Boyer-Moore Theorem Prover Research Articles

Meta-level features in an industrial-strength theorem prover

The ACL2 theorem prover---the current incarnation of "the" Boyer-Moore theorem prover---is a theorem prover for an extension of a first-order, applicative subset of Common Lisp. The ACL2 system provides a useful specification and modeling language as well as a useful mechanical theorem proving environment. ACL2 is in use at several major microprocessor manufacturers to verify functional correctness of important components of commercial designs. This talk explores the design of ACL2 and the tradeoffs that have turned out to be pivotal to its success.

ACL2s: “The ACL2 Sedan”

ACL2 is the latest inception of the Boyer-Moore theorem prover, the 2005 recipient of the ACM Software System Award. In the hands of experts it feels like a finely tuned race car, and it has been used to prove some of the most complex theorems ever proved about commercially designed systems. Unfortunately, ACL2 has a steep learning curve. Thus, novices tend have a very different experience: they crash and burn. As part of a project to make ACL2 and formal reasoning safe for the masses, we have developed ACL2s, the ACL2 sedan. ACL2s includes many features for streamlining the learning process that are not found in ACL2. In general, the goal is to develop a tool that is “self-teaching,”i.e., it should be possible for an undergraduate to sit down and play with it and learn how to program in ACL2 and how to reason about the programs she writes.

An ordinal measure based procedure for termination of functions

This paper describes a method for proving termination of recursively defined functions based on ordinal measure. It generalizes a termination procedure developed by Manoury and Simonot initially for an automated program synthesis system called ProPre. For that, we associate ordinal functions to formal proofs made in the system and show that they follow a decreasing property. In this way, after having translated the recursive functions in the Boyer–Moore theorem prover, it is shown that each ordinal coming from the ProPre system can be given to the theorem prover as a well-founded ordering which allows it to prove in its turn the termination.

Induction-Oriented Verification of Replicated Architectures Described in VHDL

This paper is concerned with the application of theorem proving techniques to the formal proof of hardware. More precisely, we aim at providing a methodology for applying provers like Nqthm or Acl2 to the formal verification of parameterized replicated circuits. Nqthm (the Boyer–Moore theorem prover) and its successor Acl2 are induction-based systems; their formalisms are respectively a simplified Lisp-like language and Common Lisp. Hence, the circuits we consider must be given a purely functional representation. Moreover, our work puts the emphasis on the integration of formal proof techniques in CAD (Computer Aided Design) environments which support Hardware Description Languages in which replication is expressed by iteration. Therefore, we associate with the iterative statement of the VHDL language a functional semantics that guarantees an easy translation from VHDL to Nqthm/Acl2 while simplifying the subsequent inductive proofs. The approach has been successfully applied to one-dimensional as well as two-dimensional structures.

INDUCTION-ORIENTED VERIFICATION OF REPLICATED ARCHITECTURES DESCRIBED IN VHDL

This paper is concerned with the application of theorem proving techniques to the formal proof of hardware. More precisely, we aim at providing a methodology for applying provers like Nqthm or Acl2 to the formal verification of parameterized replicated circuits. Nqthm (the Boyer–Moore theorem prover) and its successor Acl2 are induction-based systems; their formalisms are respectively a simplified Lisp-like language and Common Lisp. Hence, the circuits we consider must be given a purely functional representation. Moreover, our work puts the emphasis on the integration of formal proof techniques in CAD (Computer Aided Design) environments which support Hardware Description Languages in which replication is expressed by iteration. Therefore, we associate with the iterative statement of the VHDL language a functional semantics that guarantees an easy translation from VHDL to Nqthm/Acl2 while simplifying the subsequent inductive proofs. The approach has been successfully applied to one-dimensional as well as two-dimensional structures.

A verification method for systolic arrays using induction-based theorem provers

We proprose a method for verifying hardware design with an induction-based theorem prover such as the Boyer–Moore Theorem Prover. As a case study, we apply the method to verification of the correctness of systolic array designs. In verifying circuits, we prove that an implementation satisfies a specification, in particular their functional equivalence. In proving the equivalence, induction is applied to the variables that denote time and position in the circuit. We discuss what lemmas should be used for appropriate application of induction. The lemmas we have found reflect the characteristics of the structure of the circuit. With these lemmas, the method provides a systematic way of verification for systolic arrays and eases the user's burden with respect to the hardware verification.

