Mixed low- and high level programming language semantics and automated verification of a small hypervisor by Shadrin, Andrey
Mixed Low- and High Level
Programming Language
Semantics and
Automated Verification of a
Small Hypervisor.
U
N I
V E R S IT A S
S
A
R A V I E N
S I
S
Dissertation
zur Erlangung des Grades
des Doktors der Ingenieurswissenschaften (Dr.-Ing.)
der Naturwissenschaftlich-Technischen Fakulta¨ten
der Universita¨t des Saarlandes
Andrey Shadrin
ashadrin@gmail.com
Saarbru¨cken, September 2012
Tag des Kolloquiums: 27. August 2012
Dekan: Prof. Dr. Mark Groves
Vorsitzender des Pru¨fungsausschusses: Prof. Dr. Reinhard Wilhelm
1. Berichterstatter: Prof. Dr. Wolfgang J. Paul
2. Berichterstatter: Prof. Dr. Andreas Podelski
Akademischer Mitarbeiter: Dr. Mark Kaminski
Eidesstattliche Versicherung
Hiermit versichere ich an Eides statt, dass ich die vorliegende Arbeit selbsta¨ndig und
ohne Benutzung anderer als der angegebenen Hilfsmittel angefertigt habe. Die aus
anderen Quellen oder indirekt u¨bernommenen Daten und Konzepte sind unter Angabe
der Quelle gekennzeichnet. Die Arbeit wurde bisher weder im In- noch im Ausland in
gleicher oder a¨hnlicher Form in einem Verfahren zur Erlangung eines akademischen
Grades vorgelegt.
Saarbru¨cken, September 2012

Danksagung
An dieser Stelle mo¨chte ich mich bei allen bedanken, die zum Gelingen der vorliegen-
den Arbeit beigetragen haben. Zuna¨chst gilt mein Dank meiner Familie, die mich stets
ermutigt hat meinen Weg zu gehen und mich wa¨hrend meines gesamten Studiums un-
terstu¨tzt hat.
Herrn Prof. Paul danke ich fur die Mo¨glichkeit in einem der weltbesten Forscherteam
im Systemverifikationsbereich mitgearbeitet zu haben.
Diese Arbeit wurde teilweise im Rahmen des Verisoft XT Vorhabens vom Bun-
desministerium fur Bildung und Forschung (BMBF) unter dem Fo¨rderkennzeichen 01
IS 07 008 und der Saarbru¨cker Graduiertenschule fu¨r Informatik gefo¨rdert.

Abstract
Hypervisors are system software programs that virtualize the architecture they run on
and are usually implemented in a mix of (macro) assembly and a high-level language
like C. To verify such a software, assembly parts as well as C parts should be verified,
where reasoning about those parts is done in different semantics. At the end, both
semantics should be brought together in an overall correctness theorem of such a soft-
ware program. The formal integration of correctness results accomplished in distinct
semantics is challenging but inevitable for systems verification.
This thesis is split into two parts. In the first one, we will present the mixed
semantics of C and macro assembly. This semantics can handle mixed-language im-
plementations where the execution context is changed by an external function call
from assembly to C and vice versa. Also, we state a step-by-step simulation theorem
between mixed programs and the compiled and assembled code.
In the second part, we present the correctness of a small hypervisor, called Baby
Hypervisor (BHV), described by the mixed semantics. BHV virtualizes a 32-bit RISC
architecture. The BHV functional verification was shown using Microsoft’s VCC, an
automatic verifier for C with contracts. BHV C portions were verified with VCC
in [AHPP10]. For making macro assembly feasible with VCC the original macro
assembly is translated to C code simulating processor. This is called the simulation
approach [MMS08].
Kurzzusammenfassung
Hypervisor sind Software-Systemprogramme, die eine Hardwarearchitektur virtuali-
sieren, eine Umgebung fu¨r die virtuelle Maschinen schaffen und gemischte Implemen-
tierungen in C- und Makroassemblerprogrammiersprachen haben. Um solche Pro-
gramme zu verifizieren, mu¨ssen Assembler- sowie C-Portionen des Quellcodes ve-
rifiziert werden, wobei die Verifikation beider Teile in den verschiedenen Semanti-
ken erfolgt. Schließlich sollten beide Semantiken zusammen in einen umfassenden
Korrektheitssatz gebracht werden. Die Aufgabe der formalen Integration der Korrekt-
heitsergebnisse aus verschiedenen semantischen Ebenen ist anspruchsvoll aber unver-
meidlich fu¨r die Systemverifikation.
Diese Arbeit ist in zwei Teile aufgeteilt. Im ersten Teil stellen wir die gemisch-
te Semantik von C- und Makroassemblerprogrammiersprache vor. Diese Semantik
kann die gemischte Implementierung beschreiben, in der der Ausfu¨hrungskontext von
einem externen Funktionsaufruf von Assembler nach C und umgekehrt wechselt. Au-
ßerdem formulieren wir einen Schritt-fu¨r-Schritt-Simulationssatz zwischen den ge-
mischten Programmen und dem u¨bersetzten Quellcode.
Im zweiten Teil pra¨sentieren wir die Korrekheit eines kleinen Hypervisors, ge-
nannt Baby Hypervisor (BHV), der in der gemischten Semantik beschrieben wird.
BHV virtualisiert eine 32-Bit RISC-Architektur. Die funktionale Verifikation des BHVs
wurde mit Hilfe des Microsoft-VCCs, eines automatischen C-Beweisers, durchgefu¨hrt.
Die C-Portionen des BHVs wurden schon mit Hilfe des VCCs in [AHPP10] verifiziert.
Um eine Verifikation des Makroassembler-Quellcodes mit Hilfe des VCC zu ermo¨-
glichen, wird der Quellcode in C-Quellcode, der den Prozessor simuliert, u¨bersetzt.
Dies wird simulation approach genannt [MMS08].
Contents
Contents viii
1 Introduction 1
2 VAMP Assembly 7
2.1 Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2 Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3 Transition Function . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 VAMP Macro Assembly 17
3.1 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.2 Assembling µASM Programs . . . . . . . . . . . . . . . . . . . . . . . 31
3.3 Simulation Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 39
4 Abstract Intermediate Language C 47
4.1 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
4.2 Compiler Correctness Theory . . . . . . . . . . . . . . . . . . . . . . 57
5 Integrated Semantics µASM and C-IL 69
5.1 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.2 Simulation Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 77
6 Small Hypervisor Correctness 87
6.1 Abstract BHV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
6.2 BHV Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 89
6.3 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
7 Assembly Verification Approach 113
7.1 Translating MX Programs To C-IL . . . . . . . . . . . . . . . . . . . 114
7.2 Simulation Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 122
8 Automated Verification of a Small Hypervisor 127
9 Summary and Future Work 129
Appendix A: Verification Run-Time 131
Bibliography 133
viii
C
H
A
P
TE
R
1
Introduction
Computer systems become more and more complex every day. At the same time,
the growing complexity of those systems leads to an increasing number of possible
failures in them. Since those systems are used in more and more safety critical places,
for example, in automotive engineering, in security technology and in the sector of
medical technology, problems of reliability of those systems have to be solved. Hence
the absence of errors becomes crucial.
First, failures in software and hardware could lead to situations hazardous to one’s
life. Second, they could lead to a loss of a significant amount of money for companies.
There are many sad accidents caused by faulty hard- and software:
• A software bug in the operating system of the radiation therapy device Terac-25
caused at least five casualties in the years 1985 to 1987.
• A hardware bug was found in the floating-point division operation in the first
release of the Intel Pentium processor from 1993. Intel became aware of this
bug after it has already sold more then 3 million chips. That bug caused a total
loss of $475 million for Intel.
• The flight Ariane-5 flight crashes 40 seconds after launch on June 4, 1996; it
crashed due to an error in the conversion of a 64-bit floating point number into
a 16-bit integer value. The damage has been estimated with $500 million.
• Toyota issued a recall of several vehicle models, because of a problem with the
accelerator pedal. The recent (Prius) hybrid model has also been recalled due to
a software problem in the anti-lock braking system. Up to 19 U.S. crash deaths
over the past decade may be linked to accelerator-related problems at Toyota,
congressional officials have said.
How can one ensure that computer systems do what they are intended to do? One
approach to solve the problem is simply to run a system repeatedly with various inputs,
i.e. to simulate the system. For example, to reduce the probability of a failure to 10−9
1
2 Introduction
for an hour-long NASA mission, one should test for more than 114,000 years, which is
unfeasible. Another approach is the use of formal methods exploiting the expressivity
and unambiguousness of the mathematical language to specify our systems, that is,
proving correctness in a mathematical sense, by first formulating the accurate models
of these systems and then verifying the formal assertions over these models. This
approach is called formal verification. In industry formal methods are becoming more
and more familiar tools for verifying individual modules of safety-critical computer
systems.
The correctness of operating systems and hypervisors is critical for the security
and reliability of computer systems. Hypervisors1 are software programs that virtu-
alize the underlying host architecture and which allow multiple guests(also known as
operating systems together with their user processes) to run concurrently on a single
host. Formal verification can provide solid evidence in arguing about implementation
correctness of a system consisting of a hypervisor and operating systems. The code of
many operating systems and hypervisors consist of (macro-)assembly and C functions
calling each other. Formal verification of such programs must consider the correct in-
teraction of code written in these languages which can only be guaranteed by using
the same compiler calling conventions (or application binary interfaces (ABIs)).
The goals of this thesis are: (i) to present the integrated semantics of program-
ming languages like C and macro-assembly, (ii) to formally verify a small hypervisor
written in C and macro-assembly using an automatic C verifier (called VCC [Cor08]).
Related Work
The related work for this thesis is summarized in two categories: (i) macro-assembly
semantics, and (ii) kernel verification.
Macro-Assembly Semantics There are few publications that one can somehow relate
to the macro-assembly semantics. In [Fru08] Fruja specified the static and dynamic
semantics model of the Common Intermediate Language (CIL) and showed the CIL’s
type safety for a large subset of CIL. In this publication the author defined an abstract
stack-based machine for running CIL bytecode programs. In this machine the stack is
explicitly modeled as a list of call frames and a new frame is put on the stack every
time a method is called. This work might be helpful for those who are trying to do the
verification of programs written in one of .NET compliant language (cf. [NET11] for
an up-to-date list).
In [MCGW98] a stack-based typed low assembly language is proposed as a target
language for code verification. The authors can encode any compiler calling conven-
tions in their type system since everything about the stack including the stack frame
header layout is exposed. This language is too low in a sense a lot of details about the
underlying architecture and assembler are visible. These details makes the integration
of this language with a high-level programming language like C complicated.
Integrated Semantics Based on W.J.Paul’s lecture notes [Pau07], in [Tsy09] Tsyban
presented an approach how to reason formally about the code implemented in the C
dialect C0 with inline-assembly. This approach deals with inline-assembly statements
as follows: whenever an assembly portion is encountered, the compiler simulation
1also called virtual machine managers(VMMs)
Introduction 3
relation [Lei07] is applied to reach an equivalent assembly configuration and the exe-
cution continues in the assembly semantics until all assembly instructions are executed
from this assembly portion. Then, the execution switches back to the consistent C0
configuration. This approach does not treat external function calls from C to assembly.
In the dissertation [Alk09] Alkassar showed how to verify a device driver against
a realistic device and system model. For that, Alkassar used the original C0 semantics
extended with so-called atomic XCalls2(extended calls). Also, he extended the whole
language stack used in Verisoft project so that each language from the stack could deal
with device drivers. He abstracts the effect of low-level computations implemented in
assembly in these atomic XCalls of the extended C0 semantics. Alkassar said: ”An
XCall is a procedure call that makes a transition on external state and communicates
with C0 via parameter passing and return values.” In the framework developed by
Alkassar one can verify any code implemented in a mixture of C0 and inline assembly
programming languages. In comparison to work done by Tsyban in [Tsy09], Alkassar
has the aforementioned computation model that performs either C0 steps or assembly
steps which are abstracted in XCalls. We believe that is possible to implement external
assembly procedure calls from C0 in the C0 semantics with XCalls without additional
effort. But to model external C0 function calls from assembly requires additional
extensions of his model and the C0 linker [IdR09].
Kernel Verification In [Kle09] Klein summarizes approaches used presently and in
the past for the verification of operating systems. He writes that first attempts to
apply formal methods for verifying operating systems date back to the mid 1970s in
PSOS [FN79, NBF+80, NF03] and UCLA [WKP79] projects.
In the end of the 1980s, a substantial progress in kernel verification was achieved
with the KIT kernel [Bev87,Bev89] of the CIL stack [BHMY89a,BHMY89b,Moo03].
KIT (Kernel for Isolated Tasks) is a small operating-system kernel implemented in
assembly that provides services for process scheduling, error handling, single-word
message passing, IO-devices. This project is considered as groundbreaking in the
area of pervasive system verification. This project is the first example of a completely
verified kernel.
The FLINT group focuses on studying various problems in the system verifica-
tion of operating systems. They developed an assembly code verification framework
XCAP [NS06]and reported in [NYS07] and in [FSDG08] on their successful expe-
rience of applying it. So far, no integration of results into high-level programming
languages has been reported yet.
The L4.verified kernel [KEH+09] is an example of a recent operating system veri-
fication effort that has achieved impressive code verification results. A detailed mem-
ory model for low-level pointer programs in C was applied in combination with sep-
aration logic [TKN07]. The assembler portions have not been verified in conjunction
with the C code yet to our knowledge. Judging from their choice of C semantics,
however, we are certain that all gaps present can be closed with reasonable additional
effort when the right models and theories are applied.
Verisoft(XT) The Verisoft project [Vera] aimed at the pervasive formal verification
of entire computer systems. In the Verisoft a micro-kernel framework was formally
verified [APST10, Tsy09]. This framework was implemented in the C dialect C0
together with inline-assembly. This work perfectly demonstrates how to formally
2The concept of XCalls was introduced in [AHL+09].
4 Introduction
reason about mixed implementations. In this work a non-optimizing verified compiler
for C like language is considered [LP08].
Within the VerisoftXT project [Verb], Microsoft in collaboration with EMIC and
Saarland University developed an automatic verifier for low-level and concurrent C
code, called VCC [Cor08] to verify components of the Microsoft Hypervisor, the
virtualization kernel of Hyper-V( [LS09]).
The Baby Hypervisor project which is a subproject of the Microsoft Hyper-V
project played an important role of driving the development of VCC as well as ap-
plying it to system verification. As a result of this subproject the C portions of a small
hypervisor, called baby hypervisor, were verified in VCC [AHPP10].
Also, within the VerisoftXT project a simulation approach for verifying assembly
code in VCC was invented [MMS08, Mau11].
Foundations and Contributions
This work is based on a number of results achieved within the Verisoft and VerisoftXT
projects. We use the VAMP assembly semantics formally specified by Tsyban in
[Tsy09] as a target implementation language in this thesis. We use the results achieved
by Alkassar et al. [AHPP10] and then complete the formal verification of a small
hypervisor. Also, we use the idea of Maus [Mau11] how to verify assembly with a C
verifier.
This thesis presents five main contributions: (i) an approach to model macro-
assembly languages with explicit dynamic stack, (ii) an approach to integrate C- and
high-level assembly languages together in a single language developed in collabo-
ration with S.Schmaltz, (iii) the complete paper-and-pencil proof and the complete
formal proof of a small hypervisor, (iv) the soundness of a simulation approach used
to verify code written in an assembly language with a general-purpose C verifier.
Outline
The remainder of the thesis is organized in six chapters.
• Chapter 2 introduces the computational model of VAMP assembly.
• In Chapter 3, we define the high level VAMP assembly language (VAMP macro
assembly) as well as the VAMP macro assembler itself. Also, we will state the
simulation theorem justifying correctness of execution VAMP macro assembly
programs running on VAMP assembly machines.
• Chapter 4 presents the abstract C intermediate language. Also, we present the
compiler correctness theory for an optimizing C compiler.
• In Chapter 5, we define the mixed language and assuming the C compiler
correctness we state the simulation theorem which justifies the correctness of
mixed programs running on VAMP assembly machines.
• Chapter 6 presents the specification and correctness of a small hypervisor. Here,
we close the gaps in the theory developed in [AHPP10].
• In Chapter 7, we present the soundness of a translation based approach for ver-
ifying high level assembly portions with a C verifier.
Introduction 5
• In Chapter 9 we outline possible future work and conclude.
Notation
Basics types, terms and operators We define the following basis types:
N
def
= set of all natural numbers including zero,
Z
def
= set of all integer numbers,
bool def= set of boolean values {F,T},
B
def
= set of binary digits {0, 1},
S tring def= set of strings.
The restricted sets of naturals and integers are denoted by
Nn
def
= {x | x ≤ 2n − 1 ∧ x ∈ N},
Zn
def
= {x | − 2n−1 ≤ x ≤ 2n−1 − 1 ∧ x ∈ Z}.
The function i2n :: Z 7→ N converts an integer number to natural one. The
function n2i :: N 7→ Z does the conversion in the other direction. The function
bool2nat :: bool 7→ N returns a natural number corresponding to a given boolean
value, i.e. bool2nat(T) = 1 and bool2nat(F) = 0. The power set of T is denoted by
2T. We use the term A to denote an arbitrary value. We write t⊥ to extend a given type
t with some error value ⊥ (i.e. t⊥ = t ∪ {⊥}). Such a type t⊥ we call an option type.
If a value x ∈ t⊥ is a non-error value, then we write bxc to denote that x is a non-error
value.
Lists An n-tuple (t0, t1, . . . , tn−1), where t0 ∈ T, t1 ∈ T, . . . , tn−1 ∈ T, is an element of
a sequence type of the length n over a type T. We call such a sequence type a list type
of n elements over type T, and denote it by Tn. We write l ∈ Tn to denote a list l of
type Tn. To denote the empty list of any list types Tn we introduce the polymorphic
constant []. We denote a list type of arbitrary length over type T by T∗. We can
formally define this by
T∗ def=
⋃
n∈N
Tn
We construct a list from elements tn−1, tn−2, . . . , t0 of the same type by [tn−1, tn−2, . . . , t0].
Let l be a list [tn−1, tn−2, . . . , t0]. The number of elements in a list l is returned by means
of the function |l|. The functions hd(l) and tl(l) return the head and the tail of a given
list l, respectively, where the head of a list is the leftmost element of this list, i.e.
hd(l) = tn−1 and tl(l) = [tn−2, . . . , t0]. An arbitrary element i in a list l is accessed by
l[i]. We write l1 ◦ l2 to denote the concatenation of two lists l1 and l2. After concate-
nating two lists l1 and l2 the following hold:
∀i ∈ N. i < |l1| −→ l1[i] = (l1 ◦ l2)[i + |l2|].
The function rev(l) reverses a given list l. Formally,
rev([tn−1, tn−2, . . . , t1, t0])
def
= [t0, t1, . . . , tn−2, tn−1].
We flatten a list l, whose elements are lists too, by means of the function flat(l). Up-
date of the i-th element of a list l to a value v is denoted by l[i := v]. The function
sublist(l1, l2) takes a list l1 and a list l2 of indices as input and returns a sublist of
the list l1 such that it contains only those elements from the list l1 whose indices are
6 Introduction
present in the list l2. The function take(l, n) takes a list l and a natural number n as in-
put and returns the list [t|l|−1, . . . , t|l|−1−n] of n elements. The function drop(l, n) takes
a list l and a natural number n as input and returns such a list [t|l|−1−n, . . . , t0]. The
function
top def= |l| − 1
returns the index of the head element from the list l. We write a ∈ l to denote that an
element a is present in a list l.
Bit vectors A bit vector is represented as a list of binary digits, i.e. an element in
B∗, in which the leftmost bit is the most significant bit and the rightmost bit is the
least significant bit. For a bit vector bv of length n we denote by 〈bv〉n and [bv]n
the conversion to the natural number with the n-bit binary representation bv and the
integer number with the n-bit two’s complement representation bv, respectively.
For natural numbers x and n we denote by binn(x) the conversion to the n-bit
binary representation of x. For an integer number x and a natural number n we denote
by twon(x) the conversion to the n-bit two’s complement representation of x. For a
bit vector bv and two natural numbers l, h such l < h we denote by bv[h : l] the
sub-bit-vector of the bit vector from the bit l up to the bit h.
Records Record types are defined in the following way
T
def
= { f1 :: T1, f2 :: T2, . . . , fn :: Tn},
where f1, f2, . . . , fn are component(field) names of string type and T1,T2, . . . ,Tn are
types of these components. The record type T yields the set of all elements ( f1 =
v1, f2 = v2, . . . , fn = vn) with v1 ∈ T1, v2 ∈ T2, . . . , vn ∈ Tn. Let r be an instance of
the record type T. We write r. fi to access the component fi of the record r. Updating
a component fi of the record r by a value v is abbreviated by r[ fi := v].
C
H
A
P
TE
R
2
VAMP Assembly
In this section we describe the assembly language of the verified architecture micro-
processor (VAMP). The VAMP is a formally verified DLX-like processor [BJK+03,
BJK+05, DHP05, Dal06]. The VAMP implements the full DLX instruction set from
[HP96], delayed branch mechanism with one delay slot, two privilege levels (user and
system mode), single address translation in user mode and interrupt handling.
The VAMP assembly model provides a handy programming model by abstracting
some features of the VAMP machine model [Tve09]. While describing the VAMP
assembly semantics we follow the thesis [Tsy09].
2.1 Configurations
Configurations cAS M of the VAMP assembly semantics are represented by record type
CASM
J DEFINITION 2.1
VAMP Assembly ConfigurationCASM
def
= {pc :: N, dpc :: N, gpr :: Z∗, spr :: Z∗,m :: N 7→ B8}
that consists of five components:
• the program counter pc and the delayed program counter dpc. They implement
the delayed branch mechanism with one delay slot (cf. [MP00]). The delayed
program counter cAS M .dpc stores the address where the current instruction is
fetched from and the program counter cAS M .pc stores the address of the next
instruction.
• the general purpose register file gpr and the special purpose register file spr
which are modeled as list of integers. cAS M .gpr[0] is always zero as it is re-
quired by the underlying computational model not discussed in the framework
of this thesis (cf. [MP00]). Some SPRs are not used, the used SPRs are listed in
Table 2.1.
7
8 VAMP Assembly
Index Alias Usage
0 sr Status register
1 esr Exceptional status register
2 eca Exceptional cause
3 epc Exceptional program counter
4 edpc Exceptional delayed program counter
5 edata Exceptional data
9 pto Page table origin
10 ptl Page table length
11 emode Exceptional mode
16 mode Mode
Table 2.1: Special Purpose Registers
• the memory m is a mapping from memory addresses (naturals) to bytes. This
memory is to be interpreted as byte-addressable memory of bytes. In [Tsy09]
Tsyban defined the memory of VAMP assembly configurations as word-addressable.
Sure, the corresponding changes must be done in the VAMP assembly seman-
tics due to different representations of memory in Tsyban’s dissertation and
thesis, but these changes are simple and straightforward so that we omit them.
Thus, we assume that Tsyban’s VAMP assembly semantics works for the byte-
addressable memory.
We define read and write functions over the assembly memory.
DEFINITION 2.2 I
Assembly Memory Read mword(a)
def
= [m(a + 3) ◦ m(a + 2) ◦ m(a + 1) ◦ m(a)]32
DEFINITION 2.3 I
Assembly Memory Write mem-updateASM(m, a, data)
def
= m′,
such that
m′(i) =
two32(data)[8 · (i + 1) : i] if i ∈ [a, .., a + 3]m(i) otherwise
Validity of a cAS M assembly configuration is stated by means of the following
predicate.
DEFINITION 2.4 I
Valid Assembly Configuration
cAS M .pc ∈ N32 cAS M .dpc ∈ N32
|cAS M .gpr| = 32 |cAS M .spr| = 32
∀i < 32. cAS M .gpr[i] ∈ Z32 ∧ cAS M .spr[i] ∈ Z32
validasm(cAS M)
2.2 Instructions
We do not model all instructions supported by VAMP assembly. We avoid the support
for instructions which perform: (i) read and write of byte, half-word from and into
2.2. Instructions 9
Load Word / Store Word Arithmetics Logical Shift
lw rd rs imm addi rd rs imm andi rd rs imm slli rd rs sa
sw rd rs imm add rd rs1 rs2 ori rd rs imm srli rd rs sa
subi rd rs imm xori rd rs imm srai rd rs sa
sub rd rs1 rs2 lhgi rd imm sll rd rs1 rs2
and rd rs1 rs2 srl rd rs1 rs2
or rd rs1 rs2 sra rd rs1 rs2
xor rd rs1 rs2
lhg rd rs
Test Control Special
clri rd clr rd beqz rs imm movs2i rd sa
sgri rd rs imm sgr rd rs1 rs2 bnez rs imm movi2s rd sa
seqi rd rs imm seq rd rs1 rs2 jr rs
sgei rd rs imm sge rd rs1 rs2 jalr rs
slsi rd rs imm sls rd rs1 rs2 j imm
snei rd rs imm sne rd rs1 rs2 jal imm
slei rd rs imm sle rd rs1 rs2 trap imm
seti rd set rd rfe
Table 2.2: VAMP Assembly Instructions
memory, (ii) arithmetics operations causing an overflow interrupt. The instructions
we want to be supported by VAMP assembly are presented in Table 2.21.
Instructions of the VAMP assembly machine are modeled by the inductive data
type Instr. Each instruction is modeled by a separate constructor with parameters
for register names and immediate constants. Parameters to the constructors of an
instruction instr like source and destination registers or an immediate constant are
obtained like rs1(instr), rd(instr), imm(instr), etc. We omit their formal definitions as
they are straightforward and rather voluminous, the reader can consult the definitions
in Section 3.2.5. in [Tsy09].
Since memory cells are modeled as integers we need to handle that by introducing
two functions int-to-instr :: Z 7→ Instr, converting integers to assembly instructions,
and instr-to-int :: Instr 7→ Z, performing the conversion in other direction. As it
is not possible to convert every integer to an instruction the predicate decodable ::
Z 7→ bool is introduced which tests whether the given integer could be converted to
an instruction. We omit their definitions due to their simplicity, the reader can consult
the definitions in Section 3.2.5 in [Tsy09].
The current instruction of the assembly configuration cAS M is defined by the fol-
lowing function:
J DEFINITION 2.5
Current Instructioninstr(cAS M)
def
= int-to-instr(cAS M .mword(cAS M .dpc))
We introduce the predicates over instructions to determine what instruction group
or group of instructions it corresponds to. It is done for each instruction constructor,
e.g., instr-trap?, or for a group, like instr-ls? for all memory access instructions, or
1The complete list of VAMP assembly instructions is presented in Table 3.2 of [Tsy09]
10 VAMP Assembly
instr-store? only for memory write access.
2.3 Transition Function
In order to be able to define the VAMP assembly transition function we need to elab-
orate on
• address translation that takes place during VAMP assembly instruction execu-
tion,
• interrupts that suspends the execution of a VAMP assembly machine,
• interrupt mechanism that starts every time when some interrupt raises(happens).
2.3.1 Address Translation
The semantics distinguishes two execution modes: system, which is defined as
DEFINITION 2.6 I
Is System Mode? cAS M .spr[mode] = 0
sys-modeASM?(cAS M)
and user, defined as
DEFINITION 2.7 I
Is User Mode? cAS M .spr[mode] = 1
user-modeASM?(cAS M)
A memory access is subject to address translation in user mode. Hence, the seman-
tics of load/store instructions uses translated effective addresses and all instructions are
fetched from the translated delayed program counter in user mode.
In user mode all addresses for instruction fetch as well as for load/store operations
are treated as virtual ones and they are translated by the processor to physical ones
with the help of special purpose registers pto and ptl (cf. Table 2.1). Virtual address
space is divided into pages of size PAGE SIZE = 212 bytes = 210 words. The binary
representation of a virtual address va is split into two parts: (i) the most significant
bits bin32(va)[31 : 12] give the virtual page index, and (ii) the less significant bits
bin32(va)[11 : 0] give the address of the byte within the page (page offset). We in-
troduce functions extracting natural number representations of virtual page index and
page offset from a virtual address va ∈ N32, pxva :: N32 7→ N20 and bxva :: N32 7→ N12,
respectively.
DEFINITION 2.8 I
Virtual Address:
Page Index and
Byte Offset
pxva(va)
def
= va / PAGE SIZE
bxva(va)
def
= va mod PAGE SIZE
Based on the definitions of functions pxva and bxva the following holds:
va = pxva(va) · PAGE SIZE + bxva(va)
The main data structure for address translation is a page table which resides in
the processor memory. It is used to map, to translate, virtual page indices to physical
page indices, where each translation is represented by a page table entry (pte). That
is, the page table contains page table entries to support the address translation. The
2.3. Transition Function 11
                                  
              
va
31 19 11 0
px bx
ppx v
pma(casm,va)
31 19 11 0
pteasm(casm,va) p e
Figure 2.1: Address Translation
Component Notation Computation
ppx ppxPTE(pte) pte/PAGE SIZE
valid bit vPT E(pte) pte/211 mod 2
protected bit pPT E(pte) pte/2
10 mod 2
executable bit ePT E(pte) pte/29 mod 2
Table 2.3: Extracting components from a page table entry
page table origin register cAS M .spr[pto]2 and the virtual page index pxva(va) specify
one page table entry. Formally, the page table entry in an assembly configuration cAS M
for a virtual address va is:
J DEFINITION 2.9
Page Table Entry
pteASM(cAS M , va)
def
= cAS M .mword(cAS M .spr[pto] · PAGE SIZE + bxva(va) · 4)
Each page table entry is represented by a single word and it encodes: (i) physical
page index, (ii) valid bit denoting whether the page resides in memory, (iii) protected
bit indicating whether the page is allowed to be written, and (iv) executable bit denot-
ing whether the page contains executable code. Table 2.3, taken from [Sta10], defines
functions computing physical page index, valid bit, protected bit, and executable bit
from the page table entry.
A physical page index combined with a byte index yields the complete physical
memory address (Fig. 2.1 shows how a virtual address is translated to a physical one):
J DEFINITION 2.10
Physical Memory AddresspmaASM(cAS M , va)
def
= ppxPTE(pteASM(cAS M , va)) + bxva(va)
Exceptions
The page table length register cAS M .spr[ptl] is used to specify the amount of allocated
virtual memory. In case the virtual address does not belong to the user memory ad-
dress translation results in a page table length exception which is one of the supported
2The statement cAS M .spr[pto] < 220 is always true and it follows from the VAMP assembly semantics
(cf. [Tsy09])
12 VAMP Assembly
i Name Meaning Mask. Ext. Type
0 reset? Reset No Yes Abort
1 ill? Illegal instruction No No Abort
2 imal?∨dmal? Instr. / data misalignment No No Abort
3 pff? Page fault on fetch No No Repeat
4 pfls? Page fault on load/store No No Repeat
5 trap? Trap / System call No No Cont.
6 ovf? Overflow Yes No Cont.
≥ 12 eevi? Device interrupts Yes Yes Cont.
Table 2.4: Interrupts of VAMP Assembly
interrupts by VAMP assembly which we examine in the next section. Formally, in
configuration cAS M the page table length exception for a virtual address va is:
DEFINITION 2.11 I
Page-Table Length Exception
cAS M .spr[ptl] < pxva(va)
ptlexcpASM?(cAS M)
There are some situations when the translated address should not be used, either be-
cause invalid data was used for the translation, or the processor must forbid the at-
tempted operation at this address. This happens if the memory which stores an in-
struction is not tagged as executable, or protected memory is accessed for writing,
or even the page containing this address is not present in the physical memory. The
next predicate tests whether a problem, namely interrupt, occurs during the address
translation of a virtual address va in the assembly configuration cAS M . Note that the
flag is-mw indicates memory write access and the flag is-fetch indicates the instruction
fetch:
DEFINITION 2.12 I
Virtual Address Translation
Exception
ptlexcpASM?(cAS M , va) ∨ vPT E(pteASM(cAS M , va)) = 0
∨ is-fetch ∧ ePT E(pteASM(cAS M , va)) = 0
∨ is-mw ∧ pPT E(pteASM(cAS M , va)) = 1
translexcpASM?(cAS M , va, is-mw, is-fetch)
2.3.2 Interrupts
VAMP Assembly computations could be broken by interrupt signals numbered with
indices from zero to thirty one. Table 2.4 depicts interrupts supported by the VAMP
assembly model and they are classified according to the following criteria: (i) mask-
able or not maskable, (ii) internal or external, and (iii) of repeat, continue, or abort
type. Maskable interrupts can be ignored under software control. If an interrupt sig-
nal arrives during the execution of some instruction i and it is of repeat type, then the
instruction i is repeated when the program execution is resumed. If the interrupt is a
continue interrupt then the instruction that follows i in the program is executed after
the interrupt handling. In the remaining case the program execution is aborted.
The instruction misalignment interrupt occurs if the delayed program counter is
not word aligned.
DEFINITION 2.13 I
Instruction misalignment
cAS M .dpc mod 4 , 0
imal?ASM(cAS M)
2.3. Transition Function 13
The page fault on fetch happens in the user mode whenever the address translation
of the current instruction to be fetched cannot be done:
J DEFINITION 2.14
Page Fault On Fetch
¬imal?ASM(cAS M) ¬sys-modeASM?(cAS M) translexcpASM?(cAS M , cAS M .dpc,F,T)
pff?ASM(cAS M)
The illegal instruction interrupt is triggered if the current instruction cannot be de-
coded or it is an unprivileged one. An instruction is unprivileged in case the instruction
is one of the following instructions: movi2s, movs2i, or rfe, and it is executed in the
user mode.
J DEFINITION 2.15
Illegal Instruction
¬imal?ASM(cAS M) ¬translexcpASM?(cAS M , cAS M .dpc,F,T)
(¬decodable(cAS M .mword(cAS M .dpc)) ∨ ¬sys-modeASM?(cAS M) −→
(¬instr-rfe?(cAS M) ∨ ¬instr-movi2s?(cAS M) ∨ ¬instr-movsi2?(cAS M)))
ill?ASM(cAS M)
The data misalignment exceptions is raised if the effective address of the current
instruction accessing memory is not word aligned. The function ea computing the
effective address will be defined in Section 2.3.4.
J DEFINITION 2.16
Data misalignment
¬imal?ASM(cAS M) ¬translexcpASM?(cAS M , ea(cAS M), instr-sw?(cAS M),F)
¬ill?ASM(cAS M) ¬(ls-w?(instr(cAS M)) −→ ea(cAS M) mod 4 = 0)
dmal?ASM(cAS M)
The page fault on load/store is similar to the page fault on fetch, but here the
effective address of the load/store instruction is examined:
J DEFINITION 2.17
Page Fault On Load/Store
¬dmal?ASM(cAS M) ¬sys-modeASM?(cAS M) instr-mem?(cAS M)
translexcpASM?(cAS M , ea(cAS M), instr-sw?(cAS M),F)
pfls?ASM(cAS M)
The trap interrupt occurs whenever the instruction trap is executed.
J DEFINITION 2.18
Trap Interrupt¬imal?ASM(cAS M) ¬translexcpASM?(cAS M , cAS M .dpc,F,T)¬ill?ASM(cAS M) instr-trap?(cAS M)
trap?ASM(cAS M)
Remark: Since we do not use instructions which could cause an overflow we just
avoid overflow interrupts.
2.3.3 Interrupt Mechanism
So far we defined predicates indicating particular interrupts that may occur during
the execution in an assembly configuration cAS M . At this point we want to stress our
assembly model is used in the environment without any external devices. That means,
we consider a single external interrupt like reset. Here we define the JISR (Jump to
Interrupt Service Routine) signal indicating that there is an interrupt to be handled by
the interrupt mechanism.
14 VAMP Assembly
Interrupt signals raised in the configuration cAS M are collected in the cause func-
tion ca(cAS M). 3
DEFINITION 2.19 I
Cause Vector ca(cAS M)
def
= 21 · bool2nat(ill?ASM(cAS M))
+ 22 · bool2nat(imal?ASM(cAS M) ∨ dmal?ASM(cAS M))
+ 23 · bool2nat(pff?ASM(cAS M))
+ 24 · bool2nat(pfls?ASM(cAS M))
+ 25 · bool2nat(trap?ASM(cAS M)).
At this place we introduce the predicate repeat?(cAS M) indicating that an interrupt
is of repeat type.
DEFINITION 2.20 I
Is Interrupt of Repeat Type?
pff?ASM(cAS M) ∨ pfls?ASM(cAS M)
¬(ill?ASM(cAS M) ∨ imal?ASM(cAS M) ∨ dmal?ASM(cAS M))
repeat?(cAS M)
Since we do not consider maskable interrupts the definition of a function which
returns the masked cause vector is equal to the definition of the function computing
cause vector.
DEFINITION 2.21 I
Masked Cause Vector
mca(cAS M)
def
= ca(cAS M)
If mca(cAS M) is greater than zero, then the JISR signal jisr(cAS M) is activated.
DEFINITION 2.22 I
JISR Signal
0 < mca(cAS M)
jisr(cAS M)
Jump To Interrupt Service Routine Now we define the function
execjisr :: CASM 7→ CASM
which prepares the assembly machine cAS M for the execution of an interrupt service
routine (ISR) that resides at address 0 in memory.
DEFINITION 2.23 I
JISR Semantics execjisr(cAS M)
def
= c′AS M
The function execjisr(cAS M) yields an updated VAMP assembly configuration c′AS M .
The program counters of c′AS M point to the ISR start address.
c′AS M .dpc = 0
c′AS M .pc = 4
The program counters as well as the status and mode registers are saved in the
corresponding exceptional registers:
c′AS M .spr.[edpc] = cAS M .dpc
c′AS M .spr[epc] = cAS M .pc
c′AS M .spr[esr] = cAS M .spr[sr]
c′AS M .spr[emode] = cAS M .spr[mode]
3Since we do not consider maskable interrupts, like overflow and external interrupts from devices, we
omitted the second parameter to the function ca representing external interrupts vector. For the complete
definition refer to [Tsy09]
2.3. Transition Function 15
The exceptional cause register eca is set to the masked interrupt cause:
c′AS M .spr[eca] = mca(cAS M , eev)
The exceptional data register edata has the following value as it is defined below:
• the delayed program counter in case of a page fault interrupt on fetch,
• the load/store effective address in case of an interrupt on load/store,
• the immediate constant in case of a trap instruction, and
• zero in all other cases.
Formally,
c′AS M .spr[edata]
def
= edata(cAS M)
def
=

