Verification of transformation rules of the higher-order transformation language TL

Fares Zuhir Fraij, University of Texas at El Paso


Because of the high cost associated with failure in high-consequence systems, it is important to produce strong evidence that these systems will not fail in the field. For software systems, such evidence cannot be obtained by traditional verification methods such as testing. Transformation-oriented programming utilizes well-defined, formal transformation sequences to refine an initial, formal specification into a final implementation. It is a long standing goal that the formal, incremental nature of this approach be used to provide convincing evidence that software systems will behave as intended. ^ The research presented here applies a formal framework for verifying transformation-based software systems. The verification framework consists of two phases: modeling and verification. In the first phase, a model of a transformation program is constructed in a formal specification language, and the correctness of this model is demonstrated. The model is correct if it accurately reflects the behavior of the original transformation program. Verification of the transformation program is achieved by mathematically proving that the model of the transformation program preserves the semantics of its input, i.e., that the output to the transformation program is semantically equivalent to its input. To prove the correctness conjecture, a semantic function M representing the interpretation of the transformation program's input language is constructed. The result of applying M to the input of the model must be identical to the result of applying M to the transformed input of the model. The successful verification of the correctness conjuncture implies that, in general, the transformation program is correctness-preserving with respect to M . ^ The approach is demonstrated on a high-consequence system, namely the Sandia Secure Processor (SSP). Designed at Sandia National Laboratories, the SSP executes a subset of the Java language and provides a general-purpose computational infrastructure suitable for use in high-consequence embedded systems. The SSP class loader takes a Java application and produces a ROM image. The ROM image consists of a collection of class file images that can be executed by the hardware of the SSP. While the Java Virtual Machine allows applications to begin execution before all class files are completely loaded, this behavior is not appropriate for embedded systems. Therefore, the SSP is a closed system in the sense that all the classes used during execution must be available before the execution starts. In this context, the functionality of the SSP class loader is well-suited to a transformation-based implementation. The SSP class loader was previously implemented using the higher-order transformation language TL. The implementation consists of five stages through which a set of class files representing a Java application is incrementally refined into a corresponding ROM image. ^ The applicability of the introduced verification approach is demonstrated by proving the correctness of parts of the SSP class loader written in TL. Specifically, the automated theorem prover ACL2 is employed to model the transformation program that represents index resolution, the first stage of the TL class loader. The semantic function Mdref is constructed to give a meaning to any index in the constant pool of a class file. Mdref denotes the transitive closure of the value obtained by following an index in the constant pool. A theorem is presented stating that Mdref yields the same value when applied to a class file or its transformed counterpart. ^

Subject Area

Computer Science

Recommended Citation

Fraij, Fares Zuhir, "Verification of transformation rules of the higher-order transformation language TL" (2005). ETD Collection for University of Texas, El Paso. AAI3181692.