An Architecture for Verified

Authors

  • Thilo Gaul
  • Gerhard Goos
  • Andreas Heberle
  • Wolf Zimmermann
  • Wolfgang Goerigk
Abstract

[Figure 3. Implementation architecture: components labelled term rewriting, graph rewriting, traversal techniques, and prefabricated parts generated from specifications]

4.3 An Initial Correct Compiler

The discussion in the previous subsection relies on the availability of a correct compiler for the implementation language. This problem must be dealt with in order to continue. The aim of this subsection is to provide a technique for the construction of an initial correct compiler C that compiles a high-level language S into a machine language T. Suppose C is running on a machine with machine language M. It would seem that the implementation of the compiler in language M must be considered for the verification. However, the same arguments on the verification of machine programs as in the previous subsection apply here as well. Therefore, we want to avoid this kind of verification. The basic idea is to implement C in the source language S, choose the target language M, and verify the correctness of C written in S using the first approach discussed in the previous subsection. Then a bootstrapping technique is needed to construct a compiler which compiles S to M, such that the correctness of this compiler is ensured. For the further discussion, C_S denotes the verified compiler written in S, and C_M denotes the verified compiler written in M. The bootstrapping is based on the following observation: an unverified compiler from S to M can be used to compile C_S into a machine language program C'_M. It is only necessary to check whether this compilation was correct. If the check proves successful, then C'_M is correct. However, the check has to be performed manually, because every tool used for the check must be verified as well. A clever choice of intermediate representations modularizes this manual check into smaller parts and, even more important, separates crucial compilation steps from each other. This makes every single checking proof step easier. [8] looks at this bootstrapping approach in more detail.

5 Conclusions

In existing approaches to compiler verification, the specification and its correctness proof determine the implementation. The translation of language constructs is specified and verified without considering the commonly accepted subtasks of compiler construction. This makes the implementation and the correctness proof unnecessarily difficult. Realistic compiler construction for practical programming languages requires an architecture where specification and verification tasks are integrated into the well-known traditional construction process. It closes the gap between the verifier and the software engineer and shows that realistic compiler construction with traditional techniques can be related to verification tasks.

The integration of verification processes fits the traditional construction process of a compiler. Though there are language-specific parts which must be verified for each programming language, the classification of specification tasks shows that a lot of work in compiler verification must be performed only once. Additionally, we identified components which can be used in their unverified form, because their results can be checked for correctness algorithmically. Furthermore, we showed that the use of compiler construction tools, like generators, simplifies implementation and implementation verification tasks. In particular, our vision is that language-dependent specifications can be implemented by generators, while all other implementations only need to be verified once.

The architecture does not explicitly contain verification components because we concentrate on compiler architecture. Nevertheless, the quality of verification techniques is crucial for the successful construction of correct compilers. In general, mechanical proof support is necessary. But the instantiation of the framework decides which methods are adequate.
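The idea, from Section 4.3 and the conclusions above, of using a component in unverified form because its result can be checked algorithmically, shown here as an added example that is not code from the paper or the Verifix project: an unverified compiler from a toy expression language S to a toy stack machine M, and an independent checker that decompiles each result and compares it with the source, so that only the checker needs to be verified. The languages S and M, all function names, and the defect in the second compiler are constructed for this illustration.

```python
from typing import Union
# Constructed toy languages (assumptions, not the paper's IS/ComLisp):
# S: an int, or a tuple (op, lhs, rhs) with op in '+', '-', '*'
# M: a list of stack-machine instructions ('PUSH', n), ('ADD',), ('SUB',), ('MUL',)
Expr = Union[int, tuple]
OPS = {'+': 'ADD', '-': 'SUB', '*': 'MUL'}

def compile_expr(e: Expr) -> list:
    """Unverified compiler S -> M; the checker below never trusts it."""
    if isinstance(e, int):
        return [('PUSH', e)]
    op, lhs, rhs = e
    return compile_expr(lhs) + compile_expr(rhs) + [(OPS[op],)]

def buggy_compile_expr(e: Expr) -> list:
    """Same compiler with a constructed defect: operands of '-' are swapped."""
    if isinstance(e, int):
        return [('PUSH', e)]
    op, lhs, rhs = e
    code = buggy_compile_expr(lhs) + buggy_compile_expr(rhs)
    if op == '-':
        code = buggy_compile_expr(rhs) + buggy_compile_expr(lhs)
    return code + [(OPS[op],)]

def decompile(code: list) -> Expr:
    """Run M code symbolically, with S expressions instead of numbers on the
    stack; exactly one expression must remain, else the code is malformed."""
    inv = {v: k for k, v in OPS.items()}
    stack: list = []
    for instr in code:
        if instr[0] == 'PUSH':
            stack.append(instr[1])
        elif instr[0] in inv:
            if len(stack) < 2:
                raise ValueError('stack underflow')
            rhs, lhs = stack.pop(), stack.pop()
            stack.append((inv[instr[0]], lhs, rhs))
        else:
            raise ValueError('unknown instruction %r' % (instr,))
    if len(stack) != 1:
        raise ValueError('%d values left on stack' % len(stack))
    return stack[0]

def check_compilation(src: Expr, code: list) -> bool:
    """Accept the compiler's output only if decompiling it gives back the
    source; this checker, not the compiler, is the component to verify."""
    try:
        return decompile(code) == src
    except ValueError:
        return False
```

The check is per compilation result, so a defect that only affects some inputs (here, subtraction) is caught exactly on the programs where it matters, while unaffected outputs are still accepted.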
The discussion of the verification details is beyond the subject of this paper. The interested reader is referred to [7] or [17].

This research is part of the Verifix project on "Verified Compilers", jointly performed at the Universities of Karlsruhe, Kiel and Ulm and partially supported by the Deutsche Forschungsgemeinschaft (DFG). The overall goal of this project is the development of general techniques for the realistic construction of verified compilers. To validate our principal approach, we translate a subset of C (IS) with procedures, functions, and value types as well as reference types to DecAlpha code, and a subset of CommonLisp (ComLisp) to Transputer code. The semantics of the languages are described operationally and denotationally, respectively. The compiling verification for IS to DecAlpha has already been performed. For the compilation of ComLisp to Transputer code, the compiler implementation verification exists. Some techniques for mechanical proof support using PVS [13] exist.

We thank all members of the Verifix team for their contributions which led to this conceptualization of compiler verification.

References

1. Egon Börger, Igor Durdanovic, and Dean Rosenzweig. Occam: Specification and Compiler Correctness. Part I: The Primary Model. In U. Montanari and E.-R. Olderog, editors, Proc. Procomet'94 (IFIP TC2 Working Conference on Programming Concepts, Methods and Calculi). North-Holland, 1994.
2. E. Börger and D. Rosenzweig. The WAM-definition and Compiler Correctness. Technical Report TR-14/92, Dip. di Informatica, Univ. Pisa, Italy, 1992.
3. D. F. Brown, H. Moura, and D. A. Watt. Actress: an action semantics directed compiler generator. In Compiler Compilers 92, volume 641 of Lecture Notes in Computer Science, 1992.
4. M. Broy. Experiences with software specification and verification using LP, the Larch proof assistant. Technical report, Digital Systems Research Center, 1992.
5. B. Buth, K.-H. Buth, M. Fränzle, B. v. Karger, Y. Lakhneche, H. Langmaack, and M. Müller-Olm. Provably correct compiler development and implementation. In U. Kastens and P. Pfahler, editors, Compiler Construction, volume 641 of Lecture Notes in Computer Science. Springer-Verlag, 1992.
6. Bettina Buth and Markus Müller-Olm. Provably Correct Compiler Implementation. In Tutorial Material, Formal Methods Europe '93, pages 451-465, Denmark, April 1993. IFAD Odense Teknikum.
7. A. Dold. Representing, Verifying and Applying Software Development Steps using the PVS System. In V.S. Alagar and M. Nivat, editors, Proceedings of the Fourth International Conference on Algebraic Methodology and Software Technology, AMAST'95, Montreal, volume 936 of LNCS. Springer-Verlag, 1995.
8. Wolfgang Goerigk, Axel Dold, Thilo Gaul, Gerhard Goos, Andreas Heberle, Friedrich W. von Henke, Ulrich Hoffmann, Hans Langmaack, Holger Pfeifer, Harald Ruess, and Wolf Zimmermann. Compiler Correctness and Implementation Verification: The Verifix Approach. In CC '96 Int. Conf. on Compiler Construction (poster session), Linköping, Sweden, 1996.
9. C.A.R. Hoare, He Jifeng, and A. Sampaio. Normal Form Approach to Compiler Design. Acta Informatica, 30:701-739, 1993.
10. P. Lee. Realistic Compiler Generation. MIT Press, 1989.
11. J. McCarthy and J.A. Painter. Correctness of a compiler for arithmetical expressions. In J.T. Schwartz, editor, Proceedings of a Symposium in Applied Mathematics, 19, Mathematical Aspects of Computer Science. American Mathematical Society, 1967.
12. P. D. Mosses. Abstract semantic algebras. In D. Bjørner, editor, Formal description of programming concepts II, pages 63-88. IFIP TC-2 Working Conference, North-Holland, 1982.
13. S. Owre, J. M. Rushby, and N. Shankar. PVS: A Prototype Verification System. In Deepak Kapur, editor, Proceedings 11th International Conference on Automated Deduction (CADE), volume 607 of Lecture Notes in Artificial Intelligence, pages 748-752, Saratoga, NY, October 1992. Springer-Verlag.
14. J. Palsberg. An automatically generated and provably correct compiler for a subset of Ada. In IEEE International Conference on Computer Languages, 1992.
15. L. Paulson. A compiler generator for semantic grammars. PhD thesis, Stanford University, 1981.
16. Deborah Weber-Wulff. Proof movie: a proof with the Boyer-Moore prover. Formal Aspects of Computing, 5(2):121-151, 1993.
17. W. Zimmermann, A. Dold, and T. Gaul. On the Construction of Correct Compiler Back-Ends. Submitted to IFIP TC2 Working Conference on Algorithmic Languages and Calculi, 1997, 1996.

Publication date: 1997