Mechanical verification of compiler correctness

A large investment is made in the development, testing, validation and veri cation of source code for critical applications. But there remains a semantic gap between the source code produced and the object code which is executed. Standards for the development of critical systems recognize this, and mandate either the use of a trusted compiler (one that has been proven to produce correct object code) or the demonstration that the object code is a correct re nement of the source code (a lengthy and complex process). This thesis examines: 1. the extent to which tool support is an essential ingredient in proofs of compiler correctness; 2. the extent to which these proofs may be automated; 3. the relationship between the complexity of the source language and the proof e ort required; 4. the scalability of a mechanical method of compiler veri cation. To do this, we present the development of the proof of correctness of a compiler for a small imperative language Tosca, targeted at an imaginary assembler Aida. The work presented here is an extension of the Z speci cation and hand proof presented in Stepney's book \High Integrity Compilation | A Case Study", recasting the speci cation and proofs within the framework of the PVS speci cation and veri cation system from SRI International. We also assess the lessons learnt in the translation of a hand treatment of the problem in a partial logic, to an automatic treatment in a total logic with a richly expressive type system; from hand proof to automatic checking, and the inter-relationship between the speci cation and the ability to automate the proof process.

[1]  W. J. Cullyer Implementing Safety-Critical Systems: The VIPER Microprocessor , 1988 .

[2]  Piotr Rudnicki,et al.  An Overview of the MIZAR Project , 1992 .

[3]  Peter Lee,et al.  An automatically generated, realistic compiler for imperative programming language , 1988, PLDI '88.

[4]  Sreeranga P. Rajan Executing HOL Specifications: Towards an Evaluation Semantics for Classical Higher Order Logic , 1992, TPHOLs.

[5]  Randal E. Bryant,et al.  Symbolic Boolean manipulation with ordered binary-decision diagrams , 1992, CSUR.

[6]  A. Leisenring Mathematical logic and Hilbert's ε-symbol , 1971 .

[7]  Peter Lee,et al.  A realistic compiler generator based on high-level semantics: another progress report , 1987, POPL '87.

[8]  Lawrence C. Paulson,et al.  Designing a Theorem Prover , 1993, LICS 1993.

[9]  Neil D. Jones,et al.  A partial evaluator for the untyped lambda-calculus , 1991, Journal of Functional Programming.

[10]  R. Bryant Graph-Based Algorithms for Boolean Function Manipulation12 , 1986 .

[11]  Christopher Strachey,et al.  Toward a mathematical semantics for computer languages , 1971 .

[12]  Xiaorong Huang,et al.  Presenting Machine-Found Proofs , 1996, CADE.

[13]  Alfred V. Aho,et al.  LR Parsing , 1974, ACM Comput. Surv..

[14]  Patrick Lincoln,et al.  A Formally Verified Algorithm for Interactive Consistency Under a Hybrid Fault Model , 1993, Twenty-Fifth International Symposium on Fault-Tolerant Computing, 1995, ' Highlights from Twenty-Five Years'..

[15]  Mandayam K. Srivas,et al.  A Tutorial Introduction to PVS , 1998 .

[16]  Yves Bertot,et al.  The Ctcoq Experience , 1996 .

[17]  Henry Ledgard,et al.  Reference Manual for the ADA® Programming Language , 1983, Springer New York.

[18]  Dino P. Oliva,et al.  Advice On Structuring Compiler Back Ends And Proving Them Correct , 1994 .

[19]  Yann Coscoy A Natural Language Explanation for Formal Proofs , 1996, LACL.

[20]  Mitchell Wand,et al.  VLISP: A verified implementation of Scheme , 1995, LISP Symb. Comput..

[21]  E. Schmidt,et al.  Lex—a lexical analyzer generator , 1990 .

[22]  Peter Lee,et al.  On the use of LISP in implementing denotational semantics , 1986, LFP '86.

[23]  Hanan Samet,et al.  Automatically proving the correctness of translations involving optimized code - research sponsored by Advanced Research Projects Agency, ARPA order no. 2494 , 1975, Stanford Artificial Intelligence Laboratory: Memo AIM.

[24]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[25]  Jeffrey S. Moore Piton: a verified assembly level language , 1988 .

[26]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[27]  C. A. R. Hoare,et al.  An Algebraic Approach to Verifiable Compiling Specification and Prototyping of the Procos Level 0 Programming Language , 1990 .

[28]  Robert B. Garner,et al.  SPARC: A scalable processor architecture , 1992, Future Gener. Comput. Syst..

[29]  Lawrence C. Paulson A semantics-directed compiler generator , 1982, POPL '82.

[30]  Paul Curzon A Programming Logic for a Verified Structured Assembly Language , 1992, LPAR.

[31]  Brian Randell,et al.  The origins of digital computers: Selected papers , 1975 .

[32]  Susan Stepney,et al.  High integrity compilation - a case study , 1993 .

[33]  C. A. R. Hoare,et al.  Provably Correct Systems , 1994, FTRTFT.

[34]  Wolf Zimmermann,et al.  On the Construction of Correct Compiler Back-Ends: An ASM-Approach , 1997, J. Univers. Comput. Sci..

