Results 1-10 of 11
ACL2: An Industrial Strength Version of Nqthm, 1996
Cited by 60 (7 self)
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History. ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...
Set theory for verification: I. From foundations to functions. J. Auto. Reas., 1993
Cited by 45 (17 self)
A logic for specification and verification is derived from the axioms of Zermelo-Fraenkel set theory. The proofs are performed using the proof assistant Isabelle. Isabelle is generic, supporting several different logics. Isabelle has the flexibility to adapt to variants of set theory. Its higher-order syntax supports the definition of new binding operators. Unknowns in subgoals can be instantiated incrementally. The paper describes the derivation of rules for descriptions, relations and functions, and discusses interactive proofs of Cantor's Theorem, the Composition of Homomorphisms challenge [9], and Ramsey's Theorem [5]. A generic proof assistant can stand up against provers dedicated to particular logics. Key words: Isabelle, set theory, generic theorem proving, Ramsey's Theorem,
Design Goals for ACL2, 1994
Cited by 36 (5 self)
ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...
Interaction with the Boyer-Moore Theorem Prover: A Tutorial Study Using the Arithmetic-Geometric Mean Theorem, 1994
The Role of Automated Reasoning in Integrated System Verification Environments, 1992
Cited by 3 (2 self)
in this document are those of the author(s) and should not be interpreted as representing the official policies, either
Non-Constructive Computational Mathematics. Journal of Automated Reasoning, 1995
Cited by 2 (0 self)
We describe a non-constructive extension to Primitive Recursive Arithmetic, both abstractly, and as implemented on the Boyer-Moore prover. Abstractly, this extension is obtained by adding the unbounded μ operator applied to primitive recursive functions; doing so, one can define the Ackermann function and prove the consistency of Primitive Recursive Arithmetic. The implementation does not mention the μ operator explicitly, but has the strength to define the μ operator through the built-in functions EVAL$ and V&C$. §1. INTRODUCTION. This paper is a mixture of theory and practice. The theory begins with the notions of constructivism and finitism in the philosophy of mathematics. As with all philosophical notions, these cannot appear directly in a mathematical theorem or a computer program, but they have been useful guides over the past hundred years to discovering mathematical results, and more recently, to designing computer implementations. Informally, a constructivist only believes in...
Quantification in Nqthm: A Recognizer and Some Constructive Implementations, 1992
N0001491C0130. The views and conclusions contained in this document are those of the author(s) and should not be interpreted as representing the official policies, either expressed or implied, of Computational Logic, Inc., the Office of Naval Research or the U.S. Government. ABSTRACT: We present an implementation of a recognizer for quantified notions in the Boyer-Moore Theorem Prover, Nqthm. That is, we provide a method for checking that a given function does indeed represent a quantified notion. We also present methods for generating constructively-presented functions that represent quantified notions, including definitions using only bounded quantifiers.
Predicting Failures of and Repairing Inductive Proof Attempts
Inductive reasoning is critical for ensuring reliability of computational descriptions, especially of algorithms defined on recursive data structures. Despite advances made in automating inductive reasoning, proof attempts by theorem provers frequently fail while performing inductive reasoning. A user of such a system must scrutinize a failed proof attempt and do intensive debugging to understand the cause of failure, and then provide additional information to make a failed proof attempt succeed. A method for predicting a priori failure of proof attempts by induction is proposed. It is based on analyzing the definitions of function symbols appearing in a conjecture. Further, failure analysis is shown to provide information that can be used to make those proof attempts succeed for valid conjectures. The failure of proof attempts could be because of a number of reasons even when a conjecture is believed to be valid. It might be that an induction scheme used in a proof attempt is not powerful enough to yield useful induction hypotheses which can be applied effectively. Or, even when induction hypotheses are applicable, the proof attempt might not succeed because of missing lemmas. A method for speculating intermediate lemmas which can make induction hypotheses applicable and/or lead to simplification obtaining validity is proposed. The analysis can be automated and is illustrated on several examples. A preliminary implementation demonstrates the effectiveness of the proposed approach.
Predicting Failures of Inductive Proof Attempts
Reasoning about recursively defined data structures and functions defined on them typically requires proofs by induction. Despite advances made in automating inductive reasoning, proof attempts by theorem provers frequently fail while performing inductive reasoning. A user of such a system must scrutinize a failed proof attempt and do intensive debugging to understand the cause of failure. The failure of proof attempts could be because of a number of reasons even when a conjecture is believed to be valid. One reason is that an induction scheme used in a proof attempt is not powerful enough to yield useful induction hypotheses which can be applied effectively. Or the proof attempt might need intermediate lemmas. The focus of the research reported in this paper is to analyze possible failures of proof attempts due to inapplicability of induction hypotheses and predict failure a priori before even attempting a proof, so as to avoid failed attempts. Definitions of functions appearing in a conjecture are analyzed to determine whether their interaction in the conjecture guarantees a proof attempt to get stuck. The analysis relies on the concept of blocking of a function definition by another function definition. If, in a conjecture, a function g appears as an argument to another function f such that when the definition of g is expanded, f blocks a function symbol resulting from the definition of g, then a proof attempt of the conjecture based on expanding the definition of g is likely to get stuck. The concept of a flawed induction scheme is introduced capturing this idea. It is shown that if a proof of a conjecture is attempted using only flawed induction schemes, then, under certain conditions, such proof attempts are guaranteed to fail. The analysis can be easily automated and is illustrated on several examples.
Modeling and Verification of a Simple Real-Time Railroad Gate Controller, 1995
We address the formal specification and verification of a simple train crossing gate system using the Nqthm logic and automated proof system of Boyer and Moore. This problem has been suggested as a benchmark for evaluating the performance of specification tools and automated reasoning systems in the area of safety-critical systems. The system specification is presented and the proof of safety and utility properties is outlined. The performance of Nqthm on this problem is evaluated. The complete specification is provided in an appendix.