ACL2 in DrScheme Dale Vaillancourt Rex Page Matthias Felleisen Northeastern University School of Computer Science Northeastern University Boston, MA 02115 University of Oklahoma Boston, MA 02115 [email protected] 200 Felgar St, Room 119 [email protected] Norman, OK 73019-6151 [email protected] ABSTRACT 1. TEACHING FORMAL METHODS Teaching undergraduates to develop software in a formal Over the past four years, the second author has designed framework such as ACL2 poses two immediate challenges. and implemented a senior-level course sequence on the con- First, students typically do not know applicative program- struction of sound software at Oklahoma University [16]. The ming and are often unfamiliar with ACL2’s syntax. Second, courses employ ACL2 as a programming language and the- for motivational reasons, students prefer to work on projects orem prover. The first semester course teaches applicative that involve designing interactive, graphical applications. programming and the basics of theorem proving. The second In this paper, we present DRACULA, a pedagogic pro- course focuses on a single project, continuing the training in gramming environment that partially solves these problems. formal methods in this larger context and also developing The environment adds a subset of Applicative Common Lisp software management skills. to DRSCHEME, an integrated programming environment for Both students and external industry observers consider the Scheme. DRACULA thus inherits DRSCHEME’s pedagogic course a success. Students give the course high scores in capabilities, especially its treatment of syntax and run-time evaluations, and industrial observers praise how much stu- errors. Further, DRACULA also comes with a library for dents learn about managing a large project and producing programming interactive, graphical games. The library in- reliable software. terface forces students to think of a graphical user interface Unfortunately, two problems recur every year. First, stu- in terms of state-transition functions, enabling them later to dents have little or no background in applicative program- prove theorems about their games in ACL2. DRACULA pro- ming. Although the syntax of Applicative Common Lisp is vides a graphical front-end to the ACL2 theorem prover for relatively simple compared to conventional languages, stu- this purpose. In short, DRACULA allows the formulation dents have serious difficulties writing well-designed applica- of student projects that represent an important intermediate tive programs and tracking down errors in their programs. point between data structure exercises in theorem proving Second, due to ACL2’s nature, the homework assignments and industrial applications. and projects in this course are small or old-fashioned. Exist- ing case studies [15] are either too complex for undergrad- Categories and Subject Descriptors uate courses or require domain knowledge that is beyond a typical computer science undergraduate. What students D.2.4 [Software Engineering]: Software/Program Verifica- want is a language rich enough to build programs with in- tion; D.2.6 [Software Engineering]: Integrated Programming teractive, graphical user interfaces, such as computer games. Environments; F.3.1 [Logics and Meanings of Programs]: The result is that even though the undergraduate students Specifying and Verifying and Reasoning about Programs; like the course, they remain deeply skeptical about formal K.3.2 [Computers and Education]: Computer and Informa- methods in the software development process. The students tion Science Education are left with the impression that formal methods are inap- plicable for the kind of software development they have en- General Terms countered before and that the applicative style of program- ming does not scale to modern software development. DRSCHEME, ACL2, formal methods, pedagogy In this paper, we present a software tool for correcting this impression, and we report on teaching experiences with the Keywords tool. In a sense, the problems of teaching Applicative Com- DRSCHEME, ACL2, TeachScheme! mon Lisp are exactly the same as the problems of teaching Scheme or functional programming in a first semester course. The PLT research team under the direction of the third au- thor has responded to this challenge with the development of DRSCHEME, a pedagogic and graphical programming envi- Permission to make digital or hard copies of all or part of this work for ronment, and TeachScheme!, a design-oriented curriculum. personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies Based on the positive experience with DRSCHEME and Teach- bear this notice and the full citation on the first page. To copy otherwise, to Scheme!, we have developed DRACULA, an embedding of republish, to post on servers or to redistribute to lists, requires prior specific Applicative Common Lisp into DRSCHEME, with a connec- permission and/or a fee. tion to its theorem-prover companion, ACL2. Copyright 200X ACM X-XXXXX-XX-X/XX/XX ...