R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....to the environment, the input variables are read from the environment, and the sequence of instructions in the program is executed. An initialization phase precedes the cycle. The execution of gem programs has been modeled using a machinery inspired by Boyer and Moore's small machine ([Boyer and J S. Moore, 1996]). A state of a gem program is composed of a program counter, a memory and the program itself. The semantics of each gem instruction consists of a state-transforming function called its semantic function. A single step of a gem program is executed by applying the semantic function ....
....through a stepper function. We have extended the machinery to describe the I/O operations. Input is modeled by updating the values of the input variables in the memory with those from a given sequence. Output is modeled by extracting the output variables from the memory. A further difference with ([Boyer and J S. Moore, 1996]) regards the modeling of memories. We model gem memories as associative lists, where each variable identifier is paired not only with its value but also with its type and attribute. Our memory model allows duplicate key entries; only the first entry of a variable is relevant to the content of the state. The ....
Boyer, R. S. and J S. Moore (1996). Mechanized formal reasoning about programs and computing machines. In ????, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, page ???? MIT Press.
....requiring logical reasoning. Such programs have already been used successfully in several application areas, including, for example, solving open questions in mathematics and formal logic (see, for example, [22]) and solving a variety of verification and design problems (see, for example, [4]). There are several different approaches to the automation of reasoning, depending on the underlying logical foundations and the general approach taken for manipulating and reasoning about logical constructs. In this paper, we consider an application of first-order refutation ....
Boyer, R., and Moore, J, "Mechanized formal reasoning about programs and computing machines", R. Veroff (ed.), Automated Reasoning and Its Applications, MIT Press, Cambridge, 1997, 147--176.
....theorems in Hol may introduce inconsistencies into Hol, so the authors of translations must be careful to avoid this problem. The danger of this is reduced if users mainly rely on the automated transfer of definitions from ACL2. Section 2 has an example of this for ACL2's small machine theory [2, 10]. In Section 3 we describe how to specify and hand-code translations. Section 4 lists the main commands for importing results into Hol. We discuss other work in Section 5 before presenting concluding remarks in Section 6. Appendix A presents a Hol theory of s-expressions, which can be used for ....
....session. Appendix D describes ACL2PII's architecture and code structure. Appendix E gives the source scripts for the small machine example presented in Section 2.
2 Example: Small Machine
Here we demonstrate how to make a link from ACL2 to Hol. We use as an example ACL2's small machine theory [2, 10], which is an operational definition of a simple microcomputer. The theory showcases ACL2's facilities for symbolic simulation and the fast execution of concrete machines. We proceed as follows: 1. identify the base ACL2 syntax required for our Hol investigation, 2. define base Hol constants for that ....
Bob Boyer and J Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
....highlights several aspects of this proof that are generally useful for this kind of analysis, and points out particularly some advanced features of ACL2's simplifier that are useful. Most or all of these techniques have been introduced or presented in various publications, most comprehensively in [Boyer and Moore, 1996].
26 USING THE ACL2 THEOREM PROVER
Assembly             Comment
.ORG  18             Origin: program at address 18
VAL   0              value
MODU  0              modulus (assumed positive)
REM   pop MODU
      pop VAL
LOOP  pushs VAL      repeated subtraction loop
      pushs MODU
      sub
      dup
      jumpz DOSUB    end loop when VAL = MODU
      pop VAL
      jump LOOP
DOSUB pushs ....
....The following rule simplifies expressions that we will encounter that contain c in their clock expressions by decomposing their execution into constituent parts. (Footnote 3: This technique has been used many times previously. Bevier was perhaps the first to do a proof of this type for his KIT operating system kernel. Explicitly using a clock function to control the prover was introduced in [Boyer and Yu, 1996], and these same ideas work using the PVS theorem prover [Wilding, 1997]. The idea is documented fully in [Boyer and Moore, 1996].)
(defthm tiny-c (equal (tiny s (c x ....
Boyer, R. S. and Moore, J. S. (1996). Mechanized formal reasoning about programs and computing machines. In Veroff, R., editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press.
