## No full-text available

To read the full-text of this research,

you can request a copy directly from the author.

ACL2 is a first-order, essentially quantifier free logic of computable recursive functions based on an applicative subset
of Common Lisp. It supports lists as a primitive data structure. We describe how we have formalized a practical finite set
theory for ACL2. Our finite set theory “book” includes set equality, set membership, the subset relation, set manipulation
functions such as union, intersection, etc., a choice function, a representation of finite functions as sets of ordered pairs
and a collection of useful functions for manipulating them (e.g., domain, range, apply) and others. The book provides many
lemmas about these primitives, as well as macros for dealing with set comprehension and some other “higher order” features
of set theory, and various strategies or tactics for proving theorems in set theory. The goal of this work is not to provide
“heavy duty set theory” - a task more suited to other logics - but to allow the ACL2 user to use sets in a “light weight”
fashion in specifications, while continuing to exploit ACL2’s efficient executability, built in proof techniques for certain
domains, and extensive lemma libraries.

To read the full-text of this research,

you can request a copy directly from the author.

... Why reimplement set theory in ACL2? After all, the standard implementation [7] is already well distributed, documented, and quite good. Its congruence-oriented reasoning is extensible to a user's functions, and its defx macro provides access to more advanced proof strategies. ...

... In particular, functions like union and intersection, which are quite easy to reason about in the list world (where order and duplication matter but are simply ignored), become quite difficult to reason about in the set world, where most of the attention is paid to the sorting of the output with respect to the total ordering. " [7] Beneath these words lies a challenging problem: how can the realities of an ordered implementation be abstracted away into the traditional view of sets as unordered collections? Success here is crucial: reasoning about union and intersection should not be based on the underlying implementation, but rather through an abstract, membership-based approach. ...

... ACL2 functions are total, so set operations must be defined not only for sets, but also for non-set objects. As in [7] , we adopt the non-set convention: if a function is passed a non-set object where a set is expected, we treat the object as the empty set. As a result of this decision, many theorems need not have extra hypotheses. ...

We present a new finite set theory implementation for ACL2 wherein sets are implemented as fully ordered lists. This order unifies the notions of set equality and element equality by creating a unique represen-tation for each set, which in turn enables nested sets to be trivially supported and eliminates the need for congruence rules. We demonstrate that ordered sets can be reasoned about in the traditional style of membership argu-ments. Using this technique, we prove the classic properties of set operations in a natural and effort-less manner. We then use the exciting new MBE feature of ACL2 to provide linear-time implementa-tions of all basic set operations. These optimizations are made "behind the scenes" and do not adversely impact reasoning ability. We finally develop a framework for reasoning about quantification over set elements. We also begin to provide common higher-order patterns from func-tional programming. The net result is an efficient library that is easy to use and reason about.

... Still, conses are flexible enough that we can imagine representing sets in many different ways (e.g., lists or trees, ordered or unordered, with duplicates permitted or not). Moore [5] has implemented finite set theory in ACL2 using unordered lists that permit duplicates. In his library a set may have many representations, e.g., the set {1, 2} can be represented either by any of the lists (1 2), (2 1), (1 1 2), etc., so a new function is needed to test if sets are equivalent. ...

... Like setp, our other set operations (e.g., union) must return some value not only when they are applied to sets, but also when they are given non-sets as inputs. As in [5], we adopt a sweeping non-set convention: if one of our functions is passed a non-set object where a set is expected, we treat the object as the empty set, nil. This is a fairly standard trick among ACL2 users, and essentially it amounts to mapping the universe of ACL2 objects into the universe of sets such that all of the sets map to themselves, and anything which is not a set is mapped to some sensible default. ...

We present a finite set theory implementation for ACL2. Our library represents sets as fully ordered lists, and provides efficient implementations of the typical set theory operations such as insertion, deletion, union, intersection, difference, cardinality, and sorting lists to create sets. It also includes facilities for quantifying predicates over sets, filtering sets by some criteria, and taking images of sets. We demonstrate that despite our insistence on full order, it is possible to mirror traditional set theoretic proof techniques and reason through membership. At the same time, we are able to benefit from having a unique representation for each set, which unifies the notions of set and element equality and allows us to handle nested sets trivially.

