## Mechanized semantics with applications to program proof and compiler verification


### BibTeX

```
@MISC{Leroy_mechanizedsemantics,
    author = {Xavier Leroy},
    title = {Mechanized semantics with applications to program proof and compiler verification},
    year = {}
}
```

### Abstract

The goal of this lecture is to show how modern theorem provers—in this case, the Coq proof assistant—can be used to mechanize the specification of programming languages and their semantics, and to reason over individual programs and over generic program transformations, as typically found in compilers. The topics covered include: operational semantics (small-step, big-step, definitional interpreters); a simple form of denotational semantics; axiomatic semantics and Hoare logic; generation of verification conditions, with application to program proof; compilation to virtual machine code and its proof of correctness; an example of an optimizing program transformation (dead code elimination) and its proof of correctness.

### Citations

960 | Advanced Compiler Design and Implementation
- Muchnick
- 1997
Citation Context ...ce(c, a), s1 ⇒ ∞. 4.4. Further reading Dozens of compiler optimizations are known, each targeting a particular class of inefficiencies. See Appel [3] for an introduction to optimization, and Muchnick [39] for a catalogue of classic optimizations. The results of liveness analysis can be exploited to perform register allocation (a crucial optimization performance-wise), following Chaitin’s approach [17]...

604 | The Definition of Standard ML (Revised
- Milner, Tofte, et al.
- 1997
Citation Context ...An example of use of semantics is to define a programming language with much greater precision than standard language specifications written in English. (See for example the definition of Standard ML [35].) In turn, semantics enable us to formally verify some programs, proving that they satisfy their specifications. Finally, semantics are also necessary to establish the correctness of algorithms and i...

469 | Interactive Theorem Proving and Program Development
- Bertot, Castéran
- 2004
Citation Context ...g challenges in this area (section 6). We use the Coq proof assistant to specify semantics and program transformations, and conduct all proofs. The best reference on Coq is Bertot and Castéran’s book [13], but for the purposes of this lecture, Bertot’s short tutorial [11] is largely sufficient. The Coq software and documentation is available as free software at http://coq.inria.fr/. By lack of time, w...

417 | Register allocation & spilling via graph coloring
- Chaitin
- 1982
Citation Context ...k [42] for a catalog of classic optimizations. The results of liveness analysis can be exploited to perform register allocation (a crucial optimization performance-wise), following Chaitin’s approach [17] [3, chap. 11]: coloring of an interference graph. A mechanized proof of correctness for graph coloring-based register allocation, extending the proof given in this section, is described by Leroy [31,...

309 | A unified approach to global program optimization
- Kildall
Citation Context ... of the program called the control-flow graph. Dataflow equations are set up between the nodes of this graph, then solved by one global fixpoint iteration, often based on Kildall’s worklist algorithm [25]. This is more efficient than the approach we described (computing a local fixpoint for each loop), which can be exponential in the nesting degree of loops. Kildall’s worklist algorithm has been mecha...

302 | Natural semantics
- Kahn
- 1987
Citation Context ... irreducible state that is not skip. [goes_wrong] (c, s) → · · · → (c′, s′) ↛ with c ≠ skip 1.3. Natural semantics An alternative to structured operational semantics is Kahn’s natural semantics [24], also called big-step semantics. Instead of describing terminating executions as sequences of reductions, natural semantics aims at giving a direct axiomatization of executions using inference rules....

268 | Local reasoning about programs that alter data structures
- O’Hearn, Reynolds, et al.
- 2001
Citation Context ... + 1) + (s(r) − s(b)) which are easy to prove by purely arithmetic reasoning. 2.4. Further reading The material in this section follows Nipkow [41] (in HOL) and Bertot [11] (in Coq). Separation logic [42,48] extends axiomatic semantics with a notion of local reasoning: assertions carry a domain (in our case, a set of variable; in pointer programs, a set of store locations) and the logic enforces that not...

