An industrial strength theorem prover for a logic based on Common Lisp

M. Kaufmann, J.S. Moore
1997 IEEE Transactions on Software Engineering  
ACL2 is a re-implemented extended version of Boyer and Moore's Nqthm and Kaufmann's Pc-Nqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language, namely a large applicative subset of Common Lisp, while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K86 microprocessor by Advanced Micro Devices, Inc.

Index terms: formal verification, automatic theorem proving, computational logic, partial functions, total functions, type checking, microcode verification, floating point division, digital signal processing

Matt Kaufmann is with Motorola @ Lakewood,

- Provers providing strong support for specification of computing systems (see below)
- CTL model checkers [29, 11]
- Geometry provers [13]
- First-order provers [28]
- Classical Mathematics [21], [41]
- Constructive Mathematics [15, 16]
- Provers with symbolic computation engines [14]
- Meta-theoretic systems [34]

Provers in the first category are distinguished by the convenience they offer for specifying computing systems. Cases could be made that each prover in the first category has capabilities in most of the other categories; conversely, some provers in the other categories could be placed in this one. The first category may be subdivided as follows.

- Higher-order tactic-based provers, e.g., HOL [20]
- Higher-order heavily-automated provers, e.g., PVS [18]
- First-order heavily-automated provers, e.g., ACL2 and Nqthm
- Provers integrated into program verification systems, e.g., Never/EVES [17]

Again, space does not permit detailed comparisons here. Bill Young's paper [42] in this Special Issue compares PVS and ACL2 on a particular example. ACL2's ancestral system, Nqthm, is compared to NuPRL in [3]. It is extremely difficult to compare two general-purpose theorem provers, at least in part because experienced users can dramatically affect system behavior by proper formulation of the problems. That said, other systems cited above support logics more powerful than that of ACL2. On the other hand, ACL2's theorem prover encourages more reliance by the user on the system's automatic aspects. For users happy with an essentially quantifier-free, first-order logic, we believe that ACL2 offers more overall convenience for the type of reasoning required to model and prove properties of digital computing systems. In addition to the sophisticated inference engine it provides, ACL2 provides extremely efficient evaluation, often allowing formal models to serve as simulators for the systems described. This, in turn, provides some immediate proof-independent payoff, e.g., requirements testing and code development. Additional reasons for ACL2's convenience can be broadly lumped into the "proof engineering" considerations discussed in Section 6.

See the URL http://www-formal.stanford.edu/clt/ARS/ars-db.html for a database of automated reasoning systems, including brief descriptions and links to the home pages of the systems mentioned and many more.

We emphasize the word "significantly" here because ACL2's theorem prover is in fact more powerful than Nqthm in many ways. See Section 6.

Axioms for Primitive Data Types

The following primitive data types are axiomatized.
doi:10.1109/32.588534 fatcat:bzb42znaqrfg7jn4ybn4ptyk5y