compcert.bib

@inproceedings{Blazy-Leroy-05,
  author = {Sandrine Blazy and Xavier Leroy},
  title = {Formal verification of a memory model for
                         {C}-like imperative languages},
  booktitle = {International Conference on
                         Formal Engineering Methods (ICFEM 2005)},
  year = 2005,
  volume = 3785,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  pages = {280--299},
  url = {http://xavierleroy.org/publi/memory-model.pdf},
  urlpublisher = {http://www.springerlink.com/openurl.asp?genre=article&id=doi:10.1007/11576280_20},
  hal = {http://hal.inria.fr/inria-00077921/},
  abstract = {
This paper presents a formal verification with the Coq proof assistant
of a memory model for C-like imperative languages. This model defines
the memory layout and the operations that manage the memory. The model
has been specified at two levels of abstraction and implemented as
part of an ongoing certification in Coq of a moderately-optimising C
compiler. Many properties of the memory have been verified in the
specification. They facilitate the definition of precise formal
semantics of C pointers. A certified OCaml code implementing the
memory model has been automatically extracted from the
specifications.},
  xtopic = {compcert}
}
@inproceedings{2006-Leroy-Bertot-Gregoire,
  author = {Yves Bertot and Benjamin Grégoire and Xavier Leroy},
  title = {A structured approach to proving compiler
                         optimizations based on dataflow analysis},
  booktitle = {Types for Proofs and Programs, Workshop TYPES 2004},
  year = 2006,
  volume = 3839,
  pages = {66-81},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  url = {http://xavierleroy.org/publi/proofs_dataflow_optimizations.pdf},
  urlpublisher = {http://www.springerlink.com/openurl.asp?genre=article&id=doi:10.1007/11617990_5},
  hal = {http://hal.inria.fr/inria-00289549/},
  abstract = {
This paper reports on the correctness proof of compiler optimizations
based on data-flow analysis.  We formulate the optimizations and
analyses as instances of a general framework for data-flow analyses and
transformations, and prove that the optimizations preserve the
behavior of the compiled programs.  This development is a part of a
larger effort of certifying an optimizing compiler by proving semantic
equivalence between source and compiled code.}
}
@inproceedings{2006-Leroy-compcert,
  author = {Xavier Leroy},
  title = {Formal certification of a compiler back-end, or:
                   programming a compiler with a proof assistant},
  booktitle = {33rd ACM symposium on Principles of Programming Languages},
  year = 2006,
  publisher = {ACM Press},
  pages = {42--54},
  url = {http://xavierleroy.org/publi/compiler-certif.pdf},
  urlpublisher = {http://doi.acm.org/10.1145/1111037.1111042},
  hal = {http://hal.inria.fr/inria-00000963/},
  abstract = {This paper reports on the development and formal certification (proof
of semantic preservation) of a compiler from Cminor (a C-like
imperative language) to PowerPC assembly code, using the Coq proof
assistant both for programming the compiler and for proving its
correctness.  Such a certified compiler is useful in the context of
formal methods applied to the certification of critical software: the
certification of the compiler guarantees that the safety properties
proved on the source code hold for the executable compiled code as well.},
  pubkind = {conf-int-mono}
}
@inproceedings{2006-Leroy-coindsem,
  author = {Xavier Leroy},
  title = {Coinductive big-step operational semantics},
  booktitle = {European Symposium on Programming (ESOP'06)},
  year = 2006,
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = 3924,
  pages = {54-68},
  url = {http://xavierleroy.org/publi/coindsem.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/11693024_5},
  hal = {http://hal.inria.fr/inria-00289545/},
  abstract = {This paper illustrates the use of co-inductive definitions and proofs
in big-step operational semantics, enabling the latter to describe
diverging evaluations in addition to terminating evaluations. We show
applications to proofs of type soundness and to proofs of semantic
preservation for compilers.  (See
\verb|http://gallium.inria.fr/~xleroy/publi/coindsem/|
for the Coq on-machine formalization of these results.)},
  pubkind = {conf-int-mono}
}
@inproceedings{2006-Leroy-Blazy-Dargaye,
  author = {Sandrine Blazy and Zaynah Dargaye and Xavier Leroy},
  title = {Formal Verification of a {C} Compiler Front-End},
  booktitle = {FM 2006: Int. Symp. on Formal Methods},
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  volume = 4085,
  year = 2006,
  pages = {460--475},
  url = {http://xavierleroy.org/publi/cfront.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/11813040_31},
  hal = {http://hal.inria.fr/inria-00106401/},
  abstract = {This paper presents the formal verification of a compiler front-end
that translates a subset of the C language into the Cminor
intermediate language.  The semantics of the source and target
languages as well as the translation between them have been written in
the specification language of the Coq proof assistant. The proof of
observational semantic equivalence between the source and generated
code has been machine-checked using Coq.  An executable compiler was
obtained by automatic extraction of executable Caml code from the Coq
specification of the translator, combined with a certified compiler
back-end generating PowerPC assembly code from Cminor, described in
previous work.},
  pubkind = {conf-int-multi}
}
@techreport{2006-Leroy-Appel-listmachine-tr,
  author = {Appel, Andrew W.  and  Leroy, Xavier},
  title = {A list-machine benchmark for mechanized metatheory},
  year = {2006},
  institution = {INRIA},
  number = {5914},
  type = {Research report},
  hal = {http://hal.inria.fr/inria-00077531/},
  abstract = {We propose a benchmark to compare theorem-proving systems
on their ability to express proofs of compiler correctness.
In contrast to the first POPLmark, we emphasize the connection
of proofs to compiler implementations, and we point out
that much can be done without binders or alpha-conversion.
