This paper reports on the development and formal certification (proof of semantic preservation) of a compiler from Cminor (a C-like imperative language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a certified compiler is useful in the context of formal methods applied to the certification of critical software: the certification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well.

This paper presents the formal verification of a compiler front-end that translates a subset of the C language into the Cminor intermediate language. The semantics of the source and target languages as well as the translation between them have been written in the specification language of the Coq proof assistant. The proof of observational semantic equivalence between the source and generated code has been machine-checked using Coq. An executable compiler was obtained by automatic extraction of executable Caml code from the Coq specification of the translator, combined with a certified compiler back-end generating PowerPC assembly code from Cminor, described in previous work.

Abstract not found

C minor is a mid-level imperative programming language (just below C), and there exist proved-correct optimizing compilers from C to C minor and from C minor to machine language. We have redesigned C minor so that it is suitable for Hoare-logic reasoning, we have designed a Separation Logic for C minor, we have given a small-step operational semantics so that extensions to concurrent C minor will be possible, and we have a machine-checked proof of soundness of our Separation Logic. This is the first large-scale machine-checked proof of a Hoare logic w.r.t. a small-step semantics. Our sequential soundness proof of the sequential Separation Logic for the sequential language features will be usable without change within a soundness proof of Concurrent Separation Logic w.r.t. Concurrent C minor. In addition, we have a machine-checked proof of the relation between our small-step semantics and Leroy’s original big-step semantics; thus sequential programs can be compiled by Leroy’s compiler with formal end-to-end correctness guarantees.

Abstract. We give an overview of a proof-producing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler and its mechanical verification are implemented in the same logic framework.

Boogie is a verification condition generator for an imperative core language. It has front-ends for the programming languages C# and C enriched by annotations in first-order logic, i. e. pre- and postconditions, assertions, and loop invariants. Moreover, concepts like ghost fields, ghost variables, ghost code and specification functions have been introduced to support a specific modeling methodology. Boogie’s verification conditions — constructed via a wp calculus from annotated programs — are usually transferred to automated theorem provers such as Simplify or Z3. This also comprises the expansion of language-specific modeling constructs in terms of a theory describing memory and elementary operations on it; this theory is called a machine/memory model. In this paper, we present a proof environment, HOL-Boogie, that combines Boogie with the interactive theorem prover Isabelle/HOL, for a specific C front-end and a machine/memory model. In particular, we present specific techniques combining automated and interactive proof methods for code verification. The main goal of our environment is to help program verification engineers in their task to “debug” annotations and to find combined proofs where purely automatic proof attempts fail.

Abstract. Static analysis is a difficult task, partly because programming languages are extremely rich, and have intricate semantics with architecture-dependent aspects. We have therefore chosen to design Newspeak, a kernel language dedicated to the purpose of static analysis. And, we have implemented a front-end, C2Newspeak, that translates C programs into Newspeak. Thus, any static analysis algorithm that uses this front-end, is preserved from the aforementioned sources of complexity. This paper fully presents the syntax and precise semantics of Newspeak. The design rationale of the language is explained and the advantages for static analysis highlighted. The various details of the translation from C to Newspeak are shown on examples. C2Newspeak was made to compile embedded C programs of a few million lines of code. It is, as well as a few other utilities, provided as free software under the LGPL. 1

The development of software systems may be facilitated through modelling at different levels of abstraction. Various factors conspire to de-emphasise modelling in a commercial development process, such as pressure to deliver production code and its supporting documentation, the perception that modelling is an unstructured or opaque process, and the propensity of modelling artifacts to becoming rapidly and silently obsolete. While modern programming environments do allow and even encourage an implementation to include components at more than one level of abstraction, the maintained components are naturally those that are executable. This can result in the loss of vital information such as intentions and constraints. This dissertation explores an approach for including and naturally maintaining model-level abstractions linked to implementation code. The various obstacles raised are used to inform the development of a lightweight tool intended to lower the cost of the approach in the Java environment. The approach and tool are validated against a simple example used during the exploration, and the tool itself. ii Acknowledgments I am indebted to my supervisor Professor Jim Davies and the other lecturers and staff of the Software Engineering Programme at the University of Oxford for their energy and encouragement in this project and the learning that preceded it. I would also like to thank Neil Kipling, CEO of IDBS, and my line manager Kevin Gill for sponsoring my MSc and for cheerfully tolerating my absences from paid work. All of this was made possible by the patience and support of my wife Beth and daughter Abigail. Thank you. The author confirms that: this dissertation does not contain material previously submitted for another degree or academic award; and the work presented here is the author's own, except where otherwise stated.

Abstract not found

Abstract not found