• Top
  • Documentation
  • Books
  • Boolean-reasoning
  • Projects
  • Debugging
  • Std
  • Community
  • Proof-automation
  • Macro-libraries
  • ACL2
    • Theories
    • Rule-classes
    • Proof-builder
    • Recursion-and-induction
    • Hons-and-memoization
    • Events
    • Parallelism
    • History
    • Programming
    • Operational-semantics
    • Real
    • Start-here
      • Gentle-introduction-to-ACL2-programming
      • ACL2-tutorial
      • About-ACL2
        • Recursion-and-induction
        • Operational-semantics
        • Soundness
        • Release-notes
          • Note-2-8
          • Note-2-7
          • Note-8-6
            • Note-8-6-books
            • Whats-new-in-ACL2-2025
          • Note-8-7
          • Note-8-2
          • Note-7-0
          • Note-8-5
          • Note-8-3
          • Note-8-1
          • Note-8-0
          • Note-7-1
          • Note-6-4
          • Note-2-9-3
          • Note-2-9-1
          • Note-8-4
          • Note-7-2
          • Note-6-5
          • Note-4-0
          • Note-2-9-2
          • Note-3-6
          • Note-3-3
          • Note-3-2-1
          • Note-3-0-1
          • Note-2-9-5
          • Note-2-5
          • Note-1-5
          • Note-6-1
          • Note-4-3
          • Note-4-2
          • Note-4-1
          • Note-3-5
          • Note-3-4
          • Note-3-2
          • Note-3-0-2
          • Note-2-9-4
          • Note-2-9
          • Note-1-8
          • Note-1-7
          • Note-1-6
          • Note-1-4
          • Note-1-3
          • Note-7-4
          • Note-7-3
          • Note-6-3
          • Note-6-2
          • Note-6-0
          • Note-5-0
          • Note-1-9
          • Note-2-2
          • Note-1-8-update
          • Note-3-5(r)
          • Note-2-3
          • Release-notes-books
          • Note-3-6-1
          • Note-1-2
          • Note-2-4
          • Note-2-6
          • Note-2-0
          • Note-3-0
          • Note-3-2(r)
          • Note-2-7(r)
          • Note-1-1
          • Note-3-4(r)
          • Note-3-1
          • Note-2-8(r)
          • Note-2-1
          • Note-2-9(r)
          • Note-2-6(r)
          • Note-3-1(r)
          • Note-3-0(r)
          • Note-3-0-1(r)
          • Note-2-5(r)
          • Note-4-3(r)
          • Note-4-2(r)
          • Note-4-1(r)
          • Note-4-0(r)
          • Note-3-6(r)
          • Note-3-3(r)
          • Note-3-2-1(r)
        • Version
        • Acknowledgments
        • Pre-built-binary-distributions
        • Common-lisp
        • Git-quick-start
        • Copyright
        • Building-ACL2
        • ACL2-help
        • Bibliography
    • Debugging
    • Miscellaneous
    • Output-controls
    • Macros
    • Interfacing-tools
  • Interfacing-tools
  • Hardware-verification
  • Software-verification
  • Math
  • Testing-utilities

• Note-8-6
• Release-notes-books

Note-8-6-books

Release notes for the ACL2 Community Books for ACL2 8.6

The following is a brief summary of changes made to the community-books between the releases of ACL2 8.5 and 8.6.

See also note-8-6 for the changes made to ACL2 itself. For additional details, you may also see the raw commit log.

New Libraries

AleoBFT

Formal specification and correctness proofs of AleoBFT, a Byzantine-fault-tolerant consensus protocol, used in the Aleo blockchain.

CSV Library (kestrel/csv/)

This library contains a parser for CSV (comma separated value) files and utilities for handling parsed CSV files.

Ethereum Virtual Machine

A (partial) formal specification of the Ethereum Virtual Machine (EVM) has been added as kestrel/ethereum/evm/. This is a work in progress.

Floating-Point Arithmetic

A new, cleanroom formalization of IEEE-754 floating point arithmetic has been added as kestrel/floats/. This is a work-in-progress. It was previously part of Kestrel's JVM model. An initial specification for floating-point rounding has been added, and various proofs have been added to show that some notions from this library agree with the corresponding notions in the RTL library.

FM9801

Jun Sawada's 1998-1999 dissertation work, consisting of verification for the FM9801 pipelined microprocessor design, has been added as directory projects/fm9801/.

Gaussian Elimination Library

This is a work in progress for solving Ax = b, for sparse matrices A.

Group Theory Library

Added seven books to projects/groups/ on the topics of homomorphisms, direct products, the Fundamental Theorem of Finite Abelian Groups, symmetric groups, group actions, the Sylow theorems, and simple groups.

Kestrel Hints Library

A new library (kestrel/hints/) has been added for manipulating hints (combining, removing, applying renamings, etc.). This gathers and improves existing utilities, and adds new ones.

