-
Proceedings of the 18th International Workshop on the ACL2 Theorem Prover and Its Applications
Authors:
Alessandro Coglio,
Sol Swords
Abstract:
This volume contains the proceedings of the Eighteenth International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2-2023), a two-day workshop held at the University of Texas at Austin and online, on November 13-14. These workshops provide a major technical forum for users of the ACL2 theorem prover to present research related to ACL2 and its applications.
This volume contains the proceedings of the Eighteenth International Workshop on the ACL2 Theorem Prover and Its Applications (ACL2-2023), a two-day workshop held at the University of Texas at Austin and online, on November 13-14. These workshops provide a major technical forum for users of the ACL2 theorem prover to present research related to ACL2 and its applications.
△ Less
Submitted 14 November, 2023;
originally announced November 2023.
-
Envisioning a Human-AI collaborative system to transform policies into decision models
Authors:
Vanessa Lopez,
Gabriele Picco,
Inge Vejsbjerg,
Thanh Lam Hoang,
Yufang Hou,
Marco Luca Sbodio,
John Segrave-Daly,
Denisa Moga,
Sean Swords,
Miao Wei,
Eoin Carroll
Abstract:
Regulations govern many aspects of citizens' daily lives. Governments and businesses routinely automate these in the form of coded rules (e.g., to check a citizen's eligibility for specific benefits). However, the path to automation is long and challenging. To address this, recent global initiatives for digital government, proposing to simultaneously express policy in natural language for human co…
▽ More
Regulations govern many aspects of citizens' daily lives. Governments and businesses routinely automate these in the form of coded rules (e.g., to check a citizen's eligibility for specific benefits). However, the path to automation is long and challenging. To address this, recent global initiatives for digital government, proposing to simultaneously express policy in natural language for human consumption as well as computationally amenable rules or code, are gathering broad public-sector interest. We introduce the problem of semi-automatically building decision models from eligibility policies for social services, and present an initial emerging approach to shorten the route from policy documents to executable, interpretable and standardised decision models using AI, NLP and Knowledge Graphs. Despite the many open domain challenges, in this position paper we explore the enormous potential of AI to assist government agencies and policy experts in scaling the production of both human-readable and machine executable policy rules, while improving transparency, interpretability, traceability and accountability of the decision making.
△ Less
Submitted 1 November, 2022;
originally announced December 2022.
-
Generating Mutually Inductive Theorems from Concise Descriptions
Authors:
Sol Swords
Abstract:
We describe defret-mutual-generate, a utility for proving ACL2 theorems about large mutually recursive cliques of functions. This builds on previous tools such as defret-mutual and make-flag, which automate parts of the process but still require a theorem body to be written out for each function in the clique. For large cliques, this tends to mean that certain common hypotheses and conclusions ar…
▽ More
We describe defret-mutual-generate, a utility for proving ACL2 theorems about large mutually recursive cliques of functions. This builds on previous tools such as defret-mutual and make-flag, which automate parts of the process but still require a theorem body to be written out for each function in the clique. For large cliques, this tends to mean that certain common hypotheses and conclusions are repeated many times, making proofs difficult to read, write, and maintain. This utility automates several of the most common patterns that occur in these forms, such as including hypotheses based on formal names or types. Its input language is rich enough to support forms that have some common parts and some unique parts per function. One application of defret-mutual-generate has been to support proofs about the FGL rewriter, which consists of a mutually recursive clique of 49 functions. The use of this utility reduced the size of the forms that express theorems about this clique by an order of magnitude. It also greatly has reduced the need to edit theorem forms when changing definitions in the clique, even when adding or removing functions.
△ Less
Submitted 29 September, 2020;
originally announced September 2020.
-
New Rewriter Features in FGL
Authors:
Sol Swords
Abstract:
FGL is a successor to GL, a proof procedure for ACL2 that allows complicated finitary conjectures to be translated into efficient Boolean function representations and proved using SAT solvers. A primary focus of FGL is to allow greater programmability using rewrite rules. While the FGL rewriter is modeled on ACL2's rewriter, we have added several features in order to make rewrite rules more powe…
▽ More
FGL is a successor to GL, a proof procedure for ACL2 that allows complicated finitary conjectures to be translated into efficient Boolean function representations and proved using SAT solvers. A primary focus of FGL is to allow greater programmability using rewrite rules. While the FGL rewriter is modeled on ACL2's rewriter, we have added several features in order to make rewrite rules more powerful. A particular focus is to make it more convenient for rewrite rules to use information from the syntactic domain, allowing them to replace built-in primitives and meta rules in many cases. Since it is easier to write, maintain, and prove the soundness of rewrite rules than to do the same for rules programmed at the syntactic level, these features help make it feasible for users to precisely program the behavior or the rewriter. We describe the new features that FGL's rewriter implements, discuss the solutions to some technical problems that we encountered in their implementation, and assess the feasibility of adding these features to the ACL2 rewriter.