....Leading tools include ACL2, HOL, and PVS, and each is increasingly finding application in industrial settings where safety or wide product distribution makes establishing design correctness imperative. Various verification projects have used theorem provers to analyze computer system models [1, 2, 4, 6, 8, 13, 14, 17]. A dramatic recent example of the possibilities of applying formal analysis to computing systems is the ACL2-checked verification of AMD's Athlon (formerly K7) floating point operations [16].
[Figure: design flow relating DESIGNER, FORMAL ANALYSIS and FABRICATION; labels: HLL designs, HDL designs, formal model, device]
Robert S. Boyer and J Strother Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
....Machine Interpreter. In order to make the ideas of this paper concrete we introduce a PVS computing machine formalization that supports examples in later sections. We present sm, a slightly modified version of John Rushby's formalization of Bob Boyer's and J Moore's simple machine-level language [4, 14]. An sm state is composed of five elements: a program counter, a stack containing subroutine call return addresses, a data memory that maps natural number addresses to natural number values, a flag whose boolean value indicates whether the processor is halted, and a program memory that maps ....
Robert S. Boyer and J Strother Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
....to ensure that formal analysis applies to the actual machine. With a unified model we can informally validate the formal model through its use by developers as a simulator.
1.1 Executable Formal Models
Various verification projects have used theorem provers to analyze computer system models [2, 3, 5, 6, 15, 16, 8, 22], and the use of theorem provers as digital design tools is an active area of research [12]. What is not as clear is whether the languages about which theorem proving systems reason can also be used to support simulation. Execution must be extremely fast, similar in speed to the models that are ....
Robert S. Boyer and J Strother Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
....with this approach and details a portion of an executable model we have developed of a real processor. (Rockwell Collins approved for publication.)
1.2 A Theorem Prover that Supports Efficient Execution
Various verification projects have used theorem provers to analyze computer system models [3, 4, 7, 8, 19, 20, 10, 24, 25], which suggests that these kinds of models are amenable to formal verification, and the use of theorem provers as digital design tools is an active area of research [15]. What is not as clear is whether the languages about which theorem proving systems reason can also be used to support ....
....counter, a memory of integers, a data-stack top-of-stack pointer, a call-stack top-of-stack pointer, and a halt flag. Figure 1 lists the TINY instructions. The TINY model is represented in the ACL2 logic as an interpreter, following the convention of many previous formal verification projects [7, 8, 25]. We introduce ACL2 (and hence, Common Lisp) definitions that interpret instructions with respect to their effect on the TINY state. The ACL2 term (tiny s n) evaluates to a TINY state that reflects the effect of executing n instructions on an initial TINY state s. The function tiny models the TINY ....
Robert S. Boyer and J Strother Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
....although the change had little to do with the substance of most of the proofs. We are working toward more robust proofs by relying on automated proof techniques. An important advance in this area is the interpreter style of proofs that has been used in a variety of verification projects, including [1, 3, 4, 13, 16]. This approach involves specifying the semantics of a computer system with an interpreter and deriving symbolic results using automatic reasoning. We have adapted this approach for use in PVS [17] and believe that its usefulness transcends the particularities of different theorem proving systems. ....
Robert S. Boyer and J Strother Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.
R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....many subtle static semantics issues. Second, the operational semantics of the JVM can be executed, meaning it is possible to test the semantics against accepted implementations of the JVM. Third, the operational semantics is easily unwound by standard symbolic evaluation and induction techniques [3]. Fourth, and most important, the semantics is rendered formally, so it can be inspected by language experts and used directly by the verifier.
7 Acknowledgments
Our JVM models owe much to Rich Cohen, who used ACL2 to formalize a single-threaded version of the defensive JVM [6]. We are grateful ....
R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....the JVM. The single-threaded predecessor to M4 is discussed in [18] with more background about proofs, including proofs of methods that modify inherited fields in objects and illustrate method resolution. The definitive paper describing how to model machines in the Boyer-Moore tradition is [4], where Boyer and Moore describe their so-called small machine model, which formed the basis of much early work on verified microprocessors and the CLI Stack [1, 12, 10, 22, 16]. M4 omits many features of the JVM. Among the more glaring omissions are accurate support for the JVM primitive ....
