Matt Kaufmann and J Strother Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


This paper is cited in the following contexts:
On Trojan Horses in Compiler Implementations - Goerigk (1999)   (1 citation)  (Correct)

....result in the following theorem, and we hope that the reader can imagine the adjustments necessary to exactly meet the requirements. There will be a formal proof of this theorem for a non-trivial real compiler into the code of an abstract machine in [4] using the Boyer-Moore theorem prover ACL2 [12], although that article will also not contain the entire compiler correctness proof. Theorem 3 (No source level verification will protect us) There exists a provably correct compiler program CSL from SL to TL written in SL, a compiler machine program m o written in TL, a particular SL program L ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Compiler Implementation Verification and Trojan Horses.. - Goerigk, Langmaack (2000)   (1 citation)  (Correct)

.... of compilers and compiler generators for realistic imperative and object oriented programming languages and real world target and host processors which generate efficient code that compares to unverified compilers and which, by help of mechanical proof support, e.g. by PVS [35] or ACL2 [26], are rigorously verified even in real world host machine code. Verifix uses practically and industrially approved compiler construction methods and proof methodology supplements compiler construction, not vice versa. Verifix assumes hardware, i.e. target and host processors, to work ....

....strong compiler test, TL is not necessarily correct. Ken Thompson's Trojan Horse, originally hidden in 0 , might have survived so that we find it both in TL and in TL (and also in 2 ) In [13] we prove this fact mechanically using M. Kaufmann's and J Moore's logic and theorem prover ACL2 [26]. Realistic Low Level Compiler Verification Let us now drop our assumption that 0 is correct. By twofold bootstrapping of SL resp. on machine M 0 we generate an output string s which is supposed to be a string representation of TL . Since 0 and hence 2 might be incorrect, we ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Compiler Implementation Verification and Trojan Horses (Draft) - Goerigk, Langmaack (2000)   (1 citation)  (Correct)

.... of compilers and compiler generators for realistic imperative and object oriented programming languages and real world target and host processors which generate efficient code that compares to unverified compilers and which, by help of mechanical proof support, e.g. by PVS [56] or ACL2 [41], are rigorously verified even in real world host machine code. Verifix uses practically and industrially approved compiler construction methods proof methodology supplements compiler construction, not vice versa. Verifix assumes hardware, i.e. target and host processors, to work ....

....compiler test, TL is not necessarily correct. Ken Thompson's Trojan Horse, originally hidden in 0 , might have survived so that we find it both in TL and in TL (and also in 2 ) In [21, 22] we prove this fact mechanically using M. Kaufmann's and J Moore's logic and theorem prover ACL2 [41]. Ken Thompson's Trojan Horse can be expressed in high level language, even in the clean and abstract Boyer-Moore logic of first order total recursive functions. We need no ugly machine code to construct such a malicious program part. The situation is even more delicate if we consider preceding or ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Will Informatics be able to Justify the Construction of.. - Goerigk, Langmaack (2001)   (1 citation)  (Correct)

.... methods for constructing correct compilers and compiler generators for realistic, industrially applicable imperative and object oriented source programming languages and real world target and host processors which, by help of mechanical proof support (e.g. by PVS [ORS92] or ACL2 [KM94] and by exploiting the idea of a posteriori result checking are rigorously verified as executable host machine programs and which nevertheless generate efficient code that compares to unverified compilers. Verifix uses practically and industrially approved compiler construction methods and ....

....test, TL is not necessarily correct. Ken Thompson's Trojan Horse, originally hidden in 0 , might have survived so that we find it both in TL and in TL (and also in 2 ) In [Goe00a, Goe00b] we prove this fact mechanically using M. Kaufmann's and J Moore's logic and theorem prover ACL2 [KM94] Ken Thompson's Trojan Horse can be expressed in high level language, even in the clean and abstract Boyer-Moore logic of first order total recursive functions. We need no ugly machine code to construct such a malicious program part. The situation is even more delicate if we consider preceding ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Mechanical Software Verification: High Level Control Aspects from .. - Goerigk (2001)   (Correct)

....the proposed modularization in source level and compiler correctness. For that we use two examples which fit together. In section 2 we sketch an industrial project on the verification of a safety critical expert system. Its correctness proof has actually been checked by the ACL2 theorem prover [24]. Safety can be proved by a technique which we call (verified) runtime result verification [13] In section 3 we informally collect requirements for realistic correct compilation. Section 4 will yield a mathematical framework which enables us to precisely define compiler correctness by ....

