\start
Date: Tue, 6 Nov 2018 17:39:50 -0500
From: Tim Daly <axiomcas@gmail.com>
To: axiom-dev <axiom-developer@nongnu.org>, Tim Daly <daly@axiom-developer.org>
Subject: [Axiom-developer] axiom-developer is not down

axiom-developer is up and has been for years.

The problem is spam. Certain subnets have been filtered because
spam is being generated from that subnet. If you send me your IP
\begin{verbatim}address I can fix the filter to be more specific.

\start
Date: Wed, 7 Nov 2018 14:54:14 -0500
From: Tim Daly <axiomcas@gmail.com>
To: Frank Pfenning <fp@cs.cmu.edu>, Tim Daly <daly@axiom-developer.org>, 
	axiom-dev <axiom-developer@nongnu.org>
Subject: [Axiom-developer] parametricity

Reynolds is stated as the inventor of parametricity. But it seems to me
that the
same idea is stated quite clearly by Dijkstra in 1970 in this note:
https://vanemden.wordpress.com/2018/10/29/history-of-structured-programming/#EWD288

In addition, Dijkstra broaches the interesting idea that proofs ought to be
constructed
at the level of the flowchart first. Once that is done, using high level
steps, it can be
refined into code. But the proof of the code is essentially a refinement of
the proof of
the flowchart. This idea is interesting in that it is often the case that a
flowchart might
say "find the largest value such that...", which when reduced to code would
involve a loop.
A proof that the largest value exists at the abstract "flowchart" level
would be easier
to prove than a low-level inductive proof of a program loop that implements
the search
and involving issues such as finding invariants.

To my mind, this "hierarchical proof technique" (my words, not Dijkstra's)
is rather
interesting.

Tim

\start
Date: Wed, 7 Nov 2018 20:18:33 -0500
From: Frank Pfenning <fp@cs.cmu.edu>
To: Tim Daly <axiomcas@gmail.com>
Subject: Re: [Axiom-developer] parametricity

I don't see where parametricity is stated in this note; you'll have to be
more
specific.

Reynolds credits Christopher Strachey for distinguishing ad hoc
and parametric polymorphism.  What Reynolds realized and proved is the
parametricity theorem: every function in the polymorphic lambda calculus
(and a few other type constructors) is parametric.  Giving a technical
formulation of this (related values of related types are mapped to related
results) is a major advance in our understanding of how to reason about
programming languages as a whole and individual programs, too.  Among
other things, data abstraction (a concept Reynolds certainly did not invent)
is a consequence of the parametricity theorem.

  - Frank

On Wed, Nov 7, 2018 at 2:54 PM Tim Daly <axiomcas@gmail.com> wrote:

> Reynolds is stated as the inventor of parametricity. But it seems to me
> that the
> same idea is stated quite clearly by Dijkstra in 1970 in this note:
>
> https://vanemden.wordpress.com/2018/10/29/history-of-structured-programming/#EWD288
>
> In addition, Dijkstra broaches the interesting idea that proofs ought to
> be constructed
> at the level of the flowchart first. Once that is done, using high level
> steps, it can be
> refined into code. But the proof of the code is essentially a refinement
> of the proof of
> the flowchart. This idea is interesting in that it is often the case that
> a flowchart might
> say "find the largest value such that...", which when reduced to code
> would involve a loop.
> A proof that the largest value exists at the abstract "flowchart" level
> would be easier
> to prove than a low-level inductive proof of a program loop that
> implements the search
> and involving issues such as finding invariants.
>
> To my mind, this "hierarchical proof technique" (my words, not Dijkstra's)
> is rather
> interesting.
>
> Tim
>
>

-- 
Frank Pfenning, Professor
Computer Science Department
Carnegie Mellon University
Pittsburgh, PA 15213-3891

http://www.cs.cmu.edu/~fp
+1 412 268-6343
GHC 6017

\start
Date: Sun, 11 Nov 2018 19:09:53 -0500
From: Tim Daly <axiomcas@gmail.com>
To: axiom-dev <axiom-developer@nongnu.org>, Tim Daly <daly@axiom-developer.org>,
	Prof Robert Harper <rwh@cs.cmu.edu>
Subject: [Axiom-developer] ISA Semantics for ARMv8-A, RISC-V, and CHERI-MIPS

All,

This paper about ISA Semantics for ARMv8-A, RISC-V, and CHERI-MIPS
https://alastairreid.github.io/papers/popl19-isasemantics.pdf
is interesting. It seems to provide a "base case" for proving programs
correct. In particular, they seem to be able to generate proof code for
various provers, including Coq.