A new hint, :casesx, has been added to make a :cases hint with all possible combinations of a given set of cases.

Leo Library

An initial ACL2 library for Leo, Provable Inc.'s language for zero-knowledge applications.

M6

Hanbing Liu's 2006 dissertation work on a "defensive JVM" has been added as directory models/jvm/m6/.

Machine Learning Library

Added support and testing for generation of *__acl2data.out files for machine learning. The idea is to break proofs systematically and record resulting information, including checkpoints. See kestrel/acl2data/README and kestrel/acl2data/gather/README.

Schroder-Bernstein Library

This added a proof of the Schroder-Bernstein theorem. See projects/schroder-bernstein/README.md.

World Light Library

A new library (kestrel/world-light/) has been added to collect lightweight world utilities (querying the world, gathering event names, etc.).

XML Library (kestrel/xml/)

This library contains a simple XML parser.

Zipfile Library

A new library (kestrel/zip/) has been added for handling .zip files.

Changes to Existing Libraries

ABNF Library

This library has been moved from [books]/kestrel/abnf/ to [books]/projects/abnf.

The library has been refactored to organize its constituents more clearly. Some parts of the documentation have also been improved and extended in the process of doing this refactoring.

The parsing generation tools have been significantly extended and improved.

New tools have been added to read grammars from files into formal ACL2 representations, to prove properties of the grammars, and to generate functions and theorems about the grammars.

ACL2 Arrays Library (kestrel/acl2-arrays/)

Various rules and tests have been added/improved, and library organization has been improved.

ACL2 Programming Language Library

Some fixtype names have been improved and made more consistent.

Alists Light Library (kestrel/alists-light/)

Various rules have been added/improved, some new functions and books have been added, and library organization has been improved. A few functions have been deprecated, including lookup-equal-lst (use map-lookup-equal and clear-key (use remove-assoc-equal).

APT Library

The apt::simplify transformation no longer breaks when certain default-hints or override-hints are present.

The apt::simplify transformation uses the new heavy-linear-p capability (see note-8-6 to strengthen the use of linear-arithmetic during rewriting.

The apt::simplify transformation, when called with option :untranslate t, removes some unused let bindings and let* bindings that formerly remained.

The apt::restrict transformation has been improved to generate more robust proofs, which get around certain ACL2 heuristics.

Minor improvements were made to rename-params (fixed handling of ignores), finite-difference (e.g., :extra-guard option), wrap-output, drop-irrelevant-params, and rename-params.

Documentation was improved.

The def utility for wrapping calls to transformations was added.

Arithmetic Light Library (kestrel/arithmetic-light/)

Various rules have been added/improved, proofs have been sped up, new books have been added, and library organization has been improved. Dependence on other libraries, such as ihs, has been reduced. Some work was done to get more books working with ACL2(r).

Axe Toolkit

Many improvements have been made to the Axe toolkit. These include improvements to the legacy Axe tools (Rewriter, Prover, and Equivalence checker) as well as to the new tools (rewriters, provers, etc.) that we are creating. These new tools are generated from a template for various applications, and we sometimes refer to them as generated rewriters, generated provers, etc. Improvements specific to individual Axe variants (for x86, JVM, and R1CS reasoning) are discussed in further sections, below.

Various Axe-specific rewrite rules have been added, improved, organized, and renamed. Rule-lists have also been improved in many ways (e.g., to build in more simplifications).

Axe rewriters were improved in various ways (most of these improvements apply to the new, generated rewriters). Handling of if was improved when the test can be resolved. Rewriting of bvif now assumes the test when rewriting the then-branch (and assumes the negation of the test when rewriting the else-branch). When rewriting a DAG node that is an if or myif, replacements of the test that preserve iff are allowed. Non-nil branches of boolifs now rewrite to t (since boolif bool-fixes them). Equality assumptions are interpreted as directed equalities and used to replace terms as indicated. A new variant of hit-counting efficiently counts only the total number of hits, not the number per rule. Generate rewriters now use (approximate) internal context information.

When memoization is enabled, generated rewriters now do two rewrites, first with memoization and then a second one using node contexts (but no memoization, for soundness). We sometimes need to use the node contexts, but we also want memoization turned on when most of the work is being done (this can make a huge difference in the speed of large rewrites). When a rewriter does makes two passes, it now ensures the reduced rule limits from pass 1 are passed to pass 2.

Axe rules now support binding hypotheses. These must be wrapped in calls of the identity function axe-binding-hyp.

Lambdas are no longer always expanded in normal hypotheses of Axe rules. Instead, we call pre-simplify-term to apply various theory-independent simplifications to them (e.g., removing unnecessary lambda bindings, such as those that bind variables to constants). The same simplifications are also now applied to the right hand sides of Axe rules.