....give us true propositions about individually tested single elements. 5. Finally, we check that indeed every circuit element is individually tested. If not, the checker aborts. The checker is written in the subset of applicative Common Lisp supported by the Boyer-Moore theorem prover ACL2 [24]. More details on the checker and on the correctness proof can be found in [3, 2] The crucial part (step 4) can be seen as a problem specific tautology or model checking [7, 23] Successful hardware-in-the-loop test according to the generated set T of measurements will guarantee a circuit ....

[Article contains additional citation context not shown here]

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Proving Preservation of Partial Correctness with ACL2: A.. - Goerigk (2000)   (2 citations)  (Correct)

....[GDG 96, MO97, GH98b, Goe00a] cf. section 2) This paper is to formally and mechanically prove preservation of partial correctness for a compiler from a subset SL of ACL2 to the machine code TL of an abstract machine. We use M. Kaufmann's and J Moore's ACL2 logic and theorem prover [KM94] to formalize the SL semantics (section 3) and the abstract stack machine (section 4) And we mechanically prove a Lisp (SL) compiler (section 5) to preserve partial correctness (L simulation [Eng97] section 6) 2 Compiler Correctness for Transformational Programs Before we actually start ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


A Tool to Support Formal Reasoning about Computer Languages - Boulton (1997)   (2 citations)  (Correct)

....The idea is to perform the environment manipulations, etc. directly in ML, while the basic values being manipulated are logical terms. This approach should produce a fast evaluator that also allows some symbolic entities. Kaufmann and Moore take a different approach in the ACL2 theorem prover [15]; their logic is an applicative sublanguage of Common Lisp, so their terms are inherently executable. The drawback is that this language lacks the expressive power of higher order logic. The ML functions to evaluate the semantic definitions in the logic are functions that map a logical term to an ....

M. Kaufmann and J S. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., 1717 West Sixth St., Suite 290, Austin, Texas 78703-4776, USA, August 1994.


Rigorous Compiler Implementation Correctness: How to Prove.. - Goerigk, Hoffmann (1997)   (1 citation)  (Correct)

....had been necessary. The subset ComLisp of Common Lisp has carefully been selected as a bootstrapping kernel, as both source and implementation language. Additionally, its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer-Moore prover ACL2 [17]. This links mechanical program verification to the work described here [5] and allows for proving the (partial) correctness of the real thing. For the initial implementation correctness proof we use a very specialized technique in a very particular situation. This technique is not intended to be ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


A Tool to Support Formal Reasoning about Computer Languages - Boulton (1996)   (2 citations)  (Correct)

.... describes the necessary translation between terms and ML programs, and the current author has described a theorem proving framework in which the use of a hybrid evaluator can be mixed with normal logical inferences [Bou94] Kaufmann and Moore take a different approach in the ACL2 theorem prover [KM94] their logic is an applicative sublanguage of Common Lisp, so their terms are inherently executable. The drawback is that this language lacks the expressive power of higher order logic. The ML functions to evaluate the semantic definitions in the logic are functions that map a logical term ....

M. Kaufmann and J S. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., 1717 West Sixth St., Suite 290, Austin, Texas 78703-4776, USA, August 1994.


Towards Rigorous Compiler Implementation Verification - Goerigk, Simon (1998)   (4 citations)  (Correct)

....correct compiler executable. The subset ComLisp of Common Lisp has carefully been selected as a bootstrapping kernel, as both source and implementation language. Its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer-Moore prover ACL2 [16, 21]. This links mechanical program correctness proofs to the work described here [3, 6] allowing for partial correctness proofs of executable programs. We have implemented the ComLisp compiler as a ComLisp program. The complete compiler has been bootstrapped successfully as executable machine ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Towards Rigorous Compiler Implementation Verification - Goerigk (1997)   (4 citations)  (Correct)

....correct compiler executable. The subset ComLisp of Common Lisp has carefully been selected as a bootstrapping kernel, as both source and implementation language. Its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer-Moore prover ACL2 [16, 19]. This links mechanical program correctness proofs to the work described here [5] allowing for partial correctness proofs of executable programs. We have implemented the ComLisp compiler as a ComLisp program. The complete compiler has been bootstrapped successfully as executable machine program ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


The Specification-Based Testing of a Trusted Kernel: MK++ - Ford, Simon, Bevier, Smith (1997)   (Correct)

....Ideally, there would be tools that allow the engineer to start with an abstract system model and then apply successive refinements in a way that allows the automatic insertion of abstract event announcements into the final code. Although our Maribila language is formally defined (using the ACL2 [18] theorem proving system) our project did not develop the proof techniques for proving properties of Maribila programs. With the recent popularity of Java(TM), efforts are being made to provide it with a formal definition (e.g. see [8] and it is to be expected that techniques for proving Java ....

