William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, 1989.
....of the logic, despite recent work on bounded quantification [Boyer and Moore 1988]. The prover has done many proofs in pure mathematics, including Gödel's Incompleteness Theorem. A complete computer system has been verified, both software and hardware, from a compiler down to gate level [Bevier et al. 1989]. 6.2 The Automath languages The Automath project [de Bruijn 1980] has tackled a different problem: that of expressing mathematical concepts formally. First order logic is a rich language for expressing statements, but it includes nothing to make statements about. Defining even the natural numbers ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428.
....about code directly, rather than at a more abstract level, is complexity. Code proofs involve many implementation details that would be ignored when reasoning about a more abstract model. Some work has been done on techniques for solving this problem. One notable project is the CLI short stack [Bevier89, Wilding93]. A family of implementations (an assembler, a compiler, a hardware design, and two applications) are shown to work together and are proved correct using a theorem prover. Yuan Yu demonstrated proofs of 68020 code, many of which were compiled into machine code from higher level languages. ....
W.R. Bevier, W.A. Hunt, Jr., J S. Moore, and W.D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428, 1989
....must hold just at the point of exit, after those updates have occurred. Such a termination test should be avoided: it cannot be regarded as stating a property, making the loop harder to understand. Slide 203: A Trivial Loop Invariant. k := 0; Invariant: elements A[1]..A[k] equal 0; while k < N do begin k := k + 1; (make progress) A[k] := 0 (restore invariant) end. Now k = N, so elements A[1]..A[N] equal 0. This trivial loop initializes array elements to zero. It has an index variable k, and the invariant states that elements A[1]..A[k] are equal to zero. At first we have k = 0, so the assertion A[1]..A[k] equal 0 holds vacuously (no array elements are in ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, 1989.
....[16] but for which only elementary mechanical support is available. The Boyer-Moore system, on the other hand, uses a very limited, raw logic as its specification language, but has a very powerful theorem prover that has been used to undertake several large and complete formal verifications [4]. We consider neither of these extremes to be ideal. A specification language is used for communication and should facilitate clear and straightforward expression using familiar notations. In addition, specifications tend to be large, so that mechanisms for structuring them into modules and ....
....from the laboratory, and are still difficult and time-consuming to use. Although formal verification from top to bottom (e.g. from the requirements on a simple program, through the program, compiler, assembler, and hardware design down to the elementary logic gates) has been demonstrated [4], it must still be considered a tour de force rather than a routine capability. If formal verification is too expensive to apply to all levels and aspects of a design, where should it be used for maximum effectiveness? In my opinion, it makes most sense to use formal techniques in circumstances ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
....done in informal mathematics. Informal mathematics also often mixes mathematical and metamathematical argumentation, and this too is not easily mechanized. The case for mechanized verification is very strong. We now know that it is feasible to verify large systems. Bevier, Hunt, Moore, and Young [1] present a proof of a system consisting of a microprocessor, an assembler for this microprocessor, a compiler for a Pascal-like language with the assembler as its target language, and an operating system kernel. This verification used the Boyer-Moore theorem prover [2]. There are many other ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411-- 428, December 1989.
....to each of these challenges. 5. Formal Verification The goal of verification is to analyze a system model and demonstrate that a complex design has certain required properties. Such verification has been accomplished on a variety of different targets and is similar to our verification approach [WRB89A, WRB89B, RSB96, SPM96, MMW97]. In particular, the use of so-called mechanical theorem provers as digital design tools is an active area of research, particularly with regard to how these tools can be integrated into the fast-changing world of digital design [DSH98]. Our current verification efforts are distinguished from ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young, "An Approach to Systems Verification", Journal of Automated Reasoning v. 5 n. 4, December 1989.
....fields appropriately. Such simulator models can be quite fast when state data structure access is efficient and the next-state function is optimized. This method for architecting simulators is similar to the interpreter style of specification used in many previous formal verification projects [Bevier et al. 1989]. In the interpreter-style specification, a next-state function is defined that accepts as input a data structure representing the current state of the machine and returns an updated machine state. A recursive stepper function repeatedly applies the next-state function to an initial state to ....