One of the criticisms about "proven programs" is that they tend to
ignore implementation details. But given a lisp variant, Milaw, that
is proven to the hardware instructions this new step is really important.

A proof of the machine instructions, a proof of milawa on top of those
instructions, a proof of lisp extensions on top of milawa, and a proof
of Axiom's spad language on top of lisp turns into a fully validated
tower.

It appears that all of this (and it is an impressive pile) can be developed
in Coq.

Also of interest, while I was part of the CMU CERT effort I developed
the ISA for the Intel 32 bit processor [0]. My program reads Intel binary
and generates "Conditional-Concurrent Assignment" semantics. I may
be able to re-target the back end to their Sail language which would
provide ISA semantics for Intel 32 in Coq.

Tim

[0]

Daly, Timothy Intel Instruction Semantics Generator
<http://daly.axiom-developer.org/TimothyDaly_files/publications/sei/intel/intel.pdf>
SEI/CERT Research Report, March 2012

\start
Date: Mon, 12 Nov 2018 07:45:16 -0500
From: Tim Daly <axiomcas@gmail.com>
To: axiom-dev <axiom-developer@nongnu.org>, Tim Daly <daly@axiom-developer.org>,
	Prof Robert Harper <rwh@cs.cmu.edu>
Subject: Re: [Axiom-developer] ISA Semantics for ARMv8-A, RISC-V,
 and CHERI-MIPS

> John writes:
> This "only" proves down to the binary API. Is there proven hardware?

Their effort is only "proven to binary" but they do manage to run Linux on
it.

There is a language called Verilog to specify "down to the wires and
transistors"
See https://www.utdallas.edu/~gxm112130/papers/iscas15.pdf

There is "Project Oberon" which is designing a "complete desktop computer
from
scratch" staring from the wires and transistors. Their lowest layer is in
Verilog on
a Field Programmable Gate Array (FPGA):
http://www.projectoberon.com/
https://www.inf.ethz.ch/personal/wirth/FPGA-relatedWork/RISC.pdf

<https://www.inf.ethz.ch/personal/wirth/FPGA-relatedWork/RISC.pdf>
The proof game at this level involve mealy/moore state machines since
everything happens all at once on real hardware.

I have an Altera Cyclone FPGA that can run their RISC-V Verilog
http://daly.axiom-developer.org/AlteraCyclone.jpg
but haven't yet had the time to run the Oberon code.

So eventually the Coq proof runs from FPGA <-> Binary <-> Jitawa <->
Milawa <-> ACL2 / lisp <-> Axiom spad <-> algorithm spec <-> Coq proof.
It will take longer than I expect but all of the parts are there.

On Sun, Nov 11, 2018 at 7:09 PM Tim Daly <axiomcas@gmail.com> wrote:

> All,
>
> This paper about ISA Semantics for ARMv8-A, RISC-V, and CHERI-MIPS
> https://alastairreid.github.io/papers/popl19-isasemantics.pdf
> is interesting. It seems to provide a "base case" for proving programs
> correct. In particular, they seem to be able to generate proof code for
> various provers, including Coq.
>
> One of the criticisms about "proven programs" is that they tend to
> ignore implementation details. But given a lisp variant, Milaw, that
> is proven to the hardware instructions this new step is really important.
>
> A proof of the machine instructions, a proof of milawa on top of those
> instructions, a proof of lisp extensions on top of milawa, and a proof
> of Axiom's spad language on top of lisp turns into a fully validated
> tower.
>
> It appears that all of this (and it is an impressive pile) can be developed
> in Coq.
>
> Also of interest, while I was part of the CMU CERT effort I developed
> the ISA for the Intel 32 bit processor [0]. My program reads Intel binary
> and generates "Conditional-Concurrent Assignment" semantics. I may
> be able to re-target the back end to their Sail language which would
> provide ISA semantics for Intel 32 in Coq.
>
> Tim
>
> [0]
>
> Daly, Timothy Intel Instruction Semantics Generator
> <http://daly.axiom-developer.org/TimothyDaly_files/publications/sei/intel/intel.pdf>
> SEI/CERT Research Report, March 2012
>

\documentclass{book}
%\newcommand{\VolumeName}{Volume 2: Axiom Users Guide}
%\input{bookheader.tex}
\pagenumbering{arabic}
\mainmatter
\setcounter{chapter}{0} % Chapter 1

\usepackage{makeidx}
\makeindex
\begin{document}


\end{verbatim}
\eject
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\cleardoublepage
%\phantomsection
\addcontentsline{toc}{chapter}{Bibliography}
\bibliographystyle{axiom}
\bibliography{axiom}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\cleardoublepage
%\phantomsection
\addcontentsline{toc}{chapter}{Index}
\printindex
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\end{document}
