Results 11  20
of
187
Automatic Verification of Safety and Liveness for XScaleLike Processor Models Using WEBRefinements
 In Design Automation and Test in Europe, DATE’04
, 2003
"... We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation ..."
Abstract

Cited by 21 (10 self)
 Add to MetaCart
We show how to automatically verify that a complex XScalelike pipelined machine model is a WEBrefinement of an instruction set architecture model, which implies that the machines satisfy the same safety and liveness properties. Automation is achieved by reducing the WEBrefinement proof obligation to a formula in the logic of Counter arithmetic with Lambda expressions and Uninterpreted functions (CLU). We use UCLID to transform the resulting CLU formula into a CNF formula, which is then checked with a SAT solver. We define several XScalelike models with out of order completion, including models with precise exceptions, branch prediction, and interrupts. We use two types of refinement maps. In one, flushing is used to map pipelined machine states to instruction set architecture states; in the other, we use the commitment approach, which is the dual of flushing, since partially completed instructions are invalidated. We present experimental results for all the machines modeled, including verification times. For our application, we found that the SAT solver Siege provides superior performance over Chaff and that the amount of time spent proving liveness when using the commitment approach is less than 1% of the overall verification time, whereas when flushing is employed, the liveness proof accounts for about 10% of the verification time.
A Grand Challenge Proposal for Formal Methods: A Verified Stack
"... We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of ..."
Abstract

Cited by 20 (1 self)
 Add to MetaCart
We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of their choice. The point is not to have just one integrated formal method or just one verified application, but to encourage groups to develop the techniques and methodologies necessary for systemlevel verification.
Executable JVM Model for Analytical Reasoning: A Study
, 2003
"... To study the properties of the Java Virtual Machine(JVM) and Java programs, our research group has produced a series of JVM models written in a functional subset of Common Lisp. In this paper, we present our most complete JVM model from this series, namely, M6, which is derived from a careful study ..."
Abstract

Cited by 20 (5 self)
 Add to MetaCart
To study the properties of the Java Virtual Machine(JVM) and Java programs, our research group has produced a series of JVM models written in a functional subset of Common Lisp. In this paper, we present our most complete JVM model from this series, namely, M6, which is derived from a careful study of the J2ME KVM[16] implementation. On the one hand, our JVM model is a conventional machine emulator. M6 models accurately almost all aspects of the KVM implementation, including the dynamic class loading, class initialization and synchronization via monitors. It executes most J2ME Java programs that do not use any I/O or floating point operations. Engineers may consider M6 an implementation of the JVM. It is implemented with around 10K lines in 20+ modules. On the other hand, M6 is a novel model that allows for analytical reasoning besides conventional testing. M6 is written in an applicative (sideeffect free) subset of Common Lisp, for which we have given precise meaning in terms of axioms and inference rules. A property of M6 can be expressed as a formula. Rules of interference can be used analytically to derive properties of M6 and the Java programs that run on the model, using a mechanical theorem prover. We argue
NonStandard Analysis in ACL2
, 2001
"... ACL2 refers to a mathematical logic based on applicative Common Lisp, as well as to an automated theorem prover for this logic. The numeric system of ACL2 reflects that of Common Lisp, including the rational and complexrational numbers and excluding the real and complex irrationals. In conjunction ..."
Abstract

Cited by 18 (7 self)
 Add to MetaCart
ACL2 refers to a mathematical logic based on applicative Common Lisp, as well as to an automated theorem prover for this logic. The numeric system of ACL2 reflects that of Common Lisp, including the rational and complexrational numbers and excluding the real and complex irrationals. In conjunction with the arithmetic completion axioms, this numeric type system makes it possible to prove the nonexistence of specific irrational numbers, such as √2. This paper describes ACL2(r), a version of ACL2 with support for the real and complex numbers. The modifications are based on nonstandard analysis, which interacts better with the discrete flavor of ACL2 than does traditional analysis.
Proving theorems about Java and the JVM with ACL2
 Models, Algebras and Logic of Engineering Software
, 2003
"... We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. ..."
Abstract

