We present a semantics of a significant fragment of the C programming language as described by the C11 standard. It consists of a small step semantics of a core language, which uses a structured memory model to capture subtleties of C11, such as strict-aliasing restrictions related to unions, that have not yet been addressed by others. The semantics of actual C programs is defined by translation into this core language. We have an explicit type system for the core language, and prove type preservation and progress, as well as type correctness of the translation. Due to unspecified order of evaluation, our operational semantics is non-deterministic. To explore all defined and undefined behaviors, we present an executable semantics that computes a stream of finite sets of reachable states. It is proved sound and complete with respect to the operational semantics. Both the translation into the core language and the executable semantics are defined as Coq programs. Extraction to OCaml is used to obtain a C interpreter to run and test the semantics on actual C programs. All proofs are fully formalized in Coq.
{"title":"A Typed C11 Semantics for Interactive Theorem Proving","authors":"R. Krebbers, F. Wiedijk","doi":"10.1145/2676724.2693571","DOIUrl":"https://doi.org/10.1145/2676724.2693571","url":null,"abstract":"We present a semantics of a significant fragment of the C programming language as described by the C11 standard. It consists of a small step semantics of a core language, which uses a structured memory model to capture subtleties of C11, such as strict-aliasing restrictions related to unions, that have not yet been addressed by others. The semantics of actual C programs is defined by translation into this core language. We have an explicit type system for the core language, and prove type preservation and progress, as well as type correctness of the translation. Due to unspecified order of evaluation, our operational semantics is non-deterministic. To explore all defined and undefined behaviors, we present an executable semantics that computes a stream of finite sets of reachable states. It is proved sound and complete with respect to the operational semantics. Both the translation into the core language and the executable semantics are defined as Coq programs. Extraction to OCaml is used to obtain a C interpreter to run and test the semantics on actual C programs. All proofs are fully formalized in Coq.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130879168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We introduce recording completion, a variant of Knuth-Bendix completion which facilitates the construction of certificates for various equational logic proofs (completion proofs, entailment proofs and dis-proofs). The approach generalizes to more powerful variants of completion such as ordered completion and AC completion. We implemented recording completion in the tools KBCV and MKBTT. Both tools allow to choose among different formats of proof certificates, namely conversions, proof trees, and conversions with history. We report on experimental results in which all generated certificates have been verified by the trustable checker CeTA.
{"title":"Recording Completion for Certificates in Equational Reasoning","authors":"Thomas Sternagel, S. Winkler, Harald Zankl","doi":"10.1145/2676724.2693171","DOIUrl":"https://doi.org/10.1145/2676724.2693171","url":null,"abstract":"We introduce recording completion, a variant of Knuth-Bendix completion which facilitates the construction of certificates for various equational logic proofs (completion proofs, entailment proofs and dis-proofs). The approach generalizes to more powerful variants of completion such as ordered completion and AC completion. We implemented recording completion in the tools KBCV and MKBTT. Both tools allow to choose among different formats of proof certificates, namely conversions, proof trees, and conversions with history. We report on experimental results in which all generated certificates have been verified by the trustable checker CeTA.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"74 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115027113","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This abstract introduces the C11 weak memory model, summarises known verification results, and discusses some open problems.
摘要介绍了C11弱内存模型,总结了已知的验证结果,并讨论了一些有待解决的问题。
{"title":"Formal Reasoning about the C11 Weak Memory Model","authors":"Viktor Vafeiadis","doi":"10.1145/2676724.2693181","DOIUrl":"https://doi.org/10.1145/2676724.2693181","url":null,"abstract":"This abstract introduces the C11 weak memory model, summarises known verification results, and discusses some open problems.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132680208","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Overloaded constant definitions are an important feature of the proof assistant Isabelle because they allow us to provide Haskell-like type classes to our users. There has been an ongoing question as to under which conditions we can practically guarantee that overloading is a safe theory extension, i.e., preserves consistency or is conservative. The natural condition is that a rewriting system generated by overloaded definitions must always terminate. The current system imposes restrictions on accepted overloaded definitions and decides the termination by an algorithm that is part of the trusted code base of Isabelle. Therefore we aim to prove its correctness. Thanks to our work we discovered not only completeness shortcomings but also a correctness issue---we could prove False. In our paper we present a modified version of the algorithm together with a proof of completeness and correctness of it. Although our work deals with Isabelle, our paper provides a more general result: how to practically implement overloading in proof assistants.