Bevier, W. R., Hunt, W. A., Jr., Moore, J. S., and Young, W. D. (1989). An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428.
....are the Boyer-Moore Theorem Prover [5] and the Cambridge HOL System [18, 19]. The Boyer-Moore Theorem Prover has been used by researchers at Computational Logic Inc. to develop a multi-level proof of correctness for a complete computer system including both hardware and software levels [3]. The Cambridge HOL System has been used by researchers at Cambridge University to verify aspects of the commercially available Viper microprocessor designed by the British Ministry of Defense for safety-critical applications [13]. One of the main strengths of the theorem proving approach is its ....
....and accuracy. We conclude that a promising balance of these tradeoffs can be achieved by using theorem proving at higher levels and symbolic trajectory evaluation at lower levels. Also, by integrating these two methods, we open up the possibility of verifying mixed software/hardware systems [3, 22]. We believe that this work represents one of the first successful attempts to develop a hybrid approach to formal hardware verification which is mathematically rigorous to ensure integrity, sufficiently general to be useful for a variety of design methodologies, and practical for achieving ....
W. Bevier, W. Hunt, J Moore, and W. Young, "An Approach to Systems Verification", Journal of Automated Reasoning, Vol. 5, No. 4, November 1989.
....Leading tools include ACL2, HOL, and PVS, and each is increasingly finding application in industrial settings where safety or wide product distribution makes establishing design correctness imperative. Various verification projects have used theorem provers to analyze computer system models [1, 2, 4, 6, 8, 13, 14, 17]. A dramatic recent example of the possibilities of applying formal analysis to computing systems is the ACL2-checked verification of AMD's Athlon (formerly "K7") floating point operations [16]. [Figure residue: formal analysis and fabrication flow, from HLL and HDL device designs via a formal model to the fabricated device.] ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
....the presentation is quite clean, the proof is long and rather complex. On another front, proofs about computers and computer programs have been mechanically checked. Boyer's and Moore's NQTHM prover has been used to prove the correctness of a microprocessor, compilers, and operating systems [3, 4]. The checked theorems often have convoluted proofs, but they have the important advantage that NQTHM-checked theorems are presumed to be very reliable. Theorems about floating point programs appear to be a good domain for mechanical checking as theorems about floating point programs are often not ....
....The floating point system model could actually be implemented. This entails writing a compiler for a portion of the logic that includes floating point operations. The target language of the compiler would probably be Piton [16] so that the resulting code could be run on the verified stack [3]. The appeal of verifying a floating point program down to the level of hardware is very strong. It appears that backward error analysis of floating point programs [18] might benefit from algorithms that automate finding the consistency of sets of inequalities. Such a theorem prover might quickly ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, William D. Young. "An Approach to Systems Verification". Journal of Automated Reasoning 5 (November 1989).
.... the MoD withdrew its support for the chip when doubts were cast as to the correctness and completeness of the proofs [Cohn 1989, Matthews 1991]. [Hunt 1989] reports on the verification of the FM8502 microprocessor using the Boyer-Moore theorem prover [Boyer 1988] as part of a larger project [Bevier 1989] to verify a short stack of system components consisting of a compiler, an assembler, an operating system kernel and the FM8502 itself. Acknowledgements The author would like to thank Geoff Barrett, Geraint Jones, David Shepherd, and the anonymous referees for their helpful comments and advice ....
Bevier, W. R., Hunt, W. A., Jr., Moore, J. S., and Young, W. D., 1989: An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428.
....to aircraft flight control and their influence on the design of PVS are described. Relevant is also an extensive treatment of clock synchronization protocols in PVS by Shankar [Sha92]. A classical example of a hierarchical verification is the CLI short stack, which has been verified using Nqthm [BHMY89]. Most of the literature mentioned above does not give a clear methodology that can easily be used by others. Sometimes the use of a formal framework structures the specification and the verification; see for instance the use of TLA for a treatment of the Byzantine generals problem [LM94] ....
W.R. Bevier, W.A. Hunt, J.S. Moore, and W.D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, 1989.
