Results 1  10
of
54
A machinechecked model for a Javalike language, virtual machine and compiler
 ACM TRANSACTIONS ON PROGRAMMING LANGUAGES AND SYSTEMS
, 2004
"... We introduce Jinja, a Javalike programming language with a formal semantics designed to exhibit core features of the Java language architecture. Jinja is a compromise between realism of the language and tractability and clarity of the formal semantics. The following aspects are formalised: a big an ..."
Abstract

Cited by 108 (9 self)
 Add to MetaCart
We introduce Jinja, a Javalike programming language with a formal semantics designed to exhibit core features of the Java language architecture. Jinja is a compromise between realism of the language and tractability and clarity of the formal semantics. The following aspects are formalised: a big and a small step operational semantics for Jinja and a proof of their equivalence; a type system and a definite initialisation analysis; a type safety proof of the small step semantics; a virtual machine (JVM), its operational semantics and its type system; a type safety proof for the JVM; a bytecode verifier, i.e. data flow analyser for the JVM; a correctness proof of the bytecode verifier w.r.t. the type system; a compiler and a proof that it preserves semantics and welltypedness. The emphasis of this work is not on particular language features but on providing a unified model of the source language, the virtual machine and the compiler. The whole development has been carried out in the theorem prover Isabelle/HOL.
Random testing in isabelle/hol
 Software Engineering and Formal Methods (SEFM 2004
, 2004
"... When developing nontrivial formalizations in a theorem prover, a considerable amount of time is devoted to “debugging ” specifications and conjectures by failed proof attempts. To detect such problems early in the proof and save development time, we have extended the Isabelle theorem prover with a ..."
Abstract

Cited by 42 (2 self)
 Add to MetaCart
(Show Context)
When developing nontrivial formalizations in a theorem prover, a considerable amount of time is devoted to “debugging ” specifications and conjectures by failed proof attempts. To detect such problems early in the proof and save development time, we have extended the Isabelle theorem prover with a tool for testing specifications by evaluating propositions under an assignment of random values to free variables. Distribution of the test data is optimized via mutation testing. The technical contributions are an extension of earlier work with inductive definitions and a generic method for randomly generating elements of recursive datatypes. 1.
Formal Verification of a Java Compiler in Isabelle
, 2002
"... This paper reports on the formal proof of correctness of a compiler from a substantial subset of Java source language to Java bytecode in the proof environment Isabelle. This work is based on extensive previous formalizations of Java, which comprise all relevant features of objectorientation. W ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
This paper reports on the formal proof of correctness of a compiler from a substantial subset of Java source language to Java bytecode in the proof environment Isabelle. This work is based on extensive previous formalizations of Java, which comprise all relevant features of objectorientation. We place particular emphasis on describing the e#ects of design decisions in these formalizations on the compiler correctness proof.
A Reflective Functional Language for Hardware Design and Theorem Proving
"... This paper introduces reFLect, a functional programming language with reflection features intended for applications in hardware design and verification. The reFLect language is strongly typed and similar to ML, but has quotation and antiquotation constructs. These may be used to construct and decomp ..."
Abstract

Cited by 29 (6 self)
 Add to MetaCart
(Show Context)
This paper introduces reFLect, a functional programming language with reflection features intended for applications in hardware design and verification. The reFLect language is strongly typed and similar to ML, but has quotation and antiquotation constructs. These may be used to construct and decompose expressions in the reFLect language itself. The paper motivates and presents the syntax and type system of this language, which brings together a new combination of patternmatching and reflection features targeted specifically at our application domain. It also gives an operational semantics based on a new use of contexts as expression constructors, and it presents a scheme for compiling reFLect programs into the λcalculus using the same context mechanism.
Certifying machine code safety: Shallow versus deep embedding
 IN TPHOLS, NUMBER 3223 IN LNCS
, 2004
"... We formalise a simple assembly language with procedures and a safety policy for arithmetic overflow in Isabelle/HOL. To verify individual programs we use a safety logic. Such a logic can be realised in Isabelle/HOL either as shallow or deep embedding. In a shallow embedding logical formulas are wri ..."
Abstract