{"title":"Correctness of Isabelle's Cyclicity Checker: Implementability of Overloading in Proof Assistants","authors":"Ondrej Kuncar","doi":"10.1145/2676724.2693175","DOIUrl":"https://doi.org/10.1145/2676724.2693175","url":null,"abstract":"Overloaded constant definitions are an important feature of the proof assistant Isabelle because they allow us to provide Haskell-like type classes to our users. There has been an ongoing question as to under which conditions we can practically guarantee that overloading is a safe theory extension, i.e., preserves consistency or is conservative. The natural condition is that a rewriting system generated by overloaded definitions must always terminate. The current system imposes restrictions on accepted overloaded definitions and decides the termination by an algorithm that is part of the trusted code base of Isabelle. Therefore we aim to prove its correctness. Thanks to our work we discovered not only completeness shortcomings but also a correctness issue---we could prove False. In our paper we present a modified version of the algorithm together with a proof of completeness and correctness of it. Although our work deals with Isabelle, our paper provides a more general result: how to practically implement overloading in proof assistants.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132150360","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Blum's speedup theorem is a major theorem in computational complexity, showing the existence of computable functions for which no optimal program can exist: for any speedup function r there exists a function fr such that for any program computing fr we can find an alternative program computing it with the desired speedup r. The main corollary is that algorithmic problems do not have, in general, a inherent complexity. Traditional proofs of the speedup theorem make an essential use of Kleene's fix point theorem to close a suitable diagonal argument. As a consequence, very little is known about its validity in subrecursive settings, where there is no universal machine, and no fixpoints. In this article we discuss an alternative, formal proof of the speedup theorem that allows us to spare the invocation of the fix point theorem and sheds more light on the actual complexity of the function fr.
{"title":"The Speedup Theorem in a Primitive Recursive Framework","authors":"A. Asperti","doi":"10.1145/2676724.2693178","DOIUrl":"https://doi.org/10.1145/2676724.2693178","url":null,"abstract":"Blum's speedup theorem is a major theorem in computational complexity, showing the existence of computable functions for which no optimal program can exist: for any speedup function r there exists a function fr such that for any program computing fr we can find an alternative program computing it with the desired speedup r. The main corollary is that algorithmic problems do not have, in general, a inherent complexity. Traditional proofs of the speedup theorem make an essential use of Kleene's fix point theorem to close a suitable diagonal argument. As a consequence, very little is known about its validity in subrecursive settings, where there is no universal machine, and no fixpoints. In this article we discuss an alternative, formal proof of the speedup theorem that allows us to spare the invocation of the fix point theorem and sheds more light on the actual complexity of the function fr.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128738683","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Sturm sequences are a method for computing the number of real roots of a univariate real polynomial inside a given interval efficiently. In this paper, this fact and a number of methods to construct Sturm sequences efficiently have been formalised with the interactive theorem prover Isabelle/HOL. Building upon this, an Isabelle/HOL proof method was then implemented to prove interesting statements about the number of real roots of a univariate real polynomial and related properties such as non-negativity and monotonicity.
