Design Goals for ACL�
Matt Kaufmann and J Strother Mo ore
Technical Rep ort ��� August� ����
Computational Logic� Inc�
���� West Sixth Street� Suite ���
Austin� Texas ����������
TEL� �� ��� ��� ����
FAX� �� ��� ��� ����
EMAIL� kaufmann�cli�com and mo ore�cli�com
This work was supp orted in part at Computational Logic� Inc�� by the Defense
Advanced Research Pro jects Agency� ARPA Order ����� The views and con�
clusions contained in this do cument are those of the author�s� and should not
b e interpreted as representing the o�cial p olicies� either expressed or implied�
of Computational Logic� Inc�� the Defense Advanced Research Pro jects Agency
or the U�S� Government�
Design Goals for ACL� �
CLI Technical Rep ort ����
Abstract
ACL� is a theorem proving system under development at Computational Logic�
Inc�� by the authors of the Boyer�Mo ore system� Nqthm� and its interactive en�
hancement� Pc�Nqthm� based on our p erceptions of some of the inadequacies of
Nqthm when used in large�scale veri�cation pro jects� Foremost among those in�
adequacies is the fact that Nqthm�s logic is an ine�cient programming language�
We now recognize that the e�ciency of the logic as a programming language is
of great imp ortance b ecause the mo dels of micropro cessors� op erating systems�
and languages typically constructed in veri�cation pro jects must b e executed
to corrob orate them against the realities they mo del� Simulation of such large
scale systems stresses the logic in ways not imagined when Nqthm was designed�
In addition� Nqthm do es not adequately supp ort certain pro of techniques� nor
do es it encourage the reuse of previously develop ed libraries or the collab oration
of semi�autonomous workers on di�erent parts of a veri�cation pro ject� Finally�
Nqthm is implemented in an informally sp eci�ed programming language �Com�
mon Lisp� and hence is not sub ject to mechanical veri�cation� ACL� is our
resp onse to these p erceived inadequacies� While the logic of Nqthm is based
on pure Lisp� the logic of ACL� is based on the applicative subset of Common
Lisp� By adding to the applicative subset of Common Lisp a single�threaded
notion of state� fast applicative arrays and prop erty lists� and e�ciently im�
plemented multiple values� an e�cient and practical applicative programming
language is pro duced� By axiomatizing the primitives and intro ducing appro�
priate rules of inference and extension principles� that language can b e turned
into a logic� A premise of the ACL� Pro ject is that the Nqthm pro of heuristics
allow the mechanization of the discovery of pro ofs in the ACL� logic with the
same degree of success that Nqthm has for its logic� The ACL� system may
b e viewed as an extended re�implementation of Nqthm for extended applicative
Common Lisp� ACL� is written using the logic it supp orts� It provides all of
Nqthm�s pro of techniques �except those for V�C��� as well as several that Nqthm
do es not provide� including forward chaining and congruence�based rewriting�
An incremental data base extension facility� based on hierarchically structured
�b o oks� and several scoping mechanisms� is provided to address the problems
of reusability and collab orative pro of e�orts� We discuss the inadequacies of
Nqthm motivating the design of ACL�� we brie�y describ e the ACL� logic� the�
orem prover� interface� implementation� and some applications� and we discuss
some of our concerns and misgivings ab out the current design� Because ACL�
is not yet ready for public distribution� we make no claims as to its sup eriority
to Nqthm or other theorem proving systems�
� Disclaimer
ACL� is b eing develop ed by Rob ert S� Boyer� Matt Kaufmann� and J Strother
Mo ore� at Computational Logic� Inc� �CLI�� It is the intention of the authors
�
and CLI to release ACL� for public use� without fee� when its reliability and
do cumentation are up to our standards� Those levels have not yet b een reached�
To our colleagues who wish to try out ACL� for themselves� we ap ologize and
ask for their continued patience� Visitors to CLI are welcome to use it� but we
do not want preliminary versions �oating around the net�
If geographical exploration is taken as a metaphor for theorem proving re�
search� then the present pap er should b e read merely as a scouting rep ort of
where we are headed and why� It should not b e taken as a recommendation
that anyone follow our trail� much less as an advertisement to buy parcels of
the land we have surveyed�
Because of his role in the ongoing development of ACL�� it would have b een
entirely appropriate for Boyer to b e a co�author of this pap er� He declined for
fear of seeming hyp o critical after his recent exhortations to the ATP community
not to publish pap ers ab out theorem proving systems unavailable for public
scrutiny� We supp ort his p osition when the pap er in question claims that the
describ ed system has b een found empirically to b e sup erior to existing systems�
We make no such claims ab out ACL� in this pap er�
� Mathematical Mo deling of Digital Systems
The mathematics of computation was identi�ed in the �����s by the collective
work of Church� Kleene and Turing� They established that recursive functions
can b e used to mo del digital computation� By op erating within a logical frame�
work� deductions ab out computational mo dels can b e carried out formally� By
mechanizing the formal logic� one can assist the human user in the pro of dis�
covery pro cess as well as eliminate logical errors from conjectures and pro ofs�
Following the way mathematics is generally used in engineering� system ver�
i�cation pro ceeds in three steps� First� a formal mo del of the desired digital
system is constructed� Second� the mo del is corrob orated� usually by execut�
ing it on concrete test data� to con�rm that it exhibits the desired b ehavior on
some �nite set of tests� Often these �rst two steps are iterated until the mo del is
deemed a suitably accurate sp eci�cation of the requirements� Finally� theorems
are proved ab out the mo del to establish some of the interesting prop erties of the
mo deled system� Since the state space of mo dels of digital systems is often ex�
ceedingly large or even in�nite �in the case of some higher�level sp eci�cations��
pro of is often the only practical means of con�rming prop erties of a mo del�
In our work� we use a logic based on recursive functions� In the �rst step�
ab ove� we exploit the fact that recursive functions can mo del any computation�
In the second we exploit the fact that recursive functions can b e executed� In the
third we exploit the fact that recursive functions can b e emb edded in a logical
framework so as to provide formal �and hence machine�checkable� notions of
deduction and pro of�
Our mo dels usually take the form of abstract machines de�ned as recursive
Design Goals for ACL� �
CLI Technical Rep ort ����
functions in the formal logic� Generally sp eaking� these functions take two in�
puts� a �state� and some �signals� that impinge up on the machine over �time��
Such an abstract machine returns the �nal state of the machine after pro cessing
all of the signals� It do es this by �stepping� through a sequence of states� each
successive state b eing obtained by applying the machine�s �step function� to
the current state and the signal �if any� that arrives at that �time��
Such machines are commonly used as formalizations of programming lan�
guages� However� they have also b een used to mo del other asp ects of the digital
systems problem� including hardware description languages� op erating systems�
concurrent programs� physical systems interacting with digital ones� and re�
quirements mo deling�
� Nqthm� The Prototyp e of ACL�
To de�ne abstract machines formally and reason ab out them� one must have a
mathematical logic that provides inductively constructed ob jects such as num�
b ers� sequences� and trees� and principles of recursive de�nition and inductive
pro of� The �Nqthm� system� develop ed by Boyer and Mo ore� provides such a
logic and a mechanized theorem prover for it ��� ���� Nqthm is widely used in
the formal mo deling of digital systems� Nqthm is well known for its robustness
and the extensive b o dy of veri�cation work done with it�
However� for the past �ve years the two authors and Rob ert S� Boyer have
b een developing a new logic and theorem prover� called �ACL��� ACL� has
adopted �and often attempted to improve� almost all of the ideas b ehind Nqthm�
ACL� was designed to correct the �aws uncovered by two decades of use of
Nqthm� Those �aws primarily concern the scale of the pro jects to b e undertaken
with the system�
Because Nqthm is the prototyp e of ACL�� we b egin our discussion of ACL�
by brie�y reviewing Nqthm and some of its applications and �aws�
��� The Nqthm System
The Nqthm logic is a �rst order� quanti�er�free logic resembling pure Lisp� The
logic provides for the schematic intro duction of new inductively de�ned data
typ es� mathematical induction on the ordinals up to � � the de�nition of total
0
recursive functions� and the witnessed constraint of new function symb ols cou�
pled with a derived rule of functional instantiation giving the logic some of the
features of a higher�order logic� In addition� the logic provides an axiomatiza�
tion of a nonconstructive function� V�C�� which is an interpreter for the logic
and allows the intro duction of any partial recursive function� See ���� �� for
details�
The mechanization of the Nqthm logic is a system of Common Lisp programs
allowing the user to de�ne functions in the logic� execute them on concrete
�
data� and state and prove theorems ab out such functions� The user interface
to Nqthm is the Common Lisp read�eval�print lo op� Common Lisp forms are
typ ed to de�ne functions in the logic� invoke the theorem prover� etc� A sp ecial
environment is provided in which forms in the logic may b e executed� The
Nqthm theorem prover uses a variety of pro of techniques� e�g�� simpli�cation
and induction� These techniques are sensitive to rules in a data base� Hundreds
of heuristics orchestrate the application these rules� An interactive pro of checker
for Nqthm� called �Pc�Nqthm� has also b een develop ed ���� ����
Imp ortant to Nqthm�s success has b een the fact that when a new user�
supplied theorem is proved� rules are derived from it and stored in its data
base� these rules change the way the system b ehaves� By stating an appro�
priate collection of lemmas the user can e�ectively program Nqthm to prove
theorems in a given domain� A well chosen sequence of lemmas can lead Nqthm
to the pro ofs of very deep theorems� Target theorems can often b e changed
and �re�proved� automatically b ecause pro of scripts tend to describ e p owerful
and general�purp ose rules for manipulating the concepts rather than particular
pro ofs� That is� the user programs Nqthm to deal with the concepts and ex�
p ects Nqthm to �ll in the gaps b etween application�sp eci�c lemmas describing
the pro of at a high level� This makes it easy to �maintain� an evolving sys�
tem of de�nitions and theorems if the system was initially veri�ed with Nqthm�
That� in turn� has allowed Nqthm to accumulate a vast quantity of b enchmark
theorems�
The latest version of Nqthm� named �Nqthm������� was released in �����
A companion �Pc�Nqthm������ was also released� To obtain Nqthm������ con�
nect to Internet site ftp�cli�com by anonymous ftp� giving your email address
as the password� �get� the �le �pub�nqthm�nqthm������README� and follow the
instructions therein� �Analogous instruction apply to Pc�Nqthm������� Nqthm
is do cumented in two b o oks ��� ���� and Pc�Nqthm is do cumented in ���� ��� ����
Both systems and many of their applications are brie�y describ ed in ���� A de�
tailed tutorial intro duction to Nqthm and Pc�Nqthm may b e found in ����� The
recent Nqthm����� release includes ��� megabytes of up dated do cumentation
consisting of new versions of the �ve most imp ortant chapters in ����� In addi�
tion� the releases include more than �� megabytes of example input for Nqthm
and Pc�Nqthm� including most of the imp ortant b enchmarks listed b elow�
��� Some of Nqthm�s Applications
Space do es not allow even a brief but exhaustive summary of theorems proved
with Nqthm� we therefore only describ e a few� The theorems alluded to b elow
were selected to illustrate the expressivity� �exibility� and p ower of Nqthm to
deal with digital systems and the related mathematics� Why do we dwell on
Nqthm�s successes when we are here interested in its �aws� The relative weak�
ness of Nqthm�s quanti�er�free� �rst order logic could b e regarded as a �aw to b e
corrected but we cite these examples to establish the fact that the expressivity
Design Goals for ACL� �
CLI Technical Rep ort ����
of the logic is not a serious b ottleneck�
� Mathematics for Computation Among the well�known Nqthm b ench�
marks are Gauss� law of quadratic recipro city ���� and G�odel�s incom�
pleteness theorem for Sho en�eld�s �rst order logic extended with Cohen�s
axioms for hereditarily �nite set theory� Z�� ����� The �rst illustrates
Nqthm�s use in deep reasoning ab out integers� p erhaps the most com�
monly used mathematical construct in computing� The second illustrates
Nqthm�s use in mo deling other formal systems� a capability that has often
b een exploited to use Nqthm to do pro ofs �in� other computational log�
ics� Nqthm has proved the soundness and completeness of a prop ositional
calculus decision pro cedure ���� the Turing completeness of pure Lisp �����
the Church�Rosser theorem for lamb da calculus ����� and the soundness
of the pro of rules of Misra and Chandy�s Unity logic ���� ����
� System Veri�cation Perhaps most representative of digital systems ver�
