Results 1  10
of
20
ACL2: An Industrial Strength Version of Nqthm
, 1996
"... ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" ..."
Abstract

Cited by 65 (7 self)
 Add to MetaCart
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the BoyerMoore system, Nqthm [8, 12], and its interactive enhancement, PcNqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...
Design Goals for ACL2
, 1994
"... ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the BoyerMoore system, Nqthm, and its interactive enhancement, PcNqthm, based on our perceptions of some of the inadequacies of Nqthm when used in largescale verification projects. Foremost among th ..."
Abstract

Cited by 37 (5 self)
 Add to MetaCart
(Show Context)
ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the BoyerMoore system, Nqthm, and its interactive enhancement, PcNqthm, based on our perceptions of some of the inadequacies of Nqthm when used in largescale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semiautonomous workers on different parts of a verifica...
The BoyerMoore Theorem Prover and Its Interactive Enhancement
, 1995
"... . The socalled "BoyerMoore Theorem Prover" (otherwise known as "Nqthm") has been used to perform a variety of verification tasks for two decades. We give an overview of both this system and an interactive enhancement of it, "PcNqthm," from a number of perspectives. F ..."
Abstract

Cited by 32 (0 self)
 Add to MetaCart
. The socalled "BoyerMoore Theorem Prover" (otherwise known as "Nqthm") has been used to perform a variety of verification tasks for two decades. We give an overview of both this system and an interactive enhancement of it, "PcNqthm," from a number of perspectives. First we introduce the logic in which theorems are proved. Then we briefly describe the two mechanized theorem proving systems. Next, we present a simple but illustrative example in some detail in order to give an impression of how these systems may be used successfully. Finally, we give extremely short descriptions of a large number of applications of these systems, in order to give an idea of the breadth of their uses. This paper is intended as an informal introduction to systems that have been described in detail and similarly summarized in many other books and papers; no new results are reported here. Our intention here is merely to present Nqthm to a new audience. This research was supported in part by ONR Contract N...
A Theorem Prover for a Computational Logic
, 1990
"... We briefly review a mechanical theoremprover for a logic of recursive functions over finitely generated objects including the integers, ordered pairs, and symbols. The prover, known both as NQTHM and as the BoyerMoore prover, contains a mechanized principle of induction and implementations of line ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
(Show Context)
We briefly review a mechanical theoremprover for a logic of recursive functions over finitely generated objects including the integers, ordered pairs, and symbols. The prover, known both as NQTHM and as the BoyerMoore prover, contains a mechanized principle of induction and implementations of linear resolution, rewriting, and arithmetic decision procedures. We describe some applications of the prover, including a proof of the correct implementation of a higher level language on a microprocessor defined at the gate level. We also describe the ongoing project of recoding the entire prover as an applicative function within its own logic.
Program Verification using HOLUNITY
 Higher Order Logic Theorem Proving and Its Applications: HUG ’93, LNCS 780
, 1994
"... . HOLUNITY is an implementation of Chandy and Misra's UNITY theory in the HOL88 and HOL90 theorem provers. This paper shows how to verify safety and progress properties of concurrent programs using HOLUNITY. As an example it is proved that a liftcontrol program satisfies a given progress pro ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
. HOLUNITY is an implementation of Chandy and Misra's UNITY theory in the HOL88 and HOL90 theorem provers. This paper shows how to verify safety and progress properties of concurrent programs using HOLUNITY. As an example it is proved that a liftcontrol program satisfies a given progress property. The proof is compositional and partly automated. The progress property is decomposed into basic safety and progress properties, which are proved automatically by a developed tactic based on a combination of Gentzenlike proof methods and Pressburger decision procedures. The proof of the decomposition which includes induction is done mechanically using the inference rules of the UNITY logic implemented as theorems in HOL. The paper also contains some empirical results of running the developed tactic in HOL88 and HOL90, respectively. It turns out that HOL90 in average is about 9 times faster than HOL88. Finally, we discuss various ways of improving the tactic. 1 Introduction This paper pres...
Mechanical Verification of Distributed Algorithms in HigherOrder Logic
 The Computer Journal
, 1995
"... this paper we explain how to do so using HOLan interactive proof assistant for higherorder logic developed by Gordon and others [18]. First, we describe how to build an infrastructure in HOL that supports reasoning about distributed algorithms, including formal theories of predicates, temporal l ..."
Abstract