{"title":"A Decision Procedure for Univariate Real Polynomials in Isabelle/HOL","authors":"Manuel Eberl","doi":"10.1145/2676724.2693166","DOIUrl":"https://doi.org/10.1145/2676724.2693166","url":null,"abstract":"Sturm sequences are a method for computing the number of real roots of a univariate real polynomial inside a given interval efficiently. In this paper, this fact and a number of methods to construct Sturm sequences efficiently have been formalised with the interactive theorem prover Isabelle/HOL. Building upon this, an Isabelle/HOL proof method was then implemented to prove interesting statements about the number of real roots of a univariate real polynomial and related properties such as non-negativity and monotonicity.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"81 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122171497","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Program slicing is a well-known program transformation which simplifies a program wrt a given criterion while preserving its semantics. Since the seminal paper published by Weiser in 1981, program slicing is still widely used in various application domains. State of the art program slicers operate over program dependence graphs (PDG), a sophisticated data structure combining data and control dependences. In this paper, we follow the a posteriori validation approach to formally verify (in Coq) a general program slicer. Our validator for program slicing is efficient and validates the results of a run of an unverified program slicer. Program slicing is interesting for a posteriori validation because the correctness proof of program slicing requires to compute new supplementary information from the PDG, thus decoupling the slicing algorithm from its proof. Our semantics-preserving program slicer is integrated into the CompCert formally verified compiler. It operates over an intermediate language of the compiler having the same expressiveness as C. Our experiments show that our formally verified validator scales on large realistic programs.
{"title":"Verified Validation of Program Slicing","authors":"Sandrine Blazy, A. Maroneze, David Pichardie","doi":"10.1145/2676724.2693169","DOIUrl":"https://doi.org/10.1145/2676724.2693169","url":null,"abstract":"Program slicing is a well-known program transformation which simplifies a program wrt a given criterion while preserving its semantics. Since the seminal paper published by Weiser in 1981, program slicing is still widely used in various application domains. State of the art program slicers operate over program dependence graphs (PDG), a sophisticated data structure combining data and control dependences. In this paper, we follow the a posteriori validation approach to formally verify (in Coq) a general program slicer. Our validator for program slicing is efficient and validates the results of a run of an unverified program slicer. Program slicing is interesting for a posteriori validation because the correctness proof of program slicing requires to compute new supplementary information from the PDG, thus decoupling the slicing algorithm from its proof. Our semantics-preserving program slicer is integrated into the CompCert formally verified compiler. It operates over an intermediate language of the compiler having the same expressiveness as C. Our experiments show that our formally verified validator scales on large realistic programs.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"82 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116311557","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
T. Ramananandro, Zhong Shao, Shu-Chun Weng, Jérémie Koenig, Yuchen Fu
Recent ground-breaking efforts such as CompCert have made a convincing case that mechanized verification of the compiler correctness for realistic C programs is both viable and practical. Unfortunately, existing verified compilers can only handle whole programs---this severely limits their applicability and prevents the linking of verified C programs with verified external libraries. In this paper, we present a novel compositional semantics for reasoning about open modules and for supporting verified separate compilation and linking. More specifically, we replace external function calls with explicit events in the behavioral semantics. We then develop a verified linking operator that makes lazy substitutions on (potentially reacting) behaviors by replacing each external function call event with a behavior simulating the requested function. Finally, we show how our new semantics can be applied to build a refinement infrastructure that supports both vertical composition and horizontal composition.
