The Boyer-Moore Theorem Prover and Its Interactive Enhancement
1995
Abstract

Cited by 30 (0 self)
The so-called "Boyer-Moore Theorem Prover" (otherwise known as "Nqthm") has been used to perform a variety of verification tasks for two decades. We give an overview of both this system and an interactive enhancement of it, "Pc-Nqthm," from a number of perspectives. First we introduce the logic in which theorems are proved. Then we briefly describe the two mechanized theorem proving systems. Next, we present a simple but illustrative example in some detail in order to give an impression of how these systems may be used successfully. Finally, we give extremely short descriptions of a large number of applications of these systems, in order to give an idea of the breadth of their uses. This paper is intended as an informal introduction to systems that have been described in detail and similarly summarized in many other books and papers; no new results are reported here. Our intention here is merely to present Nqthm to a new audience. This research was supported in part by ONR Contract N...
A Verified Compiler for an Impure Functional Language
2009
Abstract

Cited by 24 (2 self)
We present a verified compiler to an idealized assembly language from a small, untyped functional language with mutable references and exceptions. The compiler is programmed in the Coq proof assistant and has a proof of total correctness with respect to big-step operational semantics for the source and target languages. Compilation is staged and includes standard phases like translation to continuation-passing style and closure conversion, as well as a common subexpression elimination optimization. In this work, our focus has been on discovering and using techniques that make our proofs easy to engineer and maintain. While most programming language work with proof assistants uses very manual proof styles, all of our proofs are implemented as adaptive programs in Coq’s tactic language, making it possible to reuse proofs unchanged as new language features are added. In this paper, we focus especially on phases of compilation that rearrange the structure of syntax with nested variable binders. That aspect has been a key challenge area in past compiler verification projects, with much more effort expended in the statement and proof of binder-related lemmas than is found in standard pencil-and-paper proofs. We show how to exploit the representation technique of parametric higher-order abstract syntax to avoid the need to prove any of the usual lemmas about binder manipulation, often leading to proofs that are actually shorter than their pencil-and-paper analogues. Our strategy is based on a new approach to encoding operational semantics which delegates all concerns about substitution to the meta language, without using features incompatible with general-purpose type theories like Coq’s logic.
A Grand Challenge Proposal for Formal Methods: A Verified Stack
Abstract

Cited by 22 (1 self)
We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of their choice. The point is not to have just one integrated formal method or just one verified application, but to encourage groups to develop the techniques and methodologies necessary for system-level verification.
Proving Theorems about Java-like Byte Code
CORRECT SYSTEM DESIGN - RECENT INSIGHTS AND ADVANCES
1999
Abstract

Cited by 17 (9 self)
We describe a formalization of an abstract machine very similar to the Java Virtual Machine but far simpler. We develop techniques for specifying the properties of classes and methods for this machine. We
Proof styles in operational semantics
Proceedings of the 5th International Conference on Formal Methods in Computer-Aided Design (FMCAD 2004), volume 3312 of LNCS
2004
Abstract

Cited by 9 (5 self)
We relate two well-studied methodologies in deductive verification of operationally modeled sequential programs, namely the use of inductive invariants and clock functions. We show that the two methodologies are equivalent and one can mechanically transform a proof of a program in one methodology to a proof in the other. Both partial and total correctness are considered. This mechanical transformation is compositional; different parts of a program can be verified using different methodologies to achieve a complete proof of the entire program. The equivalence theorems have been mechanically checked by the ACL2 theorem prover and we implement automatic tools to carry out the transformation between the two methodologies in ACL2.
An Executable Formal Java Virtual Machine Thread Model
2001
Abstract

Cited by 7 (1 self)
We discuss an axiomatic description of a simple abstract machine similar to the Java Virtual Machine (JVM). Our model supports classes, with fields and byte-coded methods, and a representative sampling of JVM bytecodes for basic operations for both data and control. The GETFIELD and PUTFIELD instructions accurately model inheritance, as does the INVOKEVIRTUAL instruction. Our model supports multiple threads, synchronized methods, and monitors. Our current model is inadequate or inaccurate
Testing the FM9001 Microprocessor
 Jan.), Computational Logic, Inc
1995
Abstract

Cited by 5 (0 self)
The FM9001 is a general-purpose 32-bit microprocessor that was fabricated for Computational Logic, Inc., by LSI Logic, Inc., as an ASIC. Prior to fabrication, the FM9001 netlist was formally and mechanically proved to implement its user-level specification by Brock and Hunt using the Nqthm theorem prover. In this report, we document our post-fabrication testing of the physical device. The testing included both executing FM9001 machine code and also low-level testing with a Tektronix LV500 chip tester. To date, all tests have confirmed that the FM9001 behaves as formally specified.
1 Introduction
The FM9001 is a general purpose CMOS, 32-bit microprocessor that was fabricated for us by LSI Logic in 1991. Prior to fabrication, the netlist design of the FM9001 that we later supplied to LSI Logic was formally proven, using the mechanical theorem prover Nqthm [7, 5], to implement its user-level, i.e., machine-code level, specification. (See the report "The FM9001 Microprocessor Proof" [7] fo...
Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof
PROCEEDINGS OF THE ACL2'2000 WORKSHOP, UNIVERSITY OF TEXAS
2000
Abstract

Cited by 4 (2 self)
In this paper we present an exercise in compiler source level verification. Actually, the source and target language and the compiler have already been used in our article for the ACL2 Case Studies book [Goe00a], where we prove that source level correctness is not at all sufficient to prove compiler executables correct. However, the proof is interesting in itself, and the fact that the compiler used in [Goe00a] is indeed proved correct is essential for the message of that article. So we want to give a more detailed documentation of that proof. The main point is that we use ACL2 to formally and mechanically prove preservation of partial program correctness, which is a very practically motivated implementation correctness notion that allows for trusted machine program execution even if the source program is not proved to be totally correct. As far as we know, a mechanical proof of preservation of partial correctness has not yet been documented, at least not in ACL2.
A mechanized program verifier
In IFIP Working Conference on the Program Verifier Challenge
2005
Abstract

Cited by 3 (0 self)
In my view, the “verification problem” is the theorem proving problem, restricted to a computational logic. My approach is: adopt a functional programming language, build a general purpose formal reasoning engine around it, integrate it into a program and proof development environment, and apply it to model and verify a wide variety of computing artifacts, usually modeled operationally within the functional programming language. Everything done in this approach is software verification since the models are runnable programs in a subset of an ANSI standard programming language (Common Lisp). But this approach is of interest to proponents of other approaches (e.g., verification of procedural programs or synthesis) because of the nature of the mathematics of computing. I summarize the progress so far using this approach, sketch the key research challenges ahead and describe my vision of the role and shape of a useful verification system.
Machine-Checked Real-Time System Verification
1996
Abstract

Cited by 1 (1 self)
(Table-of-contents fragment of the thesis, beginning mid-entry.)
System Lemma
7.4.2 FM9001 Reasonableness Proof
7.4.3 FM9001 Program Proof
7.4.4 Deriving the Final Theorem
7.5 Invariants Proved in the Quizshow Proof
7.5.1 Abstract System Lemma Invariants
7.5.2 FM9001 Reasonableness Lemma Invariants
7.5.3 Program Correctness Lemma Invariants
7.6 The Light-Switch Example
7.6.1 A Correctness Lemma
7.6.2 A Light-Switch Program Specification
7.6.3 Example Execution of the Light-Switch System
8. Some Implications of the Proved Real-time System
8.1 Execution on the FM9001 Single-board Computer
8.2 Comparison with Scheduling Theorem ...