i�cation is the now classic example� the �CLI short stack�� which com�
bines b oth hardware and software veri�cation� The short stack consists of
a chain of abstract machines starting with a micropro cessor �the FM�����
describ ed at the gate�level and ending with an op erational semantics for
a simple high�level programming language �Micro�Gypsy�� Between each
pair of machines in this chain is an Nqthm function implementing the
higher machine on the lower one� At the highest level the implementing
function is a ��cross��compiler�� as one descends the implementing func�
tion is called an �assembler�� a �linker� and eventually a �downloader��
Nqthm has done the pro ofs necessary to establish that each higher�level
machine is correctly implemented on the next lower�level machine� Be�
cause of the constructive nature of the Nqthm logic� the statement of each
such theorem involves the de�nition of a �clo ck function� which calculates
the numb er of low�level steps necessary to carry out a given numb er of
high�level steps� Nqthm has also done the pro ofs necessary to �glue� these
results together� Thus� assuming the soundness of the Nqthm theorem
prover and the correctness of our mo dels� it is known with mathemati�
cal certainty that the results of any given Micro�Gypsy program on any
given data can b e computed by running the micropro cessor on the result
of compiling� assembling� linking� and downloading the initial high�level
program and data� Furthermore� the clo ck functions can b e comp osed
so that it is p ossible to say how many micro cycles are necessary to do a
given high�level computation� This work consumed several man years and
is describ ed in ����
� Hardware Veri�cation and System Maintenance Since the publi�
cation of the short stack work� CLI has designed� veri�ed� and fabricated
another micropro cessor� called the FM���� ����� This involved formaliz�
ing the NDL hardware description language ���� of LSI Logic Inc�� and
�
verifying that a certain collection of NDL hardware mo dules implemented
a formally describ ed machine language� In what we regard as a signi�cant
demonstration of Nqthm�s ability to supp ort the maintenance of veri�ed
systems� the CLI short stack was p orted to the FM���� in less than one
man�week by retargetting the assembler and linker from the FM���� to
the FM���� and then �re��verifying them� We say ��re��verifying� b ecause
the theorems proved had not actually b een proved b efore but were merely
analogous to those proved in the FM���� work� This required relatively
minor mo di�cation of the pro of scripts develop ed for the FM���� and
relied up on Nqthm�s theorem prover to �ll in the gaps�
� Software A substantial subset of the MC������ a widely used micropro�
cessor built by Motorola� has b een formalized within Nqthm� Roughly
��� of the user available instructions were formalized� �Most of the re�
maining instructions have unde�ned e�ects on the machine state�� All
eighteen MC����� addressing mo des were formalized� Using this formal
description of the machine it is p ossible to analyze formally the b ehavior
of given MC����� ob ject co de programs� Consider� for example� the C
program
isqrt�int i�
�
int j�
j � �i � ���
while ��i � j� � j�
j � �j � �i � j�� � ��
return �j��
�
which computes the integer square ro ot of a given nonnegative integer� By
compiling this program with the Gnu C compiler� gcc �O� one may obtain
MC����� ob ject co de� One can then state and prove the theorem that
if a suitably con�gured MC����� is executed a certain numb er of steps
starting from an invo cation of the isqrt ob ject co de on suitable input�
i� the result left in D� is the greatest integer whose square is less than or
equal to i� In addition� one can prove that execution pro ceeds without
error and that the �nal machine state is suitable for continued execution
�e�g�� A�� used by LINK� is unchanged��
The correctness of MC����� ob ject co de programs for binary search�
Hoare�s Quick Sort� and some other well known algorithms have b een
mechanically checked with Nqthm� The ob ject co de for these examples
was generated using the Gnu C� the Verdix Ada� and the AKCL Common
Lisp compilers� Perhaps most imp ortantly� �� of the �� programs in the
Berkeley Unix C string library were mechanically veri�ed� See ���� ����
Design Goals for ACL� �
CLI Technical Rep ort ����
In related work by Yuan Yu at DEC�s Systems Research Center in Palo
Alto� California� Nqthm is b eing used to sp ecify part of the DEC Alpha
architecture�
� Fault Tolerance A mo del of asynchronous communication was develop ed
in Nqthm and used to prove the reliability of the biphase mark commu�
nications proto col ����� The mo del transduces the waveform written by
one pro cessor into that read by an indep endently�clo cked pro cessor� as a
function of the phases and rates of the two clo cks and the communications
delay� The correcntess of a gate�level design of a device implementing the
biphase mark proto col has b een proved ����� The correctness of a gate�level
design of a device implementing an ��bit parallel io Byzantine agreement
pro cessor has b een proved ����� In addition� it was proved that the algo�
rithm implemented by the Byzantine agreement pro cessor correctly solves
the �oral messages� problem ���� Finally� the correctness of the interactive
convergence clo ck synchronization algorithm was proved �����
� Scheduling� Concurrency� and Distributed Computing Nqthm has
b een used to prove that an op erating system implemented in machine co de
on a unipro cessor correctly provides multitasking and task isolation and
communication ���� An Nqthm formalization of Misra and Chandy�s Unity
language ���� is describ ed in ���� ��� along with the pro ofs of several Unity
programs� An Nqthm�checked pro of that an earliest�deadline��rst �EDF�
scheduler is optimal is proved in ����� The �nal theorem is the classic
theorem ab out EDF schedulers�
��� The Role of Executability
The executability of Nqthm�s logic played a signi�cant role in the development
and use of the computational mo dels describ ed ab ove� We reconsider brie�y
several of the applications�
����� The CLI Short Stack
Consider the Piton task in the CLI short stack pro ject ���� The task was to de�
sign an assembly�level language for the FM���� suitable as the target language
for high�level language compilers� implement the language via an assembler and
linker� and verify the correctness of the implementation mechanically� A stack�
based abstract machine was chosen as the mo del for the resulting language�
which was named �Piton�� The mo del was formalized in Nqthm as an inter�
preter� In the present context this formal mo del may b e b est thought of as a
�� page system of Lisp de�nitions�
Having formalized the language semantics� the Piton interpreter was used
to run several Piton programs on test data� The purp ose of this exercise was
two�fold� By hand�compiling some high level language programs and testing
�
them we found that some useful features had b een omitted from the original
Piton prototyp e� In addition� we discovered bugs in the formal mo del� i�e��
oversights or other errors in the formal de�nitions that caused the mo del to
describ e a di�erent language than the one intended� Such testing eventually led
us to conclude that Piton was sp eci�ed as intended and required�
The next phase was to implement Piton on FM���� by de�ning an assembler
and linker� This required ab out �� pages of Lisp� We then tested the imple�
mentation by using it to run the previously generated Piton programs� b oth on
the Piton mo del and the FM���� mo del �which� recall� was another system of
executable Nqthm de�nitions�� In some cases we ran Piton programs for thou�
sands of FM���� steps� We found several gross bugs in the implementation this
way�
Eventually� such testing convinced us the implementation was �probably
correct� and we were prepared to invest the e�ort in proving it� �In fact� the
implementation was not correct but the bugs were hard to �nd� such as errors
arising only if �maliciously chosen� systems of names or lab els were used�� For�
mulating the correctness theorem required de�ning various mapping functions
b etween the high level Piton state and the low level FM���� state� Again�
testing was done to verify the corresp ondence claimed b etween the states� Test�
ing was also done to check that the statement of the main theorem held for
particular Piton programs and test data�
The pro of involved breaking the implementation down into steps and de�ning
several machines intermediate b etween Piton and FM����� such as a symb olic
FM���� with a program space separate from its data space� The design of these
machines� the mapping functions b etween them� and the formal statements of
the lemmas relating them were all supp orted by additional testing�
����� FM����
The FM���� pro ject required the formalization of a mo del of digital circuits�
The mo del is based on the NDL language of LSI Logic� Inc�� and is essentially
a formalization of a commercial NDL simulator with which one of the FM����
designers was very familiar� The Nqthm mo del is a recursive function named
dual�eval � so named b ecause it computes either the output lines of the circuit
or the �nal states of the various state�holding devices within it� Dual�eval takes
among its inputs a �netlist�� an Nqthm constant describing a tree of hardware
mo dules and their interconnections via named input�output lines� The leaf
no des of these trees are primitive logical gates�
Dual�eval can b e thought of as a logic simulator �without� however� the
graphic and debugging facilities of commercial simulators�� It is ab out �� pages
of Lisp co de� Running dual�eval on a concrete netlist and data involves sim�
ulating in the prop er sequence the input�output b ehavior of every logical gate
in the design and is a computationally intensive activity�
The implementation of FM���� was a concrete netlist� It was proved cor�
Design Goals for ACL� �
CLI Technical Rep ort ����
rect in the sense that its dual�eval semantics was shown to corresp ond ap�
propriately to the formal mo del of the FM���� as a machine co de interpreter�
Dual�eval was executed on the FM���� netlist to help debug the netlist� the
mapping functions� and the statement of the correctness theorem�
But extensive testing played a more imp ortant role later in the pro ject� after
the FM���� had b een fabricated by LSI Logic� Inc�� from the veri�ed netlist�
Up on delivery of the fabricated devices� CLI tested them for conformance to the
design� One reason p ost�fabrication testing is imp ortant is to check the relia�
bility of the unveri�ed layout to ols involved in the lower levels of the hardware
design pro cess� Another motivation of such testing is to check for pro duction
�aws such as malfunctioning gates caused� p erhaps� by material imp erfections�
The FM���� was tested against its dual�eval mo del �rather than the higher
level machine co de mo del� b ecause the dual�eval mo del contained output pins
designed explicitly for testing � outputs that were not part of the machine co de
mo del�
Note that the p ost�fabrication testing of veri�ed devices changes the role
of mo del execution� Heretofore execution was merely an e�cient way to avoid
�premature� pro of attempts� An instantaneous pro of oracle would obviate the
need for the kind of mo del execution done in the Piton pro ject b ecause that kind
of execution was done merely in answer to a purely mathematical question� �is
this conjecture always true�� or� equivalently� �do these two mathematical ex�
pressions give the same answers�� But the p ost�fabrication testing of a veri�ed
device is not a purely mathematical question� On the one hand one has a phys�
ical ob ject� On the other one has a mathematical expression� The question is
whether the b ehavior of the ob ject is accurately predicted by the mathemat�
ical expression� The b ehavior of the ob ject can only b e manifested by giving
it concrete data and observing its concrete output� Thus� one is forced to give
concrete data to the mathematical expression and derive its concrete output�
That is� one must compute with the formal mo del and compare the results with
those pro duced physically� Execution of the mathematical mo del is inherent
in p ost�fabrication testing� Often� at least for devices for which veri�cation is
needed� the required computations are so large and the test cases so numerous
that we exp ect the e�ciency with which the mo del can b e executed b ecomes an
imp ortant issue�
����� The MC�����
We conclude this discussion of executability by considering the programmer
level mo del of the Motorola MC������ The mo del is ab out �� pages of Lisp
and was written using the MC����� programmer�s manual ���� as the primary
source� While the MC����� can b e regarded as a formal artifact in as much as�
ideally� its b ehavior is exactly as sp eci�ed by its gate�level design� that design
was unavailable to the author of the Nqthm mo del� In e�ect� the Nqthm mo del
was �reverse engineered� from the artifact�
��
It was necessary therefore to corrob orate the mo del� To do so� CLI tested
it against an MC����� chip in the form of a Sun � workstation� Over ������
test vectors were executed b oth in the Nqthm mo del of the MC����� and on an
actual chip ���� Again� the imp ortance of the executability of the Nqthm mo del
is obvious�
This might b e considered a sorry state of a�airs given the fact that the
circuit design of the MC����� can b e regarded as a mathematical ob ject �as
FM�����s netlist was� and its corresp ondence to the machine co de mo del is
therefore sub ject to formal pro of� But this state of a�airs is common and the
reasons go b eyond the mere technical� Even after it b ecomes practical to verify