228 | Foundational proof-carrying code
- Appel
- 2001
Citation Context ...strel.edu/home/projects/java/). • Formal verification of the ARM6 processor micro-architecture against the ARM instruction set specification [21] • The “foundational” approach to Proof-Carrying Code [4]. • The CLI stack: a formally verified microprocessor and compiler from an assembly-level language (http://www.cs.utexas.edu/~moore/best-ideas/piton/index.html) [40]. Here are some active research to...

176 | An Introduction to Inductive Definitions
- Aczel
- 1977
Citation Context ...ht and Felleisen [54] and is very popular to reason about type systems [48]. Definitions and proofs by coinduction can be formalized in two ways: as greatest fixpoints in a set-theoretic presentation [1] or as infinite derivation trees in proof theory [13, chap. 13]. Grall and Leroy [32] connect the two approaches. The definitional interpreter approach was identified by Reynolds in 1972. See [50] for...

152 | The Java Virtual Machine Specification. The Java Series
- Lindholm, Yellin
- 1999
Citation Context ...n, for all instruction sequences C1, C2 and stacks σ, C1; comp(c); C2 ⊢ (|C1|, σ, s) ⇑ 3.5. Further reading The virtual machine used in this section matches a small subset of the Java Virtual Machine [32]. Other examples of mechanized verification of nonoptimizing compilers producing virtual machine code include Bertot [10] (for the IMP language), Klein and Nipkow [27] (for a subset of Java), and Gral...

147 | Modular Denotational Semantics
- Mosses
- 1979
Citation Context ...rp] If c, s ⇒ s′, there exists an n such that I(n, c, s) = ⌊s′⌋. Lemma 12 [execinf_interp] If c, s ⇒ ∞, then I(n, c, s) = ⊥ for all n. 1.5. Denotational semantics A form of denotational semantics [38] can be obtained by “letting n goes to infinity” in the definitional interpreter. Lemma 13 [interp_limit_dep] For every c, there exists a function [c] from states to evaluation results such that ∀s, ∃...

139 | Mechanized metatheory for the masses: The POPLmark challenge
- Aydemir, Bohannon, et al.
- 2005
Citation Context ...cs and advanced type systems is the handling of bound variables and the fact that terms containing binders are equal modulo α-conversion of bound variables. The POPLmark challenge explores this issue [6]. Shared-memory concurrency. Shared-memory concurrency raises major semantic difficulties, ranging from formalizing the “weakly-consistent” memory models implemented by today’s multicore processors [5...

131 | Modern Compiler Implementation in ML
- Appel
- 1998
Citation Context ...diverging] If c, s ⇒ ∞ and s ≈ s1 : live(c, A), then dce(c, A), s1 ⇒ ∞. 5.4. Further reading Dozens of compiler optimizations are known, each targeting a particular class of inefficiencies. See Appel [3] for an introduction to optimization, and Muchnick [42] for a catalog of classic optimizations. The results of liveness analysis can be exploited to perform register allocation (a crucial optimization...

84 | Correctness of a compiler for arithmetic expressions
- McCarthy, Painter
- 1967
Citation Context ...calculus. Theorem 23 (correctness of compilation of arithmetic expression to stack machine code) is historically important: it is the oldest published compiler correctness proof (McCarthy and Painter [34], in 1967) and the oldest mechanized compiler correctness proof (Milner and Weyhrauch, [36], in 1972). Since then, a great many correctness proofs for compilers and compilation passes have been publis...

71 | Formal verification of a realistic compiler
- Leroy
- 2009
Citation Context ... [17] [3, chap. 11]: coloring of an interference graph. A mechanized proof of correctness for graph coloring-based register allocation, extending the proof given in this section, is described by Leroy [29,28]. Liveness analysis is an instance of a more general class of static analyses called dataflow analyses [3, chap. 17], themselves being a special case of abstract interpretation. Bertot et al. [14] and...

59 | Oracle semantics for concurrent separation logic
- Hobor, Appel, et al.
- 2008
Citation Context ...ties, ranging from formalizing the “weakly-consistent” memory models implemented by today’s multicore processors [49] to mechanizing program logics appropriate for proving concurrent programs correct [20,23]. • Progressing towards fully-verified development and verification environments for high-assurance software. Beyond verifying compilers and other code generation tools, we’d like to gain formal assur...

