ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language --- namely, a large applicative subset of Common Lisp --- while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K 86 microprocessor by Advanced Micro Devices, Inc.

ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of state-of-the-art commercial microprocessors prior to fabrication. In the first project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a single-chip, digital signal processor (DSP) optimized for communications signal processing. Using the specification, we proved the correctness of several CAP microcode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the floating-point division operation on AMD's first Pentium-class microprocessor, the AMD5K 86. In this paper, we discuss ACL2 and these industrial applications, with particular attention ...

ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...

ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...

We have developed a verified application proved to be both effective and efficient. The application generates moves in the puzzlegame Nim and is coded in Piton, a language with a formal semantics and a compiler verified to preserve its semantics on the underlying machine. The Piton compiler is targeted to the FM9001, a recently fabricated verified microprocessor. The Nim program correctness proof makes use of the language semantics that the compiler is proved to implement. Like the Piton compiler proof and FM9001 design proof, the Nim correctness proof is generated using Nqthm, a proof system sometimes known as the Boyer-Moore theorem prover.

in this document are those of the author(s) and should not be interpreted as representing the official policies, either

System Lemma : : : : : : : : : : : : : : : : : : 108 7.4.2 FM9001 Reasonableness Proof : : : : : : : : : : : : : : : 109 7.4.3 FM9001 Program Proof : : : : : : : : : : : : : : : : : : 111 7.4.4 Deriving the Final Theorem : : : : : : : : : : : : : : : : 112 7.5 Invariants Proved in the Quiz-show Proof : : : : : : : : : : : : : 113 7.5.1 Abstract System Lemma Invariants : : : : : : : : : : : : 114 7.5.2 FM9001 Reasonableness Lemma Invariants : : : : : : : : 117 7.5.3 Program Correctness Lemma Invariants : : : : : : : : : : 118 7.6 The Light-Switch Example : : : : : : : : : : : : : : : : : : : : : 122 7.6.1 A Correctness Lemma : : : : : : : : : : : : : : : : : : : 122 7.6.2 A Light-Switch Program Specification : : : : : : : : : : : 125 7.6.3 Example Execution of the Light-Switch System : : : : : 126 8. Some Implications of the Proved Real-time System 128 8.1 Execution on the FM9001 Single-board Computer : : : : : : : : 128 8.2 Comparison with Scheduling Theorem : : : : : : : : : : : : :...

ruct (mod trigger d) (list 'sequential (inputs mod) (collect-outputs mod d) (collect-modes mod) (collect-delays mod d) trigger (collect-locals mod) (collect-state mod d) (minimum-period mod d) (collect-setups mod d) (collect-holds mod d))) ()) (if (member out (inputs mod)) f (if (sequentialp (find-submodule out mod)) t (if (zerop d) f (check-outputs$ 'list (find-inputs out mod) mod (sub1 d)))))) ((ord-lessp (lex (list d (count out)))))) (defn check-seq-struct (mod trigger d) (and (check-outputs$ 'list (outputs mod) mod d) (check-internal mod (submodules mod) (subinputs mod) (suboutputs mod) (car (inputs mod)) trigger d))) ;;The minimum clock period is bounded by the maximum of the periods of ;;the sequential components. It also must be long enough to allow ;;internal signals to stabilize in order to respect setup times: (defn minimum-period$ (submods subouts mod d) (if (listp submods) (if (sequentialp (car submods)) (max (max (period (car submods)) (fmaxl (add-max-delays

named-struct (mod trigger d) (list 'sequential (inputs mod) (collect-outputs mod d) (collect-modes mod) (collect-delays mod d) trigger (collect-locals mod) (collect-state mod d) (minimum-period mod d) (collect-setups mod d) (collect-holds mod d))) 85 ()) (if (member out (inputs mod)) f (if (sequentialp (find-submodule out mod)) t (if (zerop d) f (check-outputs$ 'list (find-inputs out mod) mod (sub1 d)))))) ((ord-lessp (lex (list d (count out)))))) (defn check-seq-struct (mod trigger d) (and (check-outputs$ 'list (outputs mod) mod d) (check-internal mod (submodules mod) (subinputs mod) (suboutputs mod) (car (inputs mod)) trigger d))) ;;The minimum clock period is bounded by the maximum of the periods of ;;the sequential components. It also must be long enough to allow ;;internal signals to stabilize in order to respect setup times: (defn minimum-period$ (submods subouts mod d) (if (listp submods) (if (sequentialp (car submods)) (max (max (period (car submods)) (fmaxl (a