M. Kaufmann and J. S. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Comparing Verification Systems: Interactive Consistency in ACL2 - Young (1997)   (12 citations)  (Correct)

....[12] that the features of EHDM and PVS highlighted by these efforts are either necessary or highly desirable in a modern specification and proof system. It is that implied suggestion that we question. We have duplicated Rushby's formalization and proof of the Oral Messages algorithm using ACL2 [7, 11], the successor to Nqthm. The formalization of the algorithm in ACL2, the statement of its correctness properties and their proof are very similar to Rushby's. We make the argument that the advantages of Rushby's version over the earlier Bevier-Young proof are due much more to cleverness in the ....

M. Kaufmann and J S. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Towards Rigorous Compiler Implementation Verification - Goerigk, Simon (1997)   (4 citations)  (Correct)

....correct compiler executable. The subset ComLisp of Common Lisp has carefully been selected as a bootstrapping kernel, as both source and implementation language. Its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer-Moore prover ACL2 [15, 18]. This links mechanical program correctness proofs to the work described here [4] allowing for partial correctness proofs of executable programs. We have implemented the ComLisp compiler as a ComLisp program. The complete compiler has been bootstrapped successfully as executable machine program on ....

M. Kaufmann and J S. Moore. Design Goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Domain Checking Z Specifications - Mark Saaltink (1997)   (1 citation)  (Correct)

....are done in classical logic, where the connectives are commutative (and indeed have all their familiar properties) To our knowledge, no other tool for Z has adopted a similar approach to undefinedness. Other theorem provers and formal methods tools have analogous mechanisms. The ACL2 prover [10] (for a subset of Common Lisp) uses a notion of guards, although. The PVS system [12] uses an undecidable type system, with all functions total over their types. The type checker generates type correctness conditions that appear to be similar to guards. However, we have not explored the ....

Matt Kaufmann and J Strother Moore. Design goals for ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Toward an Operational Semantics of PROMELA in ACL2 - Bevier (1997)   (2 citations)  (Correct)

....of PROMELA is most completely and accurately defined by the C implementation of SPIN. It would be preferable to have a formal definition of PROMELA semantics independent of this implementation. This report describes an operational semantic definition for most of PROMELA in the logic of ACL2 [KM94]. It should be considered a preliminary version, which can be refined in response to public scrutiny. Natarajan and Holzmann have described an operational semantics for a smaller subset of PROMELA. Their semantics is based on labeled transition systems [NH96] The semantic definition presented ....

M.J. Kaufmann and J S. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


An Executable Model of the Synergy File System - William Bevier Richard   (Correct)

No context found.

Matt Kaufmann and J Strother Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Combining Programming Languages and Logical Reasoning Systems.. - Sheard   (Correct)

No context found.

M. Kaufmann and J. Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Square Roots in ACL2: A Study in Sonata Form - Gamboa (1996)   (1 citation)  (Correct)

No context found.

Matt Kaufmann and J Strother Moore. Design goals for ACL2. Technical Report 101, Computational Logic, Inc., 1994.


Defthms About Zip and Tie: Reasoning About Powerlists in ACL2 - Gamboa (1997)   (5 citations)  (Correct)

No context found.

Matt Kaufmann and J Strother Moore. Design goals for ACL2. Technical Report 101, Computational Logic, Inc., 1994.


Guide to The dJVM Model - Version 0.5 Alpha - Cohen (1997)   (Correct)

No context found.

Matt Kaufmann and J Strother Moore. Design goals of ACL2. Technical Report 101, Computational Logic, Inc., August 1994.


Mechanically Verifying the Correctness of the Fast Fourier.. - Gamboa (1998)   (1 citation)  (Correct)

No context found.

Kaufmann, M., Moore J: Design goals for ACL2. Computational Logic, Inc. Tech. Rep. 101. (1994)


Mechanically Verifying the Correctness of the Fast Fourier.. - Ruben Gamboa (1998)   (1 citation)  (Correct)

No context found.

Kaufmann, M., Moore J: Design goals for ACL2. Computational Logic, Inc. Tech. Rep. 101. (1994)


Square Roots in ACL2: A Study in Sonata Form - Ruben Gamboa (1996)   (1 citation)  (Correct)

No context found.

Matt Kaufmann and J Strother Moore. Design goals for ACL2. Technical Report 101, Computational Logic, Inc., 1994.


CiteSeer.IST - Copyright Penn State and NEC