Various theorems were proved about the implementation of Axe itself, and theorems were added to justify some of Axe's operations (e.g., simplifications it makes). Many skip-proofs in the legacy Axe tools were removed, and more code was put into :logic mode. Many guards were added, improved, or strengthened, and more code has been guard verified. Proofs about the implementation (e.g., termination, guard, and return type proofs) were sped up and made more robust. Many clarifications were made to the code, and code style was modernized.

Generated provers now support the :var-ordering option to prevent undesirable substitutions. The new prover tactic :rewrite-top causes rewriting only of literals whose top nodes match rewrite rules. A rare completeness issue was fixed, and each generated prover can now have its own set of default-global-rules. The :extra-global-rules and :count-hits options were also added. Handling of empty clauses was improved. Some quadratic prover behaviors (in the number of literals) are now avoided.

The dependencies of Axe were reduced, as were the rules exported when Axe is included (e.g., rules Axe uses to reason about its own implementation).

The Tactic Prover now applies a set of rewrite rules before calling STP on a goal. These prepare the proof for STP by rewriting unsupported constructs into supported ones (e.g., splitting rotations with non-constant rotation amounts into cases). Also, a :sweep-and-merge tactic is being added (currently it just prints the probable facts). Improvements have also been made to probable fact finding.

At least one fix was made to the STP translation, and supporting analyses, such as type inference, were improved and clarified. The formalization of Axe types was improved (including some long awaited changes), and better error checking is now done. STP calls record the time taken. The environment variable STP can now override the default location of STP. More options have been added to the stp-clause-processor.

The ACL2_STP_VARIETY environment variable now controls how STP is to be called, specifically the max conflicts option. The default is 2, and a value of 3 should work with the latest STP. See stp.

A :max-conflicts option was added to the query tool.

The prove-equivalence2 tool was renamed to prove-equal-with-tactics.

Evaluation was improved to build more functions into the evaluators.

Tests and examples were added and improved (e.g., when new tool options reduce user input required). New examples include some Axe verifications of AES implementations. Documentation has also been improved.

Pruning of unreachable if branches has been improved (evaluating additional ground terms and supporting boolif and bvif). More assumptions are now used when pruning as well.

The implementation was optimized in various ways, e.g. by using stobjs and fast-alists, by using tshell-call instead of sys-call (much faster), and by having the memoization use a tree hash that is less likely to have collisions. Generated rewriters were optimized to gather groups of common arguments into a stobjs, to reduce the number of arguments that have to be pushed for each call. A second rewriting pass (to use internal contextual information) is now avoided when there are no ifs (or similar functions).

The Equivalence Checker now allows the :types argument (usually an alist) to be just :bits or :bytes, which is taken to describe all variables. The :prove-theorem option (default nil) was added to control whether an ACL2 theorem is generated after the proof. Also, bv-array-if can now appear in pure DAGs. Finally, after proving a node is constant, the tool doesn't then try to merge it with a smaller node.

The unroll-spec-basic tool now uses a better set of rules, and the :assumptions argument can now be :bytes or :bits, meaning to assume all variables have those types.

Printing was significantly improved (e.g., to print elapsed times, to print more information for failures, and to elide uninteresting output). Counterexample printing has also been improved, as has printing when monitoring rules (only printing relevant DAG nodes and suppressing printing of huge assumptions) and when printing assumptions (adding the ability to elide given function calls).

Axe JVM toolkit (kestrel/axe/jvm/)

The Java Formal Unit Tester now analyzes all methods whose names start with test or fail_test, with the latter former expected to pass and the latter expected to fail. The Formal Unit Tester was improved in other ways (e.g., handling of type assumptions for arrays), and several examples of using it have been added. The unroll-java-code tool has been improved in several ways, and the model of exception handling was also improved.

Axe R1CS toolkit (kestrel/axe/r1cs/)

The R1CS variant of Axe has benefited from many of the general Axe improvements mentioned above, especially scalability improvements to generated provers. Also, more global rules have been built in.

Axe x86 toolkit (kestrel/axe/x86/)

Many improvements were made to the x86 variant of Axe, including incorporation of improved rules and normal forms from the kestrel/x86 library (described below). Some of these improvements are in-progress and are currently being further improved. Further Caveat: Some improvements described in this section apply only to lifting of 64-bit code, or only to the Lifter variant that unrolls loops.

The x86 Axe tools now use an Axe Rewriter variant specialized for x86 reasoning.

A new tool, prove-functions-equivalent, can be used to directly show equivalence of two (simple) x86 binary functions.

Support for parsing and lifting ELF files was added, as was a :position-independent option.

Lifting of x86 code into logic was improved in many ways, including new rules, new normal forms, improved rule-lists, better support for floating-point operations, better debugging, more ways to indicate which components of the final state should be extracted, and improved generation of assumptions for lifting. The :assumptions option has been renamed to :extra-assumptions (these augment, not replace, the assumptions added by the tool). A new :untranslatep option controls whether to untranslate terms when printing.