cAS M .dpc if imal?ASM(cAS M) ∨ pff?ASM(cAS M)
ea(cAS M) if instr-mem?(cAS M)
i2n(imm(instr(cAS M))) if instr-trap?(cAS M)
0 otherwise
The mode and status registers are set to zero, i.e. the assembly machine c′AS M
operates in system mode and all interrupts are masked. Formally,
c′AS M .spr[mode] = 0
c′AS M .spr[sr] = 0.
Return From Exception The last instruction to be executed in the ISR must be rfe
(return from exception). This instruction restores the content of saved registers at JISR
from exceptional registers. Formally,
J DEFINITION 2.24
RFE Semanticsc′AS M .dpc = cAS M .spr[edpc],
c′AS M .pc = cAS M .spr[epc],
c′AS M .spr[sr] = cAS M .spr[esr],
c′AS M .spr[mode] = cAS M .spr[emode].
2.3.4 Transitions Without Interrupts
The execution semantics of VAMP assembly without interrupts is given by the tran-
sition function δwoiASM :: CASM 7→ CASM which yields for a configuration cAS M the next
state c′AS M = δ
woi
ASM(cAS M) = execinstr(cAS M , instr(cAS M)), where the function
J DEFINITION 2.25
Instruction Execution
Without Interrupt
execinstr :: CASM × Instr 7→ CASM
defines the effect of a single instruction execution on the assembly configuration (cf.
Sec 3.2.6 in [Tsy09]).
The definition of execinstr splits cases depending on the instruction to be executed.
We will specify the case for executing the load word instruction lw in system mode
as well as in user mode. The semantics for the remaining instructions is presented
in [Tsy09].
16 VAMP Assembly
The effective address ea(cAS M) of load/store instructions is computed as the sum
of the content of the source register one (cAS M .gpr[rs1(cAS M)]) and the immediate
constant (imm(cAS M)).
DEFINITION 2.26 I
Effective Address ea(cAS M)
def
= (cAS M .gpr[rs1(cAS M)] + imm(cAS M)) mod 232.
The effect of the execution of the load word instruction lw is that the destination
register cAS M .gpr[rd(cAS M)] is updated with the content of memory cell at the trans-
lated (or non-translated) effective address eamode(cAS M). Also, program counters are
updated correspondingly.
DEFINITION 2.27 I
Load-Word Instruction Semantics execinstr(cAS M , lw rd rs imm) = c′AS M
where the updated VAMP assembly configuration c′AS M differs from the original one
cAS M in the following components:
c′AS M .gpr[rd(cAS M)] = cAS M .mword(eamode(cAS M))
c′AS M .dpc = cAS M .pc
c′AS M .pc = (cAS M .pc + 4) mod 2
32
where the memory address eamode depends on the mode the assembly machine cAS M
is running in:
DEFINITION 2.28 I
Translated Effective Address eamode(cAS M) =
ea(cAS M) if sys-modeASM?(cAS M)pmaASM(cAS M , ea(cAS M)) otherwise
2.3.5 Transitions
The transition system of VAMP assembly is given by the next-step function δASM ::
CASM 7→ CASM. The definition of the transition function δASM splits cases depending
on interrupts. In case there is no interrupt we apply the semantics of the assembly
next step function without interrupts δwoiASM. If there is an interrupt, then we make cases
distinction on type of the interrupt.
δASM(cAS M) =

execjisr(cAS M) if jisr(cAS M) ∧ repeat?(cAS M)
execjisr(δwoiASM(cAS M)) if jisr(cAS M) ∧ ¬repeat?(cAS M)
δwoiASM(cAS M) otherwise
Several assembly steps are done by the function δnASM, which is defined by induc-
tion on n:
δ0ASM(cASM) = cASM,
δnASM(cASM) = δ
n−1
ASM(δASM(cASM)).
C
H
A
P
TE
R
3
VAMP Macro Assembly
In this section we present the high level VAMP assembly model, called VAMP macro
assembly or µASM. This µASM model is an abstracted VAMP assembly. The reason
of the abstraction is to have nice high-level control flow such that instead of using
relative and absolute offsets for branch and jump instructions in VAMP assembly,
we use labels and procedure names in µASM. Modeling procedure calls requires the
introduction of a stack in µASM, where the stack is modeled explicitly. Having such a
high level control flow simplifies the task of interfacing assembly with the model of
a high level programming language like C and we indeed want to have such a nice
interface which we present in Chapter 5. Since we have a new control flow in µASM
we need to introduce new instructions which do: jump to labels, call procedures, etc.
The VAMP macro assembly language does not support the complete set of macros
that is typically supported by a macro assembly language as we do not need them for
this thesis. The VAMP macro assembly language can be easily extended with missing
macros which implement loops, if-then-else statements, etc.
The way we want to proceed in this section is: (i) we present the semantics of
the µASM model, (ii) we examine the macro assembling of a µASM program to VAMP
assembly, and (iii) we state the correctness of the µASM assembler.
3.1 Semantics
We start the description of the µASM computation model with the introduction of in-
structions modeled in µASM.
3.1.1 Instructions
The µASM instructions are modeled by inductive type SµASM . It is the union of con-
structors of the new µASM instructions introduced later on and the VAMP assembly
instruction set modeled by inductive type Instr (introduced in Section 3.1.1 on page
17). Since we have a high level control flow in µASM in comparison to the VAMP as-
17
18 VAMP Macro Assembly
sembly we exclude all control instructions from Instr. The set of control instructions
is presented in Table 2.2. So that we obtain a reduced VAMP assembly instructions
set Instrcut4µASM defined as:
DEFINITION 3.1 I
Supported VAMP assembly instructions
in µASM
Instrcut4µASM
def
= Instr \ {control instructions}
As equivalent to VAMP assembly jump and branch instructions we introduced two
new instructions changing the control flow within a procedure: local absolute jump
goto and local absolute conditional jump ifnez r goto. There is only one possibility
to have a non-local jump in µASM: a procedure call which is implemented by a new
introduced instruction call. To read and to update parameters of a procedure new
instructions lparam and sparam are introduced, respectively. To return from the
procedure call we use a new instruction ret. Besides the instructions mentioned
above there are another two new instructions: push and pop putting and taking away
a word on and from stack, respectively. Below we list all instructions we model in
µASM:
• r, i ∈ N −→ lparam r i ∈ SµASM ∧ sparam r i ∈ SµASM
• r ∈ N −→ push r ∈ SµASM ∧ pop r ∈ SµASM
• P ∈ Pname −→ call P ∈ SµASM , where Pname ∈ S tring
• l ∈ N −→ goto l ∈ SµASM
• r, l ∈ N −→ ifnez r goto l ∈ SµASM
• Instrcut4µASM ∈ SµASM
We introduced the set of instructions supported by µASM. At this point we want
to stress that some of the introduced µASM instructions like lparam and sparam are
present in order to have a clear separation between the implementation and semantics.
These two instructions can be implemented by supported VAMP assembly instructions
like sw and lw in µASM. If we had implemented them using sw and lw in µASM, then
we would expose the stack layout. That is, exposing the implementation details that
could differ depending on the underlying architecture and the implementation of a
macro assembler itself. Definitely we do not want to expose the stack layout in the
µASM semantics as it is only assembler(compiler) relevant.
Before we present the semantics of µASM instructions we first examine how a µASM
program is defined and the definition of a µASM configuration .
3.1.2 Program
A µASM program piµASM is represented by a partial mapping of procedure names to
procedure declarations. Also, such a mapping is called procedure table.
DEFINITION 3.2 I
µASM Program ProgµASM
def
= Pname ⇀ ProcT
µASM procedure declarations are represented by record type ProcT . This record
represents a declared procedure in a µASM program and it comprises three components:
(i) the number of input arguments to the procedure (npar), (ii) the procedure body
3.1. Semantics 19
(body), if the procedure is defined outside the µASM program, then it is declared as
extern, and (iii) the list of register indices (uses), this list contains those GPR indices
whose values should be saved on the procedure entry and restored at return from this
procedure 1.
J DEFINITION 3.3
µASM Procedure DeclarationProcT
def
= (npar :: N, body :: S∗µASM ∪ {extern}, uses :: N∗)
As you might have noticed that some procedures can be declared as external ones.
In the thesis we consider a single type of external procedures, namely external C
procedure calls.
We introduce the predicate main?µASM :: Pname 7→ bool indicating whether a given
µASM procedure name is main one in the µASM program. In any µASM program there is
a single main procedure.
J DEFINITION 3.4
Is main µASM procedure?
P = ” start”
main?µASM (P)
3.1.3 Configurations
A µASM machine state cµ is modeled by record type CµASM which comprises a byte
addressable memory (M), general and special register files (gpr and spr), and an
abstract stack (stack) that can be in one of two states depending on whether the stack
is created or not.
J DEFINITION 3.5
µASM Configuration
CµASM = (M :: N 7→ B8, gpr :: Z∗, spr :: Z∗, stack :: f rame∗µ ∪ f ramenoµ )
The componentsM, gpr and spr have the same purpose as in the VAMP assembly
assembly configuration, the only new component is stack which is represented either
by a list of abstract µASM stack frames or by no-stack. If the stack exists, i.e., repre-
sented as a list of stack frames, then each stack frame from the stack corresponds to
a call to a procedure which has not yet returned, i.e. not terminated with a return in-
struction. A stack frame contains information which describes a procedure execution
context in terms of the procedure name (p) and the location counter (loc) indicating
the instruction that should be executed as next one in this procedure. So stack frames
are added and removed only at procedure calls’ entries and returns. The µASM stack
frame is modeled by record type f rameµ:
J DEFINITION 3.6
µASM Stack Frame
f rameµ
def
= (p :: Pname, loc :: N, pars :: Z∗, saved :: Z∗, li f o :: Z∗)
which comprises the following components:
• p is the name of a procedure the stack frame corresponds to,
• loc is the location of the current instruction in the body of a procedure,
• pars is a list of parameters passed to a procedure,
• saved is a list of values. It serves as a container for data to be preserved during
procedure execution. It is used to store values of those GPRs whose indices are
present in the uses component of the declaration of a procedure.
1Originally the name of uses comes from Microsoft Macro Assembler (MASM) and it is used as
described (cf. [Cor])
20 VAMP Macro Assembly
a lifo element 
a saved element 
a pars element 
0
1
2
3
Figure 3.1: µASM Stack Frame (Without Control Components)
• li f o is a list of integers representing a last in, first out (LIFO) data structure. ”By
definition, in a LIFO structured linear list, elements can be added or taken off
from only one end, called the ”top”” ( [Lip86]). The last element to be placed
on top is also the first to be taken off the top. The li f o component is used to
store temporaries and for passing input parameters to a call to a procedure.
No-stack is modeled by record f ramenoµ that comprises two components p and loc
modeling the control flow.
DEFINITION 3.7 I
µASM No-Stack
f ramenoµ
def
= (p :: Pname, loc :: N)
We introduce the function top :: CµASM 7→ N returns the index of the top-most
stack frame in the configuration cµ:
DEFINITION 3.8 I
Top Most Stack Frame Index
top(cµ)
def
= |cµ.stack| − 1
The predicate is stack indicates whether the stack of a given µASM configuration
exists or not:
DEFINITION 3.9 I
Is Stack Set Up?
cµ.stack < f ramenoµ
is stack(cµ)
The predicate last?µ :: N × Pname × ProgµASM 7→ B indicates whether the µASM
statement indicated by a given location loc is the last statement in the body of the
µASM procedure P.
DEFINITION 3.10 I
Is Last Statement? |piµASM (p).body| − 1 = loc
last?µ(loc, p, piµASM )
We introduce a few shorthands for the top stack frame and no-stack as well as for
components of the top-most stack frame and no-stack of the µASM configuration cµ.
• cµ.stacktop =
cµ.stack if ¬is stack(cµ)cµ.stack[top(cµ)] otherwise
• cµ.ptop = cµ.stacktop.p
• cµ.loctop = cµ.stacktop.loc
• cµ.parstop = cµ.stacktop.pars
3.1. Semantics 21
• cµ.savedtop = cµ.stacktop.saved
• cµ.li f otop = cµ.stacktop.li f o
Since we cannot return from the first stack frame in the µASM semantics (at least
it is not modeled) it is required that parameters and saved components of the first
stack frame of the stack of a given µASM machine cµ are empty. This and the other
well-formedness requirements over µASM configurations are stated by means of the
following predicate:
J DEFINITION 3.11
Valid µASM Configuration|cµ.gpr| = 32 |cµ.spr| = 32∀i < 32. cµ.gpr[i] ∈ Z32 ∧ cµ.spr[i] ∈ Z32
is stack(cµ) −→ cµ.stack[0].pars = [] ∧ cµ.stack[0].saved = []
validµASM (cµ)
We introduce the predicate are sregs set up which indicates that the stack reg-
isters (sp and bp from Table 3.1) of a given VAMP assembly machine cAS M are ini-
tialized. It is the case if and only if the content of stack registers equals the constant
STACK BASE ADR which denotes the stack base address.
J DEFINITION 3.12
Are Stack Registers Set Up?cAS M .gpr[sp] = cAS M .gpr[bp] = STACK BASE ADR
are sregs set up(cAS M)
We indicate the emptiness of the stack of a given µASM machine cµ if its stack has
a single stack frame whose lifo is empty.
J DEFINITION 3.13
Is Empty Stack?top(cµ) = 0 cµ.stack[0].li f o = [] is stack(cµ)
is empty stack(cµ)
The current instruction to be executed by a given µASM machine running a given
C-IL program is returned by the function defined below:
J DEFINITION 3.14
Current Instructioninstrcurr :: CµASM × ProgµASM 7→ SµASM
instrcurr(cµ, piµASM )
def
= piµASM (cµ.ptop).body[cµ.loctop]
Further, we define a few functions updating the state of a given µASM machine.
The function incloc :: CµASM 7→ CµASM increments the location counter of the top stack
frame or no-stack of a given µASM configuration cµ:
incloc(cµ)
def
=cµ[stack := cµ.stack[loc := cµ.loctop + 1]] if ¬is stack(cµ)cµ[stack := hd(cµ.stack)[loc := cµ.loctop + 1]] ◦ tl(cµ.stack)] otherwise
The function setloc :: CµASM × N 7→ CµASM sets the location of the top stack frame
of a given configuration cµ to a given location l:
setloc(cµ, l)
def
=
22 VAMP Macro Assembly
cµ[stack := cµ.stack[loc := l]] if ¬is stack(cµ)cµ[stack := hd(cµ.stack)[loc := l] ◦ tl(cµ.stack)] otherwise
The function dropframe :: CµASM 7→ CµASM removes the top stack frame in a given
µASM configuration cµ:
dropframe(cµ)
def
= cµ[stack := tl(cµ.stack)].
The function setpars :: CµASM × N × N 7→ CµASM updates the i-th parameter of the
top stack frame of a given µASM machine cµ by a given value v:
setpars(cµ, i, v)
def
=
cµ[stack := hd(cµ.stack)[pars := parstop[i := v]] ◦ tl(cµ.stack)].
The function putlifo :: CµASM ×N∗ 7→ CµASM puts on top of the lifo of the top stack
frame of a given configuration cµ a given list of integer values l:
putlifo(cµ, l)
def
=
cµ[stack := hd(cµ.stack)[li f o := l ◦ cµ.li f otop] ◦ tl(cµ.stack)].
The function droplifo :: CµASM 7→ CµASM removes the n top elements from the lifo
of the top stack frame of a given configuration cµ:
droplifo(cµ, n)
def
=
cµ[stack := hd(cµ.stack)[li f o := drop(cµ.li f otop, n)] ◦ tl(cµ.stack)].
The function setup sregs :: CµASM 7→ CµASM sets up the stack registers to the stack
base address:
DEFINITION 3.15 I
Set Up Stack Registers setup sregs(cµ)
def
= cµ[gpr := cµ.gpr
[
bp := STACK BASE ADR,
sp := STACK BASE ADR
]
]
In order to examine the semantics of µASM instructions there is still a convention
to be discussed, called compiler calling convention.
3.1.4 Compiler Calling Convention
The compiler calling convention describes the interface between the caller and the
callee, namely: (i) how parameters are passed from the caller to the callee (placed in
registers, pushed on the stack, or a mix of both), (ii) how a result is returned from
the callee to the caller, and (iii) who is responsible for cleaning up the stack from
parameters after a procedure call. The µASM compiler calling convention consists of
the following rules:
1. The first four input parameters are passed through GPRs i0, . . . i3 (Table 3.1)
3.1. Semantics 23
Alias Index Usage
0 zero always zero
1 . . . 13 t0 . . . t12 temporary
14 rv return value
15 . . . 18 i0 . . . i3 input arguments
19 . . . 28 t13 . . . t22 temporary
29 sp stack pointer
30 bp stack frame base pointer
31 t23 temporary
Table 3.1: Special Usage of GPRs
before the call instruction is executed,
• Caller does not expect to have the same values in those registers after
callee returns.
2. The rest of input parameters, if existent at all, is passed on the lifo of the caller’s
stack frame in right-to-left order before the call instruction is executed, i.e. a
parameter with the lowest index is on the top of the lifo and a parameter with
the highest index is put first on the lifo,
• Moreover, we reserve a space on the lifo for parameters passed in GPRs.
It is done for two main reasons: (i) if callee wants to call a procedure, then
it should save values of these parameters to the reserved space on the lifo,
and (ii) if callee ran out of available GPRs.
3. Callee passes a return value to caller in GPR rv (Table 3.1),
4. Callee is responsible for cleaning up the stack from parameters.
In the thesis we refer to this compiler calling convention as CCL and to rules of CCL
as CCL .1, CCL .2, CCL .3 and CCL .4.
3.1.5 Transition Function
The transition function
δµASM :: CµASM × ProgµASM 7→ CµASM⊥
of the µASM semantics maps, with respect to a program piµASM , a configuration cµ to its
successor c′µ, such that bc′µc = δµASM (cµ, piµASM ) or, in case of an error to ⊥ (i.e. the
execution got stuck). At some places we write
piµASM ` cµ →µASM bc′µc
to denote δµASM (cµ, piµASM ) = bc′µc.
The transition function is defined by induction on the µASM instruction constructor
type of the current statement to be executed. We split the µASM instructions by their
functionality into four groups: (i) VAMP assembly, (ii) goto, (iii) load and store pa-
rameters, and (iv) stack - instructions. For instructions from the group (i) we apply
the semantics of the assembly next step function without interrupt execinstr which was
introduced in Section 2.3.4.
24 VAMP Macro Assembly
Vamp Assembly Instructions
If the current instruction to be executed by the µASM machine is of VAMP assembly
type and it does not modify the content of the stack pointer and base pointer registers
(i.e. the return destination register of this instruction is neither sp nor bp (cf. Table
3.1)), and it does not read stack registers when the stack of the µASM machine is set up,
then we simply apply the VAMP assembly semantics over a VAMP assembly machine
constructed from the µASM machine and map changes done at VAMP assembly level
back to µASM level. Program counters of the constructed VAMP assembly machine
have arbitrary values as VAMP assembly instructions we model in µASM do not change
the control flow. Also, after applying the VAMP assembly semantics the location
counter of the top stack frame is increased so that it points to the next instruction to
be executed at the next µASM step.
DEFINITION 3.16 I
µASM Semantics For VAMP
Assembly Instructions
I = instrcurr(cµ, piµASM ) I ∈ Instrcut4µASM ¬(rd(I) ∈ {sp, bp})
rs1(I) ∈ {sp, bp} ∨ rs2(I) ∈ {sp, bp} −→ ¬is stack(cµ)
cAS M = execinstr((A,A, cµ.gpr, cµ.spr, cµ.M), I)
piµASM ` cµ →µASM bincloc(cµ)
 M := cAS M .M,gpr := cAS M .gpr,spr := cAS M .spr
c
However, there is a software condition stating that this VAMP assembly instruction
must not write in a memory region where the stack resides. In the µASM semantics
we do not know where the stack resides in memory, but we know it when a µASM
program gets assembled. Thus, we state this software condition as a precondition to a
µASM program in Section 3.3.3 in which we will talk about the correctness of the µASM
assembler.
In case the execution of the VAMP assembly instruction modeled in µASM accesses
(either reads or writes) the content of one of the stack registers we distinguish on
whether the stack of the µASM machine
• was not set up before executing this instruction. Here we consider the write
case. If the content of stack registers indicates that the stack is set up after ex-
ecuting this instruction, then the no-stack of a µASM configuration is substituted
by the corresponding empty stack. This stack frame is constructed based on
the no-stack in the following way: (i) the procedure name is the same as in the
no-stack, (ii) the location counter contains the location counter of the no-stack
incremented by 1, (iii) the rest of components of the stack frame are left empty.
DEFINITION 3.17 I
µASM Semantics For VAMP
Stack Set-Up
I = instrcurr(cµ, piµASM ) I ∈ Instrcut4µASM
rd(I) ∈ {sp, bp} ¬is stack(cµ)
cAS M = execinstr((A,A, cµ.gpr, cµ.spr, cµ.M), I)
are sregs set up(cAS M)
piµASM ` cµ →µASM bcµ

M := cAS M .M,
gpr := cAS M .gpr,
spr := cAS M .spr,
stack := [(cµ.ptop, cµ.loctop + 1, [], [], [])]
c
Here we want to stress that after performing the rule presented above the stack
registers are still present in the µASM configuration with the set up stack. In the µASM
3.1. Semantics 25
semantics any try to access them when the stack is set up and not empty yields the
execution of an instruction performing this access to an error state. In this way we
keep the stack registers ”invisible” artificially in the µASM semantics when the stack
of a µASM machine cµ being executed is set up and not empty. But it is possible to
access the stack registers when the stack is set up and empty. In this situation we can
simply construct the corresponding µASM machine with no-stack and with set up stack
registers. If two µASM machines c1µ and c
2
µ have different type of stacks, i.e. one has a
set up stack which is empty and another has no-stack, then we call them semantically
equivalent machines if and only if the following conditions hold:
¬is stack(c1µ) ∧ is stack(c2µ) ∧ is empty stack(c2µ) ∧
c1µ.gpr = setup sregs(c
2
µ).gpr ∧ c1µ.spr = c2µ.spr ∧ c1µ.M = c2µ.M
• was set up and it is empty before executing this instruction. Before applying the
VAMP assembly semantics to a given µASM machine cµ we set its stack registers
to stack base address. Here we consider two cases whether the content of stack
registers still indicates that the stack is set up after executing this instruction or
not:
a) If the content of these registers indicates that the stack is set up, i.e. their
content is the same as it was before executing the instruction, then the
µASM machine still has the set up stack. The reader might wonder why me
map changes done at the assembly level back to the µASM level: it could
be that the executed instruction read one of stack registers and saved it in
either GPRs, SPRs or memory.
J DEFINITION 3.18
µASM Semantics For VAMP
Stack Register Update
From Empty Stack To Empty Stack
I = instrcurr(cµ, piµASM ) I ∈ Instrcut4µASM
rd(I) ∈ {sp, bp} ∨ rs1(I) ∈ {sp, bp} ∨ rs2(I) ∈ {sp, bp}
is stack(cµ) is empty stack(cµ)
c′µ = setup sregs(cµ)
cAS M = execinstr((A,A, c′µ.gpr, c′µ.spr, c′µ.M), I)
are sregs set up(cAS M)
piµASM ` cµ →µASM bcµ

M := cAS M .M,
gpr := cAS M .gpr,
spr := cAS M .spr,
stack := [(cµ.ptop, cµ.loctop + 1, [], [], [])]
c
b) If the content of these registers does not indicate that the stack is set up, then
the empty stack of µASM machine is substituted by the corresponding no-stack
with the incremented location counter.
26 VAMP Macro Assembly
DEFINITION 3.19 I
µASM Semantics For VAMP
Stack Register Update
From Empty Stack To No-Stack
I = instrcurr(cµ, piµASM ) I ∈ Instrcut4µASM
rd(I) ∈ {sp, bp} ∨ rs1(I) ∈ {sp, bp} ∨ rs2(I) ∈ {sp, bp}
is stack(cµ) is empty stack(cµ)
setup sregs(cµ, c′µ)
cAS M = execinstr((A,A, c′µ.gpr, c′µ.spr, c′µ.M), I)
¬are sregs set up(cAS M)
piµASM ` cµ →µASM bc′µ

M := cAS M .M,
gpr := cAS M .gpr,
spr := cAS M .spr,
stack := (cµ.ptop, cµ.loctop + 1)
c
In case the execution of the VAMP assembly instruction tries either to modify the
content of one of the stack registers or to read it when the stack of the µASM machine
is set up and not empty, the execution of this instruction in the µASM semantics yields
to an error.
DEFINITION 3.20 I
µASM Semantics For VAMP
Assembly Instructions
Run-Time Error
I = instrcurr(cµ, piµASM ) ∈ Instrcut4µASM
rd(I) ∈ {sp, bp} ∨ rs1(I) ∈ {sp, bp} ∨ rs2(I) ∈ {sp, bp} −→
is stack(cµ) ∧ ¬is empty stack(cµ)
piµASM ` cµ →µASM ⊥
Goto Instructions
There are two µASM goto instructions: goto l and ifnez r goto l performing an
unconditional(direct) jump and a conditional jump to the target label l, respectively.
Thus, these instructions affect only the location counter of the current stack frame (or
no-stack). That is, these instructions can be also executed in the µASM semantics even
though the stack is not set up.
If the target label l points outside the current procedure body, then the instruction
executions yields to an error state. This is reflected in the semantics of both instruc-
tions.
The instruction goto l This instruction jumps directly to a location indicated by the
target label l if the target location is within the current procedure body.
DEFINITION 3.21 I
goto l Semantics instrcurr(cµ, piµASM ) = goto l l < |piµASM (cµ.ptop).body|
piµASM ` cµ →µASM bsetloc(cµ, l)c
Else, the execution ends up with an error state.
DEFINITION 3.22 I
goto l Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = goto l |piµASM (cµ.ptop).body| ≤ l
piµASM ` cµ →µASM ⊥
3.1. Semantics 27
The instruction ifnez r goto l This instruction jumps to the location indicated by
the target label l in case GPR r does not equal 0.
J DEFINITION 3.23
ifnez r goto l Semantics
Condition Succeeds
instrcurr(cµ, piµASM ) = ifnez r goto l cµ.gpr[r] , 0
l < |piµASM (cµ.ptop).body| r < {sp, bp}
piµASM ` cµ →µASM bsetloc(cµ, l)c
Else, the location counter is increased by 1. So, it has the same effects as a no-
operation instruction.
J DEFINITION 3.24
ifnez r goto l Semantics
Condition Fails
instrcurr(cµ, piµASM ) = ifnez r goto l cµ.gpr[r] = 0
l < |piµASM (cµ.ptop).body| r < {sp, bp}
piµASM ` cµ →µASM bincloc(cµ, l)c
In case the target label l points to outside of the current procedure body, the exe-
cution yields to an error state.
J DEFINITION 3.25
ifnez r goto l Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = ifnez r goto l|piµASM (cµ.ptop).body| ≤ l ∨ r ∈ {sp, bp}
piµASM ` cµ →µASM ⊥
Instructions Loading and Storing Procedure Parameters
The instruction lparam r i reads the i-th parameter from the top-most stack frame and
loads it to GPR r.
J DEFINITION 3.26
lparam Semantics
instrcurr(cµ, piµASM ) = lparam r i i < |cµ.parstop|
is stack(cµ) r < {sp, bp}
piµASM ` cµ →µASM bincloc(c′µ)c
where
c′µ = cµ[gpr[r := cµ.parstop[i]]]
If the parameter index i is greater than the number of parameters that are passed to the
current procedure, then the execution yields to an error state.
J DEFINITION 3.27
lparam Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = lparam r i|cµ.parstop| ≤ i ∨ ¬is stack(cµ) ∨ r ∈ {sp, bp}
piµASM ` cµ →µASM ⊥
The instruction sparam r i updates the i-th parameter of the current stack frame
with the value of GPR r.
J DEFINITION 3.28
sparam Semantics
instrcurr(cµ, piµASM ) = sparam r i i < |cµ.parstop|
is stack(cµ) r < {sp, bp}
piµASM ` cµ →µASM bsetpars(incloc(c′µ), i, cµ.gpr[r])c
28 VAMP Macro Assembly
In case the parameter index i is greater than the number of passed parameters, then the
execution yields to an error state.
DEFINITION 3.29 I
sparam Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = sparam r i|cµ.parstop| ≤ i ∨ ¬is stack(cµ) ∨ r ∈ {sp, bp}
piµASM ` cµ →µASM ⊥
Stack Instructions
The instruction push r It puts the value of GPR r on the top of the top-most stack
frame lifo of a given µASM machine cµ if the stack of this machine is set up.
DEFINITION 3.30 I
push Semantics instrcurr(cµ, piµASM ) = push r is stack(cµ) r < {sp, bp}
piµASM ` cµ →µASM bputlifo(incloc(cµ), [cµ.gpr[r]])c
Any try to execute a push instruction by a given µASM machine cµ without stack
and with non set up stack registers yields to an error state.
DEFINITION 3.31 I
push Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = push r ¬is stack(cµ) ∨ r ∈ {sp, bp}
piµASM ` cµ →µASM ⊥
The instruction pop r It removes the top item from the top stack frame lifo of the
µASM machine cµ and saves it in GPR r.
DEFINITION 3.32 I
pop Semantics instrcurr(cµ, piµASM ) = pop r 0 < |cµ.li f otop|
is stack(cµ) r < {sp, bp}
piµASM ` cµ →µASM bdroplifo(incloc(c′µ), 1)c
where
c′µ = cµ[gpr[r := hd(cµ.li f otop)]]
If the top-most stack frame lifo is empty, i.e. nothing to be ”popped” out, then the
µASM execution gets stuck.
DEFINITION 3.33 I
pop Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = pop r
cµ.li f otop = [] ∨ ¬is stack(cµ) ∨ r ∈ {sp, bp}
piµASM ` cµ →µASM ⊥
The instruction call P The call to a procedure P is successful if and only if the pro-
cedure to be called is declared and defined in the procedure table piµASM and the lifo of
the top stack frame of the machine cµ contains at least so many elements as the number
of parameters passed on the stack. As a result of the successful call a new stack frame
f ramenew is created and is put on top of the stack of the machine cµ. Also, the location
counter of a stack frame corresponding to the calling procedure is increased by 1. So
that, the execution resumes at the next instruction after the call instruction whenever
3.1. Semantics 29
a lifo element 
a pars element 
|
p5
pn−1
p4
pn−1
lifo |−1
0
...
...
| lifo |−1−k
0
...
| |lifo ' −1
lifo '=dropk , lifo
0
n−1
p0
p4
p3
...
...
... ...
top
top
before call after call
top−1
Figure 3.2: Moving Parameters From Callee Frame To Caller at CALL
the called procedure P returns. Constraints on the new created stack frame and the up-
dated lifo are captured in the predicate Call-Constraints(cµ, piµASM , P, framenew, li f o
′)
that we present a bit later.
DEFINITION 3.34 I
call Semantics
instrcurr(cµ, piµASM ) = call P is stack(cµ) piµASM (P).npar − 4 ≤ |cµ.li f otop|
piµASM (P) , None piµASM (P).body , extern
Call-Constraints(cµ, piµASM , P, framenew, li f o
′)
piµASM ` cµ →µASM b cµ[stack := framenew ◦ incloc(putlifo(cµ, li f o′)).stack] c
The predicate Call-Constraints(cµ, piµASM , P, framenew, li f o
′) enforces constraints
over a new stack frame and an updated lifo. The procedure name, location counter
and lifo of a new stack frame are initialized as:
f ramenew.p = P f ramenew.loc = 0 f ramenew.li f o = []
The list of saved registers of the new stack frame contains those GPRs whose
indices are in the uses list of the declaration of the procedure P to be called.
f ramenew.saved = sublist(cµ.gpr, piµASM (P).uses)
The list of parameters of a new stack frame is set up in a way following compiler
calling conventions CCL . 1 and CCL . 2. Note that before the call instruction the
programmer passes input parameters on lifo in right-to-left order (CCL . 2). Moving
parameters passed on lifo to the parameters component of the new created stack frame
at call requires the index preservation. That is, the parameter found on top of the lifo
of the top stack frame before call corresponds to the parameter with the highest index
in the parameters component of the new created stack frame after call. (cg. Figure 3.2
30 VAMP Macro Assembly
depicts how it is done). Formally,
f ramenew.pars =

rev(take(kp,piµASM , cµ.li f otop)) ◦ [A,A,A,A] if 4 < piµASM (p).npar
piµASM (p).npar︷      ︸︸      ︷
[A, . . . ,A] otherwise
.
where kp,piµASM is the number of parameters passed on the stack to a procedure p to be
called. This number is defined as:
kp,piµASM
def
=
piµASM (p).npar − 4 if 4 < piµASM (p).npar0 otherwise
If there are parameters passed on the stack, then this number of elements is dropped
from the lifo component of the calling stack frame as these elements are already in the
parameter component of the new stack frame.
0 < kp,piµASM −→ li f o′ = drop(kp,piµASM , cµ.li f otop)
In case we want to call a procedure P which is undeclared in the procedure table
piµASM , then the µASM execution ends up with an error state.
DEFINITION 3.35 I
call Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = call P (piµASM (P) = None ∨ ¬is stack(cµ))
piµASM ` cµ →µASM ⊥
The instruction ret If there is a frame to return to in a given µASM configuration
cµ, then the execution returns to a procedure corresponding to the stack frame next
to the top-most one. In the µASM semantics this return is done by removing the top
stack frame from the stack. Following the rule CCL .4 the parameters passed to the
procedure corresponding to the top stack frame are removed at return. Note that these
parameters have been moved from the lifo to the parameter component at a call (see
the call instruction semantics defined before). So that, by removing the top stack
frame we also follow the rule CCL . 4. Also, we restore the values of those GPRs
whose indices are in the uses component of the declaration of the procedure which
corresponds to the top-most stack frame. The constraints on the new values of GPRs
are captured in the predicate Return-Constraints(cµ, piµASM , l, gpr
′).
DEFINITION 3.36 I
ret Semantics
instrcurr(cµ, piµASM ) = ret 2 ≤ |cµ.stack| is stack(cµ)
Return-Constraints(cµ, piµASM , gpr
′)
piµASM ` cµ →µASM dropframe(cµ[gpr := gpr′])
The Return-Constraints(cµ, piµASM , gpr
′) enforces the following constraints:
gpr′[i] =

