# Warren A. Hunt's research while affiliated with University of Texas at Austin and other places

**What is this page?**

This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

## Publications (53)

JTAG, an IEEE-standard test protocol, is widely used for testing commercial and experimental CMOS chips but appears unused for testing superconducting chips. The test-access-port (TAP) controller described here facilitates the use of JTAG to reduce the cost – in time and effort – of testing superconductive circuits. Our RSFQ-based TAP controller sh...

We present means to initialize, to propagate, and to examine states in an RSFQ circuit that are useful for design as well as for functional test and analysis. Our RSFQ test strategy distinguishes states by the information they carry from computation to computation, and saves costs by ignoring information-free states. To start, stop, and stall opera...

We have developed an algorithm, S-C-Rewriting, that can automatically and very efficiently verify arithmetic modules with embedded multipliers. These include ALUs, dot-product, multiply-accumulate designs that may use Booth encoding, Wallace-trees, and various vector adders. Outputs of the target multiplier designs might be truncated, right-shifted...

The automatic formal verification of multiplier designs has been pursued since the introduction of BDDs. We present a new rewriter-based method for efficient and automatic verification of signed and unsigned integer multiplier designs. We have proved the soundness of this method using the ACL2 theorem prover, and we can verify integer multiplier de...

Self-timed circuits can be modeled in a link-joint style using a formally defined hardware description language. It has previously been shown how functional properties of these models can be formally verified with the ACL2 theorem prover using a scalable, hierarchical method. Here we extend that method to parameterized circuit families that may hav...

This paper presents a methodology for formally verifying the functional correctness of self-timed circuits whose data flows are free of feedback loops. In particular, we formalize the relationship between their input and output sequences. We use the DE system, a formal hardware description language built using the ACL2 theorem-proving system, to sp...

Formal verification of asynchronous circuits is known to be challenging due to highly non-deterministic behavior exhibited in these systems. One of the main challenges is that it is very difficult to come up with a systematic approach to establishing invariance properties, which are crucial in proving the correctness of circuit behavior. Non-determ...

The ACL2 theorem prover has seen sustained industrial use since the mid-1990s. Companies that have used ACL2 regularly include AMD, Centaur Technology, IBM, Intel, Kestrel Institute, Motorola/Freescale, Oracle and Rockwell Collins. This paper introduces ACL2 and focuses on how and why ACL2 is used in industry. ACL2 is well-suited to its industrial...

Satisfiability (SAT) solvers—and software in general—sometimes have serious bugs. We mitigate these effects by validating the results. Today’s SAT solvers emit proofs that can be checked with reasonable efficiency. However, these checkers are not trivial and can have bugs as well. We propose to check proofs using a formally verified program that ad...

Clausal proofs have become a popular approach to validate the results of SAT solvers. However, validating clausal proofs in the most widely supported format (DRAT) is expensive even in highly optimized implementations. We present a new format, called LRAT, which extends the DRAT format with hints that facilitate a simple and fast validation algorit...

Construction of a formal model of a computing system is a necessary practice in formal verification. The results of formal analysis can only be valued to the same degree as the model itself. Model development is error-prone, not only due to the complexity of the system being modeled, but also because it involves addressing disparate requirements. F...

Clausal proofs have become a popular approach to validate the results of SAT solvers. However, validating clausal proofs in the most widely supported format (DRAT) is expensive even in highly optimized implementations. We present a new format, called LRAT, which extends the DRAT format with hints that facilitate a simple and fast validation algorit...

We formalize some basic properties of Fourier series in the logic of ACL2(r), which is a variant of ACL2 that supports reasoning about the real and complex numbers by way of non-standard analysis. More specifically, we extend a framework for formally evaluating definite integrals of real-valued, continuous functions using the Second Fundamental The...

An effective SAT preprocessing technique is the addition of symmetry-breaking predicates: auxiliary clauses that guide a SAT solver away from needless exploration of isomorphic sub-problems. Symmetry-breaking predicates have been in use for over a decade. However, it was not known how to express the addition of these predicates in proofs of unsatis...