Lifting has been optimized (e.g., by avoiding passing in unhelpful assumptions when pruning). Also, the Lifter avoids opening fetch-decode-execute unless it can resolve the next instruction byte. This can make failures easier to read. The Lifter now ensures that the result is simplified, even in the special case when pruning finished the run by pruning away all non-finished branches. The Lifter no longer generates a theorem by default (since the theorem assumptions mention the program, printing the theorem can crash the pretty printer if the program is large). However, when the theorem is generated, the automatically generated assumptions are now included.

The ability to name and describe the types of inputs was added. This can help the tools put in some assumptions automatically. If this option is used, the Lifter puts in assumptions about the inputs being separate from the code and the saved return address. Also, the assumptions about inputs being disjoint from subsequent stack slots are now sensitive to the number of stack slots specified. For an array input, variables can now be introduced for individual elements. The scheme for introducing variable for registers has been improved, and type assumptions are now generated for these variables. Initial support for Lifter :output-indicators that are SIMD registers has been added.

The order of parameters in generated functions has been improved (to match x86 calling conventions), and the :non-executable option can now take the value :auto.

The Axe x86 tools now always use if, not myif. Since ACL2 rewrite rules can now target calls of if, myif is less important and may be deprecated.

An executable to be lifted must now be indicated by giving its path. Passing in an entire parsed executable, as was previously done, is now deprecated.

Examples were added, including a proof of an x86 implementation of the TEA block cipher, and an example of lifting and verifying a recursive x86 factorial program.

A Formal Unit Tester for x86 binaries was added. This can be used to augment unit test suites with small proofs about binary programs.

Bit-vector Library (kestrel/bv/)

A large number of bit-vector rules were added, collected, improved, and renamed. One focus was on rules that introduce BV operators by rewriting arithmetic or bitops or rtl terms. Add new scheme for splitting leftrotate into cases was introduced. Quite a few rules have been disabled by default. Some proofs were sped up (especially the adder proofs). Library organization was improved. Some definitions were split into separate books, to support including them without all of the corresponding rules.

Functions bvxor2, bvor2, and bvand2 have been renamed to bvxorn, bvorn, and bvandn.

New functions bitxor$, bitand$, and bitor$ have been added (faster, via stricter guards).

The book logand2.lisp was renamed to logand-b.lisp.

A typed bit-vector equality operation bvequal was added, as was the function putbyte to replace a byte in a bit-vector.

The functions bvshl and bvshr have been improved to support nicer type theorems.

Bit-vector Lists Library (kestrel/bv-lists/)

Various rules have been added/improved (e.g., rules about bit packing), the function packbvs-little was added, a book about reading contiguous chunks of elements from BV arrays has been added, and library organization has been improved.

Booleans Library (kestrel/booleans/)

Various rules have been added/improved, and library organization has been improved.

C Library

C Language Formalization

The language formalization has been simplified and moved out of ATC and into the C formalization proper, i.e. into the deep embedding of C in ACL2, which is now independent from the shallow embedding of C in ACL2.

Support has been added for external object definitions (i.e. global variables) of array types.

Support has been added for structures with flexible array members.

An initial simple model of preprocessing has been added, along with support for file sets consisting of headers and source files.

An ABNF grammar for a subset of C has been added.

Tool-Oriented C Syntax

A new sub-library has been added, which contains an abstract syntax, and accompanying concrete syntax formulation, intended for use by tools like code generators and transformers. This sub-library also includes a parser from the concrete to the abstract syntax, a printer from the abstract syntax to the concrete syntax, and other tools to operate on this syntax.

ATC, the C Code Generator for ACL2

Support has been added for external object definitions (i.e. global variables) of array types, via a new c::defobject event macro.

The user documentation of c::defstruct has been extended and improved.

The event macro c::defstruct has been extended to support flexible array members. This macro has also been extended to generate struct constructors as well as whole-array-member readers and writers.

Support has been added to represent and generate code that handles structures by value, in addition to code that handles structures by pointer.

An option to generate header files has been added. The previous keyed option to specify the output file path has been replaced with two keyed options to specify the output directory path and the file name without the extension.

A new proof generation approach has been started, where smaller, more modular proofs are generated for each generated C construct. This new approach will co-exist with the current one, until the former will replace the latter.

C Transformation Tools

A new sub-library has been added, which contains tools to perform C-to-C transformations.

Centaur Library

A soundness issue was fixed in tshell-call, which was modified to take and return state. To accommodate users who do not wish to refactor to this new stateful variant, the old version was retained and moved to a new book under the name tshell-call-unsound.

