Results 1  10
of
36
Formal certification of a compiler backend, or: programming a compiler with a proof assistant
 IN PROC. 33RD ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL ’06
, 2006
"... This paper reports on the development and formal certification (proof of semantic preservation) of a compiler from Cminor (a Clike imperative language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a certified compile ..."
Abstract

Cited by 229 (15 self)
 Add to MetaCart
This paper reports on the development and formal certification (proof of semantic preservation) of a compiler from Cminor (a Clike imperative language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a certified compiler is useful in the context of formal methods applied to the certification of critical software: the certification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well.
Oracle semantics for concurrent separation logic
 In Proc. European Symp. on Programming (ESOP 2008
, 2008
"... Abstract. We define (with machinechecked proofs in Coq) a modular operational semantics for Concurrent C minor—a language with shared memory, spawnable threads, and firstclass locks. By modular we mean that one can reason about sequential control and dataflow knowing almost nothing about concurre ..."
Abstract

Cited by 58 (12 self)
 Add to MetaCart
Abstract. We define (with machinechecked proofs in Coq) a modular operational semantics for Concurrent C minor—a language with shared memory, spawnable threads, and firstclass locks. By modular we mean that one can reason about sequential control and dataflow knowing almost nothing about concurrency, and one can reason about concurrency knowing almost nothing about sequential control and dataflow constructs. We present a Concurrent Separation Logic with firstclass locks and threads, and prove its soundness with respect to the operational semantics. Using our modularity principle, we proved the sequential C.S.L. rules (those inherited from sequential Separation Logic) simply by adapting Appel & Blazy’s machinechecked soundness proofs. Our Concurrent C minor operational semantics is designed to connect to Leroy’s optimizing (sequential) C minor compiler; we propose our modular semantics as a way to adapt Leroy’s compilercorrectness proofs to the concurrent setting. Thus we will obtain endtoend proofs: the properties you prove in Concurrent Separation Logic will be true of the program that actually executes on the machine. 1
Formal Verification of Translation Validators  A Case Study on Instruction Scheduling Optimizations
, 2008
"... Translation validation consists of transforming a program and a posteriori validating it in order to detect a modification of its semantics. This approach can be used in a verified compiler, provided that validation is formally proved to be correct. We present two such validators and their Coq proof ..."
Abstract

Cited by 24 (5 self)
 Add to MetaCart
Translation validation consists of transforming a program and a posteriori validating it in order to detect a modification of its semantics. This approach can be used in a verified compiler, provided that validation is formally proved to be correct. We present two such validators and their Coq proofs of correctness. The validators are designed for two instruction scheduling optimizations: list scheduling and trace scheduling.
Separation logic for smallstep Cminor
 IN: THEOREM PROVING IN HIGHER ORDER LOGICS, 20TH INT. CONF. TPHOLS 2007
, 2007
"... ..."
Verified Validation of Lazy Code Motion
, 2008
"... Translation validation establishes a posteriori the correctness of a run of a compilation pass or other program transformation. In this paper, we develop an efficient translation validation algorithm for the Lazy Code Motion (LCM) optimization. LCM is an interesting challenge for validation because ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Translation validation establishes a posteriori the correctness of a run of a compilation pass or other program transformation. In this paper, we develop an efficient translation validation algorithm for the Lazy Code Motion (LCM) optimization. LCM is an interesting challenge for validation because it is a global optimization that moves code across loops. Consequently, care must be taken not to move computations that may fail before loops that may not terminate. Our validator includes a specific check for anticipability to rule out such incorrect moves. We present a mechanicallychecked proof of correctness of the validation algorithm, using the Coq proof assistant. Combining our validator with an unverified implementation of LCM, we obtain a LCM pass that is provably semanticspreserving and was integrated in the CompCert formally verified compiler.
HOLBoogie  An Interactive Prover for the Boogie ProgramVerifier
"... Boogie is a program verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic. Its verification conditions — constructed via a wp calculus from these annotations — are usually transferred to ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
Boogie is a program verification condition generator for an imperative core language. It has frontends for the programming languages C# and C enriched by annotations in firstorder logic. Its verification conditions — constructed via a wp calculus from these annotations — are usually transferred to automated theorem provers such as Simplify or Z3. In this paper, however, we present a proofenvironment, HOLBoogie, that combines Boogie with the interactive theorem prover Isabelle/HOL. In particular, we present specific techniques combining automated and interactive proof methods for codeverification. We will exploit our proofenvironment in two ways: First, we present scenarios to "debug" annotations (in particular: invariants) by interactive proofs. Second, we use our environment also to verify "background theories", i.e. theories for datatypes used in annotations as well as memory and machine models underlying the verification method for C.
Trusted source translation of a total function language
 In 14th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS
, 2008
"... Abstract. We present a trusted source translator that transforms total functions defined in the specification language of the HOL theorem prover to simple intermediate code. This translator eliminates polymorphism by code specification, removes higherorder functions through closure conversion, inte ..."
Abstract

Cited by 9 (8 self)
 Add to MetaCart
Abstract. We present a trusted source translator that transforms total functions defined in the specification language of the HOL theorem prover to simple intermediate code. This translator eliminates polymorphism by code specification, removes higherorder functions through closure conversion, interprets pattern matching as conditional expressions, etc. The target intermediate language can be further translated by proof to a simple imperative language. Each transformation is proven to be correct automatically. The formalization, implementation and mechanical verification of all transformations are done in HOL4. 1
Structure of a proofproducing compiler for a subset of higher order logic
 16th European Symposium on Programming (ESOP’07
, 2007
"... Abstract. We give an overview of a proofproducing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler ..."
Abstract

Cited by 8 (6 self)
 Add to MetaCart
Abstract. We give an overview of a proofproducing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler and its mechanical verification are implemented in the same logic framework.
Separation logic for smallstep C minor
 IN 20TH INTERNATIONAL CONFERENCE ON THEOREM PROVING IN HIGHERORDER LOGICS (TPHOLS
, 2007
"... C minor is a midlevel imperative programming language (just below C), and there exist provedcorrect optimizing compilers from C to C minor and from C minor to machine language. We have redesigned C minor so that it is suitable for Hoarelogic reasoning, we have designed a Separation Logic for C ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
C minor is a midlevel imperative programming language (just below C), and there exist provedcorrect optimizing compilers from C to C minor and from C minor to machine language. We have redesigned C minor so that it is suitable for Hoarelogic reasoning, we have designed a Separation Logic for C minor, we have given a smallstep operational semantics so that extensions to concurrent C minor will be possible, and we have a machinechecked proof of soundness of our Separation Logic. This is the first largescale machinechecked proof of a Hoare logic w.r.t. a smallstep semantics. Our sequential soundness proof of the sequential Separation Logic for the sequential language features will be usable without change within a soundness proof of Concurrent Separation Logic w.r.t. Concurrent C minor. In addition, we have a machinechecked proof of the relation between our smallstep semantics and Leroy’s original bigstep semantics; thus sequential programs can be compiled by Leroy’s compiler with formal endtoend correctness guarantees.