Cited by 21 (3 self)
 Add to MetaCart
(Show Context)
We formalise a simple assembly language with procedures and a safety policy for arithmetic overflow in Isabelle/HOL. To verify individual programs we use a safety logic. Such a logic can be realised in Isabelle/HOL either as shallow or deep embedding. In a shallow embedding logical formulas are written as HOL predicates, whereas a deep embedding models formulas as a datatype. This paper presents and discusses both variants pointing out their specific strengths and weaknesses.
Certified sizechange termination
 In Proc. 21st CADE, volume 4603 of LNAI
, 2007
"... Abstract. We develop a formalization of the SizeChange Principle in Isabelle/HOL and use it to construct formally certified termination proofs for recursive functions automatically. 1 ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We develop a formalization of the SizeChange Principle in Isabelle/HOL and use it to construct formally certified termination proofs for recursive functions automatically. 1
An operational semantics and type safety proof for multiple inheritance in C++
 IN OOPSLA '06: PROCEEDINGS OF THE 21ST ANNUAL ACM SIGPLAN CONFERENCE ON OBJECTORIENTED PROGRAMMING SYSTEMS, LANGUAGES, AND APPLICATIONS
, 2006
"... We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behaviour of method calls, field accesses, and two forms of casts in C++ class hierarchies exactly, and the type safety proof was formalized and machinechecked in Isabelle/HOL. Our se ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behaviour of method calls, field accesses, and two forms of casts in C++ class hierarchies exactly, and the type safety proof was formalized and machinechecked in Isabelle/HOL. Our semantics enables one, for the first time, to understand the behaviour of operations on C++ class hierarchies without referring to implementationlevel artifacts such as virtual function tables. Moreover, it can—as the semantics is executable—act as a reference for compilers, and it can form the basis for more advanced correctness proofs of, e.g., automated program transformations. The paper presents the semantics and type safety proof, and a discussion of the many subtleties that we encountered in modeling the intricate multiple inheritance model of C++.
Verified Bytecode Subroutines
 JOURNAL OF AUTOMATED REASONING
, 2003
"... Bytecode subroutines are a major complication for Java bytecode verification: they are difficult to fit into the data flow analysis that the JVM specification suggests. Because of that, subroutines are left out or are restricted in most formalizations of the bytecode verifier. We examine the problem ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
(Show Context)
Bytecode subroutines are a major complication for Java bytecode verification: they are difficult to fit into the data flow analysis that the JVM specification suggests. Because of that, subroutines are left out or are restricted in most formalizations of the bytecode verifier. We examine the problems that occur with subroutines and give an overview of the most prominent solutions in the literature. Using the theorem prover Isabelle/HOL, we have extended our substantial formalization of the JVM and the bytecode verifier with its proof of correctness by the most general solution for bytecode subroutines.
Flyspeck i: Tame graphs
 International Joint Conference on Automated Reasoning, volume 4130 of LNCS
, 2006
"... Abstract. We present a verified enumeration of tame graphs as defined in Hales ’ proof of the Kepler Conjecture and confirm the completeness of Hales ’ list of all tame graphs while reducing it from 5128 to 2771 graphs. 1 ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present a verified enumeration of tame graphs as defined in Hales ’ proof of the Kepler Conjecture and confirm the completeness of Hales ’ list of all tame graphs while reducing it from 5128 to 2771 graphs. 1
Efficient reasoning about executable specifications in Coq, in
 Tahar (eds), Theorem Proving in HigherOrder Logics (TPHOLs 2002
, 2002
"... Abstract. We describe a package to reason efficiently about executable specifications in Coq. The package provides a command for synthesizing a customized induction principle for a recursively defined function, and a tactic that combines the application of the customized induction principle with au ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a package to reason efficiently about executable specifications in Coq. The package provides a command for synthesizing a customized induction principle for a recursively defined function, and a tactic that combines the application of the customized induction principle with automatic rewriting. We further illustrate how the package leads to a drastic reduction (by a factor of 10 approximately) of the size of the proofs in a largescale case study on reasoning about JavaCard. 1