Kaufmann, M. and J. Strother Moore. ACL2: an industrial strength version of Nqthm. Proc. 11th Annual Conf. on Computer Assurance, pp. 23-34, 1996.
....and proof strategy into mathematical logic, often a very tedious task. Our approach is to implement a simple proof checker where the results from specialized verification tools can be combined to produce a complete proof. Similar to theorem proving environments such as ACL2, HOL, ISABELLE or PVS [13, 10, 19, 18], a (backwards style) proof in our proof checker is represented as a sequence of proof states. A proof state in turn is implemented by an abstract data type, and consists essentially of a formula (the claim) a list of formulas (the pending obligations) as well as some book keeping information. ....
.... be used to discharge obligations, we also support proof rules where the justification of a proof step involves a non trivial amount of computation (rather than a fairly simple rewrite of an obligation). In contrast to the more traditional embedding of decision procedures such as in ACL2 or PVS [13, 18], our system encourages the development of domain specific decision procedures, allowing the controlled introduction of sound, but not formally verified reasoning into proofs. The system has been implemented in SML NJ [3]. The parameterization of the core checker is realized by its implementation ....
M. Kaufmann and J. S. Moore. ACL2: an industrial strength version of Nqthm. In Proc. 11th Annual Conference on Computer Assurance (COMPASS '96), pages 23--34. IEEE Computer Society Press, June 1996.
....Because of the high cost of design faults, theorem proving is already common in this area. Examples include the formal verification of a fault tolerant communication bus protocol [PSvH99, Pfe00] using PVS or the verification of tools for train borne control software systems [BT00] using ACL2 [KM96]. In case of the chip industry, design faults are expensive due to shortening time to market. A well known example is the bug in Intel's Pentium floating point unit [V. 95]. Despite the progress of symbolic Model Checking, state of the art microprocessors are still too complex for completely ....
Matt Kaufmann and J. S. Moore. ACL2: An industrial strength version of nqthm. In Proc. of the Eleventh Annual Conference on Computer Assurance, pages 23--34. IEEE Computer Society Press, 1996.
....(binary decision diagrams) [4, 17]. Velev and Bryant [24] verify a dual issue in order DLX with speculation by automating the Burch and Dill pipeline flushing approach. The function units are abstracted by means of uninterpreted functions. Theorem proving systems such as HOL [5], PVS [8] or ACL2 [13] do not suffer from the state space explosion problem. There has been much success in verifying complete, complex systems using theorem provers [2, 11, 22]. However, theorem proving systems involve much manual work. Recently, Clarke [3], McMillan [18, 19] and Dill et al. [1] apply classical ....
M. Kaufmann and J. Moore. ACL2: An industrial strength version of nqthm. In Proc. of the Eleventh Annual Conference on Computer Assurance, pages 23--34. IEEE, 1996.
....theorem proving, on the other hand, provides a greater confidence in the proven algorithm by systematically checking every detail of the algorithm. There are a number of formal verification studies on the floating point unit of industrial microprocessors. Moore et al. used the ACL2 theorem prover [KM96] to verify the microcode for the divide algorithm used in the AMD K5 processor [MLK98]. Russinoff later verified the microcode for the square root algorithms in the same processor [Rus99]. Our work is very similar to these works, as we verify the divide and square root algorithms that are encoded ....
Matt Kaufmann and J Strother Moore. ACL2: An industrial strength version of nqthm. In Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-34. IEEE Computer Society Press, June 1996.
....behavior of our pipelined design on speculative execution and exceptions. Using this model, we wrote an invariant condition that meets several requirements, and show that these requirements are strong enough to prove the correctness criterion. The proof has been carried out with the ACL2 theorem prover [9]. A brief proof sketch is given in Sect. 5. The verification of the invariant condition is in progress. 2 Hardware Specifications Our processor model has been specified at two levels: its micro architecture (MA) and its instruction set architecture (ISA). At the ISA level, we only describe the ....
M. Kaufmann, J S. Moore. ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS96) , pages 23-34 , IEEE Computer Society Press, June 1996.
....It has various features such as out of order issue and completion of instructions with Tomasulo's algorithm, speculative execution with branch prediction, precise handling of internal exceptions and external interrupts, and supervisor user modes. The FM9801 is formally specified in the ACL2 logic [KM96] at the instruction set architecture (ISA) level and the microarchitecture (MA) level. These formal definitions are publicly available along with the FM9801 verification scripts [Saw]. The ISA sequentially executes instructions. Its behavior is specified with function ISA step(ISA; intr) which ....
Matt Kaufmann and J Strother Moore. ACL2: An industrial strength version of nqthm. In Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23--34. IEEE computer Society Press, June 1996.
....an instruction is issued, it is guaranteed that no hazard will occur due to the instruction. The scheduling registers shown in Fig. 2 keep track of the instructions in the execution units, and the issuing logic refers to them when deciding whether it can issue an instruction. Using the ACL2 logic [2, 9], we have defined an ISA level next state function, ISA state step( as an instruction interpreter and a micro architectural next state function, micro state step( as a clock by clock cycle interpreter. The control of the pipeline is specified concretely, while the data path is specified with ....