R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....computing the expected results. Furthermore, Yu formally specified what these 21 programs were supposed to do and used the Boyer-Moore theorem prover to prove mechanically that the binaries met the specifications [6]. For an introduction to the modeling and proof methods used in these projects, see [4]. We merely hint at the techniques as we briefly describe our model of the JVM. Of particular historical importance to the present work is Rich Cohen's ACL2 model of a single-threaded JVM [7]. The so-called defensive JVM is an accurate and complete model of a subset of the JVM instruction set. ....
R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....theorem characterizes the correctness (or some other property) of the microcode program in question. Other memory configurations are possible under the model and are indeed studied with theorems about other programs. These theorems can then be combined to prove facts about systems of programs. See [5, 17] for some simple examples of how this is done and citations of applications of industrial interest. In [27] the question is raised, in regard to linear logic, whether mentioning state explicitly is a pain or a boon; [27] says additional experience is necessary to determine the answer. Our ....
R. S. Boyer and J S. Moore. Mechanized Formal Reasoning about Programs and Computing Machines. In R. Veroff (ed.), Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, MIT Press, 1996.
....step, just as though (invokestatic Math fact 1) were a primitive instruction that computed the factorial of the top of the stack, except costing (fact clock n) primitive steps. For details about the TJVM model, see [26]. For details about how ACL2 is configured to prove such theorems, see [5].
8 Nondeterminism and Distributed Computation
Within this basic framework it is possible to formalize machines that are nondeterministic by incorporating into the model an oracle that provides random input for each step. An example of this, as well as of the modeling of distributed ....
R. S. Boyer and J S. Moore. Mechanized formal reasoning about programs and computing machines. In R. Veroff, editor, Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, pages 147-176. MIT Press, 1996.
....Because we are interested in formal, mechanically checked proofs, we formalize the TJVM in a formal, mechanized logic, namely ACL2: A Computational Logic for Applicative Common Lisp. The tradition of formalizing machines in ACL2, and its predecessor, Boyer and Moore's Nqthm, is well established [1, 14, 11, 3, 5] and we follow in those well-trodden footsteps. Indeed, our TJVM is just a simplification of Rich Cohen's defensive JVM [6], which was formalized at Computational Logic, Inc. in the standard ACL2/Nqthm style. That style employs an operational semantics, in which the state of the machine is ....
....prior to the attempt, together with goal-specific hints provided by the user. Of great importance is the set of lemmas the system has already proved. Those lemmas determine how ACL2 simplifies expressions. To configure ACL2 to prove theorems about TJVM we followed the example described in [3]. Roughly speaking, we did the following:
- We proved half a dozen simple arithmetic lemmas; we could have loaded any of several standard ACL2 arithmetic books.
- We proved lemmas that let ACL2 manipulate the data structures used on the TJVM, including stacks, frames, and states, as ....
R. S. Boyer and J S. Moore. Mechanized Formal Reasoning about Programs and Computing Machines. In R. Veroff (ed.), Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, MIT Press, 1996.
....
2 Formalizing Computing Machines
Consider a simple computing machine whose state is given by a program counter, a control stack of suspended program counters, a memory, a status flag, and a program ROM. How might we formalize such a machine in ACL2? The most commonly used approach is described in [4]. We only sketch the formal model here. The ACL2 script corresponding to the results of this paper is available at http://www.cs.utexas.edu/moore/publications/symsim/script/index.html. We represent the state of the machine as a 5-tuple. The five components of the state are accessed by functions ....
....to help authors codify their strategies. It takes a lot of expertise to develop books. It is not unlike trying to teach a new class. A lot of material must be organized in ways that, when done, seem obvious; but many other, less effective organizations are available and have to be considered. In [4] we describe such a book for sm. We show how to lead ACL2 to a proof of the following theorem about the TIMES program.
(defthm times-correct (implies (and (statep s0) 2 (len (mem s0) equal i (get 0 (mem s0) equal j (get 1 (mem s0) 0 i) equal (current-instruction s0) CALL ....
R. S. Boyer and J S. Moore. Mechanized Formal Reasoning about Programs and Computing Machines. In R. Veroff (ed.), Automated Reasoning and Its Applications: Essays in Honor of Larry Wos, MIT Press, 1996.
R.S. Boyer and J S. Moore. Mechanized Formal Reasoning about Programs and Computing Machines. In Automated Reasoning and Its Applications: Essays in Honor of Larry Wos. MIT Press, 1996.