We propose specific criteria for evaluating the utility
of mechanized metatheory systems; we have constructed
solutions in both Coq and Twelf metatheory, and
we draw conclusions about those two systems in particular.}
}
@inproceedings{2007-Blazy-Appel-Cminor-sos,
  author = {Andrew W. Appel and Sandrine Blazy},
  title = {Separation logic for small-step {Cminor}},
  booktitle = {Theorem Proving in Higher Order Logics, 20th
                         Int. Conf. TPHOLs 2007},
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = 4732,
  pages = {5--21},
  year = 2007,
  mon = sep,
  url = {http://www.ensiie.fr/~blazy/AppelBlazy07.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-540-74591-4_3},
  hal = {http://hal.inria.fr/inria-00165915/},
  pubkind = {conf-int-mono}
}
@inproceedings{2007-Blazy-C-semantics,
  author = {Sandrine Blazy},
  title = {Experiments in validating formal semantics for {C}},
  booktitle = {Proceedings of the C/C++ Verification Workshop},
  pages = {95--102},
  year = 2007,
  mon = jul,
  url = {http://www.ensiie.fr/~blazy/C07Blazy.pdf},
  hal = {http://hal.inria.fr/inria-00292043/},
  publisher = {Technical report ICIS-R07015, Radboud University Nijmegen},
  pubkind = {conf-int-mono}
}
@inproceedings{2007-Dargaye-JFLA,
  author = {Zaynah Dargaye},
  title = {Décurryfication certifiée},
  booktitle = {Journées Francophones des Langages Applicatifs (JFLA'07)},
  pages = {119--134},
  publisher = {INRIA},
  year = {2007},
  url = {http://gallium.inria.fr/~dargaye/publications/certdec.pdf},
  hal = {http://hal.inria.fr/inria-00338974/},
  pubkind = {conf-fr-mono}
}
@inproceedings{2007-Dargaye-Leroy-LPAR,
  author = {Zaynah Dargaye and Xavier Leroy},
  title = {Mechanized verification of {CPS} transformations},
  booktitle = {Logic for Programming,
                     Artificial Intelligence and Reasoning,
                     14th Int. Conf. LPAR 2007},
  year = 2007,
  series = {Lecture Notes in Artificial Intelligence},
  volume = 4790,
  publisher = {Springer},
  pages = {211--225},
  url = {http://xavierleroy.org/publi/cps-dargaye-leroy.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-540-75560-9_17},
  hal = {http://hal.inria.fr/inria-00289541/},
  abstract = {
Transformation to continuation-passing style (CPS) is often performed
by optimizing compilers for functional programming languages.  As part
of the development and proof of correctness of a compiler for the
mini-ML functional language, we have mechanically verified the
correctness of two CPS transformations for a call-by-value
$\lambda$-calculus with $n$-ary functions, recursive functions, data
types and pattern-matching.  The transformations generalize Plotkin's
original call-by-value transformation and Danvy and Nielsen's
optimized transformation, respectively.  We used the Coq proof
assistant to formalize the transformations and conduct and check the
proofs.  Originalities of this work include the use of big-step
operational semantics to avoid difficulties with administrative
redexes, and of two-sorted de Bruijn indices to avoid difficulties
with $\alpha$-conversion.},
  pubkind = {conf-int-mono}
}
@inproceedings{2007-Doligez-Bonichon-Delahaye,
  author = {Richard Bonichon and David Delahaye and Damien Doligez},
  title = {{Zenon}: an Extensible Automated Theorem Prover Producing Checkable Proofs},
  booktitle = {Logic for Programming,
                     Artificial Intelligence and Reasoning,
                     14th Int. Conf. LPAR 2007},
  year = 2007,
  series = {Lecture Notes in Artificial Intelligence},
  volume = 4790,
  publisher = {Springer},
  pages = {151--165},
  url = {http://focal.inria.fr/zenon/zenlpar07.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-540-75560-9_13},
  hal = {http://hal.inria.fr/inria-00315920/},
  abstract = {
We present Zenon, an automated theorem prover for first order
classical logic (with equality), based on the tableau method. Zenon is
intended to be the dedicated prover of the Focal environment, an
object-oriented algebraic specification and proof system, which is
able to produce OCaml code for execution and Coq code for
certification. Zenon can directly generate Coq proofs (proof
scripts or proof terms), which can be reinserted in the Coq
specifications produced by Focal. Zenon can also be extended,
which makes specific (and possibly local) automation possible
in Focal.},
  pubkind = {conf-int-multi}
}
@inproceedings{2007-Leroy-Appel-listmachine-lfmtp,
  author = {Appel, Andrew W.  and  Leroy, Xavier},
  title = {A list-machine benchmark for mechanized metatheory
                       (extended abstract)},
  booktitle = {Proc. Int. Workshop on Logical
                       Frameworks and Meta-Languages (LFMTP'06)},
  year = {2007},
  series = {Electronic Notes in Computer Science},
  volume = {174/5},
  pages = {95--108},
  url = {http://xavierleroy.org/publi/listmachine-lfmtp.pdf},
  urlpublisher = {http://dx.doi.org/10.1016/j.entcs.2007.01.020},
  hal = {http://hal.inria.fr/inria-00289543/},
  abstract = {Short version of \cite{2006-Leroy-Appel-listmachine-tr}.},
  pubkind = {conf-int-mono}
}
@article{2007-Leroy-Grall,
  author = {Xavier Leroy and Hervé Grall},
  title = {Coinductive big-step operational semantics},
  journal = {Information and Computation},
  volume = 207,
  number = 2,
  pages = {284--304},
  year = 2009,
  url = {http://xavierleroy.org/publi/coindsem-journal.pdf},
  urlpublisher = {http://dx.doi.org/10.1016/j.ic.2007.12.004},
  hal = {http://hal.inria.fr/inria-00309010/},
  abstract = {Using a call-by-value functional language as an example, this article
illustrates the use of coinductive definitions and proofs in big-step
operational semantics, enabling it to describe diverging evaluations
in addition to terminating evaluations.  We formalize the connections
between the coinductive big-step semantics and the standard small-step
semantics, proving that both semantics are equivalent.  We then study
the use of coinductive big-step semantics in proofs of type soundness
and proofs of semantic preservation for compilers.
