Results 1  10
of
126
Formal certification of a compiler backend, or: programming a compiler with a proof assistant
 IN PROC. 33RD ACM SYMPOSIUM ON PRINCIPLES OF PROGRAMMING LANGUAGES (POPL ’06
, 2006
"... This paper reports on the development and formal certification (proof of semantic preservation) of a compiler from Cminor (a Clike imperative language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a certified compile ..."
Abstract

Cited by 289 (15 self)
 Add to MetaCart
(Show Context)
This paper reports on the development and formal certification (proof of semantic preservation) of a compiler from Cminor (a Clike imperative language) to PowerPC assembly code, using the Coq proof assistant both for programming the compiler and for proving its correctness. Such a certified compiler is useful in the context of formal methods applied to the certification of critical software: the certification of the compiler guarantees that the safety properties proved on the source code hold for the executable compiled code as well.
Mechanized metatheory for the masses: The POPLmark challenge
 In Theorem Proving in Higher Order Logics: 18th International Conference, number 3603 in LNCS
, 2005
"... Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with se ..."
Abstract

Cited by 161 (14 self)
 Add to MetaCart
(Show Context)
Abstract. How close are we to a world where every paper on programming languages is accompanied by an electronic appendix with machinechecked proofs? We propose an initial set of benchmarks for measuring progress in this area. Based on the metatheory of System F<:, a typed lambdacalculus with secondorder polymorphism, subtyping, and records, these benchmarks embody many aspects of programming languages that are challenging to formalize: variable binding at both the term and type levels, syntactic forms with variable numbers of components (including binders), and proofs demanding complex induction principles. We hope that these benchmarks will help clarify the current state of the art, provide a basis for comparing competing technologies, and motivate further research. 1
Engineering formal metatheory
 In ACM SIGPLANSIGACT Symposium on Principles of Programming Languages
, 2008
"... Machinechecked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proofcarrying code. However, constructing these proofs remains a black art, involving many choices in th ..."
Abstract

Cited by 116 (11 self)
 Add to MetaCart
Machinechecked proofs of properties of programming languages have become a critical need, both for increased confidence in large and complex designs and as a foundation for technologies such as proofcarrying code. However, constructing these proofs remains a black art, involving many choices in the formulation of definitions and theorems that make a huge cumulative difference in the difficulty of carrying out large formal developments. The representation and manipulation of terms with variable binding is a key issue. We propose a novel style for formalizing metatheory, combining locally nameless representation of terms and cofinite quantification of free variable names in inductive definitions of relations on terms (typing, reduction,...). The key technical insight is that our use of cofinite quantification obviates the need for reasoning about equivariance (the fact that free names can be renamed in derivations); in particular, the structural induction principles of relations
Mechanizing the metatheory of Standard ML
, 2007
"... We present an internal language with equivalent expressive power to Standard ML, and discuss its formalization in LF and the machinechecked verification of its type safety in Twelf. The internal language is intended to serve as the target of elaboration in an elaborative semantics for Standard ML ..."
Abstract

Cited by 78 (10 self)
 Add to MetaCart
We present an internal language with equivalent expressive power to Standard ML, and discuss its formalization in LF and the machinechecked verification of its type safety in Twelf. The internal language is intended to serve as the target of elaboration in an elaborative semantics for Standard ML in the style of Harper and Stone. Therefore, it includes all the programming mechanisms necessary to implement Standard ML, including translucent modules, abstraction, polymorphism, higher kinds, references, exceptions, recursive types, and recursive functions. Our successful formalization of the proof involved a careful interplay between the precise formulations of the various mechanisms, and required the invention of new representation and proof techniques of general interest.
Formal verification of a C compiler frontend
, 2006
"... This paper presents the formal verification of a compiler frontend that translates a subset of the C language into the Cminor intermediate language. The semantics of the source and target languages as well as the translation between them have been written in the specification language of the Coq pr ..."
Abstract

Cited by 73 (16 self)
 Add to MetaCart
(Show Context)
This paper presents the formal verification of a compiler frontend that translates a subset of the C language into the Cminor intermediate language. The semantics of the source and target languages as well as the translation between them have been written in the specification language of the Coq proof assistant. The proof of observational semantic equivalence between the source and generated code has been machinechecked using Coq. An executable compiler was obtained by automatic extraction of executable Caml code from the Coq specification of the translator, combined with a certified compiler backend generating PowerPC assembly code from Cminor, described in previous work.
Oracle semantics for concurrent separation logic
 In Proc. European Symp. on Programming (ESOP 2008
, 2008
"... Abstract. We define (with machinechecked proofs in Coq) a modular operational semantics for Concurrent C minor—a language with shared memory, spawnable threads, and firstclass locks. By modular we mean that one can reason about sequential control and dataflow knowing almost nothing about concurre ..."
Abstract

Cited by 72 (12 self)
 Add to MetaCart
Abstract. We define (with machinechecked proofs in Coq) a modular operational semantics for Concurrent C minor—a language with shared memory, spawnable threads, and firstclass locks. By modular we mean that one can reason about sequential control and dataflow knowing almost nothing about concurrency, and one can reason about concurrency knowing almost nothing about sequential control and dataflow constructs. We present a Concurrent Separation Logic with firstclass locks and threads, and prove its soundness with respect to the operational semantics. Using our modularity principle, we proved the sequential C.S.L. rules (those inherited from sequential Separation Logic) simply by adapting Appel & Blazy’s machinechecked soundness proofs. Our Concurrent C minor operational semantics is designed to connect to Leroy’s optimizing (sequential) C minor compiler; we propose our modular semantics as a way to adapt Leroy’s compilercorrectness proofs to the concurrent setting. Thus we will obtain endtoend proofs: the properties you prove in Concurrent Separation Logic will be true of the program that actually executes on the machine. 1
Coinductive bigstep operational semantics
, 2006
"... This paper illustrates the use of coinductive definitions and proofs in bigstep operational semantics, enabling the latter to describe diverging evaluations in addition to terminating evaluations. We show applications to proofs of type soundness and to proofs of semantic preservation for compilers ..."
Abstract

Cited by 51 (6 self)
 Add to MetaCart
(Show Context)
This paper illustrates the use of coinductive definitions and proofs in bigstep operational semantics, enabling the latter to describe diverging evaluations in addition to terminating evaluations. We show applications to proofs of type soundness and to proofs of semantic preservation for compilers.
Formal Verification of Translation Validators  A Case Study on Instruction Scheduling Optimizations
, 2008
"... Translation validation consists of transforming a program and a posteriori validating it in order to detect a modification of its semantics. This approach can be used in a verified compiler, provided that validation is formally proved to be correct. We present two such validators and their Coq proof ..."
Abstract

Cited by 40 (6 self)
 Add to MetaCart
Translation validation consists of transforming a program and a posteriori validating it in order to detect a modification of its semantics. This approach can be used in a verified compiler, provided that validation is formally proved to be correct. We present two such validators and their Coq proofs of correctness. The validators are designed for two instruction scheduling optimizations: list scheduling and trace scheduling.
Flowsensitive, contextsensitive, and objectsensitive information flow control based on program dependence graphs
 INTERNATIONAL JOURNAL OF INFORMATION SECURITY
, 2009
"... Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flowinsensitive, contextinsensitive, or objectinsensitive; resulting in false alarms. We ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
(Show Context)
Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flowinsensitive, contextinsensitive, or objectinsensitive; resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDG). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs less annotations than traditional approaches. We explain PDGs for sequential and multithreaded programs, and explain precision gains due to flow, context, and objectsensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.