ACL2 Theorems About Commercial Microprocessors

ACL2 is a mechanized mathematical logic intended for use in specifying and proving properties of computing machines. In two independent projects, industrial engineers have collaborated with researchers at Computational Logic, Inc. (CLI), to use ACL2 to model and prove properties of state-of-the-art commercial microprocessors prior to fabrication. In the rst project, Motorola, Inc., and CLI collaborated to specify Motorola's complex arithmetic processor (CAP), a single-chip, digital signal processor (DSP) optimized for communications signal processing. Using the speciication, we proved the correctness of several CAP mi-crocode programs. The second industrial collaboration involving ACL2 was between Advanced Micro Devices, Inc. (AMD) and CLI. In this work we proved the correctness of the kernel of the oating-point division operation on AMD's rst Pentium-class microprocessor, the AMD5K86. In this paper, we discuss ACL2 and these industrial applications, with particular attention to the microcode veriication work. 1 ACL2 ACL2 stands for \A Computational Logic for Applicative Common Lisp." ACL2 is both a mathematical logic and system of mechanical tools which can be used to construct proofs in the logic. The logic, which formalizes a subset of Common Lisp, is a high level programming language which can be executed eeciently on many host platforms. Thus, programmers can deene models of computational systems and these models can be executed (\simulated") to test them on concrete data. But because the language is also a formal mathematical logic it is possible to reason about the models symbolically. Indeed, it is possible to prove theorems establishing properties of the models and to check these proofs with mechanical