No full-text available
To read the full-text of this research,
you can request a copy directly from the author.
Finite set theory based on fully ordered lists
Abstract
We present a new finite set theory implementation for ACL2 wherein sets are implemented as fully ordered lists. This order unifies the notions of set equality and element equality by creating a unique represen-tation for each set, which in turn enables nested sets to be trivially supported and eliminates the need for congruence rules. We demonstrate that ordered sets can be reasoned about in the traditional style of membership argu-ments. Using this technique, we prove the classic properties of set operations in a natural and effort-less manner. We then use the exciting new MBE feature of ACL2 to provide linear-time implementa-tions of all basic set operations. These optimizations are made "behind the scenes" and do not adversely impact reasoning ability. We finally develop a framework for reasoning about quantification over set elements. We also begin to provide common higher-order patterns from func-tional programming. The net result is an efficient library that is easy to use and reason about.
... @BULLET The std/osets [5] library functions treat non-sets as nil. ...
... " As a result, fixing conventions were used liberally in their new theorem prover, e.g., throughout its completion axioms for primitive functions on numbers, characters, strings, etc. Since then, many ACL2 libraries such as std/osets [5] and bitops, have made heavy use of the technique. Perhaps the most extreme examples are found in misc/records [14] and related work such as typed records [11], defexec-enhanded records [12], memories [6], and defrstobj, which each use sophisticated, convoluted fixing functions to achieve hypothesis-free read-over-write theorems. ...
When using existing ACL2 datatype frameworks, many theorems require type
hypotheses. These hypotheses slow down the theorem prover, are tedious to
write, and are easy to forget. We describe a principled approach to types that
provides strong type safety and execution efficiency while avoiding type
hypotheses, and we present a library that automates this approach. Using this
approach, types help you catch programming errors and then get out of the way
of theorem proving.
... We would like to prove the basic " record theorems " about memtrees. To eliminate some hypotheses, we can redesign the load and store functions so that they " fix " their arguments as in [1, 5]. We treat bad depths and addresses as if they were zero, and ill-formed memtrees as if they were nil. ...
... The virtues of hypothesis-free, equal-based rewrite rules have been promoted in previous workshop papers. To support such rules, a total order was added to ACL2 [7] , leading to the misc/records library and also to my ordered sets library [1] . The memories presented here follow this tradition . ...
We have written a new records library for modelling fixed- size arrays and linear memories. Our implementation pro- vides fixnum-optimized O(log2 n) reads and writes from ad- dresses 0,1,...,n 1. Space is not allocated until locations are used, so large address spaces can be represented. We do not use single-threaded objects or ACL2 arrays, which frees the user from syntactic restrictions and slow-array warnings. Finally, we can prove the same hypothesis-free rewrite rules found in misc/records for ecient rewriting during theo- rem proving.
... Bash [2] is used to simplify formulae before and during pattern matching. This method is strictly more powerful than that employed by Davis' pick-a-point strategy [1], though perhaps similar to the method employed by Moore in his :consider hints library [3]. ...
ACL2 allows users to define predicates whose logical behavior mimics that of universally or existentially quantified formulae. Proof support for such quantification, however, is quite limited. We present an ACL2 framework that employs tables, computed hints and clause processing to identify quantified formulae and to skolemize or instantiate them when possible. We demonstrate how the framework can be used to prove automatically the forall-p-append example presented in the ACL2 documentation.
... To reason about AIGEQUIV in ACL2, we use the witness 1 clause processor, which is much like Greve's quant system [19] for automatically Skolemizing and instantiating quantified formulas. When ACL2 tries to prove a conclusion of the form AIGEQUIV(a, b), this clause processor reduces the problem to showing that a and b have the same evaluation under a particular env, similar to the pick-apoint strategy used in Davis' osets library [13]. Going further, when we have a hypothesis of the form AIGEQUIV(a, b), the clause processor will add a witnessing environments env for which a and b are known to produce the same evaluation. ...
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions
(like circuits). AIG simplification algorithms can dramatically reduce an AIG,
and play an important role in modern hardware verification tools like
equivalence checkers. In practice, these tricky algorithms are implemented with
optimized C or C++ routines with no guarantee of correctness. Meanwhile, many
interactive theorem provers can now employ SAT or SMT solvers to automatically
solve finite goals, but no theorem prover makes use of these advanced,
AIG-based approaches.
We have developed two ways to represent AIGs within the ACL2 theorem prover.
One representation, Hons-AIGs, is especially convenient to use and reason
about. The other, Aignet, is the opposite; it is styled after modern AIG
packages and allows for efficient algorithms. We have implemented functions for
converting between these representations, random vector simulation, conversion
to CNF, etc., and developed reasoning strategies for verifying these
algorithms.