56 | A formally verified compiler back-end
- Leroy
- 2009
Citation Context ... [17] [3, chap. 11]: coloring of an interference graph. A mechanized proof of correctness for graph coloring-based register allocation, extending the proof given in this section, is described by Leroy [29,28]. Liveness analysis is an instance of a more general class of static analyses called dataflow analyses [3, chap. 17], themselves being a special case of abstract interpretation. Bertot et al. [14] and...

51 | Winskel is (almost) right: Towards a mechanized semantics
- Nipkow
- 1998
Citation Context ... s ⇒ s′ if and only if [c] s = ⌊s′⌋. Theorem 15 [denot_execinf] [execinf_denot] c, s ⇒ ∞ if and only if [c] s = ⊥. 1.6. Further reading The material presented in this section is inspired by Nipkow [41] (in Isabelle/HOL, for the IMP language) and by Grall and Leroy [30] (in Coq, for the call-by-value λ-calculus). We followed Plotkin’s “SOS” presentation [46] of reduction semantics, characterized by ...

44 | Extracting a data flow analyser in constructive logic
- Cachera, Jensen, et al.
Citation Context ...Bertot et al. [14] and Leroy [30] prove, in Coq, the correctness of several optimizations based on dataflow analyses, such as constant propagation and common subexpression elimination. Cachera et al. [16] present a reusable Coq framework for dataflow analyses. Dataflow analyses are generally carried on an unstructured representation of the program called the control-flow graph. Dataflow equations are ...

41 | On the relationship between concurrent separation logic and assume-guarantee reasoning
- Feng, Ferreira, et al.
- 2007
Citation Context ...ties, ranging from formalizing the “weakly-consistent” memory models implemented by today’s multicore processors [49] to mechanizing program logics appropriate for proving concurrent programs correct [20,23]. • Progressing towards fully-verified development and verification environments for high-assurance software. Beyond verifying compilers and other code generation tools, we’d like to gain formal assur...

33 | Compiler verification: a bibliography
- Dave
Citation Context ...s proof (Milner and Weyhrauch, [36], in 1972). Since then, a great many correctness proofs for compilers and compilation passes have been published, some of them being mechanized: Dave’s bibliography [19] lists 99 references up to 2002. 4. An example of optimizing program transformation: dead code elimination The purpose of dead code elimination is to remove assignments x := e (turning them into skip ...

33 | Coinductive big-step operational semantics
- Leroy, Grall
- 2009
Citation Context ...emma 2 [red_preserves_exec] If (c, s) → (c′, s′) and c′, s′ ⇒ s′′, then c, s ⇒ s′′. Theorem 3 [terminates_exec] If (c, s) →* (skip, s′), then c, s ⇒ s′. As observed by Grall and Leroy [30], diverging executions can also be described in the style of natural semantics. Define the infinite execution relation c, s ⇒ ∞ (from initial state s, the command c diverges). [execinf] c1, s ⇒ ∞ [exe...

30 | Certificate translation for optimizing compilers
- Barthe, Grégoire, et al.
- 2009
Citation Context ... compilation. Given a source program annotated with assertions and a proof in axiomatic semantics, can we produce machine code annotated with the corresponding assertions and the corresponding proof? [8,33]. Binders and α-conversion. A major obstacle to the mechanization of rich language semantics and advanced type systems is the handling of bound variables and the fact that terms containing binders are...

27 | Formal Specification and Verification of ARM6
- Fox
- 2003
Citation Context ...ew/Bicolano, and the Kestrel Institute project http://www.kestrel.edu/home/projects/java/. • Formal verification of the ARM6 processor micro-architecture against the ARM instruction set specification [21] • The “foundational” approach to Proof-Carrying Code [4]. • The CLI stack: a formally verified microprocessor and compiler from an assembly-level language http://www.cs.utexas.edu/~moore/best-ideas/...

