Nqthm

Abstract: 1. Introduction and History. 2. The Nqthm Logic. 3. An Informal Sketch of Piton. 4. Big Number Addition. 5. A Sketch of FM9001. 6. The Correctness of Piton on FM9001. 7. The Implementation of Piton on FM9001. 8. Proof of the Correctness Theorem. Appendices: Summary of Piton Instructions The Formal Definition of Piton The Formal Definition of FM9001 The Formal Implementation The Formal Correctness Theorem.

Abstract: Automated and interactive theorem proving are the two main directions in the field of deduction. Most chapters of this book belong to either the one or the other, whether focusing on theory, on methods or on systems. This reflects the fact that, for a long time, research in computer-aided reasoning was divided into these two directions, driven forward by different communities. Both groups offer powerful tools for different kinds of tasks, with different solutions, leading to different performance and application profiles. Some important examples are: ACL2 (Kaufmann and Moore, 1988), HOL (Gordon, 1988), IMPS (Farmer et al., 1996), Isabelle (Paulson, 1994), KIV (Reif et al., 1997) (see also Chapter II.1.1), NQTHM (Boyer and Moore, 1979), and PVS (Owre et al., 1992) for the interactive (or tactical) theorem proving community; and KoMeT (Bibel et al., 1994), Otter (Wos et al., 1992), Protein (Baumgartner and Furbach, 1994), Setheo (Goller et al., 1994), Spass (Weidenbach et al., 1996), and 3 TAP (Beckert et al., 1996) for the automated theorem proving community.

Abstract: In this paper, we investigate analogy-driven proof plan construction in inductive theorem proving. The intention is to produce a plan for a target theorem that is similar to a given source theorem. We identify second-order mappings from the source to the target that preserve induction-specific proof- relevant abstractions dictating whether the source plan can be replayed. We replay the planning decisions taken in the source if the reasons or justifications for these decisions still hold in the target. If the source and target plan differ significantly at some isolated point, additional reformulations are invoked to add, delete, or modify planning steps. These reformulations are not ad hoc but are triggered by peculiarities of the mappings and by failed justifications. Employing analogy on top of the proof planner CLAM has extended the problem-solving horizon of CLAM: With analogy, some theorems could be proved automatically that neither CLAM nor NQTHM could prove automatically.

Abstract: Derivation and verification represent alternate approaches to design. Derivation aims at deriving a "correct by construction" design while verification aims at constructing a post factum "proof of correctness" for a design. However, as researchers and engineers gain design experience in a formal framework, both approaches are emerging as interdependent facets of design. The thesis of this work is that alternate forms of formal reasoning must be integrated if formal methods are to support the natural analytical and generative reasoning that takes place in engineering practice. As a vehicle for this research, the DDD digital design derivation system was implemented to study formal hardware design in an algebraic framework. DDD is a first-order transformation system which mechanizes a basic design algebra for synthesizing digital circuit descriptions from high-level functional specifications. The system is a collection of correctness preserving transformations that promote a top-down design methodology where the discipline of applicative programming is adapted to hardware verification. As a non-trivial illustration of these ideas, the derivation of the DDD-FM9001 is presented. The DDD-FM9001 is a 32-bit general purpose microprocessor mechanically derived directly from Hunt's Boyer-Moore Logic FM9001 microprocessor specification. The derivation involved the use of three mechanical verification tools: the DDD digital design derivation system, the Nqthm theorem prover, and the COSMOS boolean tautology checker. The DDD digital design derivation system was used to derive a significant portion of the design leaving relatively small portions to be verified by the other verification tools. The result of this experiment was a derived FM9001 defined by a rigorous path to hardware.