....would then be a single recursive function. The proof of their equivalence would then require disentangling the mutual recursion, which might be quite difficult. The Boyer-Moore prover has been used in several efforts at hardware verification, particularly by those most familiar with it [137, 17, 16, 25, 24]. Other theorem provers Other implementations of higher order logic that have been used include Veritas [130] and Nuprl [13], which are based on intuitionistic type theory. Another approach to hardware verification based on theorem proving is the use of a prover such as Clio [227], SBL [213] ....
.... SDVS, his state delta verification system [86]. Work related to Hunt's has also been done in the area of totally verified systems where many aspects of system operation, from compilers and operating systems to hardware, are verified within a comprehensive framework, in this case Boyer-Moore [17, 188, 187]. Hunt identified the contribution of his work as having verified two descriptions of a design, one at the gate level. He identified better characterization of clocks, particularly low vs. high level, and better characterization of external devices and separation of the external device ....
William R. Bevier, Warren A. Hunt Jr., J. Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--28, 1989.
....representation for y, the concrete function f implements the abstract function g under the abstraction function A. That is, A(f(x)) = g(A(x)). More elaborate diagrams, for example, that allow sequences of actions rather than single actions generalize this basic idea. The CLInc Stack case study [4] of proving the correctness of the implementation of a small programming language down to the hardware level relies fundamentally on a stack of commuting diagrams. 5.2. The Details I now turn to the nitty gritty of specification: getting the technical details right. Logical Errors Common logical ....
W.R. Bevier, W.A. Hunt, Jr., J S. Moore, and W.D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428, 1989.
.... the C string library and elsewhere targeted to the Motorola 68020 are proved to meet their specifications [5]. Microcode for the Motorola CAP processor is proved to implement several algorithms useful for digital signal processing [6]. Other verifications involve a stack of verified systems [2], an operating system kernel [1], code for simple real-time systems [18] and floating-point microcode [6, 15]. Each of these projects employed the theorem proving system Nqthm [3] or its successor ACL2 [8]. The logics supported by Nqthm and ACL2 are weaker than that supported by PVS: they do not ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
....also been built in order to support formal computer system analysis. Most of these kinds of processor models have been created after the processor is built in order to establish the correctness of the processor design, support symbolic simulation, or to verify software for the processor to execute [2, 3, 6, 10, 8, 15, 16]. Typically, different models are built to support analysis and simulation, as formal models are not often executable, much less high performance. (Footnote: Work conducted while the author was on sabbatical at Rockwell Collins.) We believe that the unification of simulation and analysis models has ....
....to ensure that formal analysis applies to the actual machine. With a unified model we can informally validate the formal model through its use by developers as a simulator. 1.1 Executable Formal Models Various verification projects have used theorem provers to analyze computer system models [2, 3, 5, 6, 15, 16, 8, 22], and the use of theorem provers as digital design tools is an active area of research [12]. What is not as clear is whether the languages about which theorem proving systems reason can also be used to support simulation. Execution must be extremely fast, similar in speed to the models that are ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411-- 428, December 1989.
....layers of hardware and software involved in checking the proof of FLT. The top layer is a simple proof checking program for some specified formal system, coded in some programming language. The bottom layer is a physical machine. Intermediate layers include compiler, linker, operating system, etc. Bevier, Hunt, Moore and Young (1989) show that such a system can be formalised as a stack of abstract machines. Interfaces in this stack are specified, for example, by programming language semantics, operating system definition and hardware definition. Each layer implements its specification in terms of the next layer down, and if each layer is verified then the whole stack is a verified implementation of the top layer specification in terms of the physical model of the machine at the bottom layer. The work of (Bevier et al. 1989) is the limit of current technology, and in current practice, very few of these layers are formally specified, let alone verified. Every (unverified) computer system has bugs, but we have confidence in the behavior of a general purpose computing environment because there are many users testing ....
Bevier, W., Hunt, W., Moore, J. and Young, W. (1989). An approach to systems verification, Journal of Automated Reasoning 5(4): 411--428.
....code of the translation is a nonidealized machine level architecture whose implementation has been verified with respect to a low level of the computer, see for example [17, 27]. The verification of both architectures has even been automatically checked. These examples of systems verification [4] are important: they minimize the amount of distrust one need have to such a verified system. Of course, one can still suspect errors in the implementation of the gate level of the computer, or in the implementation of the theorem prover, but many other sources of errors have been eliminated. The ....
