Article

# Adding a Total Order to ACL2

Authors:
To read the full-text of this research, you can request a copy directly from the author.

## Abstract

We show that adding a total order to ACL2, via new axioms, allows for simpler and more elegant de nitions of functions and libraries of theorems. We motivate the need for a total order with a simple example and explain how a total order can be used to simplify existing libraries of theorems (i.e., ACL2 books) on nite set theory and records. These ideas have been incorporated into ACL2 Version 2.6, which includes axioms positing a total order on the ACL2 universe.

## No full-text available

... To do this, we first need a notion of a total order on ACL2 objects. The details [13] are not relevant, so simply assume that the function is a total order, i.e., it is irreflexive, asymmetric, transitive, and can compare any two ACL2 objects. Like Common Lisp, ACL2 is dynamically typed. ...
Article
We present a finite set theory implementation for ACL2. Our library represents sets as fully ordered lists, and provides efficient implementations of the typical set theory operations such as insertion, deletion, union, intersection, difference, cardinality, and sorting lists to create sets. It also includes facilities for quantifying predicates over sets, filtering sets by some criteria, and taking images of sets. We demonstrate that despite our insistence on full order, it is possible to mirror traditional set theoretic proof techniques and reason through membership. At the same time, we are able to benefit from having a unique representation for each set, which unifies the notions of set and element equality and allows us to handle nested sets trivially.
... We now turn our attention to defining the basic set operations. Our first task is to define the representation of sets. A total order on ACL2 objects, <<, was recently introduced and is available as a standard ACL2 book, misc/total-order. [8] We adopt this order verbatim, but the particular order is unimportant , and we will later consider the possibility of using alternate orders (Section 5). We initially implemented the set recognizer using two functions: unique ensured that the list contained no duplicates, and ordered ensured that all of the elements were in order. Sets ...
Article
We present a new finite set theory implementation for ACL2 wherein sets are implemented as fully ordered lists. This order unifies the notions of set equality and element equality by creating a unique represen-tation for each set, which in turn enables nested sets to be trivially supported and eliminates the need for congruence rules. We demonstrate that ordered sets can be reasoned about in the traditional style of membership argu-ments. Using this technique, we prove the classic properties of set operations in a natural and effort-less manner. We then use the exciting new MBE feature of ACL2 to provide linear-time implementa-tions of all basic set operations. These optimizations are made "behind the scenes" and do not adversely impact reasoning ability. We finally develop a framework for reasoning about quantification over set elements. We also begin to provide common higher-order patterns from func-tional programming. The net result is an efficient library that is easy to use and reason about.
... For example, when a new flag is added, which changes the result of the computation, it is desirable to prove that as long as this flag is turned off, the previous functionality is maintained. Formally verifying the equivalence of programs is an old challenge in the theorem-proving community (see some recent examples in101112 ). The current work can assist such proofs since it offers rules that handle recursive procedures while decomposing the verification task: specifically, the size of each verification condition is proportional to the size of two individual procedures . ...
Chapter
Full-text available
We present two proof rules for the equivalence of recursive procedures, in the style of Hoare’s rule for recursive invocation of procedures. The first rule can be used for proving partial equivalence of programs; the second can be used for proving their mutual termination. There are various applications to these rules, such as proving backward compatibility.
... It is a rather old challenge in the theorem-proving community. A lot of attention has been given to this problem in the ACL2 community (see, e.g., [11, 12]). These works are mostly concerned with program equivalence as a case study for using proof techniques that are generic (i.e., not specific for proving equivalence ). ...
Conference Paper
Full-text available
Proving the equivalence of successive, closely related versions of a program has the potential of being easier in practice than functional verification, although both problems are undecidable. There are two main reasons for this claim: it circumvents the problem of specifying what the program should do, and in many cases it is computationally easier. We study theoretical and practical aspects of this problem, which we call regression verification.