cµ.savedtop[ j] if ∃ j < |piµASM (cµ.ptop).uses|.
piµASM (cµ.ptop).uses[ j] = i
cµ.gpr[i] otherwise
Any try to return from the first stack frame yields to an error state.
DEFINITION 3.37 I
ret Semantics
Run-Time Error
instrcurr(cµ, piµASM ) = ret (|cµ.stack| = 1 ∨ ¬is stack(cµ))
piµASM ` cµ →µASM ⊥
3.2. Assembling µASM Programs 31
Offset Full Name Description
0 previous base pointer start address of the previous frame base pointer
4 return address where to jump after completion
of the corresponding procedure
Table 3.2: Stack Frame Header Layout
Multiple Step Transition Function
The n-step transition function δµASM :: N × CµASM × ProgµASM 7→ CµASM⊥ is defined
by induction on n:
δ0µASM (cµ, piµASM )
def
= bcµc
δnµASM (cµ, piµASM )
def
=
δµASM (c′µ, piµASM ) if δn−1µASM (cµ, piµASM ) = bc′µc⊥ if δn−1µASM (cµ, piµASM ) = ⊥
3.2 Assembling µASM Programs
In this section we present one of possible ways to implement the µASM assembler.
The crucial points in such a code generation is the stack layout of the compiled µASM
program and the way we manipulate on the stack. First, we will expose the stack
layout as well as we mention resources we need to implement operations on stack.
Finally, we will examine the µASM code generation itself.
3.2.1 Stack Layout
The stack layout used by the µASM assembler is presented in Figure 3.3. Our stack
grows downwards from its origin, i.e. the stack grows in the opposite direction
than memory addresses grow. The first stack frame is found at a stack base address
STACK BASE ADR which is a parameter to the µASM assembler and thus treated as a
constant here. The base address of an active frame, or most of time we refer to it as
top stack frame, is indicated by GPR bp (Table 3.1). The address of a most recently
referenced location on the stack is indicated by GPR sp (Table 3.1). So we use two
GPRs: bp and sp, to implement the operations on stack2.
Each stack frame has a so-called stack frame header which occupies two words
and stores the previous base pointer and return address. The offsets to the base address
of a stack frame and the meaning of stack frame header fields are explained in Table
3.2.
3.2.2 Extending Compiler Calling Convention
There exists another rule in CCL which is not visible in the µASM semantics, but it
becomes visible in the implementation of the µASM assembler. This rule splits up the
task of setting up for and restoring the stack after a procedure call between the caller
and the callee, respectively.
• What the caller should do for setting up the stack for a procedure call:
2Intel X86 uses two registers esp and ebp for the same purpose to implement operations on stack.
32 VAMP Macro Assembly
dummy (4 words)
ra
pbpcasm . gpr [bp]
casm . gpr [ sp ]
top
stack frame
frame header
High Memory
Low Memory
saved
register area
stack 
frame
STACK_BASE_ADR
lifo
saved
register area
ra
pbp
...
lifo
paramnpar−1
param4
...
dummy (4 words)
Figure 3.3: µASM Stack Layout
– reserve space on stack for parameters passed in registers (CCL .2),
– set up the return address field of the frame header.
They are colored as brown in Figure 3.3.
• What the callee should do for setting up the stack for a procedure call, i.e. for
itself:
– set up the previous base pointer field of the frame header,
– set up the base pointer register (GPR bp)
– save registers on stack whose values should preserved during the callee
execution.
They are colored as blue in Figure 3.3.
• What the callee should do for restoring the stack before return from a call:
– restore register values from the stack and clean up the stack from these
values,
– set up GPR bp to its old value it had at the procedure entry, and clean up
the stack from it,
– clean up the stack from the return destination in the frame header,
– remove the passed parameters from the stack (CCL .4).
It is easy to notice that unwinding the stack at a return is completely complementary
to setting up the stack at a procedure call.
3.2. Assembling µASM Programs 33
Code Generation
Here we introduce the function codeµ :: ProgµASM × N × N × N 7→ in f oT that
takes a program piµASM , a program base address PROG BASE ADR, a stack base address
STACK BASE ADR and a stack length STACK MAX SIZE in words and produces static
information in f oµ describing the macro-assembled program3. This static information
comprises the following components:
codeµ(piµASM , PROG BASE ADR, STACK BASE ADR, STACK MAX SIZE) = in f oµ
• in f oµ.code :: Instr∗ is a list of VAMP assembly instructions which represents
the compiled µASM program,
• in f oµ.codeia :: Pname × N 7→ N maps pairs of procedure names and locations,
indicating instructions, to base addresses of those assembled instructions,
• in f oµ.Padr :: Pname 7→ N ∪ ⊥maps a procedure (if exists in the procedure table)
to their compiled start addresses,
• in f oµ.codeba :: N is the base address at which the compiled program starts,
• in f oµ.stackba :: N is the stack base address,
• in f oµ.stacklen :: N is the maximum stack size in words.
To present how the µASM assembler static information is generated we first intro-
duce auxiliary functions needed for that. We start with the definition of the function
codeSµ(instr, p, piµASM ) that generates the list of VAMP assembly instructions which
implements a given µASM statement instr, where this µASM statement is found in the
body of the procedure p implemented in a given µASM program piµASM .
J DEFINITION 3.38
µASM Statement Code GenerationcodeSµ :: SµASM × Pname × ProgµASM 7→ Instr∗
We define this function by case distinctions on a given µASM statements instr. Note
that for some statements we use already pre-computed data, i.e. the µASM assembler
static information is generated in a multi-pass fashion. In our case it is a two-pass
assembler.
VAMP Assembly instructions The code generation of VAMP assembly instructions
modeled in µASM is trivial as nothing extra should be generated besides the instruction
itself. Formally, for instr ∈ Instrcut4µASM :
codeSµ(instr, p, piµASM )
def
= [instr]
3in this thesis we refer to the static information of a macro-assembled (or compiled) program as static
info(-rmation)
34 VAMP Macro Assembly
Goto instructions To generate the corresponding code for goto instructions we need
to know the absolute address where we need to jump to. That is, we need to translate
the target location of a µASM goto statement to the corresponding absolute address. We
denote this address as al and it is computed as
al = adr4loc(in f oµ.Padr(p), p, l, piµASM )
where the function adr4loc computes the desirable address. The definition of this
function will be presented in this section after we treated all instructions. This func-
tion takes a procedure base address in f oµ.Padr(p) as input which is pre-computed data
from the first µASM assembler pass. In the end of this section we will talk about the
order of computations done during the µASM assembling. After computing the address
we can generate the VAMP assembly code corresponding to goto l (cf. Listing 3.1).
But there is still something to discuss, namely, how to load a 32-bit constant repre-
senting this address in a register. There is no special instruction that can load a 32-bit
constant in a register (cf. VAMP assembly semantics examined in Chapter 2). So we
split up the computed address al into two parts each 16-bits wide and load it with the
help of two instructions4 (lines 1-2 of Listing 3.1). In line 3 of Listing 3.1 the jump is
performed to the translated target location.
codeSµ(goto l, p, piµASM )
def
=
Listing 3.1: goto l
1 lhgi t20 abv[15] ⊕ abv[31 : 16] // load 32−bit constant(1)
2 xori t20 t20 abv[15 : 0] // load 32−bit constant(2)
3 jr t20 // jump to l
4 add zero zero zero // delay slot filled with nop
where the bit vector abv is the binary representation of the address al, i.e. abv =
bin32(al)
The code generation for the instruction ifnez r goto l is similar to the previous
instruction except for the zero test on the value of GPR r. In case GPR r does not equal
zero we jump to the last instruction of the generated code (Listing 3.2). Otherwise,
the same steps are performed as for the instruction goto l.
codeSµ(ifnez r goto l, p, piµASM )
def
=
Listing 3.2: ifnez r goto l
1 beqz r 20 // conditinonal test on zero of r
2 add zero zero zero // delay slot filled with nop
3 lhgi t20 abv[15] ⊕ abv[31 : 16] // load 32−bit constant(1)
4 xori t20 t20 abv[15 : 0] // load 32−bit constant(2)
5 jr t20 // jump to l
6 add zero zero zero // delay slot filled with nop
where the bit vector abv is bin32(al).
4Note that immediate constant is always sign extended in the VAMP assembly semantics.
3.2. Assembling µASM Programs 35
Load and Store Parameters The instructions from this group read and store param-
eters which belong to the active stack frame. The code generation is pretty simply.
We read and store parameters with the corresponding relative offsets to the frame base
pointer (GPR bp).
codeSµ(lparam r j, p, piµASM )
def
=
Listing 3.3: lparam r j
1 lw r bp 4 · (2 + j)
codeSµ(sparam r j, p, piµASM )
def
=
Listing 3.4: sparam r j
1 sw r bp 4 · (2 + j)
Push and Pop instructions As the stack pointer GPR sp points to the lowest word
in the stack. The generated code for the µASM statement push r first decrements the
stack pointer by the size of a single word in bytes as the stack grows downwards. Then
the value is stored on the stack. The corresponding the code generation is presented
below.
Listing 3.5: push r
1 subi sp zero 4 // decrement stack pointer
2 sw r sp 0 // put r on top of stack
The generated code for the µASM statement pop r is complementary to push r.
Listing 3.6: pop r
1 lw r sp 0 // read value from top of stack and save it into r
2 addi sp zero 4 // increase stack pointer
The call instruction The µASM instruction call gets translated to code which must
follow the extended CCL. The space is reserved in the stack for parameters passed in
registers (CCL .2). The number of parameters passed in registers is (cf. the compiler
calling convention CCL .1):
parregs(p, piµASM )
def
=
4 if 4 < piµASM (p).nparpiµASM (p).npar otherwise
Also, a single word is reserved on the stack for the return address component of the
frame header of a procedure P. This component is updated by the instruction at line
5. Next, instructions load the start address of the procedure P (lines 2-5). Then the
jump to the procedure P is performed (line 6). The delay slot of this jump instruction
is filled with the instruction saving the return address in the frame header on the stack.
36 VAMP Macro Assembly
ra
bp sp
st
ac
k 
fr
am
e
H
ig
h 
M
em
or
y
Lo
w
 M
em
or
y
lif
o
sa
ve
d
ra pb
p
...
pa
ra
m
4
du
m
m
y 
(4
 w
or
ds
)
pa
ra
m
np
ar
−
1
... pb
p
G
PR
u
se
s 0

...
pa
rs
sa
ve
d
fr
am
e 
he
ad
er
ra
bp sp
to
p
st
ac
k 
fr
am
e
lif
o
sa
ve
d
ra pb
p
...
pa
ra
m
4
du
m
m
y 
(4
 w
or
ds
)
pa
ra
m
np
ar
−
1
...
bp sp
sa
ve
d
ra pb
p
...
du
m
m
y 
(4
 w
or
ds
)
...
lif
o
St
ac
k
pa
ra
m
4
pa
ra
m
np
ar
−
1
...
be
fo
re
 c
al
l
af
te
r c
al
l
w
/o
 p
ro
lo
gu
e
af
te
r c
al
l
w
ith
 p
ro
lo
gu
e
du
m
m
y 
(4
 w
or
ds
)
du
m
m
y 
(4
 w
or
ds
)
du
m
m
y 
(4
 w
or
ds
)
G
PR
u
se
s l−
1
Figure 3.4: Stack states before and after a call
3.2. Assembling µASM Programs 37
Figure 3.4 depicts the stack state before and after executing the code generated for a
µASM call instruction.
Listing 3.7: call P
1 subi sp sp 4 · (parregs(P, piµASM ) + 1) // reserve dummy space on stack
2 lhgi t20 abv[15] ⊕ abv[31 : 16] // load 32−bit constant(1)
3 xori t20 t20 abv[15 : 0] // load 32−bit constant(2)
4 jal t20 // jumping to P
5 sw 31 sp 0 // delay slot: save return address in the frame header
where the bit vector abv is bin32(in f oµ.Padr(P)).
The code generated for a µASM call instruction does not do the whole work what
must be done. Like, setting up the base pointer to a new value, saving registers on the
stack, etc. This missing code, called prologue, is generated and put at the beginning
of each µASM procedure from a µASM program being assembled. That is, we can say
that the code generated for a µASM call instruction is split up into two parts where the
first part is present on the caller side and the second part is present on the callee side.
Next, we examine how exactly the µASM procedure prologue gets generated.
Prologue The prologue is generated for every procedure of a µASM program except
for main one. The prologue code we generate has two parts, where the first is always
generated, and the second is generated in case the uses component of the procedure
declaration is not empty. The first part of the generated prologue is a part of the call
instruction but on the callee side. Here we put the caller GPR bp on the stack. So
we have stored GPR bp in the callee frame header. Then we set up a new frame base
pointer GPR bp for the callee. It is equal to the stack pointer GPR sp decremented
by 4 as the previous instruction which stored GPR bp on stack did not decrement the
stack pointer GPR sp.
The second part of the generated prologue saves those values of GPRs whose
indices are in the list uses = piµASM (p).uses of the procedure declaration, where l =|uses| is the length of this list. This code consists of chunk of store word instructions
which save GPR usesi in order of appearance in the list uses starting from the very
first element. Figure 3.4 depicts the stack state after executing the prologue code.
Listing 3.8: Prologue
1 sw bp sp −4 // save bp in previous base pointer component
2 subi bp sp 4 // switch base pointers (with adjuststed stack poiner)
3 sw uses0 sp −8
4 sw uses1 sp −12
5 ...
6 sw usesl−1 sp −(l · 4 + 4)
7 subi sp sp (l · 4 + 4)
The ret instruction A µASM return instruction gets translated to code that consists
of two parts. The first part is generated in case the uses component of the procedure
declaration of a procedure p we return from is not empty (In Listing. 3.9 lines 1-7
represent this first part). This first part restores values of those GPRs whose indices
are in the uses component. The second part is always generated and it performs the
38 VAMP Macro Assembly
following: (i) adjusts the stack pointer and cleans up the stack from parameters (line
7), (ii) restores the old value of GPR bp (line 5 and line 8), (iii) reads the return address
(line 6) and returns the control to the caller (line 9).
Listing 3.9: ret
1 lw usesl−1 sp 0
2 ...
3 lw uses0 sp (l − 1) · 4
4 addi sp sp l · 4
5 lw tr0 bp 0 // load pbp
6 lw tr1 bp 4 // load ra
7 addi sp sp 8 + 4 · piµASM (p).npar // adjust the stack pointer
8 add bp tr0 zero // restore old bp
9 jr tr1 // return control to caller
10 add zero zero zero // nop in delay slot
The function numSµ(instr, p, piµASM ) returns the number of VAMP assembly in-
structions needed to implement a given µASM instruction instr. After we introduce the
code generation for each µASM instruction it would be easy to check it.
DEFINITION 3.39 I
Size of Assembled µASM Statement in
Instructions
numSµ :: Sµ × Pname × ProgµASM 7→ N
numSµ(instr, p, piµASM )
def
=

1 if instr ∈ Instr
1 if instr ∈ {lparam r i, sparam r i}
2 if instr ∈ {push r, pop r}
6 if instr = goto l
8 if instr = ifnez r goto l
7 if instr = call P
6 if instr = ret ∧ l = 0
7 + l if instr = ret ∧ 0 < l
where l = |piµASM (p).uses|.
The function sizeSµ(instr, p, piµASM ) returns the number of bytes needed to repre-
sent the µASM instruction instr after assembling it to VAMP assembly instructions.
Recall that from Chapter 2 each VAMP assembly instruction is represented by 4 bytes
in memory.
DEFINITION 3.40 I
Size of Assembled µASM Statement in
Bytes
sizeSµ(instr, p, piµASM )
def
= 4 · numSµ(instr, p, piµASM )
Also, we define the function sizeprol(p, piµASM ) returning the size of code in bytes
needed to store the generated prologue for a given procedure p implemented in a given
µASM program piµASM . This size depends on whether a given procedure p is the main
one and on the length of the component uses in the declaration of the procedure p.
DEFINITION 3.41 I
Prologue Size in Bytes sizeprol(p, piµASM )
def
=
3.3. Simulation Theorem 39

0 if main?µASM (p)
8 ¬main?µASM (p) ∧ piµASM (p).uses = []
12 + 4 · |piµASM (p).uses| otherwise
The function adr4loc computes the start address at which the assembled version of
a µASM instruction resides in memory. This µASM instruction is indicated by the location
counter loc and by the procedure P, where the assembled code of the procedure P
starts at address procba.
J DEFINITION 3.42
Address For µASM Statement
Location
adr4loc :: N × Pname × N × ProgµASM 7→ N
adr4loc(procba, p, loc, piµASM )
def
=
procba + sizeprol(p, piµASM ) +
∑loc
i=0 sizeSµ(piµASM (p).body[i], p, piµASM )
The function last(p, piµASM ) :: Pname × ProgµASM 7→ N returns the location of the
last statement of a given procedure P.
last(p, piµASM )
def
= |piµASM [p].body| − 1
Using definitions defined before in this section we define the function codeµ as
follows
in f oµ.code = ©∀ p∈Pname
(
codeprol(p, piµASM ) ◦
©∀ i<last(p,piµASM ) codeSµ(piµASM [p].body[i], p, piµASM )
)
in f oµ.Padr(p) = PROG BASE ADR +
∑
p′<p
(
sizeprol(p′, piµASM ) +∑
i<|piµASM (p′).body| sizeSµ(piµASM (p
′).body[i], p′, piµASM )
)
in f oµ.codeia(p, i) = in f oµ.Padr(p) + sizeprol(p, piµASM ) +∑
j≤i sizeSµ(piµASM (p).body[i], p, piµASM )
in f oµ.codeba = PROG BASE ADR
in f oµ.stackba = STACK BASE ADR
in f oµ.stacklen = STACK MAX SIZE
Here the order of computations is: First the component in f oµ.Padr is computed during
the first pass of the µASM assembler, and during the second pass the rest of the µASM
assembler static information is computed.
It is not presented in the definition presented above, but we assume that the first
µASM procedure generated is the main one. Formally,
in f oµ.Padr(” start”) = PROG BASE ADR
3.3 Simulation Theorem
In this section we present the simulation theorem which states the correctness of the
µASM assembler defined in the previous section. An important aspect of the simulation
theorem5 is the simulation relation between states of the µASM semantics and states
5the motivation of the simulation relation is described in Section 8.2.1 in [Lei07]
40 VAMP Macro Assembly
of VAMP assembly semantics. To guarantee the semantically equivalent execution
of µASM and VAMP assembly machines running a µASM program and its assembled
version, respectively, we define the simulation relation consisµ indicating that both
machines are consistent. We also call this simulation relation assembler consistency.
Then we can prove the correctness of this theorem by a stepwise simulation between
both semantics.
The simulation relation consisµ(cµ, in f oµ, cAS M) states that the VAMP assembly
configuration cAS M encodes the µASM configuration cµ via the µASM static information
in f oµ. It comprises the control consistency consiscontrolµ (cµ, in f oµ, cAS M) and the data
consistency consisdataµ (cµ, in f oµ, cAS M).
DEFINITION 3.43 I
Consistency µASM consiscontrolµ (cµ, in f oµ, cAS M) consis
data
µ (cµ, in f oµ, cAS M)
consisµ(cµ, in f oµ, cAS M)
Before we start with the formal definition of the simulation relation we introduce
some auxiliary functions. We first introduce the function
distbpµASM :: N × f rame∗µ 7→ N
returning the distance (number of bytes) between frame base addresses of the i-th and
(i+1)-th stack frames of the list of stack frames s. The number of passed parameters
to the (i+1)-th stack frame should be taken into account in the computation of the
distance between i-th and (i+1)-th stack frames as well as the size of a stack frame
header (8 bytes) (cf. Figure 3.3). If the i-th stack frame is the top one, then we do not
take into account the number of passed parameters to this stack frame as it is already
taken into account for the computation of distance between i-th and (i−1)-th stack
frames. Formally,
DEFINITION 3.44 I
Distance Between Stack
Frame Base Addresses
distbpµASM (i, s)
def
=4 · (|s[i].li f o|+|s[i].saved|) if i = |s| − 18+4 · (|s[i].li f o|+|s[i].saved|+|s[i+1].pars|) otherwise
Next we define a function
f rameba :: f rame∗µ × N 7→ N
computing an absolute frame base address for the i-th stack frame from the stack
frame list s, where the base address of the first stack frame is identified by the con-
stant STACK BASE ADR introduced in the previous section. This function is based on
the function distbpµASM defined above which computes relative offsets between base ad-
dresses of adjacent stack frames.
DEFINITION 3.45 I
Stack Frame Base Address f rame
ba(s, i) def= STACK BASE ADR −
j<i∑
j=0
(distbpµASM ( j, s))
Having a function computing a stack frame base address and knowing the stack
layout itself (including the frame header) we can define functions reading frame head-
ers of stack frames in memory. First, we define a function
stackword :: f rame∗µ × N × N × (N 7→ B8) 7→ Z
3.3. Simulation Theorem 41
consis
consis
control
consis
data
consis
pc
consis IL
ra
consis
code
consis
mem
consis
s tack
consis
regs
Figure 3.5: µASM Consistency
reading the j-th word belonging to i-th stack frame from VAMP assembly machine
memory m (cf. Figure 3.3).
J DEFINITION 3.46
Reading Word From Stackstackword(s, i, j,m) def= mword( f rameba(s, i) − 4 · j)
Having such a function like stackword(s, i, j,m) we can easily define functions
reading the previous base pointer and return address components from the frame
header of the i-th stack frame.
J DEFINITION 3.47
Reading Frame Headersstackpbp(s, i,m) def= stackword(s, i, 0,m)
stackra(s, i,m) def= stackword(s, i,−1,m)
3.3.1 Control Consistency
The control consistency comprises the program counter consistency consispcµ (cµ, in f oµ, cAS M)
and the return address consistency consisraµ (cµ, in f oµ, cAS M).
J DEFINITION 3.48
Control Consistency
consispcµ (cµ, in f oµ, cAS M) consisraµ (cµ, in f oµ, cAS M)
consiscontrolµ (cµ, in f oµ, cAS M)
The program counter consistency states that the delayed program counter dpc of
the assembly machine cAS M points to the current instruction in the µASM machine cµ.
Also, it states that the normal program counter of the assembly machine cAS M points
to the next instruction.
J DEFINITION 3.49
Program Counter Consistencyconsispcµ :: CµASM × in f oT ×CASM 7→ B
cAS M .dpc = in f oµ.codeia(cµ.ptop, cµ.loctop)
cAS M .pc = cAS M .dpc + 4
consispcµ (cµ, in f oµ, cAS M)
42 VAMP Macro Assembly
The return address consistency states that return address components of frame
headers of all stack frames (except for 0-th one) of the µASM machine cµ point directly
behind the code of call instructions which generated these stack frames. The return
address of i-th stack frame is saved in the memory of the assembly machine cAS M at
address identified by stackra(cµ.stack, i). The next instruction of a procedure which
called a procedure corresponding to the i-th stack frame is identified by the procedure
name and the current location counter of (i−1)-th stack frame of the machine cµ.
DEFINITION 3.50 I
Return Address Consistency
¬is stack(cµ)
∀0 < i ≤ top(cµ). cAS M .mword(stackra(cµ.stack, i)) =
in f oµ.codeia(cµ.stack[i − 1].p, cµ.stack[i − 1].loc)
consisraµ (cµ, in f oµ, cAS M)
3.3.2 Data Consistency
The data consistency comprises the register consistency consisregsµ , code consistency
consiscodeµ , stack consistency consis
stack
µ and memory consistency consis
mem
µ .
DEFINITION 3.51 I
Data Consistency
consisregsµ (cµ, cAS M) consiscodeµ (cµ, in f oµ, cAS M)
consisstackµ (cµ, in f oµ, cAS M) consis
mem
µ (cµ, in f oµ, cAS M)
consisdataµ (cµ, in f oµ, cAS M)
The register consistency argues about the content GPRs and SPRs in the µASM
machine cµ and in the assembly machine cAS M . Here we do not argue about program
counters as we did it in the program counter consistency. There are two GPRs (sp
and bp) which are used for stack operations and whose content should have values
according to their intended meaning from Table 3.1. GPR bp should point to the
base address of the top stack frame of the µASM machine cµ. The difference between
the values stored in GPRs sp and bp of the assembly machine cAS M is the distance
returned by the function distbpµASM for the top stack frame (cf. Figure 3.3). Next, we do
not require the equality of GPRs sp and bp as they are invisible6 in the µASM semantics
as long as there is a stack, but we do require the equality for the other registers.
DEFINITION 3.52 I
Register Consistency is stack(cµ) −→ cAS M .gpr[bp] = f rame
ba(cµ.stack, top(cµ))
∧ cAS M .gpr[sp] = cAS M .gpr[bp] − distbpµASM (top(cµ), cµ.stack)¬is stack(cµ) −→ cµ.gpr[sp] = cAS M .gpr[sp] ∧ cµ.gpr[bp] = cAS M .gpr[bp]
∀i < 32. i < {sp, bp} =⇒ cµ.gpr[i] = cAS M .gpr[i]
∀i < 32. cµ.spr[i] = cAS M .spr[i]
consisregsµ (cµ, cAS M)
The code consistency requires that the compiled code of a µASM program is stored
in the memory of the assembly configuration cAS M at address PROG BASE ADR. In
other words, the code modification is not allowed.
DEFINITION 3.53 I
Code Consistency
6In the µASM semantics the stack registers are artificially invisible. Their invisibility is guaranteed by
the following: any try access them when the stack is created and non-empty yields to an error state.
3.3. Simulation Theorem 43
∀i < |in f oµ.code|. in f oµ.code[i] =
int-to-instr(cAS M .mword(in f oµ.codeba + 4 · i))
consiscodeµ (cµ, in f oµ, cAS M)
The stack consistency comprises the previous base pointer consistency consispbpµ
and the item consistency consisitemµ .
J DEFINITION 3.54
Stack Consistencyconsis
pbp
µ (cµ, cAS M) consisitemµ (cµ, in f oµ, cAS M)
consisstackµ (cµ, in f oµ, cAS M)
The previous base pointer consistency states that previous base pointer compo-
nents of frame headers of stack frames (except for 0-th one) of µASM machine cµ to be
consistent with their intended meaning from Table 3.2, i.e they point to base addresses
of prior stack frames.
J DEFINITION 3.55
Previous Base Pointer Consistency
¬is stack(cµ)
∀0 < i ≤ top(cµ). stackpbp(cµ.stack, i, cAS M .m) = f rameba(cµ.stack, i − 1)
consisstackµ (cµ, in f oµ, cAS M)
After presenting the item consistency we will completely expose the stack layout,
namely how it is represented in memory (cf. Figure 3.3). Note that we do not state
the consistency for components of stack frame headers as it is already covered by the
return address and frame header consistencies. Here we state the relation between
values stored in memory corresponding to a µASM stack frame and their abstracted
equivalents from that stack frame: saved, li f o and pars.
We introduce a few shorthands
savedi = cµ.stack[i].saved
li f oi = cµ.stack[i].li f o
parsi = cµ.stack[i].pars
for the sake of easy understanding of the consistency defined below.
J DEFINITION 3.56
Item Consistency
is stack(cµ) −→
∀ i ≤ top(cµ). ∀ j < distbpµASM (i, cµ.stack).
stackword(cµ.stack, i, j + 1, cAS M .m) =
savedi[ j] if 0 ≤ j < |savedi|
li f oi[ j − |savedi|] if |savedi| ≤ j < |savedi| + |li f oi|
parsi+1[|parsi+1| − ( j − |savedi| − |li f oi|)] otherwise
consisitemµ (cµ, in f oµ, cAS M)
Please note that for the top stack frame the third case is never considered (by definition
of the function distbpµASM ).
44 VAMP Macro Assembly
The memory consistency states that the memory content of both machines is the
same except for memory regions where the stack and the assembled code reside.
DEFINITION 3.57 I
Memory Consistency ∀a ∈ N32.
a < [in f oµ.stackba : in f oµ.stackba − in f oµ.stackmax−size]
∧ a < [in f oµ.codeba : in f oµ.codeba + 4 · |in f oµ.code|]
=⇒ cAS M .m(a) = cµ.M(a)
consismemµ (cµ, in f oµ, cAS M)
3.3.3 Simulation Theorem
In order to succeed with µASM executions that could be simulated by VAMP assembly
machine steps, preconditions have to be fulfilled by a µASM program. These precondi-
tions are stated as predicates over: (i) a µASM program , and (ii) a µASM machine execut-
ing this program. These preconditions are divided into static and dynamic properties.
Static Properties They can be shown by a static check without any execution of the
µASM program. Hence, they are stated for a given µASM program piµASM . Namely, they
are stated over declared and defined procedures in this program and these properties
are: (i) declared indices in the uses component of the procedure declaration should be
unique, (ii) the last statement should be a return instruction in each defined procedure
(except for the main one) (iii) there exists a single return statement for each µASM
procedure, except for the main one, and (iv) all µASM goto instructions do not jump out
of the body of the µASM procedure it belongs to, this property indicates whether the
procedure can be translated to VAMP assembly or not. Formally,
DEFINITION 3.58 I
Static Properties On µASM Program
∀ p ∈ Pname. piµASM (p) , ⊥ ∧ piµASM (p).body , extern −→
dstnct?(piµASM (p).uses)∧ (¬main?µASM (p) −→ ∃!i. piµASM (p).body[i] = ret ∧ i = piµASM (p).body − 1)∧ ∀ loc < |piµASM (p).body|. piµASM (p).body[loc] ∈ {goto l, ifnez r goto l} −→
0 ≤ l < |piµASM (p).body|
stat-propµASM (piµASM )
Dynamic Properties The µASM semantics does not react anyhow on a stack over-
flow. Thus we cannot guarantee equivalent execution between µASM program and its
assembled version in this case. We fill this gap in the same way as Leinenbach did
in [Lei07] by introducing a predicate avail-stackµASM which checks whether a given
µASM machine cµ runs out of the stack memory or not.
DEFINITION 3.59 I
Enough stack available avail-stackµASM :: CµASM × N × N 7→ B∑i<|cµ.stack|
i=0 dist
bp
µASM (i, cµ.stack) < STACK MAX SIZE
avail-stackµASM (cµ)
Also, we require that the µASM program does not modify itself as well as the stack.
We use the following shortcuts I = instrcurr(cµ, piµASM ) and eadr = cµ.gpr[rs(I)] +
imm(I).
DEFINITION 3.60 I
No Self Modification
I ∈ Instrcut4µASM ∧ instr-store?(I) −→ ¬(adr ≤ eadr ∧ eadr < adr + 4 · len)
no-self-modµASM (cµ, piµASM , adr, len)
3.3. Simulation Theorem 45
where adr is the program base address and len is the program length.
J DEFINITION 3.61
No Stack UpdateI ∈ Instrcut4µASM ∧ instr-store?(I) −→¬(STACK BASE ADR ≤ eadr ∧ eadr < STACK BASE ADR + STACK MAX SIZE)
no-stack-modµASM (cµ, piµASM )
A µASM program could produce an interrupt in case the effective address of memory
instructions is not word aligned.
J DEFINITION 3.62
No Data MisalignmentI ∈ Instrcut4µASM instr-ls?(I) −→ eadr mod 4 = 0
no-dmalµASM (cµ, piµASM )
Before we state the dynamic properties, we join all step properties together in the
predicate step-propµASM .
J DEFINITION 3.63
Step Propertiesstep-propµASM :: CµASM × ProgµASM × N × N × N × N 7→ B
no-self-modµASM (cµ, adr, len) no-stack-modµASM (cµ, piµASM )
no-dmalµASM (cµ, piµASM ) cµ.spr[mode] = 0
step-propµASM (cµ, piµASM , adr, len)
The µASM dynamic properties are stated by the predicate dyn-props?µASM defined
below:
J DEFINITION 3.64
Dynamic Propertiesdyn-props?µASM :: CµASM × ProgµASM × N × N × N 7→ B
∀ i < n. δiµASM (cµ, piµASM ) = bciµc −→
avail-stackµASM (c
i
µ) ∧ step-propµASM (cµ, piµASM , adr, len)
dyn-props?µASM (cµ, piµASM , adr, len, n)
J THEOREM 3.65
µASM simulates VAMP Assembly
Let piµASM be a µASM program, and cAS M be the initial state of the VAMP assembly
machine. Then for any number of steps n of the µASM machine executing program
piµASM there exists such a number of steps of the VAMP assembly machine such that the
µASM machine after n steps is still consistent with the VAMP assembly machine after
T steps. However, new machine states are consistent if the following requirements
about the µASM and VAMP assembly machines are fulfilled:
• The µASM program satisfies static properties,
• The µASM configuration cµ and VAMP assembly configuration cAS M are valid
and they are consistent,
• After performing n steps the µASM machine cµ did not get stuck,
• For all steps of the µASM machine up to step n the dynamic properties hold.
Formally, this theorem is stated as follows:
46 VAMP Macro Assembly
stat-propµASM (piµASM )∧ validasm(cAS M)
∧ validµASM (cµ)∧ consisµ(cµ, in f oµ, cAS M)
∧ δnµASM (cµ, piµASM ) = bc′µc∧ dyn-props?µASM (cµ, piµASM , adr, len, n)
=⇒
∃ T, c′AS M .
δTASM(cAS M) = c
′
AS M∧ validasm(c′AS M)∧ validµASM (c′µ)
∧ consisµ(c′µ, in f oµ, c′AS M)
Proof: We prove this theorem by induction on the step number n of the µASM
machine.
We start the induction with n equals zero. As nothing was changed, preconditions
conclude the validity of both machines and the assembler consistency.
For the induction step we have to conclude from step n to n+1. We prove this case
by a case distinction on the instruction to be executed at step i+1 by the µASM machine.
For all µASM statements the proof follows from the µASM assembler implementation
presented in the previous section.

C
H
A
P
TE
R
4
Abstract Intermediate Language C
An intermediate representation (IR) is the ”heart” of every compiler. It acts as central
structure around which compilers are built. The compiler front-end translates a source
program into its IR, some set of optimizations is performed over the IR if needed, then
the back-end of the compiler generates from that IR a target code that can be run on
the target processor [ASU86]. Figure 4.1 illustrates a usual compilation process.
What kind of advantages we get from using an IR in compilers:
• Compiler front- and back-ends are separated that allows to support re-targeting
(in other words, cross-platform compilation),
• Compiler performs most optimizations on IR as IR is machine-independent.
In this chapter, as the next formal contribution in terms of C Semantics to the
model stack, the semantics of a very low-level unstructured intermediate represen-
tation of a programming language C is presented, called Abstract C-Intermediate-
Language, short, C-IL (pronounced ”c i l”), not to be confused with Common Inter-
mediate Language (CIL)1. The C-IL semantics was invented by S.Schmaltz and was
presented in our joint paper [SS12]. So, this semantics is not considered as a contri-
bution to this thesis.
C-IL is an intermediate language that has a rich type system while at the same
time being as short as possible regarding control flow and number of instructions. The
main goal S.Schmaltz wants to achieve is not have a nice language for programming
and optimizations but instead to be an intermediate representation language used for
proofs, e.g. of low-level operating systems and hypervisors, optimizing C compilers,
etc., and for combining with high-level assembly languages, like µASM.
The C-IL language is a goto-language defined in form of a labeled transition sys-
tem, like µASM presented in the previous chapter. C-IL is defined using an abstract
syntax that can be extracted from a concrete syntax tree in a straight forward way.
C-IL operates on a global byte-addressable memory and on an abstract stack. The
1formerly called Microsoft Intermediate Language (MSIL)
47
48 Abstract Intermediate Language C
Source Code
Front-End
Intermediate Representation Optimizations
Back-End
Binary
Figure 4.1: Typical Compilation Process
heap is not considered as a separate memory since the notion of a heap only exists
when there is some form of memory allocation system available (e.g. provided by the
standard library or the operating system). Pointer arithmetics is allowed on pointers to
the global memory, but for local variables it is restricted to calculating offsets inside
local memories. In C-IL every memory access corresponds to dereferencing a left
value, where the left value is a pointer to the global memory or a reference to some
offset in a local variable. There is an issue regarding C-IL, namely it is dependent on
the underlying architecture and compiler. So that, C-IL is parameterizable to make it
applicable to at least the most common cases.
The way we proceed in this chapter is we first introduce Schmalzt’s C-IL seman-
tics. At last we present the compiler correctness theory for C-IL compiled down to
the target language VAMP assembly. We assume that the compilation is performed
by an optimizing C compiler, which we refer to as the C compiler in question. To be
able to present such a theory we will introduce an information about the C compiler
in question which can be extracted from its specification. We want to stress that the
compiler correctness theory is joint work with S.Schmaltz.
4.1 Semantics
4.1.1 Types
The C-IL type system supports:
Primitive Types
Depending on the compiler and underlying architecture, different primitive types may
be provided. For a given instance of C-IL, the set of primitive types TP must be defined
as a finite subset of the set of possible primitive types TPP.
The set of possible primitive types TPP is defined as follows:
• n ∈ N ∧ n ∈ {8, 16, 32, 64} ⇒ in ∈ TPP - signed integer types of size n-bit
• n ∈ N ∧ n ∈ {8, 16, 32, 64} ⇒ un ∈ TPP - unsigned integer types of size n-bit
• void ∈ TPP
4.1. Semantics 49
Note that a primitive type size in bits must be a multiple of 8.
In C-IL there is no direct support of boolean type, like in any C. This type is
implicitly modeled as one of the primitive types of C-IL.
Complex Types
We inductively define the set of complex types T as follows:
• Primitive types: t ∈ TP ⇒ t ∈ T
• Pointers: t ∈ T⇒ ptr(t) ∈ T
• Array types: t ∈ T ∧ n ∈ N⇒ array(t, n) ∈ T
• Function pointers: t, t1, . . . , tn ∈ T⇒ funptr(t, [t1, . . . , tn]) ∈ T
• Struct types: tC ∈ TC ⇒ struct tC ∈ T
Here, TC is a set of struct type names. This set is defined individually for each
C-IL-program we consider. A struct type itself is a type that consists of so-called
fields modeled by the set of field names F. This set contains all possible field names.
A struct is always identified by a unique name, the composite type name. These are
from the set of composite type names TC . The struct type declarations are part of the
C-IL program declaration which we examine later on.
Type Predicates We define predicates is-ptr?, is-funptr?, and is-array? which in-
dicate whether a given type represents either a pointer, an array or function pointer,
respectively.
is-ptr? :: T→ bool
∃t′. t = ptr(t′)
is-ptr?(t)
is-array? :: T→ bool
∃t′, n′. t = array(t′, n′))
is-array?(t)
is-funptr? :: T→ bool
∃t, t1, . . . , tn, n′.
t = funptr(t, [t1, . . . , tn])
is-funptr?(t)
4.1.2 Values
In C-IL values consist of an actual value and a type information. The value is repre-
sented as a byte-string The type tells us in what way the value needs to be interpreted.
We define the set of values val as the union of the following sets:
val def= {valuk ∪ valik | k ∈ N} ∪ valstruct ∪ valptr ∪ valfunptr ∪ valfun ∪ vallref
where definitions of the aforementioned sets are:
• Set of primitive values:
– n ∈ N ∧ b ∈ Bn ⇒ val(b,un) ∈ valun
– n ∈ N ∧ b ∈ Bn ⇒ val(b, in) ∈ valin
where n ∈ {8, 16, 32, 64} is the number of bits.
We introduce functions val2Int :: val 7→ Z and val2Nat :: val 7→ N which
convert C-IL values of signed and unsigned integer types to integer and natural
numbers, respectively. We omit their definitions due to their simplicity.
50 Abstract Intermediate Language C
• Set of structs:
– tC ∈ TC ∧ B ∈ (B8)∗ ⇒ val(B, struct tC) ∈ valstruct
• Set of pointers2:
– a ∈ Bsizeptr∧t ∈ T∧(is-ptr?(t)∨is-array?(t))⇒ val(a, t) ∈ valptr(t) ⊆ valptr
– a ∈ B8sizeptr ⇒ val(a, fptr) ∈ valfunptr
Here, for pointers the type information is the one from the pointer itself and
not the type of the value the pointer points to. Note that array values are also
pointers, thus, we allow them to occur as pointer values. (They will be used syn-
onymous to a pointer to the first element of the array in expression evaluation).
Note that, in the case of function pointers, to define operational semantics, we
do not attach the type of the function pointed to to the value of the function
pointer since we can get this information easily from the function table which
we will define in this chapter later on. Instead, we just use fptr to denote that
this value represents some function pointer (which can then be looked up in the
function table).
• Set of local references:
– v ∈ V∧o ∈ N∧i ∈ N∧t ∈ T∧(is-ptr?(t)∨is-array?(t))⇒ lref((v, o), i, t) ∈
vallref
where V is the set of variable names.
Note that we differentiate between pointers to the global memory and pointers
to local memories (on the stack) here. The latter ones we call local references
and they can only occur as intermediate values during expression evaluation or
as return destinations. A local reference contains information about the local
variable name v, byte-offset in that variable o, and the stack frame number i it
belongs to. Worth to note that function pointers are never local references.
• Set of symbolic function values:
– f ∈ Fname ⇒ fun( f ) ∈ valfun
In a C-IL-program, inline functions may occur or the function pointer address
may not be defined in the context for a given function for other reasons. Ob-
viously, then a function pointer value cannot be computed during expression
evaluation. Thus, for these cases we introduce the symbolic value standing for
the function. This is used in the operational semantics to call such functions.
4.1.3 Expressions
We inductively define the set of expressions E as follows:
• Constants: c ∈ val⇒ c ∈ E
• Variable names: v ∈ V⇒ v ∈ E
• Function names: f ∈ Fname ⇒ f ∈ E
2 sizeptr ∈ N - is a constant describing the size of a pointer in bytes and that depends on the compiler.
4.1. Semantics 51
• Binary operation on expressions: e0, e1 ∈ E ∧ ⊕ ∈ O2 ⇒ (e0 ⊕ e1) ∈ E.
Here we assume that the C compiler translates C code to C-IL representation
in such a fashion that all values passed to operators are correctly typed (where
addition of pointer with any unsigned integer or integer type value counts as
correctly typed). The set of binary operators O2 is
O2
def
= {+,−, ∗, /,%, <<, >>, <, >, <=, >=,==, ! =, & , |, ,ˆ && , ||}
• Unary operation on expression: e ∈ E ∧ 	 ∈ O1 ⇒ 	e ∈ E. The set of unary
operators O1 is
O1
def
= {−,∼, !}
• Ternary operator: e, e0, e1 ∈ E⇒ (e ? e0 : e1) ∈ E
• Type cast: t ∈ T, e ∈ E⇒ (t)e ∈ E
• Dereferencing pointer: e ∈ E⇒ ∗e ∈ E
• Address of expression: e ∈ E⇒ &e ∈ E
• Field access: e ∈ E ∧ f ∈ F⇒ (e). f ∈ E
• Size of type: t ∈ T⇒ sizeof(t) ∈ val
• Size of expression: e ∈ E⇒ sizeof(e) ∈ val
• Offset in type: tc ∈ TC ∧ f ∈ F⇒ offsetof(tc, f ) ∈ val
Note, we do not support array access and pointer field access here directly, instead,
they simply are translated:
• a[k] to ∗(a + k)
• a→ b to (∗a).b
4.1.4 Statements
We define the set of C-IL-statements S as follows:
• Assignment: e0, e1 ∈ E⇒ e0 = e1 ∈ S,
• Goto: l ∈ N⇒ goto l ∈ S,
• If-Not-Goto: e ∈ E ∧ l ∈ N⇒ ifnot e goto l ∈ S,
• Function Call: e0, e ∈ E, E ∈ E∗ ⇒ e0 = call e(E) ∈ S,
• Procedure Call: e ∈ E, E ∈ E∗ ⇒ call e(E) ∈ S,
• Return: e ∈ E⇒ return e ∈ S and return ∈ S.
52 Abstract Intermediate Language C
4.1.5 Program
A C-IL-program pi is represented by record type ProgIL defined as follows:
J DEFINITION 4.1
C-IL ProgramProgIL
def
= {VG :: (V × T)∗,TF :: TC → (F × T)∗,F :: Fname → FunT }.
where the purpose of components of this record is:
• VG - a list of global variable declarations,
• TF - a type table for struct types. Given a composite type name tC , the function
returns the list of field declarations for that struct type. A field declaration is a
pair of field name and type. In case there is no type declared for composite type
name tC , the function returns the empty list [].
• F - a function table that is represented as a partial function from the set of func-
tion names Fname to function table entries. A function table entry is represented
by record type FunT that will be defined now.
Function table entry A function table entry is defined as follows:
DEFINITION 4.2 I
C-IL Function Declaration
FunT def= {rettype :: T, npar :: N,V : (V × T)∗,P : (S∗ ∪ {extern})}.
where the purpose of components of that record type is:
• rettype - a return value type,
• npar - a number of input parameters,
• V - a parameter and local variable declaration list, in which the first npar ele-
ments are parameters,
• P - a function body represented as the list of C-IL statements. If function is not
defined within a C-IL program, then it is marked by a special keyword extern.
It means that the function is implemented outside the C-IL program, e.g. in an
assembly program.
4.1.6 System Parameters
C-IL is such a low-level language that its semantics cannot be fully specified without
knowledge about the system parameters it runs under. These system parameters de-
pend on the compiler itself as well on the underlying architecture. In this thesis we
are interested in the following system parameters grouped in record S ystemIL:
• endianness :: {little,big} - indicates the endianness of the underlying architec-
ture, i.e. the order in which bytes are stored in memory,
• Gadr :: V→ valptr - returning the address for a given global variable name.
• Fadr :: Fname ⇀ valptr - is a partial mapping from a function name to a function
pointer address. Note that for any given program, this mapping is injective and
only yields addresses from the code range. For functions declared extern and
for inline functions this function need not be defined.
4.1. Semantics 53
• sizeptr :: N - size of the pointer type in bytes,
• sizestruct :: TC → N - size of struct types in bytes,
• offset :: TC × F⇀ N - returning the byte-offset of a field in a struct type,
• cast :: val × T→ val - which performs type cast for values,
• size t :: TP - the type of the value returned by the sizeof-operator,
Size of Types
For each type, there is an associated number that describes the number of bytes needed
to store a value of that type in memory, the size of the type. We define the function
size :: T × S ystemIL → N that returns the size of a given C-IL type t that depends on
given system parameters θ.
sizeθ(t) =