William R. Bevier, Warren A. Hunt, J. Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428, 1989.
....Systems Machine-checked computer system proof has been used to build extremely reliable computer systems. Some examples of these involve compiled routines from the C string library targeted to the Motorola 68020 [5], microcode for the Motorola CAP processor [6], a stack of verified systems [3], verification of the oral messages algorithm [4, 10], code for some simple real-time systems [18], floating-point microcode [6, 15], a verified Piton [13] program [17], floating point hardware [16], a simple scheduler [7] and partial microcode correctness of some Rockwell Collins ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411-- 428, December 1989.
....behavior of compiled Gypsy programs with the same degree of accuracy that one gets by using f(x) to make forecasts about machine language programs. Some specific examples of different models of program behavior and mathematical proofs that one logically follows from another can be found in [Bevier 89a], [Hunt 89], [Moore 89] and [Young 89]. These examples involve three languages: Gypsy, the assembly language Piton, and FM8502 machine language. The FM8502 is a 32-bit microprocessor of complexity comparable to a PDP 11. Gypsy is compiled into Piton, and Piton is compiled into FM8502 machine ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, William D. Young. An Approach to Systems Verification. The Journal of Automated Reasoning 5(4), November, 1989.
....also been built in order to support formal computer system analysis. Most of these kinds of processor models have been created after the processor is built in order to establish the correctness of the processor design, support symbolic simulation, or to verify software for the processor to execute [3, 4, 8, 12, 10, 19, 20, 24], and typically multiple models are built to support analysis and simulation. We believe that the unification of simulation and analysis models has advantages. Most obviously, it is easier to develop and maintain fewer models. An easily overlooked ....
....with this approach and details a portion of an executable model we have developed of a real processor. 1.2 A Theorem Prover that Supports Efficient Execution Various verification projects have used theorem provers to analyze computer system models [3, 4, 7, 8, 19, 20, 10, 24, 25], which suggests that these kinds of models are amenable to formal verification, and the use of theorem provers as digital design tools is an active area of research [15]. What is not as clear is whether the languages about which theorem proving systems reason can also be used to support ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
....in the formal theory and that Boyer has found several inconsistencies in Polak's axioms. 3.4.2 CLI Verified Stack Following Polak's work, Computational Logic Inc. (CLI) undertook a compiler verification [72] as part of their work on a trusted stack of system components. This stack approach [73, 74] to systems verification is meant to prove the entire chain from the correctness of the source code to the correct execution of the microprocessor at register transfer level. All of the stack verification at CLI was performed using the Boyer-Moore theorem prover [38] over definitions of finite ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Technical Report 41, Computational Logic Inc., April 1989.
....The use of Nqthm often uncovers mistakes in hand-constructed proofs. Nqthm provides us the confidence associated with formal proof while shielding us somewhat from the drudgery of writing the complete proof ourselves. Nqthm has been successfully applied in computer systems verification [6]. The requirement imposed by Nqthm to get every detail of a proof exactly correct is very important in computer systems verification as any mistake can be catastrophic. Another reason Nqthm is well suited for modeling of and proof about computer systems is the executable nature of the Lisp-like ....
....interpreter and the data segment calculated by running a compiled Piton program on the FM9001 are equivalent. The interpreter function serves as a precise specification for the expected behavior of a system component. This general approach to system verification has been used on other projects [6, 18]. Interpreter functions can be complex: Piton has 71 instructions and some high level features, and the definition of p in the Nqthm logic requires about 50 pages. The FM9001 [27] is a fairly conventional microprocessor with an instruction set somewhat like that on a PDP 11. Unlike most ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
.... to verify a system that includes a concurrent programming language and compiler, distributed and secure operating system, and reliable network [11, 12, 13]. CLI verified a short stack, a system that includes a microprocessor, compiler, assembler, and linker, using a vertical layer proof method [5]. Their method was also applied to the proof of an operating system kernel [4]. CLI's system, however, was not distributed, and their approach was not intended to handle horizontal composition. An advantage of composing modular specifications is that each module can be specified and proved ....