... The virtues of hypothesis-free, equal-based rewrite rules have been promoted in previous workshop papers. To support such rules, a total order was added to ACL2 [7] , leading to the misc/records library and also to my ordered sets library [1] . The memories presented here follow this tradition . ...
Conference Paper
We have written a new records library for modelling fixed- size arrays and linear memories. Our implementation pro- vides fixnum-optimized O(log2 n) reads and writes from ad- dresses 0,1,...,n 1. Space is not allocated until locations are used, so large address spaces can be represented. We do not use single-threaded objects or ACL2 arrays, which frees the user from syntactic restrictions and slow-array warnings. Finally, we can prove the same hypothesis-free rewrite rules found in misc/records for ecient rewriting during theo- rem proving.
... The following simple insertion sort function will serve as the logical view of sorting a list. Here, << is a total order on the ACL2 universe [34]. Defining an efficient in-place quicksort requires the fast random access and fast random (destructive) update of an array. ...
Article
Full-text available
We describe a method to permit the user of a mathematical logic to write elegant logical definitions while allowing sound and efficient execu- tion. We focus on the ACL2 logic and automated reasoning environment. ACL2 is used by industrial researchers to describe microprocessor designs and other complicated digital systems. Properties of the designs can be formally established with the theorem prover. But because ACL2 is also a functional programming language, the formal models can be executed as simulation engines. We implement features that afford these dual ap- plications, namely formal proof and execution on industrial test suites. In particular, the features allow the user to install, in a logically sound way, alternative executable counterparts for logically-defined functions. These alternatives are often much more efficient than the logically equivalent terms they replace. We discuss several applications of these features.
... Our Quicksort implementation sorts its input according to the total order << on all ACL2 objects [5] defined in the book "books/misc/total-order". While the choice of this order is not critical for our implementation of Quicksort, the fact that the total order applies to all ACL2 objects does enable us to design a function that can be proved to sort arbitrary ACL2 objects without any assumption about their types. ...
Article
We present a proof of an efficient, in-place Quicksort implementation [1] using single-threaded objects (stobjs) in ACL2 [3, 4]. We demonstrate that the Quicksort implementation is equivalent to a simple insertion-sort function that is shown to produce an ordered permutation of its input. For ease of reasoning, the demonstration is carried out by verifying a series of "intermediate" sorting functions. The intermediate functions are equivalent to the efficient Quicksort implementation, but written in a more applicative style, and hence easier to reason about. We then decompose the proof into a verification of the equivalence of the ecient implementation with an intermediate implementation, and a proof of correctness of the intermediate implementation. We show how this decomposition allows us to simplify our reasoning about stobjs and obtain a cleaner proof of the implementation.
Article
We present a data definition framework that enables the convenient specification of data types in ACL2s, the ACL2 Sedan. Our primary motivation for developing the data definition framework was pedagogical. We were teaching undergraduate students how to reason about programs using ACL2s and wanted to provide them with an effective method for defining, testing, and reasoning about data types in the context of an untyped theorem prover. Our framework is now routinely used not only for pedagogical purposes, but also by advanced users. Our framework concisely supports common data definition patterns, e.g. list types, map types, and record types. It also provides support for polymorphic functions. A distinguishing feature of our approach is that we maintain both a predicative and an enumerative characterization of data definitions. In this paper we present our data definition framework via a sequence of examples. We give a complete characterization in terms of tau rules of the inclusion/exclusion relations a data definition induces, under suitable restrictions. The data definition framework is a key component of counterexample generation support in ACL2s, but can be independently used in ACL2, and is available as a community book.
Conference Paper
Inspired by Hoare's rule for recursive procedures, we present three proof rules for the equivalence between recursive programs. The first rule can be used for proving partial equivalence of programs; the second can be used for proving their mutual termination; the third rule can be used for proving the equivalence of reactive programs. There are various applications to such rules, such as proving equivalence of programs after refactoring and proving backward compatibility.
Article
Not available Electrical and Computer Engineering
Article
Full-text available