k
8 t = ik ∨ t = uk
θ.sizeptr is-ptr?(t) ∨ is-funptr?(t)
n · size(t′) t = array(t′, n)
θ.sizestruct(tC) t = struct tC
4.1.7 Configurations
C-IL configurations are represented by record type CIL that consists of a byte-addressable
memory (M) and an abstract stack (stack), where the latter one is represented as a list
of C-IL stack frames. Obviously, we do not need to model a no-stack in C-IL as it was
done in the µASM semantics examined in Chapter 3.
J DEFINITION 4.3
C-IL Configuration
CIL
def
= {M :: Bsizeptr 7→ B8, stack :: f rame∗C-IL}
A stack frame in C-IL corresponds to a function (procedure) which has not yet
been terminated with return, like in µASM. It is represented by record type f rameC-IL
that is defined as follows:
J DEFINITION 4.4
C-IL Stack Frame
f rameC-IL
def
= {ME :: V 7→ (B8)∗, rds :: valptr ∪ vallref ∪ {⊥}, f :: Fname, loc :: N}
where the components of this record are:
• ME is a local variable environment mapping variable names to local byte-offset-
addressable memories (represented as list of bytes).
• rds is a return value destination describing where the result value returned to
the current frame has to be stored. It is either a pointer to where the return
value of the function is going to be stored, a local reference to a variable of the
stack frame ”below” at which offset the return value has to be written to, or ⊥
denoting the absence of a return destination.
• f and loc is a function name and a statement location counter, respectively. Like
it was done in µASM, these two components describe the control flow of a C-IL
program.
54 Abstract Intermediate Language C
Memory Semantics
On the one hand we have byte-addressable memories, on the other we have typed
values. The function readθ(cIL, a) derefences a given pointer value v in a given con-
figuration cIL and returns it.
readθ :: CIL × (valptr ∪ vallref) 7→ val
The function writeθ(cIL, a, v) writes a given value v to a given address a in memory
of a given configuration cIL.
writeθ :: CIL × val × (valptr ∪ vallref) 7→ CIL
To specify the effect, similar functions readθE and write
θ
E are provided to read and
write a local variable/parameter (identified by variable name) from a stack frame.
They have the following signatures:
readθE :: f rameC-IL × V→ val
writeθE :: f rameC-IL × V × val→ f rameC-IL
Note that, since addresses of local variables are not explicitly modeled (this would
either expose stack layout) the C-IL semantics carries the limitation that pointers to
local variables cannot be stored in memory.
We have omitted their definitions because it is too detailed for this thesis.
4.1.8 Operational Semantics
Expression Evaluation
Expressions are evaluated by a function that returns either a C-IL-value or the special
value ⊥ that denotes that the expression cannot be evaluated:
[e]pi,θc ∈ val ∪ {⊥}
Depending on the expression, we may need the complete state, i.e. configuration,
program and system parameters, to evaluate it. We omitted its definition as it is too
detailed for this thesis.
Statement Execution
In defining the semantics of C-IL we will use the following shorthand notation:
cIL. fi
def
= cIL.stack[i]. f
cIL.loci
def
= cIL.stack[i].loc
As shorthands for the members of the top stack frame in a C-IL-configuration:
• cIL.MEtop def= hd(cIL.stack).ME
• cIL.rdstop def= hd(cIL.stack).rds
• cIL. ftop def= hd(cIL.stack). f
• cIL.loctop def= hd(cIL.stack).loc
4.1. Semantics 55
The next statement to be executed by a C-IL machine running some C-IL program
is identified by the control components of the top stack frame of the stack of this
machine. We define the function
stmtcurr :: f rame∗C-IL × ProgIL 7→ S
that takes a C-IL stack s (instead of a C-IL configuration) and a C-IL program pi as
input and returns the next statement to be executed by a C-IL machine whom the stack
s belongs to. This function is defined as
J DEFINITION 4.5
Current Statement
stmtcurr(s, pi)
def
= pi.F (hd(s). f ).P[hd(s).loc]
The function top :: CIL 7→ N returns the index of the top stack frame in a given
configuration cIL:
J DEFINITION 4.6
Top Stack Frame Index
top(cIL)
def
= |cIL.stack| − 1
Further, we define the functions
incloc :: CIL 7→ CIL
incloc(cIL)
def
= cIL[stack := hd(cIL.stack)[loc := cIL.loctop + 1] ◦ tl(cIL.stack)]
which increments the location of the top stack frame of a given C-IL configuration cIL,
and
setloc :: CIL × N 7→ CIL
setloc(cIL, l)
def
= cIL[stack := hd(cIL.stack)[loc := l] ◦ tl(cIL.stack)]
which sets the location of the top stack frame to location l, and
drop f rame :: CIL 7→ CIL
drop f rame(cIL)
def
= cIL[stack := tl(cIL.stack)]
which removes the top stack frame from a given C-IL configuration cIL, and
setrds :: CIL × val 7→ CIL
setrds(cIL, v)
def
= cIL[stack := hd(cIL.stack)[rds := v] ◦ tl(cIL.stack)]
which sets the return destination of the top stack frame to a given value v.
The predicate zero :: val 7→ bool indicates whether a given value represents a zero
value.
The predicate is-function :: valptr × Fname × S ystemIL 7→ bool indicates whether a
given function pointer address corresponds to a given function name
θ.Fadr(v) = f
is-function(v, f , θ)
4.1.9 Transition Function
We denote a C-IL configuration cIL making a step to configuration c′IL under the pro-
gram pi in the context θ by
56 Abstract Intermediate Language C
DEFINITION 4.7 I
C-IL Transition Function pi, θ ` cIL →IL c′IL.
It is defined by treating each C-IL statement.
Assignment As an effect of such a statement execution the evaluated right hand
expression of this statement is stored in the memory of the C-IL configuration cIL at
address that is the evaluated left hand side expression of this statement. Also, the
location counter of the top stack frame of a C-IL configuration gets increased by one.
Formally,
stmtcurr(cIL.stack, pi) = e0 = e1
pi, θ ` cIL →IL incloc(writeθ(cIL, [&e1]θ,picIL , [e0]θ,picIL ))
Goto This statement performs a so-called unconditional jump to the target location
and it is defined as follows:
stmtcurr(cIL.stack, pi) = goto l
pi, θ ` cIL →IL setloc(cIL, l)
If-Not-Goto In comparison to the goto statement this statement performs a condi-
tional jump. That is, there are two cases: (i) if the evaluated logical test expression e
of the statement is equal zero, then the same happens as it just were a goto statement
with the same target location,
stmtcurr(cIL.stack, pi) = ifnot e goto l zero([e]θ,picIL )
pi, θ ` cIL →IL setloc(cIL, l)
(ii) in case the evaluated test expression e fails, i.e. it is not equal zero, then the
execution of such a statement does not change anything except for the location counter
of the top stack frame of the configuration cIL which gets increased by one. That is, it
operates like a no-operation statement. Formally,
stmtcurr(cIL.stack, pi) = ifnot e goto l ¬zero([e]θ,picIL )
pi, θ ` cIL →IL incloc(cIL)
Call A call statement is treated here if it is not external and it either is a function or
procedure call. The function name string identifer is obtained from the expression e
of the call statement (the expression e represents the function f ). As a result of the
call statement execution a new stack frame is created and is put on the top of the stack.
Also, the location counter of the original top stack frame gets increased by one. So
that, the execution will resume at the next statement after the call statement whenever
the called function(procedure) returns.
stmtcurr(cIL.stack, pi) ∈ {call e(E), e0 = call e(E)}
is-function([e]pi,θcIL , f , θ) pi.F ( f ).P , extern
callframe(cIL, f , E, f ramenew)
pi, θ ` cIL →IL setrds(cIL, [&e0]θ,pic )[stack := f ramenew ◦ incloc(cIL).stack]
4.2. Compiler Correctness Theory 57
consisIL consisIL
casm c ' asm
c IL c ' IL
Figure 4.2: CIL Compiler Consistency at IO-points
The new stack frame is chosen nondeterministically according to the following
constraints captured in the predicate callframe(cIL, f , E, f ramenew):
∀0 ≤ i < npar : readθE(framenew, vi) = [E[i]]θ,pic
∀npar ≤ i < len(V) : len(framenew.ME(vi)) = size(ti)
framenew.loc = 0, framenew. f = f , framenew.rds = ⊥
Here, npar = pi.F ( f ).npar is the number of input parameters of the function f ,
V = pi.F ( f ).V is the declaration list of parameters and local variables of the func-
tion f , and (vi, ti) = V[i] is the i-th declaration in that declaration list. Note that
we only place a strict constraint on the parameter values. The initial content of local
variables is chosen nondeterministically with appropriate size for the declared type.
Return There are two return statements: (i) return from a function call, i.e. return
with result, and (ii) return from a procedure call, i.e. return without result. In the first
case the evaluated result expression [e]θ,picIL of the return statement is stored in the mem-
ory at the address identified by the return destination component drop f rame(cIL).rdstop.
Also, for both statements the top stack frame of a C-IL configuration is removed.
J DEFINITION 4.8
Return With Resultstmtcurr(cIL.stack, pi) = return e drop f rame(cIL).rdstop , ⊥
pi, θ ` cIL →IL writeθ(drop f rame(cIL), [e]θ,picIL , drop f rame(cIL).rdstop)
J DEFINITION 4.9
Return Without Result
stmtcurr(cIL.stack, pi) = return
pi, θ ` C-IL→IL drop f rame(cIL)
4.2 Compiler Correctness Theory
In this section we introduce CIL simulation relation, called compiler consistency, for
an optimizing C compiler. The simulation relation consisIL(cIL, in f oIL, cAS M) states
that the VAMP assembly configuration cAS M encodes the C-IL configuration cIL via
the C-IL static information in f oIL at IO points. An IO point3 is a point indicating
3the notion of IO points was introduced in [DPS09]
58 Abstract Intermediate Language C
Return Address
Old bpbp
sp
Function 
Args
Top Stack 
Frame
High Memory
Low Memory
Callee Save
Regs
STACK_BASE_ADR
Local Vars
Caller Save
Regs
Old bp
...
Local Vars
Return Address
Return Destination
Callee Save
Regs
Temporaries
Temporaries
Function 
Args
Stack Frame
Figure 4.3: C-IL Stack Layout
a statement in the execution sequence of statements of the source code at which the
execution effect of preceding instructions in the compiled code with optimizations is
the same as it had been compiled without optimizations. IO points we are interested in
are function and external function calls. At this place we assume that the optimizing
C compiler in question does not perform interprocedural optimizations. We need such
an assumption to guarantee that an IO point like a function call in a source code will
not be removed, e.g. inlined, after compiling it to target code. Also, we assume the
evaluation of parameters to a call is done within the code generated for this call. So
that, any pre-computations for evaluating parameters of a call cannot be done before
the code generated for this call. In order to allow for an optimizing C compiler in
question to generate these pre-computations we would need to split the call and return
statements of the original C-IL semantics into the sequence of new statements. By
that we obtain a new semantics, called C-IL-Minor. That will be a future work for
extending the compiler correctness theory.
In order to be able to state the simulation theorem we need at least to agree how the
stack layout looks like of the generated code by an optimizing C compiler in question.
4.2. Compiler Correctness Theory 59
4.2.1 Stack Layout
The stack layout we use for C-IL is depicted in Figure 4.3. This stack layout dif-
fers from the stack layout depicted in Figure 3.3 at some places, but they have the
same frame headers and the region containing passed parameters is found at the same
place in both stack layouts. This is an important aspect to a technically sound model
coupling the µASM and C-IL languages.
Having fixed the stack layout it is not difficult to figure out what the code generated
for a call by the compiler is doing. However, let us go through blocks of a stack frame
depicted in 4.3 which are saved at a call. Before a call temporaries are on top of the
stack. Temporaries in a C-IL stack frame corresponds to lifo in a µASM stack frame.
The code generated for a call puts first caller-save registers on stack, then it puts
the return destination address in case a result value must be returned from the call.
Next, input arguments are put on the stack as well as the return address at which the
execution will resume when the called function returns. That is what is done by the
code generated for a call at the caller side. The code generated for a call at the callee
side, called prologue, puts first the frame base pointer on the stack, then reserves the
space for local variables, and at last stores callee-save registers.
Static Information Describing Compiled C-IL Program
Here we introduce the function codeIL :: ProgIL × N × N × N 7→ in f oTIL that
takes a program pi, a program base address PROG BASE ADR, a stack base address
STACK BASE ADR and the stack length STACK MAX SIZE and produces static informa-
tion in f oIL describing the compiled C-IL program. This static information comprises
the following components:
• in f oIL.code : Instr∗ is the list of VAMP assembly instructions that represents
the compiled C-IL program,
• in f oIL.codeba : N is the base address of the compiled code,
• in f oIL.stackba : N is the stack base address,
• in f oIL.stacklen : N is the stack size in words,
• in f oIL.codeia : (Fname × N) → N maps pairs of function names and locations,
indicating statements, to base addresses of those compiled statements,
• in f oIL. f unba : Fname → N ∪ {⊥} maps functions (if declared and defined in the
C-IL program) to their compiled start addresses,
• in f oIL.iop : Fname × N → bool indicates whether the statement identified by a
given location and function name is an IO point.
• in f oIL.lvarreg : V × Fname × N → N ∪ {⊥}maps a given local variable name
that belongs to the function identified by a given function name and a given IO
point index to the index of a assembly machine register that contains the value
of this local variable.
• in f oIL.lvaro f f : V × Fname → N maps local variables and function names to
offsets where local variable (input parameter) values are stored in stack frames
which corresponds to the function names. This offset is relative to the base
address of a stack frame.
60 Abstract Intermediate Language C
• in f oIL.sizecaller−save : Fname × N → N returns the number of bytes that will be
used on the stack after executing the statement identified by a given pair of the
location counter and the function name (cf. Figure 4.4). Here we want to stress
that the number of bytes that is used to store caller’s data on the stack can differ
for the same function call called from different places within the C-IL program.
Here we introduce two lists caller and callee containing caller- and callee-save
GPR indices, respectively, which are compiler dependent. Typically, the con-
catenation of both lists should contain all GPR indices. But we do not rely
anyhow on that.
• in f oIL.sizeparams : Fname → N returns the number of bytes that is occupied by
input parameters passed on the stack to a call to the function identified by a
given function name (cf. Figure 4.4).
• in f oIL.sizelvars : Fname → N returns the number of bytes that is occupied by
local variables stored on the stack for a given function.
• in f oIL.distbp : Fname × N → N is a mapping that returns the number of bytes
occupied in a stack frame by a given function at the statement indicated by a
given location, where this statement must be an IO point (cf. Figure 4.4).
Note that we do not present the definition of the function codeIL as it completely
depends on the specification of an optimizing C compiler which is another topic that
is not a part of this thesis.
Before we present the C-IL compiler consistency we first introduce a few auxiliary
functions. We first define the function
distbpIL :: N × f rame∗C-IL × in f oTIL 7→ N
computing the distance (number of bytes) between stack frame base addresses of the
i-th and (i+1)-th stack frames from a given list of stack frames s with respect to the
information in f oIL about the compiled code. In the definition of this function we make
case distinctions on whether the i-th stack frame from the list of stack frames s is the
top one or not.
• If the i-th stack frame is the top one, then the distance returned by this function
is identified by the static information component in f oIL.distbp (cf Figure 4.4).
• Else, i.e. i-th stack frame is not the top one, the distance is computed as the sum
of (cf. Figure 4.4):
– the stack frame size before a call that created the (i +1)-th stack frame.
Recall that after executing a call statement in the C-IL semantics the loca-
tion counter of the stack frame corresponding to caller is incremented. So
that, when the called function terminates the execution resumes at the next
statement. Because of this incrementing in ”advance”, in the definition of
the function distbpIL , the location counter of the i-th non-top stack frame
is adjusted by decrementing it so that it points to a call statement(whose
execution created the (i+1)-th stack frame) that is an IO point.
– the caller-save block size in the i-th stack frame,
– 4 bytes containing a return destination. These four bytes are added to the
distance in case the return destination is defined for the i-th stack frame,
4.2. Compiler Correctness Theory 61
ra
pbpbp
sp
Function 
Args
Top Stack 
Frame
High Memory
Low Memory
Callee Save
Regs
Stack Frame
STACK_BASE_ADR
Local Vars
Caller Save
Regs
...
Local Vars
Return Destination
Callee Save
Regs
Temporaries
Temporaries
infoIL .distbp..
infoIL .distbp..
Function 
Args
infoIL . sizecaller−save ..
infoIL . size params ..
distbp
IL ..
distbp
IL ..
ra
pbp
8
4
Figure 4.4: C-IL Stack Layout
– the size of a block containing the parameters passed to a function call
corresponding to the (i+1)-th stack frame,
– 4 bytes representing the return address of the frame header corresponding
to the (i+1)-th stack frame, and
– 8 bytes representing the frame header corresponding to the (i+1)-th stack
frame
So the function distbpIL is defined as
J DEFINITION 4.10
Distance Between Frame Base
Addresses
distbpIL (i, s, in f oIL)
def
=
62 Abstract Intermediate Language C

in f oIL.distbp(s[i]. f , s[i].loc) if i = top(s)
in f oIL.distbp(s[i]. f , s[i].loc − 1)
+ in f oIL.sizecaller−save(s[i]. f , s[i].loc − 1)
+
4 if s[i].rds , ⊥0 otherwise
+ in f oIL.sizeparams(s[i + 1]. f )
+ 8
otherwise
where f is a function name obtained from the C-IL call-statement identified by the
function name s[i]. f and the location counter s[i].loc − 1 in a C-IL program.
Next we define the function
f ramebaIL :: N ×CIL × in f oTIL 7→ N
that computes the absolute memory address of the i-th stack frame of a given C-IL
configuration cIL, where the stack base address is identified by the component stackba
of a given static information in f oIL. Recall that the stack grows downwards.
DEFINITION 4.11 I
Frame Base Address f ramebaIL (i, cIL, in f oIL)
def
= in f oIL.stackba −
∑
j<i
distbpIL ( j, cIL.stack[ j], in f oIL)
We define two functions with the same signature which read the return addresses
and previous stack pointers from stack frame headers. Let i be a stack frame number,
m the memory of an assembly configuration, in f oIL a static information. Then, the
following functions read frame header information from the i-th stack frame of a given
C-IL configuration cIL.
DEFINITION 4.12 I
Reading frame headers stackpbpIL (i, cIL,m, in f oIL)
def
= mword( f ramebaIL (i, cIL, in f oIL) + 0)
stackraIL(i, cIL,m, in f oIL)
def
= mword( f ramebaIL (i, cIL, in f oIL) + 4)
Next we define the function stackrdsIL reading the return destination put on the stack
at a function(procedure) call that created the (i+1)-th stack frame (cf. Figure 4.4).
DEFINITION 4.13 I
Reading return destination stackrdsIL (i, cIL,m, in f oIL)
def
= mword( f ramebaIL (i + 1, cIL, in f oIL) + 8
+ in f oIL.sizeparams(cIL.stack[i + 1]. f ))
4.2.2 Simulation Relation
We define a simulation relation consisIL between states of C-IL and VAMP assembly
machines.
The simulation relation consisIL(cIL, in f oIL, cAS M) states that the assembly config-
uration cAS M encodes the C-IL configuration cIL via the static information in f oIL. It
comprises (i) control consistency consiscontrolIL (cIL, in f oIL, cAS M), and (ii) data consis-
tency consisdataIL (cIL, in f oIL, cAS M).
4.2. Compiler Correctness Theory 63
consis IL
consis IL
control
consis IL
data
consis IL
pc
consis IL
ra
consis IL
code
consis IL
mem
consis IL
stack
consis IL
regs
Figure 4.5: C-IL Compiler Consistency
J DEFINITION 4.14
C-IL Compiler Consistency
consiscontrolIL (cIL, in f oIL, cAS M) consis
data
IL (cIL, in f oIL, cAS M)
consisIL(cIL, in f oIL, cAS M)
Control Consistency
Control consistency comprises program counter consistency consispcIL (cIL, in f oIL, cAS M)
and return address consistency consisraIL(cIL, in f oIL, cAS M).
J DEFINITION 4.15
Control Consistencyconsis
pc
IL (cIL, in f oIL, cAS M) consis
ra
IL(cIL, in f oIL, cAS M)
consiscontrolIL (cIL, in f oIL, cAS M)
The program counter consistency states that the assembly configuration’s program
counters point to the current C-IL instruction.
J DEFINITION 4.16
Program Counter ConsistencyconsispcIL :: CIL × in f oT ×CASM 7→ B
cAS M .pc = cAS M .dpc + 4
cAS M .dpc = in f oIL.codeia(cIL. ftop, cIL.loctop)
consispcIL (cIL, in f oIL, cAS M)
The return address consistency states that return addresses of all stack frames point
directly behind the code of call instructions which generated these stack frames.
J DEFINITION 4.17
Return Address Consistency∀0 < i < |cIL.stack|. cAS M .mword(stackraIL(i, cIL, cAS M .m, in f oIL) =
in f oIL.codeia(cIL. fi−1, cIL.loci−1)
consisraIL(cIL, in f oIL, cAS M)
Data Consistency
The data consistency comprises code consistency consiscodeIL , memory consistency
consismemIL , register consistency consis
regs
IL , and stack consistency consis
stack
IL .
64 Abstract Intermediate Language C
DEFINITION 4.18 I
Data Consistency
consiscodeIL (cIL, cAS M) consis
mem
IL (cIL, in f oIL, cAS M)
consisstackIL (cIL, in f oIL, cAS M) consis
regs
IL (cIL, in f oIL, cAS M)
consisdataIL (cIL, in f oIL, cAS M)
The code consistency requires that the compiled code is stored at address progbase
in the assembly configuration.
DEFINITION 4.19 I
Code Consistency ∀i < |in f oIL.code|. in f oIL.code[i] = int-to-instr(cAS M .mword(in f oIL.codeba + 4 · i))
consiscodeIL (cIL, in f oIL, cAS M)
The memory consistency states that the memory content of both machines is the
same. Since the stack is abstracted in C-IL we do not state memory equality for the
region where the stack resides. As well we do not state the memory equality for the
region where the compiled code is allocated.
DEFINITION 4.20 I
Memory Consistency
∀a ∈ N32.
a < [in f oIL.stackba : in f oIL.stackba − in f oIL.stackmax−size)
∧ a < [in f oIL.codeba : in f oIL.codeba + 4 · |in f oIL.code|)
=⇒
cIL.M(a) = cAS M .m(a)
consismemIL (cIL, in f oIL, cAS M)
The register consistency argues about the content of the stack pointer and base
pointer registers of the assembly configuration. We do not argue about the content of
the other registers like GPRs and SPRs. Do not forget that we have already argued
about the content of program counter in the program counter consistency before. The
stack- and base pointer registers should have values according to their intended mean-
ing from Table 3.1. Namely, GPR bp of the assembly machine cAS M should point to
the base address of the top-most stack frame of the C-IL machine cIL. The difference
between values stored in GPRs sp and bp of the assembly machine is the distance
between frame base addresses for the top stack frame of the machine cIL (cf. Figure
4.4).
DEFINITION 4.21 I
Register Consistency
cAS M .gpr[bp] = f ramebaIL (top(cIL), cIL, in f oIL)
cAS M .gpr[sp] = cAS M .gpr[bp] − distbpIL (top(cIL), cIL.stack, in f oIL)
consisregsIL (cIL, in f oIL, cAS M)
4.2. Compiler Correctness Theory 65
consis IL
fhconsis IL
stack
consis IL
top
consis IL
rds
Figure 4.6: C-IL Compiler Stack Consistency
The stack consistency comprises return destination consistency consisrdsIL , frame
header consistency consis f hIL , and top stack frame consistency consis
top
IL (cf. Figure
4.6).
J DEFINITION 4.22
Stack Consistency
consisrdsIL (cIL, in f oIL, cAS M) consis
f h
IL (cIL, in f oIL, cAS M) consis
top
IL (cIL, in f oIL, cAS M)
consisstackIL (cIL, in f oIL, cAS M)
The return destination consistency states that for all abstract stack frames (except
for the top stack frame) with defined return destinations the memory of an assembly
machine contains these return destinations in the corresponding representation.
J DEFINITION 4.23
Return Destination
Consistency
∀ 0 ≤ i < |cIL.stack| − 1.
cIL.stack[i].rds , ⊥ −→
stackrdsIL (i, cIL, cAS M .m, in f oIL) = val2Int(read
θ(cIL, cIL.stack[i].rds))
consisrdsIL (cIL, in f oIL, cAS M)
The frame header consistency requires the values in the frame headers of the stack
frames to be consistent with their intended meaning (cf. Table 3.2). We do not argue
about the return addresses in this consistency as it is already covered by the return
address consistency.
J DEFINITION 4.24
Frame Header
Consistency
∀ 0 < i < |cIL.stack|.
stackpbpIL (i, cIL, cAS M .m, in f oIL) = f rame
ba
IL (i − 1, cIL, in f oIL)
consis f hIL (cIL, in f oIL, cAS M)
The top stack frame consistency states where input parameters and local variables
of the function call are saved. The value of an input parameter (local variable) is either
saved in the register or put on the stack.
J DEFINITION 4.25
Top Stack Frame
Consistency
∀ i < |cIL. ftop.V|.
in f oIL.lvarreg(vi, cIL. ftop, cIL.ltop) = ⊥ −→
cIL.MEtop(vi) = mword(cAS M .gpr[bp] + in f oIL.lvaro f f (vi, ftop) ∧
in f oIL.lvarreg(vi, cIL. ftop, cIL.loctop) , ⊥ −→
cIL.MEtop(vi) = cAS M .gpr[in f oIL.lvarreg(vi, cIL. ftop, cIL.loctop))]
consistopIL (cIL, in f oIL, cAS M)
where (vi, ti) = cIL. ftop.V(i) is the i-the declaration in the list of parameters and local
variables of the function corresponding to the top most stack frame.
66 Abstract Intermediate Language C
On the one hand we are done with the definition of the C-IL compiler consistency,
but on the other hand one we are not. The reason why we are still not done with the
definition is that some relations are not defined, but it is not possible to define them in
C-IL as it is. These relations must talk about the content preservation of callee-save
registers. The content of registers is not visible in C-IL (but it is only true as long
as interrupts are not modeled in C-IL). In order to be able to talk about the content
of registers we add to the record f rameC-IL modeling C-IL stack frames a specifica-
tion(ghost) component, called gregs. This newly added component represents a copy
of GPRs before a function(procedure) call.
DEFINITION 4.26 I
C-IL Stack Frame
(with gregs)
f rameC-IL
def
= {.., gregs :: Z∗}
So we need to extend the call-rule in the C-IL semantics with the initialization of
the component gregs of the newly created stack frame f ramenew. Since we do not see
values of registers in C-IL we initialized this component with non-deterministically
chosen values so that we can instantiate the corresponding values in the correctness
proof of a C compiler later on.
In the following we state the theorem talking about the preservation of callee-save
registers in code generated by an optimizing C compiler in question.
THEOREM 4.27 I
gregs Content
Let pi be a C-IL program, c0AS M be the initial state of a target machine. Then for any
sequence of a target machine: c0AS M , c
1
AS M , . . ., there exists a C-IL machine sequence
c0IL, c
1
IL, . . . that does not get stuck and does not produce a stack overflow. Moreover,
for any number steps i of a C-IL machine there exists the corresponding host machine
state cs(i)AS M , such that if the current statement to be executed by the C-IL machine at
step i is:
• a call statement, then the callee-save ghost registers gregs of the new created
stack frame of the machine ci+1IL (as an effect of the execution of this call state-
ment) must be the same as the callee-save GPRs of the host machine cs(i)AS M (i.e.
before a call),
• a return statement, then the callee-save ghost registers gregs of the top stack
frame of the machine ciIL must be the same as the callee-save GPRs of the ma-
chine cs(i+1)AS M (the state corresponding to the state c
i+1
IL with the executed return
statement).
Formally, this theorem is stated as follows:
∃ in f oIL. ∀ (ciAS M)i,∃(ciIL)i.
(∀ i. ci+1AS M = δASM(ciAS M)∧ pi, θ ` ciIL →IL ci+1IL∧ the execution of cIL does not get stuck
∧ there is no stack overflow)
∧ ∃ s :: N 7→ N.
(∀ i. in f oIL.iop(ciIL. ftop, ciIL.loctop)).∀ j. j ∈ callee.
∧ stmtcurr(ciIL.stack, pi) ∈ {call e(E), e0 = call e(E)}
−→ ci+1IL .stacktop.gregs[ j] = cs(i)AS M .gpr[ j]∧ stmtcurr(ciIL.stack, pi) ∈ {return, return e}
−→ ciIL.stacktop.gregs[ j] = cs(i+1)AS M .gpr[ j])
4.2. Compiler Correctness Theory 67
We did not prove this theorem as without knowing the implementation of an op-
timizing C compiler being used we are not able to do that. So we assume that this
theorem holds for an optimizing C compiler in question. But one important argu-
ment to prove this theorem is that the callee-save registers must not be changed by
code generated for a call and the callee-save registers must be restored before a return
statement if changed.
J THEOREM 4.28
Compiler Correctness
Let pi be a C-IL program, c0AS M be the initial state of a target machine. Then for any
sequence of a target machine: c0AS M , c
1
AS M , . . ., there exists a C-IL machine sequence
c0IL, c
1
IL, . . . that does not get stuck and does not produce a stack overflow. Moreover,
for any number steps i of a C-IL machine there exists the corresponding target machine
state cs(i)AS M , such that the compiler consistency consisIL(c
i
IL, in f oIL, c
s(i)
AS M) holds if the
statement to be executed at step i by the C-IL machine is an IO point. However, these
states are consistent if the following requirements about the C-IL and VAMP assembly
machines are fulfilled:
• The C-IL program pi is translatable,
• The C-IL configuration cIL and VAMP assembly configuration cAS M are valid
and they are consistent,
• After performing i steps the machine cIL did not get stuck,
Formally, this theorem is stated as follows:
∃ in f oIL. ∀ (ciAS M)i,∃(ciIL)i.
(∀ i. ci+1AS M = δASM(ciAS M)∧ pi, θ ` ciIL →IL ci+1IL∧ the execution of cIL does not get stuck
∧ there is no stack overflow)
∧ ∃ s :: N 7→ N.
(∀ i. in f oIL.iop(ciIL. ftop, ciIL.loctop)
−→ consisIL(ciIL, in f oIL, cs(i)AS M))
Proof: We sketch a proof for this theorem. So the proof is done by induction on
the step number i of the C-IL machine.
We start the induction with i equals zero. In this case we need to show that the
target machine cs(0)AS M after performing s(0) steps will be valid and consistent with the
C-IL machine c0IL. The proof for similar case is shown in Leinenbach’s dissertion
[Lei07] for non-optimizing C compiler.
For the induction step we have to conclude from step i to i + 1. We prove this
case by a case distinction on the C-IL statement to be executed at step i + 1 by the
C-IL machine. For all C-IL statements the proof must follow from the implementation
of an optimizing C compiler in question and the theorem talking about the content
preservation of callee-save registers across calls.