such large designs� a variety of economic� legal� and other obstacles stand in the
way of the publication or distribution of the �proprietary mathematical mo dels�
of commercial pro ducts by their manufacturers� The eventual promulgation of
formal standards �e�g�� for VHDL or Ada� can mitigate this problem for some
pro ducts� But after veri�cation has b ecomes more practical and cost�e�ective�
we sp eculate that there will b e commercial trade in �reverse engineered� for�
mal mo dels and those mo dels will have b een corrob orated against the mo deled
pro ducts exactly as though those pro ducts had no other mathematical mo dels�
��� Some of Nqthm�s Flaws
Despite our success with Nqthm we are aware of many shortcomings� Most of
these shortcomings relate to the scale of the pro ject to b e undertaken� When
Nqthm was designed �primarily in the �����s� the most impressive theorem
proved by it was the uniqueness of prime factorizations� which required ab out
��� lines to state starting from Peano�s axioms� By ����� Nqthm was b eing
used to prove theorems requiring ����� lines to state �G�odel�s theorem and the
correctness of the FM���� micropro cessor ������ By ���� it was b eing used to
prove theorems requiring almost ����� lines to state �FM������ This is almost
two orders of magnitude larger than the �inspirational� theorems of Nqthm�s
design stage�
Below we list those �aws of Nqthm that we b elieved could and should b e
1
�xed by a new design�
� Prototyping Formal Mo dels Admitting functions to the logic requires
theorem proving� But users prefer to prototyp e their formal mo dels �rst�
testing them on concrete data until convinced that the mo del is accurate
enough to warrant the investment in pro of�
� Execution Sp eed Testing a formal mo del on concrete data presupp oses
the logic is executable� i�e�� that the value of a variable�free term or formula
1
Of course� the most troubling ��aw� of Nqthm is the weakness and slowness of its theorem
prover� If the theorem prover would instantly recognize any Nqthm formula that was a theorem
and recognize no non�theorems� the other �aws would cause little trouble�
Design Goals for ACL� ��
CLI Technical Rep ort ����
can b e computed� Nqthm�s logic is executable �unless unde�ned function
symb ols are present�� But Nqthm�s logic executes less e�ciently than we
would like� This must b e understo o d in the context of the large mo dels and
numerous test cases discussed ab ove� Perhaps the main reason Nqthm�s
logic executes slowly is the need for runtime typ e checking� Another is
the presence of user�de�ned shells and other abstract ob jects �e�g�� �TRUE�
and �FALSE�� in the logic for which no corresp onding data typ es exist in
the underlying execution engine� If some Common Lisp conses must b e
set aside for the representation of the logic�s shells� then those conses
are not available for the representation of their natural counterparts in
the logic� The result is that the implementations of all of the logic�s
constructors and accessors are complicated by runtime typ e checking and
the provision for various �escap e� mechanisms� Furthermore� b ecause of
these complications� calls to the logic�s accessor functions are compiled
into pro cedure calls rather than handled more e�ciently in�line�
� Useful Pro of Techniques There are many useful pro of techniques not
supp orted by Nqthm� Consider for example the notion of �quotient struc�
ture�� Traditionally this notion refers to a set�theoretic construction in
which a new structure is formed from the equivalence classes of an existing
structure� for a particular equivalence relation� A typical use of such struc�
tures in our work is the partitioning of the set of states of some formalized
machine into equivalence classes by a pro jection that ignores hidden re�
sources� In suitable circumstances � formally describ ed by a congruence
rule � one can regard two nonidentical states as equivalent vis�a�vis the
b ehavior of some higher level machine� The �rst�order� non�set�theoretic
setting of Nqthm makes this sort of construction inconvenient for us� The
identity relation �Nqthm�s EQUAL� is the only equivalence relation with
which Nqthm�s heuristics will do replacement or substitution during sim�
pli�cation� To get Nqthm to replace a term by a nonidentical but suitably
equivalent term is quite awkward� requiring one to arrange for all of the
corresp onding congruence and transitivity rules to b e explicitly used by
the simpli�er during backchaining� Other pro of techniques that Nqthm
users have from time to time requested include forward chaining� the use
of alternative de�nitions of a concept� and �forcing� a hyp othesis to b e
true in back chaining by assuming its truth temp orarily and bringing the
full resources of the system to b ear on it later� when the pro of is otherwise
complete�
� User Control of the Theorem Prover Nqthm is guided in its search
for a pro of by the enabled rules of its data base� Few �lo cal� scoping
mechanisms are available to the Nqthm user� The user must thus manip�
ulate the global state of the data base in a sequential way to con�gure it
for each theorem� This �at structure pro duces complicated pro of scripts
that are highly dep endent up on an implicit notion of the current status of
��
all rules� It also complicates the task of combining two indep endently de�
velop ed pro of scripts� Furthermore� many heuristics are b eyond the user�s
control and arcane tricks are sometimes necessary to provoke the desired
b ehavior� Finally� the hints available to the Nqthm user for directing the
system�s search explicitly are quite limited�
� The Command Language Nqthm�s command language is Common
Lisp� A strength of the arrangement is that Lisp is a p owerful command
language� by the suitable de�nition of Common Lisp macros users can tai�
lor their command environments to their tastes� But typical commands
consist of a mix of Common Lisp and Nqthm terms and formulas� This
can b e quite confusing� esp ecially when dealing with function symb ols
such as CAR and APPEND which are de�ned slightly di�erently in the two
languages� Furthermore� b ecause the con�guration of the host Lisp is not
part of Nqthm� pro of scripts develop ed by one user are not always readable
by another�
� State Saving� Reusability� and Collab oration Nqthm allows the user
to save the data base into a �le� called a �library� �le� and thus start a sub�
sequent session in the same state� Nqthm libraries for many domains have
b een develop ed� e�g�� natural numb ers� list pro cessing� MC����� ob ject
co de programs� But it is not p ossible to combine two libraries b ecause
each is a complete snapshot of the Common Lisp image� Nevertheless�
such combination is exactly what one would want to do if one needed a
numb er theoretic result while constructing the pro of of an MC����� pro�
gram� This makes it quite di�cult to build on the work of others or one�s
own past work� except by having Nqthm repro cess the old script� This
raises the cost of veri�cation by encouraging the rep eated redevelopment
of foundational work and tends to linearize the development of a veri�
�ed system into a monolithic pro ject by a single p erson who has complete
knowledge of the state� Because of the growing size of veri�cation pro jects�
we b elieve that veri�cation systems should encourage the collab orative ef�
forts of many p eople working semi�autonomously on di�erent parts of the
system�
� Practicing What We Preach It has always struck us as hyp o critical
that we would� on the one hand� advo cate the use of formally de�ned
programming languages and machine�checked formal pro of as a means
of assuring correctness while� on the other hand� programming our own
system� Nqthm� in an informally sp eci�ed language and relying entirely
on informal arguments that we had done our job correctly� Would it not
b e more convincing if we programmed the system in a formal language
and could� at least� state its correctness� Should we not aspire someday
to prove the correctness of the system and to somehow check that pro of
mechanically�
Design Goals for ACL� ��
CLI Technical Rep ort ����
� ACL�
ACL� is an extended� reimplemented analogue of Nqthm that supp orts an ex�
tension of the applicative subset of Common Lisp as its logic� �ACL�� stands
for �A Computational Logic for an Applicative Core Language�� By �core lan�
guage� we mean a formalism that can b e used � as Nqthm was � to mo del
many di�erent computing systems� Common Lisp is such a language� By for�
malizing a logic around applicative Common Lisp we can take advantage of the
exceptionally go o d optimizing compilers for Common Lisp to get� in many cases�
execution sp eeds comparable to C� Two guiding tenets of the ACL� pro ject
have b een to conform to all compliant Common Lisp implementations and to
add nothing to the logic that violates the understanding that the user�s input
can b e submitted directly to a Common Lisp compiler and then executed �in an
environment where suitable ACL��sp eci�c macros and functions are de�ned��
The de�nition of Common Lisp used in our work has b een ���� ���� We
comment on the draft prop osed ANSI standard for Common Lisp ���� in the
conclusion�
Just as Nqthm is more than a veri�cation to ol for pure Lisp � in particular�
it has b een used as a mo deling to ol for a wide variety of digital systems �
ACL� is intended to b e more than a veri�cation to ol for Common Lisp� Its
current applications range from hardware veri�cation to mo dels of high level
programming languages such as Ada�
��� Logic
The ACL� logic is a �rst�order� quanti�er�free logic of recursive functions pro�
viding mathematical induction on the ordinals up to � and two extension prin�
0
ciples� one for recursive de�nition and one for constrained intro duction of new
function symb ols� here called encapsulation�
The syntax of ACL� is that of Common Lisp� Formally� an ACL� term
is either a variable symb ol� a quoted constant� or the application of an n�ary
function symb ol or lamb da expression� f � to n terms� written �f t ���t �� This
1 n
formal syntax is extended by a facility for de�ning constants and macros� We
discuss macros later�
The rules of inference are those of Nqthm� namely prop ositional calculus with
equality together with instantiation and mathematical induction up to � � Two
0
extension principles� recursive de�nition and encapsulation� are also provided�
The following primitive data typ es are axiomatized�
� ACL� Numb ers� The numb ers consist of the rationals and complex
numb ers with rational comp onents� Examples are ��� ����� and �c�� ���
� Character Ob jects� ACL� supp orts Common Lisp�s �standard charac�
ters� including ��A� ��a� ��� and ��Newline� as well as three of Common
Lisp�s �nonstandard characters�� ��Page� ��Tab and ��Rubout�
��
� Strings� ACL� supp orts strings of standard characters� e�g�� �Arithmetic
Overflow��
� Symb ols� ACL� supp orts Common Lisp�s symb ols� In general� symb ols
are ob jects consisting of two parts� a package and a name� The symb ol
EXEC in the package �MC������ is written MC�������EXEC� One package
is always selected as �current� and its name need not b e written� Thus� if
�MC������ is the current package� the symb ol ab ove may b e more simply
written as EXEC� Packages may �imp ort� symb ols from other packages
�although in ACL� all imp ortation must b e done at the time a package is
de�ned�� If MC�������EXEC is imp orted into the �STRING�LIB� package
then STRING�LIB��EXEC is in fact the same as MC�������EXEC�
� Lists� ACL� supp orts arbitrary ordered pairs of ACL� ob jects� e�g�� �X
MC�������X ��Hello�� �� � ��������
It is our intention that all of the Common Lisp functions on the ab ove data
typ es are axiomatized or de�ned as functions or macros in ACL�� By �Common
Lisp functions� here we mean the programs sp eci�ed in ���� or ���� that are �i�
applicative� �ii� not dep endent on state� implicit parameters� or data typ es other
than those in ACL�� and �iii� completely sp eci�ed� unambiguously� in a host�
indep endent manner� Approximately ��� such symb ols are axiomatized�
Common Lisp functions are partial� they are not de�ned for all p ossible
inputs� Consider for example the primitive function car� Page ��� of ���� says
that the argument to car �must b e� a cons or nil� On page � we learn �In
places where it is stated that �so�and�so �must� or �must not� or �may not� b e the
case� then it �is an error� if the stated requirement is not met�� On page � we
learn that �it is an error� means that �No valid Common Lisp program should
cause this situation to o ccur� but that �If this situation o ccurs� the e�ects and
results are completely unde�ned� and �No Common Lisp implementation is
required to detect such an error��
This raises some problems with the direct emb edding of applicative Common
Lisp into a logic� The situation is far worse than merely not knowing the value
of �car ��� We do not know that the value is an ob ject in the logic� �car ��
might b e � � for example� Worse still� we do not know that car is a function�
the form �equal �car �� �car ���� which is an instance of the axiom �equal
x x�� might evaluate to nil in some Common Lisps b ecause the �rst �car ��
might return t and the second might return nil� The �story� relating our
logic to Common Lisp is complicated and we explain it after completing the
description of the logic�
In supp ort of the �story� we formalize in ACL� the notion of �guards�� Each
ACL� function symb ol has a guard� which is a term that sp eci�es the domain
of the function� The guard of car is �or �consp x� �equal x nil��� Appli�
cations of a function outside its guarded domain pro duce unsp eci�ed results�
