Compiler Correctness and Implementation Verification: The Verifix Approach, 1996
Cited by 16 (6 self)
Abstract:
Compiler correctness is crucial to the software engineering of safety critical software. It depends on both the correctness of the compiling specification and the correctness of the compiler implementation. We will discuss compiler correctness for practically relevant source languages and target machines in order to find an adequate correctness notion for the compiling specification, i.e. for the mapping from source to target programs with respect to their standard semantics, which allows for proving both specification and implementation correctness. We will sketch our approach of proving the correctness of the compiler implementation as a binary machine program, using a special technique of bootstrapping and double checking the results. We will discuss mechanical proof support for both compiling verification and compiler implementation verification in order to make them feasible parts of the software engineering of correct compilers. Verifix is a joint project on Correct Compilers fun...
Towards Rigorous Compiler Implementation Verification. Proc. of the 1997 Workshop on Programming Languages and Fundamentals of Programming, 1998
Cited by 10 (1 self)
Abstract:
This paper sketches a rigorous correctness proof of a compiler executable. We will emphasize the central role of partial program correctness and its preservation, which captures the intuitive correctness requirements for transformational programs and in particular for compilers on real machines. Although often left out of sight, implementation verification is definitely necessary, not only but also for compilers. We will show that a rigorous compiler correctness proof also for the final binary compiler machine program is possible and feasible. Verified compiler implementations guarantee correctness properties for generated executable program implementations; we need them, not only in safety critical systems, but also for security in e.g. network computing.
Pre-Scheme: A Scheme Dialect for Systems Programming, 1997
Cited by 9 (0 self)
Abstract:
Pre-Scheme is a statically typed dialect of Scheme that gives the programmer the efficiency and low-level machine access of C while retaining many of the desirable features of Scheme. The Pre-Scheme compiler makes use of type inference, partial evaluation and Scheme and Lisp compiler technology to compile the problematic features of Scheme, such as closures, into C code without significant run-time overhead. Use of such features in Pre-Scheme programs is restricted to those cases that can be compiled into efficient code. Type reconstruction is done using a modified Hindley/Milner algorithm that allows overloaded user-defined functions. All top-level forms in Pre-Scheme programs are evaluated at compile time, which gives the user additional control over the compiler's partial evaluation of a program. Pre-Scheme has been implemented and used to write a byte-code interpreter and associated support code for a complete Scheme implementation.
A Mechanically Verified Compiling Specification for a Realistic Compiler. Ulmer Informatik-Berichte 02-03, Universität Ulm, Fakultät für Informatik, 2002
Cited by 4 (0 self)
Abstract:
We report on a large formal verification effort in mechanically proving correct a compiling specification for a realistic bootstrap compiler from ComLisp (a subset of ANSI Common Lisp sufficiently expressive to serve as a compiler implementation language) to binary Transputer code using the PVS system. The compilation is carried out in five steps through a series of intermediate languages. In the first phase, ComLisp is translated into a stack intermediate language (SIL), where parameter passing is implemented by a stack technique. Expressions are transformed from a prefix notation into a postfix notation according to the stack principle. SIL is then compiled into C int where the ComLisp data structures (s-expressions) and operators are implemented in linear integer memory using a run-time stack and a heap. These two steps are machine independent. In the compiler’s backend, first control structures (loops, conditionals) of the intermediate language C int are implemented by linear assembler code with relative jumps, the infinite memory model of C int is realized on the finite Transputer memory, and the basic C int statements for accessing the stack and heap are implemented by a sequence of assembler instructions. The fourth phase consists of the implementation of
Extracting a Formally Verified, Fully Executable Compiler From a Proof Assistant, 2002
Cited by 3 (1 self)
Abstract:
Compilers that have been formally verified in theorem provers are often not directly usable because the formalization language is not a general-purpose programming language or the formalization contains non-executable constructs. This paper takes a comprehensive, even though simplified model of Java, formalized in the Isabelle proof assistant, as starting point and shows how core functions in the translation process (type checking and compilation) are defined and proved correct. From these, Isabelle's program extraction facility generates ML code that can be directly interfaced with other, possibly "unsafe" code.
Correct Implementation of Compiler Programs. Workshop on Programming Languages and Fundamentals of Programming, 1998
Cited by 1 (0 self)
Abstract:
Safety critical software crucially depends on the methods and tools used in their construction process. In the project Verifix we focus on compilers which are used as tools to translate safety critical programs from a source language to machine code of a target processor. Correct compiler operation is required to assert quality properties about the machine program (and thus the whole system) which ultimately runs in the application. We follow accepted software engineering phase models to construct our compilers, so compiler correctness has to be proved on different levels in the compiler construction process. Three main levels turned out to be reasonable. First, even traditional compiler construction theory asks the question, if a mathematically defined translation function, which maps from source language programs to target language programs, respects their semantics. We call the process of proving its correctness compiling specification verification. Second, we have to answer the que...