[35]  Charles N. Fischer,et al.  Crafting a Compiler , 1988 .

[36]  James W. Thatcher,et al.  More on Advice on Structuring Compilers and Proving them Correct , 1979, Theor. Comput. Sci..

[37]  Susan Stepney,et al.  Using PVS to Prove a Z Refinement: A Case Study , 1997, FME.

[38]  Gerhard Goos,et al.  Modular Compiler Verification: A Refinement-Algebraic Approach Advocating Stepwise Abstraction , 1997 .

[39]  Mark Saaltink,et al.  The Z/EVES System , 1997, ZUM.

[40]  Jens Palsberg An automatically generated and provably correct compiler for a subset of Ada , 1992, Proceedings of the 1992 International Conference on Computer Languages.

[41]  Peter D. Mosses Unified Algebras and Action Semantics , 1989, STACS.

[42]  Sheldon B. Akers,et al.  Binary Decision Diagrams , 1978, IEEE Transactions on Computers.

[43]  Jens Palsberg,et al.  Provably Correct Compiler Generation , 1992 .

[44]  Jonathan Rees,et al.  A tractable Scheme implementation , 1994, LISP Symb. Comput..

[45]  Mitchell Wand Semantics-directed machine architecture , 1982, POPL '82.

[46]  Jonathan P. Bowen,et al.  A shallow embedding of Z in HOL , 1995, Inf. Softw. Technol..

[47]  Paul Curzon A Verified Compiler For A Structured Assembly Language , 1991, 1991., International Workshop on the HOL Theorem Proving System and Its Applications.

[48]  David A. Watt Programming language syntax and semantics , 1991, Prentice Hall International Series in Computer Science.

[49]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.

[50]  Robert S. Boyer,et al.  Automated proofs of object code for a widely used microprocessor , 1996, JACM.

[51]  Robert E. Shostak,et al.  An algorithm for reasoning about equality , 1977, CACM.

[52]  Mitchell Wand,et al.  The VLISP verified PreScheme compiler , 1995, LISP Symb. Comput..

[53]  A. M. Turing,et al.  Checking a large routine , 1989 .

[54]  J. Michael Spivey,et al.  The Z notation - a reference manual , 1992, Prentice Hall International Series in Computer Science.

[55]  Mitchell Wand A semantic prototyping system , 1984, SIGPLAN '84.

[56]  Peter J. Landin,et al.  PROGRAMS AND THEIR PROOFS: AN ALGEBRAIC APPROACH, , 1968 .

[57]  Philip A. Collier Simple Compiler correctness - A Tutorial on the Algebraic Approach , 1986, Aust. Comput. J..

[58]  Ricky W Butler An Elementary Tutorial on Formal Specification and Verification Using PVS , 1993 .

[59]  David F. Martin,et al.  Toward compiler implementation correctness proofs , 1986, TOPL.

[60]  G. Stålmarck,et al.  Modeling and Verifying Systems and Software in Propositional Logic , 1990 .

[61]  Natarajan Shankar,et al.  An Integration of Model Checking with Automated Proof Checking , 1995, CAV.

[62]  Samuel H. Valentine Inconsistency and Undefinedness in Z - A Practical Guide , 1998, ZUM.

[63]  J. Rushby,et al.  Formal verification of an interactive consistency algorithm for the Draper FTP architecture under a hybrid fault model , 1994, Proceedings of COMPASS'94 - 1994 IEEE 9th Annual Conference on Computer Assurance.

[64]  F. Lockwood Morris,et al.  Advice on structuring compilers and proving them correct , 1973, POPL.

[65]  Mitchell Wand,et al.  Proving the correctness of storage representations , 1992, LFP '92.

[66]  Natarajan Shankar,et al.  Effective Theorem Proving for Hardware Verification , 1994, TPCD.

[67]  D. J. Pavey,et al.  Demonstrating Equivalence of Source Code and PROM Contents , 1993, Comput. J..

[68]  Vipin Swarup,et al.  The VLISP verified Scheme system , 1995, LISP Symb. Comput..

[69]  Jonathan P. Bowen,et al.  Z and HOL , 1994, Z User Workshop.

[70]  Jens Palsberg A Provably Correct Compiler Generator , 1992 .

[71]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[72]  Gilles Kahn,et al.  Extracting Text from Proofs , 1995, TLCA.

[73]  John Rushby,et al.  A Less Elementary Tutorial for the PVS Specification and Verification System , 1996 .

[74]  P. Curzon The Verified Compilation of Vista Programs , 1994 .

[75]  P. M. Melliar-Smith,et al.  STP: A Mechanized Logic for Specification and Verification , 1982, CADE.

[76]  Hanan Samet,et al.  Proving the correctness of heuristically optimized code , 1978, CACM.

[77]  Mandayam K. Srivas,et al.  Formal verification of the AAMP5 microprocessor: a case study in the industrial use of formal methods , 1995, Proceedings of 1995 IEEE Workshop on Industrial-Strength Formal Specification Techniques.

[78]  Robert S. Boyer,et al.  A verified code generator for a subset of gypsy , 1988 .

[79]  Robin Milner,et al.  Proving compiler correctness in a mechanised logic , 1972 .