We have identi�ed a guard for each of the Common Lisp primitives in ACL�
Design Goals for ACL� ��
CLI Technical Rep ort ����
and made sure that our axioms do not constrain the primitives outside of their
guarded domains�
To applicative Common Lisp we add four imp ortant new features�
� We add a notion of �state�� containing� among other things� the �le system
and input�output �channels� to �les� Syntactic checks in the language
insure that the state is single�threaded� thus giving rise to a well�de�ned
notion of the �current state��
� We add fast applicative arrays� These are implemented� b ehind the scenes�
with Common Lisp arrays in a manner that always returns values in accor�
dance with our axioms and op erates e�ciently provided certain program�
ming disciplines are followed �namely� they are used in a single�threaded
way so that only the most recently up dated version of an array is used��
� We add fast applicative prop erty lists in a manner similar to that for
arrays�
� We add new multiply�valued function call and return primitives that are
syntactically more restrictive than those of Common Lisp �requiring a
function always to return the same numb er of values and always to b e
called in the appropriate manner� but which can admit a faster imple�
mentation than Common Lisp�s�
Finally� ACL� has two extension principles� de�nition and encapsulation�
Both preserve the consistency of the extended logic� Indeed� the standard mo del
of numb ers and lists can always b e extended to include the newly intro duced
function symb ols� �Inconsistency can thus b e caused only if the user adds a new
axiom directly rather than via an extension principle�� The de�nitional principle
insures consistency by requiring a pro of that each de�ned function terminates�
This is done� as in Nqthm� by the identi�cation of some ordinal measure of
the formals that decreases in recursion� In ��� we show �for Nqthm� that this
insures that one and only one set�theoretic function satis�es the recursive de��
nition and that pro of carries over to the ACL� case� with appropriate treatment
of the nonuniqueness of the constrained functions used in the de�nition� The
encapsulation principle preserves consistency by requiring the exhibition of wit�
ness functions that have the alleged prop erties�
The form of a function de�nition is as in Common Lisp�
�defun f �x ���x � �declare ���� body �
1 n
ACL� extends Common Lisp�s declare so as to p ermit the sp eci�cation of a
guard expression� �g x ���x �� as well as to p ermit the optional sp eci�cation of
1 n
an ordinal measure and other �hints�� If the required termination theorems can
b e proved�
��
Axiom�
�g x ���x � � �f x ���x � � body
1 n 1 n
is added as a new axiom� Observe that the value of the function outside of its
guarded domain is unsp eci�ed� Logically� our guards are just terms that app ear
as hyp otheses in many axioms�
Encapsulation allows the intro duction of new function symb ols satisfying
arbitrary constraints provided one can exhibit de�nitions of those symb ols that
make those constraints theorems� This allows for abstractions to b e intro duced
conservatively� An encapsulation command takes the form of an arbitrary se�
quence of commands� e�g�� de�nitions and theorems� some of which are lab eled
�lo cal�� When an encapsulation command is veri�ed for admissibility� all of
the sub commands are executed and each must b e successful� But the e�ects of
the command are obtained by executing only the non�lo cal sub commands� To
constrain a new function symb ol f of one argument so that it always returns
a rational numb er� it su�ces to de�ne �f x� lo cally to b e ����� say� and then
to prove and �exp ort� the theorem �rationalp �f x��� The lo cal de�nition
of f is merely a witness to the consistency of the constraint� �Outside� the
encapsulation� �f x� is known only to b e rational�
A derived rule of inference� called �functional instantiation�� ���� gives ACL�
some of the features of a higher order logic by allowing one to instantiate the
function symb ols of a previously proved theorem� replacing them with other
function symb ols or lamb da�expressions� provided one can prove that the re�
placements satisfy the constraints on the old symb ols� For example� any theorem
proved ab out the rational f ab ove could later b e used to obtain the analogous
theorem ab out any rational function or expression�
ACL��s logic is strictly weaker than Nqthm�s b ecause ACL��s logic do es not
contain an analogue of Nqthm�s nonconstructive V�C�� The logical tendrils of
V�C� are p ervasive and the heuristics for dealing with it are very complicated
�and hence invite implementation errors�� Whether it is a comment on the
utility of V�C� or �more likely� on the weakness of our heuristics for handling
it� it is a fact that Nqthm users avoid V�C�� Little substantial use of it app ears
in Nqthm�s b enchmarks� and since the intro duction of functional instantiation�
some of those uses have b een replaced by the use of constrained functions and
functional instantiation� as illustrated in ���� where the two metho ds are used
to prove the termination of Knuth�s generalized ���function ����� In any case�
we decided not to burden ACL� or its users with an analogue of V�C�� We
are optimistic that this do es not seriously lessen the applicability of ACL� to
practical veri�cation problems�
��� Metatheoretic Considerations
Lisp and ACL� exploit the fact that there is a straightforward mapping from
terms in the logic to the ob jects of the logic� For example� the term �f t ���t �
1 n
Design Goals for ACL� ��
CLI Technical Rep ort ����
can b e identi�ed with the list structure ��f t ���t �� The latter is said to b e
1 n
the quotation of the former� To make this p ossible we insist that if f is a
function symb ol in the syntax� then �f is a symb ol ob ject� The mapping is so
straightforward that one often forgets it and thinks of terms as b eing ob jects in
the logic� though this is technically a categorical mistake�
One way this mapping is exploited is in the macro facility� Macros allow
the syntax of the logic to b e extended� Macros are functions� If f is a macro
and x � ���� x are arbitrary ob jects� then �f x ���x � may b e used as a term
1 n 1 n
and denotes the term �whose quotation is� obtained by applying f to the x �
i
For example� by the appropriate macro de�nition of case one might arrange
for �case x �� �a�� �� �b�� �otherwise �c��� to �macro expand� to �if
�equal x �� �a� �if �equal x �� �b� �c���� Thus� the syntactic denota�
tion of an expression is determined by computation and the p ower of recursive
functions can b e used �for b etter or worse� to intro duce essentially arbitrary no�
tation� By intro ducing well�designed application�sp eci�c notation one can make
sp eci�cations more succinct and easy to grasp�
Like Nqthm� the ACL� theorem prover also exploits the identi�cation of
terms and ob jects� It is p ossible to de�ne �term transforming� functions �which
actually op erate on the quotations of terms�� If one then proves that such a
transformer preserves semantic identity �i�e�� that the ob ject denoted by the
input term is the same as the ob ject denoted by the output term�� the trans�
formation can b e incorp orated soundly into the simpli�cation routines of the
theorem prover� See ����
The link b etween terms and ob jects means that some system design and user
interface issues impact the choice of axioms� For example� execution e�ciency
dictates that the quotation of a function symb ol b e an ob ject in the logic that
can b e concretely and uniquely represented by that symb ol� Thus� while theo�
retical considerations p ermit one to enco de the quotations of function symb ols
as integers� e�ciency suggests including in the logic some suitable ob jects�
Nowhere is the impact of the user interface on the choice of axioms more
apparent than in the provision of packages for symb ol ob jects� Why are our
symb ol ob jects complicated by the notion of a package comp onent� Nqthm�s
symb ols �the LITATOMs� were not so complicated� The answer is that we care
less that the symb ol ob jects of the logic have packages than we care that their
�dequotations� as function symb ols have packages� We want to make it easy
to combine theories develop ed by di�erent users� Packages allow indep endent
users to create disjoint systems of function de�nitions� For example� each of two
users� Smith and Jones� can de�ne the function step� Provided the two users
work in di�erently named current packages� say �SMITH� and �JONES�� their
two systems can b e combined without logical con�ict and each can continue
to reference his or her own step by that name while referencing the other
by pre�xing it with the appropriate package� e�g�� JONES��step� But b ecause
function symb ols are identi�ed with the symb ol ob jects� �JONES��step must b e
a symb ol ob ject and the axioms must make explicit the package comp onent of
��
a symb ol and the relationships b etween packages�
��� Execution E�ciency� Guard Veri�cation and Colors
The implicit guards of Common Lisp allow great e�ciency� The implementation
of the function car may assume its actual is a cons or nil� By a suitable
representation of data� the implementation of car can simply fetch the contents
of the memory lo cation at which the actual is stored� No typ e checks are
necessary� Similarly� append� whose guard requires that the �rst argument b e a
list ending in nil� can recur down the cdr of that argument until it encounters
nil� without typ e checking� Of course� if car or append is applied to � the
results are unpredictable� There are implementations of Common Lisp� for
example� Gnu Common Lisp �which used to b e called Austin Kyoto Common
Lisp�� in which the p erformance of the compiled co de generated for arithmetic
and list pro cessing functions is comparable to hand�co ded C arithmetic and
p ointer manipulation� Exceptional execution e�ciency on a wide variety of
platforms� combined with clear applicative semantics when used prop erly� was
one of the great attractions of basing the ACL� logic on Common Lisp�
Because guards are explicit in ACL�� two choices are p ossible when consid�
ering how to evaluate a function call� ACL� could check at runtime that the
actuals satisfy the guard or it could glibly execute the Common Lisp function�
taking a chance that anything might happ en if the guard were not actually sat�
is�ed� Because we are in a logical setting� however� we could arrange also for
ACL� to do the latter only if it had proved� from the context of the function
call� that the guard must b e true� For example� one might show that if the
guard to a given de�ned function is true of the formals� then every guard that
will b e encountered in the execution of the b o dy of that function will also b e
satis�ed� If one marked such functions then their safe evaluation would b e fast�
check the guard up on the �rst entry from an �unsafe� context and then execute
the b o dy with no checking �and no risk�� If an entire system were so marked�
the only runtime check would b e of the initial inputs�
We co dify this marking scheme with what we call �colors�� Colors� however�
are also connected to another asp ect of ACL� function de�nition� namely the
issue of prototyping and testing b efore admission to the logic�
At any moment� every ACL� function has one of four colors� The colors
and their signi�cance are describ ed b elow� Colors are not part of the logic but
merely a feature of our implementation of it� Facilities are provided for changing
the color of a function� Functions of all colors can b e compiled�
� Red A function symb ol has the color red if the symb ol has b een de�ned
for computational purp oses but not admitted to the logic� When such a
function is de�ned� syntax checks are done �to insure that the de�nition
is in the ACL� language� but no termination pro of is done and no axiom
is added� Thus� the logic remains consistent� Calls of the function can
Design Goals for ACL� ��
CLI Technical Rep ort ����
b e evaluated at the command level and thus tested� The function can
b e freely rede�ned b ecause no nontrivial results ab out it could have b een
proved or entered into the data base� Finally� the guard of a red function
is ignored at runtime� so execution can cause Common Lisp errors but
optimal p erformance is obtained� Red functions are useful for prototyping
a formal mo del for b oth b ehavior and p erformance b efore any pro of burden
is incurred� red functions are also useful as utility functions �e�g�� for use
in macros or for data base query��
� Pink Pink functions are like red ones except that the guards are checked at
runtime� After prototyping a system of red de�nitions one might convert
it to pink to con�rm that� on the given tests� the functions are b eing
used in accordance with their guards� Since pink functions can b e freely
rede�ned �along with their guards�� guards can b e prototyp ed without
pro of burdens�
� Blue A function symb ol is blue if the symb ol has b een de�ned for compu�
tational purp oses and also admitted to the logic� To make a symb ol blue�
a termination pro of must b e done� Theorems can b e proved ab out blue
functions� Blue functions can b e executed on concrete data� but guards
are checked at runtime� After a function has b een prototyp ed in a �hot�
color �red or pink�� its conversion to blue at the cost of termination pro ofs
adds an axiom and thus enables one to undertake pro ofs of correctness
and other prop erties�
� Gold A function symb ol is gold if the symb ol has b een de�ned computa�
tionally and admitted to the logic �i�e�� was blue� and� in addition� every
subfunction called in the b o dy is gold and theorems have b een proved es�
