Motivation      1960s   Proof        1970s       1980s    1990s   2000s   Conclusions




             Formal Verification of Programming Language
                           Implementations
                                Ph.D. Literature Seminar


                                Jason S. Reich
                           <jason@cs.york.ac.uk>

                                     University of York


                                   11th January 2010
Compiling an arithmetic language

      Compile from a simple arithmetic language to machine code for a
      simple register machine.

      Source language
              Numeric constants
              Variables
              Addition
      e.g. (x + 3) + (x + (y + 2))

      Target language
              LI      Load Immediate into ac
              LOAD    LOAD into ac from address/register
              STO     STOre ac value to address/register
              ADD     ADD register value to ac

      Example taken from [McCart67]
Compiling an arithmetic language

      Arithmetic expression compiler in Haskell

       compile :: Int → Source → Target
       compile t (Const v)   = [Li v]
       compile t (Var x)     = [Load (Map x)]
       compile t (Sum e1 e2) = compile t e1
                               ++ [Sto (Reg t)]
                               ++ compile (t + 1) e2
                               ++ [Add (Reg t)]

      When compiled and executed, is the value in the accumulator the
      result of the source arithmetic expression?
Compiling an arithmetic language


      (x + 3) + (x + (y + 2)) compiled to machine code?

               1   LOAD   M[x]
               2   STO    R[t + 0]
               3   LI     3
               4   ADD    R[t + 0]
               5   STO    R[t + 0]
               6   LOAD   M[x]
               7   STO    R[t + 1]
               8   LOAD   M[y]
               9   STO    R[t + 2]
              10   LI     2
              11   ADD    R[t + 2]
              12   ADD    R[t + 1]
              13   ADD    R[t]

      n.b. Where M is a mapping of variable names to memory locations and R is an
      indexing of registers.
Why use high-level languages?



             Rapid development
             Easier to understand, maintain and modify
             Less likely to make mistakes
             Easier to reason about and infer properties
             Architecture portability
      But...
Can you trust your compiler?


             Use a compiler to translate from a high-level language to a
             low-level
             Compilers are programs (generally) written by people
             People make mistakes
             Can silently turn “a correct program into an incorrect
             executable” [Leroy09]
             GHC 6.10.x is ≈ 800, 000 lines of code and has had 737 bugs
             reported in the bug tracker as of 04/12/2009 [GHC]
             Can we formally verify a compiler?
McCarthy and Painter, 1967



             “Correctness of a compiler for arithmetic expressions”
             [McCart67]
             Describe, in first-order predicate logic;
                  Source language semantics
                  Target language semantics
                  A compilation process
             Reason that the compiler maintains semantic equivalence
McCarthy and Painter, 1967


      Semantic equivalence in [McCart67]
      ∀e ∈ Expressions, ∀µ ∈ Variable Mappings •
      source(e, µ) ≡ acValue(target(compile(e), construct(µ)))

             Very limited, small toy source and target language
             Proof performed by hand
             Logical framework and proof presented in under ten pages
             Shows that proving a compiler correct is possible
Proving the [McCart67] compiler

      Goal: target (compile t x) (construct s) Ac ≡ source x s

       type Abstract = Name    → Value
       type Concrete = Address → Value
       construct s   = λ(Map v) → s v
       write k v s   = λk’ → if k == k’ then v else s k’

       -- Semantics for the source language
       source :: Source → Abstract → Value
       source (Const n) s = n
       source (Var v)   s = s v
       source (Add x y) s = source x s + source y s

       -- Semantics for the target language
       target :: Target → Concrete → Concrete
       target []       s = s
       target (i : is) s = target is $ case i of
                               Li n   → write Ac n s
                               Load r → write Ac (s r) s
                               Sto r  → write r (s Ac) s
                               Sum r  → write Ac (s Ac + s r) s
Proving the [McCart67] compiler

      Proof of correctness for constants
               { case where ‘x = Const n’ }
             target (compile t (Const n)) (construct s) Ac
      =      { inline ‘compile’ }
             target [Li n] (construct s) Ac
      =      { inline ‘target’ }
             write Ac n (construct s) Ac
      =      { inline ‘write’ }
             n
      =      { equivalent to }
             source (Const n) s
Proving the [McCart67] compiler
      Proof of correctness for variables
               { case where ‘x = Var v’ }
             target (compile t (Var v)) (construct s) Ac
      =      { inline ‘compile’ }
             target [Load (Map v)] (construct s) Ac
      =      { inline ‘target’ }
             write Ac (construct s (Map v)) (construct s) Ac
      =      { inline ‘write’ }
             (construct s) (Map v)
      =      { inline ‘construct’ }
             s v
      =      { equivalent to }
             source (Var v) s
Assumed lemmas

      Untouched Registers lemma
      Any expression x, compiled to use registers t and above, will not
      write to a register less than t. Therefore:

          r < t   ⇒   target (compile t x) s (Reg r) ≡ s (Reg r)


      Untouched Variables lemma
      The compiled form of expression x will never write to a memory
      location mapped to a variable. Therefore:

          target (compile t x) s (Map v) ≡ s (Map v)
Proving the [McCart67] compiler
      Proof of correctness for addition
               { case where ‘x = Add x y’ }
             target (compile t (Add x y)) (construct s) Ac
      =      { inline ‘compile’ and ‘target’ }
             let s1 = target (compile t x) (construct s)
                 s2 = write (Reg t) (s1 Ac) s1
                 s3 = target (compile (t + 1) y) s2
             in  write Ac (s3 Ac + s3 (Reg t)) s3 Ac
      =      { state lemmas and inline ‘write’s }
             target (compile t x) (construct s) Ac +
             target (compile (t + 1) y) (construct s) Ac
      =      { inductive hypothesis (structural induction) }
             source x s + source y s
      =      { equivalent to }
             source (Add x y) s
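The compiler from the earlier slide, the two semantics, the correctness theorem and the two state lemmas used in the proof above, rendered in Python as an added executable example; this is not code from the slides or from [McCart67]. It keeps the slides' names (Const/Var/Add, Li/Load/Sto, Ac, Reg, Map) except that the ADD instruction is spelled Sum, as on the target-semantics slide, so it does not collide with the source constructor Add. Assumptions not made by the slides: the machine state is a dictionary and locations that were never written read as 0; compile_buggy is a constructed defect (the right operand reuses register t instead of t + 1) included to show that the property check catches it.

```python
import random

# Source language (tuples stand in for Haskell constructors): Const n | Var x | Add e1 e2.
def Const(n):  return ("Const", n)
def Var(x):    return ("Var", x)
def Add(a, b): return ("Add", a, b)

# Target locations: the accumulator, register t, or the memory cell mapped to
# variable v.  A concrete state is a dict from location to value.
AC = ("Ac",)
def Reg(t): return ("Reg", t)
def Map(v): return ("Map", v)

def compile_expr(t, e):
    """compile :: Int -> Source -> Target, as on the slide."""
    if e[0] == "Const":
        return [("Li", e[1])]
    if e[0] == "Var":
        return [("Load", Map(e[1]))]
    return (compile_expr(t, e[1]) + [("Sto", Reg(t))]
            + compile_expr(t + 1, e[2]) + [("Sum", Reg(t))])

def compile_buggy(t, e):
    """Constructed defect: the right operand reuses register t instead of t + 1,
    so a nested Add on the right clobbers the stored left value."""
    if e[0] != "Add":
        return compile_expr(t, e)
    return (compile_buggy(t, e[1]) + [("Sto", Reg(t))]
            + compile_buggy(t, e[2]) + [("Sum", Reg(t))])

def source(e, s):
    """source :: Source -> Abstract -> Value; s maps variable names to values."""
    if e[0] == "Const":
        return e[1]
    if e[0] == "Var":
        return s[e[1]]
    return source(e[1], s) + source(e[2], s)

def construct(s):
    """construct :: Abstract -> Concrete: variable v lives at Map v."""
    return {Map(v): val for v, val in s.items()}

def read(state, loc):
    return state.get(loc, 0)   # assumption: never-written locations read as 0

def target(prog, state):
    """target :: Target -> Concrete -> Concrete; 'write' becomes an update on a copy."""
    state = dict(state)
    for op, arg in prog:
        if op == "Li":
            state[AC] = arg
        elif op == "Load":
            state[AC] = read(state, arg)
        elif op == "Sto":
            state[arg] = read(state, AC)
        elif op == "Sum":
            state[AC] = read(state, AC) + read(state, arg)
        else:
            raise ValueError(op)
    return state

def correct(e, s, t=0, compiler=compile_expr):
    """The theorem at one point: target (compile t e) (construct s) Ac == source e s."""
    return read(target(compiler(t, e), construct(s)), AC) == source(e, s)

def untouched_registers(e, s, t, compiler=compile_expr):
    """Untouched Registers lemma: r < t  =>  target (compile t e) st (Reg r) == st (Reg r)."""
    st = construct(s)
    for r in range(t):
        st[Reg(r)] = 1000 + r          # distinctive values, so any clobber is visible
    after = target(compiler(t, e), st)
    return all(read(after, Reg(r)) == read(st, Reg(r)) for r in range(t))

def untouched_variables(e, s, t=0, compiler=compile_expr):
    """Untouched Variables lemma: target (compile t e) st (Map v) == st (Map v)."""
    st = construct(s)
    after = target(compiler(t, e), st)
    return all(read(after, Map(v)) == st[Map(v)] for v in s)

def random_expr(rng, depth):
    """Random source expression over x, y, z (constructed test input)."""
    if depth == 0 or rng.random() < 0.3:
        return Const(rng.randint(-9, 9)) if rng.random() < 0.5 else Var(rng.choice("xyz"))
    return Add(random_expr(rng, depth - 1), random_expr(rng, depth - 1))

def check_all(compiler=compile_expr, trials=500, seed=2010):
    """Property check, not a proof: theorem and both lemmas on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        e, t = random_expr(rng, 4), rng.randint(0, 3)
        s = {v: rng.randint(-50, 50) for v in "xyz"}
        if not (correct(e, s, t, compiler) and untouched_registers(e, s, t, compiler)
                and untouched_variables(e, s, t, compiler)):
            return False
    return True

def listing(e, t=0):
    """Numbered instruction listing, like the slide's table for EXAMPLE."""
    return [(n, op, arg) for n, (op, arg) in enumerate(compile_expr(t, e), 1)]

# The slides' running example, (x + 3) + (x + (y + 2)).
EXAMPLE = Add(Add(Var("x"), Const(3)), Add(Var("x"), Add(Var("y"), Const(2))))
```

listing(EXAMPLE) reproduces the thirteen-instruction table from the earlier slide, correct(EXAMPLE, {"x": 5, "y": 7}) and check_all() hold, and check_all(compile_buggy) does not. check_all is random testing, which is the kind of evidence a test suite gives; it is exactly what the structural-induction proof on this slide and the machine-checked proofs discussed later replace with a statement about all expressions.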
Milner and Weyhrauch, 1972



             “Proving compiler correctness in a mechanised logic”
             [Milner72]
             Provide an LCF machine-checked proof of the
             McCarthy-Painter example
             Proceed towards mechanically proving a compiler for a more
             complex language to a stack machine
             Claim to have “no significant doubt that the remainder of the
             proof can be done on machine” [Milner72]
Morris, 1973

             “Advice on structuring compilers and proving them correct”
             [Morris73]
             Proves by hand the correctness of a compiler for a source
             language that contains assignment, conditionals, loops,
             arithmetic, boolean operations and local definitions

      “Essence” of the advice presented in [Morris73]

                                  compile
              Source language  ------------->  Target language
                    |                                |
             Source semantics                 Target semantics
                    |                                |
                    v                                v
              Source meanings  <-------------  Target meanings
                                  decode
Thatcher, Wagner and Wright, 1980
      Advice presented in [Thatch80]

                                  compile
              Source language  ------------->  Target language
                    |                                |
             Source semantics                 Target semantics
                    |                                |
                    v                                v
              Source meanings  ------------->  Target meanings
                                  encode



             “More on advice on structuring compilers and proving them
             correct” [Thatch80]
             Provides a different encoding of the target language to
             [Morris73]
             Claim that mechanised theorem proving tools required further
             development
Syntax of source language in [Thatch80]

      st ::= continue
           | variable := ae
           | if be then st else st
           | st ; st
           | while be do st

      be ::= boolean constant
           | even ae
           | ae ≤ ae
           | ae ≥ ae
           | ae = ae
           | ¬ be
           | be ∧ be
           | be ∨ be

      ae ::= integer constant
           | variable
           | - ae
           | Pr ae
           | Su ae
           | ae + ae
           | ae − ae
           | ae × ae
           | if be then ae else ae
           | st result ae
           | let variable be ae in ae

      n.b. Similar to [Milner72] and [Morris73] but with more operators and
      sequential composition. Struggling to fit this onto one slide.
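An added example, not from the slides or from [Thatch80]: a Python tree-walking interpreter that gives this syntax one concrete source semantics, the left-hand vertical arrow of the diagrams on the two preceding slides. The slide lists only the grammar, so the meanings are assumptions: Pr and Su are read as predecessor and successor, statements are transformers of a variable-to-integer environment, `st result ae` runs st and then evaluates ae in the resulting state, and `let variable be ae in ae` binds the variable for the body only. The factorial and let programs are constructed for the example.

```python
def exec_st(st, env):
    """st ::= continue | v := ae | if be then st else st | st ; st | while be do st.
    Statements transform the environment; the caller's dict is never mutated."""
    env = dict(env)
    tag = st[0]
    if tag == "continue":
        return env
    if tag == "assign":
        env[st[1]] = eval_ae(st[2], env)
        return env
    if tag == "if":
        return exec_st(st[2] if eval_be(st[1], env) else st[3], env)
    if tag == "seq":
        return exec_st(st[2], exec_st(st[1], env))
    if tag == "while":
        while eval_be(st[1], env):
            env = exec_st(st[2], env)
        return env
    raise ValueError(tag)

def eval_be(be, env):
    """be ::= boolean constant | even ae | ae <= ae | ae >= ae | ae = ae
             | not be | be and be | be or be."""
    tag = be[0]
    if tag == "bool":
        return be[1]
    if tag == "even":
        return eval_ae(be[1], env) % 2 == 0
    if tag in ("<=", ">=", "="):
        a, b = eval_ae(be[1], env), eval_ae(be[2], env)
        return {"<=": a <= b, ">=": a >= b, "=": a == b}[tag]
    if tag == "not":
        return not eval_be(be[1], env)
    if tag == "and":
        return eval_be(be[1], env) and eval_be(be[2], env)
    if tag == "or":
        return eval_be(be[1], env) or eval_be(be[2], env)
    raise ValueError(tag)

def eval_ae(ae, env):
    """ae ::= integer constant | variable | - ae | Pr ae | Su ae | ae + ae | ae - ae
             | ae * ae | if be then ae else ae | st result ae | let v be ae in ae."""
    tag = ae[0]
    if tag == "int":
        return ae[1]
    if tag == "var":
        return env[ae[1]]
    if tag == "neg":
        return -eval_ae(ae[1], env)
    if tag == "Pr":                      # assumed meaning: predecessor
        return eval_ae(ae[1], env) - 1
    if tag == "Su":                      # assumed meaning: successor
        return eval_ae(ae[1], env) + 1
    if tag in ("+", "-", "*"):
        a, b = eval_ae(ae[1], env), eval_ae(ae[2], env)
        return {"+": a + b, "-": a - b, "*": a * b}[tag]
    if tag == "ifae":
        return eval_ae(ae[2] if eval_be(ae[1], env) else ae[3], env)
    if tag == "result":                  # st result ae: run st, evaluate ae in its final state
        return eval_ae(ae[2], exec_st(ae[1], env))
    if tag == "let":                     # let v be e1 in e2: v is bound in e2 only
        return eval_ae(ae[3], {**env, ae[1]: eval_ae(ae[2], env)})
    raise ValueError(tag)

# Constructed program: n! by a while loop, returned through 'result'.
#   (acc := 1 ; while 1 <= n do (acc := acc * n ; n := Pr n)) result acc
FACT = ("result",
        ("seq", ("assign", "acc", ("int", 1)),
                ("while", ("<=", ("int", 1), ("var", "n")),
                          ("seq", ("assign", "acc", ("*", ("var", "acc"), ("var", "n"))),
                                  ("assign", "n", ("Pr", ("var", "n")))))),
        ("var", "acc"))

def factorial(n):
    return eval_ae(FACT, {"n": n})

# Constructed program: let x be 5 in (if even x then x else Su x)
LET_EVEN = ("let", "x", ("int", 5),
            ("ifae", ("even", ("var", "x")), ("var", "x"), ("Su", ("var", "x"))))

def let_even_value(env=None):
    return eval_ae(LET_EVEN, dict(env or {}))
```

factorial(5) evaluates to 120 and let_even_value() to 6 whatever the outer environment holds for x, because the let binding shadows it. Writing the source semantics this way is the first of the three pieces the diagram needs; a compiler to a machine and the machine's semantics would complete the square, and the homomorphism argument of [Thatch80] is what lets the proof of commutation be done per production rather than by induction over whole programs.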
The “structuring compilers” series


             Discuss constructing algebras to describe language syntax and
             meaning
             The language abstract syntaxes as initial algebras
             Unique homomorphism from syntaxes to meanings, the
             semantics
             The compiler is the unique homomorphism between source
             and target syntaxes
             “... reduces to a proof that encode is a homomorphism ...”
             [Thatch80]
             “No structural induction is required ...” [Thatch80]
Meijer, 1994

             “More advice on proving a compiler correct: Improve a correct
             compiler” [Meijer94]
             Given an interpreter for a source language, can we transform
             it into a compiler to, and a residual interpreter for, the target
             language?
             A functional decomposition problem (i.e.
             interpreter = emulator ◦ compiler)
             Demonstrates this technique for a first-order imperative
             language compiling to a three-address code machine
             While quite feasible for first-order languages, it becomes far
             more difficult for higher-order languages
Berghofer and Stecker, 2003


             “Extracting a formally verified, fully executable compiler from
             a proof assistant” [Bergho03]
             Proves a compiler for a subset of the Java source language to
             Java bytecode
             Includes typechecking, abstract syntax tree annotation and
             bytecode translation
             Isabelle/HOL used to prove properties about an abstract
             compiler
             Isabelle code extraction to produce an executable compiler
Dave, 2003


             [Chart: papers listed against decade published]

             Maulik A. Dave’s bibliography for “Compiler Verification”
             [Dave03]
             Ninety-nine papers listed
             Ninety-one of those listed were published after 1990
             Interestingly, neither the Milner and Weyhrauch paper nor the
             Meijer paper is included
Recent work

             Leroy’s “A formally verified compiler back-end” [Leroy09]
                  Proves a compiler for Cminor to PowerPC assembler
             Chlipala’s “A verified compiler for an impure functional
             language” [Chlipa10]
                  For a toy (but still quite feature-rich) functional source
                  language to instructions for a register-based machine
             Both use the Coq proof assistant and code extraction
             Both decompose the problem into compilation to several
             intermediate languages
             Both express worries that the proof assistant itself could
             contain bugs that would invalidate correctness
Conclusions


             Compilers have been proved correct for progressively larger
             source languages
             A variety of different techniques are available ensuring
             semantic equivalences
             Rapidly became apparent that some kind of proof assistant is
             required
             Decomposition of large compilers is a key factor for success
             Programs are only verified when all surrounding elements are
             verified
Open questions


             What about compilers for larger target languages and more
             advanced compilation facilities?
             Are our mechanised assistants producing valid proofs?
             Are there other ways to decompose the problem?
             Are particular language paradigms more amenable to compiler
             verification?
             Why haven’t the concepts of [Meijer94] been more widely
             used?
             What other ways are there of decomposing the compiler
             verification problem?
More information




              Slides and bibliography will be made available at:
               http://www-users.cs.york.ac.uk/~jason/

                              Jason S. Reich
                         <jason@cs.york.ac.uk>

Salesforce Community Group Quito, Salesforce 101
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Formal Verification of Programming Languages

  • 1. Motivation 1960s Proof 1970s 1980s 1990s 2000s Conclusions
    Formal Verification of Programming Language Implementations
    Ph.D. Literature Seminar
    Jason S. Reich <jason@cs.york.ac.uk>
    University of York
    11th January 2010
  • 4. Compiling an arithmetic language
    Compile from a simple arithmetic language to machine code for a simple register machine.
    Source language: numeric constants, variables, addition; e.g. (x + 3) + (x + (y + 2))
    Target language:
      LI: Load Immediate into ac
      LOAD: load into ac from address/register
      STO: STOre ac value to address/register
      ADD: ADD register value to ac
    Example taken from [McCart67]
  • 5. Compiling an arithmetic language
    Arithmetic expression compiler in Haskell:

      compile :: Int → Source → Target
      compile t (Const v)   = [Li v]
      compile t (Var x)     = [Load (Map x)]
      compile t (Sum e1 e2) = compile t e1 ++ [Sto (Reg t)]
                           ++ compile (t + 1) e2 ++ [Add (Reg t)]

    When compiled and executed, is the value in the accumulator the result of the source arithmetic expression?
  • 6. Compiling an arithmetic language
    (x + 3) + (x + (y + 2)) compiled to machine code:

       1 LOAD M[x]
       2 STO  R[t + 0]
       3 LI   3
       4 ADD  R[t + 0]
       5 STO  R[t + 0]
       6 LOAD M[x]
       7 STO  R[t + 1]
       8 LOAD M[y]
       9 STO  R[t + 2]
      10 LI   2
      11 ADD  R[t + 2]
      12 ADD  R[t + 1]
      13 ADD  R[t]

    n.b. M is a mapping of variable names to memory locations and R is an indexing of registers.
  • 7. Why use high-level languages?
    Rapid development
    Easier to understand, maintain and modify
    Less likely to make mistakes
    Easier to reason about and infer properties
    Architecture portability
    But...
  • 8. Can you trust your compiler?
    Use a compiler to translate from a high-level language to a low-level one
    Compilers are programs (generally) written by people
    People make mistakes
    Can silently turn “a correct program into an incorrect executable” [Leroy09]
    GHC 6.10.x is ≈ 800,000 lines of code and has had 737 bugs reported in the bug tracker as of 04/12/2009 [GHC]
    Can we formally verify a compiler?
  • 9. McCarthy and Painter, 1967
    “Correctness of a compiler for arithmetic expressions” [McCart67]
    Describe, in first-order predicate logic:
      Source language semantics
      Target language semantics
      A compilation process
    Reason that the compiler maintains semantic equivalence
  • 10. McCarthy and Painter, 1967
    Semantic equivalence in [McCart67]:

      ∀e ∈ Expressions, ∀µ ∈ Variable Mappings •
        source(e, µ) ≡ acValue(target(compile(e), construct(µ)))

    Very limited, small toy source and target language
    Proof performed by hand
    Logical framework and proof presented in under ten pages
    Shows that proving a compiler correct is possible
  • 11. Proving the [McCart67] compiler
    Goal: target (compile t x) (construct s) Ac ≡ source x s

      type Abstract = Name → Value
      type Concrete = Address → Value

      construct s = λ(Map v) → s v
      write k v s = λk' → if k == k' then v else s k'

      -- Semantics for the source language
      source :: Source → Abstract → Value
      source (Const n) _ = n
      source (Var v)   s = s v
      source (Add x y) s = source x s + source y s

      -- Semantics for the target language
      target :: Target → Concrete → Concrete
      target []       s = s
      target (i : is) s = target is $ case i of
        Li n   → write Ac n s
        Load r → write Ac (s r) s
        Sto r  → write r (s Ac) s
        Sum r  → write Ac (s Ac + s r) s
  • 12. Proving the [McCart67] compiler
    Proof of correctness for constants:

          { case where x = Const n }
        target (compile t (Const n)) (construct s) Ac
      =   { inline ‘compile’ }
        target [Li n] (construct s) Ac
      =   { inline ‘target’ }
        write Ac n (construct s) Ac
      =   { inline ‘write’ }
        n
      =   { equivalent to }
        source (Const n) s
  • 13. Proving the [McCart67] compiler
    Proof of correctness for variables:

          { case where x = Var v }
        target (compile t (Var v)) (construct s) Ac
      =   { inline ‘compile’ }
        target [Load (Map v)] (construct s) Ac
      =   { inline ‘target’ }
        write Ac (construct s (Map v)) (construct s) Ac
      =   { inline ‘write’ }
        (construct s) (Map v)
      =   { inline ‘construct’ }
        s v
      =   { equivalent to }
        source (Var v) s
  • 14. Assumed lemmas
    Untouched Registers lemma
      Any expression x, compiled to use registers t and above, will not write to a register less than t. Therefore:
        r < t ⇒ target (compile t x) s (Reg r) ≡ s (Reg r)
    Untouched Variables lemma
      The compiled form of expression x will never write to a memory location mapped to a variable. Therefore:
        target (compile t x) s (Map v) ≡ s (Map v)
  • 15. Proving the [McCart67] compiler
    Proof of correctness for addition:

          { case where x = Add x y }
        target (compile t (Add x y)) (construct s) Ac
      =   { inline ‘compile’ and ‘target’ }
        let s1 = target (compile t x) (construct s)
            s2 = write (Reg t) (s1 Ac) s1
            s3 = target (compile (t + 1) y) s2
        in write Ac (s3 Ac + s3 (Reg t)) s3 Ac
      =   { state lemmas and inline ‘write’s }
        target (compile t x) (construct s) Ac + target (compile (t + 1) y) (construct s) Ac
      =   { inductive hypothesis (structural induction) }
        source x s + source y s
      =   { equivalent to }
        source (Add x y) s
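The compiler of slide 5, the two semantics of slide 11 and the equivalence of slide 10 can be run, not just proved, on concrete inputs. The following is an added example written for this page, not code from the slides or from [McCart67]: a Python rendering of those definitions using the source constructors of slides 11 to 15 (Const, Var, Add) and the target mnemonics of slide 6 (LI, LOAD, STO, ADD), plus a concrete check of the two slide 14 lemmas on one run. Function names (compile_expr, lemmas_hold) and the dict-based machine state are this example's own choices.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Const:          # source language (slides 4 and 11): numeric constant
    v: int
@dataclass(frozen=True)
class Var:            # variable
    x: str
@dataclass(frozen=True)
class Add:            # addition of two sub-expressions
    e1: object
    e2: object

def compile_expr(t, e):
    """Slide 5's `compile`; operands ("M", x) and ("R", n) are slide 6's M[x] and R[n]."""
    if isinstance(e, Const):
        return [("LI", e.v)]
    if isinstance(e, Var):
        return [("LOAD", ("M", e.x))]
    return (compile_expr(t, e.e1) + [("STO", ("R", t))]
            + compile_expr(t + 1, e.e2) + [("ADD", ("R", t))])

def source(e, s):
    """Slide 11's `source`: the meaning of e under variable mapping s."""
    if isinstance(e, Const):
        return e.v
    if isinstance(e, Var):
        return s[e.x]
    return source(e.e1, s) + source(e.e2, s)

def construct(s):
    """Slide 11's `construct`: abstract store to concrete machine memory."""
    return {("M", x): v for x, v in s.items()}

def target(code, state):
    """Slide 11's `target`; each step is a `write` on a copy of the state."""
    st = dict(state)
    for op, arg in code:
        if op == "LI":
            st["Ac"] = arg
        elif op == "LOAD":
            st["Ac"] = st[arg]
        elif op == "STO":
            st[arg] = st["Ac"]
        else:  # ADD
            st["Ac"] = st["Ac"] + st[arg]
    return st

def correct(e, s, t=0):
    """Slide 10's equivalence: source e s == Ac after running compile t e from construct s."""
    return source(e, s) == target(compile_expr(t, e), construct(s))["Ac"]

def lemmas_hold(e, s, t):
    """Slide 14's lemmas on one run: registers below t and all ("M", v) cells are unchanged."""
    before = construct(s)
    for r in range(t):  # sentinels in the registers the code must not touch
        before[("R", r)] = -1000 - r
    after = target(compile_expr(t, e), before)
    return all(after[k] == before[k] for k in before)

# Constructed sample input: slide 4's expression (x + 3) + (x + (y + 2)).
EXAMPLE = Add(Add(Var("x"), Const(3)), Add(Var("x"), Add(Var("y"), Const(2))))
```

compile_expr(0, EXAMPLE) reproduces the thirteen instructions of slide 6 with t = 0, and correct(EXAMPLE, {"x": 5, "y": 7}) checks the slide 10 equivalence for that one input; the proof on slides 12 to 15 is what extends it to all inputs.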
  • 16. Milner and Weyhrauch, 1972
    “Proving compiler correctness in a mechanised logic” [Milner72]
    Provide an LCF machine-checked proof of the McCarthy-Painter example
    Proceed towards mechanically proving a compiler for a more complex language to a stack machine
    Claim to have “no significant doubt that the remainder of the proof can be done on machine” [Milner72]
  • 17. Morris, 1973
    “Advice on structuring compilers and proving them correct” [Morris73]
    Proves by hand the correctness of a compiler for a source language that contains assignment, conditionals, loops, arithmetic, boolean operations and local definitions
    “Essence” of the advice presented in [Morris73], a commuting square:
      compile:          Source language → Target language
      Source semantics: Source language → Source meanings
      Target semantics: Target language → Target meanings
      decode:           Target meanings → Source meanings
  • 18. Thatcher, Wagner and Wright, 1980
    Advice presented in [Thatch80], a commuting square:
      compile:          Source language → Target language
      Source semantics: Source language → Source meanings
      Target semantics: Target language → Target meanings
      encode:           Source meanings → Target meanings
    “More on advice on structuring compilers and proving them correct” [Thatch80]
    Provides a different encoding of the target language to [Morris73]
    Claim that mechanised theorem proving tools required further development
  • 19. Syntax of source language in [Thatch80]

      ae ::= integer constant | variable | - ae | Pr ae | Su ae
           | ae + ae | ae − ae | ae × ae
           | if be then ae else ae | st result ae
           | let variable be ae in ae

      st ::= continue | variable := ae | if be then st else st
           | st ; st | while be do st

      be ::= boolean constant | even ae | ae ≤ ae | ae ≥ ae | ae = ae
           | ¬ be | be ∧ be | be ∨ be

    n.b. Similar to [Milner72] and [Morris73] but with more operators and sequential composition. Struggling to fit this onto one slide.
  • 20. The “structuring compilers” series
    Discuss constructing algebras to describe language syntax and meaning
    The language abstract syntaxes as initial algebras
    Unique homomorphism from syntaxes to meanings, the semantics
    The compiler is the unique homomorphism between source and target syntaxes
    “... reduces to a proof that encode is a homomorphism ...” [Thatch80]
    “No structural induction is required ...” [Thatch80]
  • 21. Meijer, 1994
    “More advice on proving a compiler correct: Improve a correct compiler” [Meijer94]
    Given an interpreter for a source language, can we transform it into a compiler to, and a residual interpreter for, the target language?
    A functional decomposition problem (i.e. interpreter = emulator ◦ compiler)
    Demonstrate this technique for a first-order imperative language compiling to a three-address code machine
    While quite feasible for first-order languages, becomes far more difficult for higher-order languages
  • 22. Berghofer and Stecker, 2003
    “Extracting a formally verified, fully executable compiler from a proof assistant” [Bergho03]
    Proves a compiler for a subset of the Java source language to Java bytecode
    Includes typechecking, abstract syntax tree annotation and bytecode translation
    Isabelle/HOL used to prove properties about an abstract compiler
    Isabelle code extraction to produce an executable compiler
  • 23. Dave, 2003
    [Chart: papers listed against decade published]
    Maulik A. Dave’s bibliography for “Compiler Verification” [Dave03]
    Ninety-nine papers listed
    Ninety-one of those listed were published after 1990
    Interestingly, neither the Milner and Weyhrauch paper nor the Meijer paper is included
  • 24. Recent work
    Leroy’s “A formally verified compiler back-end” [Leroy09]
      Proves a compiler for Cminor to PowerPC assembler
    Chlipala’s “A verified compiler for an impure functional language” [Chlipa10]
      For a toy (but still quite feature rich) functional source language to instructions for a register-based machine
    Both use the Coq proof assistant and code extraction
    Both decompose the problem into compilation to several intermediate languages
    Both express worries that the proof assistant itself contains bugs that would invalidate correctness
  • 25. Conclusions
    Compilers have been proved correct for progressively larger source languages
    A variety of different techniques are available for ensuring semantic equivalence
    Rapidly became apparent that some kind of proof assistant is required
    Decomposition of large compilers is a key factor for success
    Programs are only verified when all surrounding elements are verified
  • 26. Open questions
    What about compilers for larger target languages and more advanced compilation facilities?
    Are our mechanised assistants producing valid proofs?
    Are there other ways to decompose the problem?
    Are particular language paradigms more amenable to compiler verification?
    Why haven’t the concepts of [Meijer94] been more widely used?
    What other ways are there of decomposing the compiler verification problem?
  • 27. More information
    Slides and bibliography will be made available at: http://www-users.cs.york.ac.uk/~jason/
    Jason S. Reich <jason@cs.york.ac.uk>