We describe a macro for introducing \partial functions" into ACL2, i.e., functions not dened everywhere. The function \denitions" are actually admitted via the encapsulation principle. We discuss the basic issues surrounding partial functions in ACL2 and illustrate theorems that can be proved about such functions.

. As an alternative to commercial hardware description languages, AMD 1 has developed an RTL language for microprocessor designs that is simple enough to admit a clear semantic definition, providing a basis for formal verification. We describe a mechanical proof system for designs represented in this language, consisting of a translator to the ACL2 logical programming language and a methodology for verifying properties of the resulting programs using the ACL2 prover. As an illustration, we present a proof of IEEE compliance of the floating-point adder of the AMD Athlon processor. 1 Introduction The formal hardware verification effort at AMD has emphasized theorem proving using ACL2 [3], and has focused on the elementary floating-point operations. One of the challenges of our earlier work was to construct accurate formal models of the targeted circuit designs. These included the division and square root operations of the AMD-K5 processor [4, 6], which were implemented in microcode, a...

Abstract — We show how to verify pipelined machine models with bit-level interfaces by using a combination of deductive reasoning and decision procedures. While decision procedures such as those implemented in UCLID can be used to verify away the datapath, require the use of numerous abstractions, implement a small subset of the instruction set, and are far from executable. In contrast, we focus on verifying executable machines with bit-level interfaces. Such proofs have previously required substantial expert guidance and the use of deductive reasoning engines. We show that by integrating UCLID with the ACL2 theorem proving system, we can use ACL2 to reduce the proof that an executable, bit-level machine refines its instruction set architecture to a proof that a term level abstraction of the bit-level machine refines the instruction set architecture, which is then handled automatically by UCLID. In this way, we exploit the strengths of ACL2 and UCLID to prove theorems that are not possible to even state using UCLID and that would require prohibitively more effort using just ACL2. I.

The use of pipelines is an important technique in contemporary hardware design, particularly at the level of register-transfer logic (RTL). Earlier formal analysis (e.g., [4]) using the ACL2 theorem prover showed correctness of pipelined floating-point RTL. This paper extends that work by considering a notion of a conditional pipeline, essentially the result of sharing hardware among several distinct pipelines. We have employed a pipeline tool, written in ACL2 but completely unverified, to find a pipelinerelated bug in an industrial hardware design, which has since been corrected.

Abstract. Termination proofs are of critical importance for establishing the correct behavior of both transformational and reactive computing systems. A general setting for establishing termination proofs involves the use of the ordinal numbers, an extension of the natural numbers into the transfinite which were introduced by Cantor in the nineteenth century and are at the core of modern set theory. We present the first comprehensive treatment of ordinal arithmetic on compact ordinal notations and give efficient algorithms for various operations, including addition, subtraction, multiplication, and exponentiation. Using the ACL2 theorem proving system, we implemented our ordinal arithmetic algorithms, mechanically verified their correctness, and developed a library of theorems that can be used to significantly automate reasoning involving the ordinals. To enable users of the ACL2 system to fully utilize our work required that we modify ACL2, e.g., we replaced the underlying representation of the ordinals and added a large library of definitions and theorems. Our modifications are available starting with ACL2 version 2.8. 1.

In this paper, we present a proof in ACL2(r) of Taylor's formula with remainder.

Formal Verification History We have emphasized automated theorem proving. 1995--96: Division and square root algorithms for AMD-K5 microcode[3, 5] 1997--present: Proofs of floating-point algorithms and actual RTL that use ACL2 on the AMD Athlon processor and its derivatives [6, 7, 8] \Gamma We have a translator from our proprietary RTL to ACL2 [7] that enables RTL proofs. 2001: Completed some protocol-level proofs 5 A natural target for theorem provers [10, 4] Concise formal specifications relating outputs to inputs The RTL is relatively tractable. \Gamma While the size of an FPU may be substantial, the logic tends to decompose by operation. \Gamma The interfaces with other modules are smaller and simpler. Complexity of floating-point designs causes problems for other verification approaches. \Gamma Testing alone may be inadequate. \Gamma Decision procedures used in formal verification traditionally have capacity limitations, for example for multiplication and shiftin

ACL2 [6–8] is a powerful, industrial strength theorem proving system, which has been used on

Abstract- We describe a methodology for the formal verification of the correctness, including IEEE-compliance, of register-transfer level models of floating-point hardware designs, and its application to the floating-point units of a series of commercial microprocessors produced by Advanced Micro Devices, Inc. The methodology is based on a mechanical translator from a synthesizable subset of the Verilog hardware description language, in which the models are coded, to the formal logic of the ACL2 theorem prover. Behavioral specifications of correctness, coded in essentially the same language as the designs, are translated as well, and ultimately checked with the ACL2 prover. Keywords — Formal verification, Floating-point arithmetic, IEEE-compliance, Theorem proving, ACL2

Feature-oriented programming is a way of designing a program around the fea-tures it performs, rather than the objects or files it manipulates. This should lead to an extensible and flexible “product-line ” architecture that allows custom systems to be assembled with particular features included or excluded as needed. Composing these features together modularly, while leading to flexibility in the feature-set of the finished product, can also lead to unexpected interactions that occur between features. Robert Hall presented a manual methodology for locating these inter-actions and has used it to search for feature interactions in email[Hal00]. Li et al. performed automatic verification of Hall’s system using model-checking verifica-tions tools[LKF02a, LKF02b]. Model-checking verification is state-based, and is not well-suited for verifying recursive data structures, an area where theorem-proving verification tools excel. In this thesis, we propose a methodology for using formal theorem-proving tools for modularly verifying feature-oriented systems. The methodology presented cap-