This article describes the development and formal verification (proof of semantic preservation) of a compiler back-end from Cminor (a simple imperative intermediate language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a verified compiler is useful in the context of formal methods applied to the certification of critical software: the verification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well. Categories and Subject Descriptors: F.3.1 [Logics and meanings of programs]: Specifying and verifying and reasoning about programs—Mechanical verification; D.2.4 [Software engineering]: Software/program verification—Correctness proofs, formal methods, reliability; D.3.4 [Programming languages]: Processors—Compilers, optimization

Abstract not found

Abstract not found

This article presents the formal verification, using the Coq proof assistant, of a memory model for low-level imperative languages such as C and compiler intermediate languages. Beyond giving semantics to pointer-based programs, this model supports reasoning over transformations of such programs. We show how the properties of the memory model are used to prove semantic preservation for three passes of the Compcert verified compiler.

A verifying compiler is one that emits both object code and a proof of correspondence between object and source code. 1 We report the use of ACL2 in building a verifying compiler for µCryptol, a stream-based language for encryption algorithm specification that targets Rockwell Collins’ AAMP7 microprocessor (and is designed to compile efficiently to hardware, too). This paper reports on our success in verifying the “core ” transformations of the compiler – those transformations over the sub-language of µCryptol that begin after “higher-order ” aspects of the language are compiled away, and finish just before hardware or software specific transformations are exercised. The core transformations are responsible for aggressive optimizations. We have written an ACL2 macro that automatically generates both the correspondence theorems and their proofs. The compiler also supplies measure functions that ACL2 uses to automatically prove termination of µCryptol programs, including programs with mutually-recursive cliques of streams. Our verifying compiler has proved the correctness of its core transformations for multiple algorithms, including TEA, RC6, and AES. Finally, we describe an ACL2 book of primitive operations for the general specification and verification of encryption algorithms. Categories and Subject Descriptors D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods, reliability; D.3.4 ∗ The ACL2 books associated with this paper can be retrieved at

There has been a lot of interest of late for programming languages that incorporate features from dependent type systems and proof assistants, in order to capture important invariants of the program in the types. This allows type-based program verification and is a promising compromise between plain old types and full blown Hoare logic proofs. The introduction of GADTs in GHC (and more recently type families) made such dependent typing available in an industry-quality implementation, making it possible to consider its use in large scale programs. We have undertaken the construction of a complete compiler for System F, whose main property is that the GHC type checker verifies mechanically that each phase of the compiler properly preserves types. Our particular focus is on “types rather than proofs”: reasonably few annotations that do not overwhelm the actual code. We believe it should be possible to write such a type-preserving compiler with an amount of extra code comparable to what is necessary for typical typed intermediate languages, but with the advantage of static checking. We will show in this paper the remaining hurdles to reach this goal.

Abstract. This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machinechecked code proofs, and describe two specific ongoing larger-scale verification projects in more detail.

Abstract. We introduce Erasure Pure Type Systems, anextensionto Pure Type Systems with an erasure semantics centered around a type constructor ∀ indicating parametric polymorphism. The erasure phase is guided by lightweight program annotations. The typing rules guarantee that well-typed programs obey a phase distinction between erasable (compile-time) and non-erasable (run-time) terms. The erasability of an expression depends only on how its value is used in the rest of the program. Despite this simple observation, most languages treat erasability as an intrinsic property of expressions, leading to code duplication problems. Our approach overcomes this deficiency by treating erasability extrinsically. Because the execution model of EPTS generalizes the familiar notions of type erasure and parametric polymorphism, we believe functional programmers will find it quite natural to program in such a setting. 1

C minor is a mid-level imperative programming language (just below C), and there exist proved-correct optimizing compilers from C to C minor and from C minor to machine language. We have redesigned C minor so that it is suitable for Hoare-logic reasoning, we have designed a Separation Logic for C minor, we have given a small-step operational semantics so that extensions to concurrent C minor will be possible, and we have a machine-checked proof of soundness of our Separation Logic. This is the first large-scale machine-checked proof of a Hoare logic w.r.t. a small-step semantics. Our sequential soundness proof of the sequential Separation Logic for the sequential language features will be usable without change within a soundness proof of Concurrent Separation Logic w.r.t. Concurrent C minor. In addition, we have a machine-checked proof of the relation between our small-step semantics and Leroy’s original big-step semantics; thus sequential programs can be compiled by Leroy’s compiler with formal end-to-end correctness guarantees.

Abstract. We give an overview of a proof-producing compiler which translates recursion equations, defined in higher order logic, to assembly language. The compiler is implemented and validated with a mix of translation validation and compiler verification techniques. Both the design of the compiler and its mechanical verification are implemented in the same logic framework.