The Tail-Recursive SECD Machine

One method for producing verified implementations of programming languages is to formally derive them from abstract machines. Tail-recursive abstract machines provide efficient support for iterative processes via the ordinary procedure call mechanism. This document argues that the use of tail-recursive abstract machines incurs only a small increase in theorem-proving burden when compared with what is required when using ordinary abstract machines. The position is supported by comparing correctness proofs performed using the Boyer–Moore theorem prover. A by-product of this effort is a syntactic criterion based on tail contexts for identifying which procedure calls must be implemented as tail calls. The concept of tail contexts was used in the latest Scheme Report, the only language specification known to the author that defines the requirement that its implementations must be tail recursive.

Review of: Metamathematics, Machines, and Gödels Proof by N. Shankar

This book, first published in 1994, is derived from the author's 1986 Ph.D dissertation, one of the main goals of which was to gauge the usefulness of automatic theorem proving technology in constructing and verifying proofs. The proofs chosen for this task were Gödel's first incompleteness theorem and the Church-Rosser theorem of the lambda calculus. The theorem prover used was the Boyer-Moore theorem prover which can be obtained by ftp [1]. A manual for the prover has been published as [2]. The author gives a detailed account of the more important steps leading to the mechanized verification of proofs of these theorems. The theorem prover did not discover the proofs but checked definitions and lemmas (about 2000 for the incompleteness theorem and supplied by the author) that lead to the theorems.

Theories for mechanical proofs of imperative programs

Abstract For convenient application of a first-order theorem prover to verification of imperative programs, it is important to encapsulate the operational semantics in generic theories. The possibility to do so is illustrated by two theories for the Boyer-Moore theorem prover Nqthm. The first theory is an Nqthm version of the classical while-theorem. Here the main interest is to show how one can use Nqthm's facilities to constrain and to functionally instantiate for the development and application of a generic theory. The theory is illustrated by a linear search program. The second theory is a finitary approach to progress for shared-memory concurrent programs. It is illustrated by Peterson's algorithm for mutual exclusion of two processes. The proof of progress for Peterson's algorithm is new. The assertion of bounded fairness is slightly stronger than the conventional notion of weak fairness. This new concept may have other applications.

An interactive solution to the n x n mutilated checkerboard problem

We present a method of modelling parameterized classes of finite state machines in the Boyer-Moore logic so that invariant properties can be verified interactively using the Boyer-Moore theorem prover. We illustrate our approach using an interactive proof of the impossibility of covering an n × n ‘mutilated’ checkerboard completely with dominoes. We model the problem by defining a simulator and formalize the well-known parity argument as a proof by mathematical induction on the length of action sequences executed starting with an empty board. The suitability of our approach for verifying properties depends strongly on the actual Lisp data structures and programs used in the simulation model. We explain some of the choices we made in simplifying the checkerboard problem representation and describe in detail the heuristic guidance given to the theorem prover.

Interaction with the Boyer-Moore theorem prover: A tutorial study using the arithmetic-geometric mean theorem

Interaction with the Boyer-Moore theorem prover: A tutorial study using the arithmetic-geometric mean theorem

The Boyer-Moore theorem prover and its interactive enhancement

The so-called Boyer-Moore Theorem Prover (otherwise known as Nqthm) has been used to perform a variety of verification tasks for two decades. We give an overview of both this system and an interactive enhancement of it, Pc-Nqthm, from a number of perspectives. First, we introduce the logic in which theorems are proved. Then, we briefly describe the two mechanized theorem proving systems. Next, we present a simple but illustrative example in some detail in order to give an impression of how these systems may be used successfully. Finally, we give extremely short descriptions of a large number of applications of these systems, in order to give an idea of the breadth of their uses. This paper is intended as an informal introduction to systems that have been described in detail and similarly summarized in many other books and papers; no new results are reported here. Our intention here is to present Nqthm to a new audience.