A methodological originality of this paper is that all results
have been proved using the Coq proof assistant.  We explain the
proof-theoretic presentation of coinductive definitions and proofs
offered by Coq, and show that it facilitates the discovery and the
presentation of the results.},
  pubkind = {journal-int-mono}
}
@article{2007-Blazy-C-chronique,
  author = {Sandrine Blazy},
  title = {Comment gagner confiance en {C} ?},
  journal = {Technique et Science Informatiques},
  year = {2007},
  volume = {26},
  number = {9},
  pages = {1195-1200},
  url = {http://www.ensiie.fr/~blazy/TSI07Blazy.pdf},
  hal = {http://hal.inria.fr/inria-00292049/},
  pubkind = {journal-fr-mono}
}
@inproceedings{2007-Blazy-JGA,
  author = {Sandrine Blazy and Benoît Robillard and Eric Soutif},
  title = {Coloration avec préférences dans les graphes triangulés},
  booktitle = {Journées Graphes et Algorithmes (JGA'07)},
  year = {2007},
  month = nov,
  url = {http://www.liafa.jussieu.fr/jga07/JGA07.pdf},
  pubkind = {conf-fr-mono}
}
@techreport{2007-Blazy-Appel-Cminor-sosRR,
  author = {Andrew W. Appel and Sandrine Blazy},
  title = {Separation logic for small-step {Cminor} (extended version)},
  note = {29 pages},
  year = 2007,
  mon = mar,
  institution = {INRIA},
  number = {6138},
  type = {Research report},
  hal = {http://hal.inria.fr/inria-00134699/}
}
@article{2008-Leroy-Blazy-memory-model,
  author = {Xavier Leroy and Sandrine Blazy},
  title = {Formal verification of a {C}-like memory model
                 and its uses for verifying program transformations},
  journal = {Journal of Automated Reasoning},
  volume = 41,
  number = 1,
  pages = {1--31},
  url = {http://xavierleroy.org/publi/memory-model-journal.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/s10817-008-9099-0},
  hal = {http://hal.inria.fr/inria-00289542/},
  year = 2008,
  pubkind = {journal-int-multi}
}
@article{2008-Leroy-Rideau-Serpette-pmov,
  author = {Laurence Rideau and Bernard Paul Serpette and
                  Xavier Leroy},
  title = {Tilting at windmills with {Coq}:
                 Formal verification of a compilation algorithm
                 for parallel moves},
  journal = {Journal of Automated Reasoning},
  volume = 40,
  number = 4,
  pages = {307--326},
  url = {http://xavierleroy.org/publi/parallel-move.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/s10817-007-9096-8},
  hal = {http://hal.inria.fr/inria-00289709/},
  year = 2008,
  pubkind = {journal-int-multi}
}
@inproceedings{2008-Tristan-Leroy-POPL,
  author = {Jean-Baptiste Tristan and Xavier Leroy},
  title = {Formal verification of translation validators:
                 A case study on instruction scheduling optimizations},
  booktitle = {Proceedings of the 35th {ACM} Symposium on Principles of
                  Programming Languages (POPL'08)},
  pages = {17--27},
  publisher = {ACM Press},
  year = 2008,
  month = jan,
  url = {http://xavierleroy.org/publi/validation-scheduling.pdf},
  hal = {http://hal.inria.fr/inria-00289540/},
  urlpublisher = {http://doi.acm.org/10.1145/1328897.1328444},
  pubkind = {conf-int-mono},
  abstract = {Translation validation consists of transforming a program and a
posteriori validating it in order to detect a modification of its
semantics. This approach can be used in a verified compiler, provided
that validation is formally proved to be correct. We present two such
validators and their Coq proofs of correctness.  The validators are
designed for two instruction scheduling optimizations: list
scheduling and trace scheduling.}
}
@inproceedings{2008-Blazy-JFLA,
  author = {Sandrine Blazy and Benoît Robillard and Eric Soutif},
  title = {Vérification formelle d'un algorithme d'allocation de registres par coloration de graphes},
  booktitle = {Journées Francophones des Langages Applicatifs (JFLA'08)},
  year = 2008,
  address = {Étretat, France},
  month = jan,
  pages = {31--46},
  url = {http://www.ensiie.fr/~blazy/JFLABRS08.pdf},
  hal = {http://hal.inria.fr/inria-00202713/},
  pubkind = {conf-fr-mono}
}
@techreport{2007-Bertot-progsem-tr,
  author = {Yves Bertot},
  title = {Theorem proving support in programming language semantics},
  year = {2007},
  institution = {INRIA},
  type = {Research report},
  number = {6242},
  hal = {http://hal.inria.fr/inria-00160309/}
}
@incollection{2009-Bertot-progsem,
  author = {Yves Bertot},
  title = {Theorem proving support in programming language semantics},
  booktitle = {From Semantics to Computer Science -- Essays in Honour of {Gilles} {Kahn}},
  editor = {Y. Bertot and G. Huet and J.-J. Lévy and G. Plotkin},
  publisher = {Cambridge University Press},
  pages = {337-362},
  year = {2009},
  urlpublisher = {http://www.cambridge.org/catalogue/catalogue.asp?isbn=9780521518253}
}
@unpublished{2006-Bertot-Tarski,
  title = {Extending the Calculus of Constructions
                         with {Tarski}'s fix-point theorem},
  author = {Yves Bertot},
  abstract = {We propose to use Tarski's least fixpoint theorem as a basis to define recursive functions in the calculus of inductive constructions. This widens the class of functions that can be modeled in type-theory based theorem proving tool to potentially non-terminating functions. This is only possible if we extend the logical framework by adding the axioms that correspond to classical logic. We claim that the extended framework makes it possible to reason about terminating and non-terminating computations and we show that common facilities of the calculus of inductive construction, like program extraction can be extended to also handle the new functions.},
  year = {2006},
  hal = {http://hal.inria.fr/inria-00105529/}
}
@inproceedings{2008-Bertot-Komendantsky,
  title = {Fixed point semantics and partial recursion in {Coq}},
  author = {Yves Bertot and Vladimir Komendantsky},
  booktitle = {10th int. ACM SIGPLAN conference on
                         Principles and Practice of Declarative Programming
                         (PPDP 2008)},
  publisher = {ACM Press},
  year = 2008,
  pages = {89-96},
