ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of state-of-the-art commercial microprocessors prior to fabrication. In the first project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a single-chip, digital signal processor (DSP) optimized for communications signal processing. Using the specification, we proved the correctness of several CAP microcode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the floating-point division operation on AMD's first Pentium-class microprocessor, the AMD5K 86. In this paper, we discuss ACL2 and these industrial applications, with particular attention ...

ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...

ly every instruction will have an opcode and two arguments, a and b. (defun opcode (ins) (nth 0 ins)) (defun a (ins) (nth 1 ins)) (defun b (ins) (nth 2 ins)) Because nth, like put, extends its list argument with nils, we can write instructions in three formats: (op), (op a), and (op a b) and omitted arguments default to nil. For example, the constant (times (movi 2 0) ; 0 mem[2] / 0 (jumpz 0 5) ; 1 if mem[0]=0, go to 5 (add 2 1) ; 2 mem[2] / mem[1] + mem[2] (subi 0 1) ; 3 mem[0] / mem[0] - 1 (jump 1) ; 4 go to 1 (ret))) ; 5 return to caller defines one program in our language. The constant is a list of seven elements. The first, times, is the name of the program and the other six elements are the 8 Chapter 4 instructions. For example, the first instruction is (movi 2 0), which has an opcode of movi, an a argument of 2 and a b argument of 0; the last instruction is (ret), which has an opcode of ret and a and b arguments of nil. A typical code memory will contain many such ...