ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language --- namely, a large applicative subset of Common Lisp --- while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K 86 microprocessor by Advanced Micro Devices, Inc.

ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...

Software bugs are very difficult to detect even in small units of code. Several techniques to debug or prove correct such units are based on the generation of a set of formulae whose unsatisfiability reveals the presence of an error. These techniques assume the availability of a theorem prover capable of automatically discharging the resulting proof obligations. Building such a tool is a difficult, long, and error-prone activity. In this paper, we describe techniques to build provers which are highly automatic and flexible by combining state-of-the-art superposition theorem provers and BDDs. We report experimental results on formulae extracted from the debugging of C functions manipulating pointers showing that an implementation of our techniques can discharge proof obligations which cannot be handled by Simplify (the theorem prover used in the ESC/Java tool) and performs much better on others. 1.

ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...

The correctness problem for hardware and software systems can often be reduced to the validity problem for propositional or predicate logic. However, the size of the formulas to be validated grows faster than the size of the system under investigation, and the complexity of the validation procedure makes this approach practically intractable for large programs. We introduce a strategy for dealing with this problem in the propositional case, corresponding e.g. to digital circuits and concurrent synchronization algorithms. Efficiently computable criteria are used to assess the mutual relevance of formulas and subformulas. They are based on the notions of interpolation and polarity, and allow to detect and discard provably irrelevant parts of boolean verification conditions. These criteria lead to a simplification and validation method, whose efficiency is investigated both theoretically and practically. 1 Introduction Several techniques have been developed for the systematic verification...