6,223 research outputs found
A formally verified compiler back-end
This article describes the development and formal verification (proof of
semantic preservation) of a compiler back-end from Cminor (a simple imperative
intermediate language) to PowerPC assembly code, using the Coq proof assistant
both for programming the compiler and for proving its correctness. Such a
verified compiler is useful in the context of formal methods applied to the
certification of critical software: the verification of the compiler guarantees
that the safety properties proved on the source code hold for the executable
compiled code as well
Abstract State Machines 1988-1998: Commented ASM Bibliography
An annotated bibliography of papers which deal with or use Abstract State
Machines (ASMs), as of January 1998.Comment: Also maintained as a BibTeX file at http://www.eecs.umich.edu/gasm
Size-Change Termination as a Contract
Termination is an important but undecidable program property, which has led
to a large body of work on static methods for conservatively predicting or
enforcing termination. One such method is the size-change termination approach
of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract
programs into "size-change graphs," and (2) check these graphs for the
size-change property: the existence of paths that lead to infinite decreasing
sequences.
We transpose these two phases with an operational semantics that accounts for
the run-time enforcement of the size-change property, postponing (or entirely
avoiding) program abstraction. This choice has two key consequences: (1)
size-change termination can be checked at run-time and (2) termination can be
rephrased as a safety property analyzed using existing methods for systematic
abstraction.
We formulate run-time size-change checks as contracts in the style of Findler
and Felleisen. The result compliments existing contracts that enforce partial
correctness specifications to obtain contracts for total correctness. Our
approach combines the robustness of the size-change principle for termination
with the precise information available at run-time. It has tunable overhead and
can check for nontermination without the conservativeness necessary in static
checking. To obtain a sound and computable termination analysis, we apply
existing abstract interpretation techniques directly to the operational
semantics, avoiding the need for custom abstractions for termination. The
resulting analyzer is competitive with with existing, purpose-built analyzers
Optimizing Abstract Abstract Machines
The technique of abstracting abstract machines (AAM) provides a systematic
approach for deriving computable approximations of evaluators that are easily
proved sound. This article contributes a complementary step-by-step process for
subsequently going from a naive analyzer derived under the AAM approach, to an
efficient and correct implementation. The end result of the process is a two to
three order-of-magnitude improvement over the systematically derived analyzer,
making it competitive with hand-optimized implementations that compute
fundamentally less precise results.Comment: Proceedings of the International Conference on Functional Programming
2013 (ICFP 2013). Boston, Massachusetts. September, 201
Renaming Global Variables in C Mechanically Proved Correct
Most integrated development environments are shipped with refactoring tools.
However, their refactoring operations are often known to be unreliable. As a
consequence, developers have to test their code after applying an automatic
refactoring. In this article, we consider a refactoring operation (renaming of
global variables in C), and we prove that its core implementation preserves the
set of possible behaviors of transformed programs. That proof of correctness
relies on the operational semantics of C provided by CompCert C in Coq.Comment: In Proceedings VPT 2016, arXiv:1607.0183
Automatic Verification of Erlang-Style Concurrency
This paper presents an approach to verify safety properties of Erlang-style,
higher-order concurrent programs automatically. Inspired by Core Erlang, we
introduce Lambda-Actor, a prototypical functional language with
pattern-matching algebraic data types, augmented with process creation and
asynchronous message-passing primitives. We formalise an abstract model of
Lambda-Actor programs called Actor Communicating System (ACS) which has a
natural interpretation as a vector addition system, for which some verification
problems are decidable. We give a parametric abstract interpretation framework
for Lambda-Actor and use it to build a polytime computable, flow-based,
abstract semantics of Lambda-Actor programs, which we then use to bootstrap the
ACS construction, thus deriving a more accurate abstract model of the input
program. We have constructed Soter, a tool implementation of the verification
method, thereby obtaining the first fully-automatic, infinite-state model
checker for a core fragment of Erlang. We find that in practice our abstraction
technique is accurate enough to verify an interesting range of safety
properties. Though the ACS coverability problem is Expspace-complete, Soter can
analyse these verification problems surprisingly efficiently.Comment: 12 pages plus appendix, 4 figures, 1 table. The tool is available at
http://mjolnir.cs.ox.ac.uk/soter
A Rational Deconstruction of Landin's SECD Machine with the J Operator
Landin's SECD machine was the first abstract machine for applicative
expressions, i.e., functional programs. Landin's J operator was the first
control operator for functional languages, and was specified by an extension of
the SECD machine. We present a family of evaluation functions corresponding to
this extension of the SECD machine, using a series of elementary
transformations (transformation into continu-ation-passing style (CPS) and
defunctionalization, chiefly) and their left inverses (transformation into
direct style and refunctionalization). To this end, we modernize the SECD
machine into a bisimilar one that operates in lockstep with the original one
but that (1) does not use a data stack and (2) uses the caller-save rather than
the callee-save convention for environments. We also identify that the dump
component of the SECD machine is managed in a callee-save way. The caller-save
counterpart of the modernized SECD machine precisely corresponds to Thielecke's
double-barrelled continuations and to Felleisen's encoding of J in terms of
call/cc. We then variously characterize the J operator in terms of CPS and in
terms of delimited-control operators in the CPS hierarchy. As a byproduct, we
also present several reduction semantics for applicative expressions with the J
operator, based on Curien's original calculus of explicit substitutions. These
reduction semantics mechanically correspond to the modernized versions of the
SECD machine and to the best of our knowledge, they provide the first syntactic
theories of applicative expressions with the J operator
- …