Several proof formats have been used to verify refutations produced by satisfiability (SAT) solvers. Existing formats are either costly to check or hard to implement. This paper presents a practical approach that facilitates checking of unsatisfiability results in a time similar to proof discovery by embedding clause deletion information into claus...

The DRAT-trim tool is a satisfiability proof checker based on the new DRAT proof format. Unlike its predecessor, DRUP-trim, all presently known SAT solving and preprocessing techniques can be validated using DRAT-trim. Checking time of a proof is comparable to the running time of the proof-producing solver. Memory usage is also similar to solving m...

Conflict-driven clause learning (CDCL) satisfiability solvers can emit more than a satisfiability result; they can also emit clausal proofs, resolution proofs, unsatisfiable cores, and Craig interpolants. Such additional results may require substantial modifications to a solver, especially if preprocessing and inprocessing techniques are used; howe...

We present a mechanically-verified proof checker developed with the ACL2 theorem-proving system that is general enough to support the growing variety of increasingly complex satisfiability (SAT) solver techniques, including those based on extended resolution. A common approach to assure the correctness of SAT solvers is to emit a proof of unsatisfi...

In order to take best advantage of modern multi-core systems, interactive theorem provers need to parallelize execution effectively. We describe our modification to a particular theorem prover, ACL2, to use parallel execution automatically in its proof process. Since the ACL2 prover is written primarily in the ACL2 programming language, our approac...

Modern SAT solvers use preprocessing and inprocessing techniques that are not solely based on resolution; existing unsatisfiability proof formats do not support SAT solvers using such techniques. We present a new proof format for checking unsatisfiability proofs produced by SAT solvers that use techniques such as extended resolution and blocked cla...

The validation and application of formal processor models benefits fundamentally from both efficient execution and automated reasoning about the models. We present a memory model written in the ACL2 logic, with both reasoning support and a runtime environment, that accomplishes these objectives. Our memory model provides a space-efficient implement...

Recent work demonstrates that interactive ray tracing is possible on desktop systems, but there is still much debate as to how to most efficiently support advanced visual effects such as soft shadows, smooth freeform surfaces, complex shading, and animated scenes. With these challenges in mind, we reconsider the options for designing a rendering sy...

In recent years, leading microprocessor companies have made huge investments to improve the reliability of their products. Besides expanding their validation and CAD tools teams, they have incorporated formal verification methods into their design flows. Formal verification (FV) engineers require extensive training, and FV tools from CAD vendors ar...

A key problem in applications such as soft shadows and defocus blur is to identify points or primitives which are inside a volume of space. For example, the soft shadow computation involves finding surfaces which pass in front of an area light as viewed from a point p in the scene. The desired surfaces are those which are inside a frustum defined b...

We describe the formal methodology we are using to verify components of a commercial 64-bit, x86-compatible microprocessor design at Centaur Technology. This methodology is based on the ACL2 theorem prover. In this methodology, we mechanically translate the RTL design into a formal HDL for which we have an interpreter in ACL2. We use AIG-and BDD-ba...

Ray tracing has long been a method of choice for off-line rendering, but traditionally was too slow for interactive use. With faster hardware and algorithmic improvements this has recently changed, and real-time ray tracing is finally within reach. However, real-time capability also opens up new problems that do not exist in an off-line environment...

Monte Carlo ray tracing remains a simple and elegant method for generating robust shadows. This approach, however, is often hampered by the time needed to evaluate the numerous shadow ray queries required to generate a high-quality image. We propose the use of volumetric occluders stored within a kd-tree in order to accelerate shadow rays cast on a...

We have verified floating-point addition/subtraction instructions for the media unit from Centaur’s 64-bit, X86-compatible microprocessor. This unit implements over one hundred instructions, with the most complex being floating-point addition/subtraction. This media unit can add/subtract four pairs of floating-point numbers every clock cycle with a...

We have created an experimental extension to ACL2 that provides a means to symbolically evaluate ACL2 expres-sions. This modified implementation can be used to compute the 'general' application of an ACL2 function to generalized data. In particular, we use uBDDs to represent functions from Boolean variables to finite sets of ACL2 objects, and for g...