  abstract = {We propose to use the least fixed point theorem as a basis to define recursive functions in the Calculus of Inductive Constructions. This widens the class of functions that can be modeled in type-theory based theorem proving tools to potentially non-terminating functions. This is only possible if we extend the logical framework by adding some axioms of classical logic. We claim that the extended framework makes it possible to reason about terminating or non-terminating computations and we show that extraction can also be extended to handle the new functions.},
  hal = {http://hal.inria.fr/inria-00190975/},
  urlpublisher = {http://doi.acm.org/10.1145/1389449.1389461},
  pubkind = {conf-int-mono}
}
@inproceedings{2008-Blazy-ROADEF,
  author = {Sandrine Blazy and Benoît Robillard and Éric Soutif},
  title = {Coloration avec préférences: complexité,
                         inégalités valides et vérification formelle},
  booktitle = {ROADEF'08, 9e congrès de la Société Française de
                         Recherche Opérationnelle et d'Aide à la Décision},
  year = {2008},
  hal = {http://hal.inria.fr/inria-00260712/},
  pubkind = {conf-fr-mono}
}
@article{Leroy-backend,
  author = {Xavier Leroy},
  title = {A formally verified compiler back-end},
  journal = {Journal of Automated Reasoning},
  volume = 43,
  number = 4,
  pages = {363--446},
  year = 2009,
  url = {http://xavierleroy.org/publi/compcert-backend.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/s10817-009-9155-4},
  hal = {http://hal.inria.fr/inria-00360768/},
  pubkind = {journal-int-mono}
}
@article{Blazy-Leroy-Clight-09,
  author = {Sandrine Blazy and Xavier Leroy},
  title = {Mechanized semantics for the {Clight}
                         subset of the {C} language},
  year = 2009,
  journal = {Journal of Automated Reasoning},
  url = {http://xavierleroy.org/publi/Clight.pdf},
  hal = {http://hal.inria.fr/inria-00352524/},
  urlpublisher = {http://dx.doi.org/10.1007/s10817-009-9148-3},
  volume = 43,
  number = 3,
  pages = {263-288}
}
@inproceedings{Tristan-Leroy-LCM,
  author = {Jean-Baptiste Tristan and Xavier Leroy},
  title = {Verified Validation of {Lazy} {Code} {Motion}},
  booktitle = {Proceedings of the 2009 ACM SIGPLAN Conference on
                         Programming Language Design and Implementation
                         (PLDI'09)},
  year = 2009,
  pages = {316--326},
  url = {http://xavierleroy.org/publi/validation-LCM.pdf},
  urlpublisher = {http://doi.acm.org/10.1145/1542476.1542512},
  hal = {http://hal.archives-ouvertes.fr/inria-00415865/},
  pubkind = {conf-int-mono}
}
@inproceedings{Blazy-Robillard-splitting,
  author = {Sandrine Blazy and Benoît Robillard},
  title = {Live-range Unsplitting for Faster Optimal Coalescing},
  booktitle = {Proceedings of the ACM SIGPLAN/SIGBED 2009
                         conference on Languages,
                         Compilers, and Tools for Embedded Systems
                         (LCTES 2009)},
  pages = {70--79},
  publisher = {ACM Press},
  year = 2009,
  url = {http://www.ensiie.fr/~blazy/LCTES09.pdf},
  urlpublisher = {http://doi.acm.org/10.1145/1542452.1542462},
  hal = {http://hal.inria.fr/inria-00387749/},
  pubkind = {conf-int-mono}
}
@inproceedings{Letouzey-CiE-08,
  author = {Letouzey, Pierre},
  booktitle = {Logic and Theory of Algorithms, Fourth Conference on Computability in Europe, CiE 2008},
  title = {Extraction in {Coq}: An Overview},
  pages = {359--369},
  year = 2008,
  urlpublisher = {http://dx.doi.org/10.1007/978-3-540-69407-6_39},
  hal = {http://hal.archives-ouvertes.fr/hal-00338973/},
  volume = 5028,
  series = {Lecture Notes in Computer Science},
  publisher = {Springer},
  pubkind = {conf-int-mono}
}
@incollection{Bertot-absint-08,
  author = {Yves Bertot},
  title = {Structural abstract interpretation:
                         A formal study using {Coq}},
  booktitle = {Language Engineering and Rigorous
                         Software Development,
                         International LerNet ALFA Summer School 2008},
  editor = {Ana Bove and Jorge Sousa Pinto},
  series = {Lecture Notes in Computer Science},
  volume = 5520,
  publisher = {Springer},
  year = 2009,
  pages = {153-194},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-642-03153-3_4},
  hal = {http://hal.inria.fr/inria-00329572/}
}
@phdthesis{Blazy-HDR,
  author = {Sandrine Blazy},
  title = {Sémantiques formelles},
  type = {Habilitation à diriger les recherches},
  school = {Université Évry Val d'Essone},
  year = 2008,
  month = oct,
  url = {http://www.ensiie.fr/~blazy/hdr.html},
  hal = {http://tel.archives-ouvertes.fr/tel-00336576/}
}
@inproceedings{Glondu-JFLA09,
  author = {Stéphane Glondu},
  title = {Extraction certifiée dans {Coq}-en-{Coq}},
  booktitle = {Journées Francophones des Langages Applicatifs (JFLA'09)},
  publisher = {INRIA},
  year = {2009},
  pages = {105--118},
  url = {http://stephane.glondu.net/jfla09.pdf},
  hal = {http://hal.inria.fr/inria-00362717/},
  pubkind = {conf-fr-mono}
}
@article{Dargaye-Leroy-uncurrying,
  author = {Zaynah Dargaye and Xavier Leroy},
  title = {A verified framework for higher-order uncurrying optimizations},
  journal = {Higher-Order and Symbolic Computation},
  url = {http://xavierleroy.org/publi/higher-order-uncurrying.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/s10990-010-9050-z},
  year = 2009,
  volume = 22,
  number = 3,
  pages = {199--231}
}
@article{Leroy-Compcert-CACM,
  author = {Xavier Leroy},
  title = {Formal verification of a realistic compiler},
  journal = {Communications of the ACM},
  year = 2009,
  volume = 52,
  number = 7,
  pages = {107--115},
  url = {http://xavierleroy.org/publi/compcert-CACM.pdf},
  urlpublisher = {http://doi.acm.org/10.1145/1538788.1538814},
  hal = {http://hal.archives-ouvertes.fr/inria-00415861/},
  pubkind = {journal-int-mono},
  abstract = {This paper reports on the development and formal verification (proof
of semantic preservation) of CompCert, a compiler from Clight (a
large subset of the C programming language) to PowerPC assembly code,
using the Coq proof assistant both for programming the compiler and
for proving its correctness.  Such a verified compiler is useful in
the context of critical software and its formal verification: the
verification of the compiler guarantees that the safety properties
proved on the source code hold for the executable compiled code as
