Results 1-9 of 9
ACL2: An Industrial Strength Version of Nqthm
, 1996
"... ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming languag ..."
Abstract

Cited by 58 (5 self)
 Add to MetaCart
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...
A formally verified algorithm for interactive consistency under a hybrid fault model
 IN FAULT TOLERANT COMPUTING SYMPOSIUM 23
, 1993
"... ..."
Design Goals for ACL2
, 1994
"... ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the BoyerMoore system, Nqthm, and its interactive enhancement, PcNqthm, based on our perceptions of some of the inadequacies of Nqthm when used in largescale verification projects. Foremost among th ..."
Abstract

Cited by 36 (5 self)
 Add to MetaCart
ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...
The Formal Verification of an Algorithm for Interactive Consistency under a Hybrid Fault Model
 IN COSTAS COURCOUBETIS, EDITOR, COMPUTER-AIDED VERIFICATION, CAV '93, VOLUME 697 OF LECTURE NOTES IN COMPUTER SCIENCE
, 1993
"... Modern verification systems such as PVS are now reaching the stage of development where the formal verification of critical algorithms is feasible with reasonable effort. This paper describes one such verification in the field of fault tolerance. The distribution of singlesource data to replicated ..."
Abstract

Cited by 19 (9 self)
 Add to MetaCart
Modern verification systems such as PVS are now reaching the stage of development where the formal verification of critical algorithms is feasible with reasonable effort. This paper describes one such verification in the field of fault tolerance. The distribution of single-source data to replicated computing channels (Interactive Consistency or Byzantine Agreement) is a central problem in this field. The classic Oral Messages (OM) algorithm solves this problem under the assumption that all channels are either non-faulty or arbitrarily (Byzantine) faulty. Thambidurai and Park have introduced a "hybrid" fault model that distinguishes additional fault modes, along with a modified version of OM. They gave an informal proof that their algorithm withstands the same number of arbitrary faults, but more "non-malicious" faults than OM. We detected a flaw in this algorithm while undertaking its formal verification using PVS. The discipline of mechanically-checked formal verification helped us to d...
Formal Verification of an Interactive Consistency Algorithm for the Draper FTP . . .
 IN COMPASS '94 (PROCEEDINGS OF THE NINTH ANNUAL CONFERENCE ON COMPUTER ASSURANCE)
, 1994
"... Faulttolerant systems for critical applications should tolerate as many kinds of faults and as large a number of faults as possible, while using as little hardware as feasible. And they should be provided with strong assurances for their correctness. Byzantine ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
Fault-tolerant systems for critical applications should tolerate as many kinds of faults and as large a number of faults as possible, while using as little hardware as feasible. And they should be provided with strong assurances for their correctness. Byzantine
Comparing Verification Systems: Interactive Consistency in ACL2
 PROCEEDINGS OF 11TH ANNUAL CONFERENCE ON COMPUTER ASSURANCE
, 1996
"... Achieving interactive consistency among processors in the presence of faults is an important problem in fault tolerant computing, first cleanly formulated by Lamport, Pease and Shostak and solved in selected cases with their Oral Messages (OM) Algorithm. Several machinesupported verifications of th ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
Achieving interactive consistency among processors in the presence of faults is an important problem in fault tolerant computing, first cleanly formulated by Lamport, Pease and Shostak and solved in selected cases with their Oral Messages (OM) Algorithm. Several machine-supported verifications of this algorithm have been presented, including a particularly elegant formulation and proof by John Rushby using EHDM and PVS. Rushby proposes interactive consistency as a benchmark problem for specification and verification systems. We present a formalization of the OM algorithm in the ACL2 logic and compare our formalization and proof to his. We draw some conclusions concerning the range of desirable features for verification systems. In particular, while higher-order functions, strong typing, lambda abstraction and full quantification have some value they come with a cost; moreover, many uses of such features can be easily translated into simpler logical constructs which facilitate more autom...
Invariant Performance: A Statement of Task Isolation Useful for Embedded Application Integration
 In Dependable Computing for Critical Applications, DCCA7
, 1999
"... . We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstra ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
We describe the challenge of embedded application integration and argue that the conventional formal verification approach of proving abstract behavior is not useful in this domain. We introduce invariant performance, a formulation of task isolation useful for application integration. We demonstrate invariant performance by formalizing it in the logic of PVS for a simple yet realistic embedded system. 1 Introduction Integration of multiple real-time embedded applications onto a single processor is increasingly attractive because the capacity of computing devices continues to grow. The use of fewer devices reduces space and power consumption that can be very valuable in an embedded environment, and fewer device connections increase reliability. Greater integration can also simplify the development of fault-tolerant architectures. Integration of applications poses daunting challenges as well, because integrated applications may interact. Applications that share computing resources can...
Tutorial: Analyzing the Fault-Tolerant Algorithm OM(1)
"... The resources of SAL allow many kinds of systems to be modeled and analyzed. However, it requires skill and experience to exploit the capabilities of SAL to the best effect in any given problem domain. This tutorial provides an introduction to the use of SAL in modeling and analyzing faulttolerant ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
The resources of SAL allow many kinds of systems to be modeled and analyzed. However, it requires skill and experience to exploit the capabilities of SAL to the best effect in any given problem domain. This tutorial provides an introduction to the use of SAL in modeling and analyzing fault-tolerant systems. The example considered here is a simple variant on the classical one-round Oral Messages algorithm OM(1) for Byzantine agreement and will be familiar to many computer scientists. The SAL model developed here is available for download, so that users can repeat the analyses described, and exercises are suggested for additional experiments.
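The Oral Messages algorithm OM(m) that the CAV '93, COMPASS '96 and SAL tutorial entries above verify, as an added executable example that is not code from any of the listed papers. It implements OM(m) recursively and then checks interactive consistency (IC1: all loyal lieutenants decide the same value; IC2: if the commander is loyal, every loyal lieutenant decides the commander's value) by exhaustively enumerating every Byzantine strategy for small n, and by random sampling for n = 7, m = 2. Assumptions made here and not taken from the page: values are single bits, the default on a tie or missing message is 0, loyal nodes relay faithfully, and a faulty node may deliver any value to each receiver in each message context (the path of relayers above it).

```python
# OM(m) with a brute-force interactive-consistency check. Added example; the
# bit-valued messages, default 0 and adversary model are assumptions.
from collections import Counter
from itertools import product
import random

DEFAULT = 0  # assumed default value used on ties and for missing messages


def majority(values, default=DEFAULT):
    """Majority of `values`; `default` when there is no strict majority."""
    counts = Counter(values).most_common()
    if len(counts) > 1 and counts[0][1] == counts[1][1]:
        return default
    return counts[0][0]


def om(m, commander, lieutenants, value, faulty, adversary, path=()):
    """Run OM(m): `commander` proposes `value` to `lieutenants`.

    Returns {lieutenant: decided value}. `path` is the chain of relayers above
    this sub-instance, so `adversary(sender, receiver, path)` lets a faulty
    sender misbehave differently in each context. Loyal senders deliver `value`.
    """
    def deliver(sender, receiver, v):
        return adversary(sender, receiver, path) if sender in faulty else v

    # Step 1: the commander sends its value to every lieutenant.
    received = {l: deliver(commander, l, value) for l in lieutenants}
    if m == 0:
        return received
    # Step 2: each lieutenant j relays what it received to the others by
    # acting as commander in OM(m-1); relayed[i][j] is i's view of j's value.
    relayed = {l: {} for l in lieutenants}
    for j in lieutenants:
        others = [l for l in lieutenants if l != j]
        sub = om(m - 1, j, others, received[j], faulty, adversary, path + (j,))
        for i in others:
            relayed[i][j] = sub[i]
    # Step 3: each lieutenant decides the majority of its own and relayed values.
    return {i: majority([received[i]] + [relayed[i][j] for j in lieutenants if j != i])
            for i in lieutenants}


def check_ic(n, m, faulty, adversary, value):
    """True if IC1 and IC2 hold for nodes 0..n-1 with node 0 as commander."""
    commander, lieutenants = 0, list(range(1, n))
    decided = om(m, commander, lieutenants, value, faulty, adversary)
    loyal = [l for l in lieutenants if l not in faulty]
    ic1 = len({decided[l] for l in loyal}) <= 1
    ic2 = commander in faulty or all(decided[l] == value for l in loyal)
    return ic1 and ic2


def message_contexts(n, m, faulty, value=1):
    """Every (sender, receiver, path) at which a faulty node picks a value."""
    seen = []

    def recorder(sender, receiver, path):
        seen.append((sender, receiver, path))
        return DEFAULT

    om(m, 0, list(range(1, n)), value, faulty, recorder)
    return seen


def find_violation(n, m, faulty, value=1):
    """Try every bit-valued adversary strategy; return one that breaks IC, else None.

    Feasible only for small n and m: there are 2**(number of contexts) strategies.
    """
    contexts = message_contexts(n, m, faulty, value)
    for choice in product((0, 1), repeat=len(contexts)):
        table = dict(zip(contexts, choice))
        if not check_ic(n, m, faulty, lambda s, r, p: table[(s, r, p)], value):
            return table
    return None


def random_trials(n, m, faulty, trials=200, seed=1):
    """Sample random Byzantine behaviour; True if IC held in every trial."""
    rng = random.Random(seed)
    adversary = lambda s, r, p: rng.randint(0, 1)
    return all(check_ic(n, m, faulty, adversary, rng.randint(0, 1))
               for _ in range(trials))


if __name__ == "__main__":
    # n = 3 cannot tolerate one fault: a lying lieutenant breaks IC2.
    print("n=3, m=1, lieutenant 2 faulty:", find_violation(3, 1, {2}))
    # n = 4 > 3m tolerates one fault, commander or lieutenant.
    print("n=4, m=1, commander faulty:", find_violation(4, 1, {0}))
    # Two faults exceed m = 1 and OM(1) breaks again.
    print("n=4, m=1, nodes 0 and 1 faulty:", find_violation(4, 1, {0, 1}))
    # OM(2) with n = 7 > 3*2 survives random behaviour from two Byzantine nodes.
    print("n=7, m=2 random trials held:", random_trials(7, 2, {0, 1}))
```

The exhaustive search is what makes the n > 3m bound concrete: with three nodes and one faulty lieutenant the only free message is that lieutenant's relay, and one of its two possible values already forces a loyal lieutenant onto the default, violating IC2; with four nodes every strategy for a single faulty node is defeated, while a second faulty node finds a split. This is the same kind of state-space search the SAL tutorial performs with a model checker, here written by hand so the fault model is explicit.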
Modeling and Verification of a Simple RealTime Railroad Gate Controller
, 1995
"... We address the formal specification and verification of a simple train crossing gate system using the Nqthm logic and automated proof system of Boyer and Moore. This problem has been suggested as a benchmark for evaluating the performance of specification tools and automated reasoning systems in the ..."
Abstract
 Add to MetaCart
We address the formal specification and verification of a simple train crossing gate system using the Nqthm logic and automated proof system of Boyer and Moore. This problem has been suggested as a benchmark for evaluating the performance of specification tools and automated reasoning systems in the area of safety-critical systems. The system specification is presented and the proof of safety and utility properties is outlined. The performance of Nqthm on this problem is evaluated. The complete specification is provided in an appendix.