C
H
A
P
TE
R
5
Integrated Semantics µASM and C-IL
In this section we present a model, called MX (from mixed), obtained by integrat-
ing (”mixing”) the µASM and C-IL semantics previously examined in this thesis. This
model was invented in collaboration with S.Schmaltz which resulted in our joint pub-
lication [SS12] presenting this model. To achieve such an integration, we use the
compiler calling convention introduced in Section 3.1.4 and apply it to interface the
two languages. The goal of this integration is to ’slice’ the model stack horizon-
tally, providing a self-contained model to argue about a system layer that involves
both C-IL and µASM code executions. As a result, in the mixed semantics we can im-
plement a non-concurrent software written in two different programming languages:
C-IL and µASM. Considering verification engineering as a social process, providing in-
tegrated semantics offers certain benefits: The person who does soundness proofs for
code-verification tools no longer needs to consider the inner workings of compilers -
instead, they can use the integrated semantics as foundation of their proofs.
We do not introduce a new set of statements in MX as it is done in the µASM and
C-IL models as we do not consider a so-called inter-language statement execution in
the frame of this thesis. That is, programs we want to describe by the MX semantics
do not contain inline assembly portions. However, we model so-called inter-language-
call and -return statements. In the combined semantics MX µASM and C-IL execution
sequences are interleaved at external calls and -returns. That is why the two languages
must follow the same compiler calling convention in the mixed semantics.
5.1 Semantics
We start the description of the MX semantics with the definition of an MX program.
5.1.1 Program
An MX-program pi is simply a record consisting of a C-IL-program piC-IL and µASM-
program piµASM .
69
70 Integrated Semantics µASM and C-IL
DEFINITION 5.1 I
MX-program ProgMX
def
= {piC-IL :: ProgIL, piµASM :: ProgµASM }
5.1.2 System Parameters
Since we need the information about the compiler to execute C-IL we keep the system
parameters θ from C-IL.
5.1.3 Configurations
The most basic way to define an MX configuration is to consider a list of alternating
C-IL- and µASM-configurations that represents the stack between two languages. The
top-most stack configuration we consider active while the rest of them inactive. Ob-
servations that can be made, however, is that (i) in both semantics we use the same
byte-addressable memory, which can be shared, and (ii) we know that SPRs are mod-
eled as a part of µASM configuration and they might also be relevant for C-IL execu-
tions1, which can be shared as well.
In order to eliminate redundancy, we introduce the notion of execution context for
C-IL and µASM in the MX semantics. We distinguish between active and inactive exe-
cution contexts for each language in the MX semantics. After defining these contexts
we will present how MX configurations are modeled.
Active Execution Context An active execution context is a configuration of the cor-
responding language without memory. So the C-IL active execution context is repre-
sented by a list of abstract C-IL frames.
DEFINITION 5.2 I
Active C-IL Execution Context
contextC-IL
def
= f rame∗C-IL
The µASM active execution context has the same components as the µASM configu-
ration besides the memory and SPRs. As we have already told that SPRs are shared
between two languages in the MX semantics. Hence, there is no need to model them
twice. So the µASM active execution context is defined as
DEFINITION 5.3 I
Active µASM Execution Context contextµASM
def
= {gpr :: Z∗, s :: f rame∗µ ∪ f ramenoµ }
Inactive Execution Context An inactive execution context must contain information
needed to continue the execution as expected after becoming active again.
We first define the inactive µASM execution context. Here we make an observation
that it is not meaningful to store values of all GPRs in the inactive µASM execution
context, with one exception: we can keep the values of callee-save registers, since,
assuming C-IL compiler respects the calling conventions, they will be restored when
control is returned back to this inactive context. So the inactive µASM execution context
is defined as
DEFINITION 5.4 I
Inactive µASM Execution Context
1The reader might wonder how it can be relevant for C-IL executions: In case interrupts are modeled
at the C-IL level, i.e interrupts are visible in the C-IL semantics. From the VAMP assembly semantics
presented in Chapter 2 we know that some SPRs gets updated when an interrupt happens. Right now,
interrupts are invisible in the C-IL semantics.
5.1. Semantics 71
contextinactiveµASM
def
= {gprcallee :: Z∗, s :: f rame∗µ}
consisting of a callee-save register file gprcallee that holds values of callee-save regis-
ters of the execution context, and a µASM stack s.
The inactive C-IL execution context definitely must contain a C-IL stack. Another
observation we made is that in order to integrate the two semantics we need to have
the following component to be a part of inactive C-IL execution contexts:
• a callee-save register file that contains values of callee-save registers. The C-IL
compiler relies on the callee-save convention being respected by the program-
mer: in case callee-save registers have modified values when the C-IL execution
context becomes active again, there is no guarantee whatsoever that C-IL exe-
cutions will continue as expected.
So we define the inactive C-IL-execution context as record
J DEFINITION 5.5
Inactive C-IL Execution ContextcontextinactiveC-IL
def
= {gprcallee :: Z∗, s :: f rame∗C-IL}
which consists of a callee-save general purpose register file gprcallee that contains val-
ues of those registers expected when the control is returned to the execution context,
and a C-IL stack s.
Configuration MX configurations are represented by record type CMX defined as
J DEFINITION 5.6
MX-Configuration
CMX
def
=
{ M :: N 7→ B8,
spr :: Z∗,
ac :: contextC-IL ∪ contextµASM ,
sc :: (contextinactiveC-IL ∪ contextinactiveµASM ) ∗}
that consists of the same byte-addressable memoryM we have seen in the µASM and
C-IL semantics, shared special purpose register file spr within two languages (in this
thesis it is used only for µASM language), active execution context ac, and an abstract
stack of inactive(suspended) execution contexts sc. Note that the i-th and (i+1)-th
elements of an abstract stack of inactive execution contexts must be of different types.
This and all other properties about MX configurations are captured in the predicate
validMX stating the well-formedness of a given MX configuration cMX. This predicate
is defined with sc = cMX.sc and l = |sc| as
cMX.ac ∈ contextC-IL −→ l = 0 ∨ sc[l − 1] ∈ contextinactiveµASM
cMX.ac ∈ contextµASM −→ l = 0 ∨ sc[l − 1] ∈ contextinactiveC-IL∀ i + 1 < l. sc[i] ∈ contextinactiveC-IL ←→ sc[i + 1] ∈ contextinactiveµASM∀ i + 1 < l. sc[i] ∈ contextinactiveµASM ←→ sc[i + 1] ∈ contextinactiveC-IL|cMX.spr| = 32
cMX.ac ∈ contextµASM −→ |cMX.ac.gpr| = 32∀i < l.sc[i] ∈ contextinactiveC-IL −→ |sc[i].gprcallee| = |callee|∀i < l.sc[i] ∈ contextinactiveµASM −→ |sc[i].gprcallee| ≤ |callee|¬is stack(cMX) −→ sc = []
validMX(cMX)
72 Integrated Semantics µASM and C-IL
where the predicate is stack :: CMX 7→ bool indicates whether the stack is created or
not in a given MX configuration cMX and it is defined as
cMX.ac ∈ contextµASM −→ cMX.ac.s < f ramenoµ
is stack(cMX)
5.1.4 Auxiliary Functions and Shorthands
Here we introduce the definition of functions which help to describe the MX semantics
and compiler consistency in a brief way.
We define the function
stack f lat :: CMX 7→ ( f rameµ ∪ f rameC-IL)∗
flattening stack frames of the active and inactive contexts for a given MX configura-
tion. Note that stack frames of the active execution context must be on top of the list of
flattened stack frames reconstructed from inactive contexts by means of the function
flat-inact-ctx. In case the stack is not created in a given MX configuration cMX this
function returns an empty list.
stack f lat(cMX)
def
=
cMX.ac.s ◦ flat-inact-ctx(cMX.sc) if is stack(cMX)[] otherwise
where the function flat-inact-ctx is defined as
flat-inact-ctx(sc) def=
hd(sc).s ◦ flat-inact-ctx(tl(sc)) if tl(sc) , [][] otherwise
The function top :: CMX 7→ N returns the index of the top stack frame in the
flattened list of stack frames of a given MX configuration.
top(cMX)
def
= |cMX.stack f lat | − 1
We denote by cMX.stacktop the top stack frame or no-stack of an MX configuration
cMX depending on whether the stack is created in this MX configuration:
cMX.stacktop
def
=
cMX.ac.s if ¬is stack(cMX)hd(cMX.ac.s) otherwise
Based on the above introduced shorthand we denote by cMX. ftop and cMX.loctop the
function name and location counter components of the top stack frame or no-stack of
a MX configuration, respectively.
We introduce another two shorthands cMX. fi and cMX.loci to denote the function
(procedure) name and the location counter, respectively, of i-th stack frame in the
flattened list of stack frames of a given configuration cMX.
cMX. fi
def
=
cMX.stack f lat[i]. f if cMX.stack f lat[i] ∈ f rameC-ILcMX.stack f lat[i].p otherwise
cMX.loci
def
= cMX.stack f lat[i].loc
5.1. Semantics 73
The function
incloc :: f ramenoµ ∪ f rame∗µ ∪ f rame∗C-IL 7→ f ramenoµ ∪ f rame∗µ ∪ f rame∗C-IL
increments the location counter of either the top stack frame of a given list of µASM or
C-IL stack frames or no-stack.
incloc(s)
def
=s[loc := s.loc + 1]] if s ∈ f ramenoµs[top(s) := hd(s)[loc := hd(s).loc + 1]] if s ∈ f rame∗µ ∪ f rame∗C-IL
The function droplifo :: f rame∗µ 7→ f rame∗µ removes the n top elements from the
top stack frame of a given list of µASM stack frames.
droplifo(s, n)
def
=
s[top(s) := hd(s)[li f o := drop(hd(s).li f o, n)]]
The function setrds :: f rame∗C-IL × val 7→ f rame∗C-IL sets the return destination of
the top stack frame of a given list of C-IL stack frames to a given value v.
setrds(s, v)
def
= s[top(s) := hd(s)[rds := v]]
5.1.5 Expression Evaluation
In MX the expression evaluation is performed if and only if the active context of a
configuration cMX is of C-IL type and its definition is based on the C-IL expression
evaluation function:
J DEFINITION 5.7
C-IL Expression Evaluation in MX
[e]θ,picMX
def
= [e]θ,pi.piC-IL(cMX.M,cMX.ac)
5.1.6 Transition Function
We denote an MX configuration cMX making a step to a configuration c′MX under the
program pi and system parameters θ by:
pi, θ ` cMX →MX c′MX.
In the transition function there are six cases we need to consider: two cases for
pure language steps, two cases for inter-language call, and another two cases for inter-
language return.
Considering a given MX configuration, it is easy to decide which of these has to
happen next. Calling a function which is declared as external in the function table
of one language and as defined(non-external) in the function of another language is
considered as an inter-language call causing the exchange of the execution context.
Executing a return statement when the stack of the active stack frame is empty should
activate the last context which was put on a stack of inactive contexts. Everything else
is considered as a pure language step for which we have already defined the semantics.
Let ext(cMX, pi) denotes a predicate that checks in the described way whether the next
step is an inter-language step. There are four cases that make this predicate true. We
do not define this predicate, one can look it up these conditions in cases 3-6. First, we
treat non-external cases (1-2), called pure steps, in the transition function, and then
we treat external ones, called inter-language steps.
74 Integrated Semantics µASM and C-IL
1. Pure C-IL Step It is the case when the active context is of C-IL type and the
current statement of the MX configuration to be executed does not cause the exchange
of the execution context. So that, we consider only steps which are handled by the
C-IL semantics. For this case the MX semantics is defined as follows:
cMX.ac ∈ contextC-IL cMX.ac = s ¬ext(s, pi)
pi.piC-IL, θ ` (cMX.M, s)→IL c′IL
pi, θ ` cMX →MX cMX
[ M := c′IL.M,
ac := c′IL.s
]
2. Pure µASM Step This case is similar to the previous one in a sense that a pure step
is performed here, too. The case presented before covers a pure C-IL step and here a
pure µASM step is considered.
cMX.ac ∈ contextµASM cMX.ac = (gpr, s) ¬ext(s, pi)
pi.piµASM ` (cMX.M, gpr, cMX.spr, s)→µASM c′µ
pi, θ ` cMX →MX cMX
[ M := c′µ.M,
ac := (c′µ.gpr, c′µ.spr, c′µ.s)
]
3. Call from C-IL To µASM This case is identified by the following preconditions:
(i) the active context is of C-IL type, (ii) the current statement of the cMX machine
is either a function or procedure call, (iii) the function (or procedure) to be called is
represented either by a function pointer or a symbolic name, and (iv) the function to
be called is declared as external in the C-IL function table and as non-external in the
µASM procedure table.
If all aforementioned preconditions are fulfilled, then a new µASM context is cre-
ated, initialized according to the calling convention. The currently active C-IL context
is retired to stack of inactive contexts of the MX configuration. Constraints on the
nondeterministically chosen new context and callee-save registers to be remembered
by the active C-IL context to be retired are captured in the predicate CIL2MAS M.
cMX.ac ∈ contextC-IL cMX.ac = s
stmtcurr(s, pi.piC-IL) ∈ {call e(E), e0 = call e(E)}
is-function([e]θ,picMX , f , θ)
pi.piC-IL.F ( f ).P = extern pi.piµASM ( f ).body , extern
CIL2MAS M(cMX, f , E, gprcallee, rds, contextnew)
pi, θ ` cMX →MX cMX
[
ac := contextnew,
sc := (gprcallee, setrds(incloc(s), rds)) ◦ cMX.sc
]
The predicate CIL2MAS M(cMX, f , E, gprcallee, rds, contextnew) enforces the fol-
lowing constraints with n = pi.piµASM ( f ).npar:
• The content of GPRs of the new µASM active context is chosen non-deterministically
except for input registers. According to the calling convention CCL .1 the first
four parameters are passed in registers, the remaining parameters are passed on
the stack.
contextnew.gpr[i j+1] = [E[ j]]θ,pi.piC-ILcMX if 0 ≤ j < 4 ∧ j < n
5.1. Semantics 75
• The stack of the new µASM active context has a single stack frame
contextnew.stack = [framenew]
where the content of this stack frame is defined as follows
framenew.p = f
framenew.loc = 0
∀ i < n. framenew.pars[i] =
[E[i]]θ,picMX if 4 ≤ i ∧ i < nA otherwise
framenew.saved = sublist(gpr, pi.piµASM ( f ).uses)
framenew.li f o = []
• The callee-save registers expected by the retired C-IL-execution context are the
same that reside in the new µASM-execution-context:
gprcallee = sublist(contextnew.gpr, callee \ pi.piC-IL( f ).uses)
Note that those GPRs whose indices are declared in pi.piµASM ( f ).uses will be
restored at return. It is guaranteed by the µASM semantics. Thus, there is no need
to remember them in gprcallee of the C-IL execution context to be retired.
• The return destination component of the retired C-IL-execution-context is:
rds =
[&e0]θ,pi.piC-ILcMX function call⊥ procedure call
4. Return From µASM To C-IL This case is complementary to the previous one. The
preconditions for this case are: (i) the active context is of µASM type, (ii) the statement
to be executed is a return instruction, (iii) there is only one stack frame in the stack of
the active context, (iv) in order to return to the previously active context it must exists
in the stack of inactive contexts, and (v) callee-save registers must have the values
expected by the C-IL context we return to.
If the preconditions are fulfilled, then the return statement performs an inter-
language return such that the C-IL execution context that has created the current ac-
tive µASM context becomes active again. This is done by substituting the current active
µASM context with the C-IL execution context found on the top of inactive execution
contexts. Also, the content of the return value register rv2 of the current active µASM
context is written to the return destination rds given in the C-IL context we return to.
cMX.ac ∈ contextµASM cMX.ac = (gpr, s) s < f ramenoµ
instrcurr(s, pi.piµASM ) = ret
0 < |cMX.sc| hd(c.sc) = (gprcallee, s′)
sublist(gpr, callee \ pi.piµASM (cMX. ftop).uses) =
sublist(gprcallee, callee \ pi.piµASM (cMX. ftop).uses)
c′MX = write
θ((cMX.M, s′),hd(s′).rds, gpr[rv])
pi, θ ` cMX →MX cMX
 M := c
′
MX.M,
ac := c′MX.s,
sc := tl(cMX.sc)

2rv is the index of the return value register (cf. Table 3.1). Note that in the µASM semantics the return
value register contains the result value (cf. compiler calling convention in Section 3.1.4).
76 Integrated Semantics µASM and C-IL
5. Call From µASM To C-IL This case is indicated by the following preconditions: (i)
the active context is of µASM type, (ii) the next instruction to be executed is a procedure
call, (iii) the procedure to be called is declared as external in the µASM procedure table
and as non-external in the C-IL procedure table, and (iv) the lifo of the top stack frame
of the active µASM context is big enough to contain parameters passed on stack.
If all of the aforementioned preconditions are fulfilled, then a new C-IL context is
created and it becomes active in the MX machine. The current active µASM context is
put on the stack of inactive contexts. Also, the location counter of the top stack of the
current active µASM context is incremented. Constraints on the non-deterministically
chosen new C-IL context are captured in the predicate MAS M2CIL. Here it is as-
sumed that the indices listed in the uses component of the procedure being called
must be callee-save registers, i.e.
∀ r ∈ pi.piµASM (P).uses. r ∈ callee
After all this case is treated with npar = pi.piµASM (P).npar,V = pi.piµASM (P).V and
li f o = hd(s.stack).li f o as
cMX.ac ∈ contextµASM cMX.ac = (gpr, s) s < f ramenoµ
instrcurr(s, pi.piµASM ) = call P k = max{npar − 4, 0} k ≤ |li f o|
pi.piµASM (P).body = extern pi.piC-IL.F (P).P , extern
gprcallee = sublist(gpr, callee)
MAS M2CIL(P, npar, gpr, li f o, contextnew)
pi, θ ` cMX →MX cMX
[
ac := contextnew,
sc := (gprcallee, dropli f o(incloc(s), k)) ◦ cMX.sc
]
The predicate MAS M2CIL(P, npar,V, gpr, li f o, contextnew) enforces the follow-
ing constraints:
contextnew = [framenew]
where a single stack frame framenew of the new context is constrained with (v j, t j) =
V[ j] by the following:
• The first four parameters are taken from the corresponding GPRs of the µASM
context to be retired. The values stored in those GPRs are converted to C-IL-
values of the type expected by the function and store them at the corresponding
places in the local memory environment of the stack frame framenew.
∀0 ≤ j < 4 : j < npar −→ readθE(framenew, v j) = Int2val(gpr[i j+1], t j)
• The remaining input parameters (if existent) are taken from the lifo of the top
stack frame of the current active µASM context to be retired. Recall the rule
CCL . 2 introduced in Section 3.1.4 that first parameters are passed on stack
(li f o) in right-to-left order.
∀4 ≤ j < npar : readθE(framenew, v j) = Int2val(lifo[|lifo| − 1 − j], t j)
• The space is reserved for local variables in the newly created frame:
∀npar ≤ j < |V| : |framenew.ME(v j)| = size(t j)
• The components modeling the execution flow are constrained by the following:
f ramenew. f = P
f ramenew.loc = 0
5.2. Simulation Theorem 77
• The return destination component is always left undefined as the active µASM
context, namely the µASM semantics, does not have any notion of such a compo-
nent.
f ramenew.rds = ⊥
6. Return From C-IL To µASM This case is complementary to the previous one. The
preconditions indicating this case are: (i) the active context is of C-IL type, (ii) the
statement to be executed is return, (iii) there is only one stack frame in the active
context, (iv) there exists at least one context in the stack of inactive contexts, and (v)
callee-save registers must have the values expected by the µASM context we return to.
If the preconditions are fulfilled, then the previously active context becomes active
again. In the new context the caller-save GPRs are assigned non-deterministically
except for the return value register rv. The result value is returned from the current
active C-IL context to the µASM context to be activated and is stored in the return value
register rv of this µASM context.
cMX.ac ∈ contextC-IL cMX.ac = s
stmtcurr(s, pi.piC-IL) = return e
0 < |cMX.sc| hd(cMX.sc) = (gprcallee, s′)
sublist(gpr′, callee) = gprcallee
gpr′[rv] = val2Int([e]pi,θcMX )
pi, θ ` cMX →MX cMX
[
ac := (gpr′, s′),
sc := tl(c.sc)
]
5.2 Simulation Theorem
Here we present the simulation relation between MX and VAMP assembly configura-
tions. We defined similar relations for µASM and C-IL in Chapters 3 and 4, respectively.
In order to be able to state the simulation relation between the MX and VAMP assem-
bly execution sequences, where the latter runs the compiled MX execution sequence.
We need to have an additional information about the compiler code, like the C-IL static
information introduced in Section 4.2. Since we have C-IL executions sequences as
well as µASM together in the MX semantics and the C-IL static information can describe
the µASM ones3, we keep the static information from C-IL in MX.
The MX compiler meta information in f oTMX is described by record type
3it is assumed that Pname ⊂ Fname
78 Integrated Semantics µASM and C-IL
DEFINITION 5.8 I
MX Compiler Meta Info in f oTMX
def
= in f oTIL
We define the function distbpMX(i, s, in f oMX) returning the distance between frame
base addresses of i-th and (i+1)-th stack frames from a list s of C-IL- and µASM stack
frames. To define it we use the functions distbpµASM and dist
bp
IL defined in Sections 3.3
and 4.2, respectively. Here we need to consider six cases: if the i-th stack frame is
• the top stack frame and it is of C-IL type, then we apply the function distbpIL to a
list containing a single element which is the top stack frame from the list s (cf.
the top stack frame in Figure 3.3).
• the top stack frame of µASM type, then we apply the function distbpµASM to a list
containing a single element which is the top stack frame from the list s (cf. the
top stack frame in Figure 4.4).
• a non-top stack frame and it is of C-IL type and the (i+1)-th stack frame is of
C-IL type, then we apply the function distbpIL (cf. the non-top stack frame in
Figure 4.4), then we apply the function distbpIL to a list containing two elements
([s[i + 1]] ◦ s[i]]).
• a non-top stack frame and it is of C-IL type and the (i+1)-th stack frame is of
µASM type, then we compute the distance by summing up the following (cf. the
non-top C-IL frame in Figure 5.1(a)):
– the size of the local variables block, callee-save registers block and tempo-
raries of the i-th stack frame. This size is computed by the function distbpIL
on a list containing a single element which is the i-th stack frame from the
list s.
– 4 bytes representing a return destination (in case of a function call),
– caller-save registers block,
– 8 bytes representing a stack frame header, and
– the size of all parameters passed to the (i+1)-th µASM stack frame.
• a non-top stack frame and it is of µASM type and the (i+1)-th stack frame is of
µASM type, then we apply the function dist
bp
µASM (cf. the non-top stack frame in
Figure 3.3).
• a non-top stack frame and it is of µASM type and the (i+1)-th stack frame is of
C-IL type, then we compute the distance by summing up the following (cf. the
non-top µASM frame in Figure 5.1(b)):
– the size of the save register block and lifo of the i-th stack frame. This size
is computed by the function distbpµASM on a list containing a single element
which is the i-th stack frame from the list s.
– 8 bytes representing a stack frame header, and
– the size of all parameters passed to the (i+1)-th C-IL stack frame.
5.2. Simulation Theorem 79
J DEFINITION 5.9
Distance Between
Frame Base Addresses
distbpMX(i, s, in f oMX)
def
=
distbpIL (0, [s[i]], in f oMX) if top(s) = i ∧ s[i] ∈ f rameC-IL
distbpµASM (0, [s[i]]) if top(s) = i ∧ s[i] ∈ f rameµ
distbpIL (0, [s[i + 1]] ◦ [s[i]], in f oMX) if s[i] ∈ f rameC-IL ∧ s[i + 1] ∈ f rameC-IL
distbpIL (0, [s[i]], in f oMX)
+
4 if s[i].rds , ⊥0 otherwise
+ in f oIL.sizecaller−save(s[i]. f , s[i].loc − 1)
+ 8 + 4 · n
if s[i] ∈ f rameC-IL ∧ s[i + 1] ∈ f rameµ
distbpµASM (0, s[i + 1] ◦ s[i]) if s[i] ∈ f rameµ ∧ s[i + 1] ∈ f rameµ
distbpµASM (0, [s[i]]) + 8 + 4 · n otherwise
where n is the number of input parameters passed on stack to a call to the function
s[i + 1]. f :
n = max{pi.piC-IL.F (s[i + 1]. f ).npar − 4, 0}.
Next we define a function
f ramebaMX :: f rame
∗
µ × N 7→ N
computing an absolute frame base address for the i-th stack frame from the stack frame
list s, where the base address of the first stack frame is identified by the component
in f oMX.stackba. This function is based on the function dist
bp
MX defined above which
computes relative offsets between frame base addresses of adjacent stack frames.
J DEFINITION 5.10
Frame Base Address
f ramebaMX(i, s, in f oMX)
def
= in f oMX.stackba −
j<i∑
j=0
(distbpMX(i, s, in f oMX))
We define functions reading frame headers with the same signature as we did for
µASM and C-IL in previous chapters. Note that the previous stack pointer and return
address components of the frame header of µASM and C-IL stack frames are located in
memory at the same relative offsets to the base address of a stack frame (cf. Table 3.2
and Figure 5.1).
J DEFINITION 5.11
Reading frame headersstackpbpMX (i, s,m, in f oMX)
def
= mword( f ramebaMX(i, s, in f oMX) + 0)
stackraMX(i, s,m, in f oMX)
def
= mword( f ramebaMX(i, s, in f oMX) + 4)
Next we define the function stackrdsMX reading the return destination put on the stack
at a function(procedure) call that created the (i+1)-th stack frame.
J DEFINITION 5.12
Reading return destinationstackrdsMX(i, s,m, in f oMX)
def
= mword( f ramebaIL (i + 1, s, in f oMX) + 8
+ in f oMX.sizeparams(s[i + 1]. f ))
80 Integrated Semantics µASM and C-IL
du
m
m
y 
(4
 w
or
ds
)
ra pb
p
H
ig
h 
M
em
or
y
Lo
w
 M
em
or
y
b)lifosav
ed
re
gi
st
er
 a
re
a
ra pb
p
...
pa
ra
m
np
ar
−
1
pa
ra
m
4
...
du
m
m
y 
(4
 w
or
ds
)
ra pb
p
Fu
nc
tio
n 
A
rg
s
Lo
ca
l V
ar
s
C
al
le
r S
av
e
R
eg
s
R
et
ur
n 
D
es
tin
at
io
n
C
al
le
e 
Sa
ve
R
eg
s
Te
m
po
ra
rie
s
Te
m
po
ra
rie
s
St
ac
k 
Fr
am
e
...
St
ac
k 
Fr
am
e

as
m
C
−
IL
di
st
bpM
X
..

di
st
bp
as
m
..

4∗
n
8
ra pb
p
Fu
nc
tio
n 
A
rg
s
Lo
ca
l V
ar
s
C
al
le
r S
av
e
R
eg
s
R
et
ur
n 
D
es
tin
at
io
n
C
al
le
e 
Sa
ve
R
eg
s
Te
m
po
ra
rie
s
St
ac
k 
Fr
am
e
C
−
IL
4∗
n
8
...
Fu
nc
tio
n 
A
rg
s

as
m
St
ac
k 
Fr
am
e
lif
o
sa
ve
d
re
gi
st
er
 a
re
a
ra pb
p
du
m
m
y 
(4
 w
or
ds
)
pa
ra
m
np
ar
−
1
pa
ra
m
4
... ra pb
p
4
di
st
bpIL
..

... ... a)
ST
A
C
K
_B
A
SE
_A
D
R
Figure 5.1: MX Stack Layout
5.2. Simulation Theorem 81
The function
stackitemMX :: f rame
∗
µ × N × N × N × (N 7→ Z) 7→ Z
returns the value of j-th word stored on the i-th stack frame (cf. Figure 5.1).
J DEFINITION 5.13
Reading Items From Stack FramesstackitemMX (s, i, j,m, in f oMX)
def
= mword( f ramebaMX(s, i, in f oMX) − 4 · ( j + 1))
5.2.1 Simulation Relation
We define a simulation relation consisMX between states of MX and VAMP assembly
machines.
The simulation relation consisMX(cMX, in f oMX, cAS M) states that the assembly con-
figuration cAS M encodes the MX configuration cMX via the compiler information in f oMX.
It has the similar structure as the simulation relation introduced for C-IL.
J DEFINITION 5.14
Compiler ConsistencyconsisMX :: CMX × in f oTMX ×CASM 7→ bool
consiscontrolMX (cMX, in f oMX, cAS M) consis
data
MX (cMX, in f oMX, cAS M)
consisMX(cMX, in f oMX, cAS M)
Control Consistency
Control consistency comprises program counter consistency consispcMX(cMX, in f oMX, cAS M)
and return address consistency consisraMX(cMX, in f oMX, cAS M).
J DEFINITION 5.15
Control Consistencyconsis
pc
MX(cMX, in f oMX, cAS M) consis
ra
MX(cMX, in f oMX, cAS M)
consiscontrolMX (cMX, in f oMX, cAS M)
The program counter consistency states that the assembly configuration’s program
counters point to the current MX statement(instruction) to be executed in a given MX
machine.
J DEFINITION 5.16
Program Counter Consistency
cAS M .pc = cAS M .dpc + 4
cAS M .dpc = in f oMX.codeia(cMX. ftop, cMX.loctop)
consispcMX(cMX, in f oMX, cAS M)
The return address consistency states that return addresses of all stack frames point
directly behind the code of call instructions which generated these stack frames.
J DEFINITION 5.17
Return Address Consistency∀0 < i < |cMX.stack f lat |. cAS M .mword(stackraMX(i, cMX.stack f lat, cAS M .m, in f oMX) =
in f oMX.codeia(cMX. fi−1, cMX.loci−1)
consisraMX(cMX, in f oMX, cAS M)
82 Integrated Semantics µASM and C-IL
Data Consistency
The data consistency comprises code consistency consiscodeMX , memory consistency
consismemMX , stack consistency consis
stack
MX , and register consistency consis
regs
MX .
DEFINITION 5.18 I
Data Consistency consiscodeMX (cMX, in f oMX, cAS M) consis
mem
MX (cMX, in f oMX, cAS M)
consisstackMX (cMX, in f oMX, cAS M) consis
regs
MX (cMX, in f oMX, cAS M)
consisdataMX (cMX, in f oMX, cAS M)
The code consistency requires that the compiled code is stored at the program
base address in memory of a VAMP assembly configuration. That is, the compiled
MX program must not be changed by statements(instructions) being executed by a
MX machine.
DEFINITION 5.19 I
Code Consistency ∀i < |in f oMX.code|. in f oMX.code[i] = int-to-instr(cAS M .mword(in f oMX.codeba + 4 · i))
consiscodeMX (cMX, in f oMX, cAS M)
The memory consistency states that the memory content of both machines is the
same. Since the stack is abstracted we do not state memory equality for the region
where the stack resides. As well we do not state the memory equality for the region
where the compiled code is allocated.
DEFINITION 5.20 I
Memory Consistency
∀a ∈ N32.
a < [in f oMX.stackba : in f oMX.stackba − in f oMX.stackmax−size)
∧ a < [in f oMX.codeba : in f oMX.codeba + 4 · |in f oMX.code|)
=⇒
cMX.M(a) = cAS M .mword(a)
consismemMX (cMX, in f oMX, cAS M)
The register consistency argues about the content of the stack pointer and base
pointer registers of the assembly configuration cAS M . Do not forget that we have al-
ready argued about the content of program counter in the program counter consistency
before. The stack- and base pointer registers should have values according to their in-
tended meaning from Table 2.2. Namely, GPR bp should point to the base address
of the top stack frame in the MX machine cMX. The difference between values stored
in GPRs sp and bp of the assembly machine is the distance between frame base ad-
dresses for the top stack frame of the MX machine (cf. Figure 5.1). This consistency
requires the equality of all GPRs (except for sp and bp) of the assembly machine and
the µASM active context of the MX machine. Also, it requires the equality of all SPRs
of the assembly and MX machines. In case the stack of the MX exists the aforemen-
tioned statements hold. The aforementioned conditions hold in case the stack of the
MX machine is set up and they are grouped in the register sub-consistency consisregs(1)MX .
DEFINITION 5.21 I
Register Consistency
Stack Is Set Up
is stack(cMX)
cAS M .gpr[bp] = f ramebaMX(top(cMX), cMX.stack
f lat, in f oMX)
cAS M .gpr[sp] = cAS M .gpr[bp] − distbpMX(top(cMX), cMX.stack f lat, in f oMX)
cMX.stacktop ∈ f rameµ =⇒ ∀i < 32. i < {sp, bp} =⇒ cMX.ac.gpr[i] = cAS M .gpr[i]
∀i < 32. cMX.spr[i] = cAS M .spr[i]
consisregs(1)MX (cMX, in f oMX, cAS M)
5.2. Simulation Theorem 83
If there is no stack in the MX configuration, then all corresponding registers of the
MX and VAMP assembly machines must have the same values. This is expressed in
the register sub-consistency consisregs(2)MX .
J DEFINITION 5.22
Register Consistency
(No Stack)
cMX.ac ∈ contextµASM ¬is stack(cMX)∀i < 32. cMX.ac.gpr[i] = cAS M .gpr[i] ∧ cMX.spr[i] = cAS M .spr[i]
consisregs(2)MX (cMX, in f oMX, cAS M)
The above defined register consistencies form the MX register consistency in the
following way:
J DEFINITION 5.23
Register Consistency
consisregs(1)MX (cMX, in f oMX, cAS M) ∨ consisregs(2)MX (cMX, in f oMX, cAS M)
consisregsMX (cMX, in f oMX, cAS M)
The stack consistency comprises frame header consistency consis f hMX, item con-
sistency consisitemMX , and top stack frame consistency consis
top
MX. The top stack frame
consistency is considered only in case the active context of a given MX machine cMX
is of C-IL type.
J DEFINITION 5.24
Stack Consistency
consis f hMX(cMX, cAS M) consis
item
MX (cMX, in f oMX, cAS M)
cMX.stacktop ∈ f rameC-IL =⇒ consistopMX(cMX, in f oMX, cAS M)
consisstackMX (cMX, in f oMX, cAS M)
The frame header consistency requires the values in the frame headers of the stack
frames to be consistent with their intended meaning (cf. Table 3.2). We do not argue
about the return addresses in this consistency as it is already covered by the return
address consistency. As there is no return destination component in frame headers of
µASM stack frames we do not state the corresponding consistency in this case. Note
that for the first stack frame there is nothing to be stated as there is nothing behind the
first stack frame.
J DEFINITION 5.25
Frame Header Consistency
∀ 0 ≤ i ≤ top(cMX).
i , 0 −→ stackpbpMX (i, cMX.stack f lat, cAS M .m, in f oMX) =
f ramebaMX(i − 1, cMX.stack f lat, in f oMX)∧ i , top(cMX) ∧ cMX.stack f lat[i] ∈ f rameC-IL ∧ cMX.stack f lat[i].rds , ⊥ −→
stackrdsMX(i, cMX.stack
f lat, cAS M .m, in f oMX) =
val2Int(readθ(cMX, cMX.stack f lat[i].rds))
consis f hMX(cMX, in f oMX, cAS M)
The top stack frame consistency states where input parameters and local variables
of the function call are saved. The value of an input parameter (local variable) is either
saved in the register or put on the stack.
J DEFINITION 5.26
Top Stack Frame Consistency
∀ i < |cMX.Ptop.V|.
in f oMX.lvarreg(vi, cMX. ftop, cMX.loctop, in f oMX) = ⊥ −→
cMX.MEtop(vi) = cAS M .mword(cAS M .gpr[bp] + in f oMX.lvaro f f (vi, cMX. ftop))
∧
in f oMX.lvarreg(vi, cMX. ftop, cMX.loctop, in f oMX) , ⊥ −→
cMX.MEtop(vi) = cAS M .gpr[in f oMX.lvarreg(vi, cMX. ftop, cMX.loctop)]
consistopMX(cMX, in f oMX, cAS M)
84 Integrated Semantics µASM and C-IL
where (vi, ti) = cMX.Ptop.V(i) is the i-th declaration in the list of parameters and local
variables of the function corresponding to the top most stack frame.
The item consistency exposes the complete stack layout of µASM stack frames of the
MX machine in memory of the assembly machine Figure (cf. 5.1). Note that we do not
state the consistency for components of stack frame headers as it is already covered by
the return address and frame header consistencies. Here we state the relation between
each value stored in the memory region corresponding to a µASM stack frame and its
abstracted version. This consistency is similar to the µASM item consistency, here we
need to consider additional case to state the consistency for passed parameters on
stack. That case is, if a stack frame on top 4 of a µASM stack frame is of C-IL type, then
the values of parameters are read from the local memory environment of that C-IL
stack frame.
We introduce a few shorthands
s = cMX.stack f lat
si = cMX.stack f lat[i]
savedi = si.saved
li f oi = si.li f o
parsi = si.pars
vi j = cMX.Pi.V( j)
that are used in the definition of the item consistency defined as follows:
DEFINITION 5.27 I
Item Consistency ∀i ≤ top(cMX). si ∈ f rameµ −→
∀ j < distbpMX(i, s, in f oMX).
stackitemMX (s, i, j, cAS M .m, in f oMX.stackba) =
savedi[ j] if 0 ≤ j < |savedi|
li f oi[ j − |savedi|] if |savedi| ≤ j < |savedi| + |li f oi|
parsi+1[|parsi+1| − 1 − ( j − |savedi| − |li f oi|)] if si+1 ∈ f rameµ
val2Int(readθE(si+1, vi j)) otherwise, i.e. si+1 ∈ f rameC-IL
consisitemMX (cMX, in f oMX, cAS M)
Please note that for the top stack frame the third case is never considered (by definition
of the function distbpMX).
In the following we state the mixed compiler correctness and sketch its proof.
THEOREM 5.28 I
Mixed Compiler Correctness
Let pi be a MX program, c0AS M be the initial state of a target machine. Then for any
sequence of a target machine: c0AS M , c
1
AS M , . . ., there exists a cMX machine sequence
c0MX, c
1
MX, . . . that does not get stuck and does not produce a stack overflow. Moreover,
for any number steps i of a MX machine there exists the corresponding host machine
state cs(i)AS M , such that the compiler consistency consisIL(c
i
MX, in f oMX, c
s(i)
AS M) holds if the
statement to be executed at step i by the cMX machine is an IO point. However, these
states are consistent if the following requirements about the MX and VAMP assembly
machines are fulfilled:
• The MX program pi is translatable,
• The µASM configuration cµ and VAMP assembly configuration cAS M are valid
and they are consistent,
4here top does not mean the top stack frame, it means the stack frame above.
5.2. Simulation Theorem 85
• After performing i steps the machine cMX did not get stuck,
Formally, this theorem is stated as follows:
∃ in f oMX. ∀ (ciAS M)i,∃(ciMX)i.
(∀ i. ci+1AS M = δASM(ciAS M)∧ pi, θ ` ciMX →MX ci+1MX∧ the execution of cMX does not get stuck
∧ there is no stack overflow)
∧ ∃ s :: N 7→ N.
(∀ i. in f oMX.iop(ciMX. ftop, ciMX.loctop)
−→ consisMX(ciMX, in f oMX, cs(i)AS M))
Proof: We prove this theorem by induction on the number of steps i performed by
the MX machine.
For the induction start we have to show that both machines are consistent, i.e.
consisMX(c0MX, in f oMX, c
s(0)
AS M). We need to show that the target machine cAS M exe-
cutes instructions that perform the corresponding initializations and achieves the cor-
responding consistent state. If the MX machine starts its execution in the C-IL context,
then the first statement to be executed by the MX machine c0MX must be an IO point. At
this place we assume that the C compiler does not perform any kind of optimizations
before the first statement in the main C function.
For the induction step we have to conclude from step i to i+1. Here we distinguish
three cases:
• C-IL or µASM pure steps: In this case we apply the correctness of the correspond-
ing compiler(macro-assembler).
• inter-language statement: We list main arguments which must show this case:
– the compiled inter-language statements (instructions) and non-external-
calls and -returns obey the same compiler calling convention,
– the content preservation of callee-save registers are preserved across C-IL
function calls (cf. Theorem 4.27).
– the content preservation of callee-save registers across C-IL to µASM calls.
These registers can be changed during the execution µASM context. From
the MX semantics we know that if µASM context changes one of callee-
save registers then the MX execution gets stuck at return to the C-IL ex-
ecute context whose callee-registers were overwritten (the rule: Return
from µASM to C-IL). If the MX semantics had not give guarantees on the
callee-save registers in this case, then the work-around would be to have
the indices of these callee-save registers in the uses declaration list of the
procedure corresponding to this µASM execution context. In this case their
content preservation is guaranteed by the µASM semantics.