Improvements to decomposition proof methodology in VL/SVTV framework. New support for reasoning about FSMs based on SVTV symbolic simulations. New efficient method for equivalence checking two different evaluations of the same SVEX. Improvements to SVTV-CHASE debugging tool including mode for comparing two runs.

Improved AIGNET transforms -- new BDD parametrization transform, updates to allow AIG pointer arguments to transformation configs

Add exhaustive AIG simulation as a SAT checking option in FGL

Clean up and add various improvements to def-bounds tool

Clause Processors Library (kestrel/clause-processors/)

Library organization was improved and a :well-formedness-guarantee was added.

Cryptography Library (kestrel/crypto/)

Formal specifications have been added for the AES block cipher, the TEA block cipher, and the SHA-3 hash function. Proofs have been done to connect the SHA-3 spec to the Keccak spec.

The formalization of rank-1 constraint systems (R1CSes) has been improved in various ways (e.g., added/generalized rules, added dense form of R1CSes, imported primep into the package).

Demos Library

See directory demos/include-raw-examples/ for examples demonstrating the use of include-raw and partial-encapsulate.

Digits Library

Several theorems have been added.

The defdigits tool has been extended to generate additional theorems.

Evaluators Library (kestrel/evaluators/)

The defevaluator+ tool has been improved in various ways, and a related tool (defevaluator-theorems) has been added.

File IO Light Library (kestrel/file-io-light/)

Various rules have been added/improved (e.g., rules about princ$, prin1$, open-output-channel, and open-output-channel!), and library organization has been improved. New books have been added (e.g., about close-input-channel, close-output-channel, typed-io-listp, print-object$-fn, and newline. Functions read-objects-from-file-with-pkg, read-file-into-line-list, and read-file-into-line-list-no-error have been added, and channel-headerp has been removed (now built-in). Function read-objects-from-channel-aux has been simplified.

Fixtype Library

In the library of result types, some names have been improved.

A fixtype pos-set for sets of positive integers has been added, along with some operations on these sets.

Helpers Library (kestrel/helpers/)

The Helpers Library has been significantly improved.

A new Proof Advice tool has been added to help create and repair ACL2 proofs. The tool can get proof help over the web, from machine learning models running on servers. It also applies some proof search heuristics. Tools have also added to experimentally evaluate how well the Proof Advice tool performs.

A new tool, repair-book, has been added to repair failed ACL2 proofs based on information previously saved during successful proofs.

The improve-book tool has been improved. It has also been used to improve various other books and libraries.

A new utility, speed-up-book, has been added. It attempts to speed up a given book in various ways. It has been used to speed up the certification of various other books and libraries.

An ACL2 Linter tool was improved and moved to this library.

Hypertext Client Library (kestrel/htclient/)

A lightweight variant of HTTP post has been added.

JSON Parser (kestrel/json-parser/)

The parser now uses more tail recursion. Function parse-string-as-json and macro defconst-from-json-file have been added. Some rules and tests have been added/improved, proofs have been sped up, and library organization has been improved.

JVM Models (models/jvm/)

A few new example proof files were added to models/jvm/guard-verified-m1/m1.lisp to illustrate reasoning about non-terminating programs. These files were already included in the unguarded version of m1 on the directory models/jvm/m1/m1.lisp so no new proof techniques are demonstrated.

A new subdirectory, models/jvm/m2/, was added. M2 is like m1 but also formalizes versions of the JVM's invokevirtual, invokestatic, return, and the instructions for allocating and manipulating Objects. No claim is made that m2 is exactly compliant with the JVM spec, but the model does show a way to model subroutine call and object manipulation (with inheritance). The directory also includes example proofs of programs involving these features.

JVM Model (Kestrel) (kestrel/jvm/)

Various small improvements and fixes were made. The load-class-XXX utilities were renamed to read-class-XXX. Error reporting in the class file parser was improved. Support for reading code directly from .jar files was added.

Kestrel Utilities Library

Added utility show-books, which returns a tree representing the books included in the current ACL2 session.

The utility checkpoint-list and related utilities now show top-level checkpoints even in the case of reverting to prove the original goal by induction, and label them accordingly.

Various new utilities have been added, including most-recent-failed-theorem-goal, translatable-term-listp, dir-of-path, all-included-books, defthms-in-world, extend-pathnames$, sys-call-event, split-path, reduce-print-level, pack-in-package, eval-tests, setenv$-event, prove$-nice-trying-hints, prove$-nice-with-time-and-steps, last-prover-steps$, merge-sort-string<, and utilities for parsing strings.

New data structures have been added, including fast-alist-set (an efficient implementation of sets using fast-alists) and array-stobj (a stobj containing a single array, of elements of any type)

New books on have been created about read-acl2-oracle, update-acl2-oracle, invariant-risk, getenv$, get-serialize-character, plist-worldp, char-code, widening margins, strip-cadrs, >=-len, our-digit-char-p, read-run-time, get-cpu-time, get-real-time, put-global and get-global, ppr2, doublet-listp, and add-prefix and add-prefix-to-fn.

