Abstract not found

ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. However, the logic supported by ACL2 is compatible with the applicative subset of Common Lisp. The decision to use an "industrial strength" programming language as the foundation of the mathematical logic is crucial to our advocacy of ACL2 in the application of formal methods to large systems. However, one of the key reasons Nqthm has been so successful, we believe, is its insistence that functions be total. Common Lisp functions are not total and this is one of the reasons Common Lisp is so efficient. This paper explains how we scaled up Nqthm's logic to Common Lisp, preserving the use of total functions within the logic but achieving Common Lisp execution speeds. 1 History ACL2 is a direct descendent of the Boyer-Moore system, Nqthm [8, 12], and its interactive enhancement, Pc-Nqthm [21, 22, 23]. See [7, 25] for introductions to the two ancestr...

Kernel Implements Processes The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AK-IMPLEMENTS-PARALLEL-TASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASK-PROCESSOR on the initial task state, with an oracle constructed by the function CONTROL-ORACLE. The oracle constructed for TASK-PROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel. Task project AK Figure 4: AK Implements Parallel Tasks THEOREM AK-IMPLEMENTS-PARALLEL-TASKS (IMPLIES (AND (GOOD-AK AK) (FINITE-NUMBERP I (LENGTH (AK-PSTATES AK)))) (EQUAL (PROJECT I (AK-PROCESSOR AK ORACLE)) (TASK-PROCESSOR (PROJECT I AK) I (CONTROL-ORACLE I AK ORACLE)))) 6. The Target Machine The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...

ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...

We have formally specified a substantial subset of the MC68020, a widely used microprocessor built by Motorola, within the mathematical logic of the automated reasoning system Nqthm, i.e., the Boyer-Moore Theorem Prover [4]. Using this MC68020 specification, we have mechanically checked the correctness of MC68020 machine code programs for Euclid's GCD, Hoare's Quick Sort, binary search, and other well-known algorithms. The machine code for these examples was generated using the Gnu C and the Verdix Ada compilers. We have developed an extensive library of proven lemmas to facilitate automated reasoning about machine code programs. We describe a two stage methodology we use to do our machine code proofs.

. The so-called "Boyer-Moore Theorem Prover" (otherwise known as "Nqthm") has been used to perform a variety of verification tasks for two decades. We give an overview of both this system and an interactive enhancement of it, "Pc-Nqthm," from a number of perspectives. First we introduce the logic in which theorems are proved. Then we briefly describe the two mechanized theorem proving systems. Next, we present a simple but illustrative example in some detail in order to give an impression of how these systems may be used successfully. Finally, we give extremely short descriptions of a large number of applications of these systems, in order to give an idea of the breadth of their uses. This paper is intended as an informal introduction to systems that have been described in detail and similarly summarized in many other books and papers; no new results are reported here. Our intention here is merely to present Nqthm to a new audience. This research was supported in part by ONR Contract N...

A VERIFIED CODE GENERATOR FOR A SUBSET OF GYPSY Publication No. William David Young, Ph.D. The University of Texas at Austin, 1988 Supervising Professors: Robert S. Boyer, J Strother Moore This report describes the specification and mechanical proof of a code generator for a subset of Gypsy 2.05 called Micro-Gypsy. Micro-Gypsy is a high-level language containing many of the Gypsy control structures, simple data types and arrays, and predefined and user-defined procedure definitions including recursive procedure definitions. The language is formally specified by a recognizer and interpreter written as functions in the Boyer-Moore logic. The target language for the Micro-Gypsy code generator is the Piton high-level assembly language verified by J Moore to be correctly implemented on the FM8502 hardware. The semantics of Piton is specified by another interpreter written in the logic. A Boyer-Moore function maps a Micro-Gypsy state containing program and data structures into an initial Pit...

We briefly review a mechanical theorem-prover for a logic of recursive functions over finitely generated objects including the integers, ordered pairs, and symbols. The prover, known both as NQTHM and as the Boyer-Moore prover, contains a mechanized principle of induction and implementations of linear resolution, rewriting, and arithmetic decision procedures. We describe some applications of the prover, including a proof of the correct implementation of a higher level language on a microprocessor defined at the gate level. We also describe the ongoing project of recoding the entire prover as an applicative function within its own logic.

We propose a grand challenge for the formal methods community: build and mechanically verify a practical embedded system, from transistors to software. We propose that each group within the formal methods community design and verify, by the methods appropriate to that group, an embedded system of their choice. The point is not to have just one integrated formal method or just one verified application, but to encourage groups to develop the techniques and methodologies necessary for system-level verification.

We describe a methodology for proving theorems mechanically about Java methods. The theorem prover used is the ACL2 system, an industrial-strength version of the Boyer-Moore theorem prover. An operational semantics for a substantial subset of the Java Virtual Machine (JVM) has been defined in ACL2. Theorems are proved about Java methods and classes by compiling them with javac and then proving the corresponding theorem about the JVM. Certain automatically applied strategies are implemented with rewrite rules (and other proof-guiding pragmas) in ACL2 “books” to control the theorem prover when operating on problems involving the JVM model. The Java Virtual Machine or JVM [27] is the basic abstraction Java [17] implementors are expected to respect. We speculate that the JVM is an appropriate level of abstraction at which to model Java programs with the intention of mechanically verifying their properties. The most complex features of the Java subset we handle – construction and initialization of new objects, synchronization, thread management, and virtual method invocation – are all supported directly and with full abstraction as single atomic instructions in the JVM. The complexity of verifying JVM bytecode program stems from the complexity of Java’s semantics, not