△ Less
Submitted 29 September, 2020;
originally announced September 2020.
-
Verifying x86 Instruction Implementations
Authors:
Shilpi Goel,
Anna Slobodova,
Rob Sumners,
Sol Swords
Abstract:
Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on provi…
▽ More
Verification of modern microprocessors is a complex task that requires a substantial allocation of resources. Despite significant progress in formal verification, the goal of complete verification of an industrial design has not been achieved. In this paper, we describe a current contribution of formal methods to the validation of modern x86 microprocessors at Centaur Technology. We focus on proving correctness of instruction implementations, which includes the decoding of an instruction, its translation into a sequence of micro-operations, any subsequent execution of traps to microcode ROM, and the implementation of these micro-operations in execution units. All these tasks are performed within one verification framework, which includes a theorem prover, a verified symbolic simulator, and SAT solvers. We describe the work of defining the needed formal models for both the architecture and micro-architecture in this framework, as well as tools for decomposing the requisite properties into smaller lemmas which can be automatically checked. We additionally cover the advantages and limitations of our approach. To our knowledge, there are no similar results in the verification of implementations of an x86 microprocessor.
△ Less
Submitted 21 December, 2019;
originally announced December 2019.
-
Hint Orchestration Using ACL2's Simplifier
Authors:
Sol Swords
Abstract:
This paper describes a strategy for providing hints during an ACL2 proof, implemented in a utility called use-termhint. An extra literal is added to the goal clause and simplified along with the rest of the goal until it is stable under simplification, after which the simplified literal is examined and a hint extracted from it. This simple technique supports some commonly desirable yet elusive fe…
▽ More
This paper describes a strategy for providing hints during an ACL2 proof, implemented in a utility called use-termhint. An extra literal is added to the goal clause and simplified along with the rest of the goal until it is stable under simplification, after which the simplified literal is examined and a hint extracted from it. This simple technique supports some commonly desirable yet elusive features. It supports providing different hints to different cases of a case split, as well as binding variables so as to avoid repeating multiply referenced subterms. Since terms used in these hints are simplified in the same way as the rest of the goal, this strategy is also more robust against changes in the rewriting normal form than hints in which terms from the goal are written out explicitly.
△ Less
Submitted 9 October, 2018;
originally announced October 2018.
-
Incremental SAT Library Integration Using Abstract Stobjs
Authors:
Sol Swords
Abstract:
We describe an effort to soundly use off-the-shelf incremental SAT solvers within ACL2 by modeling the behavior of a SAT solver library as an abstract stobj. The interface allows ACL2 programs to use incremental SAT solvers, and the abstract stobj model allows us to reason about the behavior of an incremental SAT library so as to show that algorithms implemented using it are correct, as long as t…
▽ More
We describe an effort to soundly use off-the-shelf incremental SAT solvers within ACL2 by modeling the behavior of a SAT solver library as an abstract stobj. The interface allows ACL2 programs to use incremental SAT solvers, and the abstract stobj model allows us to reason about the behavior of an incremental SAT library so as to show that algorithms implemented using it are correct, as long as the library is bug-free.
△ Less
Submitted 9 October, 2018;
originally announced October 2018.
-
Term-Level Reasoning in Support of Bit-blasting
Authors:
Sol Swords
Abstract:
GL is a verified tool for proving ACL2 theorems using Boolean methods such as BDD reasoning and satisfiability checking. In its typical operation, GL recursively traverses a term, computing a symbolic object representing the value of each subterm. In older versions of GL, such a symbolic object could use Boolean functions to compactly represent many possible values for integer and Boolean subfie…
▽ More
GL is a verified tool for proving ACL2 theorems using Boolean methods such as BDD reasoning and satisfiability checking. In its typical operation, GL recursively traverses a term, computing a symbolic object representing the value of each subterm. In older versions of GL, such a symbolic object could use Boolean functions to compactly represent many possible values for integer and Boolean subfields, but otherwise needed to reflect the concrete structure of all possiblealues that its term might take. When a term has many possible values that can't share such a representation, this can easily cause blowups because GL must then case-split. To address this problem, we have added several features to GL that allow it to reason about term-like symbolic objects using various forms of rewriting. These features allow GL to be programmed with rules much like the ACL2 rewriter, so that users may choose a better normal form for terms for which the default, value-like representation would otherwise cause case explosions. In this paper we describe these new features; as a motivating example, we show how to program the rewriter to reason effectively about the theory of records.
△ Less
Submitted 2 May, 2017;
originally announced May 2017.
