Compiler verification meets cross-language linking via data abstraction
Many real programs are written in multiple different programming languages, and supporting this pattern creates challenges for formal compiler verification. We describe our Coq verification of a compiler for a high-level language, such that the compiler correctness theorem allows us to derive partial-correctness Hoare-logic theorems for programs built by linking the assembly code output by our compiler and assembly code produced by other means. Our compiler supports such tricky features as storable cross-language function pointers, without giving up the usual benefits of being able to verify different compiler phases (including, in our case, two classic optimizations) independently. The key technical innovation is a mixed operational and axiomatic semantics for the source language, with a built-in notion of abstract data types, such that compiled code interfaces with other languages only through axiomatically specified methods that mutate encapsulated private data, represented in whatever formats are most natural for those languages.
National Science Foundation (U.S.) (Grant CCF-1253229); United States. Defense Advanced Research Projects Agency (Agreement FA8750-12-2-0293); United States. Dept. of Energy. Office of Science (Award DE-SC0008923)
A Rational Deconstruction of Landin's SECD Machine with the J Operator
Landin's SECD machine was the first abstract machine for applicative expressions, i.e., functional programs. Landin's J operator was the first control operator for functional languages, and was specified by an extension of the SECD machine. We present a family of evaluation functions corresponding to this extension of the SECD machine, using a series of elementary transformations (transformation into continuation-passing style (CPS) and defunctionalization, chiefly) and their left inverses (transformation into direct style and refunctionalization). To this end, we modernize the SECD machine into a bisimilar one that operates in lockstep with the original one but that (1) does not use a data stack and (2) uses the caller-save rather than the callee-save convention for environments. We also identify that the dump component of the SECD machine is managed in a callee-save way. The caller-save counterpart of the modernized SECD machine precisely corresponds to Thielecke's double-barrelled continuations and to Felleisen's encoding of J in terms of call/cc. We then variously characterize the J operator in terms of CPS and in terms of delimited-control operators in the CPS hierarchy. As a byproduct, we also present several reduction semantics for applicative expressions with the J operator, based on Curien's original calculus of explicit substitutions. These reduction semantics mechanically correspond to the modernized versions of the SECD machine and, to the best of our knowledge, they provide the first syntactic theories of applicative expressions with the J operator.
Modular, Fully-abstract Compilation by Approximate Back-translation
A compiler is fully-abstract if the compilation from source language programs to target language programs reflects and preserves behavioural equivalence. Such compilers have important security benefits, as they limit the power of an attacker interacting with the program in the target language to that of an attacker interacting with the program in the source language. Proving compiler full-abstraction is, however, rather complicated. A common proof technique is based on the back-translation of target-level program contexts to behaviourally-equivalent source-level contexts. However, constructing such a back-translation is problematic when the source language is not strong enough to embed an encoding of the target language. For instance, when compiling from STLC to ULC, the lack of recursive types in the former prevents such a back-translation.

We propose a general and elegant solution for this problem. The key insight is that it suffices to construct an approximate back-translation. The approximation is only accurate up to a certain number of steps and conservative beyond that, in the sense that the context generated by the back-translation may diverge when the original would not, but not vice versa. Based on this insight, we describe a general technique for proving compiler full-abstraction and demonstrate it on a compiler from STLC to ULC. The proof uses asymmetric cross-language logical relations and makes innovative use of step-indexing to express the relation between a context and its approximate back-translation. The proof extends easily to common compiler patterns such as modular compilation and, to the best of our knowledge, it is the first compiler full-abstraction proof to have been fully mechanised in Coq. We believe this proof technique can scale to challenging settings and enable simpler, more scalable proofs of compiler full-abstraction.
Emerging trends proceedings of the 17th International Conference on Theorem Proving in Higher Order Logics: TPHOLs 2004
This volume constitutes the proceedings of the Emerging Trends track of the 17th International Conference on Theorem Proving in Higher Order Logics (TPHOLs 2004) held September 14-17, 2004 in Park City, Utah, USA. The TPHOLs conference covers all aspects of theorem proving in higher order logics as well as related topics in theorem proving and verification. There were 42 papers submitted to TPHOLs 2004 in the full research category, each of which was refereed by at least 3 reviewers selected by the program committee. Of these submissions, 21 were accepted for presentation at the conference and publication in volume 3223 of Springer's Lecture Notes in Computer Science series. In keeping with longstanding tradition, TPHOLs 2004 also offered a venue for the presentation of work in progress, where researchers invite discussion by means of a brief introductory talk and then discuss their work at a poster session. The work-in-progress papers are held in this volume, which is published as a 2004 technical report of the School of Computing at the University of Utah.
Lessons from Formally Verified Deployed Software Systems (Extended version)
The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry?

To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that can be drawn for the software industry at large and its ability to benefit from formal verification techniques and tools.

Note: a short version of this paper is also available, covering in detail only a subset of the considered systems. The present version is intended for full reference.
Comment: arXiv admin note: text overlap with arXiv:1211.6186 by other author
Type-Preserving CPS Translation of Σ and Π Types is Not Not Possible
Dependently typed languages like Coq are used to specify and prove functional correctness of source programs, but what we ultimately need are guarantees about correctness of compiled code. By preserving dependent types through each compiler pass, we could preserve source-level specifications and correctness proofs into the generated target-language programs. Unfortunately, type-preserving compilation of dependent types is nontrivial. In 2002, Barthe and Uustalu showed that type-preserving CPS is not possible for languages like Coq. Specifically, they showed that for strong dependent pairs (Σ types), the standard typed call-by-name CPS is not type preserving. They further proved that for dependent case analysis on sums, a class of typed CPS translations (including the standard translation) is not possible. In 2016, Morrisett noticed a similar problem with the standard call-by-value CPS translation for dependent functions (Π types). In essence, the problem is that the standard typed CPS translation by double-negation, in which computations are assigned types of the form (A → ⊥) → ⊥, disrupts the term/type equivalence that is used during type checking in a dependently typed language.

In this paper, we prove that type-preserving CPS translation for dependently typed languages is not not possible. We develop both call-by-name and call-by-value CPS translations from the Calculus of Constructions with both Π and Σ types (CC) to a dependently typed target language, and prove type preservation and compiler correctness of each translation. Our target language is CC extended with an additional equivalence rule and an additional typing rule, which we prove consistent by giving a model in the extensional Calculus of Constructions. Our key observation is that we can use a CPS translation that employs answer-type polymorphism, where CPS-translated computations have type ∀α.(A → α) → α. This type justifies, by a free theorem, the new equality rule in our target language and allows us to recover the term/type equivalences that CPS translation disrupts. Finally, we conjecture that our translation extends to dependent case analysis on sums, despite the impossibility result, and provide a proof sketch.
Calculating correct compilers
In this article we present a new approach to the problem of calculating compilers. In particular, we develop a simple but general technique that allows us to derive correct compilers from high-level semantics by systematic calculation, with all details of the implementation of the compilers falling naturally out of the calculation process. Our approach is based upon the use of standard equational reasoning techniques, and has been applied to calculate compilers for a wide range of language features and their combination, including arithmetic expressions, exceptions, state, various forms of lambda calculi, bounded and unbounded loops, non-determinism, and interrupts. All the calculations in the article have been formalised using the Coq proof assistant, which serves as a convenient interactive tool for developing and verifying the calculations.