Aside from these contributions towards verifying AIG algorithms, this work
has an immediate, practical benefit for ACL2 users who are using GL to
bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf
SAT solver to carry out the proof, instead of using the built-in BDD package.
Looking to the future, it is a first step toward implementing verified AIG
simplification algorithms that might further improve GL performance.
... However, while inductive invariants are defined by a user for a specific system, rewrite rules are proven facts about the functions used to model the system and can be used in other systems using the same functions. It is customary for the users of a theorem prover to design rules that simplify terms which arise during proofs [2] [3]. We found that most of the rules necessary for our work are generic, and already available as proven theorems in a deductive setting. ...
We present a deductive method for proving invariants of reactive systems. Our approach uses term rewriting to reduce invariant proofs to reachability analysis on a finite graph. This substantially auto-mates invariant proofs by obviating the need to define inductive invariants while still benefitting from the expressiveness of deductive methods. We implement a procedure supporting this approach which interfaces with the ACL2 theorem prover. The interface affords sound extension of our procedure with rewrite rules based on proven theorems. We demonstrate the method in the verification of cache coherence protocols.
... Mergesort splits the data into symmetric chunks for computation, so we increment the depth argument during the recursive call on both the car and cdr. A parallelized version of mergesort based on Davis's Ordered Sets library [5] can be found in the supportive scripts. A less intrusive method involves analyzing the data itself for structural properties. ...
We have implemented parallelism primitives that permit an ACL2 programmer to parallelize execution of ACL2 func- tions. We (1) introduce logical definitions for these primi- tives, (2) explain the features of our extension, (3) give an evaluation strategy for our implementation, and (4) use the parallelism primitives in examples to show speedup.
... Matthews and Vroon [40] also use mbt to define an efficient machine simulator. Davis [19] implements efficient finite set theory operations using mbe. ...
We describe a method to permit the user of a mathematical logic to write elegant logical definitions while allowing sound and efficient execu- tion. We focus on the ACL2 logic and automated reasoning environment. ACL2 is used by industrial researchers to describe microprocessor designs and other complicated digital systems. Properties of the designs can be formally established with the theorem prover. But because ACL2 is also a functional programming language, the formal models can be executed as simulation engines. We implement features that afford these dual ap- plications, namely formal proof and execution on industrial test suites. In particular, the features allow the user to install, in a logically sound way, alternative executable counterparts for logically-defined functions. These alternatives are often much more efficient than the logically equivalent terms they replace. We discuss several applications of these features.
... by Jared Davis and Sorin Stratulat, of a conjecture on sorted lists, done resp. by Jared Davis and Sorin Stratulat, with ACL2 using a library for ordered sets [12] and with SPIKE [6,1,17]. Both proofs require the addition of non-trivial lemmas whereas our procedure can prove the conjecture without additional lemma. ...
We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists...
Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints.
We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several non-trivial examples presented in the paper, these examples are difficult (if not impossible) to specify and carry on automatically with other induction procedures.
... A proof of Conjecture (2) was done by Jared Davis 4 with the ACL2 theorem prover, using his library osets for finite set theory [15]. In this library, sets are implemented on fully ordered lists (wrt an ordering <<). ...
We propose a procedure for automated implicit inductive theorem proving for equational specifications made of rewrite rules with conditions and constraints. The constraints are interpreted over constructor terms (representing data values), and may express syntactic equality, disequality, ordering and also membership in a fixed tree language. Constrained equational axioms between constructor terms are supported and can be used in order to specify complex data structures like sets, sorted lists, trees, powerlists... Our procedure is based on tree grammars with constraints, a formalism which can describe exactly the initial model of the given specification (when it is sufficiently complete and terminating). They are used in the inductive proofs first as an induction scheme for the generation of subgoals at induction steps, second for checking validity and redundancy criteria by reduction to an emptiness problem, and third for defining and solving membership constraints. We show that the procedure is sound and refutationally complete. It generalizes former test set induction techniques and yields natural proofs for several non-trivial examples presented in the paper, these examples are difficult to specify and carry on automatically with related induction procedures.
A method for analyzing designs and their specifications is presented. The method makes essential use of an interactive theorem prover, but is fully automatic. Given a design and a specification, the method returns one of three possible answers. It can report that the design does not satisfy the specification, in which case a concrete counterexample is provided. It can report that the design does satisfy the specification, in which case a formal proof to that effect is provided. If neither of these cases hold, then a summary of the analysis is reported. We have implemented and experimentally validated the method in ACL2s, the ACL2 Sedan.