well.}
}
@inproceedings{Tristan-Leroy-softpipe,
  author = {Jean-Baptiste Tristan and Xavier Leroy},
  title = {A simple, verified validator for software pipelining},
  booktitle = {Proceedings of the 37th {ACM} Symposium on Principles of
               Programming Languages (POPL'10)},
  pages = {83--92},
  publisher = {ACM Press},
  year = 2010,
  url = {http://xavierleroy.org/publi/validation-softpipe.pdf},
  urlpublisher = {http://doi.acm.org/10.1145/1706299.1706311}
}
@phdthesis{Dargaye-these,
  author = {Zaynah Dargaye},
  title = {Vérification formelle d'un compilateur pour langages fonctionnels},
  school = {Université Paris 7 Diderot},
  year = 2009,
  month = jul,
  hal = {http://tel.archives-ouvertes.fr/tel-00452440/}
}
@phdthesis{Tristan-these,
  author = {Jean-Baptise Tristan},
  title = {Formal verification of translation validators},
  school = {Université Paris 7 Diderot},
  month = nov,
  year = 2009,
  hal = {http://tel.archives-ouvertes.fr/tel-00437582/}
}
@article{Leroy-La-Recherche-10,
  author = {Xavier Leroy},
  title = {Comment faire confiance à un compilateur?},
  journal = {La Recherche},
  note = {Les cahiers de l'INRIA},
  year = {2010},
  month = apr,
  volume = 440,
  url = {http://xavierleroy.org/publi/cahiers-inria-2010.pdf},
  urlpublisher = {http://www.lescahiersinria.fr/sites/default/files/inria-n440-avril10.pdf},
  xtopic = {compcert},
  popularscience = {yes},
  abstract = {(In French.)  A short introduction to compiler verification, published in the French popular science magazine La Recherche.}
}
@inproceedings{Rideau-Leroy-regalloc,
  author = {Silvain Rideau and Xavier Leroy},
  title = {Validating register allocation and spilling},
  booktitle = {Compiler Construction (CC 2010)},
  year = 2010,
  publisher = {Springer},
  series = {Lecture Notes in Computer Science},
  volume = 6011,
  pages = {224-243},
  xtopic = {compcert},
  url = {http://xavierleroy.org/publi/validation-regalloc.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-642-11970-5_13},
  abstract = {Following the translation validation approach to high-assurance
compilation, we describe a new algorithm for validating {\em a
posteriori} the results of a run of register allocation.  The
algorithm is based on backward dataflow inference of
equations between variables, registers and stack locations, and can
cope with sophisticated forms of spilling and live range splitting, as
well as many forms of architectural irregularities such as overlapping
registers.  The soundness of the algorithm was mechanically proved
using the Coq proof assistant.}
}
@incollection{Leroy-Marktoberdorf-09,
  author = {Xavier Leroy},
  title = {Mechanized semantics},
  booktitle = {Logics and languages for reliability and security},
  editors = {J. Esparza and B. Spanfelner and O. Grumberg},
  series = {NATO Science for Peace and Security Series D: Information and Communication Security},
  volume = 25,
  pages = {195--224},
  publisher = {IOS Press},
  year = {2010},
  url = {http://xavierleroy.org/courses/Marktoberdorf-2009/notes.pdf},
  urlpublisher = {http://dx.doi.org/10.3233/978-1-60750-100-8-195},
  xtopic = {mechsem},
  abstract = {The goal of this lecture is to show how modern theorem provers---in
this case, the Coq proof assistant---can be used to mechanize the specification
of programming languages and their semantics, and to reason over
individual programs and over generic program transformations,
as typically found in compilers.  The topics covered include:
operational semantics (small-step, big-step, definitional
interpreters); a simple form of denotational semantics; axiomatic
semantics and Hoare logic; generation of verification conditions, with
application to program proof; compilation to virtual machine code and
its proof of correctness; an example of an optimizing program
transformation (dead code elimination) and its proof of correctness.}
}
@inproceedings{Leroy-PPES-2011,
  author = {Ricardo {Bedin França} and Denis Favre-Felix and Xavier Leroy
            and Marc Pantel and Jean Souyris},
  title = {Towards Optimizing Certified Compilation in Flight Control Software},
  booktitle = {Workshop on Predictability and Performance in Embedded Systems (PPES 2011)},
  pages = {59--68},
  series = {OpenAccess Series in Informatics},
  volume = 18,
  publisher = {Dagstuhl Publishing},
  year = {2011},
  url = {http://hal.archives-ouvertes.fr/inria-00551370/},
  urlpublisher = {http://dx.doi.org/10.4230/OASIcs.PPES.2011.59},
  xtopic = {compcert},
  abstract = {
This work presents a preliminary evaluation of the use of the CompCert formally specified and verified  optimizing compiler for the development of level A critical flight control software. First, the motivation for choosing CompCert is presented, as well as the requirements and constraints for safety-critical avionics software. The main point is to allow optimized code generation by relying on the formal proof of correctness instead of the current un-optimized generation required to produce assembly code structurally similar to the algorithmic language (and even the initial models) source code. The evaluation of its performance (measured using WCET) is presented and the results are compared to those obtained with the currently used compiler. Finally, the paper discusses verification and certification issues that are raised when one seeks to use CompCert for the development of such critical software. }
}
@inproceedings{Leroy-POPL11,
  author = {Xavier Leroy},
  title = {Verified squared: does critical software deserve verified tools?},
  booktitle = {38th symposium Principles of Programming Languages},
  pages = {1--2},
  year = 2011,
  publisher = {ACM Press},
  note = {Abstract of invited lecture},
  url = {http://xavierleroy.org/publi/popl11-invited-talk.pdf},
  urlpublisher = {http://dx.doi.org/10.1145/1926385.1926387},
  xtopic = {compcert},
  abstract = {
The formal verification of programs have progressed tremendously in
the last decade.  Principled but once academic approaches such as
Hoare logic and abstract interpretation finally gave birth to quality
verification tools, operating over source code (and not just idealized
models thereof) and able to verify complex real-world applications.