William R. Bevier, Warren A. Hunt, Jr., J. Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428, 1989.
....on the Piton interpreter and the data segment calculated by running a compiled Piton program on the FM9001 are identical. The interpreter function serves as a precise specification for the expected behavior of a system component. This general approach to system verification is described fully in [2]. Interpreter functions can be complex: Piton has 71 instructions and some high level features, and the definition of P in the Nqthm logic requires about 50 pages. The FM9001 is a fairly conventional microprocessor with an instruction set somewhat like that on a PDP 11 [9]. Unlike most processors ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411-- 428, December 1989.
.... Inc. who used the Boyer-Moore theorem prover to verify that an assembler/linker generates a core image equivalent with the source program [28, 52]. The verified compiler was part of a completely verified system informally known as the CLInc stack, including a compiler and a microprocessor [3]. Similar specification and verification techniques have been used to prove assembly language programs [5]. There are several aspects in which the work surveyed above differs from the work proposed in this document. First, in all these projects except the CLInc stack the verification of ....
Bevier, W. R., Hunt, W. A., Moore, J. S., and Young, W. D. An approach to systems verification. Journal of Automated Reasoning, 5 (1989), 411--428.
....semantics could be supplied to maximize interoperability, e.g. a situation where object code has a known functionality, but the implementation is not known. A number of researchers have used layered architectures to construct verification systems for programming languages and distributed systems [2, 3, 20, 21]. The Silo Project at the University of California Davis has applied a layered architecture to the formal verification of secure distributed systems and applications [20, 21]. Our work advances Silo by employing a primitive process calculus (ROC) for concurrent objects as a foundation for the ....
....underlying models and standards will make seamless and secure interoperability virtually impossible. High assurance security is only achieved through a practical application of formal methods. The Silo Project [20, 21] presents a useful hierarchical verification methodology for distributed systems [2, 3]. The methodology prescribes a semantic layer for each computational substrate, from the hardware level up to the application level. Each layer can be formally specified as an abstract machine defined from the layer beneath it. The dual framework in MOOSE consists of an operational and ....
W. R. Bevier, W. A. Hunt, Jr., J. S. Moore, and W. D. Young. An approach to systems verification. Technical Report 41, Computational Logic Inc., Austin, Texas, USA, 1989.
....9 states or more. Current research is investigating ways to prove properties of infinite state systems by viewing them as finite state systems. System verification involves proving the correctness of subsystems, and of their integration, so that the whole system is proved correct. Bevier et al. [1] describe the proof of a stack of components ranging from a simple high level language to a microprocessor design. The aim is to have a computer system that is entirely free of logical errors, and that can only fail due to environmental conditions. Note that for real-world applications, ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, 1989.
....although the change had little to do with the substance of most of the proofs. We are working toward more robust proofs by relying on automated proof techniques. An important advance in this area is the interpreter style of proofs that has been used in a variety of verification projects, including [1, 3, 4, 13, 16]. This approach involves specifying the semantics of a computer system with an interpreter and deriving symbolic results using automatic reasoning. We have adapted this approach for use in PVS [17] and believe that its usefulness transcends the particularities of different theorem proving systems. ....
William R. Bevier, Warren A. Hunt Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411-- 428, December 1989.
....of distributed programming languages, and for stacking them as layers in distributed systems. There has been much research related to our work. CLI's work on the short stack has shown the feasibility of full sequential computer system verification using a vertical layer proof technique [3]. Joyce's work has provided a HOL-based method to verify a sequential programming language implementation [10]. Windley has developed a method to specify instruction set architectures and a generic interpreter model for verifying microprocessors by layered proof [13, 14]. Curzon's work provides a ....
....result on the existence of a refinement mapping when one system specification implements another, under reasonable assumptions [1]. These works provide us with insights into the specification of semantics and the verification of implementations, using a compositional method. Similar to [3, 5, 10, 13, 14], which provide mechanized methodologies and techniques that work very well for verifying the implementation of sequential languages (or instruction sets) but are not sufficient for distributed language implementation, we focus on the verification of programming language implementation ....
