• Top
  • Documentation
    • Xdoc
    • ACL2-doc
    • Recursion-and-induction
    • Loop$-primer
    • Operational-semantics
      • Operational-semantics-3__annotated-bibliography
        • Bib::bhmy89
        • Bib::liu06
        • Bib::bm96
        • Bib::plotkin04b
        • Bib::bgm90
        • Bib::hkms17
        • Bib::bkm96
        • Bib::moore15
        • Bib::bh99
        • Bib::wilding93
        • Bib::plotkin04a
        • Bib::moore03b
        • Bib::mp02
        • Bib::moore19
        • Bib::manolios00
        • Bib::flatau92
        • Bib::hb92
        • Bib::bm05
        • Bib::goel16
        • Bib::bm73
        • Bib::ghk17
        • Bib::wilding92
        • Bib::moore17
        • Bib::moore96
        • Bib::ghkg14
        • Bib::yu92
        • Bib::hunt85
        • Bib::boh03
        • Bib::mmrv06
        • Bib::bm80
        • Bib::bh97
        • Bib::moore99b
        • Bib::moore14
        • Bib::rm04
        • Bib::by96
        • Bib::sawada00
        • Bib::mccarthy62
        • Bib::bm79
        • Bib::moore99a
        • Bib::sh98
        • Bib::rhmm07
        • Bib::kmm00a
        • Bib::ghk13
        • Bib::moore03a
        • Bib::hk12
        • Bib::mp67
        • Bib::young88
        • Bib::bm97
        • Bib::moore73
        • Bib::kmm00b
        • Bib::bevier87
      • Operational-semantics-1__simple-example
      • Operational-semantics-2__other-examples
      • Operational-semantics-5__history-etc
      • Operational-semantics-4__how-to-find-things
    • Pointers
    • Doc
    • Documentation-copyright
    • Course-materials
    • Args
    • ACL2-doc-summary
    • Finding-documentation
    • Broken-link
    • Doc-terminal-test-2
    • Doc-terminal-test-1
  • Books
  • Boolean-reasoning
  • Projects
  • Debugging
  • Std
  • Proof-automation
  • Macro-libraries
  • ACL2
  • Interfacing-tools
  • Hardware-verification
  • Software-verification
  • Math
  • Testing-utilities

• Operational-semantics-3__annotated-bibliography

Bib::bm05

B. Brock and J S. Moore, “A Mechanically Checked Proof of a Comparator Sort Algorithm”, in M. Broy, J. Gruenbauer, D. Harel, and C. A. R. Hoare, editors, Engineering Theories of Software Intensive Systems, Springer NATO Science Series II, 195, pp. 141-175, 2005.



Relevance: an example of proving that the state transformation effected by running a CAP model on commercial microcode implements the high level specification

———

Abstract

We describe a mechanically checked correctness proof for the comparator sort algorithm underlying a microcode program in a commercially designed digital signal processing chip. The abstract algorithm uses an unlimited number of systolic comparator modules to sort a stream of data. In addition to proving that the algorithm produces an ordered permutation of its input, we prove two theorems that are important to verifying the microcode implementation. These theorems describe how positive and negative “infinities” can be streamed into the array of comparators to achieve certain effects. Interesting generalizations are necessary in order to prove these theorems inductively. The mechanical proofs were carried out with the ACL2 theorem prover. We find these proofs both mathematically interesting and illustrative of the kind of mathematics that must be done to verify software.

———

For the 1997 ACL2 proof script see books/misc/csort.lisp. The long delay between when the work was done (1997) and when it was published (2005) is due both to the understandable sensitivity of companies to permit publication of anything that might reveal proprietary intellectual property, combined with the rarity of suitable venues to describe exceedingly practical formal methods applications. (Despite this phenomenon, working closely with industry is the only way to build tools that meet their needs.)

See the discussion of the CAP DSP project in operational-semantics-2__other-examples.