

SLIDE 1

Proving Preservation of Partial Correctness with ACL2: A Mechanical Compiler Source Level Correctness Proof

Wolfgang Goerigk
Christian-Albrechts-Universität zu Kiel, Germany
wg@informatik.uni-kiel.de, http://www.informatik.uni-kiel.de/~wg/

Outline:

➜ Background, Three Steps to Correct Realistic Compilation
➜ Source Level Verification is not Sufficient
➜ Correct Implementation, Preservation of Partial Correctness
➜ Source and Target Language, the Compiler
➜ The Correctness Proof in ACL2
➜ Conclusions and Further Work

Wolfgang Goerigk - ACL2 2000 Workshop, University of Texas at Austin, Oct. 31, 2000 - Christian-Albrechts-Universität zu Kiel - Institut für Informatik und Praktische Mathematik

SLIDE 2

How to Construct Correct Executables

Generate correct executables from correct source programs
➜ manually
➜ using unverified compilers
   ➜ without verified compiling specification
      ➜ manually semantically checked [state-of-the-art certification]
      ➜ semantically checked by machine [Pnueli et al., Necula 1998, translation validation]
   ➜ with verified compiling specification
      ➜ manually syntactically checked [Goerigk, Hoffmann 1998]
      ➜ syntactically checked by machine [Traverso et al., 1998]
➜ using verified compilers (trusted compiler executables)

Verifix: DFG research group (Karlsruhe, Kiel, Ulm) for realistic source languages and real target processors


SLIDE 4

Verifix Goals

Construct and correctly implement compilers and compiler generators
➜ for realistic imperative and object-oriented source languages
➜ for real target and host processors
➜ generating efficient code that compares to unverified compilers
➜ exploiting mechanical proof support, e.g., by PVS or ACL2
➜ industrially approved compiler architecture and construction techniques
➜ proof methodology supplements compiler construction, not vice versa
➜ exploit runtime result verification (a posteriori program or result checking) and
➜ an initial fully trusted compiler as sound bootstrapping basis

SLIDE 5

Three Steps Towards Trusted Realistic Compilation

➀ Specification of a compiling relation $\mathcal{C}_{SL}^{TL}$ between abstract source and target languages SL and TL, and compiling (specification) verification w.r.t. the language semantics $[\![\cdot]\!]_{SL}$, $[\![\cdot]\!]_{TL}$ and an appropriate semantics relation $\rho_{SL}^{TL}$.
   theoretical comp. sc., progr. lang. theory, [McCarthy and Painter 1967], ...

➁ Implementation of a corresponding compiler program $\pi_{SL}$ in a high level implementation language SL (close to the specification language), and high level compiler implementation verification w.r.t. $\mathcal{C}_{SL}^{TL}$.
   [Polak 1981], [Moore 1988, 1996], [Curzon 1994, 1996]; software eng., formal methods like VDM, RAISE, CIP, PROSPECTRA, Z, B, ...

➂ Low level implementation of a corresponding compiler executable $m_{TL}$ written in the binary target machine language TL, and low level compiler implementation verification w.r.t. $[\![\pi_{SL}]\!]_{SL}$.
   virtually nothing, only demands [Chirica and Martin 1986], [Moore 1988]


SLIDE 9

Towards Trusted Realistic Compilation - Reality

➀ Specification of a compiling relation $\mathcal{C}_{SL}^{TL}$ between SL and TL, and compiling verification w.r.t. $[\![\cdot]\!]_{SL}$, $[\![\cdot]\!]_{TL}$ and $\rho_{SL}^{TL}$ (as on slide 5).

➁ Implementation of a corresponding compiler program $\pi_{SL}$ in SL, and high level compiler implementation verification w.r.t. $\mathcal{C}_{SL}^{TL}$ (as on slide 5).

➂ In reality, instead of low level compiler implementation verification:
   ✓ Strong Compiler Bootstrap Test: Compile $\pi_{SL}$ to $m_{TL}$ by a twofold bootstrapping, using an unverified SL-compiler. Apply $m_{TL}$ to $\pi_{SL}$ and test if $m_{TL}$ reproduces itself.
   virtually nothing, only demands [Chirica and Martin 1986], [Moore 1988]

SLIDE 10

DEMO

SLIDE 11

Reasonable Semantical Relations

Semantical relations $\rho_{SL}^{TL} \subseteq Sem_{SL} \times Sem_{TL}$ express notions of correct implementation. Here are some wishes:

➜ handle non-determinism of the source program semantics
➜ handle resource limitations of the target machine
➜ allow for optimizations that require well-definedness properties of the source program
➜ handle (non-terminating) reactive programs, e.g., preserve definedness properties of the source program
➜ allow for full recursion and dynamic data types, e.g. for transformational programs like compilers, ...

SLIDE 12

Why Non-Determinism - An Example

  procedure P (); begin int x; [assignment to x, illegible in the extraction] end;
  procedure Q (); begin int y; print (y) end;
  begin P (); Q () end

SLIDE 13

Refinement vs. Preservation of Partial Correctness

Specification Refinement (intuitive): The implementation should at least return every specified result, i.e., it should be at least as defined as the specification.

Preservation of Partial Correctness (intuitive): The implementation should at most return specified results, i.e., we do not want to see any non-erroneous incorrect result.

SLIDE 14

Semantical Relations and Correct Implementation

$\Omega$: error outcomes; $\Omega_A \subseteq \Omega$: acceptable errors; $\Omega_U = \Omega \setminus \Omega_A$: unacceptable (chaotic) errors.

[Diagram: the source program $p_{SL}$ with semantics $[\![p_{SL}]\!]_{SL} \subseteq In_{SL} \times Out_{SL}$ ($Sem_{SL}$) and the target program $p_{TL}$ with semantics $[\![p_{TL}]\!]_{TL} \subseteq In_{TL} \times Out_{TL}$ ($Sem_{TL}$), related by $\rho^{in}$ on the inputs and by $\rho^{out}$ on the outcomes.]

Definition: $p_{TL}$ correctly implements $p_{SL}$ relative to $\Omega_A$ iff for any $x \in In_{SL}$ with $([\![p_{SL}]\!]_{SL} ; \rho^{out})(x) \cap \Omega_U = \emptyset$ we have

$(\rho^{in} ; [\![p_{TL}]\!]_{TL})(x) \subseteq ([\![p_{SL}]\!]_{SL} ; \rho^{out})(x) \cup \Omega_A$

[Goerigk/Langmaack 2000], [Müller-Olm/Wolf 1999]

SLIDE 15

L-Simulation - Preservation of Partial Correctness

Choose $\Omega_A = \Omega$, i.e. $\Omega_U = \Omega \setminus \Omega_A = \emptyset$: every error outcome is acceptable.

[Diagram as on slide 14, with the error outcomes included in $Out_{SL}$ and $Out_{TL}$.]

Definition: We say that $p_{TL}$ L-simulates $p_{SL}$ (or that the step $p_{SL} \rightsquigarrow p_{TL}$ preserves partial correctness) iff

$\rho^{in} ; [\![p_{TL}]\!]_{TL} \subseteq [\![p_{SL}]\!]_{SL} ; \rho^{out}$

[Goerigk et al. 1996], [Müller-Olm 1996]
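The two relational definitions above, correct implementation relative to $\Omega_A$ (slide 14) and L-simulation (slide 15), together with the refinement notion of slide 13, checked on finite program semantics. This is an added example written for this page, not code from the slides or from Verifix: programs are modelled as sets of (input, outcome) pairs, one relation `rho` serves for both the input and the output side, and the error tokens, the representation relation RHO and the sample semantics SRC, TGT_OK, TGT_WRONG, SRC_CHAOTIC and TGT_CHAOTIC are all constructed here.

```python
"""Checking 'correctly implements' and L-simulation on finite program semantics.
Added example for this page, not code from the slides or from Verifix.  A program's
semantics is a set of (input, outcome) pairs; an outcome is a regular result or an
error token; r1 ; r2 is sequential composition, r1 applied first."""

ACCEPTABLE = {"stack-overflow", "nontermination"}   # Omega_A, e.g. resource limits
UNACCEPTABLE = {"chaos"}                            # Omega_U: chaotic errors
OMEGA = ACCEPTABLE | UNACCEPTABLE                   # all error outcomes

def image(rel, x):
    """All outcomes rel assigns to the input x."""
    return {b for (a, b) in rel if a == x}

def compose(r1, r2):
    """Sequential composition r1 ; r2."""
    return {(a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2}

def lift(rho):
    """rho relates source values to target values; errors relate to themselves."""
    return set(rho) | {(e, e) for e in OMEGA}

def correctly_implements(src, tgt, rho, acceptable=ACCEPTABLE, unacceptable=UNACCEPTABLE):
    """Slide 14: for every input x whose source outcomes ([[src]] ; rho)(x) contain
    no unacceptable error, (rho ; [[tgt]])(x) lies in ([[src]] ; rho)(x) | Omega_A."""
    r = lift(rho)
    lhs, rhs = compose(r, tgt), compose(src, r)
    for x in {a for (a, _) in src} | {a for (a, _) in lhs}:
        if image(rhs, x) & unacceptable:
            continue                    # source is chaotic here: nothing is demanded
        if not image(lhs, x) <= image(rhs, x) | acceptable:
            return False                # a non-erroneous but unspecified result
    return True

def l_simulates(src, tgt, rho):
    """Slide 15: every error is acceptable, Omega_U is empty, so the condition is
    rho ; [[tgt]]  included in  [[src]] ; rho."""
    return correctly_implements(src, tgt, rho, acceptable=OMEGA, unacceptable=set())

def refines(src, tgt, rho):
    """Specification refinement (slide 13): the target yields every specified
    result, i.e. [[src]] ; rho is included in rho ; [[tgt]]."""
    r = lift(rho)
    return compose(src, r) <= compose(r, tgt)

# constructed sample: factorial on 0..4 at source level, target values written in hex
RHO = {(v, hex(v)) for v in range(25)}
SRC = {(0, 1), (1, 1), (2, 2), (3, 6), (4, 24)}
TGT_OK = {("0x0", "0x1"), ("0x1", "0x1"), ("0x2", "0x2"), ("0x3", "0x6"),
          ("0x4", "stack-overflow")}                      # resource limit: acceptable
TGT_WRONG = (TGT_OK - {("0x3", "0x6")}) | {("0x3", "0x7")}  # a wrong regular result
SRC_CHAOTIC = SRC | {(5, "chaos")}                        # source is chaotic on 5
TGT_CHAOTIC = TGT_OK | {("0x5", "0x2a")}                  # target may do anything there

if __name__ == "__main__":
    for name, tgt in (("ok", TGT_OK), ("wrong", TGT_WRONG)):
        print(name, correctly_implements(SRC, tgt, RHO),
              l_simulates(SRC, tgt, RHO), refines(SRC, tgt, RHO))
```

TGT_OK aborts with a stack overflow on input 4, so it is not a refinement of SRC, but it correctly implements SRC because an acceptable error is never a wrong regular result; TGT_WRONG returns 7 for 3 and is rejected. On the chaotic input 5 the definition of slide 14 demands nothing, whereas L-simulation, which has no unacceptable errors, still rejects the arbitrary result.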

SLIDE 16

Source Language

Syntax:

  program ::= ( (d_1 ... d_n) (x_1 ... x_m) e )
  d       ::= ( defun f (x_1 ... x_n) e )
  e       ::= c | x | (if e_1 e_2 e_3) | (f e_1 ... e_n) | (op e_1 ... e_n)

A Sample Program - Factorial:

  (((defun fac (n) (if (= n 0) 1 (* n (fac (1- n)))))) (n) (fac n))

Operational Semantics (interpreter function):

  (defun evaluate (defs vars main inputs n) ...)

Semantics of forms (expressions):

  (defun evl (form genv env n) ...)        ; returns ([[form]]) or error
  (defun evlist (forms genv env n) ...)

SLIDE 17

The Target Machine and Code

[Diagram: the machine state consists of a stack of cells s_1, s_2, ... with a marked top of stack, and the code, which holds the code of f_1, the code of f_2, the code of f_3, ... (each at its label f_i:) followed by the main program.]

Machine Instructions:

  (PUSHC c)   (PUSHV i)   (POP n)   (IF m_1 m_2)   (OPR op)   (CALL f)

Operational Semantics (interpreter function):

  (defun execute (prog stack n) ...)

Stepwise Execution of Machine Instructions:

  (defun mstep (instr code stack n) ...)
  (defun msteps (instr-seq code stack n) ...)

SLIDE 18

Compiling Programs

[Diagram: the current stack frame holds the values of x_1 ... x_n (x_n nearest the top), above it lie top auxiliary cells, then the top of stack.]

We compile expressions according to the stack principle: The instruction sequence for the expression e pushes the value of e onto the stack. Operators and functions consume their arguments.

Variable Access: For any x_i in (x_1 ... x_n) we find the value of x_i at position top + |x_i ... x_n| - 1 on the stack.

SLIDE 19

Compiling Expressions

[Stack layout as on slide 18: current stack frame x_1 ... x_n, top auxiliary cells, top of stack.]

Let e'_top denote (compile-form e (x_1 ... x_n) top), the code of e in the frame (x_1 ... x_n) with top auxiliary cells:

  c                 ↦  ((PUSHC c))
  x_i               ↦  ((PUSHV top + |x_i ... x_n| - 1))
  (if e_1 e_2 e_3)  ↦  e_1'_top ++ ((IF e_2'_top e_3'_top))
  (f e_1 ... e_n)   ↦  e_1'_top ++ ... ++ e_n'_(top+n-1) ++ ((CALL f))
  (op e_1 ... e_n)  ↦  e_1'_top ++ ... ++ e_n'_(top+n-1) ++ ((OPR op))

The j-th argument is compiled with top + j - 1 auxiliary cells, because the values of e_1 ... e_(j-1) already lie on the stack.

SLIDE 20

Compiling Expressions - Variable Access

[Stack layout as on slide 18.]

  env = (bind (x_1 ... x_n) (rev (get-stack-frame (x_1 ... x_n) top s)))
      = ((x_1 . s[top + n - 1]) ... (x_n . s[top]))

Lemma 1 (Variable access). For any n ≥ 1, (evl x_i genv env n) is defined and

  s[top + |x_i ... x_n| - 1] :: s
    = (car (evl x_i genv env n)) :: s
    = (mstep (PUSHV top + |x_i ... x_n| - 1) ... s n)
    = (msteps (compile-form x_i (x_1 ... x_n) top) ... s n)

SLIDE 21

Compiling Expressions - Constants

[Stack layout as on slide 18.]

  env = (bind (x_1 ... x_n) (rev (get-stack-frame (x_1 ... x_n) top s)))
      = ((x_1 . s[top + n - 1]) ... (x_n . s[top]))

Lemma 2 (Constants). For any n ≥ 1, (evl c genv env n) is defined and

  c :: s
    = (car (evl c genv env n)) :: s
    = (mstep (PUSHC c) ... s n)
    = (msteps (compile-form c (x_1 ... x_n) top) ... s n)

SLIDE 22

Correct Compilation of Expression Lists - Informally

Theorems 1 and 2 (Compiler correctness for forms (form lists)): If the machine, executed on a compiled form (list), is defined on a stack for an n, then the following three conjectures hold:

1. The semantics of the form (list), in the given function environment and with the free variables bound to their values in the current stack frame, is defined for the same n.
2. The machine returns a new stack with the value(s) of the form(s) on top (in reverse order).
3. The stack just below the result value(s) remains unchanged.

SLIDE 23

Preservation of Partial Correctness for SL Programs

[Commuting diagram over S-expressions: (evaluate p (n)) maps the input list (i_1 ... i_k) to (v); (execute m (n)) maps the stack (i_k ... i_1 ...) to (v ...), where m is the compiled program p.]

Theorem 3 (Compiler preserves partial correctness)

  (defthm compiler-correctness-for-programs
    (let ((new-stack (execute (compile-program defs vars main)
                              (append (rev inputs) stack) n))
          (value (car (evaluate defs vars main inputs n))))
      (implies (and (wellformed-program defs vars main)
                    (defined new-stack)
                    (true-listp inputs)
                    (equal (len vars) (len inputs)))
               (equal new-stack (cons value stack)))))
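A runnable miniature of the source language (slide 16), the stack machine (slide 17), the compiling function (slides 18 and 19) and the check that Theorem 3 expresses, run on the factorial program. It is an added example written for this page, not Goerigk's ACL2 development; the representation is assumed here and is not taken from the slides: symbols are Python strings, None plays NIL, the operator table OPS is constructed, the bound n is decremented once per user function call on both levels, and (POP k) drops the k cells directly below the top of stack. Function names follow the slides where the slides name them (evl, evaluate, compile-form, mstep, msteps, execute).

```python
"""Added example for this page, not Goerigk's ACL2 code: the slides' source language,
stack machine and compiler in miniature, with the Theorem 3 check on factorial.  Assumed
here: symbols are strings, None is NIL, n drops per user call on both levels, (POP k)
drops the k cells under the top, and the stack is a Python list whose top is last."""

UNDEF = object()   # "undefined": runtime error or step bound n exhausted
OPS = {            # primitive operators (constructed): name -> (arity, meaning)
    "+": (2, lambda a, b: a + b), "-": (2, lambda a, b: a - b),
    "*": (2, lambda a, b: a * b), "1-": (1, lambda a: a - 1),
    "=": (2, lambda a, b: a == b)}

def truthy(v):     # Lisp truth: only NIL and False are false, 0 is true
    return v is not None and v is not False

def apply_op(op, vals):
    arity, fn = OPS[op]
    try:
        return fn(*vals) if len(vals) == arity else UNDEF
    except TypeError:                         # e.g. (1- nil): an error, hence undefined
        return UNDEF

def evl(form, genv, env, n):                  # source level: (evl form genv env n)
    if isinstance(form, str):                 # variable
        return env.get(form, UNDEF)
    if not isinstance(form, tuple):           # constant
        return form
    head, *args = form
    if head == "if":
        test = evl(args[0], genv, env, n)
        return UNDEF if test is UNDEF else evl(args[1] if truthy(test) else args[2], genv, env, n)
    vals = [evl(a, genv, env, n) for a in args]   # strict argument evaluation (evlist)
    if any(v is UNDEF for v in vals):
        return UNDEF
    if head in OPS:
        return apply_op(head, vals)
    if head in genv and n > 0 and len(genv[head][0]) == len(vals):   # user function call
        return evl(genv[head][1], genv, dict(zip(genv[head][0], vals)), n - 1)  # costs one step
    return UNDEF

def evaluate(defs, vars_, main, inputs, n):   # (evaluate defs vars main inputs n)
    genv = {f: (params, body) for (_, f, params, body) in defs}   # construct-genv
    return evl(main, genv, dict(zip(vars_, inputs)), n) if len(vars_) == len(inputs) else UNDEF

def compile_form(form, cenv, top):            # stack principle; cenv = (x_1 .. x_n), top = aux cells
    if isinstance(form, str):
        i = cenv.index(form)                  # ill-formed programs fail here
        return [("PUSHV", top + len(cenv) - 1 - i)]   # = top + |x_i .. x_n| - 1
    if not isinstance(form, tuple):
        return [("PUSHC", form)]
    head, *args = form
    if head == "if":
        return compile_form(args[0], cenv, top) + [
            ("IF", compile_form(args[1], cenv, top), compile_form(args[2], cenv, top))]
    return compile_forms(args, cenv, top) + [("OPR" if head in OPS else "CALL", head)]

def compile_forms(forms, cenv, top):          # each pushed argument is one more aux cell
    return [ins for j, f in enumerate(forms) for ins in compile_form(f, cenv, top + j)]

def compile_program(defs, vars_, main):       # -> (code table, main code); POP drops the parameters
    code = {f: compile_form(body, list(params), 0) + [("POP", len(params))] for (_, f, params, body) in defs}
    return code, compile_form(main, list(vars_), 0) + [("POP", len(vars_))]

def mstep(instr, code, stack, n):             # target level: (mstep instr code stack n)
    op, arg = instr[0], instr[1]
    if op == "PUSHC":
        return stack + [arg]
    if op == "PUSHV" and arg < len(stack):
        return stack + [stack[-1 - arg]]
    if op == "POP" and arg < len(stack):
        return stack[:-1 - arg] + stack[-1:]
    if op == "IF" and stack:
        return msteps(arg if truthy(stack[-1]) else instr[2], code, stack[:-1], n)
    if op == "OPR" and OPS[arg][0] <= len(stack):
        v = apply_op(arg, stack[len(stack) - OPS[arg][0]:])
        return UNDEF if v is UNDEF else stack[:len(stack) - OPS[arg][0]] + [v]
    if op == "CALL" and arg in code and n > 0:    # user function call: costs one step
        return msteps(code[arg], code, stack, n - 1)
    return UNDEF                              # everything else is an error

def msteps(instrs, code, stack, n):           # (msteps instr-seq code stack n)
    for instr in instrs:
        stack = UNDEF if stack is UNDEF else mstep(instr, code, stack, n)
    return stack

def execute(program, stack, n):               # (execute prog stack n)
    code, main_code = program
    return msteps(main_code, code, stack, n)

def theorem_3_holds(defs, vars_, main, inputs, stack, n):
    # machine defined on (rev inputs) ++ stack for n  =>  source defined for n, result value :: stack
    new_stack = execute(compile_program(defs, vars_, main), stack + list(inputs), n)
    if new_stack is UNDEF:
        return True                           # partial correctness demands nothing here
    value = evaluate(defs, vars_, main, inputs, n)
    return value is not UNDEF and new_stack == stack + [value]

FAC_DEFS = [("defun", "fac", ("n",),          # the factorial program of the slides
             ("if", ("=", "n", 0), 1, ("*", "n", ("fac", ("1-", "n")))))]
FAC_PROGRAM = (FAC_DEFS, ("n",), ("fac", "n"))
```

theorem_3_holds runs the compiled program and the interpreter with the same bound n and accepts every run on which the machine is undefined: that is the partial-correctness reading. For fac on input 3 both levels are undefined with n = 3 and both yield 6 with n = 4; any cells already on the stack below the inputs survive untouched, as the third conjecture of slide 22 demands.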

SLIDE 24

Correct Compilation of Expressions - Formally

Theorem 1 (Compiler correctness for forms)

  (defthm compiler-correctness-for-forms
    (let ((values (evl form (construct-genv dcls)
                       (bind cenv (rev (get-stack-frame cenv top stack)) env) n))
          (new-stack (msteps (compile-form form cenv top)
                             (download (compile-defs dcls)) stack n)))
      (implies (and (natp top)
                    (wellformed-defs dcls (construct-genv dcls))
                    (wellformed-form form (construct-genv dcls) cenv)
                    (defined new-stack))
               (and (defined values)
                    (equal new-stack (cons (car values) stack))))))

SLIDE 25

Correct Compilation of Expression Lists - Formally

Theorem 2 (Compiler correctness for form lists)

  (defthm compiler-correctness-for-form-lists
    (let ((values (evlist forms (construct-genv dcls)
                          (bind cenv (rev (get-stack-frame cenv top stack)) env) n))
          (new-stack (msteps (compile-forms forms cenv top)
                             (download (compile-defs dcls)) stack n)))
      (implies (and (natp top)
                    (wellformed-defs dcls (construct-genv dcls))
                    (wellformed-forms forms (construct-genv dcls) cenv)
                    (defined new-stack))
               (and (defined values)
                    (equal new-stack (append (rev values) stack))))))

SLIDE 26

Combined Computational and Structural Induction

Induction on n and the structural depth of forms:

  (defun compiler-induction (flag x cenv env top dcls stack n)
    (declare (xargs :measure (cons (1+ (acl2-count n)) (acl2-count x))))
    (if (or (zp n) (atom x))
        (list x cenv env top dcls stack n)
      ...
      ;; function call
      (list (compiler-induction nil (cdr x) cenv env top dcls stack n)
            (compiler-induction t (get-body (car x) (construct-genv dcls))
                                  (get-vars (car x) (construct-genv dcls))
                                  (bind cenv (rev (get-stack-frame cenv top stack)) env)
                                  0 dcls
                                  (msteps (compile-forms (cdr x) cenv top)
                                          (download (compile-defs dcls)) stack n)
                                  (1- n)))
      ...)
    ...)

SLIDE 27

Simultaneous Proof of Theorems 1 and 2

Prove Theorems 1 and 2 simultaneously:

  (defmacro theorem-1 (form cenv env top dcls stack n) ...)
  (defmacro theorem-2 (forms cenv env top dcls stack n) ...)

  (defthm compiler-correctness-form-forms
    (if flag
        (theorem-1 x cenv env top dcls stack n)
      (theorem-2 x cenv env top dcls stack n))
    :hints (("Goal" :induct (compiler-induction flag x cenv env top dcls stack n) ...)))

  (defthm compiler-correctness-for-expressions
    (theorem-1 x cenv env top dcls stack n)
    :hints (("Goal" :by (:instance compiler-correctness-form-forms (flag t)))))

SLIDE 28

Conclusions and Further Work

Conclusions

➜ We seriously and rigorously have to tackle target level implementation verification as well
➜ Source level verification and testing or validation alone are not sufficient!
➜ As it stands, this fact is now mechanically proved in ACL2 [Goerigk 1999, 2000].
➜ There is a repeatable technique for constructing initial, fully verified compiler implementations from scratch and for realistic systems implementation languages [Goerigk and Hoffmann 1998, Hoffmann 1998] ⇒ a major goal of Verifix
➜ The known gap between high level verification and software integration [Verifix, since 1994, BSI, 1996] can be closed

Some Future Work

➜ Formalize further compilation phases, i.e., data refinement, code linearization, machine code generation
➜ Prove full compiler correctness formally and mechanically in ACL2 (including target level implementation correctness)