24 | Verification of the heap manager of an operating system using separation logic
- Marti, Affeldt, et al.
- 2006
Citation Context ...ointer programs, a set of store locations) and the logic enforces that nothing outside the domain of the triple changes during execution. Examples of mechanized separation logics include Marti et al. [33] in Coq, Tuch et al. [50] in Isabelle/HOL, Appel and Blazy [5] in Coq, and Myreen and Gordon [40] in HOL4. 3. Compilation to a virtual machine 3.1. The IMP virtual machine Instruction set: [instructio...

21 | Separation logic for small-step Cminor
- Appel, Blazy
Citation Context ...es that nothing outside the domain of the triple changes during execution. Examples of mechanized separation logics include Marti et al. [35] in Coq, Tuch et al. [53] in Isabelle/HOL, Appel and Blazy [5] in Coq, and Myreen and Gordon [43] in HOL4. The generation of verification conditions (section 3.3) is an instance of a more general technique known as “proof by reflection”, which aims at replacing ...

21 | Proving compiler correctness in a mechanized logic
- Milner, Weyhrauch
- 1972
Citation Context ...code) is historically important: it is the oldest published compiler correctness proof (McCarthy and Painter [34], in 1967) and the oldest mechanized compiler correctness proof (Milner and Weyhrauch, [36], in 1972). Since then, a great many correctness proofs for compilers and compilation passes have been published, some of them being mechanized: Dave’s bibliography [19] lists 99 references up to 2002...

19 | Hoare logic for realistically modelled machine code. TACAS
- Myreen, Gordon
- 2007
Citation Context ... of the triple changes during execution. Examples of mechanized separation logics include Marti et al. [33] in Coq, Tuch et al. [50] in Isabelle/HOL, Appel and Blazy [5] in Coq, and Myreen and Gordon [40] in HOL4. 3. Compilation to a virtual machine 3.1. The IMP virtual machine Instruction set: [instruction] [code] i ::= const(n) push n on stack | var(x) push value of x | setvar(x) pop value and assig...

18 | A structured approach to proving compiler optimizations based on dataflow analysis
- Bertot, Grégoire, et al.
- 2006
Citation Context ... [31,30]. Liveness analysis is an instance of a more general class of static analyses called dataflow analyses [3, chap. 17], themselves being a special case of abstract interpretation. Bertot et al. [14] and Leroy [30] prove, in Coq, the correctness of several optimizations based on dataflow analyses, such as constant propagation and common subexpression elimination. Cachera et al. [16] present a reu...

12 | Tool-assisted specification and verification of the JavaCard platform
- Barthe, Courtieu, et al.
- 2002
Citation Context ...omplete embedded system, from hardware to application. • Formal specifications of the Java / Java Card virtual machines and mechanized verifications of the Java bytecode verifier: Ninja [29], Jakarta [7], Bicolano (http://mobius.inria.fr/twiki/bin/view/Bicolano), and the Kestrel Institute project (http://www.kestrel.edu/home/projects/java/). • Formal verification of the ARM6 processor micro-architec...

12 | Some domain theory and denotational semantics in coq
- Benton, Varming
Citation Context ...s we followed avoids the complexity of Scott domains. Mechanizations of domain theory with applications to denotational semantics include Agerholm [2] (in HOL), Paulin [46] (in Coq) and Benton et al. [9] (in Coq). 3. Axiomatic semantics and program verification Operational semantics as in section 2 focuses on describing actual executions of programs. In contrast, axiomatic semantics (also called Hoar...

10 | A uniform and certified approach for two static analyses
- Coupet-Grimal, Delobel
- 2004
Citation Context ...n the approach we described (computing a local fixpoint for each loop), which can be exponential in the nesting degree of loops. Kildall’s worklist algorithm has been mechanically verified many times [14,18,29]. The effective computation of fixpoints is a central issue in static analysis. Theorems such as Knaster-Tarski’s show the existence of fixpoints in many cases, and can be mechanized [47,15], but fail...

