Mechanized Operational Semantics: The M1 Story

In this paper we explain how to formalize an “operational” or “state-transition” semantics of a von Neumann programming language in a functional programming language. By adopting an “interpretive” style, one can execute the model in the functional language to “run” programs in the von Neumann language. Given the ability to reason about the functional language, one can use the model to reason about programs in the von Neumann language. In theory at least, such a formal semantics thus has a dual use: as a simulation engine and as an axiomatic basis for code proofs. The beauty of this approach is that no more logical machinery is needed than to support execution and proof in a functional language: no new program logics and no new meta-logical tools like “verification condition generators” are needed. In this paper we will illustrate the techniques by formalizing a simple programming language called “M1,” for “Machine (or Model) 1.” It is loosely based on the Java Virtual Machine but has been simplified for pedagogical purposes. We will demonstrate the executability of M1 models. We will develop several styles of code proofs, including direct (symbolic simulation) proofs based on Boyer-Moore “clock functions” and Floyd-Hoare inductive assertion proofs. We construct proofs only for the the simplest of programs, namely an iterative factorial example. But to illustrate a more realistic use of the model, we discuss the correctness proof for an M1 implementation of the Boyer-Moore fast string searching algorithm. We also define a compiler for a higher level language called “J1” and show how to do proofs about J1 code without benefit of a formal semantics for that code. Throughout we use the ACL2 logic and theorem proving system.