tablishing that when the guard of the function is true the guards of every
subfunction are also true on their actuals� This is called �guard veri�ca�
tion�� When a gold function is called �from outside a gold function�� its
guard is checked at runtime but then the b o dy is executed without any
guard checking� Thus� gold functions run as fast as red ones but with
no risk of runtime error �except� p ossibly� resource exhaustion�� After a
blue formal mo del has b een proved correct� one could undertake to make
it gold by proving all of the guard conjectures� When that is done� the
mo del will run e�ciently�
Because guards are arbitrary expressions� guard veri�cation is� in general�
undecidable� But if guards are primitive typ e expressions on the formals� guard
veri�cation is usually a trivial theorem proving problem and can b e done by
sp ecial syntactic means� Some work is this direction has already b een done ����
Admissibility do es not require guard veri�cation� termination of the recursion
can b e proved without necessarily showing that all subfunctions are well�de�ned�
Indeed� it is often necessary to admit a function to the logic in color blue� prove
theorems ab out its value� and then convert it to gold�
��
��� The Story Relating the Logic to Common Lisp
We make the following claim ab out ACL�� Supp ose f is a function symb ol
of one argument de�ned in some certi�ed b o ok �as describ ed b elow�� that the
guard of f is t� that f is gold� and that �equal �f x� t� is a theorem of ACL�
proved in that b o ok� Consider any Common Lisp compliant to ���� into which
the ACL� kernel has b een loaded� Load the b o ok into that Lisp� Let x b e a
Common Lisp ob ject that is also an ACL� ob ject �i�e�� an ACL� numb er� ACL�
character ob ject� an ACL� string� a symb ol in some ACL� package� or the cons
of two ACL� ob jects�� Then the application in that Lisp of f to x returns t or
else causes a resource error �e�g�� stack over�ow or memory exhaustion��
Given the lack of details of the logic in this pap er� it is imp ossible to argue
the truth of this claim here� Nor have we written down a rigorous argument
elsewhere at this p oint� though we can explain the idea here as follows� �f x�
must evaluate to t �b ecause of the soundness of the logic�� and the computation
will at no step exercise a function symb ol outside of its guarded domain �b ecause
f is gold�� where the logic and Common Lisp agree�
This claim can b e generalized considerably� The most useful generalization
intro duces the notion of a �gold formula� which is� roughly put� a formula in
which the guards of all function symb ols are true in the context in which they
o ccur and claims� roughly� that any ACL� instance of a gold theorem evaluates
to non�nil in any compliant Common Lisp�
��� Theorem Prover
The ACL� theorem prover is a reimplementation of the Nqthm theorem prover
for the ACL� logic� Most of the pro of techniques of Nqthm have b een imple�
mented in ACL�� Many have b een extended signi�cantly�
One of the driving forces b ehind our design of ACL� is that its architec�
ture should b e op en so users can con�gure it in di�erent ways� ACL��s pro of
techniques are sensitive to a hierarchically structured data base of rules derived
initially from previously certi�ed �b o oks�� Furthermore� an evolving �theory��
which is computationally determined by the user as a function of the current
data base and goal� sp eci�es �views� of the data base� Bo oks and theories are
discussed later�
����� Pro of Techniques
Most of the pro of techniques are allowed to �force� hyp otheses� by assuming
them true� The theorem prover is organized so that if the main goal is proved
but hyp otheses are forced� the forced hyp otheses are addressed in appropriate
contexts in a later �round� of pro of� Typically� guards are forced when they are
not �obviously� true� since otherwise we cannot use the functions�s de�nitions�
This means that it is p ossible to submit simple �but false� conjectures ab out
Design Goals for ACL� ��
CLI Technical Rep ort ����
ACL� functions to the system and b e informed� explicitly by the system� that
the conjecture holds provided some previously unrelieved guard �or� �typ e��
checking can b e done�
While guards are forced by default� the user may actually sp ecify which
hyp otheses are to b e forced� By delaying the consideration of forced hyp otheses
ACL� can combine them to reduce the total pro of e�ort� For example� while a
particular function call might b e op ened many times in di�erent contexts� the
validity of its guard might b e addressed just once in a suitably general context�
Here now is a description of the ACL� theorem prover� Readers familiar
with Nqthm will recognize that system�s structure and techniques�
The user�s conjecture is translated via macro expansion into a formal term
and converted to a set of clauses� each of which must b e proved� The clauses are
added to a p o ol of goals and extracted one at a time for further consideration
by a succession of pro of techniques� If an extracted goal is proved� the size of
the p o ol shrinks by one� When the p o ol is empty� the user�s conjecture has b een
proved� If a pro of technique reduces the given goal to several subgoals� it puts
the subgoals into the p o ol� Otherwise� the pro of technique passes the extracted
goal to the next pro of technique�
The pro of techniques� in order of application are�
� prepro cessing� This pro cess expands some prop ositional functions and
uses IF�normalization� tautology checking� recognition of common cases�
and equivalence closure� An ordered binary decision diagram �OBDD�
algorithm has b een co ded for ACL� ���� and we hop e to integrate it into
the prepro cessor�
� simpli�cation� By far the most complicated pro of technique� simpli�
�cation combines primitive typ e checking� forward chaining� backward
chaining� forcing� congruence based rewriting under arbitrary equivalence
relations and their re�nements� generalized alternative recursive de�ni�
tions� veri�ed conditional metatheoretic simpli�ers� tautology checking�
congruence closure� and generalized linear arithmetic�
Because of its imp ortance we illustrate brie�y the role of equivalence re�
lations here� The rewriter has a �goal equivalence relation� which sp eci�
�es the required relation b etween its input term and its output� For ex�
ample� at the top�level the rewriter maintains prop ositional equivalence�
i�e�� the rewritten term must b e prop ositionally equivalent to the input
term� As the rewriter descends through the structure of the term b eing
rewritten� it changes the goal equivalence relation according to congruence
rules previously proved� Supp ose for example that a member expression
is b eing rewritten� and that the data base contains the rule establish�
ing that prop ositionally equivalent member expressions are pro duced when
set�equal lists are substituted into the second argument of member� Then
when rewriting the second argument of the target member expression the
��
system will allow itself to maintain set�equal� This means that a rule
such as �set�equal �append a b� �append b a�� can b e used as a re�
placement rule to commute the arguments of append� even though append
is not in general commutative� The user can prove new relations to b e
equivalence relations and prove appropriate congruence rules� Thus� even
when nonunique concrete representations are used for abstract entities�
the user can enjoy the simplicity of �substitution of equals for equals�
at the exp ense of setting up the appropriate equivalence and congruence
rules�
� destructor elimination� This pro cess trades �bad� terms for �go o d�
ones by a �change of variables� technique driven from the data base� For
example� under suitable conditions� �� i j� might b e reduced to k by
replacing i everywhere by �� k j��
� cross�fertilization� Equivalence hyp otheses are used and p ossibly dis�
carded� Such hyp otheses are used by replacing certain o ccurrences �de�
p ending on available congruence rules� of one side of the equivalence by
the other�
� generalization� This pro cess selects certain o ccurrences of terms involved
on b oth sides of equivalence relations or in the hyp othesis and conclusion
of the goal and then replaces them with new variable symb ols� Restrictive
hyp otheses ab out the new variables may b e added�
� elimination of irrelevance� Irrelevant hyp otheses are thrown out� based
on variable isolation and deduced typ e information�
� mathematical induction� This pro cess attempts to �nd an induction
scheme appropriate for the conjecture� based on the terms in the conjec�
ture� The analysis involves the arbitrary well�founded relations used to
justify recursive functions� user supplied rules linking function symb ols to
additional schemes� various techniques for merging and otherwise combin�
ing schemes� and selection heuristics�
����� The Data Base� Bo oks� Rules and Theories
A book is a �le of de�nitions and theorems and references to other b o oks whose
contents are recursively included� ACL��s data base may b e extended rep eatedly
by the �inclusion� of b o oks� �Views� of the data base are sp eci�ed by �theories��
as describ ed b elow�
The b o ok mechanism is related to the encapsulation mechanism� a b o ok can
hide the details of its pro ofs �lo cally� while exp orting p owerful collections of
rules� That is� the contents of a b o ok app ears di�erent to its author than to
its readers� All events are visible to the author� or more precisely� to the agent
�certifying� the b o ok� as discussed b elow� But to the reader� only �non�lo cal�
Design Goals for ACL� ��
CLI Technical Rep ort ����
events are visible� Thus� the author might include in a b o ok many �intermedi�
ate� theorems whose only purp ose is to lead ACL� to the pro ofs of the �main�
theorems in the b o ok� By marking the intermediate theorems as �lo cal� the
author can hide them from readers� Hiding is imp ortant in collab orative work
since the tactical choices made by one user are often counterpro ductive in the
context of the tactical choices of another�
Bo oks can also de�ne packages and declare a given package �current� for
the purp oses of the b o ok� thus providing the namespace protection of packages�
Bo oks can also de�ne theories and theory manipulation functions� as discussed
b elow� When two b o oks are loaded together� syntactic checks are done to insure
their logical compatibility�
Bo oks can b e certi�ed� which involves pro cessing them and their subb o oks
so as to determine that every de�nition and encapsulation is admissible and
every alleged theorem is provable� Certi�cation lo oks at every event in a b o ok�
b oth the lo cal and the non�lo cal ones� Certi�cates containing details of the
certi�cation� including the checksums of the relevant b o oks� are generated by
the certi�cation pro cess� When a b o ok is later included in a session only its
non�lo cal events are seen and their pro ofs are not reconstructed but just as�
sumed� provided the certi�cation data is consistent� Inconsistent certi�cates
cause informative warnings to the user� Attention to directory structures allows
b o oks to b e moved b etween directories on the host system without requiring
recerti�cation� The checksum computation is insensitive to comments in the
�le so that certi�ed b o oks can b e do cumented or reformatted without requiring
recerti�cation� The certi�cation pro cess provides a means of version control
that is integrated into the pro of system� This is particularly imp ortant if multi�
ple users are developing a system� �Strictly sp eaking� logical soundness requires
that only one ACL� pro cess have write p ermission for the duration of a pro of
on all of the b o oks involved and that certi�cation of all b o oks b e p erformed by
that pro cess at the b eginning of the pro of� Given the fundamental insecurity
of most host �le systems� it was thought that checksums provide an acceptable
level of assurance to detect accidental corruption by co op erative colleagues� Fi�
nal formal assurance is obtained by a ro ot�and�branch stand�alone certi�cation
at the end of the pro ject��
As with Nqthm� proved theorems generate rules that are added to the data
base� Unlike Nqthm� ACL� do es not require the syntactic form of a theorem
to sp ecify how it will b e used as a rule� Instead� every rule generated from a
theorem is derived from a �corollary� formula� optionally sp eci�ed by the user
�and defaulting to the theorem itself �� which is implied by the theorem and
whose syntax describ es the rule�
Including a b o ok into an ACL� session adds all the rules derived from the
non�lo cal events in the b o ok� Each rule in ACL� has a unique name� A rule can
b e used only if it is �enabled�� Whenever ACL� go es to the data base to obtain
information an appropriate rule name is found� checked for b eing enabled� and
tracked in a �tag tree�� a structure that follows the evolving pro of construction
��
and records relevant information� Pervasive tracking and use of enabled rule
names provides the ACL� user with much �ner grained control of ACL� as well
as more information� if desired� ab out the evolving pro of�
To b e �enabled� a name must b e in the current theory� where a theory is a
list of rule names� A theory thus gives a view of the data base in the sense that
a rule is seen only if its name is in the current theory�
Theories are just ob jects in the logic� namely lists� Since a theory is just a
list of ACL� ob jects� theories can b e computed and manipulated by ACL� func�
tions� Utility functions for manipulating theories include functions for unioning
together theories �enabling all the rules in each�� taking the set di�erence of two
