This article introduces the verification tool Why. This tool produces verification conditions from annotated programs given as input.

Source-code verification works by reasoning about the semantics of the full source code of a program. Traditionally it is limited to small programs written in an academic programming language. In this paper we present the VFiasco (Verified Fiasco) project, in which we apply source-code verification to a complete operating-system kernel written in C++. The aim of the VFiasco project is to establish security relevant properties of the Fiasco microkernel using source code verification. The project's main challenges are to develop a clean semantics for the subset of C++ used by the kernel and to enable high-level reasoning about typed data starting from only low-level knowledge about the hardware. In this paper we present our ideas for tackling these challenges. We sketch a semantics of C++ and develop a type-safe object store for reasoning about C++ programs. This object store is based on a hardware model that closely resembles the IA32 virtual-memory architecture, and on guarantees provided by the kernel itself.

We present an approach to integrating the refinement relation between infinite integer types (used in specification languages) and finite integer types (used in programming languages) into software verification calculi. Since integer types in programming languages have finite ranges, in general they are not a correct data refinement of the mathematical integers usually used in specification languages. Ensuring the correctness of such a refinement requires generating and verifying additional proof obligations. We tackle this problem considering Java and UML/OCL as example. We present a sequent calculus for Java integer arithmetic with integrated generation of refinement proof obligations. Thus, there is no explicit...

Abstract. We have formal verified a number of algorithms for evaluating transcendental functions in double-extended precision floating point arithmetic in the Intel ® IA-64 architecture. These algorithms are used in the Itanium TM processor to provide compatibility with IA-32 (x86) hardware transcendentals, and similar ones are used in mathematical software libraries. In this paper we describe in some depth the formal verification of the sin and cos functions, including the initial range reduction step. This illustrates the different facets of verification in this field, covering both pure mathematics and the detailed analysis of floating point rounding. 1

Abstract. The IA-64 architecture defers floating point and integer division to software. To ensure correctness and maximum efficiency, Intel provides a number of recommended algorithms which can be called as subroutines or inlined by compilers and assembly language programmers. All these algorithms have been subjected to formal verification using the HOL Light theorem prover. As well as improving our level of confidence in the algorithms, the formal verification process has led to a better understanding of the underlying theory, allowing some significant efficiency improvements. 1

We have finished a constructive formalization in the theorem prover Coq of the Fundamental Theorem of Calculus, which states that differentiation and integration are inverse processes. In this formalization, we have closely followed Bishop's work ([4]). In this paper, we describe the formalization in some detail, focusing on how some of Bishop's original proofs had to be refined, adapted or redone from scratch.

Abstract. We discuss the formal verification of some low-level mathematical software for the Intel ® Itanium ® architecture. A number of important algorithms have been proven correct using the HOL Light theorem prover. After briefly surveying some of our formal verification work, we discuss in more detail the verification of a square root algorithm, which helps to illustrate why some features of HOL Light, in particular programmability, make it especially suitable for these applications. 1. Overview The Intel ® Itanium ® architecture is a new 64-bit architecture jointly developed by Intel and Hewlett-Packard, implemented in the Itanium® processor family (IPF). Among the software supplied by Intel to support IPF processors are some optimized mathematical functions to supplement or replace less efficient generic libraries. Naturally, the correctness of the algorithms used in such software is always a major concern. This is particularly so for division, square root and certain transcendental function kernels, which are intimately tied to the basic architecture. First, in IA-32 compatibility mode, these algorithms are used by hardware instructions like fptan and fdiv. And while in “native ” mode, division and square root are implemented in software, typical users are likely to see them as part of the basic architecture. The formal verification of some of the division algorithms is described by Harrison (2000b), and a representative verification of a transcendental function by Harrison (2000a). In this paper we complete the picture by considering a square root algorithm. Division, transcendental functions and square roots all have quite distinctive features and their formal verifications differ widely from each other. The present proofs have a number of interesting features, and show how important some theorem prover features — in particular programmability — are. The formal verifications are conducted using the freely available 1 HOL Light prover (Harrison, 1996). HOL Light is a version of HOL (Gordon and Melham, 1993), itself a descendent of Edinburgh LCF

This paper extends PVS's standard bitvector library with multiplication, division and remainder operations, together with associated results. This extension is needed to give appropriate semantics to Java's integral types in program verification. Special emphasis is therefore put on Java's widening and narrowing functions in relation to the newly defined operations on bitvectors.

Theorem proving allows the formal verification of the correctness of very large systems. In order to increase the acceptance of theorem proving systems during the design process, we implemented higher order logic proof systems for ANSI-C and Verilog within a framework for application specific proof systems. Furthermore, we implement the language of the PVS theorem prover as well-established higher order specification language. The tool allows the verification of the design languages using a PVS specification and the verification of hardware designs using a C program as specification. We implement powerful decision procedures using Model Checkers and satisfiability checkers. We provide experimental results that compare the performance of our tool with PVS on large industrial scale hardware examples.

We present a weak theory BasicReal of the real numbers in the first order specification language Casl. The aim is to provide a datatype for practical purposes, including the central notions and results of basic analysis. BasicReal captures for instance e and ; as well as the trigonometric and other standard functions. Concepts such as continuity, differentiation and integration are shown to be definable and tractable in this setting; Newton's Method is presented as an example of a numerical application. Finally, we provide a proper connection between the specified datatype BasicReal and specifications of the real numbers in higher order logic and various set theories.