C
H
A
P
TE
R
6
Small Hypervisor Correctness
In this chapter we present the paper-and-pencil proof of the correctness of a simple
hypervisor, called baby hypervisor (BHV) in [AHPP10]. The baby hypervisor is a
small software system implemented in two programming languages: C and VAMP
macro assembly, and it virtualizes VAMP ISA ( [Tve09], [Tsy09]) and allows to run
a number of guest machines, called partitions, on a single so-called host processor.
Note that VAMP ISA was abstracted to VAMP assembly in Chapter 2 and VAMP
assembly differs from VAMP ISA only in data representations, but they are semanti-
cally equivalent (proven by Tsyban in [Tsy09]). Thus, it suffices to show that the baby
hypervisor virtualizes VAMP assembly.
The baby hypervisor always lets the guests run in user mode on the host. Hence,
the guests run translated and unprivileged, i.e. every memory access performed by
guests is the subject of the address translation of the host and it is forbidden for them
to execute privileged instructions on the host. So that, the baby hypervisor has the
full control over the guests. The guests of the baby hypervisor have their own notion
of execution mode1, i.e. there are guest user mode and guest system mode. That is,
each guest can think that it runs in system mode on the host, indeed it runs in guest
system mode in its own ”virtual world” and in user mode on the host. The presence of
two guest execution modes means that there are two address translations (one for each
mode) that are performed for the running guests on the host. Two address translations
for guests means that there are two virtual memories for them. These guest virtual
memories are supported by so-called host- and shadow page tables [ACH+10] that are
set-up for guests running in guest system mode and in guest user mode, respectively.
In [AHPP10] on 9 page the authors write: ”The host page tables will map injectively
into host memory with different regions allocated for each guest. The shadow page
table of a guest is set up as the concatenation of the guest’s own page table and its host
page table. To make sure that the guest cannot break this invariant, we map all host or
shadow page table entries to the guest page table read-only. Thus, attempts of a guest
1this differs hypervisors from kernels as the guests(processes) of kernels run only in user mode on the
host while the guests of hypervisors can run in user mode and in system mode on the host
87
88 Small Hypervisor Correctness
to edit its page table or perform a privileged operation (e.g., change the page-table
origin) will cause an exception on the host and be intercepted by the hypervisor. The
hypervisor will then emulate the exception operation in software.”
The way we proceed in this chapter is we first specify the abstract baby hyper-
visor. Next we examine the baby hypervisor implementation data structures used
in [AHPP10] and invariants stated over them defined in [AHPP10]. Then we present
intended invariants defined in [AHPP10] for the simulation of guests on the host. It
is mainly the generalization of the B-relation from [GHLP05]. In [Tsy09] Tsyban
presented the detailed definition of such a relation and its application for showing
the correctness of the CVM microkernel. In [AHPP10] the authors showed two main
proof’s obligations: (i) the functional correctness of the baby hypervisor’s main func-
tion implemented in C, and (ii) the simulation of guests while they run without excep-
tions on the host. In the end we will state the baby hypervisor correctness theorem
where we treat the µASM code of the BHV program and the compiler calling conven-
tion. Note that the µASM code and the compiler calling convention were neither treated
nor presented in [AHPP10].
In the rest of the thesis we refer to the baby hypervisor as BHV.
6.1 Abstract BHV
6.1.1 Configurations
The abstract(spec) BHV configurations cHV are represented by the record type CHV
DEFINITION 6.1 I
BHV Configuration CHV
def
= {gs :: N 7→ CASM, cg :: N}
comprising two components:
• gs is the mapping of guest ids to VAMP assembly machines representing guests,
• cg is the id of a guest that is currently making steps (called active guest). The
other guests do not make any progress at all, they wait until they will be sched-
uled (become active). So we call them sleeping guests.
Valid Configurations The requirements over BHV configurations are: (i) the number
of modeled guests is restricted by a given number ng, and (ii) each modeled guest gid
has at most gptl(gid) PTEs. These requirements are captured by the predicate validBHV
defined below.
DEFINITION 6.2 I
Valid BHV Configuration validBHV :: CHV × N × (N 7→ Z) 7→ bool
cHV.cg < ng ∀ gid < ng. cHV.gs(gid).spr[ptl] ≤ gptl(gid)
validBHV (cHV, ng, gptl)
Init Configuration We denote by cinitHV the initial BHV configuration that is defined as
in [AHPP10]. It is not explicitly defined in [AHPP10], there is a link to BHV sources
and there one can look it up.
6.2. BHV Implementation 89
6.1.2 Transition Function
The BHV transition function δHV :: CHV × N 7→ CHV takes a BHV configuration cHV
and the number ng of modeled guests as input and yields an updated BHV configu-
ration c′HV. This transition function lets the active guest to perform a single step. The
next guest is scheduled to be active if the currently active guest is running in system
mode and it tries to execute the trap instruction. Such a step is considered as a hyper-
call. BHV supports a single hypercall like this to schedule the next guest to run. We
introduce the predicate is-hypercall to indicate this case:
J DEFINITION 6.3
Is Hypercall
trap(cAS M) ∧ system?(cAS M .spr[mode]))
is-hypercall(cAS M)
We denote by g˜ the active guest configuration of cHV, i.e., g˜ = cHV.gs(cHV.cg). The
BHV transition function is specified as follows:
J DEFINITION 6.4
BHV Steps Without Hypercalls
¬is-hypercall(g˜)
δHV(cHV, ng) = cHV[gs := cHV.gs[cg := δASM(g˜)]]
J DEFINITION 6.5
BHV Steps With Hypercalls
is-hypercall(g˜)
δHV(cHV, ng) = cHV
[
gs := cHV.gs[cg := δASM(g˜)],
cg := cHV.cg + 1 mod ng
]
6.2 BHV Implementation
Here we examine BHV implementation details presented in [AHPP10]. We first ex-
amine data structures used in the BHV implementation.
6.2.1 Data Structures
The C data structure proc t represents the state of the sleeping guests. Such a state
is called program control block (PCB). This structure comprises all components of
an abstract guest (besides the memory component) represented by a VAMP assembly
configuration.
Listing 6.1: Data Structure proc t
1 struct proc t {
2 unsigned int32 gpr[32]; // general−purpose register file
3 unsigned int32 spr[32]; // special−purpose register file
4 unsigned int32 dpc; // delayed PC
5 unsigned int32 pcp; // primed PC
6 };
The C data structure guest t comprises the guest PCB C data structure and addi-
tional components describing the guest: (i) the pointer to a guest memory (represented
as array of unsigned integers) and the base page index of this memory (called the guest
memory origin), (ii) the pointer to an array of host PTEs representing host page table,
the base page index of this table (called the host page table origin) and the maximum
90 Small Hypervisor Correctness
number of PTEs in this array, (iii) the pointer to an array of shadow PTEs represent-
ing shadow page table, the base page index of this table (called the shadow page table
origin) and the maximum number of PTEs in this array.
Listing 6.2: Data Structure guest t
1 struct guest t {
2 struct proc t pcb;
3 unsigned int32 ∗gm; // guest memory (array)
4 unsigned int32 gmo; // guest memory origin
5 unsigned int32 ∗hpt, // array of host PTEs
6 unsigned int32 hpto; // host page−table origin
7 unsigned int32 ∗spt; // array of shadow PTEs
8 unsigned int32 spto; // shadow page−table origin
9 unsigned int32 max ppx; // maximum number of physical PTEs
10 unsigned int32 max vpx; // maximum number of shadow PTEs
11 };
The C data structure hv t is considered as main one and it comprises: (i) the
number of modeled guests in BHV, (ii) the stack base address of the BHV program,
(iii) the pointer to an array of guest C data structures, and (iv) the pointer to the active
guest C data structure.
In [AHPP10] the structure hv t is defined without the stack base address field.
Listing 6.3: Data Structure hv t
1 struct hv t {
2 unsigned int32 ng; // number of guests
3 unsigned int32 sba; // stack base address
4 struct guest t ∗cg; // pointer to current guest
5 struct guest t ∗g; // array of guests
6 };
6.2.2 Parameters
BHV is configured at boot time by a few parameters encoded in four bytes at the
beginning of its data segment base address.
• DS START = 8192 : is the base address in the memory at which the BHV C data
structure hv t resides. In [AHPP10] this constant is 4096. The reason why we
changed it is that we need to have a scratch memory for boot code and macro-
assembly portions.
• DS SIZE the data segment size. The data segment contains allocated BHV C
data structures and the stack used by BHV.
• NG = 8 : is the number of guests in BHV,
• MAX PPX = 220 : is the maximum number of PTEs per host page table,
• MAX VPX = 220 : is the maximum number of PTEs per guest page table,
6.2. BHV Implementation 91
Note that the size of a memory page is PAGE SIZE = 1024. We use the constant
LOG PAGE SIZE to denote the binary logarithm of PAGE SIZE, i.e.
LOG PAGE SIZE = log2(PAGE SIZE) = 10
The stack base address is not passed a parameter to the BHV program, but it is
computed as the sum of DS START and DS SIZE.
hv
uint32     max_vpx;
uint32     max_ppx; 
uint32     spto;
uint32     hpto;
uint32     gmo;
proc_t     pcb;
hv->g[0]
guest_t   *g
guest_t   *cg;
uint32     sba;
uint32     ng;
hv->g[hv->ng -1]
*
*
*
HPTEs of 
hv->g[0].hpto
Guest memory
hv->g[0].gmo
hv->g[0].max_ppx * PAGE_SIZE
*
*
*
g0
DS_START
DS_SIZE
Stack
STACK_BA
uint32     max_vpx;
uint32     max_ppx; 
uint32     spto;
uint32     hpto;
uint32     gmo;
proc_t     pcb;
hv->g[0].spto
SPTEs of g0
HPTs of    
hv->g[hv->ng-1].hpto
g NG−1
SPTs of    g NG−1
hv->g[hv->ng-1].spto
Guest memory
hv->g[hv->ng-1].gmo
hv->g[hv->ng-1].max_ppx * PAGE_SIZE
Figure 6.1: Memory Layout of BHV Data Structure
6.2.3 Implementation
The BHV program allocates its data structures in the data segment every time right
after the reset signal happens. Fig. 6.1 depicts the memory layout of the data segment
92 Small Hypervisor Correctness
after BHV allocated its data structures in that segment. In the figure the constant hv is
used and it is defined as
#typedef hv ((struct hv t *)DS START)
The data segment should be big enough to contain BHV data structures and the
stack being used by the BHV program. The stack base address is the highest address
that belongs to the data segment in memory. We are not going to present the complete
BHV C implementation, the reader can look it up in [AHPP10].
Here we present the implementation of a mixed code from the BHV program.
Note that it is not a part of the BHV program presented in [AHPP10]. This code
is always executed if any interrupt happens during the execution of the guest on the
host. This code is the interrupt service routine of the BHV program and it is split into
4 parts:
1. Save Guest. In lines 1-9 GPRs of the last running guest on the host are saved
to the PCB corresponding to the last interrupted guest. Namely, the instruc-
tion at line 1 saves temporary the value of GPR register 2 in scratch memory
since a free register is needed to contain the PCB base address. In line 2 the
base address of the PCB is loaded to the GPR register 2. In lines 3-4 the GPR
registers 0 and 1 of the host are saved in the corresponding GPRs of the PCB
in memory. In lines 5-6 this value is restored in GPR 1 of the host and then
saved in GPR register 2 of the PCB in memory. Starting from line 7 until line 9
the GPR registers 3-31 of the host are saved in the corresponding GPRs of the
PCB in memory. In lines 10-13 the exception DPC and PC registers of the host
machine are saved to the corresponding normal (i.e. non-exception) registers of
the same PCB as before.
2. Set Up Stack Pointers, Parameters Passing and Handler Invocation. In lines 15-
23 the stack pointer and base pointer are initialized. In case of the reset interrupt
the stack base address is read from the scratch memory. Otherwise, it is read
from the BHV data structure. In lines 26-27 exception cause and exception data
registers are passed in first two input registers (i.e. we follow the CCL defined in
Sec.3.1.4) to the BHV C function hv dispatch that handles the caused interrupt.
This function gets invoked with a call macro in line 29.
3. Guest Restore. After handling the interrupt the execution mode of the scheduled
guest is checked in lines 31-34. If the execution mode of the scheduled guest
is user mode, then the shadow page table is loaded on the host (lines 35-38)
Otherwise, in lines 42-45 the host page table is loaded on the host.
In lines 48-51 DPC and PC registers of the PCB corresponding to the scheduled
guest are written to the corresponding exception registers of the host. In lines
53-58 GPRs of the scheduled guest PCB are saved to GPRs of the host.
4. Return From Exception. In line 56 the instruction rfe starts the execution of
the loaded (restored) guest on the host.
Later in this chapter we refer to code consisting of lines 1-23 and lines 31-58 from
Listing 6.4 as interrupt service routines 1 (ISR1) and 2 (ISR2), respectively.
6.2. BHV Implementation 93
Listing 6.4: BHV Context Switch Implementation
1 sw r2 r0 4096 // store r2 in scratch memory
2 lw r2 r0 8200 // get PCB address, 8200 = &(HV−>cg)
3 sw r0 r2 0
4 sw r1 r2 4
5 lw r1 r0 4096 // restore r2 and save it to r1
6 sw r1 r2 8 // save it to PCB
7 sw r3 r2 12
8 ...
9 sw r31 r2 124
10 movs2i EPC r7 // save EPC to PCB
11 sw r7 r2 140 // OFFSET(proc t, spr[EPC] = 140)
12 movs2i EDPC r7 // save EDPC to PCB
13 sw r7 r2 144 // OFFSET(proc t, spr[EDPC] = 144)
14
15 movs2i ECA r1
16 ifnez r1 goto LSBA BHV
17 lw r1 r0 4100 // read sba from scratch memory
18 goto LSBA BHV SKIP
19
20 LSBA BHV:
21 lw r1 r0 8196 // read sba from BHV DS, 8196 = &(HV−>sba)
22 add r30 r0 r1 // initialize bp
23 add r29 r0 r1 // initialize sp (bp = sp)
24
25 LSBA BHV SKIP:
26 movs2i ECA r6 // fst input arg
27 movs2i EDATA r7 // snd input arg
28
29 CALL hv dispatch // invoke BHV handler
30
31 lw r2 r0 8200 // load adr of current guest (r2 := &(HV−>cg)))
32 addi r3 r2 0 // r3 := r2
33 lw r4 r2 192 // r4 := pcb−>spr[MODE], OFFSET(proc t, spr[MODE] = 192
34 ifnez r4 goto LHOST // if (r4 != 0) jump to LHOST
35 lw r5 r2 164 // r5 := pcb−>spr[PTL], OFFSET(proc t, spr[PTL] = 164
36 movi2s PTL r5
37 lw r5 r3 168 // r5 := cg−>spto, OFFSET(proc t, spr[PT0]) = 168
38 movi2s PTO r5
39 goto LHOST SKIP
40
41 LHOST:
42 lw r5 r3 288 // r5 := cg−>max ppx, OFFSET(guest t, max ppx) = 288
43 movi2s PTL r5
44 lw r5 r3 276 // r5 := cg−>hpto , OFFSET(guest t, hpto) = 276
45 movi2s PTO r5
46
47 LHOST SKIP:
48 lw r5 r2 256 // r5 := pcb−>dpc, OFFSET(proc t, dpc) = 256
49 movi2s EDPC r5
50 lw r5 r2 260 // r5 := pcb−>pcp, OFFSET(proc t, pcp) = 260
51 movi2s EPC r5
52
53 lw r0 r2 0
54 lw r1 r2 4
55 lw r3 r2 12
56 //...
57 lw r31 r2 124
58 lw r2 r2 8
59 rfe
94 Small Hypervisor Correctness
6.3 Correctness
In this section we examine correctness criteria and a theorem of the baby hypervisor.
We define criteria as invariants between the BHV C implementation, simulated guests,
the host and the abstract BHV. In order to be able to talk about the BHV implemen-
tation we assume the followings: (i) the BHV program is properly encoded in MX
program pi, and (ii) the information about the C compiler being used to compile this C
program is encoded in system parameters θ.
We first define an invariant called B-relation that reconstructs virtual guests for
every guest supported by the BHV implementation and check whether they match
the corresponding guests of the abstract BHV. Then we examine the implementation
invariants of the BHV implementation. Before we introduce auxiliary functions for
reading guest components of the BHV data structures stored in memory of the MX
configuration cMX. Note that in [Tsy09] Tsyban defined similar functions reading C
variables in memory of the host machine.
6.3.1 Reading Guest Components
We define the function PCB :: N×CMX 7→ CASM that returns for a given gid an assem-
bly machine constructed from registers of the corresponding PCB in the memory of a
given MX machine cMX. Right now we are interested in the PCB of a guest. Thus, the
memory of the assembly configuration returned by that function is left untouched.
PCB(gid, cMX)
def
= g
where the assembly machine g is constructed as follows2:
g.dpc = val2Nat([hv → g[gid] → pcb.dpc]pi,θcMX )
g.pc = val2Nat([hv → g[gid] → pcb.pcp]pi,θcMX )
g.gpr[i] = val2Int([hv → g[gid] → pcb.gpr[i]]pi,θcMX )
g.spr[i] = val2Int([hv → g[gid] → pcb.spr[i]]pi,θcMX )
Below we list the definition of functions which return for a given guest gid the
components of the corresponding C guest data structure stored in memory of a given
MX machine cMX:
• host page table entry (HPTE) x of the guest gid:
HPTE(x, gid, cMX)
def
= val2Nat([hv → g[gid] → hpt[x]]pi,θcMX )
where x ∈ N is a HPTE index.
• shadow page table (SPTE) x of the guest gid:
SPTE(x, gid, cMX)
def
= val2Nat([hv → g[gid] → spt[x]]pi,θcMX )
where x ∈ N is a SPTE index.
• maximum number of PTEs for the host page table of the guest gid:
MPPX(gid, cMX)
def
= val2Nat([hv → g[gid] → max ppx]pi,θcMX )
2Here and in the rest of this chapter we assume the implicit conversions from natural and integer
numbers that appear within C-IL expressions to the corresponding C-IL expressions.
6.3. Correctness 95
• maximum number of PTEs for the shadow page table of the guest gid:
MVPX(gid, cMX)
def
= val2Nat([hv → g[gid] → max vpx]pi,θcMX )
• HPT origin of the guest gid:
HPTO(gid, cMX)
def
= val2Nat([hv → g[gid] → hpto]pi,θcMX )
• SPT origin of the guest gid:
SPTO(gid, cMX)
def
= val2Nat([hv → g[gid] → spto]pi,θcMX )
• guest memory origin of the guest gid:
GMO(gid, cMX)
def
= val2Nat([hv → g[gid] → gmo]pi,θcMX )
6.3.2 B-Relation
The B-relation binds the guest processes configurations cHV.gs and virtual guest ma-
chines reconstructed from the MX configuration cMX and the host configuration cAS M .
This relation is considered as a correctness criterion of guest processes. In order to
define this relation we need to introduce a few functions performing:
• virtual guest machine reconstruction,
• VAMP assembly machines comparison.
Virtual Machines
We introduce the function G(gid, cMX, cAS M)
G :: N ×CMX ×CASM 7→ CASM
to construct a virtual assembly machine corresponding to a given guest gid which
might be either running on the host cAS M or be sleeping (suspended). That is, in the
definition of the function G we distinguish two cases whether the guest gid is active or
not. The guest gid is active if and only if the host machine cAS M operates in user mode
and the pointer [hv → cg]pi,θcMX points to the guest data structure corresponding to the
guest gid. Note that the MX machine cMX runs the BHV program pi and this machine
is bound with the host machine cAS M via the compiler consistency consisMX defined
in Section 5.2.
Let us first consider the case when the guest gid is active, i.e. the guest gid is cur-
rently running on the host cAS M . In this case the function G(gid, cMX, cAS M) returns the
virtual guest representation corresponding to the guest gid which is reconstructed from
registers (except for SPRs)3 of the host machine cAS M and SPRs from the correspond-
ing PCB stored in the memory of the MX configuration cMX by means of the function
Gactive. In another case, i.e. when the guest gid is sleeping, its virtual representation is
reconstructed from the corresponding PCB stored in the memory of the MX configu-
ration cMX with the help of the function Gsleeping. In both cases the memory of a virtual
assembly machine is reconstructed from the cMX memory by the function mem. The
definition of the functions Gactive, Gsleeping and mem will follow.
3In the baby hypervisor SPRs are virtualized. That is, SPRs of the host machine are not a part of the
guest being executed on this host. Moreover, the guest cannot access SPRs while it is being executed on
the host as the host operates in user mode (by the VAMP assembly semantics presented in Chapter 2)
96 Small Hypervisor Correctness
DEFINITION 6.6 I
Virtual Guest Machine G(gid, cMX, cAS M) def=
Gactive(gid, cMX, cAS M) if user?(cAS M .spr[mode]) ∧
[hv → cg]pi,θcMX = [&(hv → g[gid])]pi,θcMX
Gsleeping(gid, cMX) otherwise
The definition of the function G was constructed from the abstraction functions
abs and abs gh defined in [AHPP10].
Reconstructing VM: Active Guest Since the machine MX does not make any steps
while the guest is running on the host the memory of the virtual guest is reconstructed
from the host memory. For that, the memory of the MX machine is substituted with
the memory of the host machine.
Gactive(gid, cMX, cAS M) def= g
where the assembly machine g is constructed as:
g.dpc = cAS M .dpc
g.pc = cAS M .pc
g.gpr[i] = cAS M .gpr[i]
g.spr[i] = PCB(gid, cMX).spr[i]
g.m = mem(gid, cMX[M := cAS M .m])
The definition of this function corresponds to the abstraction function abs gh de-
fined in [AHPP10].
Reconstructing VM: Sleeping Guest
Gsleeping(gid, cMX) def= g
where the assembly machine g is constructed in the following way:
g.dpc = PCB(gid, cMX).dpc
g.pc = PCB(gid, cMX).pc
g.gpr[i] = PCB(gid, cMX).gpr[i]
g.spr[i] = PCB(gid, cMX).spr[i]
g.m = mem(gid, cMX)
The definition of this function corresponds to the abstraction function abs defined
in [AHPP10].
Reconstructing Virtual Memory The virtual memory of a guest gid is reconstructed
by the function mem directly from the memory of the configuration cMX running the
BHV program pi. It does not matter whether a given guest gid is active or not. The
definition of this function relies on the following facts:
• the BHV program maintains the linear address translation for guests. This fact
is expressed as a part of the host page table invariant presented later.
• the size of a guest memory does not change (after the memory was allocated),
i.e. the memory cannot be dynamically allocated for guests (by the design of
the BHV program).
6.3. Correctness 97
Thus, the function mem is defined as
mem :: N ×CMX 7→ (N 7→ B8)
mem(gid, cMX)
def
= m
where the content of the virtual memory m at word address
a ∈ [0, . . . , val2Nat([hv → g[gid] → max ppx]pi,θcMX ) · PAGE SIZE)
is
mword(a) = val2Int([hv → g[gid] → gm[a]]pi,θcMX )
The definition of this function corresponds to the abstraction function abs m de-
fined in [AHPP10].
Identical VAMP Assembly Configurations
Two given VAMP assembly machines are identical(equal) if and only if the following
is true:
• the content of memory at some restricted address space of both machines is the
same. For that we introduce the equality function for byte addressable memories
at addresses [base, .., base + size)
J DEFINITION 6.7
Assembly Memory Equality
∀a. base ≤ a < base + size −→ m1(a) = m2(a)
m1 =base,size m2
• the content of PCs, DPCs, all GPRs and four SPRs (status register, page table
origin, page table length and mode) of both machines are the same.
So that, the VAMP assembly machines equality function takes two assembly ma-
chines (c1AS M and c
2
AS M) and the number size of bytes to be compared in memories of
both machines starting from address 0.
J DEFINITION 6.8
Assembly Configurations Equality
c1AS M .dpc = c
2
AS M .dpc c
1
AS M .pc = c
2
AS M .pc
c1AS M .gpr = c
2
AS M .gpr c
1
AS M .spr[sr, pto, ptl,mode] = c
2
AS M .spr[sr, pto, ptl,mode]
c1AS M .m =0,size c
2
AS M .m
c1AS M =size c
2
AS M
This function corresponds to the function asm-equal defined in [Tsy09].
B Relation The B-relation is stated as the parameterized equality with the right
amount of virtual memory between abstract guest machines gs and virtual guests re-
constructed from a given configuration cMX and from a given host machine cAS M . The
right amount of virtual memory is computed as PAGE SIZE ·(MAX PPX+1) as we know
that each guest has such an amount of memory (from the implementation details of
the BHV program [AHPP10])
J DEFINITION 6.9
B RelationB :: (N 7→ CASM) ×CMX ×CASM × N 7→ bool)
∀ gid < ng. G(gid, cMX, cAS M) =PAGE SIZE·(MAX PPX+1) gs(gid)
B(gs, cMX, cAS M , ng)
98 Small Hypervisor Correctness
6.3.3 Implementation Invariants
We require a number of invariants to be hold over the BHV data structures during
the execution of BHV code and guests. That is why we call them implementation
invariants and we formally define them in the following.
Almost all implementation invariants examined here have been stated in [AHPP10].
Here we present them in our framework.
Page Table Entries Invariants
We first define auxiliary functions before presenting page table invariants. The func-
tions
PX(a) def= a / PAGE SIZE
and
PA(x) def= x · PAGE SIZE
defined in [AHPP10] return the page index of a given address a and the start address
of the page indicated by a given page index x, respectively.
The predicate v bus error(a, ptl) described in [AHPP10] indicates whether a given
address a is outside of the page table with a given length ptl.
DEFINITION 6.10 I
Bus Error
v bus error :: N × N 7→ bool
ptl < PX(a)
v bus error(a, ptl)
The predicate in-pt(x, pto, ptl) defined in [AHPP10] indicates whether a given
page index x falls into the page table identified by a given page table origin pto and a
given page table length ptl.4
DEFINITION 6.11 I
In Page Table
in-pt :: N × N × N 7→ bool
x ∈ {pto, . . . , pto + ptl/1024}
in-pt(x, pto, ptl)
The function ptea vpx(pto, x) defined in [AHPP10] computes the address of PTE
corresponding to a given page index x in the page table with a given page table origin
pto.
DEFINITION 6.12 I
PTE Physical Address
ptea vpx :: N × N 7→ N
ptea vpx(pto, x) def= PA(pto) + 4 · x
Host PTE Invariant The invariant is indicated by the predicate inv hpt entry(x, gid, cMX)
defined in [AHPP10]. It states a few conditions on the host PTE with index x of the
guest gid of the BHV implementation configuration cMX. We introduce a few short-
hands:
• hpte = HPTE(x, gid, cMX) is a host PTE,
4The size of a single memory page is 1024 words (4096 bytes) and the size of a single page table entry
(PTE) is 1 word (4 bytes). So that, there are 1024 PTEs per a single page.
6.3. Correctness 99
• spr = PCB(gid, cMX).spr is SPRs from the PCB corresponding to the guest gid.
to make nice and brief the host PTE invariant definition. The invariant states that the
host PTE hpte must
• c1: be valid (vPT E(hpte)),
• c2: point to the guest page x as stored on the host
ppxPTE(hpte) = GMO(gid, cMX) + x.
This condition indicates that the BHV program maintains the linear address
translation for guests.
• c3: be protected if covered by the guest’s page table
pPT E(hpte)←→ in-pt(x, spr[pto], spr[ptl])
The listed above conditions build the host PTE invariant which are gathered to-
gether in the predicate defined below.
J DEFINITION 6.13
Host PTE Invariantc1 c2 c3
inv hpt entry(x, gid, cMX)
Shadow PTE Invariant The invariant is covered by the predicate inv spt entry(x, gid, cMX)
that was defined in [AHPP10]. We introduce a few shorthands
• spr = PCB(gid, cMX).spr is SPRs from the PCB corresponding the guest gid
• spte is a shadow PTE corresponding to the page index x of the guest gid and is
computed as SPTE(x, gid, cMX),
• gpte vpx = ptea vpx(spr[pto], x) is the address of the guest PTE x, and
• gpte = [hv → g[gid] → gm[gpte vpx]]pi,θcMX is the guest PTE.
to define this invariant in a nice and brief way. So the invariant states that the shadow
PTE spte must:
• c1 : The shadow SPT spte is valid if and only if the translation yields no guest
bus error, the page index of the guest PTE does not exceed the maximum num-
ber of page indices allowed for the guest gid, and the guest PTE is valid.
vPT E(spte) ←→ ¬v bus error(gpte vpx,MVPX(gid, cMX))
∧ ppxPTE(gpte) ≤ MVPX(gid, cMX)
∧ vPT E(gpte)
• if the shadow PTE is valid, then
– c2: it points to the host page designated by guest
ppxPTE(spte) = ppxPTE(HPTE(ppxPTE(gpte), gid, cMX))
– c3: it is protected if the guest page is protected or part of the guest page
table.
pPT E(gpte) ∨ in-pt(ppxPTE(gpte), spr[pto], spr[ptl]) −→ pPT E(spte)
100 Small Hypervisor Correctness
Based on the conditions c1, c2 and c3 introduced above the shadow PTE invariant
defined as:
DEFINITION 6.14 I
Shadow PTE Invariant
c1 vPT E(spte) −→ c2 ∧ c3
inv spt entry(x, gid, cMX)
The invariants presented above are stated over a single PTE. Thus, we define the
predicate pt-inv(cMX, cAS M , ng), called page table (or address manager) invariant, that
requires host PTE and shadow PTE invariants to hold over all host- and shadow PTEs
of all guests supported by BHV.
DEFINITION 6.15 I
Address Manager Invariant
∀ gid < ng. ∀ x < MPPX(gid, cMX). inv hpt entry(x, gid, cMX,G(gid, cMX, cAS M))
∀ gid < ng. ∀ x < PCB(gid, cMX).spr[ptl]. inv spt entry(x, gid, cMX,G(gid, cMX, cAS M))
pt-inv(cMX, cAS M , ng)
Code Invariant
The code invariant states that a given compiled program code in f oMX.code resides at
address in f oMX.codeba in the memory of the host machine cAS M and a given compiled
boot code codeboot resides at the first memory page in memory of the host machine.
Both codes are represented as a list of assembly instructions.
DEFINITION 6.16 I
Code Invariant
∀ i < |codeboot |. int-to-instr(cAS M .mword(i · 4)) = codeboot[i]
∀ i < |in f oMX.code|. int-to-instr(cAS M .mword(in f oMX.codeba + i · 4)) = in f oMX.code[i]
code-inv?(in f oMX, codeboot, cAS M)
Guest Steps
Here we present the invariant when the guest gid is being executed on the host machine
cAS M . This invariant is captured by the predicate
guest-inv(gid, cMX, cAS M) :: N ×CMX ×CASM 7→ bool
and this predicate guest-inv(gid, cMX, cAS M) comprises the following conditions:
• c1: A given guest id gid is indeed the current one. It is checked by looking up
the pointer to the current guest PCB and comparing it with the address of the
PCB corresponding to the guest gid.
[hv → cg]pi,θcMX = [hv → g[gid]]pi,θcMX
• c2: The stack base address stored in the BHV program equals to the sum of
DS START and DS SIZE, i.e.
val2Nat([hv → sba]pi,θcMX ) = DS START + DS SIZE
• An active guest runs either in guest system mode or in guest user mode. The
content of SPRs pto and ptl of the host machine cAS M depends on the execution
mode of the guest gid. The execution mode of the guest is stored in the SPR
mode in the PCB corresponding to the guest gid.
If the guest gid runs in guest system mode, then
6.3. Correctness 101
– c3: SPRs pto and ptl of the host cAS M have values of the host PTO and the
maximum number of PTEs per HPT, respectively, which are stored in the
PCB corresponding to the guest gid
cAS M .spr[pto] = HPTO(gid, cMX)
cAS M .spr[ptl] = MPPX(gid, cMX)
In case the guest gid runs in guest user mode the following holds:
– c4: SPRs pto and ptl of the host have values of the shadow PTO and the
SPR ptl, respectively. The latter is stored in the PCB corresponding to the
guest gid.
cAS M .spr[pto] = SPTO(gid, cMX)
cAS M .spr[ptl] = PCB(gid, cMX).spr[ptl])
• c5: memory of the cMX and cAS M machines are the same in:
– the address space not intersecting with the memory address space of a
given guest gid:
a < [GMO(gid, cMX), ..,GMO(gid, cMX) + PA(MAX PPX + 1))
−→ cMX.M(a) = cAS M .m(a)
– the address space where the guest page table of a given guest gid resides:
a ∈ [PCB(gid, cMX).spr[pto], .., PCB(gid, cMX).spr[pto] + PA(PCB(gid, cMX).spr[ptl])]
−→ cMX.M(a) = cAS M .m(a)
The conditions c1, c2, c3, c4 and c5 form the guest implementation invariants de-
fined as follows:
J DEFINITION 6.17
Guest Execution
Implementation Invariants
c1 c2 c5
system?(PCB(gid, cMX).spr[mode]) −→ c3
user?(PCB(gid, cMX).spr[mode]) −→ c4
guest-inv(gid, cMX, cAS M)
6.3.4 Putting Implementation Invariants Together
We gather all implementation invariants that must hold during guest steps in the pred-
icate impl-invuser. So during the guest steps the following must hold: code invariant,
page table(address manager) invariants, and guest execution invariants.
J DEFINITION 6.18
Guest Execution Invariantscode-inv?(in f oMX, codeboot, cAS M)
pt-inv(cMX, cAS M , ng)
guest-inv(cHV.cg, cMX, cAS M)
impl-invuser(cHV, cMX, in f oMX, codeboot, cAS M , ng)
The predicate impl-invhv contains all implementation invariants that must hold dur-
ing the BHV execution: code invariant, page table(address manager) invariants, and
the MX compiler consistency. Where the MX compiler consistency must hold if the
active context of a given MX machine is of µASM type or if the active context of a given
102 Small Hypervisor Correctness
MX machine is of C-IL type and the current statement to be executed by the MX ma-
chine is an IO point.
DEFINITION 6.19 I
BHV Execution Invariants code-inv?(in f oMX.code, in f oMX.codeba, codeboot, cAS M)
pt-inv(cMX, cAS M , ng)
cMX.ac ∈ contextµASM −→ consisMX(cMX, in f oMX, cAS M)
cMX.ac ∈ contextC-IL ∧ in f oMX.iop(cMX. ftop, cMX.loctop) −→ consisMX(cMX, in f oMX, cAS M)
impl-invhv(cHV, cMX, in f oMX, codeboot, cAS M , ng)
We collect all implementation invariants that must hold during guest and hypervi-
sor steps in the predicate impl-inv? defined as:
DEFINITION 6.20 I
Implementation Invariants user?(cAS M .spr[mode]) −→ impl-invuser(cHV, cMX, cAS M , cHV.cg)
system?(cAS M .spr[mode]) −→ impl-invhv(cHV, cMX, cAS M)
impl-inv?(cHV, cMX, in f oMX, codeboot, cAS M , ng)
6.3.5 Correctness Theorem
THEOREM 6.21 I
BHV Correcntess
Let pi be a MX program representing a given BHV program, c0AS M be the initial state
of a host and c0HV = c
init
HV be the initial state of a BHV machine. Then for any sequence
of the BHV machine c0HV, c
1
HV, . . ., there exists a host machine sequence: c
0
AS M , c
1
AS M ,
. . . and a mixed machine sequence c0MX, c
1
MX, . . . that does not get stuck and does not
produce a stack overflow. Moreover, for any number steps i of the BHV machine there
exists a corresponding mixed machine state cs(i)MX and a host machine state c
t(i)
AS M , such
that the B relation and the implementation invariants hold. However, the B relation
and the implementation invariants holds if the following preconditions on the BHV
program pi, the mixed machine cMX, and the host machine cAS M hold:
• the µASM procedure ” main” is declared in the BHV program pi and it resides at
the program base address in f oMX.codeba in memory. Formally,
in f oMX.codeba = in f oMX. f unba(” main”)
• the BHV handler C-IL function ”hv disptach” is declared as external in the µASM
procedure table and as non-external in the C-IL function table of the program pi.
Formally,
pi.piµASM (”hv disptach”).body = extern
and
pi.piC-IL.F (”hv disptach”).P , extern
• the number of input parameters to the BHV handler is 2 and they are of integer
types. Since parameters passed at external calls in the MX semantics can only
be of integer types we do not state the second condition.
pi.piC-IL.npar = 2
6.3. Correctness 103
• The following constraints are put on the BHV parameters:
NG ≤ 8
∧ DS START + DS SIZE < 232 − 1
2∧ DS SIZE ≥ sizeθ(hv t) + 4096 + 4096+
NG · (sizeθ(guest t)+
((MAX PPX + 1) · 4 + 4096 + (MAX VPX + 1) · 4+
4096 + (MAX PPX + 1) · PAGE SIZE · 4 + 4096))
Note the data segment must be big enough to contain the BHV data structures
as well as the stack for the BHV program (cf. Fig. 6.1).
• a boot code codeboot ∈ Instr∗ must be residing in the first memory page of the
host machine cAS M .
∀ i < |codeboot |. int-to-instr(cAS M .mword(i · 4)) = codeboot[i]
Here we do not present how the boot code is exactly implemented but we de-
scribe how it must be implemented for the proof.
Formally, this theorem is stated as follows:
∃ in f oMX. ∀ (ciAS M)i,∃(ciMX)i,∃(ciHV)i).
(∀ i. ci+1AS M = δASM(ciAS M)∧ pi, θ ` ciMX →MX ci+1MX∧ ci+1HV = δHV(ciHV, NG)
∧ the execution of cMX does not get stuck
∧ there is no stack overflow)
∧ ∃ s :: N 7→ N. ∃ t :: N 7→ N.
(∀ i. (B(ciHV, cs(i)MX, ct(i)AS M , NG))
∧ impl-inv?(ciHV, cs(i)MX, in f oMX, codeboot, ct(i)AS M , NG))
Proof : We split the proof according to various types of steps which can take place
in the BHV model: guest and hypervisor steps which are performed in host user- and
-system modes, respectively (cf. Fig. 7.5).
We prove the theorem by induction on the number BHV steps i:
• Base case (i = 0). The BHV configuration c0HV is in the init state (from pre-
conditions to the theorem). The corresponding to the MX machine state is at
the point when the first guest loaded on the host starts to run on the host.5 For
that, we need to argue about all steps done by the host machine and the mixed
machine before this point. The proof of this case will be presented later on.
• Induction step (i −→ i + 1). There are two possible steps that can take place
at (i+1)-th step of the BHV machine: guest step or hypercall. Hypercalls are
invoked through trap interrupts during guest steps. Right now, in the BHV
model a single hypercall is supported that schedules the next guest to run. To
prove the induction step we need to show that the (i+1)-th step made by the
5the execution of the whole system starts from the beginning after the reset signal happens
104 Small Hypervisor Correctness
Boot ISR 2JISR
user  mode user modesystem mode
hv_dispatch()
RFEcasm
chv
consisMX
cMX
ISR1
call
consisMX
Figure 6.2: Guest and BHV Steps
BHV machine is consistent with the MX machine and the host after s(i + 1) and
t(i + 1) steps, respectively.
6.3.6 Reset Case
After the reset signal has occurred the host machine c0AS M starts the execution from
address 0. We know that the boot code resides in memory starting from address 0. So
the host machine starts the execution with the boot code. After executing boot code
for the reset case the host jumps into the middle of the first part of the BHV interrupt
service routine that sets up the stack pointers. Next the BHV handler is invoked to
handle reset interrupt. After handling the reset interrupt the registers of the scheduled
guest gets loaded on the host. After all the return from exception instruction is exe-
cuted by the host machine and the guest loaded before starts its execution. Figures 6.3
and 6.6 depict the aforementioned execution scenario6:
• c0AS M is the host machine state after reset signal, but before execution of any
instructions from the boot code,
• c1AS M is the host machine state after executing the boot code,
• c2AS M is the host machine state after setting up stack pointers and c2MX is a MX
machine state that is consistent with the host machine state c2AS M .
• c3MX is the MX machine state after passing input parameters to the BHV handler,
but before the call.
• c4MX is the MX machine state after the reset interrupt was handled by the BHV
handler, and
6indexed machine states do not correspond to indexed machine states from the theorem
6.3. Correctness 105
bootJISR
system mode
casm
1
cMX
2
setup stack
CALL
consisMX
casm casm
2
cMX
3cMX
1
consisMX
Figure 6.3: Boot + ISR1 (Reset)
• c5AS M is the host machine state after loading the scheduled guest on the host and
executing the instruction rfe.
From preconditions we know that initially the memory of the host machine look
likes as it is depicted in Fig. 6.4a.
Boot
First instructions of the boot code perform the test on reset interrupt. The test is
done by reading the value of the special cause register. In case of reset the boot
code stores the compiled BHV code at address PROG BASE ADR. Also it saves BHV
parameters which BHV will use to initialize its data structures. As a result of the
boot code execution for the reset case we have: (i) the compiled code of the BHV
program pi resides at the base address PROG BASE ADR, (ii) the BHV parameters are
encoded in the first word of the data segment in memory (cf. Figure 6.5), (iii) the boot
code computes the stack base address and saves it in the second word of the scratch
memory (second physical memory page), (iii) the memory region which is reserved
for BHV data structures including the stack region do not intersect with the memory
region where the compiled BHV code resides. After executing the boot code the host
machine gets updated and we denote the state of the update host machine as c1AS M
and the memory of the update host machine looks like as it is depicted in Fig. 6.4b.
Formally, Lemma 6.22 states what was updated in the host machine.
J LEMMA 6.22
After Booting
Reset Case
system?(c1AS M .spr[mode])
code-inv?(in f oMX, codeboot, c1AS M)∧ 〈c1AS M .m(DS START)〉8 = NG∧ 〈c1AS M .m(DS START + 1)〉8 = MAX PPX/212∧ 〈c1AS M .m(DS START + 2)〉8 = MAX VPX/212∧ 〈c1AS M .m(DS START + 3)〉8 = DS SIZE/224∧ 〈c1AS M .mword(4100)〉32 = DS SIZE + DS START∧ [DS START, .., DS START + DS SIZE] ∩
[in f oMX.codeba, .., in f oMX.codeba + 4 · |in f oMX.code|) = 
106 Small Hypervisor Correctness
BOOT
SISR
scratch
4k
8k
(a) Before Boot
BOOT
SISR
scratch
4k
8k
BHV Parameters
BHV Code
PROG_BASE
(b) After Boot
BOOT
SISR
Scratchy
memory4k
8k
BHV Data 
Structures
STACK_BA
DS_START
BHV Stack
BHV Code
....
PROG_BASE
DS_START + DS_SIZE
(c) Initialized BHV
Figure 6.4: Memory Snapshots
0
MAX_PPX / 2^12MAX_VPX /2^12 NGDS_SIZE / 2^24
123bytes
Figure 6.5: BHV Parameters Encoded in a Single Word
ISR1: Set Up Stack Pointers
After the boot code performed the initialization it jumps to the compiled BHV pro-
gram by skipping a few instructions (lines 1-13 in Listing 6.4) which are not relevant
for handling reset interrupt. Moreover their execution can destroy the code invariant
as these instructions writes to non-existing PCB in memory and we cannot predict
what will be updated without providing additional instructions (i.e. extending the im-
plementation with new instructions). Note that PCBs of guests are allocated and ini-
tialized after the handling the reset interrupt by the BHV handler that was not called
yet.
After jumping to the interrupt service routine we can easily construct the MX ma-
chine c1MX (without stack) corresponding to (consistent with) the host machine c
1
AS M .
c1MX.M = c1AS M .m
c1MX.ac.gpr = c
1
AS M .gpr
c1MX.spr = c
1
AS M .spr
c1MX.stack = (” main”, 39),
c1MX.sc = []
The procedure name and location counter of no-stack of the newly constructed
MX machine is the µASM procedure ” main” of the BHV program pi and 39, respec-
tively. The implementation of the µASM procedure ” main” is listed in Listing 6.4. The
6.3. Correctness 107
location 39 in this procedure corresponds to the instruction at line 15 in Listing 6.4.7
Before we can proceed further we need to show that the MX configuration c1MX and
the host machine c1AS M are consistent, i.e. consisMX(c
1
MX, in f oMX, c
1
AS M) holds. We go
through all sub-consistencies of the MX consistency and show them:
• The program counter consistency follows from the assumption over the static
info in f oMX, the construction of the MX configuration c1MX and the content of
the program counters of the host machine c1AS M .
• The return address consistency holds by the construction of the MX configura-
tion c2MX (as the stack is not set up in the configuration c
1
MX).
• The register consistency: By the construction of the MX configuration c1MX all
GPRs and SPRs of the MX configuration c1MX and of the host machine c
1
AS M are
the same. Thus this consistency holds, too.
• The code consistency follows from the code invariant (lemma 6.22).
• The stack consistency holds as the stack is not set up in the configuration c1MX.
• The memory consistency holds as memories of c1MX and c1AS M are identical (by
the construction of c1MX).
After jumping from the boot code to the interrupt service routine and constructing
the MX machine the following lemma must hold:
J LEMMA 6.23
Constructed MX MachineconsisMX(c1MX, in f oMX, c
1
AS M)∧ ¬is stack(c1MX)∧ lemma 6.22 for c1AS M
So after executing the code (lines 16-23 in Listing 6.4) that sets up stack pointer
registers of the MX machine and frame header in memory of this machine the follow-
ing lemma must hold
J LEMMA 6.24
After Setting Up
Stack Pointers
c2AS M .gpr[bp] = DS START + DS SIZE∧ c2AS M .gpr[sp] = DS START + DS SIZE∧ consisMX(c2MX, in f oMX, c2AS M)∧ is stack(c2MX)∧ lemma 6.22 for c2AS M
ISR1: Pass Parameters
Further we continue the execution of instructions in lines 26-27 in Listing 6.4. These
instructions save the cause and exception data registers in the input registers i0 and i1 ,
respectively, of the MX machine and we get an update machine c3MX. Here we followed
the rule CCL.1 before calling a function that will be handling the reset interrupt. After
passing parameters the lemma 6.25 must hold.
J LEMMA 6.25
Input Parameters
Are Passed
c3MX.ac.gpr[i1] = c
2
MX.spr[eca]∧ c3MX.ac.gpr[i0] = c2MX.spr[edata]∧ lemma 6.24 for c3MX and c3AS M
7There are 27 instructions which are represented as dots at line 8 in Listing 6.4.
108 Small Hypervisor Correctness
system mode
casm
4
cMX
4
rfe
consisMX
restore guest
casm
5
Figure 6.6: ISR2
ISR1: Call BHV Handler
The next instruction to be executed (line 29 in Listing 6.4) by c3MX is a call instruction.
The external C-IL function hv dispatch gets called from the µASM context of the MX
machine c3MX. In order to perform such a call to the function it is enough to have this
function declared as external in the µASM procedure table and non-external in the C-IL
function table of the BHV program pi. At this place we can see what we gain from hav-
ing the MX semantics: no additional argumentions and proves are required to perform
this external call. During the execution of the called function hv dispatch the host is
still operating in system mode, the code invariant holds, and the MX consistency holds
at IO points.
ISR2: After Handling the Reset Interrupt
After handling the reset interrupt by the BHV handler the following is done: (i) the
BHV data structures are allocated, (ii) guest data structures including PCBs, host PTEs
and shadow PTEs are initialized, (iii) the first guest is scheduled to run on the host.
Lemma 6.26 states what must hold after returning from the BHV handler.
LEMMA 6.26 I
After Handling Reset
by BHV C Function
system?(c4AS M .spr[mode])∧ code-inv?(in f oMX, codeboot, c4AS M)∧ consisMX(c4MX, in f oMX, c4AS M)∧ B(cinitHV .gs, c4MX, c4AS M , NG)∧ pt-inv(c4MX, c4AS M , NG)∧ conditions c1, c2 and c5 of guest-inv(cinitHV .cg, c4MX, c4AS M)∧ is stack(c4MX)∧ |c4MX.ac.s| = 1∧ c4MX.ac.s[0].li f o = []
6.3. Correctness 109
ISR2: Load Guest and RFE (Common to Reset and Non-Reset)
Next, a guest, scheduled to be run on the host, gets loaded on the host, i.e. the guest
context from the corresponding PCB gets restored on the host machine. It is per-
formed by instructions in lines 31-59 in Listing 6.4. After loading the guest context
from the corresponding PCB residing in memory of the MX machine c4MX on the host
the stack pointers of the host machine gets overwritten, i.e. the stack of the MX ma-
chine gets destroyed. But it does not prevent to continue the execution in the µASM
semantics since the stack of the MX machine was empty before the stack pointers
were overwritten (by Lemma 6.26 and the µASM semantics).
The next instruction to be executed by the host is a return from exception instruc-
tion that switches the host execution mode to user and restores exception registers to
normal ones. From [AHPP10] we know that cinitHV .cg = 0. After restoring the guest on
the host and performing the return from the exception (cf. Figure 6.6) Lemma 6.27
must hold.
J LEMMA 6.27
After RFEuser?(c5AS M .spr[mode])∧ code-inv?(in f oMX, codeboot, c5AS M)∧ B(cinitHV .gs, c5MX, c5AS M , NG)∧ pt-inv(c5MX, c5AS M , NG)∧ guest-inv(cinitHV .cg, c5MX, c5AS M)∧ ¬is stack(c5MX)
The reset case was completely considered from the reset signal until the scheduled
guest starts to run on the host. At this point the proof of the BHV program for the reset
case is completed and with that we have proven the base case of the theorem.
6.3.7 Induction Step
The lemma stated below is the statement that we need to prove for the induction step
of the main theorem.
J LEMMA 6.28
Statement for Induction Step
(Without Preconditions)
B(ci+1HV ), cs(i+1)MX , ct(i+1)AS M , NG)
∧ impl-inv?(ci+1HV , cs(i+1)MX , in f oMX, codeboot, ct(i+1)AS M , NG))
We conclude this statement from the main theorem holding for i and all precondi-
tions to the main theorem. Here we make case distinctions on what will be executed
by the active guest ciHV.cg of the BHV machine state c
i
HV:
• it invokes a hypercall. This case is indicated by the followings:
– the active guest runs in system mode:
system?(cHV.gs(cHV.cg).spr[mode])
– the instruction to be executed by the guest ciHV.gs(ciHV.cg) is a trap instruc-
tion.
In this case we need to show that the BHV implementation saves the context of
the currently running guest ciHV.cg and schedules the next guest to run (c
i+1
HV =
ciHV.cg + 1 mod NG). The detailed proof for this case will be presented later on.
110 Small Hypervisor Correctness
save guestJISR
system mode
casm
0
cMX
2
setup stack
CALL
boot
consisMX
casm
1 casm
2
cMX
1
consisMX
Figure 6.7: Boot + ISR1 (Non Reset)
• it executes an instruction (that is not a hypercall). Since the guest step emulation
is not visible in the BHV model, but it is visible in the BHV implementation. We
consider the effect of the instruction execution on the host machine ct(i)AS M . The
host machine ct(i)AS M will be executing the same instruction as the active guest
of the BHV machine ciHV (by the induction hypothesis). If the execution of this
instruction by ct(i)AS M does not cause any interrupt, then we can easily conclude
that Lemma 6.28 holds with s(i + 1) = s(i) and t(i + 1) = t(i) + 1 from the
following:
– Any try to change SPRs of the host will result into an interrupt as the host
machine ct(i)AS M operates in user mode (by the BHV implementation and the
VAMP assembly semantics).
– The data structures of the BHV implementation, the compiled code of
the BHV program pi with the boot code residing in memory cannot be
corrupted as the guest running on the host works in its own memory space.
That is, it is shown by the address manager invariants.
– The HPTEs and SPTEs are protected with the corresponding bit for each
valid PTE. Thus, any try to change them causes a page-fault.
If the execution of the instruction by the host machine ct(i)AS M causes an inter-
rupt, then we need to show that the BHV implementation correctly emulates (or
injects) the caused interrupt so that Lemma 6.28 holds.
In the following we present the proof for the case when the execution of the in-
struction causes an interrupt. Here we also treat the case with a hypercall as the only
way to invoke a hypercall is possible with the execution of a trap instruction which
causes a trap interrupt. Recall the VAMP assembly semantics from Chapter 2 that
JISR is performed when an interrupt happens.
JISR
After an interrupt occurred the host machine performs JISR and we denote the new
host state by c0AS M (cf. Figure 6.7). The host starts to operate in system mode, before
6.3. Correctness 111
it was operating in user mode. Since we have proven the correctness of the BHV
program for the reset case we assume here that the happened interrupt is not a reset
interrupt. After JISR we have almost the same invariants as in guest steps, except
for the B-relation and the host execution mode. In case of a non-continue interrupt
the exception program counters of host machine point to the instruction caused this
interrupt. In this case we still have B-relation holding with undone effect of JISR on
the host machine.
That is,
B(c0HV.gs[c0HV.cg := jisr−1(c0HV.gs(c0HV.cg))], c0MX, jisr−1(c0AS M), NG)
where the function jisr−1 is undoing the effect of JISR over a given VAMP assembly
configuration c:
jisr−1(c) def= c