theories �disabling all the rules in the latter theory�� and computing the current
theory as of some previous pro of� The user may de�ne theory manipulation
functions� Daemons can b e installed on names to insure that incompatible rules
do not co exist within a derived theory� Bo oks may provide alternative sets of
rules and make them conveniently available via theories and theory functions
provided in the b o oks� The author�s advice ab out how rules are used in concert
may b e co di�ed into daemons�
����� Pro of Trees and Commentary
The ACL� theorem prover prints a running commentary on its evolving pro of
attempt� explaining each transformation� the derivation of forced hyp otheses�
the use of hints� etc� In addition� if Emacs is available� ACL� sketches the
evolving pro of tree as it go es� pruning branches that are proved� The pro of tree
facility is linked to the evolving commentary so that the commentary asso ciated
with any p oint in the tree can b e conveniently obtained� This allows the user to
ignore ACL��s scrolling commentary �indeed� many users simply do not display
that bu�er� and simply jump directly to the trouble sp ots �the �checkp oints�
of ���� and of the to ol describ ed in ������
����� Do cumentation
ACL� is do cumented via an online do cumentation facility that is part of ACL��
The ACL� do cumentation is maintained in a hyp ertext�like structure which
may b e browsed via ACL� do cumentation commands� In addition� it may b e
browsed via Emacs� Info mo de and via Mosaic� Roughly �� megabytes of on�
line do cumentation is available ab out ACL�� including tutorials� Instructional
materials are b eing prepared as part of this do cumentation�
The ACL� user may wish to do cument his or her formal mo dels and browse
that do cumentation with the facilities provided� ACL� supp orts this use of
its do cumentation facilities� In particular� Common Lisp allows do cumentation
strings to b e included in the de�nitions of constants� macros and functions and
ACL� extends that to the commands that intro duce other names� such as theo�
rems and theories� ACL� recognizes do cumentation strings that are formatted
Design Goals for ACL� ��
CLI Technical Rep ort ����
in a certain way and links them into its browser� Facilities are provided to con�
vert ACL��s graph into �les suitable for browsing with Info mo de and Mosaic�
Thus� when a b o ok is included in a session � p ossibly intro ducing many new
function symb ols and rules � the author�s do cumentation of those new names
also b ecomes available�
����� The User Interface
ACL� presents itself to the user as a read�eval�print lo op in which ACL� forms
are read and evaluated� Up on re�ection� this is a dizzying statement� b ecause it
implies that the command to de�ne a function� for example� is an ACL� form�
We discuss this in the next section�
We here fo cus on three interesting asp ects of this interface� First� as with
traditional Common Lisp interfaces� the user may freely mix the de�nition of
functions with their evaluation� typing only Common Lisp� Indeed� the only
language one must know to use ACL� is ACL� �applicative Common Lisp�� We
�nd this unity pleasing� Indeed� the asp ects of ACL� relating to logic and pro of
are transparent as long as one is merely prototyping and testing a red system�
A window based interface could b e engineered from this base with ab out the
same di�culty as one could b e engineered for a traditional Common Lisp�
Second� b ecause the command language is ACL�� the user can de�ne macros
to tailor the command environment� Here are three illustrative command�level
macros�
� A macro form might automatically �disable� all the rules generated by a
theorem emb edded in the form�
� A macro form might generate schematically a collection of theorems from
some data structure provided in the form� Such a macro might implement
some sp ecialized metho dology for proving certain kinds of prop erties ab out
the ob ject mo del�
� A macro form might submit a given theorem for pro of and compute au�
tomatically a certain style hint known by the user to b e necessary when
theorems of the given kind are proved�
In Nqthm� such macros were de�ned in Common Lisp� But pro of scripts
using those macros were unreadable by unmo di�ed Nqthm images� In ACL��
such macros may b e included in the pro of scripts in which they are used �p erhaps
by the recursive inclusion of a customization b o ok�� Checks made when b o oks
are loaded insure that the macros used by a collection of b o oks are compatible�
It is our intention that the provision of macros at the command level will give
ACL� an advantage over Nqthm when using the system as a �shell� in which to
construct veri�cation environments for sp ecialized domains precisely b ecause it
allows one to co dify� formally� the metho dology required�
��
Third� ACL� can b e used to query the data base� Sophisticated users of
Nqthm frequently use this asp ect of Nqthm� as to collect all the names de�ned
since a given name was intro duced� etc� But in Nqthm the use of Common Lisp
can p otentially render the system unsound� as would happ en if the user rede�ned
the Common Lisp function prove or destructively mo di�ed the prop erty lists
while insp ecting them� But in ACL�� such utility functions can b e de�ned
without having to program in a new language and without risking damage to
the system� b ecause of ACL��s applicative nature and the checks made by its
de�nitional principle� Indeed� users can de�ne useful utilities and exchange
them via b o oks� without rendering the system unsound�
��� Practicing What We Preach
ACL� is coded in ACL�� That is� the ACL� system is a collection of b o oks
containing de�nitions of ACL� functions� The typ e mechanism� the rewriter�
the linear arithmetic pro cedure� the induction heuristic� the error checkers� the
error handlers� the mechanism for reading and pro cessing b o oks� the top�level
read�eval�print lo op � all are ACL� functions� To b o ot the system� the compiled
co de is loaded into any Common Lisp and then the system reads and pro cesses
its own source �les� �rst in the color red and then gold� �At the moment� only
part of the system� ab out a tenth of it� has b een pro cessed in gold� Among
our goals is to pro cess the entire system in gold�� The system currently stands
at ��� megabytes �or ab out ������� lines of co de�� making it one of the largest
applicative programs in the world�
The discipline of using ACL� as its own implementation language has had a
remarkable impact on the language� the theorem prover� and the system supp ort
to ols� Simply expressing ACL� in itself stretched the applicative language from
the rather con�ning natural subset of Common Lisp to a practical applicative
programming language� Our concern for the e�ciency of our software drove
us to make ACL� e�cient� Array access and change are essentially constant�
time op erations� that op erate at ab out half the sp eed of the array access and
change in C� Appropriately declared simple arithmetic expressions execute at
C sp eeds� However� unlike other practical applicative languages� ACL� includes
an axiomatization and a mechanical theorem proving environment�
The discipline of pro cessing our source co de with the de�nitional princi�
ple has yielded imp ortant improvements to the heuristics originally taken from
Nqthm� For example� one ��� line de�nition in our source co de expanded un�
der Nqthm�s de�nition normalization routines to �� megabytes of formal co de�
ACL� do es not normalize de�nitions� which on the one hand forces its theorem
prover to do so but on the other allows context�sensitive normalization to re�
duce the numb er of cases� Whether ACL� can manage to prove things ab out
de�nitions of practical size �e�g�� its own source co de� remains to b e seen� but
the exp eriment has at least established that the heuristics of Nqthm could not�
By �practicing what we preach� we have b een forced to confront in ACL�
Design Goals for ACL� ��
CLI Technical Rep ort ����
the same problems of scale� e�g�� e�ciency� problem size� do cumentation� ver�
sion control� distributed development� etc�� that Nqthm users were b eginning to
confront� Furthermore� solving these problems has b een on our �critical path��
Some of the other side�e�ects of our choice of ACL� as implementation lan�
guage are noted brie�y b elow�
� Because it is written in that subset of applicative Common Lisp that
is host�indep endent� ACL� is p ortable to any compliant Common Lisp
platform�
� The ACL� state� and in particular the data base� is an ACL� ob ject that
may b e insp ected by ACL� functions and the user� It is p ossible to save
versions of the data base for later retrieval and otherwise take advantage of
the ��rst class� nature of the data base� Theory manipulation functions
get the data base as an argument� Metafunctions could in principle b e
sensitive to the data base�
� Metafunctions can b e co ded more e�ciently�
� It is p ossible for ACL� to reason ab out its own b ehavior since its source
co de is among the axioms� So far� only trivial use of this has b een made�
namely� to verify the guards of hundreds of ACL� system functions� �It
should b e noted that until ACL� constructs indep endently checked formal
pro of ob jects � the direction in which our tag tree mechanism is headed
� a pro of by ACL� ab out its own source co de has to b e regarded with
the same skepticism one is inclined toward when someone says �I would
never lie to you���
� It is p ossible to state in ACL� that the system is sound�
� It is in principle p ossible to prove that ACL� is sound� This is among our
long�term goals�
� The Asso ciativity of App end
In this section we exhibit a Common Lisp de�nition of list concatenation and
prove that it is asso ciative� We avoid using the built�in function append b ecause
it is de�ned as a macro that takes two or more arguments�
The function app b elow concatenates two lists� However� the �rst argument
must b e a true�listp� which is to say� it must end in nil� Note the declared
�guard b elow� This allows the de�nition of app to terminate with a null check�
which is more e�cient than the typ e check atom�
�defun app �x y�
�declare �xargs �guard �true�listp x���
��
�cond ��null x� y�
�t �cons �car x� �app �cdr x� y�����
This function is asso ciative provided its guard is satis�ed� Here is a state�
ment of the theorem�
�implies �and �true�listp a�
�true�listp b��
�equal �app �app a b� c� �app a �app b c�����
The pro of of this theorem� constructed by the current version of ACL� �Ver�
sion ����� is shown b elow� The Common Lisp reader generally converts lower
case input to upp er case �except in strings and in certain delimited symb ols�
and thus the formulas printed b elow are in upp er case�
Of sp ecial interest is the �forcing round�� The main pro of pro ceeds by
an induction on A� The term �APP �APP A B� C� in the induction conclu�
sion expands� using the de�nition of APP on the innermost APP term� to �APP
�CONS �CAR A� �APP �CDR A� B�� C�� This expansion is p ermitted b ecause
the guard for that term� �TRUE�LISTP A�� is known to b e true by hyp othesis�
But to expand the outermost APP in �APP �CONS �CAR A� �APP �CDR A� B��
C� we must know that its �rst argument is a TRUE�LISTP and this is problem�
atic b ecause it involves an inductive argument ab out the innermost APP� But
the pro of pro ceeds by �forcing� this guard �in Subgoal ����� b elow�� At the
successful conclusion of the main pro of� ACL� undertakes a �Forcing Round�
to show� by induction� that under the given hyp otheses the innermost APP term
returns a TRUE�LISTP�
Name the formula above ���
Perhaps we can prove �� by induction� Five induction schemes are suggested
by this conjecture� Subsumption reduces that number to four� These
merge into two derived induction schemes� However� one of these is
flawed and so we are left with one viable candidate�
We will induct according to a scheme suggested by �APP A B�� If we
let ��P A B C� denote �� above then the induction scheme we�ll use
is
�AND �IMPLIES �NOT �TRUE�LISTP A��
��P A B C��
�IMPLIES �AND �TRUE�LISTP A�
�NOT �NULL A��
��P �CDR A� B C��
��P A B C��
�IMPLIES �AND �TRUE�LISTP A� �NULL A��
��P A B C����
This induction is justified by the same argument used to admit APP�
namely� the measure �ACL��COUNT A� is decreasing according to the relation
E��ORD�� �which is known to be well�founded on the domain recognized
by E��ORDINALP�� When applied to the goal at hand the above induction
scheme produces the following three nontautological subgoals�
Design Goals for ACL� ��
CLI Technical Rep ort ����
Subgoal ����
�IMPLIES �AND �TRUE�LISTP A�
�NOT �NULL A��
�EQUAL �APP �APP �CDR A� B� C�
�APP �CDR A� �APP B C���
�TRUE�LISTP B��
�EQUAL �APP �APP A B� C�
�APP A �APP B C�����
By the simple �definition of NULL we reduce the conjecture to
Subgoal �����
�IMPLIES �AND �TRUE�LISTP A�
�NOT �EQUAL A NIL��
�EQUAL �APP �APP �CDR A� B� C�
�APP �CDR A� �APP B C���
�TRUE�LISTP B��
�EQUAL �APP �APP A B� C�
�APP A �APP B C�����
But forced simplification reduces this to T� using primitive type reasoning�
the �rewrite rules CDR�CONS and CAR�CONS and the �definitions of TRUE�
LISTP and APP �forced��
Subgoal ����
�IMPLIES �AND �TRUE�LISTP A�
�NOT �NULL A��
�NOT �TRUE�LISTP �CDR A���
�TRUE�LISTP B��
�EQUAL �APP �APP A B� C�
�APP A �APP B C�����
But we reduce the conjecture to T� by primitive type reasoning�
Subgoal ����
�IMPLIES �AND �TRUE�LISTP A�
�NULL A�
�TRUE�LISTP B��
�EQUAL �APP �APP A B� C�
�APP A �APP B C�����
By the simple �definition of NULL we reduce the conjecture to
Subgoal �����
�IMPLIES �AND �TRUE�LISTP A�
�NOT A�
�TRUE�LISTP B��
�EQUAL �APP �APP A B� C�
�APP A �APP B C�����
But simplification reduces this to T� using primitive type reasoning�
