Algorithms for ordinal arithmetic
- In 19th International Conference on Automated Deduction (CADE), 2003
Cited by 10 (5 self)
Abstract. Proofs of termination are essential for establishing the correct behavior of computing systems. There are various ways of establishing termination, but the most general involves the use of ordinals. An example of a theorem proving system in which ordinals are used to prove termination is ACL2. In ACL2, every function defined must be shown to terminate using the ordinals up to ε0. We use a compact notation for the ordinals up to ε0 (exponentially more succinct than the one used by ACL2) and define efficient algorithms for ordinal addition, subtraction, multiplication, and exponentiation. In this paper we describe our notation and algorithms, prove their correctness, and analyze their complexity.
Adding a total order to ACL2
- In Third International Workshop on the ACL2 Theorem Prover and its Applications (ACL2-2002), 2002
Cited by 7 (2 self)
Abstract. We show that adding a total order to ACL2, via new axioms, allows for simpler and more elegant definitions of functions and libraries of theorems. We motivate the need for a total order with a simple example and explain how a total order can be used to simplify existing libraries of theorems (i.e., ACL2 books) on finite set theory and records. These ideas have been incorporated into ACL2 Version 2.6, which includes axioms positing a total order on the ACL2 universe.
1 Introduction. ACL2 [7, 6, 8] is a logic of total functions. One particularly pleasant consequence is that many properties of functions can be stated as unconditional rewrite rules. For example, we can prove (equal (* y (* x z)) (* x (* y z))) without having to establish that x, y, and z are numbers. Such unconditional rewrite rules lead to simpler libraries of theorems, which in turn improve the ability of ACL2 to reduce large terms automatically and efficiently. Unfortunately, it is problematic to exploit fully the totality of functions in ACL2 Version 2.5. One is often forced to use rewrite rules with hypotheses because of the lack of a definable total order on the ACL2 universe.
Ordinal arithmetic: Algorithms and mechanization
- Journal of Automated Reasoning, 2006
Cited by 4 (3 self)
Abstract. Termination proofs are of critical importance for establishing the correct behavior of both transformational and reactive computing systems. A general setting for establishing termination proofs involves the use of the ordinal numbers, an extension of the natural numbers into the transfinite which were introduced by Cantor in the nineteenth century and are at the core of modern set theory. We present the first comprehensive treatment of ordinal arithmetic on compact ordinal notations and give efficient algorithms for various operations, including addition, subtraction, multiplication, and exponentiation. Using the ACL2 theorem proving system, we implemented our ordinal arithmetic algorithms, mechanically verified their correctness, and developed a library of theorems that can be used to significantly automate reasoning involving the ordinals. To enable users of the ACL2 system to fully utilize our work required that we modify ACL2, e.g., we replaced the underlying representation of the ordinals and added a large library of definitions and theorems. Our modifications are available starting with ACL2 version 2.8.
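The two ordinal-arithmetic abstracts above (CADE 2003 and JAR 2006) describe algorithms over a compact notation for the ordinals below ε0 but do not show them. The Python below is an added example, not code from either paper or from the ACL2 ordinal library: it uses a plain Cantor normal form (a tuple of (exponent, coefficient) pairs, not the papers' more succinct notation) and implements comparison, addition, left subtraction, multiplication and natural-number powers; the general ordinal exponentiation the papers cover is not implemented. The trace at the end is constructed to show why termination measures reach for ordinals: a pair (m, n) in which n may jump arbitrarily when m shrinks has no obvious natural-number measure, but maps to ω·m + n, which decreases at every step.

```python
"""Ordinal arithmetic on Cantor normal form (CNF) below epsilon_0.

Representation (chosen for this example): an ordinal is a tuple of
(exponent, coefficient) pairs ((e1, c1), ..., (ek, ck)) meaning
omega^e1 * c1 + ... + omega^ek * ck, with e1 > e2 > ... > ek (exponents are
themselves ordinals in the same form) and every ci a positive int.
The empty tuple is 0; a natural number n > 0 is ((0, n),) since omega^0 = 1.
"""

ZERO = ()


def nat(n):
    """The finite ordinal n."""
    if n < 0:
        raise ValueError("ordinals are not negative")
    return ZERO if n == 0 else ((ZERO, n),)


def omega_pow(exponent, coeff=1):
    """omega^exponent * coeff as a single-term CNF ordinal."""
    if coeff < 1:
        raise ValueError("coefficient must be positive")
    return ((exponent, coeff),)


OMEGA = omega_pow(nat(1))


def is_cnf(a):
    """Well-formedness: exponents strictly decreasing and CNF, coefficients positive."""
    for i, (e, c) in enumerate(a):
        if c < 1 or not is_cnf(e):
            return False
        if i > 0 and cmp(a[i - 1][0], e) <= 0:
            return False
    return True


def cmp(a, b):
    """Three-way comparison (-1, 0, 1): leading exponent, then coefficient, then tail."""
    for (ea, ca), (eb, cb) in zip(a, b):
        c = cmp(ea, eb)
        if c:
            return c
        if ca != cb:
            return -1 if ca < cb else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def add(a, b):
    """a + b: terms of a below b's leading exponent are absorbed, an equal one merges."""
    if not b:
        return a
    eb, cb = b[0]
    keep = tuple(t for t in a if cmp(t[0], eb) > 0)
    same = [t for t in a if cmp(t[0], eb) == 0]
    if same:
        return keep + ((eb, same[0][1] + cb),) + b[1:]
    return keep + b


def sub(a, b):
    """Left subtraction: the unique g with b + g == a; requires b <= a."""
    c = cmp(a, b)
    if c < 0:
        raise ValueError("b must not exceed a")
    if c == 0:
        return ZERO
    if not b:
        return a
    (ea, ca), (eb, cb) = a[0], b[0]
    if cmp(ea, eb) > 0:
        return a                      # b is absorbed entirely by a's leading term
    if ca > cb:                       # exponents equal (a > b rules out ea < eb)
        return ((ea, ca - cb),) + a[1:]
    return sub(a[1:], b[1:])          # leading terms identical, recurse on tails


def mul(a, b):
    """a * b by left distributivity: a*(t1 + t2 + ...) = a*t1 + a*t2 + ..."""
    if not a or not b:
        return ZERO
    ea, ca = a[0]
    result = ZERO
    for eb, cb in b:
        if not eb:                    # a * n: only the leading coefficient scales
            term = ((ea, ca * cb),) + a[1:]
        else:                         # a * omega^eb * cb = omega^(ea + eb) * cb
            term = ((add(ea, eb), cb),)
        result = add(result, term)
    return result


def pow_nat(a, n):
    """a^n for a natural-number exponent n (general ordinal exponents not handled)."""
    result = nat(1)
    for _ in range(n):
        result = mul(result, a)
    return result


def lex_measure(m, n):
    """omega*m + n: ordinal measure for a pair compared lexicographically."""
    return add(mul(OMEGA, nat(m)), nat(n))


def strictly_decreasing(measures):
    """True iff every measure is strictly below its predecessor (a valid termination trace)."""
    return all(cmp(y, x) < 0 for x, y in zip(measures, measures[1:]))


if __name__ == "__main__":
    # Constructed trace of an Ackermann-style recursion: n jumps up when m drops.
    trace = [(2, 3), (1, 100), (1, 99), (0, 7)]
    print(strictly_decreasing([lex_measure(m, n) for m, n in trace]))  # True
```

Note the asymmetry the functions expose: `add(nat(1), OMEGA)` returns `OMEGA` while `add(OMEGA, nat(1))` does not, and `mul(nat(2), OMEGA)` collapses to `OMEGA`. `is_cnf` is the representation invariant; in the mechanized library described above, the corresponding theorems (that each operation preserves the invariant and agrees with the set-theoretic definition) are what ACL2 proves, which is what lets a termination argument over these measures be trusted.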
Efficient Rewriting of Operations on Finite Structures in ACL2
- 2002
Cited by 3 (0 self)
We give a useful set of unconditional rewrite rules for reasoning about record structures, which are essentially finite functions. The problem, then, is to define functions for which these rules are true and then prove the rules. We begin with a series of definitions that attempt to satisfy these rules but fall short for various reasons. Then we give two solutions, one of which generalizes to other finite structures. The definitions of our access and update functions are somewhat subtle, complex, and inefficient, but they return the expected values and the theorems exported are elegant and efficient for automatic, unconditional rewriting.
Reducing Invariant Proofs to Finite Search via Rewriting
- 5th International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2 2004), 2004
Cited by 2 (2 self)
We present a tool-supported methodology for proving predicates invariant over all time for any behavior of a given system. We prove invariants by exploring a finite graph generated from the definition of the predicate using rewrite rules from proven ACL2 theorems. The methodology provides a means for proving invariants which avoids the complexity and cost of defining an inductive invariant while still allowing the proof of invariants for reactive systems modeled in an expressive language. We present two examples of the application of the methodology: a simple critical section example, and a slightly more complex ESI cache coherence model.
Deductive Mechanical Verification of Concurrent Systems
- 2005
Cited by 1 (0 self)
In the tenure of a graduate student, one often has the distinct pleasure to interact and work with a number of different colleagues with different perspectives in general and on research problems in particular. This has certainly been the case with my time as a full-time and part-time graduate student. Unfortunately, while the length of my tenure has thankfully increased the number of colleagues whom I have had the opportunity to work with, it has also increased the likelihood that I will forget to acknowledge those whom I truly should. To those individuals whom I do not include here, I offer my apology. I wish to first acknowledge the members of my committee: Don Fussell, Adnan Aziz, Warren Hunt, J Strother Moore, and Jacob Abraham. I am thankful to each of the committee members for their consideration and examination of my work and in general, for their time and patience. I wish to thank J Moore for his continued interest and support. I have been truly inspired by J's focus, energy, and standards in his work on ACL2. I also wish to thank my supervisor Jacob Abraham. Jacob has demonstrated an impressive amount of patience and allowed me the freedom to explore areas which we may not have otherwise considered. I have always been impressed with Jacob's imagination and he has provided keen insights and constructive advice on my work which have proven very useful over the years.
Combining Theorem Proving and Model Checking for Certification of Behavioral Synthesis Flows
Cited by 1 (1 self)
Abstract. We develop a framework for certifying behavioral synthesis flows. Certification is decomposed into verified and verifying components, which are discharged by theorem proving and model checking respectively. The bridge between these components is provided by a new formal structure, clocked control data flow graph (CCDFG), that serves as the golden circuit model used in this framework. We discuss how CCDFGs facilitate both theorem proving and model checking. The semantics of CCDFGs have been formalized with the ACL2 theorem prover, and the formalization used to certify generic synthesis transformations. Finally, we extend GSTE to model check synthesized netlists with respect to CCDFG specifications.
Using Theorem Proving and Algorithmic Decision Procedures for Large-Scale System Verification
- 2005
Cited by 1 (0 self)
To the few people who believed I could do it even when I myself didn't. Acknowledgments. This dissertation has been shaped by many people, including my teachers, collaborators, friends, and family. I would like to take this opportunity to acknowledge the influence they have had in my development as a person and as a scientist. First and foremost, I wish to thank my advisor J Strother Moore. J is an amazing advisor, a marvellous collaborator, an insightful researcher, an empathetic teacher, and a truly great human being. He gave me just the right balance of freedom, encouragement, and direction to guide the course of this research. My stimulating discussions with him made the act of research an experience of pure enjoyment, and helped pull me out of many low ebbs. At one point I used to believe that whenever I was stuck with a problem one meeting with J would get me back on track. Furthermore, my times together with J and Jo during Thanksgivings and other occasions always made me feel part of his family. There was no problem, technical or otherwise, that I could not discuss with J, and there was no time when
Verification
We present an efficient term simplifier written in ACL2 and interfaced with ACL2 as an untrusted clause processor. We also demonstrate how an advanced user can extend this simplifier in a sound manner by proving rewrite rules with special annotations and programmed constraints on their application. For problems requiring extensive case analysis, the simplifier is more efficient than ACL2 built-in simplification and we demonstrate this on some relevant examples. In addition, we discuss the issue of user control over predictable simplification and conclude the paper with the proposed implementation of invariant discovery using the simplifier.