10 | Structure of a proof-producing compiler for a subset of higher order logic
- Li, Owens, et al.
- 2007
Citation Context ... compilation. Given a source program annotated with assertions and a proof in axiomatic semantics, can we produce machine code annotated with the corresponding assertions and the corresponding proof? [8,31]. • A major obstacle to the mechanization of rich language semantics and advanced type systems is the handling of bound variables and the fact that terms containing binders are equal modulo α-conversi...

9 | A certified compiler for an imperative language
- Bertot
- 1998
Citation Context ...achine used in this section matches a small subset of the Java Virtual Machine [32]. Other examples of mechanized verification of nonoptimizing compilers producing virtual machine code include Bertot [10] (for the IMP language), Klein and Nipkow [27] (for a subset of Java), and Grall and Leroy [30] (for call-by-value λ-calculus). The latter two show forward simulation results; Bertot shows both forwar...

8 | Domain Theory in HOL
- Agerholm
- 1993
Citation Context ...erspective. The presentation of denotational semantics we followed avoids the complexity of Scott domains. Mechanizations of domain theory with applications to denotational semantics include Agerholm [2] (in HOL), Paulin [46] (in Coq) and Benton et al. [9] (in Coq). 3. Axiomatic semantics and program verification Operational semantics as in section 2 focuses on describing actual executions of program...

8 | Fixed point semantics and partial recursion in Coq
- Bertot, Komendantsky
- 2008
Citation Context ... times [14,18,29]. The effective computation of fixpoints is a central issue in static analysis. Theorems such as Knaster-Tarski’s show the existence of fixpoints in many cases, and can be mechanized [47,15], but fail to provide effective algorithms. Noetherian recursion can be used if the domain of the analysis is well founded (no infinite chains) [13, chap. 15], but this property is difficult to ensure...

5 | Functional runtimes within the lambda-sigma calculus
- Hardin, Maranget, et al.
- 1998
Citation Context ...ard and backward simulation, and concludes that backward simulation is considerably more difficult to prove. Other examples of difficult backward simulation arguments (not mechanized) can be found in [22], for call-by-name and call-by-value λ-calculus. Theorem 23 (correctness of compilation of arithmetic expression to stack machine code) is historically important: it is the oldest published compiler c...

4 | Theorem proving support in programming language semantics
- Bertot
- 2007
Citation Context ...ollowed, in the while case, by an inner induction on the value of the associated measure expression. 3.5. Further reading The material in this section follows Nipkow [44] (in Isabelle/HOL) and Bertot [12] (in Coq), themselves following Gordon [37]. Separation logic [45,51] extends axiomatic semantics with a notion of local reasoning: assertions carry a domain (in our case, a set of variable; in pointe...

4 | Operating system verification — an overview. Sādhanā 34(1
- Klein
- 2009
Citation Context ...rspectives Some recent achievements using mechanized semantics (in reverse chronological order): • The verification of the seL4 secure micro-kernel http://nicta.com.au/research/projects/l4.verified/ [26]. • The CompCert verified compiler: a realistic, moderately-optimizing compiler for a large subset of the C language down to PowerPC and ARM assembly code. http://compcert.inria.fr/ [29]. • The Veriso...

4 | Piton: a mechanically verified assembly-language
- Moore
- 1996
Citation Context ...nal” approach to Proof-Carrying Code [4]. • The CLI stack: a formally verified microprocessor and compiler from an assembly-level language http://www.cs.utexas.edu/~moore/best-ideas/piton/index.html [37]. Some active research topics in this area: • Combining static analysis and program proof. Static analysis can be viewed as the automatic generation of logical assertions, enabling the results of stat...

1 | Coq in a hurry. Tutorial available at http://cel.archives-ouvertes.fr/inria-00001173
- Bertot
- 2008
Citation Context ...t to specify semantics and program transformations, and conduct all proofs. The best reference on Coq is Bertot and Castéran’s book [13], but for the purposes of this lecture, Bertot’s short tutorial [11] is largely sufficient. The Coq software and documentation is available as free software at http://coq.inria.fr/. By lack of time, we will not attempt to teach how to conduct interactive proofs in Coq...