W.D. Young. A verified code generator for a subset of gypsy. Technical Report 33, Comp. Logic. Inc., Austin, Texas, 1988.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....comparison. The second story is very closely related to Paul Curzon s work on compiler verification [2] The crucial difference is, that he uses and trusts a theorem prover (HOL) both to carry out the proofs and to execute the compiling specification, similar to the way J Moore [16, 17] and others [22] use ACL2 or its predecessor Nqthm in order to prove correctness of a compiler program which is executable within the prover. Now, that we modularized the compiler verification task into three steps, transformation verification, high level, and finally low level binary implementation ....

W.D. Young. A verified code generator for a subset of gypsy. Technical Report 33, Comp. Logic. Inc., Austin, Texas, 1988.

....an overview. paper.tex; 23 02 1998; 16:05; p. 27 28 GERHARD SCHELLHORN AND WOLFGANG AHRENDT From the work on formal system supported verification of compilers we exemplarily want to mention the work with NQTHM on the formal verification of a compiler for an imperative language ( Moore, 1988) (Young, 1988)) This work is based on the notion of interpreter equivalence which is quite similar to our notion of equivalence of ASMs. It also contains a lot of references to related work. Of specific work on the formal verification of a Prolog compiler we are aware only of the parallel work of C. Pusch ....

Young, W. D. (1988). A Verified Code Generator for a Subset of Gypsy. Technical report 33, Computational Logic Inc. available at the URL: http://www.cli.com.

....then on to transistors all worked as we expected. Finally, we wanted to validate our effort in producing a verified hardware and software computing platform. The CLI short stack [15] includes the FM9001 microprocessor as a base, upon which the Piton assembler [13, 14] the MicroGypsy compiler [22, 21, 23], and the Micro Nqthm compiler [8] have been proven to operate correctly. We find that our having actually completed this verification exercise to be compelling evidence [12] that we do not have to settle for hardware and software validated only with the conventional test oriented approaches. Upon ....

William D. Young. A Verified Code Generator for a Subset of Gypsy. Ph. D. Dissertation, University of Texas at Austin, 1988.

....semantics uses cpo theory due to D. S. Scott [Sco82] Translation verification has been done also with the help of mechanical provers. W. Polak [Pol81] did so for translating a Pascal like language into code of an idealised stack machine with unrestricted arithmetic and memory, W. D. Young [You88] for Micro Gypsy (Pascallike as well) into Piton (an assembly like language) and J S. Moore for Piton into the binary machine code of the real processor FM8501 [Moo88, Moo96] Third step: A host language H with its syntax and semantics is to be elected. As long as there is no correctly proved, ....

W.D. Young. A Verified Code Generator for a Subset of Gypsy. Technical Report 33, Comp. Logic. Inc., Austin, Texas, 1988.

....Inc. CLInc, Austin, Texas) the Boyer Moore prover is used to construct and verify a stack of components (CLInc stack) covering the compilation of the high level imperative language Micro Gypsy down to the hardware processor FM8502. This imperative language is first compiled to assembler code [18] and further to machine code [13] Compiler and assembler are specified and verified with respect to source and target language semantics. In [13] J S. Moore formulated the necessity of also proving the implementation correct. However, even in the CLInc project this gap has not been closed so far. ....

W.D. Young. A verified code generator for a subset of gypsy. Technical Report 33, Comp. Logic. Inc., Austin, Texas, 1988. Verifix

....resources and the absence of errors. New proof machinery would have to be created (via the proofs of suitable lemmas) to enable ACL2 to reason about TJVM computations in which exceptions are thrown or multiple threads are used. Our experience, notably that reported in Young s dissertation, [13] and in the author s work on Piton [11] is that when dealing with resource limitations and exceptions it is best to produce several layers of abstraction, each formally related to the next by lemmas, one of which is free of those concepts and corresponds to our tjvm. That is, we see a model like ....

W. D. Young, A Verified Code-Generator for a Subset of Gypsy, PhD Thesis, University of Texas at Austin" 1988.

....and post conditions in the (quantifier free) assertion language of the Stanford verifier. The verification work is large the compiler specification is about 70 pages, the source semantics 30 pages, the target semantics 4 pages and the proof itself takes 50 pages. It has been reported by Young[71] that there is a large collection of unproven assumptions in the formal theory and that Boyer has found several inconsistencies in Polak s axioms. 3.4.2 CLI Verified Stack Following Polak s work, Computational Logic Inc. CLI) undertook a compiler verification[72] as part of their work on a ....

William D. Young. A verified code generator for a subset of Gypsy. Technical Report 33, Computational Logic Inc., October 1988.

....KIT is a small operating system proved correct for a typical Von Neumann architecture [5] Some of the proof obligations involve showing that code correctly implements aspects of the operating system. A compiler for a subset of Gypsy [1, 44] that has as a target Piton [38] is proved correct [59]. Again, code that implements the needed functionality is proved correct. Like the nim proof in Chapter 4, timing behavior information is not dealt with in these projects as the models of computation associate with the execution of each instruction one clock tick . One project that differentiates ....

W.D. Young. A verified code generator for a subset of Gypsy. Technical Report 33, Computational Logic, Inc., 1988. Ph.D. Thesis, University of Texas at Austin.