Various rules have been added (e.g., about world, state, channels, assoc-keyword setting margins, coerce, non-trivial-bindings, map-symbol-name, merge-sort-symbol<, and acl2-count).

Library organization has been improved (e.g., splitting out material on byte-array-stobj and unquote-list into new books. Also, more tests have been added.

Various improvement have been made, including to prove$-nice and prove$+, the declare-handling utilities, defxdoc-for-macro, ubi, the utilities dealing with temporary directories, and to material about conjuncts/disjuncts, acl2-count, my-get-event (add support for defmacro and deftheory), print-to-hundredths (support negative values), and ld-history.

The utility defopeners-mut-rec has been deprecated (just use defopeners).

The utility archive-topics-for-books-tree has a new option, :include-defxdoc-raw-topicsp.

The defmergesort utility has been improved (:extra-theorems option), and the first two arguments of defmergesort have been swapped (putting the name of the sorting function, not the merging function, first).

New utilities shuffle-array-stobj, shuffle-array-stobj2, shuffle-list, and shuffle-list2 were added. These use a Fisher-Yates shuffle.

The defstobj+ utility has been improved. It generates more theorems (e.g., about hash-table fields, although these are still not fully supported) and puts in better hints. More tests have been added.

The utility make-var-name-range has been renamed to make-var-names-from.

Lists Light Library (kestrel/lists-light/)

Various rules about list functions have been added or collected (e.g., rules about union-equal and remove-equal). Various books have been added (e.g., about position-equal-ac and position-equal). Various list utilities have been added (e.g., filter-non-members and union-equal-alt (which keeps earlier duplicates)). Library organization has been improved.

Meta-reasoning Library (kestrel/meta/)

Some experiments have been added verifying rewriter-like tools using :meta-extract.

Number Theory Library

The library projects/quadratic-reciprocity/, which was originally dedicated to a proof of the theorem of that name, is being extended with a variety of number-theoretic results. Therefore, the path to the directory has been changed to projects/numbers/.

Number Theory Library (Kestrel) (kestrel/number-theory/)

Some new symbols have been imported into the PRIMES package, notably dm::primep.

Ordered Bags (Obags) Library

Renamed obag::empty to obag::emptyp.

Ordered Maps (Omaps) Library

This library have been moved from [books]/kestrel/utilities/omaps/ to [books]/std/omaps/. So omaps are now part of the Std library, as the Std/omaps sub-library.

Added some theorems.

Disabled some rules.

Improved documentation and organization.

Renamed omap::empty to omap::emptyp.

Renamed omap::in to omap::assoc.

PFCS (Prime Field Constraint System) Library

The library has been moved from [books]/kestrel/crypto/pfcs to [books]/projects/pfcs.

A concrete syntax for PFCSes, in the form of an ABNF grammar, has been defined.

The abstract syntax has been improved by using strings instead of symbols for names of relations and variables. This is more consistent with the concrete syntax.

Convenience constructors for the abstract syntax have been added.

Utilities have been added to build indexed names, useful for defining families of PFCS gadgets. The utilities are accompanied by theorems, useful to prove certain properties about the gadget families.

The formal notion of system (in the PFCS sense) has been improved, to be more in line with the general notion of constraint system.

Some arguments of semantic functions have been put into a more natural order.

Some theorems have been added and other theorems have been improved.

The documentation has been extended and improved.

A translator from R1CSes to PFCSes has been added, along with a checker for PFCSes that are in the R1CS subset, and along with a notion of structured R1CSes.

General rules have been added to support reasoning about PFCSes in a compositional way, and without having to deal explicitly with the proof trees used to define the PFCS semantics. See pfcs::proof-support for details.

A proof-generating lifter from deeply to shallowly embedded PFCSes has been added, so that one can more easily reason about the shallowly embedded form and mechanically transfer the reasoning to the deeply embedded form.

Prime Fields Library (kestrel/prime-fields/)

Some new symbols have been imported into the PFIELD package, notably dm::primep. Code has been simplified and rules have been added/improved.

RTL Library

Some proofs have been significantly sped up.

Sequences Library (kestrel/sequences/)

The tools defforall and defforall-simple have been improved to put generated names in the same package as the main function.

Standard Basic Library

The Std/basic books extensions in [books]/kestrel/std/basic have been integrated into [books]/std/basic.

Standard IO Library

A lightweight version of read-string, read-string-light, was added.

Some file-measure proofs were greatly sped up.

Standard Lists Library

The std::deflist utility now adds -compound-recognizer to some rule names, to avoid name clashes.

Standard IO Library

Read-string and read-string-light-fn now take a required package argument, which can be nil to represent the current-package, thus providing the previous behavior.

