A Provably Correct Compiler Generator
, 1992
Cited by 26 (2 self)
We have designed, implemented, and proved the correctness of a compiler generator that accepts action semantic descriptions of imperative programming languages. The generated compilers emit absolute code for an abstract RISC machine language that currently is assembled into code for the SPARC and the HP Precision Architecture. Our machine language needs no run-time type-checking and is thus more realistic than those considered in previous compiler proofs. We use solely algebraic specifications; proofs are given in the initial model.

1 Introduction

The previous approaches to proving correctness of compilers for non-trivial languages all use target code with run-time type-checking. The following semantic rule is typical for these target languages:

$(\mathit{FIRST} : C;\ \langle v_1, v_2 \rangle : S) \to (C;\ v_1 : S)$

The rule describes the semantics of an instruction that extracts the first component of the top element of the stack, provided that the top element is a pair. If not, then it is implicit that the...
An Automatically Generated and Provably Correct Compiler for a Subset of Ada
- In IEEE International Conference on Computer Languages
, 1992
Cited by 11 (2 self)
We describe the automatic generation of a provably correct compiler for a non-trivial subset of Ada. The compiler is generated from an action semantic description; it emits absolute code for an abstract RISC machine language that currently is assembled into code for the SPARC and the HP Precision Architecture. The generated code is an order of magnitude better than what is produced by compilers generated by the classical systems of Mosses, Paulson, and Wand. The use of action semantics makes the processable language specification easy to read and pleasant to work with. In Proc. ICCL'92, Fourth IEEE International Conference on Computer Languages, pages 117--126.

1 Introduction

The purpose of a language designer's workbench, envisioned by Pleban, is to drastically improve the language design process. The major components in such a workbench are:
- A specification language whose specifications are easily maintainable, and accessible without knowledge of the underlying theory; and f...
A Verified Compiler for a Structured Assembly Language
- In proceedings of the 1991 international workshop on the HOL theorem Proving System and its applications. IEEE Computer
, 1991
Cited by 6 (2 self)
We describe the verification of a compiler for a subset of the Vista language: a structured assembly language for the Viper microprocessor. This proof has been mechanically checked using the HOL system. We consider how the compiler correctness theorem could be used to deduce safety and liveness properties of compiled code from theorems stating that these properties hold of the source code. We also show how secure compilation can be achieved using automated theorem proving techniques.

1 Introduction

In this paper, we describe the verification of a compiler for a subset of the Vista language [10]. Our motivation for verifying the compiler is to allow us to infer properties about the code which is actually executed from properties we prove about Vista programs. Previous work on the formal verification of compilers has largely considered the compiler correctness theorem itself to be the ultimate goal. Consequently, little attention has been given to identifying the way in which the correc...
A Mechanically Verified Compiling Specification for a Realistic Compiler. Ulmer Informatik-Berichte 02-03, Universität Ulm, Fakultät für Informatik
, 2002
Cited by 4 (0 self)
We report on a large formal verification effort in mechanically proving correct a compiling specification for a realistic bootstrap compiler from ComLisp (a subset of ANSI Common Lisp sufficiently expressive to serve as a compiler implementation language) to binary Transputer code using the PVS system. The compilation is carried out in five steps through a series of intermediate languages. In the first phase, ComLisp is translated into a stack intermediate language (SIL), where parameter passing is implemented by a stack technique. Expressions are transformed from a prefix notation into a postfix notation according to the stack principle. SIL is then compiled into C_int, where the ComLisp data structures (s-expressions) and operators are implemented in linear integer memory using a run-time stack and a heap. These two steps are machine independent. In the compiler's backend, first the control structures (loops, conditionals) of the intermediate language C_int are implemented by linear assembler code with relative jumps, the infinite memory model of C_int is realized on the finite Transputer memory, and the basic C_int statements for accessing the stack and heap are implemented by a sequence of assembler instructions. The fourth phase consists of the implementation of
A Mathematically Precise Two-Level Formal Hardware Verification Methodology
, 1992
Cited by 3 (1 self)
Theorem-proving and symbolic trajectory evaluation are both described as methods for the formal verification of hardware. They are both used to achieve a common goal---correctly designed hardware---and both are intended to be an alternative to conventional methods based on non-exhaustive simulation. However, they have different strengths and weaknesses. The main significance of this paper is the description of a two-level approach to formal hardware verification, where the HOL theorem prover is combined with the Voss verification system. From symbolic trajectory evaluation we inherit a high degree of automation and accurate models of circuit behavior and timing. From interactive theorem-proving we gain access to powerful mathematical tools such as induction and abstraction. The interface between HOL and Voss is, however, more than just an ad hoc translation of verification results obtained by one tool into input for the other tool. We have developed a "mathematical" inte...
Capturing the logical structure of requirements for the automatic generation of test specifications
Cited by 1 (1 self)
This paper presents a new, alternate technique for automatically generating system-level requirements-based test specifications. The proposed technique does not require the construction of a mathematical model of the requirements. Instead, a parsable structuring of textual requirements is used to capture the logical relationships between conditions. The dramatic reduction in modeling effort together with automating a substantial portion of the test generation process provides the potential for reducing costs in system-level testing.
Generic Compilation Schemes for Simple Programming Constructs
, 1999
Cited by 1 (1 self)
datatype Expr and an evaluation function eval then define syntax and semantics of expressions, where the state (SState) is defined as a mapping from identifiers to values.