In this talk, I review some of the obstacles that
remain to be lifted before source-level verification tools can be
taken really seriously in the critical software industry: not just as
sophisticated bug-finders, but as elements of absolute confidence in
the correctness of a critical application.
}
}
@inproceedings{Bedin-Franca-ERTS-2012,
  author = {Ricardo {Bedin França} and Sandrine Blazy and Denis Favre-Felix
            and Xavier Leroy and Marc Pantel and Jean Souyris},
  title = {Formally verified optimizing compilation in {ACG}-based
           flight control software},
  booktitle = {Embedded Real Time Software and Systems (ERTS 2012)},
  year = 2012,
  url = {http://hal.inria.fr/hal-00653367/},
  xtopic = {compcert},
  abstract = {This work presents an evaluation of the CompCert formally specified
and verified optimizing compiler for the development of DO-178 level A
flight control software. First, some fundamental characteristics of
flight control software are presented and the case study program is
described. Then, the use of CompCert is justified: its main point is
to allow optimized code generation by relying on the formal proof of
correctness and additional compilation information instead of the
current un-optimized generation required to produce predictable
assembly code patterns. The evaluation of its performance (measured
using WCET and code size) is presented and the results are compared to
those obtained with the currently used compiler.}
}
@inproceedings{Jourdan-Pottier-Leroy,
  author = {Jacques-Henri Jourdan and François Pottier and Xavier Leroy},
  title = {Validating {LR(1)} Parsers},
  booktitle = {Programming Languages and Systems -- 21st European Symposium on Programming, ESOP 2012},
  url = {http://xavierleroy.org/publi/validated-parser.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-642-28869-2_20},
  year = 2012,
  pages = {397--416},
  series = {Lecture Notes in Computer Science},
  volume = 7211,
  publisher = {Springer},
  xtopic = {compcert},
  abstract = {
An LR(1) parser is a finite-state automaton, equipped with a stack,
which uses a combination of its current state and one lookahead symbol
in order to determine which action to perform next.  We present a
validator which, when applied to a context-free grammar G and an
automaton A, checks that A and G agree.  This validation of the parser
provides the correctness guarantees required by verified compilers and
other high-assurance software that involves parsing.  The validation
process is independent of which technique was used to construct A. The
validator is implemented and proved correct using the Coq proof
assistant. As an application, we build a formally-verified parser for
the C99 language.}
}
@inproceedings{Leroy-APLAS-2012,
  author = {Xavier Leroy},
  title = {Mechanized Semantics for Compiler Verification},
  note = {Abstract of invited talk},
  booktitle = {Programming Languages and Systems, 10th Asian Symposium, APLAS 2012},
  editor = {Ranjit Jhala and Atsushi Igarashi},
  year = {2012},
  pages = {386--388},
  series = {Lecture Notes in Computer Science},
  volume = 7705,
  publisher = {Springer},
  url = {http://xavierleroy.org/publi/mechanized-semantics-aplas-cpp-2012.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-642-35182-2_27},
  xtopic = {mechsem},
  refereed = {no},
  abstract = {The formal verification of compilers and related programming tools
depends crucially on the availability of appropriate mechanized
semantics for the source, intermediate and target languages.  In this
invited talk, I review various forms of operational semantics and
their mechanization, based on my experience with the formal
verification of the CompCert~C compiler.}
}
@inproceedings{Robert-Leroy-2012,
  author = {Valentin Robert and Xavier Leroy},
  title = {A Formally-Verified Alias Analysis},
  booktitle = {Certified Programs and Proofs (CPP 2012)},
  year = 2012,
  series = {Lecture Notes in Computer Science},
  volume = 7679,
  pages = {11-26},
  publisher = {Springer},
  urlpublisher = {http://dx.doi.org/10.1007/978-3-642-35308-6_5},
  url = {http://xavierleroy.org/publi/alias-analysis.pdf},
  xtopic = {compcert},
  abstract = {This paper reports on the formalization and proof of soundness, using
the Coq proof assistant, of an alias analysis: a static analysis that
approximates the flow of pointer values.  The alias analysis
considered is of the points-to kind and is intraprocedural,
flow-sensitive, field-sensitive, and untyped.  Its soundness proof
follows the general style of abstract interpretation.