{"title":"A Compositional Semantics for Verified Separate Compilation and Linking","authors":"T. Ramananandro, Zhong Shao, Shu-Chun Weng, Jérémie Koenig, Yuchen Fu","doi":"10.1145/2676724.2693167","DOIUrl":"https://doi.org/10.1145/2676724.2693167","url":null,"abstract":"Recent ground-breaking efforts such as CompCert have made a convincing case that mechanized verification of the compiler correctness for realistic C programs is both viable and practical. Unfortunately, existing verified compilers can only handle whole programs---this severely limits their applicability and prevents the linking of verified C programs with verified external libraries. In this paper, we present a novel compositional semantics for reasoning about open modules and for supporting verified separate compilation and linking. More specifically, we replace external function calls with explicit events in the behavioral semantics. We then develop a verified linking operator that makes lazy substitutions on (potentially reacting) behaviors by replacing each external function call event with a behavior simulating the requested function. Finally, we show how our new semantics can be applied to build a refinement infrastructure that supports both vertical composition and horizontal composition.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"30 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126779286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
This paper describes an investigation into developing certified abstract interpreters from big-step semantics using the Coq proof assistant. We base our approach on Schmidt's abstract interpretation principles for natural semantics, and use a pretty-big-step (PBS) semantics, a semantic format proposed by Charguéraud. We propose a systematic representation of the PBS format and implement it in Coq. We then show how the semantic rules can be abstracted in a methodical fashion, independently of the chosen abstract domain, to produce a set of abstract inference rules that specify an abstract interpreter. We prove the correctness of the abstract interpreter in Coq once and for all, under the assumption that abstract operations faithfully respect the concrete ones. We finally show how to define correct-by-construction analyses: their correction amounts to proving they belong to the abstract semantics.
{"title":"Certified Abstract Interpretation with Pretty-Big-Step Semantics","authors":"Martin Bodin, T. Jensen, Alan Schmitt","doi":"10.1145/2676724.2693174","DOIUrl":"https://doi.org/10.1145/2676724.2693174","url":null,"abstract":"This paper describes an investigation into developing certified abstract interpreters from big-step semantics using the Coq proof assistant. We base our approach on Schmidt's abstract interpretation principles for natural semantics, and use a pretty-big-step (PBS) semantics, a semantic format proposed by Charguéraud. We propose a systematic representation of the PBS format and implement it in Coq. We then show how the semantic rules can be abstracted in a methodical fashion, independently of the chosen abstract domain, to produce a set of abstract inference rules that specify an abstract interpreter. We prove the correctness of the abstract interpreter in Coq once and for all, under the assumption that abstract operations faithfully respect the concrete ones. We finally show how to define correct-by-construction analyses: their correction amounts to proving they belong to the abstract semantics.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"35 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122126041","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
To perform rigorous numerical computations, one can use a generalization of interval arithmetic, namely affine arithmetic (AA), which works with zonotopes instead of intervals. Zonotopes are also widely used for reachability analysis of continuous or hybrid systems, where an important operation is the geometric intersection of zonotopes with hyperplanes. We have implemented a functional algorithm to compute the zonotope/hyperplane intersection and verified it in Isabelle/HOL. The algorithm is similar to convex hull computations, our verification is therefore inspired by Knuth's axioms for an orientation predicate of points in the plane, which have been successfully used to verify convex hull algorithms. The interesting fact is that we combine a mixture of different fields: a discrete geometrical algorithm to perform operations on the continuous sets represented by zonotopes.
{"title":"A Verified Algorithm for Geometric Zonotope/Hyperplane Intersection","authors":"Fabian Immler","doi":"10.1145/2676724.2693164","DOIUrl":"https://doi.org/10.1145/2676724.2693164","url":null,"abstract":"To perform rigorous numerical computations, one can use a generalization of interval arithmetic, namely affine arithmetic (AA), which works with zonotopes instead of intervals. Zonotopes are also widely used for reachability analysis of continuous or hybrid systems, where an important operation is the geometric intersection of zonotopes with hyperplanes. We have implemented a functional algorithm to compute the zonotope/hyperplane intersection and verified it in Isabelle/HOL. The algorithm is similar to convex hull computations, our verification is therefore inspired by Knuth's axioms for an orientation predicate of points in the plane, which have been successfully used to verify convex hull algorithms. The interesting fact is that we combine a mixture of different fields: a discrete geometrical algorithm to perform operations on the continuous sets represented by zonotopes.","PeriodicalId":187702,"journal":{"name":"Proceedings of the 2015 Conference on Certified Programs and Proofs","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132611735","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: