Friedrich W. von Henke
SRI International
Publication
Featured research published by Friedrich W. von Henke.
Lecture Notes in Computer Science | 1984
David C. Luckham; Friedrich W. von Henke; Bernd Krieg-Brueckner; Olaf Owe
ANNA is a proposed language extension of Ada to include facilities for formally specifying the intended behavior of Ada programs (or portions thereof) at all stages of program development. Anna programs are Ada programs extended by formal comments. Formal comments in ANNA consist of virtual Ada text and annotations. Anna provides annotations for all Ada constructs, including declarative annotations (for variables, subtypes, subprograms, and packages), statement annotations, annotations of generic units, exception annotations and visibility annotations. (The current Anna design does not include extensions for annotating Ada multi-tasking constructs.) Anna also includes a small number of new predefined attributes, which may appear only in annotations, e.g. the collection attribute of an access type. Since all Anna extensions appear as Ada comments, Anna programs are also legal Ada programs and are accepted by Ada translators. The semantics of annotations are defined in terms of Ada concepts; in particular, many kinds of annotations are generalizations of the Ada constraint concept. This simplifies the training of Ada programmers to use Anna for formal specification of Ada programs. Anna provides a formal framework within which different theories of formal specification may be applied to Ada. This manual also describes a translation of annotations into Ada text for run-time checking of consistency with the annotations.
Lecture Notes in Computer Science | 1998
Detlef Schwier; Friedrich W. von Henke
Clock synchronization algorithms play a crucial role in a variety of fault-tolerant distributed architectures. Although those algorithms are similar in their basic structure, the particular designs differ considerably, for instance in the way clock adjustments are computed. This paper develops a formal generic theory of clock synchronization algorithms which extracts the commonalities of specific algorithms and their correctness arguments; this generalizes previous work by Shankar and Miner by covering non-averaging adjustment functions in addition to averaging algorithms. The generic theory is presented as a set of parameterized PVS theories, stating the general assumptions on the parameters and demonstrating the verification of generic clock synchronization. The generic theory is then specialized to the class of algorithms using averaging functions, yielding a theory that corresponds to those of Shankar and Miner. As examples of the verification of concrete, published algorithms, the formal verification of an averaging algorithm (by Welch and Lynch [3]) and of a non-averaging algorithm (by Srikanth and Toueg [14]) is discussed.
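As an added illustration, not code from the paper (whose development is in PVS): a Python model of one averaging adjustment function of the Welch/Lynch kind, the fault-tolerant midpoint, together with two checks of the kind a generic theory has to establish about its adjustment-function parameter: a validity property (the result stays within the range of the correct readings, whatever the faulty nodes report) and, on a constructed scenario, the halving of the clock spread after one resynchronization. The node values, the Byzantine node's behaviour and all names are assumptions of this example; the paper's non-averaging case (Srikanth/Toueg) is not modelled here.

```python
import itertools
from typing import Iterable, Sequence

def ft_midpoint(readings: Sequence[float], f: int) -> float:
    """Fault-tolerant midpoint (an averaging adjustment function): drop the f
    smallest and the f largest clock readings and return the midpoint of the
    extremes that remain. Needs more than 2f readings to have anything left."""
    if len(readings) <= 2 * f:
        raise ValueError("need more than 2f readings to tolerate f faulty clocks")
    s = sorted(readings)
    kept = s[f:len(s) - f]
    return (kept[0] + kept[-1]) / 2

def resynchronize(estimates: Sequence[Sequence[float]], f: int) -> list[float]:
    """estimates[i][j] is node i's estimate of node j's clock at the
    resynchronization instant (estimates[i][i] is node i's own clock).
    Every node sets its clock to the adjustment function applied to its own
    row, i.e. node i applies the adjustment ft_midpoint(row, f) - row[i]."""
    return [ft_midpoint(row, f) for row in estimates]

def spread(values: Iterable[float]) -> float:
    vals = list(values)
    return max(vals) - min(vals)

def containment_holds(correct: Sequence[float], f: int,
                      adversary_values: Sequence[float]) -> bool:
    """Brute-force the validity property: whatever f faulty nodes report, the
    result stays inside the range spanned by the correct readings. Exhaustive
    over the given adversary values; the arbitrary faulty input is one of the
    things a generic theory quantifies over."""
    lo, hi = min(correct), max(correct)
    for bad in itertools.product(adversary_values, repeat=f):
        if not lo <= ft_midpoint(list(correct) + list(bad), f) <= hi:
            return False
    return True

# Constructed scenario (an assumption, not data from the paper): n = 4, f = 1.
# Nodes 0..2 are correct, their clocks read 0.0, 0.5 and 1.0 at the
# resynchronization instant, and they estimate each other without error.
# Node 3 is Byzantine and reports a different value to every node.
CORRECT_VIEWS = [
    [0.0, 0.5, 1.0, -100.0],  # node 0's estimates
    [0.0, 0.5, 1.0,  100.0],  # node 1's estimates
    [0.0, 0.5, 1.0,    0.75], # node 2's estimates
]

def scenario() -> tuple[list[float], list[float]]:
    """Returns (clocks before, clocks after) for the correct nodes."""
    before = [row[i] for i, row in enumerate(CORRECT_VIEWS)]
    return before, resynchronize(CORRECT_VIEWS, 1)

if __name__ == "__main__":
    before, after = scenario()
    print("before:", before, "spread", spread(before))
    print("after: ", after, "spread", spread(after))
    print("validity holds:", containment_holds([0.0, 0.5, 1.0], 1,
                                               [-1e9, -1.0, 0.3, 0.7, 2.0, 1e9]))
```

In the scenario the correct clocks start 1.0 apart and end 0.5 apart even though the Byzantine node feeds each of them a different value; the containment check is what makes that possible, since no faulty value can drag a correct node's result outside the correct readings' range once fewer than half of the readings are faulty.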
theorem proving in higher order logics | 1998
Friedrich W. von Henke; Stephan Pfab; Holger Pfeifer; Harald Rueß
We describe an extension of the PVS system that provides a reasonably efficient and practical notion of reflection and thus allows for soundly adding formalized and verified new proof procedures. These proof procedures work on representations of a part of the underlying logic and their correctness is expressed at the object level using a computational reflection function. The implementation of the PVS system has been extended with an efficient evaluation mechanism, since the practicality of the approach heavily depends on careful engineering of the core system, including efficient normalization of functional expressions. We exemplify the process of applying meta-level proof procedures with a detailed description of the encoding of cancellation in commutative monoids and of the kernel of a BDD package.
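The cancellation example from the abstract, as an added Python sketch of the reflection pattern (not the paper's PVS implementation): object-level monoid terms are represented as data, a normalization procedure works on that representation, and an interpretation function maps representations back to object-level values so that the soundness statement `interp(reify(normalize(t))) == interp(t)` is what has to be proved once for the procedure. The term encoding, the function names and the sample terms are assumptions of this example.

```python
import operator
from collections import Counter

# Meta-level representation of object-level commutative-monoid terms, an
# assumption of this example rather than the paper's PVS datatype:
#   ("var", name) | ("unit",) | ("op", left, right)
Term = tuple

def interp(term: Term, env: dict, op, unit):
    """The reflection (interpretation) function: maps a representation back to
    an object-level value in the monoid (op, unit) under an assignment env."""
    kind = term[0]
    if kind == "var":
        return env[term[1]]
    if kind == "unit":
        return unit
    if kind == "op":
        return op(interp(term[1], env, op, unit), interp(term[2], env, op, unit))
    raise ValueError(f"bad term {term!r}")

def normalize(term: Term) -> Counter:
    """Normal form: the multiset of variables. Associativity, commutativity
    and the unit law are all absorbed by this representation."""
    kind = term[0]
    if kind == "var":
        return Counter({term[1]: 1})
    if kind == "unit":
        return Counter()
    return normalize(term[1]) + normalize(term[2])

def reify(ms: Counter) -> Term:
    """Canonical term for a multiset: variables in sorted order, right-nested,
    ending in the unit. interp(reify(normalize(t))) == interp(t) is the
    soundness lemma a reflected procedure must be proved against once."""
    term: Term = ("unit",)
    for name in sorted(ms.elements(), reverse=True):
        term = ("op", ("var", name), term)
    return term

def cancel(lhs: Term, rhs: Term) -> tuple[Counter, Counter]:
    """Cancellation: strike the common part of both sides and return what is
    left, so that lhs = rhs reduces to the (usually much smaller) residual."""
    l, r = normalize(lhs), normalize(rhs)
    common = l & r
    return l - common, r - common

def decide_equal(lhs: Term, rhs: Term) -> bool:
    """Decision procedure run at the meta level: empty residual on both sides."""
    l, r = cancel(lhs, rhs)
    return not l and not r

def soundness_check(term: Term, env: dict, op, unit) -> bool:
    """Spot-check the soundness lemma in one concrete monoid."""
    return interp(reify(normalize(term)), env, op, unit) == interp(term, env, op, unit)

# Constructed sample terms (an assumption, not from the paper).
A, B, C, D = (("var", v) for v in "abcd")
LHS = ("op", ("op", A, B), ("op", C, ("unit",)))        # (a . b) . (c . 1)
RHS = ("op", C, ("op", B, ("op", A, ("unit",))))         # c . (b . (a . 1))
OTHER = ("op", C, ("op", B, D))                          # c . (b . d)
ENV = {"a": 2, "b": 3, "c": 5, "d": 7}

if __name__ == "__main__":
    print("LHS = RHS:", decide_equal(LHS, RHS))
    print("LHS vs OTHER residual:", cancel(LHS, OTHER))
    print("sound under +:", soundness_check(LHS, ENV, operator.add, 0),
          "under *:", soundness_check(LHS, ENV, operator.mul, 1))
```

The point of the pattern is that only `normalize`, `reify` and `interp` need a correctness proof; after that, every instance of the equality is settled by evaluating `decide_equal`, which is why the abstract stresses efficient evaluation of functional expressions in the core system.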
International Journal of Foundations of Computer Science | 2003
Axel Dold; Friedrich W. von Henke; Wolfgang Goerigk
This paper reports on a large verification effort in constructing an initial fully trusted bootstrap compiler executable for a realistic system programming language and a real target processor. The construction and verification process comprises three tasks. First, the verification of the compiling specification (a relation between abstract source and target programs) with respect to the language semantics and a realistic correctness criterion; this proof has been completely mechanized using the PVS verification system and is one of the largest case studies in formal verification we are aware of. Second, the implementation of the specification in the high-level source language following a transformational approach. Finally, the implementation and verification of a binary executable written in the compiler's target language. For the latter task, a realistic technique has been developed, which is based on rigorous a-posteriori syntactic code inspection and which guarantees, for the first time, trusted execution of generated machine programs. The context of this work is the joint German research effort Verifix, aiming at developing methods for the construction of correct compilers for realistic source languages and real target processors.
KORSO - Methods, Languages, and Tools for the Construction of Correct Software | 1995
Friedrich W. von Henke; Axel Dold; Harald Rueß; Detlef Schwier
In this paper we present an approach towards a framework based on the type theory ECC (Extended Calculus of Constructions) in which specifications, programs and operators for modular development by stepwise refinement can be formally described and reasoned about. We demonstrate how generic software development steps can be expressed as higher-order functions and how proofs about their asserted effects can be carried out in the underlying logical calculus.
formal methods | 1993
Sam Owre; John Rushby; Natarajan Shankar; Friedrich W. von Henke
In collaboration with NASA's Langley Research Center, we are developing mechanically verified formal specifications for the fault-tolerant architecture, algorithms, and implementations of a "reliable computing platform" (RCP) for digital flight-control applications.
emerging technologies and factory automation | 2001
Holger Pfeifer; Friedrich W. von Henke
This paper describes the mechanized formal verification we have performed on some of the crucial algorithms used in the Time-Triggered Architecture (TTA) for safety-critical distributed control. We outline the approach taken to formally analyse the clock synchronization algorithm and the group membership service of TTA, summarize our experience and describe remaining challenges.
formal methods | 1997
Axel Dold; Friedrich W. von Henke; Holger Pfeifer; Harald Rueß
In this paper we describe a formal verification of transformations for peephole optimization using the PVS system [12]. Our basic approach is to develop a generic scheme to mechanize these kinds of verifications for a large class of machine architectures. This generic scheme is instantiated with a formalization of a non-trivial stack machine [14] and a PDP-11-like two-address machine [2], and we prove the correctness of more than 100 published peephole optimization rules for these machines. In the course of verifying these transformations we found several errors in published peephole transformation steps [14]. From the information of failed proof attempts, however, we were able to discover strengthened preconditions for correcting the erroneous transformations.
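An added example, not the paper's PVS formalization, of what "verifying a peephole rule against a machine model" amounts to: a constructed toy two-address machine with condition codes, an exhaustive state enumeration standing in for the proof, and four constructed rules, one of which is wrong as stated because it drops an instruction that sets the condition codes and becomes correct under the strengthened precondition that the condition codes are dead afterwards (modelled here as a weaker observation function). The machine, its instruction set and the rules are assumptions of this example and are not the published rules the paper examined.

```python
import itertools
from typing import Callable

# Constructed toy two-address machine (an assumption, not the paper's PDP-11
# formalization): three registers and two condition codes (N: negative,
# Z: zero) that every data-moving instruction sets from its result.
REGISTERS = ("r0", "r1", "r2")
Regs = dict[str, int]
CondCodes = tuple[bool, bool]
State = tuple[Regs, CondCodes]
Instr = tuple   # ("MOV", dst, src) | ("ADD", dst, src) | ("ADDI", dst, imm) | ("CLR", dst)

def step(state: State, instr: Instr) -> State:
    regs = dict(state[0])
    op, dst = instr[0], instr[1]
    if op == "MOV":
        regs[dst] = regs[instr[2]]
    elif op == "ADD":
        regs[dst] = regs[dst] + regs[instr[2]]
    elif op == "ADDI":
        regs[dst] = regs[dst] + instr[2]
    elif op == "CLR":
        regs[dst] = 0
    else:
        raise ValueError(f"unknown opcode {op}")
    return regs, (regs[dst] < 0, regs[dst] == 0)

def run(state: State, program: list[Instr]) -> State:
    for instr in program:
        state = step(state, instr)
    return state

def all_states(values=range(-2, 3)):
    """Every machine state over a small value domain; the initial condition
    codes are enumerated too, since an empty replacement leaves them as is."""
    for vals in itertools.product(values, repeat=len(REGISTERS)):
        for cc in itertools.product((False, True), repeat=2):
            yield dict(zip(REGISTERS, vals)), cc

def observe_all(state: State):
    """Correctness criterion: registers and condition codes must agree."""
    return state

def observe_regs(state: State):
    """Weaker criterion, usable only when the condition codes are dead after
    the rewritten sequence: the strengthened precondition for rules that
    drop a flag-setting instruction."""
    return state[0]

def verify_rule(before: list[Instr], after: list[Instr], observe: Callable):
    """None if both sequences agree on observe() from every state, otherwise
    the first counterexample (initial state, observation before, observation after)."""
    for s in all_states():
        lhs, rhs = observe(run(s, before)), observe(run(s, after))
        if lhs != rhs:
            return s, lhs, rhs
    return None

# Constructed rules. "add-zero" is correct for the registers but clobbers the
# condition codes; "mov-add" is simply wrong (it doubles the old r0, not r1)
# and no precondition on liveness rescues it.
RULES = {
    "mov-mov":  ([("MOV", "r1", "r0"), ("MOV", "r0", "r1")], [("MOV", "r1", "r0")]),
    "clr-add":  ([("CLR", "r0"), ("ADD", "r0", "r1")],       [("MOV", "r0", "r1")]),
    "add-zero": ([("ADDI", "r0", 0)],                        []),
    "mov-add":  ([("MOV", "r0", "r1"), ("ADD", "r0", "r1")], [("ADD", "r0", "r0")]),
}

if __name__ == "__main__":
    for name, (before, after) in RULES.items():
        print(name, "full:", verify_rule(before, after, observe_all) is None,
              "regs-only:", verify_rule(before, after, observe_regs) is None)
```

The counterexample returned for a failing rule is the same information a failed proof attempt leaves behind: it is what tells you whether the rule can be repaired by a stronger precondition (as for "add-zero") or has to be withdrawn (as for "mov-add").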
Archive | 2010
Falk Bartels; Axel Dold; Holger Pfeifer; Friedrich W. von Henke; Harald Rueß
We describe an encoding of major parts of domain theory in the PVS extension of the simply typed calculus. These encodings consist of formalizations of basic structures like partial orders and complete partial orders (domains); various domain constructions; notions related to monotonic functions and continuous functions; the Knaster-Tarski fixed point theorems for monotonic and continuous functions (the proof of this theorem requires Zorn's lemma, which has been derived from Hilbert's choice operator); Scott's fixed point induction for admissible predicates; and various variations of fixed point induction like Park's lemma. Altogether these encodings form a conservative extension of the underlying PVS logic, since all developments are purely definitional. Most of our proofs are straightforward transcriptions of textbook knowledge. The purpose of this work, however, was not to merely reproduce textbook knowledge. To the contrary, our main motivation derived from our work on fully mechanized compiler correctness proofs, which requires a full treatment of fixed point induction in PVS; these requirements guided our selection of which elements of domain theory were formalized. A major problem of embedding mathematical theories like domain theory lies in the fact that developing and working with those theories usually generates myriads of applicability and type correctness conditions. Our approach of exploiting the PVS device of judgements to establish many applicability conditions behind the scenes leads to a considerable reduction in the number of conditions that actually need to be proved. Finally, we exemplify the application of mechanized fixed point induction in PVS by a mechanized proof in the context of relating different semantics of imperative programming constructs. This paper appeared as technical report UIB from the Universität Ulm, Fakultät für Informatik. This research has been funded in part by the Deutsche Forschungsgemeinschaft (DFG) under project Verifix.
Archive | 2009
Holger Pfeifer; Axel Dold; Friedrich W. von Henke; Harald Rueß
In this paper a uniform formalization in PVS of various kinds of semantics of imperative programming language constructs is presented. Based on a comprehensive development of fixed point theory, the denotational semantics of elementary constructs of imperative programming languages are defined as state transformers. These state transformers induce corresponding predicate transformers, providing a means to formally derive both a weakest liberal precondition semantics and an axiomatic semantics in the style of Hoare. Moreover, algebraic laws as used in refinement calculus proofs are validated at the level of predicate transformers. Simple reformulations of the state transformer semantics yield both a continuation style semantics and rules similar to those used in Structural Operational Semantics. This formalization provides the foundations on which formal specification of programming languages and mechanical verification of compilation steps are carried out within the Verifix project. This research has been funded in part by the Deutsche Forschungsgemeinschaft (DFG) under project Verifix.
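As an added example that is not the paper's PVS development (and that also illustrates the fixed point construction the domain-theory report above builds on): a Python model in which the state space is finite, the denotational semantics of skip, assignment, sequencing, conditional and loop is a partial state transformer, the meaning of a while loop is the least fixed point computed by Kleene iteration from the empty function, and wlp and wp are read off the transformer as predicate transformers. One of the algebraic laws (sequencing) and a Hoare triple are then checked against the derived predicate transformers. The modulo-N state space, the command encoding and the sample program are assumptions of this example.

```python
import itertools

# Constructed finite-state model (an assumption of this example, not the
# paper's PVS theory): two variables x, y over the integers modulo N, so the
# state space is finite and the loop's fixed point can be computed by
# Kleene iteration instead of being reasoned about symbolically.
N = 8
X, Y = 0, 1
State = tuple[int, int]
STATES: list[State] = list(itertools.product(range(N), repeat=2))
Transformer = dict[State, State]   # partial function; a missing key = non-termination
Pred = frozenset[State]

# Command syntax: ("skip",) | ("assign", var, expr) | ("seq", c1, c2)
#                 | ("if", cond, c1, c2) | ("while", cond, body)
# where expr: State -> int and cond: State -> bool.

def denote(cmd) -> Transformer:
    """Denotational semantics as a state transformer."""
    kind = cmd[0]
    if kind == "skip":
        return {s: s for s in STATES}
    if kind == "assign":
        _, var, expr = cmd
        out = {}
        for s in STATES:
            t = list(s)
            t[var] = expr(s) % N
            out[s] = tuple(t)
        return out
    if kind == "seq":
        f, g = denote(cmd[1]), denote(cmd[2])
        return {s: g[f[s]] for s in STATES if s in f and f[s] in g}
    if kind == "if":
        _, cond, c1, c2 = cmd
        f, g = denote(c1), denote(c2)
        out = {}
        for s in STATES:
            branch = f if cond(s) else g
            if s in branch:
                out[s] = branch[s]
        return out
    if kind == "while":
        _, cond, body = cmd
        f = denote(body)
        # Least fixed point of W(h)(s) = h(f(s)) if cond(s) else s, by Kleene
        # iteration from bottom (the empty partial function). Each round adds
        # the states that exit the loop in one more iteration; states that
        # never exit are never added, which is exactly non-termination.
        h: Transformer = {}
        while True:
            nxt = {}
            for s in STATES:
                if not cond(s):
                    nxt[s] = s
                elif s in f and f[s] in h:
                    nxt[s] = h[f[s]]
            if nxt == h:
                return h
            h = nxt
    raise ValueError(f"unknown command {kind}")

def wlp(cmd, q: Pred) -> Pred:
    """Weakest liberal precondition, read off the state transformer: q must
    hold after cmd whenever cmd terminates."""
    t = denote(cmd)
    return frozenset(s for s in STATES if s not in t or t[s] in q)

def wp(cmd, q: Pred) -> Pred:
    """Weakest precondition: cmd terminates and q holds afterwards."""
    t = denote(cmd)
    return frozenset(s for s in STATES if s in t and t[s] in q)

def hoare_valid(p: Pred, cmd, q: Pred) -> bool:
    """Partial-correctness triple {p} cmd {q} is valid iff p implies wlp(cmd, q)."""
    return p <= wlp(cmd, q)

def sequencing_law_holds(c1, c2, q: Pred) -> bool:
    """One of the algebraic laws: wlp(c1; c2, q) = wlp(c1, wlp(c2, q))."""
    return wlp(("seq", c1, c2), q) == wlp(c1, wlp(c2, q))

# Sample program (constructed): while x /= 0 do x := x + 2 (mod N).
# It terminates exactly from states with even x.
LOOP = ("while", lambda s: s[X] != 0, ("assign", X, lambda s: s[X] + 2))
ADD_Y = ("assign", X, lambda s: s[X] + s[Y])
ALL = frozenset(STATES)
X_ZERO = frozenset(s for s in STATES if s[X] == 0)
X_EVEN = frozenset(s for s in STATES if s[X] % 2 == 0)

if __name__ == "__main__":
    print("wlp(LOOP, x=0) is everything:", wlp(LOOP, X_ZERO) == ALL)
    print("wp(LOOP, x=0) is even x:     ", wp(LOOP, X_ZERO) == X_EVEN)
    print("{x even} LOOP {x = 0}:       ", hoare_valid(X_EVEN, LOOP, X_ZERO))
    print("sequencing law:              ", sequencing_law_holds(ADD_Y, LOOP, X_ZERO))
```

The gap between `wlp` and `wp` on the sample loop is the whole difference between partial and total correctness: states with odd x never leave the loop, so they satisfy every liberal precondition vacuously and no strict one.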