We introduce a straightforward, robust, and efficient algorithm for rendering high-quality soft shadows in dynamic scenes. Each frame, points in the scene visible from the eye are inserted into a spatial acceleration structure. Shadow umbrae are computed by sampling the scene from the light at the image plane coordinates given by the stored points....

This paper discusses four primitives supporting parallel eval-uation for a functional subset of LISP, specifically that subset supported by the ACL2 theorem prover. These primitives can be used to provide parallel execution for functions free from side effects without considering race conditions, deadlocks, and other common parallelism pitfalls. We...

The surface area heuristic is the standard method for producing high quality acceleration structures for ray-tracing. High quality acceleration structures minimize per-ray costs for ray-tracing and thus rendering times. However, the metric used by the surface area heuristic makes several assumptions that do not hold in practice. Much work has been...

The key to efficient ray tracing is the use of effective acceleration data structures. Traditionally, acceleration structures have been constructed under the assumption that rays approach from any direction with equal probability. However, we observe that for any particular frame the system has significant knowledge about the rays, especially eye r...

Traversal efficiency of ray tracing acceleration structures can be improved by specializing them, each frame, for the rays that are traced in that frame. A companion paper to this one demonstrates that extremely high traversal performance for eye and hard shadow rays can be obtained by transforming rays and geometry with a perspective transform, th...

In this paper we show how to use structural information about a scene such as is contained in a scene graph to build SAH-based acceleration structures more efficiently. We provide a general method for doing so together with asymptotic analyses for both standard and lazy variants of our method. In particular, we show bounds of O(n) for full k-d tree...

A link between the ACL2 and HOL4 proof assistants is described. This allows each system to be deployed smoothly within a single formal development. Several applications are being considered: using ACL2's execution environment for simulating HOL models; using ACL2's proof automation to discharge HOL proof obligations; and using HOL to specify and ve...

Construction of effective acceleration structures for ray tracing is a well studied problem. The highest quality acceleration structures are generally agreed to be those built using greedy cost optimization based on a surface area heuristic (SAH). This technique is most often applied to the construction of kd-trees, as in this work, but is equally...

Abstract We have developed,a formal verification approach,that permits the mechanical,verification of circuit generators and hardware,optimiza- tion procedures, as well as existing hardware designs. Our approach is based on deeply embedding,the DE2 HDL into the ACL2 logic [3]; we use the ACL2 theorem-proving,system,to verify the circuit gen- erator...

We describe a semantically coherent link between HOL, the higher-order logic supported by the HOL4 proof assistant, and the first order logic supported by ACL2. The key idea is to define a theory of s-expressions in HOL which contains definitions of the ACL2 primitive constants and functions. This theory is an intermediate layer that serves as a st...

To the few people who believed I could do it even when I myself didn’t Acknowledgments This dissertation has been shaped by many people, including my teachers, collabo-rators, friends, and family. I would like to take this opportunity to acknowledge the influence they have had in my development as a person and as a scientist. First and foremost, I...

State-OK (s ) -> Int (s , n) = Map (Int (Map (s ), k)). A A A C A Figure 1 illustrates this theorem. The theorem says that given an initial legal abstract state s as defined by A -1 Abstract-State-OK, and time n, there exists a time k such that Map of the concrete interpreter result is identical to the final state reached by the abstract interprete...

this document are those of the author(s) and

Exposing and exploiting instruction-level parallelism (ILP) is a key component of high perfor-mance for modern processors. For example, wide-issue superscalar, VLIW, and dataflow processors only attain high performance when they execute nearby instructions in parallel. This paper shows how to use and modify the Huffman coding tree weight minimizati...

We present two preliminary formalizations of router networks, both expressed in the logic of the ACL2 theorem prover. One formalization focuses on connectivity requirements by formalizing validity, visibility, and a trivial example routing policy, and demonstrates the ability to execute specifications. The other formalization focuses on network sec...

We develop a framework for mechanized certification of secure hardware systems built out of commercial off-the-shelf (COTS) components purchased from untrusted vendors. Certification of secure systems requires the interaction between designers, consumers, and regulatory evaluators to guarantee that the fabricated system satisfies the requisite safe...

