Results 1  10
of
41
A trustworthy monadic formalization of the armv7 instruction set architecture
 In Proc. 23rd Int. Conf˙on Interactive Theorem Proving (ITP’10), LNCS
, 2010
"... Abstract. This paper presents a new HOL4 formalization of the current ARM instruction set architecture, ARMv7. This is a modern RISC architecture with many advanced features. The formalization is detailed and extensive. Considerable tool support has been developed, with the goal of making the model ..."
Abstract

Cited by 30 (3 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a new HOL4 formalization of the current ARM instruction set architecture, ARMv7. This is a modern RISC architecture with many advanced features. The formalization is detailed and extensive. Considerable tool support has been developed, with the goal of making the model accessible and easy to work with. The model and supporting tools are publicly available – we wish to encourage others to make use of this resource. This paper explains our monadic specification approach and gives some details of the endeavours that have been made to ensure that the sizeable model is valid and trustworthy. A novel and efficient testing approach has been developed, based on automated forward proof and communication with ARM development boards. 1
Verified JustInTime Compiler on x86
"... This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics inclu ..."
Abstract

Cited by 23 (5 self)
 Add to MetaCart
(Show Context)
This paper presents a method for creating formally correct justintime (JIT) compilers. The tractability of our approach is demonstrated through, what we believe is the first, verification of a JIT compiler with respect to a realistic semantics of selfmodifying x86 machine code. Our semantics includes a model of the instruction cache. Two versions of the verified JIT compiler are presented: one generates all of the machine code at once, the other one is incremental i.e. produces code ondemand. All proofs have been performed inside the HOL4 theorem prover.
Quantified multimodal logics in simple type theory
, 2009
"... We present a straightforward embedding of quantified multimodal logic in simple type theory and prove its soundness and completeness. Modal operators are replaced by quantification over a type of possible worlds. We present simple experiments, using existing higherorder theorem provers, to demonstr ..."
Abstract

Cited by 23 (15 self)
 Add to MetaCart
(Show Context)
We present a straightforward embedding of quantified multimodal logic in simple type theory and prove its soundness and completeness. Modal operators are replaced by quantification over a type of possible worlds. We present simple experiments, using existing higherorder theorem provers, to demonstrate that the embedding allows automated proofs of statements in these logics, as well as meta properties of them.
PsiCalculi in Isabelle
 In Proc of the 22nd Conference on Theorem Proving in Higher Order Logics (TPHOLs), volume 5674 of LNCS
"... Abstract. Psicalculi are extensions of the picalculus, accommodating arbitrary nominal datatypes to represent not only data but also communication channels, assertions and conditions, giving it an expressive power beyond the applied picalculus and the concurrent constraint picalculus. We have for ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
Abstract. Psicalculi are extensions of the picalculus, accommodating arbitrary nominal datatypes to represent not only data but also communication channels, assertions and conditions, giving it an expressive power beyond the applied picalculus and the concurrent constraint picalculus. We have formalised psicalculi in the interactive theorem prover Isabelle using its nominal datatype package. One distinctive feature is that the framework needs to treat binding sequences, as opposed to single binders, in an efficient way. While different methods for formalising single binder calculi have been proposed over the last decades, representations for such binding sequences are not very well explored. The main effort in the formalisation is to keep the machine checked proofs as close to their penandpaper counterparts as possible. We discuss two approaches to reasoning about binding sequences along with their strengths and weaknesses. We also cover custom induction rules to remove the bulk of manual alphaconversions. 1
A verified runtime for a verified theorem prover
"... rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem pro ..."
Abstract