Cited by 12 (1 self)
 Add to MetaCart
(Show Context)
this paper we explain how to do so using HOLan interactive proof assistant for higherorder logic developed by Gordon and others [18]. First, we describe how to build an infrastructure in HOL that supports reasoning about distributed algorithms, including formal theories of predicates, temporal logic, labeled transition systems, simulation of programs, translation of properties, and graphs. Then we demonstrate, via an example, how to use the powerful intuition about events and causality to guide and structure correctness proofs of distributed algorithms. The example used is the verification of PIF (propagation of information with feedback), which is a simple but typical distributed algorithm due to Segall [33]. 1 INTRODUCTION
A Survey on Kernel Specification and Verification
 TR 97654 of CS at USC
, 1997
"... Formal methods have been traditionally used to model and verify operating systems. Different methods verify different operating systems properties, such as process management, mutual exclusion and interprocess communication. Moreover, various methods may capture different design errors, such as dea ..."
Abstract

Cited by 8 (7 self)
 Add to MetaCart
(Show Context)
Formal methods have been traditionally used to model and verify operating systems. Different methods verify different operating systems properties, such as process management, mutual exclusion and interprocess communication. Moreover, various methods may capture different design errors, such as deadlocks or unspecified receptions. The system kernel supports higherlevel system services. Hence, kernel verification is essential for the proper operation of the system. In addition, providing clear kernel specification improves the interoperability between its various implementations. In this paper, we describe commonly used methods for kernel specification and verification. Some methods provide a mathematical model, and use logic to prove properties of interest. These include PVS and BoyerMoore logic. Others use a programming language to simulate the system, then apply verification tools to capture system errors. These include the SPIN tool. Distributed operating systems are susceptible ...
A Proof Environment for Concurrent Programs
 In In Proceedings FME93 Symposium
, 1993
"... . Unity [CM88, Mer92, Kna90], as action systems approach [BS91], is a formal method that attempts to decouple a program from its implementation. Therefore, Unity separates logical behaviour from implementation, it provides predicates for specifications, and proof rules for deriving specifications di ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
. Unity [CM88, Mer92, Kna90], as action systems approach [BS91], is a formal method that attempts to decouple a program from its implementation. Therefore, Unity separates logical behaviour from implementation, it provides predicates for specifications, and proof rules for deriving specifications directly from the program text. This type of proof strategy is often clearer and more succinct than argument about a program's operational behaviour. Our research fits into Unity's methodology. Its aims to develop a proof environment suitable for mechanical proof of concurrent programs. This proof is based on Unity [CM88], and may be used to specify and verify both safety and liveness properties. Our verification method is based on theorem proving, so that an axiomatization of the operational semantics is needed. We use Dijkstra's wpcalculus to formalize the Unity logic, so we can always derive a sound relationship between the operational semantics of a given Unity specification and the axio...
Simplification of Boolean verification conditions
, 1999
"... The correctness problem for hardware and software systems can often be reduced to the validity problem for propositional or predicate logic. However, the size of the formulas to be validated grows faster than the size of the system under investigation, and the complexity of the validation procedure ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
The correctness problem for hardware and software systems can often be reduced to the validity problem for propositional or predicate logic. However, the size of the formulas to be validated grows faster than the size of the system under investigation, and the complexity of the validation procedure makes this approach practically intractable for large programs. We introduce a strategy for dealing with this problem in the propositional case, corresponding e.g. to digital circuits and concurrent synchronization algorithms. Efficiently computable criteria are used to assess the mutual relevance of formulas and subformulas. They are based on the notions of interpolation and polarity, and allow to detect and discard provably irrelevant parts of boolean verification conditions. These criteria lead to a simplification and validation method, whose efficiency is investigated both theoretically and practically. 1 Introduction Several techniques have been developed for the systematic verification...
Mechanically Verifying Safety and Liveness Properties of Delay Insensitive Circuits
 the BoyerMoore Prover. 1991 International Workshop on Formal Methods in VLSI Design
, 1994
"... This paper describes, by means of an example, how one may mechanically verify delay insensitive circuits on an automated theorem prover. It presents the verification of both the safety and liveness properties of an nnode delay insensitive FIFO circuit[20]. The proof system used is a mechanized impl ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
This paper describes, by means of an example, how one may mechanically verify delay insensitive circuits on an automated theorem prover. It presents the verification of both the safety and liveness properties of an nnode delay insensitive FIFO circuit[20]. The proof system used is a mechanized implementation of Unity[7] on the BoyerMoore prover[4], described in [12]. This paper describes the circuit formally in the BoyerMoore logic and presents the mechanically verified correctness theorems. The formal description also captures the protocol that the circuit expects its environment to obey and specifies a class of suitable initial states. This paper demonstrates how a general purpose automated proof system for concurrent programs may be used to mechanically verify both the safety and liveness properties of arbitrary sized delay insensitive circuits. Keywords: Automated theorem proving, hardware verification, delay insensitive circuits. Author's Address: Naval Research Laboratory, C...