the �definition of APP and the �executable�counterpart s of TRUE�LISTP�
NOT and EQUAL�
��
That completes the proof of ���
q�e�d� �given one forced hypothesis�
Modulo the following forced goal� that completes the proof of the input
Goal� See �DOC forcing�round�
���Goal� below� will focus on
�TRUE�LISTP �APP �CDR A� B���
which was forced in
Subgoal ������ above�
by applying ��DEFINITION APP� to
�APP �CONS �CAR A� �APP �CDR A� B�� C��
We now undertake Forcing Round ��
���Goal
�IMPLIES �AND �CONSP A�
�TRUE�LISTP �CDR A��
�TRUE�LISTP B��
�TRUE�LISTP �APP �CDR A� B����
The destructor terms �CAR A� and �CDR A� can be eliminated by using
CAR�CDR�ELIM to replace A by �CONS A� A��� generalizing �CAR A� to
A� and �CDR A� to A�� This produces the following goal�
���Goal�
�IMPLIES �AND �CONSP �CONS A� A���
�TRUE�LISTP A��
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
This simplifies� using primitive type reasoning� to
���Goal��
�IMPLIES �AND �TRUE�LISTP A�� �TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
Name the formula above ������
Perhaps we can prove ����� by induction� Three induction schemes are
suggested by this conjecture� These merge into two derived induction
schemes� However� one of these is flawed and so we are left with one
viable candidate�
We will induct according to a scheme suggested by �APP A� B�� If we
let ��P A� B� denote ����� above then the induction scheme we�ll use
is
�AND �IMPLIES �NOT �TRUE�LISTP A���
��P A� B��
�IMPLIES �AND �TRUE�LISTP A��
�NOT �NULL A���
��P �CDR A�� B��
��P A� B��
�IMPLIES �AND �TRUE�LISTP A�� �NULL A���
Design Goals for ACL� ��
CLI Technical Rep ort ����
��P A� B����
This induction is justified by the same argument used to admit APP�
namely� the measure �ACL��COUNT A�� is decreasing according to the
relation E��ORD�� �which is known to be well�founded on the domain
recognized by E��ORDINALP�� When applied to the goal at hand the above
induction scheme produces the following three nontautological subgoals�
���Subgoal ����
�IMPLIES �AND �TRUE�LISTP A��
�NOT �NULL A���
�TRUE�LISTP �APP �CDR A�� B��
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
By the simple �definition of NULL we reduce the conjecture to
���Subgoal �����
�IMPLIES �AND �TRUE�LISTP A��
�NOT �EQUAL A� NIL��
�TRUE�LISTP �APP �CDR A�� B��
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
But simplification reduces this to T� using the �definitions of TRUE�
LISTP and APP and primitive type reasoning�
���Subgoal ����
�IMPLIES �AND �TRUE�LISTP A��
�NOT �NULL A���
�NOT �TRUE�LISTP �CDR A����
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
But we reduce the conjecture to T� by primitive type reasoning�
���Subgoal ����
�IMPLIES �AND �TRUE�LISTP A��
�NULL A��
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
By the simple �definition of NULL we reduce the conjecture to
���Subgoal �����
�IMPLIES �AND �TRUE�LISTP A��
�NOT A��
�TRUE�LISTP B��
�TRUE�LISTP �APP A� B����
But simplification reduces this to T� using the �definition of APP
and the �executable�counterparts of TRUE�LISTP� NOT and EQUAL�
That completes the proof of ������ Q�E�D�
��
Summary
Form� � THM ����
Rules� ���DEFINITION IMPLIES�
��REWRITE CDR�CONS�
��REWRITE CAR�CONS�
��ELIM CAR�CDR�ELIM�
��DEFINITION TRUE�LISTP�
��FAKE�RUNE�FOR�TYPE�SE T NIL�
��DEFINITION NULL�
��DEFINITION NOT�
��EXECUTABLE�COUNTERPAR T TRUE�LISTP�
��EXECUTABLE�COUNTERPAR T NOT�
��EXECUTABLE�COUNTERPAR T EQUAL�
��DEFINITION APP��
Warnings� None
Time� ���� seconds �prove� ����� print� ����� proof tree� ����� other� �����
� Applications of ACL�
We list brie�y some of the ongoing applications of ACL�� Most of these pro jects
are still in the formalization stage and have not yet gotten to the most signi�cant
pro ofs� However� this collection of ACL� pro jects already includes over �����
theorems proved� not counting those pro ofs p erformed during the admission of
the blue and gold de�nitions in the systems describ ed b elow�
� The ACL� system is b eing built in ACL�� The construction involves
termination pro ofs and guard veri�cation of ACL� functions� The source
co de now stands at ��� megabytes of ACL��
� The Nqthm package is b eing develop ed� Roughly sp eaking� this is a b o ok
that emb eds the Nqthm logic into the ACL� logic and causes ACL��s
theorem prover to emulate Nqthm�s� With the exception of Nqthm�s
V�C� and its sup eriors� all primitive Nqthm functions are now de�ned
within the �NQTHM� package and the relevant Nqthm axioms ab out them
have b een proved as ACL� theorems by ACL�� For example after ap�
propriately de�ning such symb ols as NQTHM��CAR� the formula �IMPLIES
�NOT �LISTP X�� �EQUAL �CAR X� ��� is an ACL� theorem� provided
it is read while in the current package �NQTHM�� This is one of the ax�
ioms of Nqthm� The Nqthm de�nitional principle and shell principle
have b een implemented� A b o ok of rules causing the ACL� theorem
prover to emulate the Nqthm theorem prover is b eing develop ed� It is
hop ed that with this b o ok most of the �� megabytes of Nqthm b ench�
marks will �replay� automatically in ACL�� This pro ject is still under
way but results so far are promising� We have pro cessed roughly ��� of
the �le �nqthm������examples�basic�proveall�events� which includes
Design Goals for ACL� ��
CLI Technical Rep ort ����
such theorems as the correctness of a simple optimizing expression com�
piler� Euclid�s theorem� and the soundness of a tautology checker� We
exp ect the Acl� emulation of Nqthm to result in an overall degradation
of p erformance �compared to b oth Nqthm�s pro of engine and its execu�
tion environment�� However� the Nqthm package will provide a migration
pathway for Nqthm users to ACL�� Furthermore� the Nqthm package will
provide an imp ortant collection of b enchmark theorems on which we can
tune Acl� p erformance�
� Many low�level b o oks are b eing develop ed with the exp ectation that they
will �nd widespread use� Among them are b o oks for natural� integer�
mo dulo� rational and complex arithmetic� groups� hardware sp eci�cations�
and metatheoretic reasoning�
� The Nqthm work related to the Motorola MC����� is b eing recast into
ACL�� In particular� an ACL� de�nition of the ob ject co de interpreter
is b eing develop ed from the Nqthm mo del and the Nqthm library used
in the program correctness pro ofs will b e develop ed as an ACL� b o ok�
Initially� our aim is to repro duce the Nqthm pro ofs with Acl� � a goal
that could p erhaps b e achieved more easily via the Nqthm package� But
ultimately we hop e to tune to ACL� mo del so that the simulation of ob ject
co de programs is faster than via the Nqthm mo del or its emulation in the
Nqthm package�
� The semantics of a subset of Ada is b eing co ded in ACL� in the form of
an Ada interpreter� Some simple Ada programs have b een veri�ed with
resp ect to this semantics� A b o ok of useful Ada rules is b eing develop ed�
The intent of these and other �high�level� b o oks ab out a given sub ject
formalism �in this case Ada� is to con�gure ACL� so that the pro ofs ab out
ob jects in the sub ject formalism �here� Ada programs� are straightforward
when certain paradigms are followed�
� A top�level sp eci�cation of a proprietary Motorola digital signal pro cessing
�DSP� micropro cessor is b eing develop ed� When complete� the sp eci�ca�
tion will b e used to prove the correctness of some DSP algorithms and to
develop a high�level b o ok ab out the pro cessor� This work is analogous to
the Nqthm work on the MC����� and the C string library�
� The semantics of VHDL is b eing co ded in ACL� in the form of a VHDL
interpreter or simulator� When completed it will b e� in principle� p ossible
to prove theorems ab out the b ehavior of VHDL systems� Because of the
size and complexity of VHDL� such pro ofs will b e an interesting challenge
to ACL� and its users�
��
� Conclusions and Criticisms
The ACL� pro ject is now �ve years old� The system has not b een released
b ecause we are still �nding bugs in it and we are not happy yet with its do c�
umentation� Within CLI� ACL� is used more than Nqthm� although this is
probably more due to so cial reasons than technical ones �one hears more talk
ab out ACL� than Nqthm around the co�ee p ot�� ACL� now has ab out a dozen
users� all of whom have exp erience with Nqthm�
We have many concerns ab out ACL��s viability�
��� Guards
Perhaps the most p ervasive concern is the feeling that guards are not yet ad�
equately handled� Guard checking is slow b ecause so many common cases are
handled by full�blown theorem proving rather than fast syntactic checkers� More
problematic is that guards complicate the statement of theorems� Nqthm�s logic
gets incredible mileage out of the notion that functions � esp ecially arithmetic
functions � default �unexp ected� input to reasonable values so that many the�
orems are stated without hyp otheses� In ACL� one must b e careful to restrict
every variable appropriately so that the guards of all functions are satis�ed�
�Macros can b e written to supply restrictive hyp otheses based on variable names�
so the syntactic burden is not the issue�� For example� Common Lisp makes no
guarantee that �� i j� is �� j i� unless b oth i and j are numb ers� This means
not only that theorems are more cumb ersome to state but rules � esp ecially
rewrite rules and de�nitions � are more restrictive� cause more backchaining
and fail to apply more often� A consideration is that sometimes rules fail to
apply even though the hyp otheses are true� b ecause the system is to o weak to
establish their truth without additional help�
In the original version of ACL� we made no sp ecial provisions for guards
and found that many rules� esp ecially de�nitions� could not b e applied under
Nqthm�s heuristics b ecause hyp otheses �namely guards� could not b e relieved
at the time they were needed� This is illustrated by the pro of ab ove of the
asso ciativity of APP� the hyp othesis required induction to prove�
Our �rst attempt to handle guards sp ecially was suggested by Nqthm�s han�
dling of guard�like hyp otheses in its linear arithmetic decision pro cedure� where
a new case split is intro duced whenever the pro cedures �needs� a hyp othesis it
cannot establish� With ACL� this generated pro ofs that were hard to follow b e�
cause of the numerous and apparently sp ontaneous case splits� While this may
seem like mere carping� the e�ect was quite deleterious on the user�s ability to
�debug� a pro of attempt and guide the system to successful pro ofs�
In addition� it is imp ortant to realize that most pro of attempts fail b ecause
the goal conjecture is not a theorem� This happ ens �in Nqthm� in ACL�� and�
we susp ect� in most mechanized theorem proving systems used for similar tasks�
b ecause the user is still grappling with the mo deling and formalization problems�
Design Goals for ACL� ��
CLI Technical Rep ort ����
The guard�generated case splits� even those eventually dispatched successfully�
merely delayed the user�s discovery of the �real� reason the pro of attempt failed�
The intro duction of �forcing rounds� was our second attempt to try to mit�
igate the problem of guards� Unlike the approach in our �rst attempt� forcing
rounds delay the consideration of the �typ e�like� guard conjectures until after
the �gist� of the pro of has b een successfully done� Forcing rounds were regarded
by the users as an improvement over the earlier scheme� But users still remem�
b er fondly the Nqthm days when such details simply did not arise� Of course�
guards allow execution e�ciency� Therefore� the trade�o� is whether the added
complexity in pro ofs is worth the sp eedup in the simulation sp eeds of large for�
mal mo dels� The results are not yet in b ecause we have not completed suitably
large scale exp eriments yet�
When we are discouraged ab out the ability of the system to handle guards�
we are sometimes tempted to change slightly the story relating ACL� to Com�
mon Lisp� Rather than maintain that ACL� functions are unde�ned outside
their guarded domains we could de�ne them explicitly as is done in Nqthm�s
logic� The result would b e a particular implementation of a Common Lisp� which
we sometimes refer to as �completed Common Lisp�� In completed Common
Lisp functions would co erce unexp ected arguments to natural values� Thus� for
example� arithmetic functions would co erce non�numeric arguments to �� This
would simplify many axioms and theorems� De�nitions could b e used uncondi�
tionally� Some unusual theorems would hold� e�g�� �equal �car �� nil�� that
would surprise some Common Lisp programmers� But the story relating the
completed Common Lisp logic to Common Lisp would b e the same as it is now�
gold theorems are true in all compliant Common Lisps� We are reluctant to go
this route just now� cho osing instead to pro ceed �rst by evaluating ACL� on
big examples�
Perhaps a natural question at this p oint is� �Why don�t the Acl� imple�
mentors do away with this notion of guards and instead take a more standard
approach to the same issue� i�e�� using some kind of decidable typ e checking��
Our most imp ortant reason� we have already decided to stay compliant with the
Common Lisp language� and we are not aware of any simple way of inventing
a decidable typ e system that lets us do this in a reasonable fashion� Also� we
are encouraged by the progress we have made in the handling of guards �sp ecif�
ically� in the success of the �forcing round� technique�� and users have b egun
considering their use in sp eci�cations� If guards are found to b e useful this way�
they will enjoy a decided advantage over decidable typ e systems that we have
seen� b ecause they are as expressive as the Common Lisp language itself� any
predicate may b e used as a guard� Most decidable typ e systems do not even
