Proving Correctness for Pointer Programs in a Verifying Compiler

This research describes a component-based approach to proving the correctness of programs involving pointer behavior. The approach supports modular reasoning and is designed to be used within the larger context of a verifying compiler. The approach consists of two parts. When a system component requires the direct manipulation of pointer operations in its implementation, we implement it using a built-in component specifically designed to capture the functional and performance behavior of pointers. When a system component requires pointer behavior via a linked data structure, we ensure that the complexities of the pointer operations are encapsulated within the data structure and are hidden to the client component. In this way, programs that rely on pointers can be verified modularly, without requiring special rules for pointers. The ultimate objective of a verifying compiler is to prove-with as little human intervention as possible-that proposed program code is correct with respect to a full behavioral specification. Full verification for software is especially important for an agency like NASA that is routinely involved in the development of mission critical systems

of object-based reasoning ∗

CleanJava: Language design for the simplificatio

Direct Reasoning

References are indispensable to computing practice. Unlike deep copying, reference copying permits constant-time data assignment and parameter passing for all objects. Unfortunately, reference copying introduces aliasing among mutable objects and complicates software behavior by requiring developers to distinguish between references and values of objects for sound reasoning. The objective of this dissertation is to preserve the benefits of reference copying but simplify reasoning. It introduces a notion of conceptually direct reasoning, in which programmers may ignore references and treat all variables directly as object values. It explains how this notion can be applied without compromising soundness. It proposes a new approach to parameter passing that avoids both aliasing and deep copying. It explains how to segregate the few components that require aliasing from the many that do not. It contains formal specifications of components and appropriate proof rules. As a proof of concept, it applies the principles to the design of DirectJava, a prototype language that is syntactically similar to Java but facilitates conceptually direct reasoning without resorting to copying