Results 1  10
of
10
Running the manual: An approach to highassurance microkernel development
 In ACM SIGPLAN Haskell WS
, 2006
"... We propose a development methodology for designing and prototyping high assurance microkernels, and describe our application of it. The methodology is based on rapid prototyping and iterative refinement of the microkernel in a functional programming language. The prototype provides a precise semifo ..."
Abstract

Cited by 26 (15 self)
 Add to MetaCart
We propose a development methodology for designing and prototyping high assurance microkernels, and describe our application of it. The methodology is based on rapid prototyping and iterative refinement of the microkernel in a functional programming language. The prototype provides a precise semiformal model, which is also combined with a machine simulator to form a reference implementation capable of executing real userlevel software, to obtain accurate feedback on the suitability of the kernel API during development phases. We extract from the prototype a machinecheckable formal specification in higherorder logic, which may be used to verify properties of the design, and also results in corrections to the design without the need for full verification. We found the approach leads to productive, highly iterative development where formal modelling, semiformal design and prototyping, and end use all contribute to a more mature final design in a shorter period of time.
A Hoare Logic for CallbyValue Functional Programs
"... Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a Hoare logic for a callbyvalue programming language equipped with recursive, higherorder functions, algebraic data types, and a polymorphic type system in the style of Hindley and Milner. It is the theoretical basis for a tool that extracts proof obligations out of programs annotated with logical assertions. These proof obligations, expressed in a typed, higherorder logic, are discharged using offtheshelf automated or interactive theorem provers. Although the technical apparatus that we exploit is by now standard, its application to callbyvalue functional programming languages appears to be new, and (we claim) deserves attention. As a sample application, we check the partial correctness of a balanced binary search tree implementation. 1
Formalising a HighPerformance Microkernel
 WORKSHOP ON VERIFIED SOFTWARE: THEORIES, TOOLS, AND EXPERIMENTS (VSTTE 06), MICROSOFT RESEARCH TECHNICAL REPORT MSRTR2006117
, 2006
"... This paper argues that a pragmatic approach is needed for integrating design and formalisation of complex systems. We report on our approach to designing the seL4 operating system microkernel API and its formalisation in Isabelle/HOL. The formalisation consists of the systematic translation of signi ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
This paper argues that a pragmatic approach is needed for integrating design and formalisation of complex systems. We report on our approach to designing the seL4 operating system microkernel API and its formalisation in Isabelle/HOL. The formalisation consists of the systematic translation of significant parts of the functional programming language Haskell into Isabelle/HOL, including monadbased code. We give an account of the experience, decisions and outcomes in this translation as well as the technical problems we encountered together with our solutions. The longerterm goal is to demonstrate that formalisation and verification of a large, complex, OSlevel code base is feasible with current tools and methods and is in the order of magnitude of traditional development cost.
Translating Haskell to Isabelle
, 2007
"... Abstract. We present partial translations of Haskell programs to Isabelle that have been implemented as part of the Heterogeneous Tool Set. The the target logic is Isabelle/HOLCF, and the translation is based on a shallow embedding approach. 1 ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. We present partial translations of Haskell programs to Isabelle that have been implemented as part of the Heterogeneous Tool Set. The the target logic is Isabelle/HOLCF, and the translation is based on a shallow embedding approach. 1
Proof Tool Support for Explicit Strictness
"... Abstract. In programs written in lazy functional languages such as for example Clean and Haskell, the programmer can choose freely whether particular subexpressions will be evaluated lazily (the default) or strictly (must be specified explicitly). It is widely known that this choice affects program ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
(Show Context)
Abstract. In programs written in lazy functional languages such as for example Clean and Haskell, the programmer can choose freely whether particular subexpressions will be evaluated lazily (the default) or strictly (must be specified explicitly). It is widely known that this choice affects program behavior, resource consumption and semantics in several ways. However, not much experience is available about the impact on logical program properties and formal reasoning. This paper aims to give a better understanding of the concept of explicit strictness. The impact of explicit strictness on formal reasoning will be investigated. It will be shown that this impact is bigger than expected and that tool support is needed for formal reasoning in the context of explicit strictness. We introduce the various ways in which strictness specific support is offered by the proof assistant Sparkle. 1
Verification of Parametric Counter Automata in a Dependently Typed Language
, 2010
"... Counter Automata are Finite State Automata which include a set of registers containing natural numbers, and where state transitions occur based on these register values. The contribution of our work is to extend previous work on verification of counter automata properties to cover arbitrary computab ..."