W.R. Bevier, W.A. Hunt, J.S. Moore, and W.D. Young, An approach to systems verification, Journal of Automated Reasoning, 5 (1989) 411--428.
....for modeling distributed objects. Since these layers also inherit ROC's formal foundation, they have unambiguous semantics and support verification. Layered architectures have been used by several researchers to construct verification systems for programming languages and distributed systems [2, 3, 20, 21]. The Silo Project at the University of California Davis has applied a layered architecture to the formal verification of secure distributed systems and applications [20, 21]. This work advances Silo by employing a primitive process calculus (ROC) for concurrent objects as a foundation for the ....
....and providing formal security policy specifications. If the formal semantics of the service satisfies the policy specification, then the system is proven to be secure. The Silo project [20, 21] presents a useful hierarchical verification methodology for distributed systems based on formal methods [2, 3]. The methodology prescribes a semantic layer for each computational substrate, from the hardware level up to the application level. Each layer can be formally specified as an abstract machine defined from the layer beneath it. MOOSE advances the Silo effort by using a process calculus tailored to ....
W. R. Bevier, W. A. Hunt, Jr., J. S. Moore, and W. D. Young. An approach to systems verification. Technical Report 41, Computational Logic Inc., Austin, Texas, 1989.
....for y, the concrete function f implements the abstract function g under the abstraction function A. That is, A(f(x)) = g(A(x)). More elaborate diagrams, for example, that allow sequences of actions rather than single actions generalize this basic idea. The CLInc Stack case study [3] of proving the correctness of the implementation of a small programming language down to the hardware level relies fundamentally on a stack of commuting diagrams. 5.2 The Details I now turn to the nitty gritty of specification: getting the technical details right. Logical Errors Common logical ....
W.R. Bevier, W.A. Hunt, Jr., J S. Moore, and W.D. Young. An approach to systems verification. Journal of Automated Reasoning, 5:411--428, 1989.
....both the safety and utility properties. The requisite lemmas are given in the appendix. 8 Conclusions Nqthm proved to be an excellent tool for modeling and reasoning about this problem. Our specification took a very operational form, a style quite familiar to seasoned Nqthm users (see e.g. [2]) and well supported by the Nqthm prover. We would argue that an operational specification style such as we used is very natural for a control system such as this one where the behavior of the system is determined by a series of sensor readings taken at discrete time intervals and resulting in a ....
W.R. Bevier, W.A. Hunt, Jr., J S. Moore, and W.D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
....machine code. Young [Young 88] verified the correctness of a micro-Gypsy compiler targeted to Piton. A forthcoming special issue of The Journal of Automated Reasoning is devoted to the description of this stack of verified systems components, including the conceptual place of Kit in this stack [Bevier, et al. 89]. There are many formal specification languages other than the Boyer-Moore logic, some of which are supported by mechanical tools. A list of approaches to specification and verification must include Affirm [Gerhart 80], Gypsy [Good, et al. 78], HDM [Robinson Levitt 77], HOL [HOL 87], VDM [Jones ....
W.R. Bevier, W.A. Hunt, J S. Moore, W.D. Young. An Approach to Systems Verification. To appear in The Journal of Automated Reasoning. 1989
.... have been remarkably successful at designing heuristics for automating theorem proving; this is perhaps reflected in the quantitative comparison in Figure 2, and it is certainly reflected in some large proof efforts that have been carried out using that system and PC NQTHM (see for example [2] and the other articles on system verification in that issue of the Journal of Automated Reasoning). It is also reflected in the total times for the proof efforts. The Nuprl effort took about 60 hours for library development and about 20 additional hours to complete the proof. However, much of ....
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. "An Approach to Systems Verification." Journal of Automated Reasoning, November, 1989.
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An Approach to Systems Verification. Journal of Automated Reasoning, 5(4):411--428, December 1989.
William R. Bevier, Warren A. Hunt, Jr., J Strother Moore, and William D. Young. An approach to systems verification. Journal of Automated Reasoning, 5(4):411--428, 1989.
W.R. Bevier, W.A. Hunt, J.S. Moore, and W.D. Young, An approach to systems verification, Journal of Automated Reasoning, 5 (1989) 411--428.