From Verified Specifications to Verifiable Software∗

Declarative specifications of digital systems often contain parts that can be automatically translated into executable code. Automated code generation, as opposed to manual code writing, eliminates a potential source of errors when a prototype implementation of these models is required. Furthermore, code generation allows for better integration of formal methods into the software development process. However, for this approach to be effective, the generated code should be, ideally, as efficient as code that a normal programmer would write, and, more importantly, verifiable. We present a prototype code generator for the Prototype Verification System (PVS) that translates a subset of PVS functional specifications into an intermediate language and subsequently to multiple target languages. The generated code can be subjected to software verification tools such as verification condition generators, static analyzers, and software model-checkers, to increase the confidence that the generated code is correct. We illustrate this approach with the generation of verifiable Java code from the PVS specification of a verified distributed communication protocol.