... In Section 3, we define sorting functions that satisfy the above properties. In Section 4 we show how to simplify J Moore's finite set theory book [12]. In Section 5, we show how to simplify a book on records due to Kaufmann and Sumners [14,10]. ...

... (See the discussion of pairs of socks in Section 2.3.) In this section, we examine J Moore's book on finite set theory [12] and show how it can be simplified with the use of a total order. J Moore's books on set theory, which can also be found in the ACL2 distribution in directory books/finite-set-theory/, are included in the supporting books. ...

We show that adding a total order to ACL2, via new axioms, allows for simpler and more elegant de nitions of functions and libraries of theorems. We motivate the need for a total order with a simple example and explain how a total order can be used to simplify existing libraries of theorems (i.e., ACL2 books) on nite set theory and records. These ideas have been incorporated into ACL2 Version 2.6, which includes axioms positing a total order on the ACL2 universe.

... TLA + is based in set theory, so we need an effective framework to reason about sets in ACL2. Our translation scheme builds upon the finite set theory work developed by Moore [7]; we will assume familiarity with it. (We also assume familiarity with ACL2 [3] and with TLA + [5].) ...

We describe the use of the ACL2 theorem prover to model and verify properties of TLA + specifications. We have written a trans-lator whose input is a TLA + specification along with conjectures and structured proofs of properties of the specification. The translator's out-put is an ACL2 model of the specification, and a list of ACL2 conjectures corresponding to those sections of the proof outlines flagged for mechan-ical verification. We have used our tools to translate the Disk Synod algorithm, and to verify two invariants of the algorithm.

... We would like to prove the basic " record theorems " about memtrees. To eliminate some hypotheses, we can redesign the load and store functions so that they " fix " their arguments as in [1, 5]. We treat bad depths and addresses as if they were zero, and ill-formed memtrees as if they were nil. ...

We have written a new records library for modelling fixed- size arrays and linear memories. Our implementation pro- vides fixnum-optimized O(log2 n) reads and writes from ad- dresses 0,1,...,n 1. Space is not allocated until locations are used, so large address spaces can be represented. We do not use single-threaded objects or ACL2 arrays, which frees the user from syntactic restrictions and slow-array warnings. Finally, we can prove the same hypothesis-free rewrite rules found in misc/records for ecient rewriting during theo- rem proving.

A logic for specification and verification is derived from the axioms of Zermelo-Fraenkel set theory. The proofs are performed using the proof assistant Isabelle. Isabelle is generic, supporting several different logics. Isabelle has the flexibility to adapt to variants of set theory. Its higher-order syntax supports the definition of new binding operators. Unknowns in subgoals can be instantiated incrementally. The paper describes the derivation of rules for descriptions, relations and functions, and discusses interactive proofs of Cantor 's Theorem, the Composition of Homomorphisms challenge [9], and Ramsey 's Theorem [5]. A generic proof assistant can stand up against provers dedicated to particular logics. Key words. Isabelle, set theory, generic theorem proving, Ramsey's Theorem, higher-order syntax Copyright c fl 1998 by Lawrence C. Paulson Research funded by the SERC (grants GR/G53279, GR/H40570) and by the ESPRIT Basic Research Actions 3245 `Logical Frameworks' and ...

this article is to construct a language of the ZF set theory and to develop a notational and conceptual base which facilitates a convenient usage of the language. MML Identifier: ZFLANG.

Computer-Aided Reasoning: ACL2 Case Studies illustrates how the computer-aided reasoning system ACL2 can be used in productive and innovative ways to design, build, and maintain hardware and software systems. Included here are technical papers written by twenty-one contributors that report on self-contained case studies, some of which are sanitized industrial projects. The papers deal with a wide variety of ideas, including floating-point arithmetic, microprocessor simulation, model checking, symbolic trajectory evaluation, compilation, proof checking, real analysis, and several others.
Computer-Aided Reasoning: ACL2 Case Studies is meant for two audiences: those looking for innovative ways to design, build, and maintain hardware and software systems faster and more reliably, and those wishing to learn how to do this. The former audience includes project managers and students in survey-oriented courses. The latter audience includes students and professionals pursuing rigorous approaches to hardware and software engineering or formal methods. Computer-Aided Reasoning: ACL2 Case Studies can be used in graduate and upper-division undergraduate courses on Software Engineering, Formal Methods, Hardware Design, Theory of Computation, Artificial Intelligence, and Automated Reasoning.
The book is divided into two parts. Part I begins with a discussion of the effort involved in using ACL2. It also contains a brief introduction to the ACL2 logic and its mechanization, which is intended to give the reader sufficient background to read the case studies. A more thorough, textbook introduction to ACL2 may be found in the companion book, Computer-Aided Reasoning: An Approach.
The heart of the book is Part II, where the case studies are presented. The case studies contain exercises whose solutions are on the Web. In addition, the complete ACL2 scripts necessary to formalize the models and prove all the properties discussed are on the Web. For example, when we say that one of the case studies formalizes a floating-point multiplier and proves it correct, we mean that not only can you read an English description of the model and how it was proved correct, but you can obtain the entire formal content of the project and replay the proofs, if you wish, with your copy of ACL2.
ACL2 may be obtained from its home page. The results reported in each case study, as ACL2 input scripts, as well as exercise solutions for both books, are available from this page.

We are motivated not by an abstract ideal of elegance, but by the practical problem of reasoning about real algorithms. Rigorous reasoning is the only way to avoid subtle errors in concurrent algorithms, and we want to make reasoning as simple as possible by making the underlying formalism simple. How can we abandon conventional programming,languages in favor of logic if the algorithm must be coded as a program to be executed?The answer is that we almost always reason about an abstract algorithm, not about a concurrent program that is actually executed. A typical example is the distributed spanning-tree algorithm used in the Autonet local area network [Schroeder et al. 1990]. The algorithm can be described in about one page of pseudo-code, but its implementation required Author’s address: Systems Research Center, Digital Equipment Corporation, 130 Lytton Avenue,

The temporal logic of actions (TLA) is a logic for specifying and reasoning about concurrent systems. Systems and their properties are represented in the same logic, so the assertion that a system meets its specification and the assertion that one system implements another are both expressed by logical implication. TLA is very simple; its syntax and complete formal semantics are summarized in about a page. Yet, TLA is not just a logician's toy; it is extremely powerful, both in principle and in practice. This report introduces TLA and describes how it is used to specify and verify concurrent algorithms. The use of TLA to specify and reason about open systems will be described elsewhere.

The majority of general purpose mechanised proof assistants support versions of typed higher order logic, even though set theory is the standard foundation for mathematics. For many applications higher order logic works well and provides, for specification, the benefits of type-checking that are well-known in programming. However, there are areas where types get in the way or seem unmotivated. Furthermore, most people with a scientific or engineering background already know set theory, but not higher order logic. This paper discusses some approaches to getting the best of both worlds: the expressiveness and standardness of set theory with the efficient treatment of functions provided by typed higher order logic.

Experience has shown that large or multi-user interactive proof efforts can benefit significantly from structuring mechanisms, much like those available in many modern programming languages. Such a mechanism can allow some lemmas and definitions to be exported, and others not. In this paper we address two such structuring mechanisms for the ACL2 theorem prover: encapsulation and books. After presenting an introduction to ACL2, this paper justifies the implementation of ACL2's structuring mechanisms and, more generally, formulates and proves high-level correctness properties of ACL2. The issues in the present paper are relevant not only for ACL2 but also for other theorem-proving environments.

We use the ACL2 theorem prover to verify invariants of a distributed algorithm specified in TLA (Temporal Logic of Actions). The algorithm, Disk Synod, achieves consensus among a set of processors communicating through disks. We discuss the translation of TLA specifications into a finite set theory framework in ACL2, as well as the proof of two invariant properties of Disk Synod.

Recursion by choose In http:// www. cs. utexas. edu/ users/ moore/ publications/ finite-set-theory/ recursion-by-choose. lisp

- J S Moore