Standard Strings Library

The Std/strings books extensions in [books]/kestrel/std/strings have been integrated into [books]/std/strings.

The recognizers of digit characters in various bases have been renamed to have the suffix -list*p, because they are loose list recognizers. New recognizers have been added with suffix -listp for true lists of such digit characters.

Standard System Library

The Std/system books extensions in [books]/kestrel/std/system have been integrated into [books]/std/system.

A new utility untranslate$ has been added, which is a logic-mode guard-verified version of untranslate. See the documentation for details, including functional differences with untranslate.

A new utility genvar$ has been added, which is a logic-mode guard-verified version of genvar. See the documentation for details, including functional differences with genvar.

A new utility one-way-unify$ has been added, which is a logic-mode guard-verified version of the built-in one-way-unify. See the documentation for details, including functional differences with one-way-unify.

A new utility termination-theorem$ has been added, which is a logic-mode guard-verified version of the built-in termination-theorem. See the documentation for details, including functional differences with termination-theorem.

A new utility guard-theorem-no-simplify has been added, which is based on the built-in guard-theorem but does no simplification and does not take a state argument. See the documentation for details, and for why it may be useful.

A new utility guard-theorem-no-simplify$ has been added, which is a logic-mode guard-verified version of the built-in guard-theorem-no-simplify. See the documentation for details, including functional differences with guard-theorem-no-simplify.

Theorems about the built-in fsubcor-var have been added.

Standard Osets Library

The set::empty function has been renamed to set::emptyp.

A variant without backchain limit of the set::double-containment rule has been added, disabled by default.

Standard Typed Alists Library

Some theorems have been added.

Standard Utilities Library

The Std/util books extensions in [books]/kestrel/std/util have been integrated into [books]/std/util.

The er binder of b* has been extended with an option :iferr to return an alternative value in the error triple in case of error. See the latest documentation for details.

New utilities for error-value tuples have been added, to facilitate the generation, propagation, and catching of errors in statically strongly typed code that implements tools.

A new event macro defirrelevant has been added, which automates some of the boilerplate related to defining an irrelevant value of a given type (usable as a dummy value, but of appropriate type). Typically useful for irrelevant values of structured fixtypes.

The defines macro was extended to allow the :verify-guards :after-returns option. As in define, this option delays the guard proof until just after the std::returns-specifiers.

The std::defaggregate utility has been improved to allow its calls to be local. Also, its proofs have been made more robust.

The define utility has been prevented from turning on error output if that output was already inhibited.

Strings Light Library (kestrel/strings-light/)

New functions have been added, including strnthcdr, strip-suffix-from-string, strip-suffix-from-strings, decimal-digit-to-char, decimal-digit-to-string, string-starts-withp, add-prefix-to-strings, split-string-last strip-prefix-from-string, strings-starting-with, functions to parse strings as decimal numbers, and functions to remove/collapse whitespace. The function string-ends-inp has been renamed string-ends-withp. A new book about the function char was added. Various rules have been added/improved, and tests have been added.

Terms Light Library (kestrel/terms-light/)

A variety of term-processing utilities have been added, improved, or collected. These involve things like free variables, substitution, getting rid of various kinds of unnecessary lambdas or lambda bindings, etc. Several of the utilities have had various properties proved, including that they preserve the meaning of terms, preserve various well-formedness properties of terms, do not introduce free variables, etc. The function pre-simplify-term (previously called simplify-lambdas) combines several helpful simplifications. New books have been added about functions such as all-fnnames1, get-conjuncts, get-hyps-and-conc, etc.

Tools Library

The tool, with-supporters, has been substantially enhanced.

The tool, prove$, now treats hard errors as ordinary failures by default, just as for soft errors. It also now suppresses time-limit and theory-invariant error printing as it does for step-limit error printing.

The time-tracker capability and ‘Hons-Note’ printing are now turned off by the run-script tool, to avoid output that differs from what is expected (say, due to running on a slow machine, or with many threads when few are available).

Tools functions-after and macros-after return names of functions and macros, respectively, that were introduced after a given name.

Make-flag now causes a user-friendly error when the formal parameters list is changed by an alternative definition specified by the :BODY argument.

A new tools/top book was created and included in the manual instead of individual tools.

Typed Lists Light Library (kestrel/typed-lists-light/)

New books were added about subseq, strcar, strcdr, symbol-alist-listp, symbol-term-alist-listp, alist-listp, map-strip-cdrs, and all-digit-charsp. Various rules have been added, as has the function (e.g., string-list-listp). Dependencies were reduced and organization improved.

Unicode Light Library (kestrel/unicode-light/)

New functions code-point-to-utf-8-bytes and code-point-to-utf-8-string have been added. Also, the relationship between code-point-to-utf-8-bytes and code-point-to-utf-8-chars was proved.