The analysis is designed to fit in the CompCert C verified compiler,
supporting future aggressive optimizations over memory accesses.}
}
@techreport{Leroy-Appel-Blazy-Stewart-memory-v2,
  author = {Xavier Leroy and Andrew W. Appel and Sandrine Blazy and Gordon Stewart},
  title = {The {CompCert} Memory Model, Version 2},
  institution = {INRIA},
  type = {Research report},
  number = {RR-7987},
  year = {2012},
  month = jun,
  url = {http://hal.inria.fr/hal-00703441},
  xtopic = {compcert},
  abstract = {A memory model is an important component of the formal semantics of imperative programming languages: it specifies the behavior of operations over memory states, such as reads and writes. The formally verified CompCert C compiler uses a sophisticated memory model that is shared between the semantics of its source language (the CompCert subset of C) and intermediate languages. The algebraic properties of this memory model play an important role in the proofs of semantic preservation for the compiler. The initial design of the CompCert memory model is described in an article by Leroy and Blazy (J. Autom. Reasoning 2008). The present research report describes version 2 of this memory model, improving over the main limitations of version 1. The first improvement is to expose the byte-level, in-memory representation of integers and floats, while preserving desirable opaqueness properties of pointer values. The second improvement is the integration of a fine-grained mechanism of permissions (access rights), which supports more aggressive optimizations over read-only data, and paves the way towards shared-memory, data-race-free concurrency in the style of Appel's Verified Software Toolchain project.}
}
@inproceedings{Boldo-Jourdan-Leroy-Melquiond-2013,
  title = {A Formally-Verified {C} Compiler Supporting Floating-Point Arithmetic},
  author = {Boldo, Sylvie and Jourdan, Jacques-Henri and Leroy, Xavier and Melquiond, Guillaume},
  booktitle = {ARITH, 21st IEEE International Symposium on Computer Arithmetic},
  pages = {107-115},
  publisher = {IEEE Computer Society Press},
  url = {http://hal.inria.fr/hal-00743090},
  year = 2013,
  xtopic = {compcert},
  abstract = {Floating-point arithmetic is known to be tricky: roundings, formats,
exceptional values. The IEEE-754 standard was a push towards
straightening the field and made formal reasoning about floating-point
computations easier and flourishing. Unfortunately, this is not
sufficient to guarantee the final result of a program, as several
other actors are involved: programming language, compiler,
architecture.  The CompCert formally-verified compiler provides a
solution to this problem: this compiler comes with a mathematical
specification of the semantics of its source language (a large subset
of ISO C90) and target platforms (ARM, PowerPC, x86-SSE2), and with a
proof that compilation preserves semantics.  In this paper, we report
on our recent success in formally specifying and proving correct
CompCert's compilation of floating-point arithmetic.  Since CompCert
is verified using the Coq proof assistant, this effort required a
suitable Coq formalization of the IEEE-754 standard; we extended the
Flocq library for this purpose.  As a result, we obtain the first
formally verified compiler that provably preserves the semantics of
floating-point programs.}
}
@incollection{Leroy-Appel-Blazy-Stewart-memory,
  author = {Leroy, Xavier and Appel, Andrew W. and Blazy, Sandrine and Stewart, Gordon},
  title = {The {CompCert} memory model},
  year = {2014},
  month = apr,
  booktitle = {Program Logics for Certified Compilers},
  editor = {Appel, Andrew W.},
  publisher = {Cambridge University Press},
  url = {http://vst.cs.princeton.edu/}
}
@article{Boldo-Jourdan-Leroy-Melquiond-JAR,
  title = {Verified Compilation of Floating-Point Computations},
  author = {Boldo, Sylvie and Jourdan, Jacques-Henri and Leroy, Xavier and Melquiond, Guillaume},
  journal = {Journal of Automated Reasoning},
  year = 2015,
  volume = 54,
  number = 2,
  pages = {135--163},
  xtopic = {compcert},
  url = {http://xavierleroy.org/publi/floating-point-compcert.pdf},
  urlpublisher = {http://dx.doi.org/10.1007/s10817-014-9317-x},
  abstract = {Floating-point arithmetic is known to be tricky: roundings, formats,
exceptional values. The IEEE-754 standard was a push towards
straightening the field and made formal reasoning about floating-point
computations easier and flourishing. Unfortunately, this is not
sufficient to guarantee the final result of a program, as several
other actors are involved: programming language, compiler, and
architecture.  The CompCert formally-verified compiler provides a
solution to this problem: this compiler comes with a mathematical
specification of the semantics of its source language (a large subset
of ISO C99) and target platforms (ARM, PowerPC, x86-SSE2), and with a
proof that compilation preserves semantics.  In this paper, we report
on our recent success in formally specifying and proving correct
CompCert's compilation of floating-point arithmetic.  Since CompCert
is verified using the Coq proof assistant, this effort required a
suitable Coq formalization of the IEEE-754 standard; we extended the
Flocq library for this purpose.  As a result, we obtain the first
formally verified compiler that provably preserves the semantics of
floating-point programs.}
}
@inproceedings{Kastner-LBSSF-2017,
  title = {Closing the gap -- The formally verified optimizing compiler {CompCert}},
  author = {K{\"a}stner, Daniel and Leroy, Xavier and Blazy, Sandrine and Schommer, Bernhard and Schmidt, Michael and Ferdinand, Christian},
  urllocal = {http://xavierleroy.org/publi/compcert-SSS2017.pdf},
  hal = {https://hal.inria.fr/hal-01399482},
  urlpublisher = {http://scsc.org.uk/p135},
  booktitle = {SSS'17: Developments in System Safety Engineering: Proceedings of the Twenty-fifth Safety-critical Systems Symposium},
  year = {2017},
  publisher = {CreateSpace},
  pages = {163--180},
  xtopic = {compcert},
  abstract = {CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be free from miscompilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. CompCert's intended use is the compilation of safety-critical and mission-critical software meeting high levels of assurance. This article gives an overview of the design of CompCert and its proof concept, summarizes the resulting confidence argument, and gives an overview of relevant tool qualification strategies. We briefly summarize practical experience and give an overview of recent CompCert developments.}
}
@inproceedings{Leroy-BKSPF-2016,
  author = {Xavier Leroy and Sandrine Blazy and Daniel K\"astner
            and Bernhard Schommer and Markus Pister and Christian Ferdinand},
  title = {CompCert -- A Formally Verified Optimizing Compiler},
  booktitle = {ERTS 2016: Embedded Real Time Software and Systems},
  publisher = {SEE},
  year = 2016,
  url = {http://xavierleroy.org/publi/erts2016_compcert.pdf},
  hal = {https://hal.inria.fr/hal-01238879},
  xtopic = {compcert},
  abstract = {CompCert is the first commercially available 
optimizing compiler that is formally verified, using machine-assisted
mathematical proofs, to be exempt from mis-compilation.