Proving Ramsey's theorem by the cover set induction: A case and comparison study

An experiment of the cover set induction method inRRL is presented with a mechanical proof of Ramsey's theorem in graph theory. The proof is similar to the proof obtained by Kaufmann using the Boyer-Moore theorem prover. We show that this similarity is not unusual, because there is a close relationship between the Boyer-Moore logic and the algebraic specification of abstract data types on which the cover set induction method is based. (This implies that many proofs done by the Boyer-Moore theorem prover can be reproduced byRRL.) Our experiment shows thatRRL can automatically prove all the lemmas in Ramsey's theorem, while the Boyer-Moore theorem prover needs several user's hints and takes much longer (CPU time) to finish.

An extension of the Boyer-Moore Theorem Prover to support first-order quantification

We describe an implementation of an extension to the Boyer-Moore Theorem Prover and logic that allows first-order quantification. The extension retains the capabilities of the Boyer-Moore system while allowing the increased flexibility in specification and proof that is provided by quantifiers. The idea is to Skolemize in an appropriate manner. We demonstrate the power of this approach by describing three successful proof-checking experiments using the system, each of which involves a theorem of set theory as translated into a first-order logic. We also demonstrate the soundness of our approach.

Machine checked proofs of the design of a fault-tolerant circuit

Abstract We describe a formally verified implementation of the “Oral Messages” algorithm of Pease, Shostak and Lamport J. ACM (1980) 27 , 228–234; ACM TOPLAS (1982) 4 , 382–401. An abstract implementation of the algorithm is proved to achieve interactive consistency in the presence of faults. This abstract characterisation is then mapped down to a hardware level implementation which inherits the fault-tolerant characteristics of the abstract version. All steps in the proof were checked with the Boyer-Moore theorem prover. A significant result of this work is the demonstration of a fault-tolerant device that is formally specified and the development of an implementation proved correct with respect to this specification. A significant simplifying assumption is that the redundant processors behave synchronously. We also describe a mechanically checked proof that the Oral Messages algorithm is “optimal” in the sense that no algorithm which achieves agreement via similar message passing can tolerate a larger proportion of faulty processors.

A mechanical proof of Quadratic Reciprocity

We describe the use of the Boyer-Moore theorem prover in mechanically generating a proof of the Law of Quadratic Reciprocity: for distinct odd primes p and q, the congruences x 2 ≡q (mod p) and x 2 ≡p (mod q) are either both solvable or both unsolvable, unless p≡q≡3 (mod 4). The proof is a formalization of an argument due to Eisenstein, based on a lemma of Gauss. The input to the theorem prover consists of nine function definitions, thirty conjectures, and various hints for proving them. The proofs are derived from a library of lemmas that includes Fermat's Theorem and the Gauss Lemma.

Generalization in the presence of free variables: A mechanically-checked correctness proof for one algorithm

We present a case study in which an automated proof assistant was used to show the correctness of an algorithm. Specifically, we document the application of an extension of the Boyer-Moore Theorem Prover to the problem of verifying the correctness of an implementation of generalization, where the proof had surprisingly many details and a previous implementation contained an error. We attempt to provide sufficient detail so that the reader can gain a realistic impression of the nature of this exercise.

The problem of finding a semantic strategy for focusing inference rules

This article is the fifteenth of a series of articles discussing various open research problems in automated reasoning. Here we focus on finding a strategy — other than a simple syntactic one — that can be used for focusing the attention of the inference rule(s) in use. The problem proposed for research asks one to find semantic criteria for selecting the clauses needed to complete the application of an inference rule. Suggestions for test problems are included. We note that Yuan Yu has solved two of these problems using a rather different approach with the Boyer-Moore theorem prover; his work is reported elsewhere in this issue of the Journal of Automated Reasoning.

Computer proofs in Group Theory

This paper reports the results of an experiment in using the Boyer-Moore Theorem Prover in seeking computer-checked proofs in Group Theory. Starting from the axioms for groups and elementary list and number theory, the theorem prover was led to the proofs of two basic theorems in Elementary Group Theory by a sequence of lemmas suggested by the author. The computer proofs illustrate the effective use of the Boyer-Moore Theorem Prover in Group Theory.

Microprocessor design verification

The verification of a microprocessor design has been accomplished using a mechanical theorem prover. This microprocessor, the FM8502, is a 32-bit general-purpose, von Neumann processor whose design-level (gate-level) specification has been verified with respect to its instruction-level specification. Both specifications were written in the Boyer—Moore logic, and the proof of correctness was carried out with the Boyer—Moore theorem prover.