A Verified Vista Implementation Final Report
Abstract
[Figure 1.3: The Refinement Hierarchy]

concerns whether the algorithm is correct with respect to the abstract specification, that is, whether the semantics of a source program is preserved in the code that the algorithm specifies should be produced. By far the majority of compiler correctness work described in the literature is concerned with this form of correctness. Given the object code that a compiler must produce for a particular source program, there are many different ways it could be produced. A compiler implementation is a concrete program which produces the object code. It specifies not only what the object program should be, but also how it is produced. The implementation is given in a programming language, that is, an executable language. A compiler implementation can be verified against either an algorithm or an abstract specification. Ultimately, we wish to know that an implementation preserves the semantics of the source language. This suggests we should verify it against the abstract specification. This was the approach adopted by Polak [45]. However, a simpler alternative is to use a verified algorithm as a refinement step towards obtaining a verified implementation (see Figure 1.3). The algorithm is first shown to satisfy the abstract specification. Next the implementation is shown to satisfy the algorithm. It can then be deduced that the implementation satisfies the abstract specification. This split of the problem is similar to that used by Boyer and Yu to verify machine code programs [4]. A similar split has also been used in the verification of protocols [8]. Proving that an algorithm satisfies an abstract specification is simpler than proving that the implementation does. This is because the semantics of the implementation language does not need to be considered in the reasoning. Instead we reason about the logical constructs of the algorithm.

[Figure 1.4: Verifying a Compiler Implementation against an Algorithm]

When comparing the implementation with the algorithm, the semantics of the programming language in which the compiler is implemented must be considered. However, here the semantics of the source and target languages of the compiler do not need to be considered. Only their syntax is important. What is required is that the implementation produces syntactically the same program as indicated by the specification. This approach was followed by Chirica and Martin [10], Simpson [49] and Buth et al. [5]. It is illustrated in Figure 1.4. In this approach, we first prove that the algorithm, CompilerAlgorithm, satisfies the abstract compiler specification given by AbstractCompilerSpec:

    ⊢ AbstractCompilerSpec CompilerAlgorithm

Of the implementation we prove that for all programs the code it produces, (CompilerImpl p), is equal to that specified by the algorithm, (CompilerAlgorithm p).

    ⊢ ∀p. CompilerImpl p = CompilerAlgorithm p

Combining these we obtain the required theorem, which states that the implementation CompilerImpl satisfies the abstract compiler specification.

    ⊢ AbstractCompilerSpec CompilerImpl

This is illustrated in Figure 1.5. Splitting the proof into two parts in this way not only simplifies the programming and verification task, but also allows proofs to be reused. If different implementations of the same specification are produced, or the verified one is modified, only the compiler implementation correctness theorem needs to be reproved. The compiler specification theorem can be reused. Of course, the new compiler will have to generate the same code as the old one to fulfil the specification. However, the compiler itself can be more efficient, or contain better error detection. Some flexibility may be left by making the algorithmic specification non-deterministic.

[Figure 1.5: Combining Specification Correctness and Implementation Correctness]

[Figure 1.6: The Refinement Hierarchy with Non-deterministic Specifications]

However, leaving such choices open to the programmer may make the compiler specification proof harder. It also has disadvantages if we wish to execute some form of the specification as discussed later. It is therefore advisable to use a deterministic specification when verifying a particular implementation. This does not preclude verifying the deterministic specification against a more general non-deterministic one. We would then have three refinement steps as shown in Figure 1.6.
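As an added illustration (not code from the thesis or the HOL development it describes), the following Python toy instantiates the two-step argument above: a tiny expression language, a stack machine, a recursive compiler algorithm and a separate worklist implementation with its own error check. The HOL theorems are replaced here by executable checks on individual programs (an assumption for illustration, not a proof): spec_correct checks the algorithm against source and object semantics, while impl_matches_algorithm needs only syntactic equality of the emitted code, exactly the division shown in Figure 1.4.

```python
# Added example, not the thesis's code: a toy instance of the two-step
# refinement argument. Source programs: ints or ("+"|"*", left, right);
# object programs: stack-machine instruction lists [(name, arg), ...].
OPCODE = {"+": "ADD", "*": "MUL"}

def source_semantics(e):
    if isinstance(e, int):
        return e
    op, l, r = e
    a, b = source_semantics(l), source_semantics(r)
    return a + b if op == "+" else a * b

def object_semantics(code):
    stack = []                     # run the object program on an empty stack
    for name, arg in code:
        if name == "PUSH":
            stack.append(arg)
        else:                      # ADD / MUL pop two operands, push the result
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if name == "ADD" else a * b)
    return stack[0]

def compiler_algorithm(e):
    """Deterministic algorithmic specification: says WHAT code to produce."""
    if isinstance(e, int):
        return [("PUSH", e)]
    op, l, r = e
    return compiler_algorithm(l) + compiler_algorithm(r) + [(OPCODE[op], 0)]

def compiler_impl(e):
    """Concrete implementation: explicit worklist, better error detection,
    but it must emit exactly the SAME code as compiler_algorithm."""
    code, work = [], [e]
    while work:
        item = work.pop()
        if isinstance(item, int):
            code.append(("PUSH", item))
        elif item[0] in OPCODE:            # left code, then right, then operator
            work += [("EMIT", OPCODE[item[0]]), item[2], item[1]]
        elif item[0] == "EMIT":
            code.append((item[1], 0))
        else:
            raise ValueError(f"unknown operator {item[0]!r}")
    return code

def spec_correct(p):
    # AbstractCompilerSpec CompilerAlgorithm, checked on one program p
    return object_semantics(compiler_algorithm(p)) == source_semantics(p)

def impl_matches_algorithm(p):
    # CompilerImpl p = CompilerAlgorithm p: a syntactic comparison only
    return compiler_impl(p) == compiler_algorithm(p)
```

Chaining the two checks on a program gives the combined property (implementation output has the source program's meaning) without ever running the implementation's output through object_semantics, which is the reuse the thesis describes.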
Similar sources
The Verified Compilation of Vista Programs
We describe the formal machine-checked verification of a simple compiler specification using the HOL theorem proving system. The language and microprocessor considered are a subset of the structured assembly language Vista, and the VIPER microprocessor, respectively. Our work is directly applicable to a family of languages and compilers. We discuss how the correctness theorem and verified compiler...
The Vlisp Verified Scheme System
The vlisp project has produced a rigorously verified compiler from Scheme to byte codes, and a verified interpreter for the resulting byte codes. The official denotational semantics for Scheme provides the main criterion of correctness. The Wand-Clinger technique was used to prove correctness of the primary compiler step. Then a state machine operational semantics is proved to be faithful to the de...
Construction of Verified Software Systems with Program-checking: an Application to Compiler Back-ends
This paper describes how program-checking can be used to significantly reduce the amount of verification work to establish the implementation correctness of software systems which may be partly generated by unverified construction tools. We show the practicability of our approach with an application to the construction of verified compiler back-ends. The basic idea of program-checking is to use an ...
Vlisp: a Verified Implementation of Scheme
The vlisp project showed how to produce a comprehensively verified implementation for a programming language, namely Scheme. This paper introduces two more detailed studies on vlisp [13, 21]. It summarizes the basic techniques that were used repeatedly throughout the effort. It presents scientific conclusions about the applicability of these techniques as well as engineering conclusions about th...
3D T1-weighted black blood sequence at 3.0 Tesla for the diagnosis of cervical artery dissection
OBJECTIVE We aimed to investigate the value of three-dimensional (3D) T1 volumetric isotropic turbo spin echo acquisition (VISTA) in the diagnosis of cervical artery dissection (CAD). METHODS We prospectively included patients who were suspected as having a CAD within 1 month of onset. For T1 VISTA, the diagnosis of the dissection was based on the presence of intramural high-signal, intimal f...
Vista: a software environment for computer vision research
Vista is a software environment supporting the modular implementation and execution of computer vision algorithms. Because it is extensible, portable, and freely available, Vista is an appropriate medium for the exchange of standard implementations of algorithms. This paper, an overview of Vista, describes its file format, its data abstraction, its conventions for UNIX filter programs and libra...