Results 1  10
of
12
Efficient execution in an automated reasoning environment
 Journal of Functional Programming
, 2006
"... Abstract We describe a method to permit the user of a mathematical logic to write elegant logical definitions while allowing sound and efficient execution. We focus on the ACL2 logic and automated reasoning environment. ACL2 is used by industrial researchers to describe microprocessor designs and ot ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
Abstract We describe a method to permit the user of a mathematical logic to write elegant logical definitions while allowing sound and efficient execution. We focus on the ACL2 logic and automated reasoning environment. ACL2 is used by industrial researchers to describe microprocessor designs and other complicated digital systems. Properties of the designs can be formally established with the theorem prover. But because ACL2 is also a functional programming language, the formal models can be executed as simulation engines. We implement features that afford these dual applications, namely formal proof and execution on industrial test suites. In particular, the features allow the user to install, in a logically sound way, alternative executable counterparts for logicallydefined functions. These alternatives are often much more efficient than the logically equivalent terms they replace. We discuss several applications of these features. 1 Introduction This paper is about a way to permit the functional programmer to prove efficientprograms correct. The idea is to allow the provision of two definitions of the program: an elegant definition that supports effective reasoning by a mechanizedtheorem prover, and an efficient definition for evaluation. A bridge of this sort,
Automated Induction with Constrained Tree Automata ⋆,⋆⋆
"... Abstract. We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, o ..."
Abstract

Cited by 6 (2 self)
 Add to MetaCart
Abstract. We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists... Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints. We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several nontrivial examples presented in the paper, these examples are difficult (if not impossible) to specify and carry on automatically with other induction procedures. 1
Adding parallelism capabilities to ACL2
 In Proceedings of the Sixth International Workshop on the ACL2 Theorem Prover and its applications
, 2006
"... We have implemented parallelism primitives that permit an ACL2 programmer to parallelize execution of ACL2 functions. We (1) introduce logical definitions for these primitives, (2) explain the features of our extension, (3) give an evaluation strategy for our implementation, and (4) use the parallel ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
We have implemented parallelism primitives that permit an ACL2 programmer to parallelize execution of ACL2 functions. We (1) introduce logical definitions for these primitives, (2) explain the features of our extension, (3) give an evaluation strategy for our implementation, and (4) use the parallelism primitives in examples to show speedup. Categories and Subject Descriptors D.1 [Programming Techniques]: Concurrent Programming—parallel programming; D.2.4 [Software Engineering]: Software/Program Verification—correctness proofs, formal methods; D.3.2 [Programming Languages]: Language Classifications—applicative (functional) languages
Automated induction for complex data structures. Research Report LSV0511, Laboratoire Spécification et Vérification, 2005. personal communication
 of Joe Hendrix Adel Bouhoula and Florent Jacquemard inria00579017, version 1  22 Mar 2011
"... Abstract. We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, o ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
Abstract. We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists... Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints. We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several nontrivial examples presented in the paper, these examples are difficult to specify and carry on automatically with related induction procedures.
Proving Invariants via Rewriting and Abstraction
, 2005
"... We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially automates invariant proofs by obviating the need to define inductive invariants while still benefitting ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially automates invariant proofs by obviating the need to define inductive invariants while still benefitting from the expressiveness of deductive methods. We implement a procedure supporting this approach which interfaces with the ACL2 theorem prover. The interface affords sound extension of our procedure with rewrite rules based on proven theorems. We demonstrate the method in the verification of cache coherence protocols. 1
Automated Specification Analysis Using an Interactive Theorem Prover
"... Abstract—A method for analyzing designs and their specifications is presented. The method makes essential use of an interactive theorem prover, but is fully automatic. Given a design and a specification, the method returns one of three possible answers. It can report that the design does not satisfy ..."
Abstract
 Add to MetaCart
Abstract—A method for analyzing designs and their specifications is presented. The method makes essential use of an interactive theorem prover, but is fully automatic. Given a design and a specification, the method returns one of three possible answers. It can report that the design does not satisfy the specification, in which case a concrete counterexample is provided. It can report that the design does satisfy the specification, in which case a formal proof to that effect is provided. If neither of these cases hold, then a summary of the analysis is reported. We have implemented and experimentally validated the method in ACL2s, the ACL2 Sedan. I.
Verified AIG Algorithms in ACL2
"... AndInverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented ..."
Abstract
 Add to MetaCart
AndInverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented with optimized C or C++ routines with no guarantee of correctness. Meanwhile, many interactive theorem provers can now employ SAT or SMT solvers to automatically solve finite goals, but no theorem prover makes use of these advanced, AIGbased approaches. We have developed two ways to represent AIGs within the ACL2 theorem prover. One representation, HonsAIGs, is especially convenient to use and reason about. The other, Aignet, is the opposite; it is styled after modern AIG packages and allows for efficient algorithms. We have implemented functions for converting between these representations, random vector simulation, conversion to CNF, etc., and developed reasoning strategies for verifying these algorithms. Aside from these contributions towards verifying AIG algorithms, this work has an immediate, practical benefit for ACL2 users who are using GL to bitblast finite ACL2 theorems: they can now optionally trust an offtheshelf SAT solver to carry out the proof, instead of using the builtin BDD package. Looking to the future, it is a first step toward implementing verified AIG simplification algorithms that might further improve GL performance. 1
Journal of Automated Reasoning manuscript No. (will be inserted by the editor) The Right Tools for the Job: Correctness of Cone of Influence Reduction Proved Using
"... Abstract We present a case study illustrating how to exploit the expressive power of higherorder logic to complete a proof whose main lemma is already proved in a firstorder theorem prover. Our proof exploits a link between the HOL4 and ACL2 proof systems to show correctness of a cone of influence ..."
Abstract
 Add to MetaCart
Abstract We present a case study illustrating how to exploit the expressive power of higherorder logic to complete a proof whose main lemma is already proved in a firstorder theorem prover. Our proof exploits a link between the HOL4 and ACL2 proof systems to show correctness of a cone of influence reduction algorithm, implemented in ACL2, with respect to the classical semantics of linear temporal logic, formalized in HOL4.
Proving Invariants via Rewriting and Abstraction \Lambda
, 2005
"... Abstract We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially automates invariant proofs by obviating the need to define inductive invariants while still be ..."
Abstract
 Add to MetaCart
Abstract We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially automates invariant proofs by obviating the need to define inductive invariants while still benefitting from the expressiveness of deductive methods. We implement a procedure supporting this approach which interfaces with the ACL2 theorem prover. The interface affords sound extension of our procedure with rewrite rules based on proven theorems. We demonstrate the method in the verification of cache coherence protocols. 1 Motivation The goal of invariant proving is to show that a certain target property of a reactive system is an invariant. Invariant proving is a key problem in formal verification. Verification of safety properties can be reduced to the proof of an invariant. Even in the proofs of liveness properties, one typically needs to establish some auxiliary invariance condition. Invariant proving is difficult for both model checking and theorem proving. The model checking approach involves a (symbolic or explicit) search to check if all the reachable system states satisfy the target property. If the number of states is tractable, the process is automatic usually with the additional benefit of counterexample generation when the verification fails. However, the method is limited in practice by state explosion. The theorem proving approach involves strengthening the target property to an inductive invariant. This approach is generally insensitive to state explosion but in practice can require significant user interaction for defining the inductive invariant. In addition, inductive invariants are brittle and often require extensive modification to match design changes. However, theorem provers support expressive logics which allow users to succinctly define systems, properties, and any additional functions and lemmas that enable efficient proofs.