....also provides global arrays that are implemented in the memory of FM8502, which is a large array. Piton provides two stacks which are also implemented in the FM8502 memory. One of the most difficult parts of the Piton proof is verifying the correct implementation of the stacks on FM8502. Young [30] compiles a subset of Gypsy 2.05 [14] called Micro Gypsy, into Piton. Micro Gypsy is a von Neumann language similar to a subset of Pascal. The principal difference between Young s work and this one are: 6 A Verified Implementation of an Applicative Language with Dynamic Storage Allocation 1. ....

William D. Young. A verified code generator for a subset of gypsy. Technical Report 33, Computational Logic, Inc., 1988. Ph.D. Thesis, University of Texas at Austin. 142 A Verified Implementation of an Applicative Language with Dynamic Storage Allocation

....loop (with S 0 (c) the bottom element of A) the theorem tells us nothing about the meaning of the translation. It would be nice to prove a strict equality between the two meanings, but appears difficult. Young proves a similarly weak theorem about his code generator for micro Gypsy [2]. One defense of these weak theorems is that we intend to compile proven programs, where we have shown that the execution terminates and that run time errors are absent. For such programs, the weak theorems completely specify the meaning of the generated code. 9 Optimizing the translation The ....

William D. Young. A Verified Code Generator for a Subset of Gypsy. Computational Logic Inc. Technical Report 33, October 1988.

....proving a number of theorems relating the hardware operations of the FM8502 to abstract functions defining natural number and integer arithmetic. The complete specification of the FM8502 enabled the development of a formally verified system which includes a verified assembler and verified compiler [Moo88,You88]. 3.2 The Major State Machine The next lower level of abstraction in the VIPER specification is the majorstate machine. The major state level abstracts VIPER as a cyclic graph whose nodes represent different phases of instruction execution, e.g. instruction fetch, perform ALU operation, or ....

William D. Young. A Verified Code Generator for a Subset of Gypsy. Technical Report 33, Computational Logic, Inc., 1988. Ph.D. Thesis, University of Texas at Austin.

....theorem prover are similar to those illustrated here the normalization of symbolic states, expansion of complicated functions only under strict controls, the provision of rules that work or fail quickly. Examples of these techniques are described in some of our larger scale projects, such as [19, 24, 25, 6, 7, 8]. We offer three pieces of general advice. First, start small. Most successful projects have started with a toy version of the machine and refined the basic approach. For example, start with 5 instructions and add the other 195 later. To add new features, such as interrupts or a pipeline, return ....

W. D. Young. A Verified Code-Generator for a Subset of Gypsy. PhD thesis, University of Texas, 1988.

.... protocols for independently clocked processors [8] Turing machines [9] Lambda calculus [10] a simple but usable machine code [11] a large part of the machine code for the MC68020 [12] a stack based assembly language [5] several high level languages including Micro Gypsy [13], Middle Gypsy [14] the Nqthm logic itself [2] and a small subset of Ada [15] a home grown separation kernel (implementing multi processing on a uniprocessor) 16] 6 . a requirements model for the Mach micro kernel, and . the Unity system (a model of the Misra Chandy language for ....

W. Young, "A Verified Code-Generator for a Subset of Gypsy", PhD Thesis, University of Texas at Austin, 1988, Also available through Computational Logic, Inc., Suite 290, 1717 West Sixth Street, Austin, TX 78703.

....subset of Gypsy is a list of events in the computational logic of Boyer and Moore [4, 5] That list is sufficient to lead the Boyer Moore theorem prover enhanced with an interactive interface by Matt Kaufmann [14] to the proof of our main theorem. This paper is a summary of a much longer report [26] which contains that list and in which we . present a language recognizer and operational semantics for a subset of Gypsy which we call Micro Gypsy, describe the operational semantics for a subset of the Piton assembly level language, implement as functions in the Boyer Moore logic a code ....

....inelegant program description language. Much of the inelegance arises from the fact the abstract syntax allows only variables and simple literals as expressions. Complex expressions are translated in preprocessing into a sequence of calls to predefined procedures. The syntax is fully described in [26]. Figure 2 2 displays an annotated Micro Gypsy program for computing the product of two numbers. The translation of this into the Micro Gypsy abstract syntax form yields the two procedures shown in figure 2 3. The semantics of Micro Gypsy programs is defined with respect to an execution ....

[Article contains additional citation context not shown here]

W.D. Young. A Verified Code Generator for a Subset of Gypsy. Ph.D. Th., The University of Texas at Austin, December 1988.

....Bliss which was then compiled. 20] Most current uses of Gypsy in the development of secure system applications, however, have been for specification at the design level. There is currently no Gypsy compiler available except a prototype verified compiler for a very small subset of the language [25]. The result is that Gypsy design level specifications are translated by hand into C or some other suitable implementation language, an error prone process [26] Arguably, Gypsy has an advantage over Z in this process in that there is a clearer mapping from procedural Gypsy code to an ....

....and code. The VC s often bear little obvious relation to the code. However, this seems to be a necessary price for having procedural constructs in the language. It is possible to reason about procedural programs directly with respect to a formal semantics, but it is much more difficult to do so [25]. 5. Conclusions We have compared and contrasted two specification languages Gypsy and Z in light of a common example. Each provided some obvious advantages and disadvantages. Z allows the construction of very clear and elegant specifications. It has been used with good results in ....

W.D. Young. A Verified Code Generator for a Subset of Gypsy. Tech. Rept. CLI-33, CLInc, November, 1988.

No context found.

W.D. Young. A Verified Code Generator for a Subset of Gypsy. Technical Report CLI-33, Computational Logic, Inc., 1717 W. 6th St., Suite 290, Austin, TX, 78703, November, 1988.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC