431 research outputs found
Adding 32-bit Mode to the ACL2 Model of the x86 ISA
The ACL2 model of the x86 Instruction Set Architecture was built for the
64-bit mode of operation of the processor. This paper reports on our work to
extend the model with support for 32-bit mode, recounting the salient aspects
of this activity and identifying the ones that required the most work.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
Incremental SAT Library Integration Using Abstract Stobjs
We describe an effort to soundly use off-the-shelf incremental SAT solvers
within ACL2 by modeling the behavior of a SAT solver library as an abstract
stobj. The interface allows ACL2 programs to use incremental SAT solvers, and
the abstract stobj model allows us to reason about the behavior of an
incremental SAT library so as to show that algorithms implemented using it are
correct, as long as the library is bug-free.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
Meta-extract: Using Existing Facts in Meta-reasoning
ACL2 has long supported user-defined simplifiers, so-called metafunctions and
clause processors, which are installed when corresponding rules of class :meta
or :clause-processor are proved. Historically, such simplifiers could access
the logical world at execution time and could call certain built-in proof
tools, but one could not assume the soundness of the proof tools or the truth
of any facts extracted from the world or context when proving a simplifier
correct. Starting with ACL2 Version 6.0, released in December 2012, an
additional capability was added which allows the correctness proofs of
simplifiers to assume the correctness of some such proof tools and extracted
facts. In this paper we explain this capability and give examples that
demonstrate its utility.Comment: In Proceedings ACL2Workshop 2017, arXiv:1705.0076
A Versatile, Sound Tool for Simplifying Definitions
We present a tool, simplify-defun, that transforms the definition of a given
function into a simplified definition of a new function, providing a proof
checked by ACL2 that the old and new functions are equivalent. When appropriate
it also generates termination and guard proofs for the new function. We explain
how the tool is engineered so that these proofs will succeed. Examples
illustrate its utility, in particular for program transformation in synthesis
and verification.Comment: In Proceedings ACL2Workshop 2017, arXiv:1705.0076
Real Vector Spaces and the Cauchy-Schwarz Inequality in ACL2(r)
We present a mechanical proof of the Cauchy-Schwarz inequality in ACL2(r) and
a formalisation of the necessary mathematics to undertake such a proof. This
includes the formalisation of as an inner product space. We also
provide an application of Cauchy-Schwarz by formalising as a
metric space and exhibiting continuity for some simple functions . The Cauchy-Schwarz inequality relates the magnitude of a
vector to its projection (or inner product) with another: with equality iff the vectors are linearly
dependent. It finds frequent use in many branches of mathematics including
linear algebra, real analysis, functional analysis, probability, etc. Indeed,
the inequality is considered to be among "The Hundred Greatest Theorems" and is
listed in the "Formalizing 100 Theorems" project. To the best of our knowledge,
our formalisation is the first published proof using ACL2(r) or any other
first-order theorem prover.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
A Simple Java Code Generator for ACL2 Based on a Deep Embedding of ACL2 in Java
AIJ (ACL2 In Java) is a deep embedding in Java of an executable,
side-effect-free, non-stobj-accessing subset of the ACL2 language without
guards. ATJ (ACL2 To Java) is a simple Java code generator that turns ACL2
functions into AIJ representations that are evaluated by the AIJ interpreter.
AIJ and ATJ enable possibly verified ACL2 code to run as, and interoperate
with, Java code, without much of the ACL2 framework or any of the Lisp runtime.
The current speed of the resulting Java code may be adequate to some
applications.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
The x86isa Books: Features, Usage, and Future Plans
The x86isa library, incorporated in the ACL2 community books project,
provides a formal model of the x86 instruction-set architecture and supports
reasoning about x86 machine-code programs. However, analyzing x86 programs can
be daunting -- even for those familiar with program verification, in part due
to the complexity of the x86 ISA. Furthermore, the x86isa library is a large
framework, and using and/or contributing to it may not seem straightforward. We
present some typical ways of working with the x86isa library, and describe some
of its salient features that can make the analysis of x86 machine-code programs
less arduous. We also discuss some capabilities that are currently missing from
these books -- we hope that this will encourage the community to get involved
in this project.Comment: In Proceedings ACL2Workshop 2017, arXiv:1705.0076
Trapezoidal Generalization over Linear Constraints
We are developing a model-based fuzzing framework that employs mathematical
models of system behavior to guide the fuzzing process. Whereas traditional
fuzzing frameworks generate tests randomly, a model-based framework can deduce
tests from a behavioral model using a constraint solver. Because the state
space being explored by the fuzzer is often large, the rapid generation of test
vectors is crucial. The need to generate tests quickly, however, is
antithetical to the use of a constraint solver. Our solution to this problem is
to use the constraint solver to generate an initial solution, to generalize
that solution relative to the system model, and then to perform rapid,
repeated, randomized sampling of the generalized solution space to generate
fuzzing tests. Crucial to the success of this endeavor is a generalization
procedure with reasonable size and performance costs that produces generalized
solution spaces that can be sampled efficiently. This paper describes a
generalization technique for logical formulae expressed in terms of Boolean
combinations of linear constraints that meets the unique performance
requirements of model-based fuzzing. The technique represents generalizations
using trapezoidal solution sets consisting of ordered, hierarchical
conjunctions of linear constraints that are more expressive than simple
intervals but are more efficient to manipulate and sample than generic
polytopes. Supporting materials contain an ACL2 proof that verifies the
correctness of a low-level implementation of the generalization algorithm
against a specification of generalization correctness. Finally a
post-processing procedure is described that results in a restricted trapezoidal
solution that can be sampled (solved) rapidly and efficiently without
backtracking, even for integer domains. While informal correctness arguments
are provided, a formal proof of the correctness of the restriction algorithm
remains as future work.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
Hint Orchestration Using ACL2's Simplifier
This paper describes a strategy for providing hints during an ACL2 proof,
implemented in a utility called use-termhint. An extra literal is added to the
goal clause and simplified along with the rest of the goal until it is stable
under simplification, after which the simplified literal is examined and a hint
extracted from it. This simple technique supports some commonly desirable yet
elusive features. It supports providing different hints to different cases of a
case split, as well as binding variables so as to avoid repeating multiply
referenced subterms. Since terms used in these hints are simplified in the same
way as the rest of the goal, this strategy is also more robust against changes
in the rewriting normal form than hints in which terms from the goal are
written out explicitly.Comment: In Proceedings ACL2 2018, arXiv:1810.0376
Initial Conflicts for Transformation Rules with Nested Application Conditions
We extend the theory of initial conflicts in the framework of M-adhesive
categories to transformation rules with ACs. We first show that for rules with
ACs, conflicts are in general neither inherited from a bigger context any more,
nor is it possible to find a finite and complete subset of finite conflicts as
illustrated for the category of graphs. We define initial conflicts to be
special so-called symbolic transformation pairs, and show that they are
minimally complete (and in the case of graphs also finite) in this symbolic
way. We show that initial conflicts represent a proper subset of critical pairs
again. We moreover demonstrate that (analogous to the case of rules without
ACs) for each conflict a unique initial conflict exists representing it. We
conclude with presenting a sufficient condition illustrating important special
cases for rules with ACs, where we do not only have initial conflicts being
complete in a symbolic way, but also find complete (and in the case of graphs
also finite) subsets of conflicts in the classical sense
- β¦