Cited by 14 (8 self)
 Add to MetaCart
(Show Context)
rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem prover. Our runtime consists of 7,500 lines of machine code and is able to complete a 4 gigabyte Milawa proof effort. When our runtime is used to carry out Milawa proofs, less unverified code must be trusted than with any other theorem prover. Our runtime includes a justintime compiler, a copying garbage collector, a parser and a printer, all of which are HOL4verified down to the concrete x86 code. We make heavy use of our previously developed tools for machinecode verification. This work demonstrates that our approach to machinecode verification scales to nontrivial applications. 1
VeriML: Typed computation of logical terms inside a language with effects
, 2010
"... Modern proof assistants such as Coq and Isabelle provide high degrees of expressiveness and assurance because they support formal reasoning in higherorder logic and supply explicit machinecheckable proof objects. Unfortunately, large scale proof development in these proof assistants is still an ex ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
(Show Context)
Modern proof assistants such as Coq and Isabelle provide high degrees of expressiveness and assurance because they support formal reasoning in higherorder logic and supply explicit machinecheckable proof objects. Unfortunately, large scale proof development in these proof assistants is still an extremely difficult and timeconsuming task. One major weakness of these proof assistants is the lack of a single language where users can develop complex tactics and decision procedures using a rich programming model and in a typeful manner. This limits the scalability of the proof development process, as users avoid developing domainspecific tactics and decision procedures. In this paper, we present VeriML—a novel language design that couples a typesafe effectful computational language with firstclass support for manipulating logical terms such as propositions and proofs. The main idea behind our design is to integrate a rich logical framework—similar to the one supported by Coq—inside a computational language inspired by ML. The language design is such that the added features are orthogonal to the rest of the computational language, and also do not require significant additions to the logic language, so soundness is guaranteed. We have built a prototype implementation of VeriML including both its typechecker and an interpreter. We demonstrate the effectiveness of our design by showing a number of typesafe tactics and decision procedures written in VeriML.
Monotonicity Inference for HigherOrder Formulas
, 2010
"... Formulas are often monotonic in the sense that if the formula is satisfiable for given domains of discourse, it is also satisfiable for all larger domains. Monotonicity is undecidable in general, but we devised two calculi that infer it in many cases for higherorder logic. The stronger calculus has ..."
Abstract

Cited by 12 (9 self)
 Add to MetaCart
(Show Context)
Formulas are often monotonic in the sense that if the formula is satisfiable for given domains of discourse, it is also satisfiable for all larger domains. Monotonicity is undecidable in general, but we devised two calculi that infer it in many cases for higherorder logic. The stronger calculus has been implemented in Isabelle’s model finder Nitpick, where it is used to prune the search space, leading to dramatic speed improvements for formulas involving many atomic types.
Automatic Proof and Disproof in Isabelle/HOL
, 2011
"... Isabelle/HOL is a popular interactive theorem prover based on higherorder logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the c ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
(Show Context)
Isabelle/HOL is a popular interactive theorem prover based on higherorder logic. It owes its success to its ease of use and powerful automation. Much of the automation is performed by external tools: The metaprover Sledgehammer relies on resolution provers and SMT solvers for its proof search, the counterexample generator Quickcheck uses the ML compiler as a fast evaluator for ground formulas, and its rival Nitpick is based on the model finder Kodkod, which performs a reduction to SAT. Together with the Isar structured proof format and a new asynchronous user interface, these tools have radically transformed the Isabelle user experience. This paper provides an overview of the main automatic proof and disproof tools.
Formal verification of machinecode programs
, 2009
"... Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically mode ..."
Abstract

Cited by 10 (5 self)
 Add to MetaCart
(Show Context)
Formal program verification provides mathematical means of increasing assurance for the correctness of software. Most approaches to program verification are either fully automatic and prove only weak properties, or alternatively are manual and labour intensive to apply; few target realistically modelled machine code. The work presented in this dissertation aims to ease the effort required in proving properties of programs on top of detailed models of machine code. The contributions are novel approaches for both verification of existing programs and methods for automatically constructing correct code. For program verification, this thesis presents a new approach based on translation: the problem of proving properties of programs is reduced, via fullyautomatic deduction, to a problem of proving properties of recursive functions. The translation from programs to recursive functions is shown to be implementable in a theorem prover both for simple whileprograms as well as real machine code. This verificationaftertranslation approach has several advantages over established approaches of verification condition generation. In particular, the new approach does not require annotating the program with assertions. More
M.: Verified, executable parsing
 In: European Symposium on Programming (ESOP
, 2009
"... Abstract. We describe the mechanisation of SLR parsing, covering background properties of contextfree languages and grammars, as well as the construction of an SLR automaton. Among the various properties proved about the parser we show, in particular, soundness: if the parser results in a parse tre ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We describe the mechanisation of SLR parsing, covering background properties of contextfree languages and grammars, as well as the construction of an SLR automaton. Among the various properties proved about the parser we show, in particular, soundness: if the parser results in a parse tree on a given input, then the parse tree is valid with respect to the grammar, and the leaves of the parse tree match the input; completeness: if the input is in the language of the grammar then the parser constructs the correct parse tree for the input with respect to the grammar; and nonambiguity: grammars successfully converted to SLR automata are unambiguous. We also develop versions of the algorithms that are executable by automatic translation from HOL to SML. These alternative versions of the algorithms require some interesting termination proofs. 1