-
Meta-extract: Using Existing Facts in Meta-reasoning
Authors:
Matt Kaufmann,
Sol Swords
Abstract:
ACL2 has long supported user-defined simplifiers, so-called metafunctions and clause processors, which are installed when corresponding rules of class :meta or :clause-processor are proved. Historically, such simplifiers could access the logical world at execution time and could call certain built-in proof tools, but one could not assume the soundness of the proof tools or the truth of any facts…
▽ More
ACL2 has long supported user-defined simplifiers, so-called metafunctions and clause processors, which are installed when corresponding rules of class :meta or :clause-processor are proved. Historically, such simplifiers could access the logical world at execution time and could call certain built-in proof tools, but one could not assume the soundness of the proof tools or the truth of any facts extracted from the world or context when proving a simplifier correct. Starting with ACL2 Version 6.0, released in December 2012, an additional capability was added which allows the correctness proofs of simplifiers to assume the correctness of some such proof tools and extracted facts. In this paper we explain this capability and give examples that demonstrate its utility.
△ Less
Submitted 2 May, 2017;
originally announced May 2017.
-
Fix Your Types
Authors:
Sol Swords,
Jared Davis
Abstract:
When using existing ACL2 datatype frameworks, many theorems require type hypotheses. These hypotheses slow down the theorem prover, are tedious to write, and are easy to forget. We describe a principled approach to types that provides strong type safety and execution efficiency while avoiding type hypotheses, and we present a library that automates this approach. Using this approach, types help…
▽ More
When using existing ACL2 datatype frameworks, many theorems require type hypotheses. These hypotheses slow down the theorem prover, are tedious to write, and are easy to forget. We describe a principled approach to types that provides strong type safety and execution efficiency while avoiding type hypotheses, and we present a library that automates this approach. Using this approach, types help you catch programming errors and then get out of the way of theorem proving.
△ Less
Submitted 20 September, 2015;
originally announced September 2015.
-
Verified AIG Algorithms in ACL2
Authors:
Jared Davis,
Sol Swords
Abstract:
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented with optimized C or C++ routines with no guarantee of correctness. Meanwhile, many interactive t…
▽ More
And-Inverter Graphs (AIGs) are a popular way to represent Boolean functions (like circuits). AIG simplification algorithms can dramatically reduce an AIG, and play an important role in modern hardware verification tools like equivalence checkers. In practice, these tricky algorithms are implemented with optimized C or C++ routines with no guarantee of correctness. Meanwhile, many interactive theorem provers can now employ SAT or SMT solvers to automatically solve finite goals, but no theorem prover makes use of these advanced, AIG-based approaches.
We have developed two ways to represent AIGs within the ACL2 theorem prover. One representation, Hons-AIGs, is especially convenient to use and reason about. The other, Aignet, is the opposite; it is styled after modern AIG packages and allows for efficient algorithms. We have implemented functions for converting between these representations, random vector simulation, conversion to CNF, etc., and developed reasoning strategies for verifying these algorithms.
Aside from these contributions towards verifying AIG algorithms, this work has an immediate, practical benefit for ACL2 users who are using GL to bit-blast finite ACL2 theorems: they can now optionally trust an off-the-shelf SAT solver to carry out the proof, instead of using the built-in BDD package. Looking to the future, it is a first step toward implementing verified AIG simplification algorithms that might further improve GL performance.
△ Less
Submitted 30 April, 2013;
originally announced April 2013.
-
Bit-Blasting ACL2 Theorems
Authors:
Sol Swords,
Jared Davis
Abstract:
Interactive theorem proving requires a lot of human guidance. Proving a property involves (1) figuring out why it holds, then (2) coaxing the theorem prover into believing it. Both steps can take a long time. We explain how to use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based reasoning. This approach makes it unnecessary to deeply understand why a property is true, an…
▽ More
Interactive theorem proving requires a lot of human guidance. Proving a property involves (1) figuring out why it holds, then (2) coaxing the theorem prover into believing it. Both steps can take a long time. We explain how to use GL, a framework for proving finite ACL2 theorems with BDD- or SAT-based reasoning. This approach makes it unnecessary to deeply understand why a property is true, and automates the process of admitting it as a theorem. We use GL at Centaur Technology to verify execution units for x86 integer, MMX, SSE, and floating-point arithmetic.
△ Less
Submitted 20 October, 2011;
originally announced October 2011.
