UNCERTIFIED-BOOKS.html -- ACL2 Version 6.3

UNCERTIFIED-BOOKS

invalid certificates and uncertified books

Major Section:  BOOKS

For relevant background see books, see certificate, and see portcullis.

Include-book has a special provision for dealing with an uncertified book, i.e., a file with no certificate or an invalid certificate (i.e., one whose check sums describe files other than the ones actually read). In this case, a warning is printed and the book is otherwise processed much as though it were certified and had an open portcullis.

If a book B.lisp is uncertified and a file B.port exists, then the forms in B.port are evaluated before the forms in B.lisp. Such a file B.port is typically created calling certify-book on book "B" with argument :write-port t, so that B.port contains the portcullis commands for B (the commands present in the world when that certification was attempted).

Inclusion of uncertified books can be handy, but it can have disastrous consequences.

The provision allowing uncertified books to be included can have disastrous consequences, ranging from hard lisp errors, to damaged memory, to quiet logical inconsistency.

It is possible for the inclusion of an uncertified book to render the logic inconsistent. For example, one of its non-local events might be (defthm t-is-nil (equal t nil)). It is also possible for the inclusion of an uncertified book to cause hard errors or breaks into raw Common Lisp. For example, if the file has been edited since it was certified, it may contain too many open parentheses, causing Lisp to read past ``end of file.'' Similarly, it might contain non-ACL2 objects such as 3.1415 or ill-formed event forms that cause ACL2 code to break.

Even if a book is perfectly well formed and could be certified (in a suitable extension of ACL2's initial world), its uncertified inclusion might cause Lisp errors or inconsistencies! For example, it might mention packages that do not exist in the host world, especially if the .port file (discussed above) does not exist from an earlier certification attempt. The portcullis of a certified book ensures that the correct defpkgs have been admitted, but if a book is read without actually raising its portcullis, symbols in the file, e.g., acl2-arithmetic::fn, could cause ``unknown package'' errors in Common Lisp. Perhaps the most subtle disaster occurs if the host world does have a defpkg for each package used in the book but the host defpkg imports different symbols than those required by the portcullis. In this case, it is possible that formulas which were theorems in the certified book are non-theorems in the host world, but those formulas can be read without error and will then be quietly assumed.

In short, if you include an uncertified book, all bets are off regarding the validity of the future behavior of ACL2.

That said, it should be noted that ACL2 is pretty tough and if errors don't occur, the chances are that deductions after the inclusion of an uncertified book are probably justified in the (possibly inconsistent) logical extension obtained by assuming the admissibility and validity of the definitions and conjectures in the book.