## An Industrial Strength Theorem Prover for a Logic Based on Common Lisp (1997)

Venue: IEEE Transactions on Software Engineering

Citations: 111 (5 self-citations)

### BibTeX

@ARTICLE{Kaufmann97anindustrial,
  author  = {Matt Kaufmann and J. Strother Moore},
  title   = {An Industrial Strength Theorem Prover for a Logic Based on Common Lisp},
  journal = {IEEE Transactions on Software Engineering},
  year    = {1997},
  volume  = {23},
  pages   = {203--213}
}


### Abstract

ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language --- namely, a large applicative subset of Common Lisp --- while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K86 microprocessor by Advanced Micro Devices, Inc.
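The abstract's central design point, a logic of total functions over an applicative Common Lisp subset, and the related decision quoted in the citation contexts below that guards do not enter the definitional axioms, are easiest to see in a short ACL2 session. The following is an added illustration, not code from the paper; the function names `sum-list` and `f` and the theorem names are chosen here and are not identifiers from the paper.

```lisp
;; Added illustration (not from the paper): how ACL2 keeps the logic total
;; while still running the same definitions as compiled Common Lisp.
;; sum-list, f and the theorem names are chosen here, not taken from the paper.

;; In the ACL2 logic every function is total: (car 7) is nil and (+ 'a 2)
;; is 2, because the primitives coerce ill-typed arguments to defaults.
;; The :guard is NOT part of the definitional axiom; it only states the
;; domain on which the compiled Common Lisp code may be run directly.
(defun sum-list (x)
  (declare (xargs :guard (rational-listp x)))
  (if (consp x)
      (+ (car x) (sum-list (cdr x)))
    0))

;; Because sum-list is total, this theorem needs no hypothesis that A and B
;; are lists of numbers, so the induction hypothesis is unrestricted and the
;; proof goes through by induction on A.  (The paper, citing [27], notes that
;; such hypotheses weaken induction and must later be relieved by every user.)
(defthm sum-list-append
  (equal (sum-list (append a b))
         (+ (sum-list a) (sum-list b))))

;; In the logic, non-numbers contribute 0, so this is provable by evaluation.
;; Typed at the top level with guard checking on, (sum-list '(1 a 2)) instead
;; signals a guard violation, because (rational-listp '(1 a 2)) is nil.
(defthm sum-list-of-non-numbers
  (equal (sum-list '(1 a 2)) 3)
  :rule-classes nil)

;; The second extension principle: encapsulate introduces a function f
;; known only through its exported constraint.  The local witness shows the
;; constraint is satisfiable, which is why the extension preserves consistency.
(encapsulate
  (((f *) => *))
  (local (defun f (x) (* 2 x)))
  (defthm f-of-rational-is-rational
    (implies (rationalp x)
             (rationalp (f x)))))

;; Whatever follows from the constraint alone holds for every f satisfying it.
(defthm f-of-rational-list-element
  (implies (and (rational-listp l) (consp l))
           (rationalp (f (car l)))))
```

The guard on `sum-list` is verified when the definition is admitted, which is what lets ACL2 run it as raw Common Lisp on well-formed input; the theorems about it are stated and proved in the total logic without ever mentioning the guard.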

### Citations

- 1387 citations | McMillan. Symbolic Model Checking.
  Context: ...e or two representative systems. Certainly the areas below contain considerable overlap. • Provers providing strong support for specification of computing systems (see below) • CTL model checkers [29, 11] • Geometry provers [13] • First-order provers [28] • Classical Mathematics [21], [41] • Constructive Mathematics [15, 16] • Provers with symbolic computation engines [14] • Meta-theoretic...

- 313 citations | McCune (1994). Otter 3.0 reference manual and guide.
  Context: ...contain considerable overlap. • Provers providing strong support for specification of computing systems (see below) • CTL model checkers [29, 11] • Geometry provers [13] • First-order provers [28] • Classical Mathematics [21], [41] • Constructive Mathematics [15, 16] • Provers with symbolic computation engines [14] • Meta-theoretic systems [34] Provers in the first category are disting...

- 207 citations | Gordon and Melham, editors (1993). Introduction to HOL: A theorem proving environment for higher order logic.
  Context: ...f the other categories; conversely, some provers in the other categories could be placed in this one. The first category may be subdivided as follows. • Higher-order tactic-based provers, e.g., HOL [20] • Higher-order heavily-automated provers, e.g., PVS [18] • First-order heavily-automated provers, e.g., ACL2 and Nqthm • Provers integrated into program verification systems, e.g., Never/EVES [...

- 145 citations | Paulson (1994). Isabelle: A Generic Theorem.
  Context: ...etry provers [13] • First-order provers [28] • Classical Mathematics [21], [41] • Constructive Mathematics [15, 16] • Provers with symbolic computation engines [14] • Meta-theoretic systems [34] Provers in the first category are distinguished by the conveniences they offer for specifying computing systems. Cases could be made that each prover in the first category has capabilities in most of ...

- 64 citations | Srivas, Miller (1996). Applying formal verification to the AAMP5 microprocessor: A case study in the industrial use of formal methods.
  Context: ...and traps (but excluding the hard and soft reset sequences). The CAP is much more complex than other processors recently subjected to formal modeling, namely the FM9001 [22], MC68020 [10], and AAMP5 [30]. In principle, a CAP single instruction can simultaneously modify well over 100 registers. Brock's ACL2 model of the CAP is bit-accurate and cycle-accurate but runs faster than Motorola's SPW model. ...

- 44 citations | Kaufmann (1988). A user's manual for an interactive enhancement to the Boyer-Moore theorem prover.
  Context: ...scriptions and links to the home pages of the systems mentioned and many more. 2. History ACL2 is a direct descendant of the Boyer-Moore system, Nqthm [8, 9], and its interactive enhancement, Pc-Nqthm [23]. See [7] for an introduction to the two ancestral systems, including a reasonably large set of references for accomplishments using the systems. A few particular successes are described in [4, 5, 10,...

- 32 citations | Moore, Kaufmann (1998). A mechanically checked proof of the correctness of the kernel of the AMD5K86 floating-point division algorithm.
  Context: ...jobs of interest to industry. The first two important applications of ACL2 support our claims that it is up to the task. These applications, summarized below, are discussed in more detail in [12] and [31], where we also detail the time and manpower resources spent on the component tasks. 7.1. Motorola CAP Digital Signal Processor Bishop Brock of CLI, working in collaboration with Motorola, Inc., produ...

- 15 citations | Young (1996). Comparing verification systems: Interactive Consistency.
  Context: ...vily-automated provers, e.g., ACL2 and Nqthm • Provers integrated into program verification systems, e.g., Never/EVES [17] Again, space does not permit detailed comparisons here. Bill Young's paper [42] in this Special Issue compares PVS and ACL2 on a particular example. ACL2's ancestral system, Nqthm, is compared to NuPRL in [3]. It is extremely difficult to compare two general-purpose theorem prov...

- 14 citations | Kaufmann, Pecchiari (1996). Interaction with the Boyer-Moore Theorem Prover: A Tutorial Study Using the Arithmetic-Geometric Mean Theorem.
  Context: ...nably large set of references for accomplishments using the systems. A few particular successes are described in [4, 5, 10, 22, 32, 26, 36, 38]. A tutorial introduction to the systems may be found in [24]. Like Nqthm, ACL2 supports a Lisp-like, first-order, quantifier-free mathematical logic based on recursively defined total functions. Experience with the earlier systems supports the claim that such ...

- 10 citations | Brock (1992). A Formal HDL and its use.
  Context: ...Nqthm [23]. See [7] for an introduction to the two ancestral systems, including a reasonably large set of references for accomplishments using the systems. A few particular successes are described in [4, 5, 10, 22, 32, 26, 36, 38]. A tutorial introduction to the systems may be found in [24]. Like Nqthm, ACL2 supports a Lisp-like, first-order, quantifier-free mathematical logic based on recursively defined total functions. Expe...

- 9 citations | Russinoff (1992). A mechanical proof of quadratic reciprocity.
  Context: same passage as the preceding entry (cited among the successes in [4, 5, 10, 22, 32, 26, 36, 38]).

- 8 citations | Kunen (1995). A Ramsey Theorem in Boyer-Moore Logic.
  Context: same passage as the Brock (1992) entry (cited among the successes in [4, 5, 10, 22, 32, 26, 36, 38]).

- 8 citations | Russinoff (1997). A Mechanically Checked Proof of Correctness of the AMD5K86 Floating-Point Square Root Microcode.
  Context: ...ssemble the final results. Subsequent to our proof of the floating-point division microcode, David Russinoff used ACL2 to prove the correctness of the AMD5K86's floating-point square root microcode [37]. 8. Conclusion ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. The ACL2 logic is an extension of a large ...

- 8 citations | Trybulec (1990). Built-in Concepts.
  Context: ...vers providing strong support for specification of computing systems (see below) • CTL model checkers [29, 11] • Geometry provers [13] • First-order provers [28] • Classical Mathematics [21], [41] • Constructive Mathematics [15, 16] • Provers with symbolic computation engines [14] • Meta-theoretic systems [34] Provers in the first category are distinguished by the conveniences they offer ...

- 7 citations | Gilfeather, Gehman, et al. (1994). Architecture of a Complex Arithmetic Processor for Communication Signal Processing.
  Context: ...the component tasks. 7.1. Motorola CAP Digital Signal Processor Bishop Brock of CLI, working in collaboration with Motorola, Inc., produced an executable formal ACL2 specification of the Motorola CAP [19], a digital signal processor designed by Motorola to execute a 1024 point complex FFT in 131 microseconds. Every well-defined behavior of the CAP is modeled, including the pipeline, I/O, interrupts, b...

- 6 citations | Crow, Owre, et al. (1995). A Tutorial Introduction to PVS, presented at ...
  Context: ...er categories could be placed in this one. The first category may be subdivided as follows. • Higher-order tactic-based provers, e.g., HOL [20] • Higher-order heavily-automated provers, e.g., PVS [18] • First-order heavily-automated provers, e.g., ACL2 and Nqthm • Provers integrated into program verification systems, e.g., Never/EVES [17] Again, space does not permit detailed comparisons here....

- 6 citations | Moore (1994). Introduction to the OBDD Algorithm for the ATP.
  Context: ... of Nqthm is its lack of theorem proving power: if it would quickly settle every question put to it, one could proceed more efficiently. While we are always looking for better proof techniques (e.g., [33]), we do not know how to build a significantly more powerful and automatic theorem prover for Nqthm's logic. Therefore, to "scale up" Nqthm we focused on engineering issues. We decided that a good f...

- 5 citations | Pitman et al. (1994). Draft proposed American National Standard for Information Systems.
  Context: ...d the first public version of ACL2 in September, 1995. See the URL http://www.cli.com. 3. The ACL2 Logic The definition of Common Lisp used in our work has been [39, 40]. We have also closely studied [35]. The ACL2 logic is a first-order, quantifier-free logic of total recursive functions providing mathematical induction on the ordinals up to ε_0 and two extension principles: one for recursive defin...

- 3 citations | Craigen, Kromodimoeljo, et al. (1991). EVES: An Overview. Odyssey Research.
  Context: ...] • Higher-order heavily-automated provers, e.g., PVS [18] • First-order heavily-automated provers, e.g., ACL2 and Nqthm • Provers integrated into program verification systems, e.g., Never/EVES [17] Again, space does not permit detailed comparisons here. Bill Young's paper [42] in this Special Issue compares PVS and ACL2 on a particular example. ACL2's ancestral system, Nqthm, is compared to NuP...

- 1 citation | Kaufmann, Moore (1995). High-Level Correctness of ACL2: A Story (DRAFT).
  Context: ...y lists in a manner similar to that for arrays. 3.6. Extension Principles Finally, ACL2 has two extension principles: definition and encapsulation. Both preserve the consistency of the extended logic [25]. Indeed, the standard model of numbers and lists can always be extended to include the newly introduced function symbols. (Inconsistency can thus be caused only if the user adds a new axiom directly ...

- 1 citation | Lamport (1995). Types are Not Harmless, http://www.research.digital.com/SRC/tla/tla.html.
  Context: ...ten harder to prove by induction because the induction hypothesis is weakened; • they are harder to use subsequently because one must relieve their hypotheses. Some of these same points are made in [27]. The decision that guards will not affect the definitional axioms thus has a far reaching effect. In fact, guards did play a logical role in earlier versions of ACL2, and we were driven to return to ...

- 1 citation | Moore (1994). A Formal Model of Asynchronous Communication and Its Use in Mechanically Verifying a Biphase Mark Protocol, Formal Aspects of Computing 6(1).