• Top
    • Documentation
    • Books
    • Boolean-reasoning
    • Projects
    • Debugging
    • Std
    • Proof-automation
    • Macro-libraries
    • ACL2
      • Theories
      • Rule-classes
      • Proof-builder
      • Recursion-and-induction
      • Hons-and-memoization
      • Events
      • Parallelism
      • History
      • Programming
        • Defun
        • Declare
        • System-utilities
        • Stobj
        • State
        • Mutual-recursion
        • Memoize
        • Mbe
        • Io
        • Defpkg
        • Apply$
        • Loop$
        • Programming-with-state
        • Arrays
        • Characters
        • Time$
        • Loop$-primer
        • Fast-alists
        • Defconst
        • Defmacro
        • Evaluation
        • Guard
          • Verify-guards
          • Mbe
          • Set-guard-checking
          • Ec-call
          • Print-gv
          • The
          • Guards-and-evaluation
          • Guard-debug
          • Set-check-invariant-risk
          • Guard-evaluation-table
          • Guard-evaluation-examples-log
          • Guard-example
          • Defthmg
          • Invariant-risk
          • With-guard-checking
          • Guard-miscellany
          • Guard-holders
          • Guard-formula-utilities
          • Set-verify-guards-eagerness
          • Guard-quick-reference
          • Set-register-invariant-risk
          • Guards-for-specification
          • Guard-evaluation-examples-script
          • Guard-introduction
          • Program-only
          • Non-exec
          • Set-guard-msg
          • Safe-mode
            • Safe-mode-cheat-sheet
          • Set-print-gv-defaults
          • Guard-theorem-example
          • With-guard-checking-event
          • With-guard-checking-error-triple
          • Guard-checking-inhibited
          • Extra-info
        • Equality-variants
        • Compilation
        • Hons
        • ACL2-built-ins
        • Developers-guide
        • System-attachments
        • Advanced-features
        • Set-check-invariant-risk
        • Numbers
        • Irrelevant-formals
        • Efficiency
        • Introduction-to-programming-in-ACL2-for-those-who-know-lisp
        • Redefining-programs
        • Lists
        • Invariant-risk
        • Errors
        • Defabbrev
        • Conses
        • Alists
        • Set-register-invariant-risk
        • Strings
        • Program-wrapper
        • Get-internal-time
        • Basics
        • Packages
        • Oracle-eval
        • Defmacro-untouchable
        • Primitive
        • <<
        • Revert-world
        • Unmemoize
        • Set-duplicate-keys-action
        • Symbols
        • Def-list-constructor
        • Easy-simplify-term
        • Defiteration
        • Fake-oracle-eval
        • Defopen
        • Sleep
      • Operational-semantics
      • Real
      • Start-here
      • Debugging
      • Miscellaneous
      • Output-controls
      • Macros
      • Interfacing-tools
    • Interfacing-tools
    • Hardware-verification
    • Software-verification
    • Math
    • Testing-utilities
  • Guard
  • Macros

Safe-mode

A mode that avoids guard violations on primitives

ACL2 has a special mode, called ``safe mode'', that guarantees that built-in ACL2 primitives check their guards even even when set-guard-checking has turned off guard-checking. This mode is used for macroexpansion as well as in processing a few other kinds of forms, notably defconst, defpkg, and value-triple events.

Use of this mode avoids the possibility of certain errors when loading a compiled file for a book. Consider the following definitions.

(defun foo (x) (declare (xargs :guard (consp x))) (car x))
(defmacro bar () (foo 3))

Then we can see safe-mode in action as follows.

ACL2 !>(set-guard-checking nil)

Masking guard violations but still checking guards except for self-
recursive calls.  To avoid guard checking entirely, :SET-GUARD-CHECKING
:NONE.  See :DOC set-guard-checking.

ACL2 >(bar)


ACL2 Error in TOP-LEVEL:  In the attempt to macroexpand the form (BAR),
evaluation of the macro body caused the following error:

The guard for the function call (CAR X), which is
(OR (CONSP X) (EQUAL X NIL)), is violated by the arguments in the call
(CAR 3).  The guard is being checked because this function is a primitive
and a "safe" mode is being used for defconst, defpkg, macroexpansion,
or another operation where safe mode is required.  To debug see :DOC
print-gv, see :DOC trace, and see :DOC wet.

ACL2 >

Notice that because of the set-guard-checking call above, no guard violation was reported for foo. However, safe-mode caused the call of the primitive, car, to be guard-checked, and a violation was reported.

To understand how safe-mode works we refer to the notion of ``executable-counterpart''; see evaluation for relevant background. ACL2 arranges for that for the executable-counterpart of any program mode function, F, then for every called subroutine G of F that is in program mode, the executable-counterpart of G is called rather than the raw Lisp function for G. This may result in an attempt to evaluate a so-called ``program-only'' function in safe-mode, which is illegal. See safe-mode-cheat-sheet for possible workarounds.

Subtopics

Safe-mode-cheat-sheet
Working around ``program-only'' issues