-
Formation of molecular hydrogen on amorphous silicate surfaces
Authors:
Ling Li,
Giulio Manico,
Emanuele Congiu,
Joe Roser,
Sol Swords,
Hagai B. Perets,
Adina Lederhendler,
Ofer Biham,
John Robert Brucato,
Valerio Pirronello,
Gianfranco Vidali
Abstract:
Experimental results on the formation of molecular hydrogen on amorphous silicate surfaces are presented and analyzed using a rate equation model. The energy barriers for the relevant diffusion and desorption processes are obtained. They turn out to be significantly higher than those obtained for polycrystalline silicates, demonstrating the importance of grain morphology. Using these barriers we…
▽ More
Experimental results on the formation of molecular hydrogen on amorphous silicate surfaces are presented and analyzed using a rate equation model. The energy barriers for the relevant diffusion and desorption processes are obtained. They turn out to be significantly higher than those obtained for polycrystalline silicates, demonstrating the importance of grain morphology. Using these barriers we evaluate the efficiency of molecular hydrogen formation on amorphous silicate grains under interstellar conditions. It is found that unlike polycrystalline silicates, amorphous silicate grains are efficient catalysts of H_2 formation in diffuse interstellar clouds.
△ Less
Submitted 16 September, 2007;
originally announced September 2007.
-
Molecular Hydrogen Formation on Amorphous Silicates Under Interstellar Conditions
Authors:
Hagai B. Perets,
Adina Lederhendler,
Ofer Biham,
Gianfranco Vidali,
Ling Li,
Sol Swords,
Emanuele Congiu,
Joe Roser,
Giulio Manico,
John Robert Brucato,
Valerio Pirronello
Abstract:
Experimental results on the formation of molecular hydrogen on amorphous silicate surfaces are presented for the first time and analyzed using a rate equation model. The energy barriers for the relevant diffusion and desorption processes are obtained. They turn out to be significantly higher than those obtained earlier for polycrystalline silicates, demonstrating the importance of grain morpholo…
▽ More
Experimental results on the formation of molecular hydrogen on amorphous silicate surfaces are presented for the first time and analyzed using a rate equation model. The energy barriers for the relevant diffusion and desorption processes are obtained. They turn out to be significantly higher than those obtained earlier for polycrystalline silicates, demonstrating the importance of grain morphology. Using these barriers we evaluate the efficiency of molecular hydrogen formation on amorphous silicate grains under interstellar conditions. It is found that unlike polycrystalline silicates, amorphous silicate grains are efficient catalysts of H$_{2}$ formation within a temperature range which is relevant to diffuse interstellar clouds. The results also indicate that the hydrogen molecules are thermalized with the surface and desorb with low kinetic energy. Thus, they are unlikely to occupy highly excited states.
△ Less
Submitted 18 April, 2007; v1 submitted 11 March, 2007;
originally announced March 2007.
-
Molecular Hydrogen Formation on Ice Under Interstellar Conditions
Authors:
Hagai B. Perets,
Ofer Biham,
Giulio Manico,
Valerio Pirronello,
Joe Roser,
Sol Swords,
Gianfranco Vidali
Abstract:
The results of experiments on the formation of molecular hydrogen on low density and high density amorphous ice surfaces are analyzed using a rate equation model. The activation energy barriers for the relevant diffusion and desorption processes are obtained. The more porous morphology of the low density ice gives rise to a broader spectrum of energy barriers compared to the high density ice. In…
▽ More
The results of experiments on the formation of molecular hydrogen on low density and high density amorphous ice surfaces are analyzed using a rate equation model. The activation energy barriers for the relevant diffusion and desorption processes are obtained. The more porous morphology of the low density ice gives rise to a broader spectrum of energy barriers compared to the high density ice. Inserting these parameters into the rate equation model under steady state conditions we evaluate the production rate of molecular hydrogen on ice-coated interstellar dust grains.
△ Less
Submitted 29 March, 2005; v1 submitted 9 December, 2004;
originally announced December 2004.
-
High quality factor measured in fused silica
Authors:
Steven D. Penn,
Gregory M. Harry,
Andri M. Gretarsson,
Scott E. Kittelberger,
Peter R. Saulson,
John J. Schiller,
Joshua R. Smith,
Sol O. Swords
Abstract:
We have measured the mechanical dissipation in a sample of fused silica drawn into a rod. The sample was hung from a multiple-bob suspension, which isolated it from rubbing against its support, from recoil in the support structure, and from seismic noise. The quality factor, Q, was measured for several modes with a high value of 57 million found for mode number 2 at 726 Hz. This result is about…
▽ More
We have measured the mechanical dissipation in a sample of fused silica drawn into a rod. The sample was hung from a multiple-bob suspension, which isolated it from rubbing against its support, from recoil in the support structure, and from seismic noise. The quality factor, Q, was measured for several modes with a high value of 57 million found for mode number 2 at 726 Hz. This result is about a factor 2 higher than previous room temperature measurements. The measured Q was strongly dependent on handling, with a pristine flame-polished surface yielding a Q 3-4 times higher than a surface which had been knocked several times against a copper tube.
△ Less
Submitted 11 September, 2000;
originally announced September 2000.