The executable code it produces is proved
to behave exactly as specified by the semantics of the
source C program. This article gives an overview of
the design of CompCert and its proof concept and then
focuses on aspects relevant for industrial application.
We briefly summarize practical experience and give an
overview of recent CompCert development aiming at industrial usage.
CompCert’s intended use is the compilation of life-critical
and mission-critical software meeting high levels of assurance.
In this context tool qualification is of paramount importance. We
summarize the confidence argument of CompCert and give an overview of
relevant qualification strategies.}
}
@inproceedings{Jourdan-LBLP-2015,
  author = {Jacques-Henri Jourdan and Vincent Laporte and
            Sandrine Blazy and Xavier Leroy and David Pichardie},
  title = {A Formally-Verified {C} Static Analyzer},
  booktitle = {POPL 2015: 42nd symposium Principles of Programming Languages},
  publisher = {ACM Press},
  year = 2015,
  url = {http://xavierleroy.org/publi/verasco-popl2015.pdf},
  urlpublisher = {http://dx.doi.org/10.1145/2676726.2676966},
  pages = {247-259},
  xtopic = {analysis},
  abstract = {This paper reports on the design and soundness proof, using the Coq
proof assistant, of Verasco, a static analyzer based on abstract
interpretation for most of the ISO~C~1999 language (excluding
recursion and dynamic allocation).  Verasco establishes the absence of
run-time errors in the analyzed programs.  It enjoys a modular
architecture that supports the extensible combination of multiple
abstract domains, both relational and non-relational.  Verasco
integrates with the CompCert formally-verified C~compiler so that not
only the soundness of the analysis results is guaranteed with
mathematical certitude, but also the fact that these guarantees carry
over to the compiled code.}
}
@phdthesis{jourdan:tel-01327023,
  title = {{Verasco: a Formally Verified C Static Analyzer}},
  author = {Jourdan, Jacques-Henri},
  hal = {https://hal.archives-ouvertes.fr/tel-01327023},
  school = {{Universit\'e Paris 7 Diderot}},
  year = {2016},
  month = may,
  type = {PhD thesis},
  hal_id = {tel-01327023},
  hal_version = {v1}
}
@inproceedings{Bourke-BDLPR-2017,
  title = {A formally verified compiler for {Lustre}},
  author = {Timothy Bourke and
            Lélio Brun and
            Pierre-Évariste Dagand and
            Xavier Leroy and
            Marc Pouzet and
            Lionel Rieg},
  booktitle = {PLDI 2017: Programming Language Design and Implementation},
  pages = {586-601},
  publisher = {ACM Press},
  year = 2017,
  url = {http://xavierleroy.org/publi/velus-pldi17.pdf},
  hal = {https://hal.inria.fr/hal-01512286/},
  urlpublisher = {https://doi.org/10.1145/3062341.3062358},
  xtopic = {compcert},
  abstract = {The correct compilation of block diagram languages like Lustre, Scade, and a discrete subset of Simulink is important since they are used to program critical embedded control software. We describe the specification and verification in an Interactive Theorem Prover of a compilation chain that treats the key aspects of Lustre: sampling, nodes, and delays. Building on CompCert, we show that repeated execution of the generated assembly code faithfully implements the dataflow semantics of source programs. We resolve two key technical challenges. The first is the change from a synchronous dataflow semantics, where programs manipulate streams of values, to an imperative one, where computations manipulate memory sequentially. The second is the verified compilation of an imperative language with encapsulated state to C code where the state is realized by nested records. We also treat a standard control optimization that eliminates unnecessary conditional statements.}
}
@inproceedings{CompCert-ERTS-2018,
  author = {Daniel Kästner and
            Ulrich Wünsche and
            Jörg Barrho and 
            Marc Schlickling and
            Bernhard Schommer and
            Michael Schmidt and
            Christian Ferdinand and
            Xavier Leroy and
            Sandrine Blazy},
  title = {{CompCert}: Practical experience on integrating and qualifying
           a formally verified optimizing compiler},
  booktitle = {ERTS 2018: Embedded Real Time Software and Systems},
  publisher = {SEE},
  year = 2018,
  month = jan,
  hal = {https://hal.inria.fr/hal-01643290},
  url = {http://xavierleroy.org/publi/erts2018_compcert.pdf},
  xtopic = {compcert},
  abstract = {CompCert is the first commercially available optimizing compiler that is formally verified, using machine-assisted mathematical proofs, to be exempt from mis-compilation. The executable code it produces is proved to behave exactly as specified by the semantics of the source C program. This article gives an overview of the use of CompCert to gain certification credits for a highly safety-critical industry application, certified according to IEC 60880. We will briefly introduce the target application, illustrate the process of changing the existing compiler infrastructure to CompCert, and discuss performance characteristics. The main part focuses on the tool qualification strategy, in particular on how to take advantage of the formal correctness proof in the certification process.}
}
@inproceedings{AIS-annot-WCET-2018,
  title = {Embedded Program Annotations for {WCET} Analysis},
  author = {Schommer, Bernhard and Cullmann, Christoph and Gebhard, Gernot and Leroy, Xavier and Schmidt, Michael and Wegener, Simon},
  hal = {https://hal.inria.fr/hal-01848686},
  booktitle = {WCET 2018: 18th International Workshop on Worst-Case Execution Time Analysis},
  publisher = {Dagstuhl Publishing},
  series = {OASIcs},
  volume = 63,
  year = {2018},
  month = jul,
  urlpublisher = {http://dx.doi.org/10.4230/OASIcs.WCET.2018.8},
  doi = {10.4230/OASIcs.WCET.2018.8},
  abstract = {We present \verb'__builtin_ais_annot()', a user-friendly, versatile way to transfer annotations (also known as flow facts) written on the source code level to the machine code level. To do so, we couple two tools often used during the development of safety-critical hard real-time systems, the formally verified C compiler CompCert and the static WCET analyzer aiT. CompCert stores the AIS annotations given via \verb'__builtin_ais_annot()' in a special section of the ELF binary, which can later be extracted automatically by aiT.}
}

This file was generated by bibtex2html 1.99.