Cited by 18 (9 self)
 Add to MetaCart
We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrialstrength version of the BoyerMoore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proofguiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not
Detecting Errors with Configurable Wholeprogram Dataflow Analysis
, 2002
"... In this paper, we present an automatic compilerbased approach for detecting programming errors. Our system uses a configurable and scalable wholeprogram dataflow analysis engine driven by highlevel programmerwritten annotations. We show that our system can automatically detect a wide range of pro ..."
Abstract

Cited by 18 (8 self)
 Add to MetaCart
In this paper, we present an automatic compilerbased approach for detecting programming errors. Our system uses a configurable and scalable wholeprogram dataflow analysis engine driven by highlevel programmerwritten annotations. We show that our system can automatically detect a wide range of programmer errors in C programs, including improper use of libraries, information leaks, and security vulnerabilities. We show that the aggressive compiler analysis that our system performs yields precise results. Further, our system detects a wide range of errors with greater scalability than previous automatic approaches. For one important class of security vulnerabilities, our system automatically finds all known errors in five medium to large C programs without producing any false positives.
A verifying core for a cryptographic language compiler
 In Manolios, P., Wilding, M., eds.: 6th ACL2 Workshop. (2006
, 2006
"... A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 micropr ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a streambased language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the “core ” transformations of the compiler – those transformations over the sublanguage of µCryptol that begin after “higherorder ” aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutuallyrecursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods, reliability; D.3.4 ∗ The ACL2 books associated with this paper can be retrieved at
Refinement Maps for Efficient Verification of Processor Models
 In Design Automation and Test in Europe, DATE’05
, 2005
"... While most of the effort in improving verification times for pipeline machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification ..."
Abstract

Cited by 15 (5 self)
 Add to MetaCart
While most of the effort in improving verification times for pipeline machine verification has focused on faster decision procedures, we show that the refinement maps used also have a drastic impact on verification times. We introduce a new class of refinement maps for pipelined machine verification, and using the stateoftheart verification tools UCLID and Siege we show that one can attain several orders of magnitude improvements in verification times over the standard flushingbased refinement maps, even enabling the verification of machines that are too complex to otherwise automatically verify. 1.
Introducing the ITP tool: a tutorial
 Journal of Universal Computer Science
, 2006
"... Abstract: We present a tutorial of the ITP tool, a rewritingbased theorem prover that can be used to prove inductive properties of membership equational specifications. We also introduce membership equational logic as a formal language particularly adequate for specifying and verifying semantic dat ..."
Abstract

Cited by 15 (6 self)
 Add to MetaCart
Abstract: We present a tutorial of the ITP tool, a rewritingbased theorem prover that can be used to prove inductive properties of membership equational specifications. We also introduce membership equational logic as a formal language particularly adequate for specifying and verifying semantic data structures, such as ordered lists, binary search trees, priority queues, and powerlists. The ITP tool is a Maude program that makes extensive use of the reflective capabilities of this system. In fact, rewritingbased proof simplification steps are directly executed by the powerful underlying Maude rewriting engine. The ITP tool is currently available as a webbased application that includes a module editor, a formula editor, and a command editor. These editors allow users to create and modify their specifications, to formalize properties about them, and to guide their proofs by filling and submitting web forms. Key Words: inductive theorem proving, semantic data structures, membership equational logic, ITP
Formal Models of Java at the JVM Level A Survey from the ACL2 Perspective
 In Proc. Workshop on Formal Techniques for Java Programs, in association with ECOOP
, 2001
"... We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate compl ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
We argue that a practical way to apply formal methods to Java is to apply formal methods to the Java Virtual Machine (JVM) instead. A Java system can be proved correct by analyzing the bytecode produced for it. We believe that this clari es the semantic issues without introducing inappropriate complexity. We say \inappropriate" because we believe the complexity present in the JVM view of a Java class is inherent in the Java, when accurately modeled. If it is desired to model a subset of Java or to model \Java" with a slightly simpler semantics, that can be done by formalizing a suitable abstraction of the JVM. In this paper we support these contentions by surveying recent applications of the ACL2 theorem proving system to the JVM. In particular, we describe how ACL2 is used to formalize operational semantics, we describe several models of the JVM, and we describe proofs of theorems involving these models. We are using these models to explore a variety of Java issues from a formal perspective, including Java's bounded arithmetic, object manipulation via the heap, class inheritance, method resolution, singleand multithreaded programming, synchronization via monitors in the heap, and properties of the bytecode veri er.