Abstract
 Add to MetaCart
Counter Automata are Finite State Automata which include a set of registers containing natural numbers, and where state transitions occur based on these register values. The contribution of our work is to extend previous work on verification of counter automata properties to cover arbitrary computable functions and predicates (in principle). In order to achieve this, we use the dependently typed language Agda to verify properties. The advantage of this approach is that it allows us to verify both functional and extrafunctional properties such as resource consumption, in the presence of iteration and control parameters. However, we are not able to achieve fully automatic verification. We illustrate our approach using three examples: i) verifying that a particular finite state automaton accepts exactly those binary sequences divisible by 3, if they are interpreted as numbers; ii) verifying the worstcase execution time of a system of three boxes, depending on an unknown control parameter; and iii) verifying the number of box executions for a system of two boxes, which is nonlinear.
Static Contract Checking via FirstOrder Logic
"... Abstract. We enrich the static semantics of Haskell in order to give stronger static guarantees about the input/output behavior of programs. Our approach has two parts: a contract system for Haskell, and a novel strategy for statically checking that a term satisfies a contract. The contract system ..."
Abstract
 Add to MetaCart
(Show Context)
Abstract. We enrich the static semantics of Haskell in order to give stronger static guarantees about the input/output behavior of programs. Our approach has two parts: a contract system for Haskell, and a novel strategy for statically checking that a term satisfies a contract. The contract system includes refinement types, which refine Haskell types by arbitrary Booleanvalued Haskell expressions, and a “crash free ” predicate, which is true of expressions that can’t cause a runtime exception in any “safe ” context. Our novel contractchecking strategy is to translate a contractannotated source program into a theorem in firstorder logic, and then invoke an automatic theorem prover to prove (or refute) the theorem. 1
Verification of an Optimisation Algorithm of Stack Machine in Functional Programming Languages
, 2006
"... Software verification is a significant part of software engineering which is used to ensure that the programs meet their specification and deliver the functionality expected by the users. Pure functional programs can be directly verified by tools. This dissertation focuses on implementing an optimi ..."
Abstract
 Add to MetaCart
(Show Context)
Software verification is a significant part of software engineering which is used to ensure that the programs meet their specification and deliver the functionality expected by the users. Pure functional programs can be directly verified by tools. This dissertation focuses on implementing an optimisation algorithm of stack machine in functional program languages, and verifying its correctness with two verification tools, QuickCheck and HOL Light. QuickCheck is used for testing and HOLLight is used for proof. The optimisation algorithm transfers the instruction code to replace loads and stores with stack manipulation to reduce the memory accesses. The correctness of the optimisation is verified by showing the code before a transformation is semantically equivalent to the transformed code. The verification method is generalised, which is useful for further verifications of stack algorithms. iDeclaration I declare that this thesis was composed by myself, that the work contained herein is my own except where explicitly stated otherwise in the text, and that this work has not been submitted for any other degree or professional qualification except as specified. (Guanhua He) ii
Certified HLints with Isabelle/HOLCFPrelude
"... We present the HOLCFPrelude, a formalization of a large part of Haskell’s standard prelude in Isabelle/HOLCF. Applying this formalization to the hints suggested by HLint allows us to certify them formally. In pure functional languages such as Haskell, equational reasoning is a valuable tool for ref ..."
Abstract
 Add to MetaCart
(Show Context)
We present the HOLCFPrelude, a formalization of a large part of Haskell’s standard prelude in Isabelle/HOLCF. Applying this formalization to the hints suggested by HLint allows us to certify them formally. In pure functional languages such as Haskell, equational reasoning is a valuable tool for refactoring, to improve both efficiency and aesthetics. For example, an experienced programmer would replace reverse ".txt " `isPrefixOf ` reverse filename with the more readable (and more efficient) ".txt " `isSuffixOf ` filename. In this paper we call such a replacement a rewrite. We only want to apply rewrites that are valid and thus some natural questions arise: Is the original expression equivalent to the replaced expression? With a language like Haskell, this entails the question: What about when infinite or undefined values are involved? To highlight some of the issues, consider another example. Assuming the definition reverse [] = [] reverse (x:xs) = reverse xs ++ [x] can we safely apply the following rewrite?