We are developing analysis and verication mechanisms for models com- posed of hierarchically specied, cooperating nite-state machines (FSM) inter- operating with continuous physical systems modeled by dierential equations. Validation of such hybrid systems is generally well beyond simulation tech- niques and often beyond analytical techniques, both...

## Citations

... Approaches based on satisfiability checking (SAT) do not scale [3]. Recently, progress has been made using theorem provers [39]. However, the multipliers have to be given as hierarchical SVL netlists, which rely on preservation of information of the circuits. ...

... Other formal techniques in the literature range from verification of hazardfreedom (e.g., [4]) and deadlock-freedom (e.g., [5]), to more general notions of equivalence between gate level implementations, handshaking-level specifications [6][7][8][9], and abstract asynchronous communication primitives [10]. Several researchers focus on verifying general properties of asynchronous designs using model checkers [11][12][13] and proof assistants, including ACL2 [14,15]. This paper makes several key contributions. ...

... We use ACL2 [1], [2], [3] to model self-timed circuits at the gate level and to verify that those models exhibit specified functional properties. We build on our previous work [4] that demonstrated a hierarchical approach to support efficient, scalable proof, including support for substitution of functionally equivalent submodules without the need to rework proofs. In this paper we extend that methodology to circuits that may be parameterized by data width, contain loops, and/or provide non-deterministic outputs. ...

... We have chosen the link-joint model as the basis for our ACL2 formalization of self-timed circuits and systems. That model, originally proposed by Roncken et al. [5], [6], is a universal generalization for a number of self-timed circuit models (e.g., Click [7], Mousetrap [8], Micropipeline [9], and GasP [10]). The link-joint model of self-timing manages communication locally via links on an individual joint-to-joint basis. ...

... Unrolling the circuit to capture its behavior, in this case, is not straightforward. Formal analysis of such fully asynchronous circuits is a topic of ongoing research [20] and outside the scope of this paper. ...

... There is a large body of work in software verification with ACL2, where Moore stresses the fact that even hardware verification is software verification in ACL2 as it reduces to the verification of Common Lisp functions [141]. Hunt et al emphasizes that the success of using ACL2 in verification comes from the fact that the user base is mostly industrial and cohesive, and the goal of the project is to make hardware/software verification practical [99]. In this paper, its weakness is reported as it is incovenient as a scripting language, some parts are inefficient, and that it does not have a GUI, but not the lack of strong typing or explicit quantifiers, partial or higher order functions. ...

... The associated DRAT format [55] combines clause addition based on RAT steps and clause deletion. Independent checking tools can validate proofs in the DRAT format; they have been used to check the results of the SAT competitions since 2014 [55] and in industry [20]. Enriching DRAT proofs with hints is the main technique for developing efficient verified proof checkers, e.g., existing verified checkers use the enriched proof formats LRAT [10] and GRAT [39]. ...

... Independent checking tools can validate proofs in the DRAT format; they have been used to check the results of the SAT competitions since 2014 [55] and in industry [20]. Enriching DRAT proofs with hints is the main technique for developing efficient verified proof checkers, e.g., existing verified checkers use the enriched proof formats LRAT [10] and GRAT [39]. ...

... Previous work has developed hand-written sequential semantics for some aspects of address translation in Arm [58,60,59,61,44,38,41] and x86 [34,35,29,63], but these are at best lightly validated formalisations, and there is no well-validated relaxed-memory concurrency semantics of virtual memory. In the absence of that (and of proof techniques above it), previous OS and hypervisor verification work, e.g. on seL4, CertiKOS, KCore, Hyper-V, the PROSPER hypervisor, and SeKVM [25,40,37,44,11,38,43,62] has had to make major simplifying assumptions, either assuming correctness of TLB management and a single-threaded setting (seL4), or assuming sequentially consistent concurrency with one of those hand-written sequential semantics, or assuming an extended notion of data-race-freedom (we return to the related work in §9). ...

... While formal verification of solvers is typically impractical, trust in a solver's output can be established by having it generate a proof trace that can be externally validated. This is already standard in SAT solving with the DRAT proof system [39], for which even formally verified checkers are available [15]. A key requirement for standard proof formats like DRAT is that they simulate all current and emerging proof techniques. ...

Reference: Towards Uniform Certification in QBF