$5.00. DRSCHEME looks to a novice student of applicative, paren- thesized programming. There are three panels. The bottom panel is called an Interactions Window, roughly the famil- iar read-eval-print (REPL) loop from interactive Lisps, ACL2, and Scheme. The middle panel is a Definitions Window; we encourage students to define their functions and variables there instead of the REPL. The top panel is a “control” panel, with four carefully selected buttons: Run evaluates the definitions in the editor and makes them available in the Interactions Window. There students can explore the workings of a function through experi- ments in the familiar Lisp manner. Stop enables students to stop a run-away evaluation. Check Syntax analyzes the syntax and the scope of the pro- gram in the editor. After a syntax check, the student can inspect the binding structure of the program. When the cursor moves over an identifier, DRSCHEME draws an arrow from the binding occurrence to the bound occur- Figure 1: DRSCHEME rence. As figure 1 shows, students can also tack these arrows as they explore the program. Finally, with a right click students can perform α-renamings of bound DRACULA consists of two components: (1) an implemen- variables. tation of Applicative Common Lisp inside DRSCHEME for running programs, and (2) a graphical interface between DR- Step allows students to step through the algebraic evalua- SCHEME and a conventional ACL2 implementation for rea- tion of an expression. In contrast to conventional step- soning about programs. The language implementation pro- pers, DRSCHEME’s stepper explains an execution via vides a novice-oriented fragment of Applicative Common a reduction sequence in the spirit of Plotkin’s call-by- Lisp, and the graphical interface to ACL2 obviates the need value λ-calculus [18]. Of course, to novices, this form of for students to interact with the ACL2 REPL for theorem semantics looks just like their eighth-grade pre-algebra proving activities. homework, though enriched with algebraic datatypes. Because DRACULA is inspired by DRSCHEME’s support Figure 2 displays one such reduction step. The redex for teaching programming, the next section reviews the de- on the left is green, and the contractum on the right is sign of DRSCHEME. Section 3 describes DRACULA, and sec- purple. tion 4 reports on our first classroom experiences with this new environment. The remaining sections sketch implemen- A fifth button (Save) shows up when the program in the Def- tation techniques and discuss related work. initions Window is modified and hasn’t been saved yet. 2. A TOUR OF DRSCHEME DRSCHEME is a graphical and pedagogic programming en- vironment for PLT1 Scheme [12, 13], originally intended for college freshmen courses and high school courses on pro- gram design. PLT constructed the environment in response to two observations. First, high school students are already used to applications with graphical user interfaces; they only reluctantly accept Emacs, the preferred programming envi- ronment in academia. Second, most available programming environments are too complex and confuse students. They represent a steep obstacle rather than a gentle slope to the novice programmer. Putting them in front of those is compa- rable to putting novice pilots into a Boeing 747 or Airbus 380 simulator rather than in a small twin-engine plane simulator. This section provides a high-level overview of DRSCHEME. Readers who are familiar with the software and its role in teaching [5, 9] may safely skip it. Figure 1 shows a screenshot of DRSCHEME, with a student program running a simple version of the well-known worm (or snake) game. The screenshot demonstrates how simple 1PLT is a loosely coupled research group, founded by the third author during his time at Rice University. Figure 2: Algebraic Stepping with DRSCHEME Figure 3: Safety check violation in DRACULA In addition to being a graphical programming environ- 3. Those portions of a program that students’ test suites ment, DRSCHEME supports graphical programming in two do not evaluate are highlighted in red. Instructors are senses. First, it supports images as first-class values; that encouraged to label such red portions as “errors.” is, images have roughly the same status as numbers, strings, and other first-order (“flat”) values. In the screen shot of fig- 4. The Interactions Window is transparent. Every click on ure 1, the variable FOOD is just bound to an image value. Run re-initializes it so that students don’t get confused In this case, the image is an imported GIF file. Programs can about the state of the REPL. also build images from primitive image-generating functions 5. Lastly the environment also supports a one-click Help and composition operators such as overlay. Second, DR- Desk facility. A single key press brings up the help SCHEME supports event-based GUI programming in a func- page for the function or variable on which the cursor tional style. This makes it easy to design interactive games currently rests, and the documentation produced is tai- such as the worm program.