We present a framework for the specification and verification of reactive concurrent programs using general-purpose mechanical theorem proving. We define specifications for concurrent programs by formalizing a notion of refinements analogous to stuttering trace containment. The formalization supports the definition of intuitive specifications of the intended behavior of a program. We present a collection of proof rules that can be effectively orchestrated by a theorem prover to reason about complex programs using refinements. The proof rules systematically reduce the correctness proof for a concurrent program to the definition and proof of an invariant. We include automated support for discharging this invariant proof with a predicate abstraction tool that leverages the existing theorems proven about the components of the concurrent programs. The framework is integrated with the ACL2 theorem prover and we demonstrate its use in the verification of several concurrent programs in ACL2.
Not available Electrical and Computer Engineering
In some cases, when we develop a formal theory in ACL2, it would be desirable that the definitions and theorems of the theory be as independent of a concrete implementation as possible. This is particularly interesting when we design theories about basic data types, making those developments more general, reusable and extensible. At the same time, it would also be desirable to be able to instantiate (in a convenient way) the definitions and theorems of the theory, for a concrete implementation. In this paper we present the development of a particular generic theory, and a tool to instantiate its events. As a case study we have chosen to describe a generic theory about finite multisets. It is also shown how this generic theory can be instantiated (using several macros we have defined) to build a theory about two diferent implementations of multisets. Finally we propose some directions for further research in this topic.
ACL2 is a first-order, essentially quantifier free logic of computable recursive functions based on an applicative subset
of Common Lisp. It supports lists as a primitive data structure. We describe how we have formalized a practical finite set
theory for ACL2. Our finite set theory “book” includes set equality, set membership, the subset relation, set manipulation
functions such as union, intersection, etc., a choice function, a representation of finite functions as sets of ordered pairs
and a collection of useful functions for manipulating them (e.g., domain, range, apply) and others. The book provides many
lemmas about these primitives, as well as macros for dealing with set comprehension and some other “higher order” features
of set theory, and various strategies or tactics for proving theorems in set theory. The goal of this work is not to provide
“heavy duty set theory” - a task more suited to other logics - but to allow the ACL2 user to use sets in a “light weight”
fashion in specifications, while continuing to exploit ACL2’s efficient executability, built in proof techniques for certain
domains, and extensive lemma libraries.
ACL2 is a reimplemented extended version of R.S. Boyer and J.S.
Moore's (1979; 1988) Nqthm and M. Kaufmann's (1988) Pc-Nqthm, intended
for large scale verification projects. The paper deals primarily with
how we scaled up Nqthm's logic to an industrial strength”
programming language-namely, a large applicative subset of Common
Lisp-while preserving the use of total functions within the logic. This
makes it possible to run formal models efficiently while keeping the
logic simple. We enumerate many other important features of ACL2 and we
briefly summarize two industrial applications: a model of the Motorola
CAP digital signal processing chip and the proof of the correctness of
the kernel of the floating point division algorithm on the AMD5<sub>K
</sub>86 microprocessor by Advanced Micro Devices, Inc
ACL2 is a theorem proving system under development at Computational Logic, Inc., by the authors of the Boyer-Moore system, Nqthm, and its interactive enhancement, Pc-Nqthm, based on our perceptions of some of the inadequacies of Nqthm when used in large-scale verification projects. Foremost among those inadequacies is the fact that Nqthm's logic is an inefficient programming language. We now recognize that the efficiency of the logic as a programming language is of great importance because the models of microprocessors, operating systems, and languages typically constructed in verification projects must be executed to corroborate them against the realities they model. Simulation of such large scale systems stresses the logic in ways not imagined when Nqthm was designed. In addition, Nqthm does not adequately support certain proof techniques, nor does it encourage the reuse of previously developed libraries or the collaboration of semi-autonomous workers on different parts of a verifica...
We show that adding a total order to ACL2, via new axioms, allows for simpler and more elegant de nitions of functions and libraries of theorems. We motivate the need for a total order with a simple example and explain how a total order can be used to simplify existing libraries of theorems (i.e., ACL2 books) on nite set theory and records. These ideas have been incorporated into ACL2 Version 2.6, which includes axioms positing a total order on the ACL2 universe.
We give a useful set of unconditional rewrite rules for reasoning about record structures, which are essentially finite functions. The problem, then, is to define functions for which these rules are true and then prove the rules. We begin with a series of definitions that attempt to satisfy these rules but fall short for various reasons. Then we give two solutions, one of which generalizes to other finite structures. The definitions of our access and update functions are somewhat subtle, complex, and ineffecient, but they return the expected values and the theorems exported are elegant and efficient for automatic, unconditional rewriting.