M. Kaufmann, J S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS96) , pages 23-34 , IEEE Computer Society Press, June 1996.
....may add additional invariant conditions to S' until we can prove C. 4. Prove C for initial MA states. 5. Remove C from S' and add it to S. 6. Goto 3 if S' is not empty. 7. Return S. We carried out this process manually while proving each invariant condition C using the ACL2 theorem prover [7]. The set of conditions returned by the procedure satisfies the six requirements given above. This procedure is not an algorithm in a strict sense, because adding a new condition to set S' is done by hand. When we encounter a condition C that we are unable to prove from S' ∪ S, we have to ....
M. Kaufmann and J S. Moore. ACL2: An Industrial Strength Version of Nqthm. Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-34, IEEE Computer Society Press, June 1996.
....specification. This is arranged roughly to correspond to the order of presentation in [1]. Also, reading Maribila assumes some familiarity with C. Some Maribila specifications are executable via translation to an interpreted language called L4 for which an implementation exists in the ACL2 logic [3]. However, though the current specification passes the syntactic checks of the Maribila parser, it is not executable. Our model leaves some units undefined and uses some Maribila constructs which do not have L4 correlates. One of our goals is to extend and refine our model into an executable ....
J S. Moore and M. Kaufmann. ACL2: An industrial strength version of Nqthm. In Proceedings of COMPASS '96, June 1996.
....of an existing general purpose theorem prover adapted for use with ASTRAL. PVS was considered ideal for ASTRAL given its powerful typing system, higher order facilities, heavily automated decision procedures, and ease of use. Other theorem provers were also considered, including HOL [12] and ACL2 [15]. HOL does not have the usability of PVS and its decision procedures are not as powerful [11]. ACL2 is also not as usable as PVS and has limited or no support for arbitrary quantification and real numbers [20]. 3 PVS The Prototype Verification System (PVS) [8] is a powerful interactive theorem ....
Kaufmann, M. and J. Strother Moore. ACL2: an industrial strength version of Nqthm. Proc. 11th Annual Conf. on Computer Assurance, pp. 23-34, 1996.
....are verified using the theorem proving system PVS [2]. Related Work Recent papers show the correctness of complex designs or schedulers in theorem proving systems such as PVS. Hosabettu et al. [3] prove both safety and liveness of Tomasulo's algorithm using PVS. Sawada and Hunt [4] provide an ACL2 [5] proof of a complete design implementing a Tomasulo scheduler with reorder buffer. Henzinger et al. [6] verify a simple pipelined processor using a model checker. McMillan [7] partly automates the proof by refinement of Tomasulo's algorithm presented in [8] with the help of compositional model ....
Matt Kaufmann and J. S. Moore. ACL2: An industrial strength version of nqthm. In Proc. of the Eleventh Annual Conference on Computer Assurance, pages 23--34. IEEE Computer Society Press, 1996.
....the proofs, make sure that PVS version 2.3 is used. Related Work Recent papers show the correctness of complex designs or schedulers in theorem proving systems such as PVS. Hosabettu et al. [10] prove both safety and liveness of Tomasulo's Algorithm with PVS. Sawada and Hunt [17] provide an ACL2 [11] proof of a complete design implementing a Tomasulo scheduler with reorder buffer. Henzinger et al. [8] verify a simple pipelined processor with a model checker. McMillan [13] partly automates the proof presented in [6] with the help of compositional model checking. This technique is improved in ....
Matt Kaufmann and J. S. Moore. ACL2: An industrial strength version of nqthm. In Proc. of the Eleventh Annual Conference on Computer Assurance, pages 23--34. IEEE Computer Society Press, 1996.
....an implementation of a rich higher order logic, including predicate subtypes, and is notable for its excellent interactive environment, powerful integrated decision procedures and pragmatic approach to integrating model checking. It has not been widely applied to operational semantics. ACL2 [KM96]: ACL2 implements an integrated collection of rules for defining (or axiomatizing) recursive functions, stating properties of those functions, and rigorously establishing those properties. It is notable for its use of decision procedures, its pioneering use of rewriting, its underlying ....
Matt Kaufmann and J Strother Moore. ACL2: An industrial strength version of nqthm. In Compass'96: Eleventh Annual Conference on Computer Assurance, page 23, Gaithersburg, Maryland, 1996. National Institute of Standards and Technology.
....hand, are based on deductive techniques, typically have a very expressive specification language, provide different powerful abstraction mechanisms including the use of uninterpreted functions, and can handle generic implementation models. Notable examples of theorem provers include PVS [40], ACL2 [36] and HOL [20]. A disadvantage of theorem provers is that they typically require user guidance to accomplish the proof. One way to increase the automation in theorem provers is to rely on proof strategies that are centered on the use of decision procedures [39, 49] for certain theories (or their ....
Kaufmann, M., and Moore, J. S. ACL2: an industrial strength version of Nqthm. In Eleventh Annual Conference on Computer Assurance (June 1996), IEEE Computer Society Press, pp. 23-34.
