Proof-transforming compilation of eiffel programs

Abstract

In modern development schemes the processing of programs often involves an intermediate step of translation to some intermediate bytecode, complicating the verification task. Expanding on the ideas of Proof-Carrying Code (PCC), we have built a proof-transforming compiler which translates a contract-equipped program and its proof into bytecode representing both the program and the proof; before execution starts, the program will be run through a proof checker. The proofs address not only security properties, as in the original PCC work, but full functional correctness as expressed by the original contracts. The task of the proof-transforming compiler is made particularly challenging by the impedance mismatch between the source language, Eiffel, and the target code,.NET CIL, which does not directly support such important Eiffel mechanisms as multiple inheritance and contract-based exceptions. We present the overall proof-transforming compilation architecture, the issues encountered, and the solutions that have been devised to bridge the impedance mismatch.