Untranslated Terms Library (kestrel/untranslated-terms/)

Library organization has been improved (legacy utilities have been moved). More utilities on untranslated terms have been added, including ones to get conjuncts and disjuncts and to collect free variables. Support for let, mv-let, b*, case, case-match, and cond has been improved.

X86ISA Library

Support has been added for the following VEX instructions:

• SHL, SHRX, SARX
• VMOVUPS
• VZEROUPPER
• VANDPD, VANDPS, VANDNPD, VANDNPS, VORPD, VORPS, VXORPD, VXORPS, VPAND, VPANDN, VPOR, VPXOR
• VPADDB, VPADDW, VPADDD, VPADDQ (VEX versions)
• VPSUBB, VPSUBW, VPSUBD, VPSUBQ (VEX versions)

Support has been added for the following instructions:

• MOVDQA
• PADDB, PADDW, PADDD, PADDQ (SSE versions)
• PSUBB, PSUBW, PSUBD, PSUBQ (SSE versions)
• PSLLDQ, PSRLDQ (SSE versions)

Some memory accessing functions for larger sizes have been added.

A number of improvements were made to the model in support of booting a slightly modified Linux kernel on it. These include various instruction bug fixes, a handful of new instructions, a translation lookaside buffer (TLB), and support for exception/interrupt handling, a timer peripheral, and a TTY peripheral. Additionally, there is a new validation mechanism that uses co-simulation with a virtual machine running in KVM to find bugs in the model. All these changes, along with instructions on how to boot Linux on the model are documented in the x86isa documentation.

X86 Library (Kestrel) (kestrel/x86/)

A large number of changes have been made to this library, including adding, improving, and organizing many rules supporting Axe's symbolic execution of x86 code, especially in 64-bit mode. These include rules about flags, branch conditions, reading and writing to memory, and floating-point computations. Also added/improved were rules for introducing alternate definitions and normal forms, for the purposes of readability, compatibility with Axe, or more efficient or more predictable symbolic execution.

Utilities for generating assumptions for symbolic execution were also improved.

A great many additions to the X package were made.

Improvements were made to the ELF parser and related tools, and a new tool, elf-info, was added to print information about ELF files.

XDOC Library

There is now XDOC support for Greek letters and more mathematical symbols. See xdoc::entities.

ZCash Library (kestrel/zcash/)

A :var-ordering option has been added to verify-zcash-r1cs, and primep has been imported into the package.

Documentation

Doc topics builtin-defthms and builtin-defaxioms have been added.

A new doc topic, 100-theorems, was added to collect ACL2 proofs of theorems from the Formalizing 100 Theorems project. Several proofs of additional theorems from the list have also been added by the ACL2 community.

Licensing Changes

Build System Updates

Support for ‘make’ variable ACL2_COMP has been removed. This variable was used for automating the creation of compiled files for books, for host Lisps other than the one that was used when certifying the books. The include-book keyword value :load-compiled-file :comp may still be used with an individual book for this purpose.

A new build::cert_param, non-acl2p, has been added. It can be used to exclude books from ACL2(p) builds.

The build::cert.pl tool now checks the FAILURE_LINES environment variable. This can be used to override the number of lines printed for a failed (or interrupted) certification (which is 300, by default). These lines come from the cert.out file.

`The Makefile and scripts used by the Jenkins continuous integration system were improved (especially comments and printing). The CPU load is now limited to the value of the BOOK_PARALLELISM_LEVEL variable.

Testing

Miscellaneous

The utilities install-not-normalized and install-not-normalized-event have been tweaked to use the so-called unnormalized body, which can avoid errors for functions that call wormhole-eval.

The utilities er-soft-logic and er-soft+ are unchanged. But one might consider avoiding those two utilities now that (er soft ...) may be used in :logic mode (however, at the cost of generating guard proof obligations).

The book system/top.lisp has changed, the main effect being that although it still includes the book fmx-cw in that directory, that book has changed significantly. The lemmas formerly in fmx-cw are now in a new book, fmx-cw-support, which is not included in system/top.lisp.

The behavior of function computed-hint-rewrite in community-book books/misc/computed-hint-rewrite.lisp has been tweaked to be properly in sync with that of source function simplify-clause.

For textual rendering of documentation, added blank lines between list items within <ul>..</ul> or <ol>..</ol>. This affects both documentation displays at the terminal with the :doc command as well as displays in the ACL2-doc browser.

The SEO optimized copy of the web based XDOC manual has been updated to take the `xkey` corresponding to the current page as a query parameter instead of part of the path. This allows all the pages to be ratelimited as a single page by `mod_evasive`.

Several developments have been put into more appropriate packages, including projects/numbers, projects/curve25519, projects/shnf, and workshops/2022/russinoff-groups (now all in the DM package), workshops/2022/russinoff-calendar (now in the ACL2 package), and some utilities from rtl (now in the ACL2 package).