allow typ es other than conjunctions of calls of unary predicates� At any rate�
even if we ultimately feel that we must give up the present notion of guards�
the �completed Common Lisp� idea discussed ab ove provides a route for elim�
inating much of the pro of burden intro duced by guards� without eliminating
the connection to Common Lisp or the ability to use guards as a sp eci�cation
��
device�
��� Draft Prop osed ANSI Standard
We are aware of one area in which ACL� is at o dds with the draft prop osed
ANSI standard for Common Lisp ���� and that is in connection with the �gen�
eralized Bo olean� functions of the prop osed standard� In ACL�� equal� for
example� is a Bo olean valued function� meaning that it returns either nil or
t� But in ���� equal is a �generalized Bo olean� valued function� meaning that
it may return any non�nil value to indicate truth� Many functions that re�
turn Bo oleans in traditional Lisp implementations return generalized Bo oleans
in ����� including equal� �� symbolp� and subsetp� Apparently programs are
not to use such functions in contexts other than those in which their values are
tested as prop ositions�
As ACL� now stands there are gold theorems that are not true of the lan�
guage describ ed in ����� One example is �equal �equal nil nil� �equal nil
nil��� In ACL�� b oth of the interior equal terms return t and so the theorem
follows from the axiom �equal x x�� But in ���� the �rst �equal nil nil�
might return t and the second might return �� and the two are not equal� This
formula violates the spirit of ����� generalized Bo oleans are to b e used only in
prop ositional tests� To conform to ���� we might intro duce a new attribute of
function symb ols� namely whether they have generalized Bo olean values� and
narrow the class of gold formulas to exclude those where generalized Bo oleans
are �misused��
��� The Complexity of ACL�
The proliferation of ACL� rule classes may b e a mistake� For example� the cur�
rent ACL� supp orts rewrite rules� linear rules� linear alias rules� well�founded
relation rules� built�in clause rules� comp ound recognizer rules� destructor elimi�
nation rules� generalization rules� meta rules� forward chaining rules� equivalence
rules� re�nement rules� congruence rules� typ e�prescription rules� alternative def�
inition rules� induction rules� and typ e�set inverter rules� This is an asp ect of
ACL��s op en architecture� it is easy to program ACL��s theorem prover� But
it is easy to program it very ine�ciently� Moreover� the plethora of rule classes
can b e intimidating to new users �though we exp ect that improved� �layered�
do cumentation may help in this regard��
Programming disciplines �p erhaps augmented by some additional heuristics�
need to b e develop ed so that users can create rule sets that are e�ective and
e�cient� We may �nd the plethora of rule classes simply to o complicated for the
development of adequate disciplines and b e forced to abandon some of these�
More likely� we may develop disciplines that essentially recommend that only
�exp erts� employ all but the few well�understo o d rule classes�
Design Goals for ACL� ��
CLI Technical Rep ort ����
More generally� we are concerned ab out the intellectual complexity of the
ACL� pro of engine and environment� We �nd its applicative de�nition wonder�
fully clear� but ��� megabytes of source co de � even very clear source co de � is
di�cult to keep in mind� An ACL� image is ab out �� megabytes� We estimate
that ab out �� of that is devoted to the initial prop erty list world which contains
the results of pro cessing the ��� megabytes of ACL� source co de� For example�
one of the de�nitional axioms of ACL� is the formula that equates �prove term
pspv hints wrld ctx state� to its b o dy� i�e�� the initial axioms include the
de�nition of our heuristic theorem prover� Along these same lines� it is p ossible
to insp ect the initial data base and see the de�nition of the rewriter with its
�� formal parameters and its �� mutually recursive entries� There is a lot of
complexity here�
While soundness is� of course� an issue� it is not the main obstacle� Ulti�
mately� soundness could b e b e insured� we hop e� by having the system generate
pro of ob jects which are checked� Our concern is that if the system is to o com�
plex it will b e imp ossible for us to co ordinate its various parts so that they
op erate harmoniously� i�e�� so that it discovers any pro ofs at all� It would b e
very reassuring to us to see ACL� repro duce the pro ofs in Nqthm�s b enchmark
�les� simply as evidence that ACL��s abundance of pro of techniques interop erate
harmoniously �enough��
��� Performance
Finally� ACL� feels sluggish� One must� of course� ask �Compared to what��
Since all of its users are former Nqthm users� the answer is that ACL� feels
sluggish compared to Nqthm�
One p ossible explanation is that ACL��s p erformance is degraded by its ap�
plicative implementation� We b elieve this conjecture is false� Exp eriments with
isolated co de fragments indicate that the applicative expression of Nqthm�s al�
gorithms generally execute as fast or faster than their Nqthm implementation�
This is not surprising� Nqthm�s co ding style is heavily in�uenced by its pre�
vious expression in Interlisp where the p erformance trade�o�s b etween global
variables� sp ecial variables� and lo cal variables were di�erent than in Common
Lisp� We exp ect that if we were to reco de Nqthm applicatively it would sp eed
up by p erhaps as much as ����
But ACL� is not such a reco ding of Nqthm� its logic is much more com�
plicated and its heuristics are sometimes di�erent� The di�erences in the logic
make it di�cult even to present the two systems with the �same problem�� To
do so one must emb ed the relevant fragment of one logic in the other and prove
the rules necessary to cause one system to emulate the other� But even when
that is done� the pro ofs generated for identical problems sometimes diverge
b ecause of the heuristic di�erences in the two systems�
These considerations make it very di�cult to pro duce a meaningful quanti�
tative comparison of the two systems� Rather than pursue comparisons then it
��
is our intention to try to sp eed up ACL�� We know that its applicative printing
functions are quite slow compared to the Common Lisp primitives� sp eeding
up these functions would make ACL� feel faster� But the p erformance of the
theorem prover can also b e improved� b oth by reconsidering some heuristics and
by reco ding some p o or implementations of individual functions� This kind of
tuning� of which Nqthm has had a great deal� comes only after a very large col�
lection of b enchmark theorems is available for test purp oses� Therefore� we are
inclined at this stage simply to use ACL� �and to ignore� for the time b eing� our
qualms ab out its p erformance�� The Nqthm package� which will make Nqthm�s
b enchmark �les available to ACL�� is esp ecially imp ortant for p erformance tun�
ing� as it will allow us to compare various �tunings� of ACL� on thousands of
theorems�
References
��� R� L� Akers� Strong Static Typ e Checking for Functional Common Lisp�
Ph�D� Thesis� University of Texas at Austin� ����� Also available through
Computational Logic� Inc�� Suite ���� ���� West Sixth Street� Austin�
TX ������
��� K� Albin� ����� Mo del Validation Testing� CLI Note ���� August �����
��� W� R� Bevier� A Veri�ed Op erating System Kernel� Ph�D� Thesis� Uni�
versity of Texas at Austin� ����� Also available through Computational
Logic� Inc�� Suite ���� ���� West Sixth Street� Austin� TX ������
��� W� R� Bevier� W� A� Hunt� J S� Mo ore� and W�D� Young� Sp ecial Issue
on System Veri�cation� Journal of Automated Reasoning� ����� ��������
�����
��� W� R� Bevier and W� D� Young� Machine Checked Pro ofs of the Design of
a Fault�Tolerant Circuit� Formal Aspects of Computing� Vol� �� pp� ����
���� ����� Also available as Technical Rep ort ��� Computational Logic�
Inc�� Suite ���� ���� West Sixth Street� Austin� TX ������ August� �����
and as NASA CR�������� Novemb er� �����
��� R� S� Boyer� D� Goldschlag� M� Kaufmann� and J S� Mo ore� Functional
Instantiation in First Order Logic� In Arti�cial Intel ligence and Math�
ematical Theory of Computation� Papers in Honor of John McCarthy�
Academic Press� ����� pp� �����
��� Rob ert S� Boyer� Matt Kaufmann� and J Strother Mo ore� �The Boyer�
Mo ore Theorem Prover and Its Interactive Enhancement�� �Submitted��
��� R� S� Boyer and J S� Mo ore� A Computational Logic� Academic Press�
New York� �����
Design Goals for ACL� ��
CLI Technical Rep ort ����
��� R� S� Boyer and J S� Mo ore� Metafunctions� Proving Them Correct
and Using Them E�ciently as New Pro of Pro cedures� In R� S� Boyer
and J S� Mo ore� editors� The Correctness Problem in Computer Science�
Academic Press� �����
���� R� S� Boyer and J S� Mo ore� A Mechanical Pro of of the Turing Com�
pleteness of Pure Lisp� In W� W� Bledso e and D� W� Loveland� editors�
Automated Theorem Proving� After �� Years� American Mathematical
So ciety� Providence� R�I�� ����� pp� ��������
���� R� S� Boyer and J S� Mo ore� A Computational Logic Handbook� Academic
Press� New York� �����
���� R� S� Boyer and Y� Yu� Automated Correctness Pro ofs of Machine Co de
Programs for a Commercial Micropro cessor� In D� Kapur� editor� Auto�
mated Deduction � CADE���� Lecture Notes in Computer Science ����
Springer�Verlag� �������� �����
���� B� C� Bro ck� W� A� Hunt� Jr� and W� D� Young� Intro duction to a For�
mally De�ned Hardware Description Language� In Theorem Provers in
Circuit Designs� Numb er A�� in IFIP Transactions� North Holland� �����
���� K� M� Chandy and J� Misra� Paral lel Program Design� A Foundation�
Addison�Wesley� Massachusetts� �����
���� J� Cowles� Meeting a Challenge of Knuth� Internal Note ���� Computa�
tional Logic� Inc�� Austin� Texas� Septemb er� �����
���� D� M� Goldschlag� Mechanizing Unity� In M� Broy and C� B� Jones� edi�
tors� Programming Concepts and Methods� North Holland� Amsterdam�
�����
���� D� M� Goldschlag� Mechanically Verifying Concurrent Programs with
the Boyer�Mo ore Prover� IEEE Transactions on Software Engineering�
��� Septemb er� �����
���� W� A� Hunt� Jr� FM����� A Veri�ed Micropro cessor� Ph�D� Thesis� The
University of Texas at Austin� Decemb er� ����� Also available through
Computational Logic� Inc�� as Technical Rep ort ICSCA�CMP���� Insti�
tute for Computing Science and Computer Applications� University of
Texas at Austin� Decemb er� �����
���� W� A� Hunt� Jr� and B� Bro ck� A Formal HDL and its use in the FM����
Veri�cation� Proceedings of the Royal Society� �����
���� M� Kaufmann� A User�s Manual for an Interactive Enhancement to
the Boyer�Mo ore Theorem Prover� Technical rep ort ��� Computational
Logic� Inc�� May� �����
��
���� M� Kaufmann� Addition of Free Variables to an Interactive Enchance�
ment of the Boyer�Mo ore Theorem Prover� Technical Rep ort ��� Com�
putational Logic� Inc�� �����
���� M� Kaufmann� An extension of the Boyer�Mo ore theorem prover to
supp ort �rst�order quanti�cation� Journal of Automated Reasoning�
������������� Decemb er �����
���� M� Kaufmann� An Assistant for Reading Nqthm Pro of Output� Technical
Rep ort ��� Computational Logic� Inc�� Novemb er� �����
���� M� Kaufmann and P� Pecchiari� Interaction with the Boyer�Mo ore The�
orem Prover� A Tutorial Study Using the Arithmetic�Geometric Mean
Theorem� Technical Rep ort ���� Computational Logic� Inc�� �����
���� D� E� Knuth� Textb o ok examples of recursion� In V� Lifschitz� editor�
Arti�cial Intel ligence and Mathematical Theory of Computation� Papers
in Honor of John McCarthy� Academic Press� San Diego� CA� ��������
�����
���� J S� Mo ore� Veri�ed Hardware Implementing an ��Bit Parallel InO
Byzantine Agreement Pro cessor� Technical Rep ort ��� Computational
Logic� Inc�� Austin� Texas� August� �����
���� J S� Mo ore� A Formal Mo del of Asynchronous Communication and Its
Use in Mechanically Verifying a Biphase Mark Proto col� Formal Aspects
of Computing ����� ������ �����
���� J S� Mo ore� Intro duction to the OBDD Algorithm for the ATP Commu�
nity� Journal of Automated Reasoning ��� ������ �����
���� Motorola� Inc� MC����� ���bit Microprocessor User�s Manual� Prentice
Hall� New Jersey� �����
���� K� M� Pitman et al� draft proposed American National Standard for Infor�
mation Systems � Programming Language � Common Lisp� X�J������
���� Global Engineering Do cuments� Inc�� �����
���� D� M� Russino�� A Mechanical Pro of of Quadratic Recipro city� Journal
of Automated Reasoning� ����� ����� �����
���� D� M� Russino�� Sp eci�cation and Veri�cation of Gate�Level VHDL
Mo dels of Synchronous and Asynchronous Circuits� Technical Rep ort
��� Computational Logic� Inc�� Austin� Texas� May� �����
���� N� Shankar� A Mechanical Pro of of the Church�Rosser Theorem� JACM
������ �������� �����
Design Goals for ACL� ��
CLI Technical Rep ort ����
���� N� Shankar� Metamathematics� Machines� and G�odel�s Proof� Cambridge
University press� �����
���� G� L� Steele Jr� Common LISP� The Language� Digital Press� Bedford�
MA� �����
���� G� L� Steele� Jr� Common Lisp The Language� Second Edition� Digital
Press� �� North Avenue� Burlington� MA ������ �����
���� M� Wilding� An optimal real�time scheduler based on a simple mo del of
computation� Internal Note ���� Computational Logic� Inc�� July �����
���� W�D� Young� Verifying the Interactive Convergence Clo ck Synchroniza�
tion Algorithm using the Boyer�Mo ore Theorem Prover� Contractor Re�
p ort ������� NASA� April �����
���� Y� Yu� Automated Pro ofs of Ob ject Co de for a Widely Used Micro�
pro cessor� Ph�D� Thesis� The University of Texas at Austin� ����� Also
available through Systems Research Center� Digital Equipment Corp o�
ration� ��� Lytton Avenue� Palo Alto� California� ������