....on some large case studies and explore the related issues of specification, automation, interaction. This has led to the three outlining constructs described in this paper. Some of the other systems that have most influenced our work are HOL [GM93], Isabelle [Pau94], PVS [COR 95] and Nqthm [KM96]. Many of the specification and automation techniques we utilize in Declare are derived from ideas found in the above systems. However, we do not use the proof description techniques from these systems (e.g. the HOL tactic language, or PVS strategies). 1.2 Declarative and Inferential Proof ....
Matt Kaufmann and J. Strother Moore. ACL2: An industrial strength version of Nqthm. COMPASS --- Proceedings of the Annual Conference on Computer Assurance, pages 23--34, 1996. IEEE catalog number 96CH35960.
....machine completes an instruction before starting another, it is easier to specify the effect of a single instruction with a sequential machine model than with a pipelined machine. The behavioral descriptions of the sequential and pipelined machines are given by executable ACL2 functions. ACL2 [13] is both an executable specification language and a theorem proving system, and it can be considered a next generation Boyer Moore theorem prover [1]. The ACL2 logic is a subset of Common Lisp. In the body of this paper, we do not use the Common Lisp style syntax, although the appendices ....
M. Kaufmann, J S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-34 , IEEE Computer Society Press, June 1996.
....an instruction is issued, it is guaranteed that no hazard will occur due to the instruction. The scheduling registers shown in Fig. 2 keep track of the instructions in the execution units, and the issuing logic refers to them when deciding whether it can issue an instruction. Using the ACL2 logic [2, 9], we have defined an ISA level next state function, ISA state step( as an instruction interpreter and a micro architectural next state function, micro state step( as a clock by clock cycle interpreter. The control of the pipeline is specified concretely, while the data path is specified with ....
M. Kaufmann, J S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS96) , pages 23-34 , IEEE Computer Society Press, June 1996.
....pipeline correctness diagram can be easily extended to our second example machine, even if the machine performs speculative execution and out of order execution. We successfully verified the diagrams for this machine using our methodology. The proof was mechanically checked by the ACL2 theorem prover [10]. The major difficulty in this verification exercise was proving the properties about out of order and speculative execution. The clarity of the instruction table in expressing abstract concepts greatly helped us to verify their correctness. With respect to the pipeline control logic, this example ....
M. Kaufmann, J S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-34 , IEEE Computer Society Press, June 1996.
.... for digital signal processing [6]. Other verifications involve a stack of verified systems [2], an operating system kernel [1], code for simple real time systems [18] and floating-point microcode [6, 15]. Each of these projects employed the theorem proving system Nqthm [3] or its successor ACL2 [8]. The logics supported by Nqthm and ACL2 are weaker than that supported by PVS: they do not conveniently support higher order functions and quantification. The style of proof encouraged by the theorem proving system is also quite different: Nqthm and ACL2 provide several automatic proof techniques ....
Matthew Kaufmann and J S. Moore. ACL2: An industrial strength version of Nqthm. In Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-- 31, June 1996.
....correct compiler executable. The subset ComLisp of Common Lisp has been carefully selected as a bootstrapping kernel, as both source and implementation language. Its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer Moore prover ACL2 [16, 21]. This links mechanical program correctness proofs to the work described here [3, 6], allowing for partial correctness proofs of executable programs. We have implemented the ComLisp compiler as a ComLisp program. The complete compiler has been bootstrapped successfully as executable machine ....
J S. Moore and M. Kaufmann. ACL2: An industrial strength version of Nqthm. In Proceedings of COMPASS '96, June 1996.
....correct compiler executable. The subset ComLisp of Common Lisp has been carefully selected as a bootstrapping kernel, as both source and implementation language. Its applicative part (the pure functional sub language of ComLisp) also coincides with the logic of the new Boyer Moore prover ACL2 [16, 19]. This links mechanical program correctness proofs to the work described here [5], allowing for partial correctness proofs of executable programs. We have implemented the ComLisp compiler as a ComLisp program. The complete compiler has been bootstrapped successfully as executable machine program ....
J S. Moore and M. Kaufmann. ACL2: An industrial strength version of Nqthm. In Proceedings of COMPASS '96, June 1996.
No context found.
Kaufmann, M. and J. Strother Moore. ACL2: an industrial strength version of Nqthm. Proc. 11th Annual Conf. on Computer Assurance, pp. 23-34, 1996.
No context found.
M. Kaufmann and J. S. Moore. ACL2: An industrial strength version of Nqthm. In Proceedings of the 11th Annual Conference on Computer Assurance (COMPASS-96), pages 23-34, June 1996.
No context found.
M. Kaufmann and J.S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proc. 11th Ann. Conf. Computer Assurance, COMPASS-96, IEEE Computer Society Press, June 1996, pp. 23-34.
No context found.
M. Kaufmann, J S. Moore, ACL2: An Industrial Strength Version of Nqthm, Proceedings of the Eleventh Annual Conference on Computer Assurance (COMPASS-96), pages 23-34 , IEEE Computer Society Press, June 1996.