Schedule Details

Fall, 2011

• Professor: J Strother Moore
• Unique Id: 52575
• Meets: TT 3:30-5:00 pm
• Classroom: WEL 3.266
• Office Hours: TT 2:30-3:30
• Office: MAI 2014
• Midterm Exam: in class, October 20, 2011
• Final Exam: project reports due by December 1, 2011

Supplemental Material

• `PLUS`, `TIMES`, `MOVE-DISKS`, `HANOI`, and the definition of `QUICKSORT`
• our definition and proof that `QUICKSORT` produces ordered output
• I do NOT recommend trying to prove that `QUICKSORT` produces a `PERM` of its argument -- yet! Instead, define `(HM E X)` to count how many times `E` occurs as an element of `X` and prove that `(hm e (quicksort x))` is `(hm e x)`.
• our proof of the relation between `HM` and `QUICKSORT`
• defuns of `PERM` and `HM`
• In class on Oct 4, I showed how to use theorem `PERM-HM` to convert a `PERM` problem into a ``how-many'' problem. Then I showed how to exploit that converstion to prove that `QUICKSORT` produces a permutation of its input, by proving that it preserves the ``how-many'' question on an arbitrary `E`. Here is the promised script, `perm-quicksort-via-hm.lisp`.
• In class on Oct 4, I also discussed how to use the fact that `PERM` is an equivalence relation enjoying certain congruence properties. Here is the `PERM-QUICKSORT` proof again, using that approach, `perm-quicksort-via-congruence.lisp`.
• Here are two challenge problems to solve with ACL2. Warning: You will find the first challenge pretty straightforward. But the second challenge requires some work! My solution to the second challenge required one new definition and ten lemmas before reaching the final theorem.
• Here is another challenge. On Oct 6, in class, Cuong Chau said he had defined `set-equal` and tried to prove a particular theorem about it. I explained that his definition was correct and reasonable, but not the way I would have defined `set-equal`. Nevertheless, we decided to try to prove his theorem in class. The resulting script is here. You will note that we failed to complete the proof. Search for `(i-am-here)` in the script and figure out how to get ACL2 to prove the remaining checkpoint.
• Here are my answers to the midterm, in the form of an ACL2 script. You should replay the events in this script to see the proofs.
• The Rotate Challenge as presented and solved interactively by Matt Kaufmann in class on November 1, 2011. The page also contains the simpler `rev-app` Matt worked in class.
• My example of mutual recursion definitions and proofs presented in class on November 8, 2011.
• Operational Semantics and Inductive Invariants

Syllabus

In this class we use a formal logic of recursive functions to study fundamental ideas in computing. The logic is a subset of applicative Common Lisp. However, no familiarity with Lisp is assumed.

The logic could be replaced with practically any other formalization of primitive recursive arithmetic with lists without changing the character of the course except for one major aspect of it: You will learn to use (a small subset of) ACL2, a mechanized formal modeling and verification tool.

The course will proceed in a top-down way: after a brief and, I hope, thought-provoking tour of some applications of machine-checked reasoning about hardware and software, we will discuss suggestions for what we might model and prove during the semester. These discussions will highlight strengths and weaknesses of formality and the mechanization of mathematical reasoning. We will ultimately settle on some team projects. The bulk of the semester will consist of individuals and teams discussing their problems with modeling and proving things. These discussions will most often lead to mathematical insights about formal specification and inductive proof techniques, e.g., the role of recursion, definition, termination, appropriate inductive hypotheses, generalizations, invention of auxiliary concepts necessary to state inductively provable facts, meta-reasoning, useful lemmas about domain-specific concepts, etc.

Prerequisites

While only graduate standing is required, this course is a `diversity course' in the Theory area of our Ph.D. program. Historically, almost all of the students who have taken the course have been in the Ph.D. program.

Textbooks and Tools

• You will be required to purchase Computer-Aided Reasoning: An Approach, by Kaufmann, Manolios, and Moore, 2000. (A limited number of copies will be available in class from the instructor at the same price.)

• You will be required to use the ACL2 theorem prover. You might wish to install it on the computer you are most comfortable using. ACL2 is distributed without cost and is available in several binary image formats as well as source code form. ACL2 is already installed on the CS Department Linux machines. We will restrict our use of ACL2 to a tiny fraction of that system.

While I tend to use ACL2 running in a shell buffer under Emacs, many find it convenient to use the Eclipse interface to ACL2, known as the The ACL2 Sedan for Eclipse or ACL2s. It's called the “sedan” for good reason: driving full ACL2 is like driving a race car; one mistake and you're in the ditch.

ACL2s is installed on all the department's public machines. See for explicit instructions on using the Sedan on department machines.

I will assign reading from the textbook above weekly. I regard your reading as a critical background activity: no formal logic can be “picked up” by random trial-and-error. And you must learn how to express yourself in the logic in order to use it to model and prove anything.

The textbook is full of problems and I expect you to do a representative sample of them from the reading. I will call upon students in class to present solutions to unannounced problems from the assigned reading, especially if no team needs to discuss their current difficulties!

But learning the logic should be a background activity for you. Each student will be in a team working on some half-semester-scale project and most class sessions should consist of team members discussing problems with the entire class. The projects are not meant to be competitive with each other. A student's contribution of some key insight to another team's project is highly valued. Successfully proving the ``goal theorem'' of a project matters less to me than what the class learned along the way from the attempt.