    % --- semantics of expressions ---
    eval(e: Expr)(s: SState): RECURSIVE Value =
      CASES e OF
        const(val): val,
        varid(name): s(name),
        unopr(op, arg): MUnop(op)(eval(arg)(s)),
        binopr(op, left, right): MBinop(op)(eval(left)(s), eval(right)(s))
      ENDCASES
      MEASURE e BY <<

Since boolean expressions are treated in a similar way as expressions, we do not define them explicitly but instead suppose that an (uninterpreted) type BExp together with an evaluation function eval_bexp: [BExp -> [SState -> bool]] is given. Syntax and semantics of statements are defined by importing the generic theories for simple statements and control structures:

    % --- import syntax and semantics of simple statements
    IMPORTING simplestatements[VarId, Expr, Value, eval]
    % --- import syntax and semantics of control structures
    IMPORTING ctrlstruc[B...
Of What Use is a Verified Compiler Specification?
, 1992
Cited by 1 (0 self)
Program verification is normally performed on source code. However, it is the object code which is executed and so which ultimately must be correct. The compiler used to produce the object code must not introduce bugs. The majority of the compiler correctness literature is concerned with the verification of compiler specifications rather than executable implementations. We discuss different ways that verified specifications can be used to obtain implementations with varying degrees of security. In particular, we describe how a specification can be executed by proof. We discuss how this method can be used in conjunction with an insecure production compiler so as to retain security without slowing the development cycle of application programs. A verified implementation of a compiler in a high-level language is not sufficient to obtain correct object code. The compiler must itself be compiled into a low-level language before it can be executed. At first sight it appears we need an already...
Sixth Automated Reasoning Workshop: Bridging the Gap between Theory and Practice
We give a new treatment of Maslov's class K in the framework of resolution. More specifically, we show that K and the class DK consisting of disjunctions of formulae in K can be decided by a resolution refinement based on liftable orderings. We also discuss relationships to other solvable and unsolvable classes. Maslov's class K [Mas71] is one of the most important solvable fragments of first-order logic. It contains a variety of classical solvable fragments including the Monadic class, first-order logic with two variables (FO²), the initially extended Skolem class and the Gödel class [FLTZ93]. It also encompasses a range of non-classical logics, like a number of extended modal logics, many description logics used in the field of knowledge representation [HS98, FLTZ93, chap. 7], and some reducts of representable relational algebras. For this reason practical decision procedures for the class K are of general interest. According to Maslov [Mas71] the inverse method provides a means to decide the validity of disjunctions of formulae in the class K. Although Kuehner [Kue71] noted in 1971 that there is a one-to-one correspondence between derivations in the inverse method and resolution, only in 1993 was a decision procedure for a subclass of the dual of K based on a refinement of resolution described by Zamov [FLTZ93, chap. 6]. His techniques are based on non-liftable orderings, which have limitations regarding the application of some standard simplification rules, and the completeness proof relies on a -ordering. Regarding completeness, it is not clear whether the problems with -orderings as discussed in [Wei94] are avoided. In this paper we are concerned with the problem of deciding satisfiability for the dual class of K, which we call K, as well as the class DK consi...