We show a macro for introducing operations on typed records. The underlying theorems proved about these records include what is proved about records introduced using the standard ACL2 record book [2], as well as an additional theorem about the type of the elements.
Article
We give a useful set of unconditional rewrite rules for reasoning about record structures, which are essentially finite functions. The problem, then, is to define functions for which these rules are true and then prove the rules. We begin with a series of definitions that attempt to satisfy these rules but fall short for various reasons. Then we give two solutions, one of which generalizes to other finite structures. The definitions of our access and update functions are somewhat subtle, complex, and ineffecient, but they return the expected values and the theorems exported are elegant and efficient for automatic, unconditional rewriting.
Book
Chapter
When people talk about “theorems” and “proofs” most of us either think of the elementary results of high school geometry, e.g., “If two distinct lines intersect, then they intersect in exactly one point,” or famous unsolved problems, such as Goldbach’s question, “Is there an even number greater than 2 that is not the sum of two primes?”.
Article
The axiom of choice is crucial not only in logic (set theory and model theory) but also in other modern disciplines as well such as point set topology, algebra, functional analysis, and measure theory. This chapter presents examples of fundamental theorems of abstract algebra and topology whose proofs use the axiom of choice. In some instances, the theorems are as strong as the axiom of choice—an example of a statement equivalent to the axiom of choice is the Tychonoff product theorem in point set topology. Some objections to the axiom of choice are based on the fact that the axiom has paradoxical consequences. The most famous example is Banach–Tarspkai paradox. The Banach–Tarspkai paradox states that using the axiom of choice, one can cut a ball into a finite number of pieces that can be so rearranged that one obtains two balls of the same size as the original ball. The chapter also sketches the proof of this paradox to show how the axiom of choice is used and that there is nothing paradoxical about this theorem.
Conference Paper
ACL2 is a first-order, essentially quantifier free logic of computable recursive functions based on an applicative subset of Common Lisp. It supports lists as a primitive data structure. We describe how we have formalized a practical finite set theory for ACL2. Our finite set theory “book” includes set equality, set membership, the subset relation, set manipulation functions such as union, intersection, etc., a choice function, a representation of finite functions as sets of ordered pairs and a collection of useful functions for manipulating them (e.g., domain, range, apply) and others. The book provides many lemmas about these primitives, as well as macros for dealing with set comprehension and some other “higher order” features of set theory, and various strategies or tactics for proving theorems in set theory. The goal of this work is not to provide “heavy duty set theory” - a task more suited to other logics - but to allow the ACL2 user to use sets in a “light weight” fashion in specifications, while continuing to exploit ACL2’s efficient executability, built in proof techniques for certain domains, and extensive lemma libraries.
Article
Experience has shown that large or multi-user interactive proof efforts can benefit significantly from structuring mechanisms, much like those available in many modern programming languages. Such a mechanism can allow some lemmas and definitions to be exported, and others not. In this paper we address two such structuring mechanisms for the ACL2 theorem prover: encapsulation and books. After presenting an introduction to ACL2, this paper justifies the implementation of ACL2's structuring mechanisms and, more generally, formulates and proves high-level correctness properties of ACL2. The issues in the present paper are relevant not only for ACL2 but also for other theorem-proving environments.
Article
We present an incremental refinement proof in ACL2 which demonstrates the reduction of the observable behaviors of a concurrent program to those of a much simpler program. In particular, we document the proof of correctness of a concurrent program which implements the operations of a double-ended queue in the application of a work-stealing algorithm. The demonstration is carried out by proving a refinement from the implementation to a specification via an intermediate model. We document the use of the intermediate model in dividing the verification problem into more manageable steps which in turn allow for more effective proof reductions in ACL2. In both steps, the more abstract system is allowed finite stuttering and this is important in correlating refinement proof with progress in the more concrete system.
ACL2 homepage. See URL http
• M Kaufmann
• J S Moore
M. Kaufmann and J. S. Moore. ACL2 homepage. See URL http://www.cs.utexas.edu/users/moore/acl2.
Defstructure for ACL2
• B Brock
B. Brock. Defstructure for ACL2, 1997. See URL http://www.cs.utexas.edu/-users/moore/publications/acl2-papers.html#Utilities.