Abstract. We present a method to convert (i) an operational semantics for a given machine language, and (ii) an off-the-shelf theorem prover, into a high assurance verification condition generator (VCG). Given a program annotated with assertions at cutpoints, we show how to use the theorem prover directly on the operational semantics to generate verification conditions analogous to those produced by a custom-built VCG. Thus no separate VCG is necessary, and the theorem prover can be employed both to generate and to discharge the verification conditions. The method handles both partial and total correctness. It is also compositional in that the correctness of a subroutine needs to be proved once, rather than at each call site. The method has been used to verify several machine-level programs using the ACL2 theorem prover. 1

Abstract. We describe a tutorial that demonstrates the use of the ACL2 theorem prover. We have three goals: to enable a motivated reader to start on a path towards effective use of ACL2; to provide ideas for other interactive theorem prover projects; and to elicit feedback on how we might incorporate features of other proof tools into ACL2. 1

Existing meta-programming languages operate on encodings of programs as data. This paper presents a new meta-programming language, based on an untyped lambda calculus, in which structurally reflective programming is supported directly, without any encoding. The language features call-by-value and call-by-name lambda abstractions, as well as novel reflective features enabling the intensional manipulation of arbitrary program terms. The language is scope safe, in the sense that variables can neither be captured nor escape their scopes. The expressiveness of the language is demonstrated by showing how to implement quotation and evaluation operations, as proposed by Wand. The language’s utility for meta-programming is further demonstrated through additional representative examples. A prototype implementation is described and evaluated.

To my parents, Henry and Karen Reeber, and my fiancée, Carrie Pankrast, for all their love, guidance, and support. Acknowledgments Most of all, I would like to thank my thesis advisor, Warren Hunt. Warren always has the amazing ability to give me what I need, before I even ask for it. Furthermore, Warren has been a source of constant encouragement and guidance, without which I never would have started this dissertation, let alone completed it. I would also like to thank the rest of my dissertation committee, Allen Emerson, Steve Keckler, J Moore, and Anna Slobodova, for all the time and energy they spent re-viewing my research and for their great feedback both on the dissertation itself and the earlier dissertation proposal. Anna in particular provided me with copious notes that have significantly improved the quality of this dissertation. Thanks also to Sandip Ray, Simha Sethumadhavan, and Jun Sawada for providing excellent feedback on portions of this dis-sertation. A number of professors at the University of Texas have influenced my work. My

We describe how we guide ACL2 to follow a divide-andconquer strategy for proving inequalities of the type |P (⃗e) | ≤ C. P (⃗e) is a polynomial in variables ⃗e and C is a constant. Our approach involves (1) writing an ACL2 program to estimate the upper-bound of such polynomials and (2) using the bind-free mechanism to integrate the upper-bound estimation program to guide rewriting. We think it is interesting to showcase how we extract the relevant information from the hypothesis and how such information is used to influence rewriting. Techniques like ours can be useful to ACL2 users who want to better control rewriting when their problems share specific characteristics with our |P (⃗e) | ≤ C type problem.