## A verified runtime for a verified theorem prover

Citations: 13 (7 self)

### BibTeX

```bibtex
@MISC{Myreen_averified,
  author = {Magnus O. Myreen and Jared Davis},
  title  = {A verified runtime for a verified theorem prover},
  year   = {}
}
```


### Abstract

Theorem provers rely on the correctness of runtime systems for programming languages like ML, OCaml or Common Lisp. These runtime systems are complex and critical to the integrity of the theorem provers. In this paper, we present a new Lisp runtime which has been formally verified and can run the Milawa theorem prover. Our runtime consists of 7,500 lines of machine code and is able to complete a 4 gigabyte Milawa proof effort. When our runtime is used to carry out Milawa proofs, less unverified code must be trusted than with any other theorem prover. Our runtime includes a just-in-time compiler, a copying garbage collector, a parser and a printer, all of which are HOL4-verified down to the concrete x86 code. We make heavy use of our previously developed tools for machine-code verification. This work demonstrates that our approach to machine-code verification scales to non-trivial applications.

### Citations

397 | A Computational Logic Handbook
- Boyer, Moore
- 1988

Citation context: ...wa also performs I/O by making calls to C functions for reading and writing standard input and output (Section 5.3). 2 The Milawa system Milawa [5] is a theorem prover styled after systems like NQTHM [1] and ACL2 [13]. The Milawa logic has three kinds of objects: natural numbers, symbols, and conses. It also has twelve primitive functions like if, equal, cons, and +, and eleven macros like list, and, ...

355 | Recursive functions of symbolic expressions and their computation by machine, part I
- McCarthy
- 1960

Citation context: ..., and so on. We eventually (Section 5.4) prove Jitawa's machine code implements this specification, and we regard this as a proof of "Jitawa is correct." 4.1 Syntax Milawa uses a typical s-expression [15] syntax. While Jitawa's parser has to deal with these expressions at the level of individual characters, it is easier to model these expressions as a HOL datatype, sexp ::= Val num (natural numbers) | ...

264 | Computer-Aided Reasoning: An Approach
- Kaufmann, Manolios, et al.
- 2000

Citation context: ...rms I/O by making calls to C functions for reading and writing standard input and output (Section 5.3). 2 The Milawa system Milawa [5] is a theorem prover styled after systems like NQTHM [1] and ACL2 [13]. The Milawa logic has three kinds of objects: natural numbers, symbols, and conses. It also has twelve primitive functions like if, equal, cons, and +, and eleven macros like list, and, let*, and con...

223 | Formal Certification of a Compiler Back-End, or: Programming a Compiler with a Proof Assistant
- Leroy
- 2006

Citation context: ...e updates and I/O. However, their formalisation and proofs did not reach as far as machine or assembly level, as we have done here and in previous work [18]. Recently, Leroy's Coq-verified C compiler [14], which targets PowerPC, ARM and 32-bit x86 assembly, has been extended with new front-ends that make it compile MiniML [4] and a garbage-collected source language [16]. The latter extension has been...

131 | Edinburgh LCF: A mechanised logic of computation
- Gordon, Milner, et al.
- 1979

Citation context: ...into HOL nearly verbatim by having valid sexp use our parser to read the string into its datatype representation. 7 Discussion and related work Theorem provers are generally very trustworthy. The LCF [7] approach has long been used to minimize the amount of code that must be trusted. Harrison [11] has even formally proved, using an altered version of HOL Light, theorems suggesting HOL Light's LCF-style...

55 | Metatheory and Reflection in Theorem Proving: A Survey and Critique, Technical Report CRC-053
- Harrison
- 1995

Citation context: ...o execute the prover, we further increase our confidence in these systems. Runtime correctness may be particularly important for theorem provers that employ reflective techniques. In a separate paper [9], Harrison remarks: "[...] the final jump from an abstract function inside the logic to a concrete implementation in a serious programming language which appears to correspond to it is a glaring leap...

51 | Program Verification: the Very Idea
- Fetzer
- 1988

Citation context: ...previously developed tools for machine-code verification. This work demonstrates that our approach to machine-code verification scales to non-trivial applications. 1 Introduction We can never be sure [6] a computer has executed a theorem prover (or any other program) correctly. Even if we could prove a processor design implements its instruction set, we have no way to ensure it will be manufactured c...

45 | VLISP: A verified implementation of Scheme
- Guttman, Ramsdell, et al.
- 1995

Citation context: ... such a proof. Most of this paper has dealt with the question: how do we create a verified Lisp system that is usable and scales well? The most closely related work on this topic is the VLISP project [8], which produced a "comprehensively" (not formally) verified Scheme implementation. The subset of Scheme which they address is impressive: it includes strings, destructive updates and I/O. However, th...

30 | A brief overview of HOL4
- Slind, Norrish
- 2008

Citation context: ...bit x86 machine code, garbage collection, expression printing, and an "abort with error message" capability. (Section 3) – We consider what it means for Jitawa to be correct. We develop a formal HOL4 [21] specification (400 lines) of how the runtime should operate. This covers expression evaluation, parsing, and printing. (Section 4) – We explain how Jitawa is implemented and verified. We build heavil...

24 | A verified compiler for an impure functional language
- Chlipala
- 2010

Citation context: ...ts are directly concerned with verification of our garbage collector and interfacing with it; our approach to this is unchanged from our previous paper [18]. Unrelated to Leroy's C compiler, Chlipala [3] has done some interesting verification work, in Coq, on compilation of a functional language: he verified a compiler from a functional language with references and exceptions to a toy assembly langua...

17 | Verified just-in-time compiler on x86
- Myreen
- 2010

Citation context: ...ne code for call [rdx-120], i.e. an instruction which makes a procedure call to a code pointer stored at memory address rdx-120. For each of these byte sequences, we prove a machine-code Hoare triple [17] which states that it correctly implements the intended behaviour of the bytecode instruction in question with respect to a heap invariant lisp bytecode inv. compile (name, params, body, s) = s′ =⇒ {...

16 | Towards self-verification of HOL Light
- Harrison
- 2006

Citation context: ...is a Boyer-Moore style prover whose trusted core is 2,000 lines of Common Lisp. These cores are so simple we may be able to prove their faithfulness socially, or perhaps even mechanically as Harrison [11] did for HOL Light. On the other hand, to actually use these theorem provers we need a runtime environment that can parse source code, infer types, compile functions, collect garbage, and so forth. Th...

13 | A certified framework for compiling and executing garbage-collected languages
- McCreight, Chevalier, et al.
- 2010

Citation context: ...eroy's Coq-verified C compiler [14], which targets PowerPC, ARM and 32-bit x86 assembly, has been extended with new front-ends that make it compile MiniML [4] and a garbage-collected source language [16]. The latter extension has been connected to intermediate output from the Glasgow Haskell Compiler. Our runtime uses a verified copying garbage collector similar to the sample collector in McCreight e...

13 | Extensible proof-producing compilation
- Myreen, Slind, et al.
- 2009

13 | A mechanically verified, sound and complete theorem prover for first order logic
- Ridge, Margetson
- 2005

Citation context: ... are no other reasonable doubts? Any theorem prover is based on a formal mathematical logic. Logical soundness is well-studied. It is usually established with social proofs, but some soundness proofs [20, 10] have even been checked by computers. If we accept the logic is sound, the question boils down to whether the theorem prover is faithful to its logic: does it only claim to prove formulas that are ind...

9 | Formalizing basic first order model theory
- Harrison
- 1998

Citation context: ... are no other reasonable doubts? Any theorem prover is based on a formal mathematical logic. Logical soundness is well-studied. It is usually established with social proofs, but some soundness proofs [20, 10] have even been checked by computers. If we accept the logic is sound, the question boils down to whether the theorem prover is faithful to its logic: does it only claim to prove formulas that are ind...

9 | HOL Light: An overview
- Harrison

Citation context: ...gic: does it only claim to prove formulas that are indeed theorems? In many theorem provers, the trusted core, the code that must be right to ensure faithfulness, is quite small. As examples, HOL Light [12] is an LCF-style system whose trusted core is 400 lines of Objective Caml, and Milawa [5] is a Boyer-Moore style prover whose trusted core is 2,000 lines of Common Lisp. These cores are so simple we m...

7 | Function memoization and unique object representation for ACL2 functions
- Boyer, Hunt
- 2006

Citation context: ... total size of 8 GB. The proofs in these files, especially the lowest-level proofs that proofp checks, can be very large and repetitive. As a simple but crucial optimization, an abbreviation mechanism [2] lets us reuse parts of formulas and proofs. For instance, (append (cons (cons a b) c) (cons (cons a b) c)) could be more compactly written using an abbreviation as (append #1=(cons (cons a b) c) #1#)...
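The McCarthy context above describes the s-expression datatype Jitawa's verified parser reads (natural numbers, symbols and conses), and the Boyer and Hunt context shows the `#1=`/`#1#` abbreviation syntax used to keep 8 GB of proof files compact. The following Python reader and printer is an added illustration of both; it is not code from the paper, from Milawa or from Jitawa, and the names `Sym`, `Cons`, `NIL`, the upcasing of symbol names and the error behaviour are assumptions made here. It reads `#n=` as a binding and `#n#` as a reference to the same object (not a copy), and refuses the inputs a reader in the trusted base must refuse: a reference to an undefined label, a label defined twice, a reference to the object still being read (which would create a cycle), an unterminated list and trailing input. `expanded_size` versus `shared_size` shows why the paper calls the mechanism crucial.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Union


# Added example, not code from the paper or from Jitawa. Object names are assumed.
@dataclass(frozen=True)
class Sym:
    name: str


@dataclass(frozen=True)
class Cons:
    car: "SExp"
    cdr: "SExp"


SExp = Union[int, Sym, Cons]  # the paper's three object kinds: naturals, symbols, conses
NIL = Sym("NIL")              # assumed name for the empty list
TOKEN = re.compile(r"\(|\)|#\d+[=#]|[^\s()]+")
ABBREV = re.compile(r"#(\d+)([=#])")


class ParseError(ValueError):
    pass


class Reader:
    def __init__(self, text: str) -> None:
        self.toks: List[str] = TOKEN.findall(text)
        self.pos = 0
        self.labels: Dict[int, SExp] = {}  # #n= bindings, shared by identity
        self.pending: Set[int] = set()     # labels whose object is still being read

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ParseError("unexpected end of input")
        self.pos += 1
        return tok

    def read(self) -> SExp:
        expr = self._read()
        if self._peek() is not None:
            raise ParseError("trailing input after expression")
        return expr

    def _read(self) -> SExp:
        tok = self._next()
        if tok == "(":
            return self._read_list()
        if tok in (")", "."):
            raise ParseError(f"unexpected {tok!r}")
        if tok.startswith("#"):
            m = ABBREV.fullmatch(tok)
            if not m:
                raise ParseError(f"malformed abbreviation {tok!r}")
            label = int(m.group(1))
            if m.group(2) == "=":
                if label in self.labels or label in self.pending:
                    raise ParseError(f"label #{label}= defined twice")
                self.pending.add(label)
                obj = self._read()         # bind only once the object is complete
                self.pending.discard(label)
                self.labels[label] = obj
                return obj
            if label in self.pending:
                raise ParseError(f"#{label}# would make the object circular")
            if label not in self.labels:
                raise ParseError(f"#{label}# refers to an undefined label")
            return self.labels[label]      # the same object, not a copy
        if tok.isdigit():
            return int(tok)                # Milawa has only natural numbers
        return Sym(tok.upper())            # assumed: symbol names are case-folded

    def _read_list(self) -> SExp:
        items: List[SExp] = []
        tail: SExp = NIL
        while True:
            tok = self._peek()
            if tok is None:
                raise ParseError("unterminated list")
            if tok == ")":
                self._next()
                break
            if tok == ".":                 # dotted tail: (a . b)
                self._next()
                tail = self._read()
                if self._next() != ")":
                    raise ParseError("expected ')' after dotted tail")
                break
            items.append(self._read())
        for item in reversed(items):
            tail = Cons(item, tail)
        return tail


def read_sexp(text: str) -> SExp:
    return Reader(text).read()


def rejects(text: str) -> bool:
    """True if the reader refuses the input; used to exercise the error cases."""
    try:
        read_sexp(text)
        return False
    except ParseError:
        return True


def to_string(e: SExp) -> str:
    """Print in full, expanding every shared subtree (no abbreviations emitted)."""
    if isinstance(e, int):
        return str(e)
    if isinstance(e, Sym):
        return e.name
    parts = []
    while isinstance(e, Cons):
        parts.append(to_string(e.car))
        e = e.cdr
    if e != NIL:
        parts += [".", to_string(e)]
    return "(" + " ".join(parts) + ")"


def expanded_size(e: SExp) -> int:
    """Cons cells in the printed form; a shared cell is counted every time it appears."""
    return 1 + expanded_size(e.car) + expanded_size(e.cdr) if isinstance(e, Cons) else 0


def shared_size(e: SExp) -> int:
    """Distinct cons cells in memory; a #n# reference adds none."""
    seen: Set[int] = set()

    def walk(x: SExp) -> None:
        if isinstance(x, Cons) and id(x) not in seen:
            seen.add(id(x))
            walk(x.car)
            walk(x.cdr)

    walk(e)
    return len(seen)
```

Reading `(append #1=(cons (cons a b) c) #1#)` yields an object equal to the fully written form, with 9 cons cells in memory but 15 in the printed form. A chain such as `(#1=(x x) #2=(#1# #1#) #3=(#2# #2#))` grows linearly in memory and exponentially when printed, which is why a printer or checker that expands abbreviations instead of working on the shared structure can be driven into exhausting memory by a small input; a reader that accepted `#1=(a #1#)` would instead hand a cyclic object to code that expects a finite tree.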

5 | A "self-verifying" theorem prover
- Davis
- 2010

Citation context: ...s, the trusted core, the code that must be right to ensure faithfulness, is quite small. As examples, HOL Light [12] is an LCF-style system whose trusted core is 400 lines of Objective Caml, and Milawa [5] is a Boyer-Moore style prover whose trusted core is 2,000 lines of Common Lisp. These cores are so simple we may be able to prove their faithfulness socially, or perhaps even mechanically as Harrison...

4 | Mechanized verification of CPS transformations
- Dargaye, Leroy

Citation context: ... here and in previous work [18]. Recently, Leroy's Coq-verified C compiler [14], which targets PowerPC, ARM and 32-bit x86 assembly, has been extended with new front-ends that make it compile MiniML [4] and a garbage-collected source language [16]. The latter extension has been connected to intermediate output from the Glasgow Haskell Compiler. Our runtime uses a verified copying garbage collector s...