine but has been simplified for pedagogical purposes. We will demonstrate the executability of M1 models. We will develop several styles of code proofs, including direct (symbolic simulation) proofs based on Boyer-Moore “clock functions” and Floyd-Hoare inductive assertion proofs. We construct proofs only for the the simplest of programs, namely an iterative factorial example. But to illustrate a more realistic use of the model, we discuss the correctness proof for an M1 implementation of the Boyer-Moore fast string searching algorithm. We also define a compiler for a higher level language called “J1” and show how to do proofs about J1 code without benefit of a formal semantics for that code. Throughout we use the ACL2 logic and theorem proving system.

As computers are deployed in increasingly diverse, numerous, and critical roles, the need for confidence in their hardware and software becomes more acute. Often, however, computer technologies, such as programming languages, lack a sufficiently formal definition to allow rigorous mathematical analysis of their properties. Even in cases where a formal definition is available, the theorems to be proven and the definition itself tend to have many cases and many details that are easily overlooked when writing a proof by hand. This has created interest in the mechanization of the proof process through the use of automated proof assistants. In this report, we develop a formal definition for a programming language called IntegerPython, which is a subset of the Python language that supports integers, booleans, global variables, loops, modules, and nested functions. The definition takes the form of an operational semantics on a CEKS machine, which we embed in the Isabelle/HOL mechanized logic. We then prove an invariant of the CEKS machine in Isabelle/HOL. The report concludes with strategies for the efficient, executable implementation of the IntegerPython semantics and its extension into a semantics of