| Yuan Yu. Automated proofs of object code for a widely used microprocessor. PhD thesis, University of Texas at Austin, April 1993. |
....this was in itself an important part of the effort, we still had to prove that our invariant held over the new loop. This later stage of the verification proof did use our derived rule for while loops. Another treatment of (a slightly different version of) strcpy is available in Yuan Yu's thesis [Yu93]. Yu's approach was to verify the object code generated by a standard C compiler for the Motorola 68020 processor. This approach has the advantage of not needing to cope with any of C's underspecified wrinkles. The GNU C compiler used to produce the object code and the 68020 processor together ....
....removing the need for subsequent symbolic evaluation in the simpler domain to assess this possibility. As far as verification is concerned, we should also like to see the Cholera mechanisation applied to more examples. One appealing possibility would be to follow the example of Yuan Yu's work [Yu93], and verify an implementation of a commonly used library. Needless to say, we should also like to see the BDD example that we attempted completed. Additional verification work would also require the development of better tools. In particular, the symbolic evaluator for expressions that currently ....
Yuan Yu. Automated proofs of object code for a widely used microprocessor. PhD thesis, University of Texas at Austin, April 1993.
.... however, its use would be one of the best examples of safety in the context of a programming environment (based on a mathematical model of the hardware and on the formal semantics of the assembly language) that would allow formal proofs of the correctness of the assembly code to be developed (e.g. as in [28]). Similarly, the use of the C language is often discouraged; the safety of its use would be highly improved if its adoption were mandated to be complemented by the use of appropriate analysis tools to ensure a greater level of static correctness and dynamic checking (e.g. as suggested in [29]) ....
Yuan Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. Research Report 114, Digital Systems Research Center, Palo Alto, California, 1993.
Yuan Yu. Automated proofs of object code for a widely used microprocessor. PhD thesis, University of Texas at Austin, April 1993.
.... a better one or a worse one. Even Fortran but you might not be able easily to write down the exact semantics of a Fortran program, because it depends on the inner workings of the compiler (often a better approach is to describe the compiled code instead, using the semantics of the assembler [Yu93]). But if things are so tricky that you don't know what's going on or can't say so succinctly, how on earth can you expect that your code does what you think it does? In safety critical applications, for example, it's crucial to know what the code does and how, and while proofs are merely hard, ....
Y. Yu. Automated proofs of object code for a widely used microprocessor. Technical Report 114, Digital Equipment Corporation Systems Research Center, Palo Alto, California, October 1993. Revised version of the author's Ph.D. thesis at the University of Texas at Austin.
....has to be fixed. We decided to use logical specifications, and as such higher order logic. This decision distinguishes our approach from others like Paway and Winsborrow [PW93], who used a rather informal mapping of program code into MALPAS Intermediate Language, in mathematical rigor, and Yu [Yu93], who used the quantifier free, first order logic of Nqthm, in expressiveness. Our decision was also influenced by the availability of automated theorem provers for higher order logic like HOL [GM93] and Isabelle HOL [Pau94,Pau97b]. However, there are difficulties in the verification of programs ....
....Isabelle HOL theorem prover. [Fig. 1. Verification integrating Inference (I) and Abstraction (A): specification and program as wCCS formulas, object code as HOL formulas] A particular assembly language has been fixed to allow the comparison of our work with others in the field (e.g. [Yu93]). We use the Motorola M68000 architecture here. 2 An algebra for processes In this section we give a brief overview of the Calculus of Communicating Systems (CCS) followed by the description of our variant, called wCCS. The motivation for this variant is given explaining the main difficulty we ....
Yuan Yu. Automated proofs of object code for a widely used microprocessor. Research Report 114, Digital Equipment Corporation Systems Research Center, Palo Alto, CA, October 1993.
....testing can never allow (except on trivial examples) i.e. the opportunity to explore every behaviour of the target system. 3.2.1 Yu's M68020 Verifier The most complete and impressive work in the area of object code verification is that by Yu. In his thesis [36] and subsequent technical report [37] Yu describes a system to reason about the correctness of arbitrary Motorola 68020 machine code. He describes the building of a formal definitional model of most of the user level of the M68020 in NQTHM [38], the logic of the Boyer-Moore theorem prover. The model is an operational semantics in the ....
Yuan Yu. Automated proofs of object code for a widely used microprocessor. Technical Report 114, Digital Systems Research Center, 5 October 1993.
....but allowing us to do something that testing can never allow (except on trivial examples) i.e. the opportunity to explore every behaviour of the target system. 3.2.1 Yu's M68020 Verifier The most complete and impressive work in the area of object code verification is that by Yu. In his thesis [36] and subsequent technical report [37] Yu describes a system to reason about the correctness of arbitrary Motorola 68020 machine code. He describes the building of a formal definitional model of most of the user level of the M68020 in NQTHM [38], the logic of the Boyer-Moore theorem prover. The model ....
....TRUE on each execution of the loop: $\mathcal{M}_C[\![\mathrm{loop}(\varepsilon,\gamma)]\!]\rho\sigma = \mathbf{if}\ \mathcal{M}_E[\![\varepsilon]\!]\rho\sigma = \mathrm{bool}_v\,T\ \mathbf{then}\ \mathcal{M}_C[\![\mathrm{loop}(\varepsilon,\gamma)]\!]\rho\,(\mathcal{M}_C[\![\gamma]\!]\rho\sigma)\ \mathbf{else}\ \sigma$ (footnote 5: This approach could also be used for out of range arithmetic.) To overcome this, we chose to implement a method similar to that described by Yu [36]. Yu used a counter which decremented on the execution of each 68020 instruction. This counter was initially set to exactly the necessary number of instructions required to perform the computation under consideration and would cause the NQTHM interpreter function to terminate at that point. Our ....
Yuan Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. PhD thesis, University of Texas at Austin, 1992.
.... a proof of the local correctness of a mutual exclusion algorithm without the atomicity assumption mentioned above (Yu, yu amax.events); the correctness proof for the MC68020 machine code produced by the Gnu C compiler for a C program that finds the maximum value in an integer array (Yu, [Yu92], yu asm.events); the correctness proof for the MC68020 machine code produced by the Gnu C compiler for a trivial C program that uses embedded assembly code (the object being to demonstrate that embedded assembly code can be handled) (Yu, [Yu92], yu bsearch.events); the correctness proof for ....
.... finds the maximum value in an integer array (Yu, [Yu92], yu asm.events); the correctness proof for the MC68020 machine code produced by the Gnu C compiler for a trivial C program that uses embedded assembly code (the object being to demonstrate that embedded assembly code can be handled) (Yu, [Yu92], yu bsearch.events); the correctness proof for the MC68020 machine code produced by the Gnu C compiler for a binary search program written in C (Yu, [Yu92], yu cstring.events); the correctness proofs for the MC68020 machine code produced by the Gnu C compiler for 21 of the 22 C String Library ....
Y. Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. PhD thesis, University of Texas, 1992.
....program correctness prover decides that it cannot complete the proof, it might turn the problem over to the system administrator. A certifier may take an arbitrary amount of time to validate a given component. It will usually be done off line. This allows experimental object code provers like [13] that usually tend to take more time than, for example, sandboxing. This does not exclude on line certification by the kernel. The certification and delegation mechanisms are similar to those found in the Taos operating system where they are used for secure communication [4, 12] In our system ....
Y. Yu, Automated Proofs of Object Code for a Widely Used Microprocessor, SRC 114, Digital Equipment Corporation, Oct. 1993.
....followed the style of earlier Nqthm work on modeling microprocessors, e.g. [19, 20, 28, 4]. Readers unfamiliar with that style need merely imagine defining, as a Lisp function, an interpreter for the intended machine language. We owe a special debt of gratitude to Yuan Yu, whose techniques in [39] we followed closely. Our behavioral level specification describes every well defined behavior of the CAP including all legal instructions, I/O [21], traps, and interrupts. Only a few hardware and software initiated reset sequences are not modeled by our specification; these sequences were ....
....the corresponding part of the ACL2 model [18] this involved the hand translation into ACL2 (in a very mechanical fashion) of the SPW description of the hardware. We believe that CAP is the most complex processor for which a complete formal specification has been produced. The MC68020 modeled in [39], the first commercial processor for which a substantially complete formal model was produced, has only sixteen general purpose registers and a simple instruction set, albeit one with 18 addressing modes. Until the CAP work, the most complicated commercial processor subjected to formal modeling at ....
Y. Yu. Automated Proofs of Object Code for a Widely used Microprocessor, Technical Report 92, Computational Logic, Inc., 1717 W. 6th, Austin, TX 78703, May, 1993. URL http://www.cli.com/reports/files/92.ps.
....low level machine languages, lying somewhere between architecture and language, is lagging behind. It is perhaps due to the size and intricacies of most processors that the formalisation is so difficult. For instance, the specification of a large portion of the MC68020 instruction set described in [2] took approximately 80 pages of text. This difficulty is unfortunate, as a manageable specification has many uses: 1. The specification can serve as a rigorous hardware description of the architecture. The formal meaning given to the machine code in this way eliminates ambiguities. This can then ....
....and scheduling of code to be correct. 5 Future Work There is much related work in the area of hardware description and modelling languages. However, much of this work is based on a lower level of description, for instance VHDL or Boyer-Moore theorem provers applied to low level descriptions [2, 10]. Recently there has been work on hardware description languages with a good formal semantic footing, for instance HML [14] and [13] where functional languages are used as description languages. We believe that a gap exists in the specification languages lying between languages and hardware, and ....
R. S. Boyer and Y. Yu. Automated proofs of object code for a widely used microprocessor. Journal of the ACM, 43(1):166--192, 1996.
....code running in an address space can potentially modify any memory location in that address space. While, in theory, it is possible to prove that certain pieces of code only modify a restricted set of memory locations, in practice this is very difficult for languages like C and assembly language [3, 28], and cannot be fully automated. In contrast, the type system and the linker in a safe language restrict what operations a particular piece of code is allowed to perform on which memory locations. The term namespace can be used to express this restriction: a namespace is a partial function mapping ....
R. S. Boyer, and Y. Yu. Automated proofs of object code for a widely used microprocessor. J. ACM 43, 1 (Jan.
....exist for building such proofs. Our technique is based on Floyd s verification conditions [6] because they are powerful enough to deal with unstructured assembly language programs and a broad range of safety invariants. Similar techniques have been used before to verify assembly language programs [2, 3]. Certification of programs involves two steps: 1. Compute the safety predicate for the program. This essentially encodes the semantic meaning of the program in logical form and constitutes a formal statement that the program, when executed, will not violate any typing assertions. 2. Generate a ....
....to use standard verification techniques to check type safety at the assembly language level. This is important for certifying extensions to safe programming languages and as a main building block in constructing certifying compilers. Similar techniques have been applied to assembly language before [2, 3] but neither as a basis for creating safety proofs nor for checking type safety. We show an encoding of safety proofs as first order logic derivations in LF. Our contribution in this area is to identify a fragment of LF which is both sufficient for many applications of PCC and also admits a simple ....
Boyer, R. S., and Yu, Y. Automated proofs of object code for a widely used microprocessor. J. ACM 43, 1 (Jan. 1996), 166--192.
....use standard verification techniques to check type safety at the assembly-language level. This is important for certifying extensions to safe programming languages and as a main building block in constructing certifying compilers. Similar techniques have been applied to assembly language before [2, 3] but neither as a basis for creating safety proofs nor for checking type safety. We show an encoding of safety proofs as first order logic derivations in LF. Our contribution in this area is to identify a fragment of LF which is both sufficient for many applications of PCC and also admits a simple ....
Boyer, R. S., and Yu, Y. Automated proofs of object code for a widely used microprocessor. J. ACM 43, 1 (Jan. 1996), 166--192.
....machine languages, lying somewhere between architecture and language, is lagging behind. It is perhaps due to the size and intricacies of most processors that the formalisation is so difficult. For instance, the specification of a large portion of the MC68020 instruction set described in Boyer Yu (1996) took approximately 80 pages of text. This difficulty is unfortunate, as a manageable specification has many uses: 1. The specification can serve as a rigorous hardware description of the architecture. The formal meaning given to the machine code in this way eliminates ambiguities. This can then ....
....be used to verify the behaviour of physical architectures. There is much related work in the area of hardware description and modelling languages. However, much of this work is based on a lower level of description, for instance VHDL or Boyer-Moore theorem provers applied to low level descriptions (Boyer Yu 1996, Hunt Brock 1989). Recently there has been work on hardware description languages with a good formal semantic footing, for instance HML (O'Leary, Linderman, Leeser Aagaard 1993) and (O'Donnell 1992) where functional languages are used as description languages. We believe that a gap exists in ....
Boyer, R. S. & Yu, Y. (1996), `Automated proofs of object code for a widely used microprocessor', Journal of the ACM 43(1), 166--192.
....(mc pc s) mc mem s) gcd code) ram addrp (sub 32 12 (read sp s) mc mem s) 24) equal a (iread mem (add 32 (read sp s) 4) mc mem s) 4) equal b (iread mem (add 32 (read sp s) 8) mc mem s) 4) numberp a) numberp b) Multiple intermediate lemmas here are omitted. See [BY92] and [Yu92, Yu93] for details. the correctness of gcd. prove lemma gcd correctness (rewrite) let ( sn (stepn s (gcd t a b) implies (gcd statep s a b) and (equal (mc status sn) running) equal (mc pc sn) rts addr s) equal (read rn 32 14 (mc rfile sn) read rn 32 14 (mc rfile s) equal (read rn 32 ....
Yuan Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. PhD thesis, University of Texas at Austin, Dec. 1992. Available from University Microfilms, Ann Arbor, Michigan.
....Algorithms based on BDDs are used to check the equivalence of the state transition functions for different design levels. • Motorola 68020. In 1991 Boyer and Yu constructed an Nqthm [BM79, BM88] specification of the Motorola 68020 microprocessor (including 80% of the user-mode instructions) [BY96]. They used the specification to prove the correctness of many binary machine code programs produced by commercial compilers from source code in such high level languages as Ada, Lisp, and C. For example, Yu verified the MC68020 binary code produced by the gcc compiler for 21 of the 22 C ....
R.S. Boyer and Y. Yu. Automated proofs of object code for a widely used microprocessor. Journal of the ACM, 43(1):166--192, January 1996.
....Using the tripartition of computing systems into requirements specifications, software, and hardware, I turn to an example of practical consequence. Is it possible to prove the match between formal spec and supposed use for interesting examples? I consider an example due to Boyer and Yu [BY92, Yu93]. The specification and proof of this example in Nqthm is available in the note [BY95] adapted from [BY92]. It shows a specification of a GCD calculator that employs the Euclidean algorithm, compiled into assembly code for an MC68020. The specification of the MC68020, which runs to about 100 ....
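Two excerpts on this page describe the same proof technique: the M68020 verifier excerpt explains Yu's instruction counter, set to exactly the number of instructions a computation needs so that the Nqthm interpreter function terminates there, and the GCD excerpt above (with the `stepn s (gcd-t a b)` lemma fragment quoted elsewhere on the page) shows it applied to Euclid's algorithm. The block below is an added example of that clock-function style on a constructed four-instruction toy machine; it is not Yu's MC68020 model, nor the Nqthm events of any citing paper. The machine, its instruction names, the register layout and the `gcd_t` clock are all assumptions made here. The exhaustive check at the bottom is a test of the statement, not the inductive proof that Nqthm would carry out.

```python
"""Clock-function style machine-code verification on a toy machine.

Added example: the machine, instruction set and gcd routine below are
constructed for illustration; they are not Yu's Nqthm MC68020 model or
code from any paper quoted on this page.  The technique is the one the
citing text describes: an interpreter stepn(s, n) that runs exactly n
instructions, plus a clock function that computes, for a given input,
exactly how many instructions the routine needs.  Correctness is then a
statement about the state reached after that many steps.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    pc: int            # program counter (index into the code tuple)
    a: int             # register A: first operand, holds the result on exit
    b: int             # register B: second operand
    status: str = "running"


# Euclid's algorithm as straight machine code (constructed toy ISA):
#   ("bz_b", t) : if B == 0 jump to t, else fall through
#   ("mod",)    : A, B := B, A mod B
#   ("jmp", t)  : jump to t
#   ("rts",)    : halt; A holds gcd of the entry values of A and B
GCD_CODE = (
    ("bz_b", 3),   # 0
    ("mod",),      # 1
    ("jmp", 0),    # 2
    ("rts",),      # 3
)


def step(s: State, code) -> State:
    """Execute one instruction (the machine's single-step semantics)."""
    if s.status != "running":
        return s                      # a halted machine does nothing
    op = code[s.pc]
    if op[0] == "bz_b":
        return replace(s, pc=op[1] if s.b == 0 else s.pc + 1)
    if op[0] == "mod":
        return replace(s, pc=s.pc + 1, a=s.b, b=s.a % s.b)
    if op[0] == "jmp":
        return replace(s, pc=op[1])
    if op[0] == "rts":
        return replace(s, status="halted")
    raise ValueError(f"unknown instruction {op!r}")


def stepn(s: State, code, n: int) -> State:
    """Run exactly n instructions: the counter is the only termination test."""
    for _ in range(n):
        s = step(s, code)
    return s


def gcd_t(a: int, b: int) -> int:
    """Clock function: exact instruction count of GCD_CODE on inputs (a, b).

    Each loop iteration costs three instructions (bz_b not taken, mod, jmp);
    exit costs two (bz_b taken, rts).  It follows the same recursion as the
    program, which is what makes it usable in a proof by induction.
    """
    if b == 0:
        return 2
    return 3 + gcd_t(b, a % b)


def gcd_correct(a: int, b: int) -> bool:
    """The correctness statement: after gcd_t(a, b) steps the machine has
    halted at the rts and register A holds gcd(a, b)."""
    s0 = State(pc=0, a=a, b=b)
    sn = stepn(s0, GCD_CODE, gcd_t(a, b))
    return sn.status == "halted" and sn.pc == 3 and sn.a == math.gcd(a, b)


def clock_is_tight(a: int, b: int) -> bool:
    """One step fewer must leave the machine still running: the clock is
    exact, not merely an upper bound."""
    s0 = State(pc=0, a=a, b=b)
    return stepn(s0, GCD_CODE, gcd_t(a, b) - 1).status == "running"


if __name__ == "__main__":
    for a in range(40):
        for b in range(40):
            assert gcd_correct(a, b) and clock_is_tight(a, b), (a, b)
    print("gcd_t(48, 18) =", gcd_t(48, 18), "- exhaustive check to 40 passed")
```

Because `stepn` stops after a fixed number of steps rather than when the program halts, the interpreter is total and the prover never has to argue about termination of the interpreter itself; the clock function `gcd_t` carries that burden, and its recursion mirrors the loop so that a proof by induction on the Euclid recursion goes through.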
Yuan Yu. Automated proofs of object code for a widely used microprocessor. Research Report 114, Digital Equipment Corporation Systems Research Center, Palo Alto, California, Oct. 5 1993.
....code [2] 1.9. CONCLUSIONS 23 At the other extreme, one can model the host machine semantics and then verify machine code programs (got, for example, by running production Ada compilers) by reasoning about processor transitions. Impressive work of this sort has been done by Yuan and Boyer [6]. Between these two extremes lies the work presented here. The techniques are in the spirit of Yuan and Boyer in that they are based on a semantics derived from the execution of machine instructions (though Yuan and Boyer use a real machine in the 68000 family, whereas an enormously simpler ....
Y. Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. PhD thesis, The University of Texas at Austin, yuanyu@com.dec.src, 1992.
....microprocessor. To give the reader a clear picture of this project, we provide, in their verbatim form, our formal specification for the MC68020 microprocessor and our lemma library for machine code reasoning in Appendix B. The complete script of all the program proofs presented here is given in [53]. The following is an outline of this report. Chapter 2 outlines our general approach to formal specification and verification, and gives a nontechnical account of this project. For uninitiated readers, we also provide a very brief introduction to the Boyer Moore automated reasoning system. ....
....None of the multiprocessor instructions have been considered. Our formal specification is about 128,000 bytes long, which takes up approximately 80 pages of text when printed. It consists of 569 function definitions in the Nqthm logic. The full text of this formal specification is given in [53]. The semantics of any machine code program written in this subset of MC68020 instructions is given formally by our MC68020 model. The complexity of this model is not particularly surprising to us. Rather, we believe the complexity is intrinsic for a CISC architecture like the MC68020. 2.2 ....
Yuan Yu. Automated Proofs of Object Code For a Widely Used Microprocessor. PhD thesis, University of Texas at Austin, 1992.
.... addition, our student Matt Wilding implemented some applications programs on the FM9001 (using the link assembler) and proved them correct [23]. Finally, in 1991, our student Yuan Yu used Nqthm to formalize 80% of the user-mode instruction set of a commercial microprocessor, the Motorola MC68020 [25, 5], and then used the formal model to verify many binary machine code programs produced by commercial compilers from source code in such high level languages as Ada, Lisp and C. For example, Yu verified the MC68020 binary code ....
....taught this method of formalization via examples very similar to this one, primarily in our graduate class, Recursion and Induction, at the University of Texas at Austin. That this technique scales up to languages that are many orders of magnitude more complicated than this one is demonstrated by [5, 9]. Therefore, simplicity here should be looked upon as a virtue. We will use ACL2 as the formal system in which the semantics is expressed and the proof advice is given. ACL2 is merely an axiomatization of an applicative subset of Common Lisp. The reader familiar with some Lisp will have no ....
R. S. Boyer and Y. Yu. Automated Proofs of Object Code for a Widely Used Microprocessor. JACM, 43(1):166--192, January 1996. http://www.cs.utexas.edu/users/boyer/mc-rev3.ps.Z.
Y. Yu. Automated Proofs of Object Code for a Widely used Microprocessor, Technical Report 92, Computational Logic, Inc., 1717 W. 6th, Austin, TX 78703, May, 1993. See URL http://www.cli.com/reports/.