pc := c.spr[epc],
dpc := c.spr[edpc],
spr :=
[
mode := c.spr[emode],
sr := c.spr[esr]
]

In case of a continue interrupt after performing JISR the exception program coun-
ters of the host machine point to an instruction following the instruction caused this
interrupt. Formally,
B(c0HV.gs[c0HV.cg := g′], c0MX, jisr−1(c0AS M), NG)
where g′ is the active guest with the increased program counters after the effect JISR
was undone. We define g′ with g = jisr−1(c0HV.gs(c
0
HV.cg)) as
g′ = g
[
dpc := g.pc,
pc := g.pc + 4
]
After JISR was performed by the host Lemma 6.29 must hold:
J LEMMA 6.29
After JISR
system?(c0AS M .spr[mode])∧ code-inv?(in f oMX, codeboot, c0AS M)∧ non-continute interrupt −→
B(c0HV.gs[c0HV.cg := jisr−1(c0HV.gs(c0HV.cg))], c0MX, jisr−1(c0AS M), NG)∧ continue interrupt −→
B(c0HV.gs[c0HV.cg := g′], c0MX, jisr−1(c0AS M), NG)∧ pt-inv(cMX, c0AS M)∧ guest-inv(cHV.cg, c0MX, c0AS M)
Boot
Next, the boot code performs the check on reset interrupt as it was done in the reset
case. Since it is assumed that a non-reset interrupt happened the boot code jumps to
the beginning of the interrupt service routine of the BHV program. The host machine
c1AS M corresponds to point at which the boot code was executed for the non-reset case
(cf. Figure 6.3). Lemma 6.30 states what must hold after executing the boot code for
a non-reset interrupt.
J LEMMA 6.30
After Booting
Non-Reset Interrupt
lemma 6.29 for c1AS M
112 Small Hypervisor Correctness
ISR1: Save Guest and Set Up Stack Pointers
After jumping to the interrupt service routine of the BHV program we construct the
MX machine corresponding to the host machine state c1MX.
The execution of the MX machine proceeds with instructions from Listing 6.4
(lines 1-14). These instructions save the guest context from the host machine into the
PCB corresponding to the active guest so that we do not change any other guests’ PCB
as well as the other components of the BHV components. Thus, the address manager
invariants are not destroyed because HPTEs and SPTEs of all guests are not changed.
The next instructions to be executed set up the stack pointers. So after saving the
guest context in the corresponding PCB in memory and setting up the stack pointers
(cf. Figure 6.3) the following lemma must hold
LEMMA 6.31 I
Save Guests and
Set Up Stack Pointers
system?(c2AS M .spr[mode])∧ code-inv?(in f oMX, codeboot, c2AS M)∧ consisMX(c2MX, in f oMX, c2AS M)∧ non-continute interrupt −→
B(c0HV.gs[c0HV.cg := jisr−1(c0HV.gs(c0HV.cg))], c2MX, c2AS M , NG)∧ continue interrupt −→ B(c0HV.gs[c0HV.cg := g′], c2MX, c2AS M , NG)∧ pt-inv(c2MX, c2AS M , NG)∧ guest-inv(cHV.cg, c2MX, c2AS M)
ISR1: Pass Parameters and Call BHV Handler
The next step to be performed is to pass exception data and cause registers in the cor-
responding input registers and only then the BHV handler is called. We have already
seen these steps when we have treated the reset case.
ISR2: After Handling Non-Reset Interrupt
After handling a non-reset interrupt by the BHV handler the following lemma must
hold
LEMMA 6.32 I
After Handling Interrupt
by BHV C Function
system?(c3AS M .spr[mode])∧ code-inv?(in f oMX, codeboot, c3AS M)∧ consisMX(c3MX, in f oMX, c3AS M)∧ B(cinitHV .gs, c3MX, c3AS M , NG)∧ pt-inv(c3MX, c3AS M , NG)
ISR2: Restore Guest and RFE
We have already treated instructions that restores the guest context on the host in the
proof of the base case of the theorem.

C
H
A
P
TE
R
7
Assembly Verification Approach
S.Schmaltz and me initially started to work on the soundness of an assembly verifica-
tion approach like presented in [MMS08] two years ago. By this time there were no
semantics for languages like µASM and MX and there was not so much progress done
on this topic except for ideas that motivated S.Schmaltz and me to invent the afore-
mentioned semantics. The rest of this chapter is considered as a contribution to the
thesis.
Here we present our translation-based approach for verifying programs, written in
a low-level C programming language (like C-IL) and high-level assembly (like µASM),
with a general purpose C verifier (like VCC1). Using this approach we can verify µASM
code portions together with C code portions using VCC, where C functions call µASM
procedures and vice versa. This approach is not about how to verify C code, but it
is about how to create an environment in which the correctness of the µASM assembly
portions can be shown and then can be used to show the correctness of a complete
mixed program without any additional effort.
During the work on this topic two meaningful approaches were pointed out to ver-
ify µASM portions of mixed programs. The first approach based on a hardware simula-
tor implemented in C. This simulator should completely correspond to the hardware
we want to operate on. Note that the hardware simulator uses the same C memory as
the C portions of mixed programs. The assembly verification itself concludes in the
execution of the hardware simulator (golden model) implemented in C running over
the assembly code located in C memory. That is, no translation of assembly instruc-
tions to C statements is required. The advantage of this approach is the verification of
self-modifying code. But the disadvantage is that the assembly verification becomes
less transparent to a verification engineer. Definitely, such a disadvantage destroys
what a verification engineer really wants to have, namely the verification transparency
for searching bugs and stating top level correctness statements.
The second approach, called simulation approach, is based on the translation of
1VCC is an automatic verifier for low-level and concurrent C with contracts developed at Microsoft
[Cor08]
113
114 Assembly Verification Approach
(macro) assembly instructions into C statements which must simulate these instruc-
tions. The simulating statements operate on registers modeled in a so-called hybrid
memory2. Note that the simulating statements operate on the hybrid memory as well
as on the C memory. This approach was pioneered by Maus in [Mau11], but he didn’t
mention the hybrid memory which is one of important aspects to show the soundness
of this approach. The advantage of this approach is easy understanding and verifica-
tion of translated assembly code. A complicated soundness argument on this verifica-
tion approach can be considered as disadvantage in general. Maus didn’t provide any
formal specification of this approach and therefore no correctness proof was done.
We used the simulation approach to verify assembly and macro-assembly portions
of the simple hypervisor examined in Chapter 6. To justify the correctness of this
approach we first specify how we translate a MX program to a C-IL program. Then
the step-by-step simulation theorem is stated between MX programs and translated
programs with a sketch of this theorem’s proof.
7.1 Translating MX Programs To C-IL
Here we specify the translation of MX programs to C-IL programs which we will refer
to as translated programs in the rest of this chapter. As a result of this translation any
C verifier can be applied to verify these translated programs.
To have semantically equivalent MX and translated programs we need to model
all registers and stack frame components that can be accessed during the execution
of MX programs on MX machines. For that purpose we add a few global variables to
translated C-IL programs. These global variables are allocated in a memory region
that cannot be accessed by MX programs. Namely, this memory region must not
be accessed by any instructions(statements) of MX programs. To guarantee this we
assume that the working memory address space of MX programs is [0, .., 232) and the
newly added global variables to translated programs are allocated in memory within
the high memory address space (for instance it can be the region [232, .., 233)). We call
these global variables hybrid global variables and the memory where these hybrid
global variables are allocated hybrid memory.
7.1.1 Modeling Registers and Stack Frame Components
As it was already mentioned we model registers and components of abstract µASM stack
frames of a MX configuration with global hybrid variables in translated programs.
Obviously, there is no need to model components of C-IL stack frames in the translated
programs.
We model GPRs and SPRs of a MX machine in a straightforward way by two
hybrid global arrays gprhyb and sprhyb of size 32, respectively, whose elements are of
C-IL type i32.
We model components of µASM stack frames in the following way: there are three
components li f o, pars and saved of abstract µASM stack frames that we need to model
in the translated programs. The other components like the location counter and the
procedure name are modeled by the C-IL semantics itself. Each of three µASM stack
2The notion of a hybrid memory was introduced in the Verisoft XT project. This memory is used to
model some components like processor registers and stack which are not visible in a pure C code. It is a
counterpart to XCalls introduced in the Verisoft project.
7.1. Translating MX Programs To C-IL 115
ab
g
h
a
c
f
e
asm
C-IL
asm
asm
i
j
k
l
m
n
o
q
r
n o q r
n o q ri j k l m
n o q ra b c d e n o qf g h
d
a lifo element 
a saved element 
a pars element 
0-th stack frame
top stack frame
0
1
2
0
1
2
0
1
2
MX machine abstract stack
lifohyb
cnt lifo
cnt saved
saved hyb
parshyb
cnt pars
0 cnt pars−1
0 cnt saved−1
0 cnt lifo−1
Figure 7.1: Representation µASM Stack Components by Hybrid Variables
frame components that is needed to be modeled in the translated programs is repre-
sented by a pair of hybrid global variables representing a fixed size array and a counter
containing the number of ”meaningful” elements in this array.
• The component li f o is modeled by hybrid global variables li f ohyb and cntli f o.
• The component pars is modeled by hybrid global variables parshyb and cntpars.
• The component saved is modeled by hybrid global variables savedhyb and cntsaved.
Figure 7.1 depicts an example of the abstract call stack of an MX machine and the
content of these hybrid global variables. Note that the abstract call stack depicted in
this figure grows from bottom to top as well as the components of µASM stack frames.
7.1.2 Translation Function
Here we define the function
τMX2IL :: ProgMX 7→ ProgIL
that (i) first translates the implementation of all defined µASM procedures in the µASM
procedure table pi.piµASM of a given mixed program pi into the corresponding (and hope-
fully) equivalent C-IL implementations, (ii) updates the bodies of the corresponding
C-IL functions from the C-IL function pi.piC-IL table with these new translated imple-
mentations, (iii) adds hybrid global variables discussed in the previous section to the
116 Assembly Verification Approach
declaration list of global variables in the C-IL program pi.piC-IL, and (iv) returns the
updated C-IL program.
We first compute a new C-IL function table F ′ which contains the translated µASM
procedures and the original C-IL functions from a given MX program pi.
F ′( f ) =
F if pi.piµASM ( f ).body , externpi.piC-IL.F ( f ) otherwise
where F is a new C-IL function declaration obtained by the translation of a µASM
procedure f entity in the following way:
F =

rettype := void,
npar := n,
V :=
n︷                             ︸︸                             ︷
(pn−1, i32) ◦ . . . ◦ (p0, i32),
P := τµasm2c(pi.piµASM ( f ).body, f , pi.piµASM ))

where n = piµASM ( f ).npar is the number of input parameters to a µASM procedure f
and τµasm2c(il, f , pi) is a function that translates a given list of µASM instructions il that
represents the body of a given µASM procedure f from a given µASM procedure table pi
to its C-IL equivalent representation. We will define this function in the next section.
The translation function τMX2IL is defined as follows:
τMX2IL(pi)
def
= pi.piC-IL
[ VG := varshybrid ◦ pi.piC-IL.VG
F := F ′
]
where a list varshybrid of C-IL variable declarations contains the declaration of all
hybrid global variables modeling µASM stack components in C-IL:
varshybrid = (gprhyb, array(i32, 32)) ◦ (sprhyb, array(i32, 32)) ◦
(cntli f o,u32) ◦ (cntpars,u32) ◦ (cntsaved,u32) ◦
(li f ohyb, array(i32, LIFO SIZE)) ◦
(parshyb, array(i32, PARS SIZE)) ◦
(savedhyb, array(i32, SAVED SIZE))
Note that the constants LIFO SIZE, PARS SIZE, SAVED SIZE are parameters in
our approach and they represent the maximum size of the corresponding hybrid array.
These constants must be big enough to avoid a so-called buffer overflow that can
happen at an array access. We will return to this issue in Section 7.2 where we will
state the translation correctness.
The counters cntli f o, cntpars and cntsaved must be initialized with zeros before a
C-IL machine will start to run a translated program.
7.1.3 Translating µASM Procedure Bodies To C-IL
Here we define the recursive function
τµasm2c :: S∗µASM × Pname × ProgµASM → S∗
which was already introduced in Section 7.1.2. This function produces a list of C-IL
statements that must simulate a given list of µASM instructions. Also, this function
takes a procedure name and a µASM procedure table as input.
This recursive function starts the translation from the last instruction3 from a given
list of µASM instructions il and then makes recursion on the tail of the list il. A µASM
3Recall that hd(il) = il[|il| − 1]
7.1. Translating MX Programs To C-IL 117
instruction is translated into a list of C-IL statements by means of the function τµasmi2c.
When all instructions from the list il were translated this function adds the prologue
returned by the function prologue( f , pi). We define the functions τµasmi2c in the next
section. So that, the function τµasm2c is defined in the following way:
τµasm2c(il, f , pi)
def
=
τµasmi2c(hd(il), f , pi) ◦ τµasm2c(tl(il), f , pi) if il , []prologue( f , pi) otherwise
Translating a µASM Instruction To C-IL Statements
A single µASM instruction is translated into either a single C-IL statement or many C-IL
statements which we call simulating statements. The simulating statements perform
accesses to: (1) registers modeled by hybrid global arrays gprhyb and sprhyb, (2) mem-
ory, and (3) stack components modeled by hybrid global arrays li f ohyb, parshyb, and
savedhyb and counters cntli f o, cntpars and cntsaved.
The translation of a single µASM instruction is performed by the following function
τµasmi2c :: SµASM × Pname × ProgµASM → S∗.
This function takes a µASM instruction, a µASM procedure name and a µASM procedure
table as input and produces a list of C-IL statements whose execution must simulate
the execution of this µASM instruction. We will talk about the equivalent execution of
a µASM instruction and simulating C-IL statements in Section 7.2.
In the following we define the function τµasmi2c by case split on µASM instructions:
(i) VAMP assembly instructions modeled in µASM, (ii) goto instructions, (iii) push
and pop instructions, (iv) load and store parameter instructions, and (v) a call to a
procedure instruction, and (vi) a return from a call instruction. Note that the translation
of each instruction must obey the semantics defined in Chapters 3 and 5.
VAMP Assembly Instructions We define the function τµasmi2c for two VAMP assem-
bly instructions like add rd rs1 rs2 and sw rd rs1 imm. The rest of VAMP assembly
instructions modeled in µASM can also be easily translated into the corresponding C-IL
statements. Therefore, we omit their translations.
In Chapter 3 we defined the semantics when VAMP assembly instructions try to
change the content of one of GPRs bp and sp (cf. Table 3.1). In this case the stack
of a µASM machine is either created or destroyed. We model this effect by setting the
content of all hybrid counters to zeros and translating in translated programs.
The VAMP assembly instruction add rd rs1 rs2 gets translated into a single C-IL
statement that reads values stored at positions rs1 and rs2 in the hybrid array gprhyb,
sums up these read values, and updates the hybrid array gprhyb at position rd with this
computed sum. Here it is assumed that the destination register is neither GPR bp nor
GPR sp.
τµasmi2c(add rd rs1 rs2, p, pi) =
[
gprhyb[rd] = gprhyb[rs1] + gprhyb[rs2]]
]
If an instruction is going to change the content of one of GPRs bp and sp, then the
sequence of the simulating C-IL statements obtained by the translation of this VAMP
assembly instruction is extended with three C-IL statements setting hybrid counters
to zeros. For example, If the destination register of a VAMP assembly addition in-
struction is either GPR bp or GPR sp, then this instruction will be translated to the
following sequence of C-IL statements:
118 Assembly Verification Approach
n o q n o q
cnt lifo
...
cnt lifo−10
lifohyb
n o q n o q
cnt ' lifo
...
cnt ' lifo−10
lifohyb
cnt ' lifo=cnt lifo1
Before push
Afer push
Figure 7.2: Simulating Push in C-IL
Listing 7.1: C-IL Statements simulating a VAMP assembly instruction updating a
stack register
1 gprhyb[rd] = gprhyb[rs1] + gprhyb[rs2]
2 cntli f o = 0
3 cntpars = 0
4 cntsaved = 0
The VAMP assembly instruction sw rd rs1 imm gets translated into a single C-IL
statement that updates the memory at address gprhyb[rs1] + imm with the value stored
in gprhyb[rd]. Here it is assumed that rd < {bp, sp}.
τµasmi2c(sw rd rs1 imm, p, pi) =
[
∗((ptr(i32))(gprhyb[rs1] + imm)) = gprhyb[rd]
]
Goto Instructions The µASM goto instructions are translated to their equivalent C-IL
statements with translated target locations. The translation of a target location l is
done by means of the function LocationMX2IL(l, p, pi) which we will define later.
τµasmi2c(goto l, p, pi) =
[
goto LocationMX2IL(l, p, pi)
]
τµasmi2c(ifnez r goto l, p, pi) =
[
ifnot (gprhyb[r] == 0) goto LocationMX2IL(l, p, pi)
]
Push and Pop Instructions The instruction push r is translated into two C-IL state-
ments. The first C-IL statement updates the hybrid array li f ohyb at the position cntli f o
and the second C-IL statement increments the hybrid lifo counter cntli f o. Figure 7.3
depicts the corresponding changes done by these C-IL statements and we list these
C-IL statements below:
τµasmi2c(push r, p, pi) =
Listing 7.2: C-IL Statements Simulating the push r instruction
1 li f ohyb[cntli f o] = gprhyb[r]
7.1. Translating MX Programs To C-IL 119
...
6,33cm
pn−1p0 ...
0 cnt pars−1
parshyb
cnt pars11,33cm
n
cnt pars−n1
p1
Figure 7.3: µASM Parameters in C-IL
2 cntli f o = cntli f o + 1
The instruction pop r is translated into two C-IL statements that remove the last
saved element in the hybrid array li f ohyb, save it in the hybrid array of GPRs gprhyb at
the position r, and decrement the hybrid lifo counter cntli f o.
τµasmi2c(pop r, p, pi) =
Listing 7.3: C-IL Statements Simulating the pop r instruction
1 cntli f o = cntli f o − 1
2 gprhyb[r] = li f ohyb[cntli f o]
Load and Store Parameter Instructions The load parameter instruction lparam r i
is translated into a single C-IL statement that updates the hybrid array of GPRs gprhyb
at the position r with the value stored in the hybrid array of parameters parshyb at the
position corresponding to the i-th parameter4 of a given procedure p that is declared
in a given µASM procedure table pi. This position of an element to be read in the array
is computed as
cntpars − (n + 1) + i,
where n = piµASM (p).npar is the number of input parameters to a µASM procedure p.
Note that the hybrid array parshyb at the position cntpars − 1 contains the value of
the parameter with the highest index. Thus, the hybrid array parshyb at the position
cntpars − (n + 1) is the parameter with index 0 (cf. Figure 7.3).
τµasmi2c(lparam r i, p, pi) =
[
gprhyb[r] = parshyb[cntpars − (n + 1) + i]
]
The store parameter instruction sparam r i is translated into a single C-IL state-
ment that updates the hybrid array of parameters parshyb at the position corresponding
to the i-th parameter with the value stored in gprhyb[r].
τµasmi2c(sparam r i, p, pi) =
[
parshyb[cntpars − (n + 1) + i] = gprhyb[r]
]
Call Instruction We split the translation of the CALL f instruction into portions. The
first portion is present on the caller side, and the second portion, called prologue, is
present on the callee side. The prologue is added to the beginning of the C-IL function
4Recall that we index parameters from zero, i.e. i ∈ [0, .., pi( f ).npar − 1]
120 Assembly Verification Approach
n o...
cnt ' lifo=cnt lifo1
lifohyb q
cnt lifo
...
cnt lifo−10
k
...lifohyb
0 cnt ' lifo−1
cnt ' lifo
cnt ' lifo=cnt lifo−k
Figure 7.4: Decreasing the lifo counter
implementation obtained by the translation from a µASM procedure f . You can see it
in the definition of the function τµasm2c examined in Section 7.1.3.
On the caller side the CALL f instruction is translated into two C-IL statements. It
does not matter whether this is either a call to a µASM procedure or an inter-language
call to a C-IL function in a MX program. Thus for both cases we have the same C-IL
statements. The first statement decreases the lifo counter cntli f o by
k def=
0 if 4 < piµASM ( f ).nparpiµASM ( f ).npar − 4 otherwise ,
where k is the number of values passed through the hybrid lifo to a procedure f . The
second C-IL statement performs the invocation of a procedure f . The place where
input values to this call are stored is defined by the compiler calling convention CCL
introduced in Chapter 3. That is, the first four input values are taken from the input
registers and the rest is taken from the hybrid array li f ohyb. Note that before decre-
menting the lifo counter the parameter with the highest index was stored in the hybrid
array li f ohyb at the position cntli f o − k + 1 and the 4-th parameter was stored in the
same hybrid array at the position cntli f o − 1 (cf. Figure 7.4)
τµasmi2c(CALL f , p, pi) =
Listing 7.4: C-IL Statements Simulating the CALL f instruction
1 cntli f o = cntli f o − k
2 call f (gprhyb[i0], . . . , gprhyb[i3], li f ohyb[cntli f o + k − 1], .., li f ohyb[cntli f o])
On the callee side the instruction CALL f is translated to C-IL statements that
represent a prologue of a procedure f . The execution effect of these C-IL statements
is:
• values of hybrid GPRs whose indices are listed in the list uses = piµASM ( f ).uses
are saved in the hybrid array savedhyb starting from the position identified by
the saved counter cntsaved,
7.1. Translating MX Programs To C-IL 121
• the first four input parameters (if existent) of a given procedure f are saved in
the hybrid GPRs in the input registers,
• the rest of input parameters (if existent) are saved in right-to-left order in the
hybrid array of parameters parshyb starting from the position cntpars + 4. Note
that the positions cntpars, .., cntpars + 3 in the hybrid array of parameters are
reserved for input values passed in input registers gprhyb[i0], . . . , gprhyb[i3].
• the hybrid counters cntsaved and cntpars are increased by the number of elements
in the list uses and of input parameters to a procedure f , respectively.
prologue( f , pi) =
Listing 7.5: C-IL Statements Simulating the effect of the CALL f instruction on the
callee side
1 savedhyb[cntsaved] = gprhyb[uses0]
2 . . .
3 savedhyb[cntsaved + |uses| − 1] = gprhyb[uses|uses|−1]
4 gprhyb[i0] = p0
5 . . .
6 gprhyb[i3] = p3
7 parshyb[cntpars + 4] = p4
8 . . .
9 parshyb[cntpars + n − 1] = pn−1
10 cntsaved = cntsaved + |uses|
11 cntpars = cntpars + n
Return Instruction The ret instruction is translated to C-IL statements that perform
the following steps:
• it restores values of registers whose indices are listed in the list uses = piµASM ( f ).uses
from the hybrid array savedhyb,
• it decreases the hybrid parameter- and saved counters by the number of input
parameters taken by a given procedure p and the number of elements in the list
uses, respectively.
• it returns from a call.
τµasmi2c(ret, p, pi) =
Listing 7.6: C-IL Statements Simulating the ”inter-language” ret instruction
1 gprhyb[uses0] = savedhyb[cntsaved − |uses| + 1]
2 . . .
3 gprhyb[uses|uses|−1] = savedhyb[cntsaved − 1]
4 cntpars = cntpars − n
5 cntsaved = cntsaved − |uses|
6 return
122 Assembly Verification Approach
Recomputing Locations
After translating MX programs to C-IL programs we would like to have a function
that maps locations of instructions of µASM procedures from MX programs to the cor-
responding locations of simulating statements of translated procedures from translated
programs. This mapping is done by means of the function
LocationMX2IL :: N × Pname × ProgµASM 7→ N.
The definition of this function is based on the definition of functions
sizeMX2IL :: SµASM × Pname × ProcT → N,
and
sizeprologueMX2IL :: Pname × ProgµASM 7→ N
that return the number of C-IL statements needed to implement a given µASM instruc-
tion and a prologue for a given procedure p from a given µASM procedure table pi,
respectively. We first define the function sizeMX2IL by case split on µASM instructions:
• I ∈ Instrcut4µASM ∪ {goto l, ifnez r goto l}
sizeMX2IL(I, p, pi)
def
= 1
• I ∈ {push r, pop r, sparam r i, lparam r i, CALL f }
sizeMX2IL(I, p, pi)
def
= 2
• I = ret
sizeMX2IL(ret, p, pi)
def
= 3 + |uses|
The function sizeprologueMX2IL is defined as follows
sizeprologueMX2IL (p, pi)
def
= 2 + |uses| + npar.
In the following we can easily define the function LocationMX2IL as
LocationMX2IL(loc, p, pi)
def
= sizeprologueMX2IL (p, pi)+∑
i<loc sizeMX2IL(pi( f ).body[i], p, pi)
7.2 Simulation Theorem
In this section we present the simulation theorem which states the correctness of the
translation function τMX2IL defined in the previous section. An important aspect of the
simulation theorem is the simulation relation between states of the MX semantics and
states of C-IL semantics. To guarantee the semantically equivalent execution of MX
and C-IL machines running a MX program and its translated version, respectively, we
define the simulation relation relMX−IL indicating that both machines are consistent.
We also call this simulation relation translater consistency. Then we can prove the
correctness of this theorem by a stepwise simulation between both semantics.
The translater consistency relMX−IL comprises the register consistency rel
regs
MX−IL,
memory consistency relmemMX−IL, stack consistency rel
stack
MX−IL and control consistency
relcontrolMX−IL. The first three consistencies form a so-called data consistency. Note that
the memory consistency does not cover the content of hybrid variables in a C-IL ma-
chine memory. But the register and stack consistencies cover their content.
7.2. Simulation Theorem 123
cMX
c IL
rel
asmC-IL C-IL
Figure 7.5: Simulation Relation MX To C-IL
cMX.stacktop ∈ f rameµ −→ relregsMX−IL(cMX, cIL)
relstackMX−IL(cMX, cIL) rel
mem
MX−IL(cMX, cIL) rel
control
MX−IL(cMX, pi, cIL)
relMX−IL(cMX, cIL)
If the top stack frame of a MX machine cMX is of µASM type, then the register
consistency relregsMX−IL states that the content of registers of the two given MX- and
C-IL machines are the same. Recall that we model registers in the hybrid memory of
a C-IL machine with arrays. We do not require equality between stack registers of the
MX and C-IL machines in case the MX machine has a stack.
cMX.stacktop ∈ f rameµ
∀ i < 32. i < {sp, bp} −→ cMX.ac.gpr[i] = [gprhyb[i]]θ,picIL
∀ i < 32. cMX.spr[i] = [sprhyb[i]]θ,picIL
¬is stack(cMX) −→ cMX.ac.gpr[sp] = [gprhyb[sp]]θ,picIL ∧ cMX.ac.gpr[bp] = [gprhyb[bp]]θ,picIL
relregsMX−IL(cMX, cIL)
The memory consistency relmemMX−IL states that the content of non-hybrid memories
of both machines is the same.
∀ a < 232 − 1. cMX.M(a) = cIL.M(a)
relmemMX−IL(cMX, cIL)
The stack consistency relstackMX−IL states that the content of components of all stack
frames of two given MX and C-IL machines is the same. If the i-th stack frame of
the MX machine cMX is of C-IL type, then it must be completely the same as the
i-th stack frame of the C-IL machine cIL. Otherwise, values stored in components
li f o, pars and saved of the i-th stack frame of the MX machine cMX are the same
as values stored in the hybrid global variables li f ohyb, parshyb and savedhyb of the
C-IL machine cIL, respectively, at the corresponding positions. Figure 7.6 depicts
the relation between the lifo of µASM stack frames of some particular stack of a MX
machine and the corresponding parts of the hybrid lifo of a C-IL machine.
In the following we define the relation relstackMX−IL with s = cMX.stack
f lat, si = s[i],
s′ = filter(λ a. a ∈ f rameµ, s) and s′i = s′[i] as
124 Assembly Verification Approach
ab
g
h
a
c
f
e
asm
C-IL
asm
asm
lifohyb n o q ra b c d e n o qf g h
d
Filtertering Out 
C-IL stack frames
top
0
1
2
0
1
0
1
2
s
cnt lifo=323=8
ab
g
h
a
c
f
e
asm
asm
asm
d
0
1
2
0
1
0
1
2
s '
top
n o qa b c
lifohyb[0..2]
rd e
lifohyb[3..4]
n o qf g h
lifohyb[5..7]
j3 s0 . lifo [ j ]=lifohyb [ j ]
j2 s2 . lifo[ j ]=lifohyb[∣s ' 0 . lifo∣ j ]
j3 s3 . lifo [ j ]=lifohyb [∣s '0 . lifo∣∣s '1 . lifo∣ j ]
s0
s1
s2
s3
s ' 0
s '1
s ' 2
a lifo element
cnt lifo
Figure 7.6: Relation between µASM Lifo and Hybrid Lifo
(∀ i < |s|. (si ∈ f rameC-IL −→ si = cIL.stack[i]))
∧
(∀ i < |s′|. (∀ j < |s′i .li f o|. s′i .li f o[ j] = [ li f ohyb[ j +
∑
t<i |s′t .li f o|] ]θ,picIL )
∧ (∀ j < |s′i .pars|. s′i .pars[ j] = [ parshyb[ j +
∑
t<i |s′t .pars|] ]θ,picIL )
∧ (∀ j < |s′i .saved|. s′i .saved[ j] = [ savedhyb[ j +
∑
t<i |s′t .saved|] ]θ,picIL ))
relstackMX−IL(cMX, cIL)
The control consistency relcontrolMX−IL states that the location counter and the function
name of the i-the stack frame of the both machines are the same. In case the i-th stack
frame of the MX machine is of µASM type the location counter of this stack frame must
be recomputed with the help of the function LocationMX2IL.
∀ i < |cMX.stack f lat |.
cMX. fi = cIL.stack[i]. f
∧ (cMX.stack f lat[i] ∈ f rameC-IL −→ cMX.loci = cIL.stack[i].loc)
∧ ( cMX.stack f lat[i] ∈ f rameµ −→
LocationMX2IL(cMX. fi, cMX.loci, pi) = cIL.stack[i].loc)
relcontrolMX−IL(cMX, pi, cIL)
Simulation Theorem
After defining the simulation relation we can finally state the simulation theorem:
THEOREM 7.1 I
Simulation Theorem
Let pi be a MX program, θ be system properties. Then for all steps i of the MX
machine cMX executing program pi there exists a step number s(i) of the C-IL machine
cIL executing the translated version of the program pi, such that the MX machine after
7.2. Simulation Theorem 125
i steps is consistent with the C-IL machine after s(i) steps. However, it is true if the
following requirements over pi, cMX and cIL are fulfilled:
1. The MX program pi must be translatable,
2. cIL and cMX machines start their executions in same functions at the correspond-
ing locations (for the cIL machine it can be a translated function),
3. The registers of the initial configuration of MX machine c0IL and the hybrid reg-
isters modeled in the hybrid memory of the C-IL machine cs(0)IL have the same
content as well as the content of non-hybrid memories of both machines is the
same.
4. All µASM procedures called from C-IL functions in the MX program do not
change the callee-save registers or they restore them before the return if changed.
5. The hybrid counters are initialized with zeros in the machine C-IL,
6. For all steps of the MX machine up to step i this machine does not get stuck,
7. Regions allocated for hybrid variables do not intersect with each other, and
8. For all steps of the C-IL machine up to step s(i) there is no buffer overflow when
accessing hybrid arrays.
∀ i. ∃ s :: N 7→ N. ∃ c′MX.∃ pi′.
pi, θ ` cMX →iMX bc′MXc (precondition 6)∧ pi′ = τMX2IL(pi)
∧ preconditions 1,2,3,4,5,7,8,
−→ ∃ c′IL. pi′, θ ` cIL →s(i)IL c′IL∧ relMX−IL(c′MX, pi.piµASM , c′IL)
Proof: We prove this theorem by induction on the number of steps i performed by the
MX machine.
For the induction start we have to show that both machines are consistent. From
the precondition 2, we know that both machines will start their execution in the same
function (procedure). Here we distinguish on type of a function (procedure) to be
executed by the cMX machine.
• If the cMX machine starts the execution in a C-IL function from the program
pi, then the C-IL machine starts with the execution with the same statement in
the same C-IL function of the translated program pi′, too. By the definition of
the τMX2IL function it preserves the implementation of original C-IL functions
from the program pi in the translated program pi′. Therefore, both machines are
consistent at the start.
• In case the cMX machine starts with the execution of a µASM procedure, then the
C-IL machine starts with the execution of this translated procedure. To show
that both machines are consistent we need to show a single consistency, namely
the control consistency. The other consistencies hold as the MX machine starts
its execution with a completely empty stack, the registers in both machines have
the same values (precondition 3), the non-hybrid memories are the same in both
machines. The control consistency must hold by the definition of the function
sizeMX2IL.
126 Assembly Verification Approach
For the induction step we have to conclude from step i to i+1. Here we distinguish
on the type of a C-IL statement (a µASM instruction) to be executed at step i + 1 by the
cMX machine.
• a C-IL statement. Here we distinguish three cases whether this statement makes
– a pure step. Since after translating the MX program pi to the C-IL program
pi′ the original implementation of C-IL functions from the program pi stays
the same in the translated programs. Therefore, after executing the C-IL
statement both machines are still consistent after performing this step.
– an inter-language return (from C-IL to µASM). This case is proven by the
definition of the translation function τµasm2c.
– an inter-language call (from C-IL to µASM). This case is shown by the
definition of the translation function τµasm2c.
• a µASM instruction. We distinguish on the type of a µASM instruction to be ex-
ecuted. All cases can be shown by the definition of the translation function
τµasm2c except for the case when the µASM instruction to be executed at step i + 1
by the MX machine is an inter-language return (from µASM to C-IL) where we
need to apply the precondition 4. Recall that this precondition states that the
µASM procedures called from C-IL do not change the callee-save registers or
they restore them before the return if changed.
Let us consider the case when a µASM instruction to be executed is of VAMP
assembly type and its execution will update the content of one of stack registers
bp and sp. We know from preconditions to the main theorem that the execution
of the MX machine can not get stuck. Thus, the execution of this instruction by
the MX machine does not yield to an error state. That means, after updating one
of these stack registers there are three possible cases :
– Stack is created: It is the case when two stack registers are properly set
put in the cMX machine. From the definition of the function τµasm2c we
know that the corresponding C-IL statements simulating this instruction
will set up hybrid counters to zeros (cf. Listing 7.1). After the stack is
created as the side effect of the instruction execution in the MX machine
all components of the first stack frame of this machine are empty. And
after executing the C-IL statements simulating this instruction all hybrid
counters contain zeros. With that we can simply show that the translater
consistency holds after executing this VAMP assembly instruction and the
simulating C-IL statements by the MX and C-IL machines, respectively.
– One of stack registers is set up: In this case the hybrid counters contain
zeros after executing the corresponding C-IL statements (cf. Listing 7.1).
– Stack is destroyed: The stack destruction in the MX machine also means
that all hybrid counters must be zeros after executing the corresponding
C-IL statements (cf. Listing 7.1).

C
H
A
P
TE
R
8
Automated Verification of a Small
Hypervisor
In [AHPP10] the authors have formally proven Lemmata 6.26 and 6.32 (cf. Table 8.1)
and assumed Lemmata 6.22, 6.30 (cf. Table 8.1) in VCC [CDH+09]. From [Cor08]:
”VCC is a mechanical verifier for concurrent C programs. VCC takes a C program,
annotated with function specifications, data invariants, loop invariants, and ghost code,
and tries to prove these annotations correct. If it succeeds, VCC promises that your
program actually meets its specifications.”. That is, they shown the correctness of
C code of the BHV program and guest steps in VCC. For that, they have created a
simulation framework in which verification engineers can reason on overall system
correctness in an efficient and pervasive manner. In [AHPP10] they left a few gaps
for future work: (i) the implementation of an interrupt service routine (like presented
in Listing 6.4), (ii) the verification of this interrupt service routine which they have
just specified but partially (we will come to it a bit later). In [AHPP10] the authors
did not talk about the boot code at all, but they have assumed that the interrupt service
routine is located in memory starting from address zero. In Chapter 6 we assumed that
the boot code is located in memory starting from address zero and the context switch
(which they called an interrupt service routine) is a part of the baby hypervisor code.
As practical work for this thesis we have formally proven Lemmata 6.25, 6.24,
6.27 and 6.31 in VCC (cf. Table 8.1). So we have shown the functional correctness of
BHV µASM code presented in Listing 6.4. To verify this µASM code we first translated
it to C and then applied the automatic C verifier VCC to show the correctness of
the translated code. Previously, we have shown the correctness of the translation we
used here. Here we want to stress that each instruction from the macro-assembly
code is translated to the corresponding call of a C function wrapping its simulating C
statements. Doing the translation this way we save a number of annotations in VCC
and reduce the run-time of the verification.
After we were done with the formal verification of the context switch of the BHV
we have successfully integrated formal proofs done within this thesis into the sim-
127
128 Automated Verification of a Small Hypervisor
Paper/Pencil Status Function File
Statements in VCC
Lemma 6.22 assumed sim sim.c
Lemma 6.30 assumed sim sim.c
Lemma 6.26 verified hv dispatch contracts baby.c
Lemma 6.32 verified hv dispatch contracts baby.c
Lemma 6.25 verified save guest block 4 sim masm.c
Lemma 6.24 verified save guest block 5 sim masm.c
Lemma 6.27 verified restore guest contracts sim masm.c
Lemma 6.31 verified save guest contracts sim masm.c
BHV Theorem verified sim loop-inv sim.c
Table 8.1: BHV Paper/Pencil Vs Formal Proofs
ulation framework in which the authors of [AHPP10] have successfully verified C
portions of the BHV. In order to accomplish this integration we extended the spec-
ification of the BHV context switch which authors presented in [AHPP10] and we
extended all corresponding loop invariants and function contracts. For example, the
authors left contracts of the function page alloc for the allocated number of bytes im-
precise (it should be a multiple of a page size (4Kbytes)), but the authors of [AHPP10]
made a note about that.
As a result of this integration there is a simulation framework1 in which proofs of
authors of [AHPP10] run together with our proofs in VCC. In this simulation frame-
work we made notes at all places where we added conditions needed for this integra-
tion.
1Verified source is available at http://dl.dropbox.com/u/5648134/BHV.rar
C
H
A
P
TE
R
9
Summary and Future Work
This thesis presents to the best of our knowledge
• the first macro-assembly (high-level assembly) languages semantics with ex-
plicit dynamic stack. The ability to model stack explicitly in an assembly lan-
guage is critical for supporting procedure calls.
• the first mixed semantics to integrate C- and high-level assembly languages
together in a single language. So we presented a so-called mixed semantics
which describes this language and which offers certain benefits: the person who
does soundness proofs for code-verification tools no longer needs to consider
the inner workings of compilers- instead, they can use integrated semantics as
foundation of their proofs.
• the first complete paper-and-pencil proof of a hypervisor programmed in C and
macro-assembly. The mixed semantics shows how it really becomes simple to
reason about the functional correctness of mixed implementations.
• the first detailed justification of a simulation approach used to verify code writ-
ten in an assembly language with a general-purpose C verifier. We conclude
the following that the simulation approach as it sketched in [MMS08, Mau11]
is sound if and only if the assembly code to be verified does not update stack
registers when the stack is set up.
• the first completely formally proven functional correctness of a hypervisor. The
C portions of the small hypervisor were formally shown in [AHPP10]. The
implementation of this hypervisor is sequential and non-preemptive and the ar-
chitecture it virtualizes has a single core.
The work created by the authors of [AHPP10] consists of four component: VAMP
specification and simulator, hypervisor implementation, and system program. This
work comprises ca. 2.5k C code tokens and ca. 7.7k annotation tokens, which com-
prise function contracts, assertions, data and loop invariants, and spec(ghost) code.
129
130 Summary and Future Work
After extending this work with macro-assembly verification environment (implemented
in C) it comprises ca. 2.7k C code tokens and ca. 8.2k annotation tokens. Overall proof
time is about 1.5-2 hours on one core of a 2.4 GHz Intel Core Duo machine (cf. Ap-
pendix A) in the second version of VCC1.
Finally, we point out possible directions of future work.
• Generalize the high-level assembly and the integrated semantics for any kind of
compiler calling conventions.
• Consider interprocedural optimizations in the optimizing C compiler correct-
ness theory.
• Extend the high-level assembly and the integrated semantics so that it would be
possible to describe implementations doing a stack switch (a part of the thread
switch).
• To extend the framework presented in [AHPP10] to more complex hardware
and software designs (as it is proposed in [AHPP10]): modeling of multi-core
systems, translation-look aside buffers (TLBs), and devices (i.e. external inter-
rupts), and verification of multi-threaded or pre-emptive kernels.
• To adapt the baby hypervisor annotations (pre- and post-conditions, data struc-
ture invariants, assertions, etc.) written for the second version of VCC to the
third version of VCC.
• To verify boot code and integrate the achieved correctness results into the over-
all formal correctness proof. But it requires to model the VAMP architecture
with devices in VCC.
• To justify the simulation framework created by the authors of [AHPP10] which
is presented in Sections 5 and 6 of [AHPP10]. This framework is used to verify
a system software, like the BHV, with a C verifier, like VCC. Namely, this sim-
ulation framework is used to express top-level system correctness of the baby
hypervisor as a system program whose execution models the system behavior
by an infinite loop of host machine steps. The top-level system correctness is
then expressed as an invariant of this loop.
1there is a third version of VCC which is available since 2011
Appendix A: Verification Run-Time
of a Small Hypervisor in Seconds
Verification of proc_t#adm succeeded. [3,89]
Verification of guest_t#adm succeeded. [0,48]
Verification of hv_t#adm succeeded. [0,30]
Verification of compute_ea succeeded. [0,03]
Verification of systemmode succeeded. [0,02]
Verification of asm_lw succeeded. [0,22]
Verification of asm_lw_guest_t_ptr succeeded. [0,16]
Verification of asm_sw succeeded. [0,05]
Verification of asm_addi succeeded. [0,09]
Verification of asm_andi succeeded. [0,08]
Verification of asm_movs2i succeeded. [0,09]
Verification of asm_movi2s succeeded. [0,25]
Verification of asm_rfe succeeded. [0,14]
Verification of save_guest succeeded. [61,69]
Verification of restore_guest succeeded. [24,63]
Verification of sim_inner succeeded. [39,95]
Verification of sim succeeded. [57,08]
Verification of asm_sw#bv_lemma#0 succeeded. [0,45]
Verification of restore_guest#bv_lemma#0 succeeded. [0,38]
Verification of restore_guest#bv_lemma#1 succeeded. [0,44]
Verification of restore_guest#block#0 succeeded. [5,66]
Verification of restore_guest#block#1 succeeded. [2,88]
Verification of restore_guest#block#2 succeeded. [3,36]
Verification of restore_guest#block#3 succeeded. [4,95]
Verification of save_guest#block#0 succeeded. [1,70]
Verification of save_guest#block#1 succeeded. [4,20]
Verification of save_guest#block#2 succeeded. [4,11]
Verification of save_guest#block#3 succeeded. [3,98]
Verification of sim#block#0 succeeded. [2,00]
Verification of sim_inner#block#0 succeeded. [0,33]
Verification of sim_inner#block#1 succeeded. [465,00]
Verification of sim_inner#block#1#0 succeeded. [0,88]
Verification of proc_t#adm succeeded. [3,89]
Verification of guest_t#adm succeeded. [0,31]
Verification of hv_t#adm succeeded. [0,19]
Verification of page_alloc_t#adm succeeded. [0,05]
131
132 Appendix A: Verification Run-Time
Verification of compute_ea succeeded. [0,02]
Verification of systemmode succeeded. [0,02]
Verification of min succeeded. [0,00]
Verification of ptea_vpx succeeded. [0,02]
Verification of hv_dispatch succeeded. [1498,03]
Verification of update_spt succeeded. [8,25]
Verification of handle_movi2pto succeeded. [52,66]
Verification of handle_movi2ptl succeeded. [57,72]
Verification of handle_pf succeeded. [103,20]
Verification of page_alloc_init succeeded. [0,38]
Verification of page_alloc succeeded. [1,70]
Verification of reset_guest succeeded. [431,72]
Verification of wrap_hv_test succeeded. [0,81]
Verification of handle_reset succeeded. [1636,11]
Verification of handle_illegal succeeded. [75,56]
Verification of handle_movi2ptl#bv_lemma#0 succeeded. [0,45]
Verification of handle_movi2ptl#bv_lemma#1 succeeded. [0,42]
Verification of handle_movi2ptl#bv_lemma#2 succeeded. [0,38]
Verification of handle_movi2ptl#bv_lemma#3 succeeded. [0,42]
Verification of handle_movi2ptl#bv_lemma#4 succeeded. [0,48]
Verification of handle_movi2ptl#bv_lemma#5 succeeded. [0,38]
Verification of handle_movi2ptl#bv_lemma#6 succeeded. [0,39]
Verification of handle_movi2ptl#bv_lemma#7 succeeded. [0,41]
Verification of handle_movi2pto#bv_lemma#0 succeeded. [0,41]
Verification of handle_movi2pto#bv_lemma#1 succeeded. [0,44]
Verification of handle_movi2pto#bv_lemma#2 succeeded. [0,38]
Verification of handle_movi2pto#bv_lemma#3 succeeded. [0,41]
Verification of handle_movi2pto#bv_lemma#4 succeeded. [0,38]
Verification of handle_movi2pto#bv_lemma#5 succeeded. [0,41]
Verification of handle_movi2pto#bv_lemma#6 succeeded. [0,42]
Verification of handle_pf#bv_lemma#0 succeeded. [0,42]
Verification of hv_dispatch#bv_lemma#0 succeeded. [0,47]
Verification of page_alloc#bv_lemma#0 succeeded. [0,50]
Verification of reset_guest#bv_lemma#0 succeeded. [0,44]
Verification of reset_guest#bv_lemma#1 succeeded. [0,44]
Verification of reset_guest#bv_lemma#2 succeeded. [0,39]
Verification of reset_guest#bv_lemma#3 succeeded. [0,42]
Verification of update_spt#bv_lemma#0 succeeded. [0,39]
Verification of update_spt#bv_lemma#1 succeeded. [0,42]
Verification of update_spt#bv_lemma#2 succeeded. [0,38]
Verification of update_spt#bv_lemma#3 succeeded. [0,44]
Verification of update_spt#bv_lemma#4 succeeded. [0,39]
Time: 4581,92s total, 10,25s compiler, 0,00s boogie, 4571,67s verification
Bibliography
[ACH+10] E. Alkassar, E. Cohen, M. Hillebrand, M. Kovalev, and W. Paul. Ver-
ifying shadow page table algorithms. In Formal Methods in Computer
Aided Design (FMCAD) 2010, pages 267–270, Lugano, Switzerland,
2010. IEEE.
[AHL+09] E. Alkassar, M. A. Hillebrand, D. C. Leinenbach, N. W. Schirmer,
A. Starostin, and A. Tsyban. Balancing the load: Leveraging seman-
tics stack for systems verification. In Journal of Automated Reasoning:
Special Issue on Operating Systems Verification. Springer, 2009.
[AHPP10] E. Alkassar, M. Hillebrand, W. Paul, and E. Petrova. Automated ver-
ification of a small hypervisor. In Third International Conference on
Verified Software: Theories, Tools, and Experiments (VSTTE’10), vol-
ume 6217 of LNCS, pages 40–54, Edinburgh, UK, 2010. Springer.
[Alk09] Eyad Alkassar. OS Verification Extended. On the Formal Verification
of Device Drivers and the Correctness of Client/Server Software. PhD
thesis, Saarland University, Computer Science Department, 2009.
[APST10] Eyad Alkassar, Wolfgang J. Paul, Artem Starostin, and Alexandra Tsy-
ban. Pervasive verification of an os microkernel: inline assembly, mem-
ory consumption, concurrent devices. In Proceedings of the Third inter-
national conference on Verified software: theories, tools, experiments,
VSTTE’10, pages 71–85, Berlin, Heidelberg, 2010. Springer-Verlag.
[ASU86] Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman. Compilers: princi-
ples, techniques, and tools. Addison-Wesley Longman Publishing Co.,
Inc., Boston, MA, USA, 1986.
[Bev87] W. R. Bevier. A Verified Operating System Kernel. PhD thesis, Univer-
sity of Texas at Austin, 1987.
[Bev89] William R. Bevier. Kit and the short stack. J. Autom. Reasoning,
5(4):519–530, 1989.
[BHMY89a] William R. Bevier, Warren A. Hunt, Jr., J S. Moore, and William D.
Young. An approach to systems verification. 5(4):411–428, December
1989.
[BHMY89b] W.R. Bevier, W.A. Hunt, J. Strother Moore, and W.D. Young. Spe-
cial issue on system verification. Journal of Automated Reasoning,
5(4):409–530, 1989.
133
134 Bibliography
[BJK+03] S. Beyer, C. Jacobi, D. Kro¨ning, D. Leinenbach, and W.J. Paul. Instan-
tiating uninterpreted functional units and memory system: functional
verification of the vamp. In CHARME 2003, volume 2860 of LNCS,
pages 51–65. Springer, 2003.
[BJK+05] S. Beyer, C. Jacobi, D. Kro¨ning, D. Leinenbach, and W.J. Paul. Putting
it all together - formal verification of the vamp. 2005.
[CDH+09] Ernie Cohen, Markus Dahlweid, Mark Hillebrand, Dirk Leinenbach,
Michael Moskal, Thomas Santen, Wolfram Schulte, and Stephan To-
bies. Vcc: A practical system for verifying concurrent c. In Stefan
Berghofer, Tobias Nipkow, Christian Urban, and Makarius Wenzel, edi-
tors, Theorem Proving in Higher Order Logics, 22nd International Con-
ference. International Conference on Theorem Proving in Higher Order
Logics (TPHOLs-09), August 17-20, Munich, Germany, volume 5674
of Lecture Notes in Computer Science, LNCS, pages 23–42. Springer, 8
2009.
[Cor] Microsft Corp. Programmer’s Guide Microsft MASM Version 6.1.
[Cor08] Microsfot Corp. Vcc: A c verifier, 2008.
[Dal06] Iakov Dalinger. Formal Verification of a Processor with Memory Man-
agement Units. PhD thesis, Saarland University, Computer Science De-
partment, July 2006.
[DHP05] Iakov Dalinger, Mark Hillebrand, and Wolfgang Paul. On the verifica-
tion of memory management mechanisms. In D. Borrione and W. Paul,
editors, Proceedings of the 13th Advanced Research Working Confer-
ence on Correct Hardware Design and Verification Methods (CHARME
2005), volume 3725, pages 301–316. Springer, 2005.
[DPS09] Ulan Degenbaev, Wolfgang J. Paul, and Norbert Schirmer. Pervasive
theory of memory. In Susanne Albers, Helmut Alt, and Stefan Na¨her,
editors, Efficient Algorithms – Essays Dedicated to Kurt Mehlhorn on
the Occasion of His 60th Birthday, volume 5760 of Lecture Notes in
Computer Science, pages 74–98. Springer, 2009.
[FN79] R. Feiertag and P. Neumann. The foundations of a provably secure
operating system (PSOS). In Proceedings of the National Computer
Conference 48, pages 329–334, 1979.
[Fru08] Nicu G. Fruja. Towards proving type safety of .net cil. Sci. Comput.
Program., 72:176–219, August 2008.
[FSDG08] Xinyu Feng, Zhong Shao, Yuan Dong, and Yu Guo. Certifying low-
level programs with hardware interrupts and preemptive threads. In
2008 ACM SIGPLAN Conference on Programming Language Design
and Implementation (PLDI’08), New York, NY, USA, June 2008. ACM.
[GHLP05] Mauro Gargano, Mark Hillebrand, Dirk Leinenbach, and Wolfgang
Paul. On the correctness of operating system kernels. In J. Hurd and
T. F. Melham, editors, 18th International Conference on Theorem Prov-
ing in Higher Order Logics (TPHOLs 2005), volume 3603, pages 1–16.
Springer, 2005.
Bibliography 135
[HP96] John L. Hennessy and David A. Patterson. Computer Architecture: A
Quantitative Approach. Morgan Kaufmann, San Mateo, CA, second
edition, 1996.
[IdR09] Thomas In der Rieden. Verified Linking for Modular Kernel Veri
fication. PhD thesis, Saarland University, Saarbrcken, 2009.
[KEH+09] Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick,
David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt,
Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and
Simon Winwood. seL4: Formal verification of an OS kernel. In Proc.
22nd ACM Symposium on Operating Systems Principles (SOSP), pages
207–220, Big Sky, MT, USA, October 2009. ACM.
[Kle09] Gerwin Klein. Operating system verification — an overview. Sa¯dhana¯,
34(1):27–69, February 2009.
[Lei07] Dirk Leinenbach. Compiler Verification in the Context of Pervasive
System Verification. PhD thesis, Saarland University, Computer Science
Department, 2007.
[Lip86] Seymour Lipschutz. Schaum’s Outline of Theory and Problems of Data
Structures. McGraw-Hill, New York, 1986.
[LP08] D. Leinenbach and E. Petrova. Pervasive compiler verification – from
verified programs to verified systems. In 3rd intl Workshop on Systems
Software Verification (SSV08). Elsevier Science B. V., 2008.
[LS09] D. Leinenbach and T. Santen. Verifying the microsoft hyper-v hyper-
visor with vcc. In 16th International Symposium on Formal Methods
(FM 2009), volume 5850 of Lecture Notes in Computer Science, pages
806–809, Eindhoven, the Netherlands, 2009. Springer.
[Mau11] Stefan Maus. Verification of Hypervisor Subroutines written in Assem-
bler. PhD thesis, Freiburg University, Computer Science Department,
2011.
[MCGW98] J. Gregory Morrisett, Karl Crary, Neal Glew, and David Walker. Stack-
based typed assembly language. In Types in Compilation, pages 28–52,
1998.
[MMS08] Stefan Maus, Michal Moskal, and Wolfram Schulte. Vx86: x86 assem-
bler simulated in c powered by automated theorem proving. In AMAST,
pages 284–298, 2008.
[Moo03] J Strother Moore. A grand challenge proposal for formal methods: A
verified stack. In Bernhard K. Aichernig and T. S. E. Maibaum, edi-
tors, 10th Anniversary Colloquium of UNU/IIST, volume 2757 of LNCS,
pages 161–172. Springer, 2003.
[MP00] Silvia M. Mueller and Wolfgang J. Paul. Computer Architecture: Com-
plexity and Correctness. Springer, 2000.
136 Bibliography
[NBF+80] P.G. Neumann, R.S Boyer, R.J. Feiertag, K.N. Levitt, and L. Robinson.
A provably secure operating system: The system, its applications, and
proofs. Technical Report CSL-116. Computer Science Laboratory, SRI
International, Menlo Park, California, May 1980.
[NET11] .net languages, web pages at, 2011.
[NF03] P. Neumann and R. Feiertag. PSOS revisited. In 19th Annual Computer
Security Applications Conference, 2003.
[NS06] Zhaozhong Ni and Zhong Shao. Certified assembly programming with
embedded code pointers. In POPL ’06: Conference record of the
33rd ACM SIGPLAN-SIGACT symposium on Principles of program-
ming languages, pages 320–333, New York, NY, USA, 2006. ACM.
[NYS07] Zhaozhong Ni, Dachuan Yu, and Zhong Shao. Using xcap to certify re-
alistic systems code: Machine context management. In TPHOLs, pages
189–206, 2007.
[Pau07] Wolfgang Paul. System architecture. lecture notes.
http://busserver.cs.uni-sb.de/lehre/vorlesung/info2/
ss08/material/mitschrift07.pdf, 2007.
[SS12] Sabine Schmaltz and Andrey Shadrin. Integrated semantics of
intermediate-language-c+macro-assembler for pervasive formal verifi-
cation of operating systems and hypervisors from verisoftxt. In The
Fourth International Conference on Verified Software: Verified Soft-
ware: Theories, Tools, and Experiments (VSTTE 2012) (to appear),
January 2012.
[Sta10] Artem Starostin. Formal Verification of Demand Paging. PhD thesis,
Saarland University, Saarbrcken, 2010.
[TKN07] Harvey Tuch, Gerwin Klein, and Michael Norrish. Types, bytes,
and separation logic. In POPL ’07: Proceedings of the 34th an-
nual ACM SIGPLAN-SIGACT symposium on Principles of program-
ming languages, pages 97–108, New York, NY, USA, 2007. ACM.
[Tsy09] Alexandra Tsyban. Formal Verification of a Framework for Microker-
nel Programmes. PhD thesis, Saarland University, Computer Science
Department, 2009.
[Tve09] Sergey Tverdyshev. Formal Verification of Gate-Level Computer Sys-
tems. PhD thesis, Saarland University, Computer Science Department,
2009.
[Vera] Verisoft Consortium. The Verisoft Project.
http://www.verisoft.de/.
[Verb] VerisoftXT Consortium. The VerisoftXT Project.
http://www.verisoftxt.de/.
Bibliography 137
[WKP79] Bruce J. Walker, Richard A. Kemmerer, and Gerald J. Popek. Speci-
fication and verification of the UCLA Unix security kernel. In SOSP
’79: Proceedings of the seventh ACM symposium on Operating systems
principles, pages 64–65, New York, NY, USA, 1979. ACM.
