How Can I Do That with ACL2? Recent Enhancements to ACL2

The last several years have seen major enhancements to ACL2 functionality, largely driven by requests from its user community, including utilities now in common use such as ‘make-event’, ‘mbe’, and trust tags. In this paper we provide user-level summaries of some ACL2 enhancements introduced after the release of Version 3.5 (in May, 2009, at about the time of the 2009 ACL2 workshop) up through the release of Version 4.3 in July, 2011, roughly a couple of years later. Many of these features are not particularly well known yet, but most ACL2 users could take advantage of at least some of them. Some of the changes could affect existing proof efforts, such as a change that treats pairs of functions such as ‘member’ and ‘member-equal’ as the same function.

💡 Research Summary

The paper “How Can I Do That with ACL2? Recent Enhancements to ACL2” surveys the most important user‑level improvements that were added to ACL2 between version 3.5 (May 2009) and version 4.3 (July 2011). The authors, Matt Kaufmann and J. Strother Moore, organize the discussion into three sections—new programming features, proof‑control enhancements, and system‑level changes—each introduced as a question a typical user might ask, followed by a concise answer and a pointer to the relevant ACL2 documentation (:DOC topics).

The programming section begins with “equality variants.” Historically, functions such as member and member‑equal were distinct because they used different equality predicates (eq versus equal). The change makes member a macro that expands to a call of member‑equal inside the :logic component of an mbe form. Consequently, the prover treats both names as the same logical function, eliminating the need for separate rule libraries and allowing proofs that previously required two separate theorems to succeed automatically. The paper shows a concrete example where a theorem about member‑reverse now also proves the analogous theorem for member‑equal‑reverse.

Next, the utility defattach is described. It lets users attach a concrete executable implementation to an encapsulated function, modify the behavior of built‑in functions, or provide a refinement for execution. The authors illustrate this with a “fold” function that uses an abstract binary operation ac‑fn. By attaching the built‑in multiplication function to ac‑fn, the fold can be evaluated, while the attachment is ignored during logical proofs, preserving soundness. Defattach also enables users to replace internal prover heuristics (e.g., ancestors‑check) with custom functions, a capability that the authors encourage the community to request.

The third programming feature is return‑last, which underlies the time$ macro. In the logical world, return‑last simply returns its last argument, but in raw Lisp it expands to a call of the first argument on the remaining arguments, thereby allowing side‑effects such as timing. The paper explains how a user‑defined trust tag (via defttag) can safely extend the set of first‑argument symbols that receive this special treatment.

Guard handling is improved with with‑guard‑checking, which can suppress guard violations for calls made in program mode. Combined with ec‑call (the executable counterpart introduced in version 3.4), users can write functions that safely call potentially unsafe primitives (e.g., car on a non‑list) without triggering errors, even when the function is executed in raw Lisp.

Printing without accessing the ACL2 state is addressed through the macros observation‑cw and warning$‑cw, which behave like observation and warning$ but use wormhole‑based “context‑message pairs” instead of the state. The authors also point to fmt‑to‑string and get‑output‑stream‑string$ for string‑based formatting that does not modify the state, and they note that trust tags together with with‑local‑state allow creation of temporary state objects for advanced use cases.

Parallel evaluation is supported by the experimental ACL2(p) extension, which adds the macro spec‑mv‑let for speculative parallel evaluation of sub‑expressions. This is part of a broader effort to enable parallel proof of subgoals.

Additional programming conveniences include mv?, mv‑let?, mv‑list (for handling multiple values with a single variable or list), the embedded event form redef+ (which now permits redefinition of functions inside books), an enhanced trace$ utility, and new system functions such as pkg‑imports (to list imported symbols), file‑write‑date$, and a variadic append that gracefully handles zero or one argument.

The proof‑control section focuses on the evolution of the hint mechanism. New keys such as :instructions allow users to embed explicit prover directives inside hints. Overriding hints (override‑hints) and backtrack hints (backtrack‑hints) give finer control over hint application, enabling integration of testing frameworks with the prover. The authors reference the extensive documentation for these features.

Overall, the paper serves as a concise, user‑oriented “What’s New” guide, providing concrete examples, macro‑expansion traces, and direct links to the ACL2 documentation system. By highlighting features that are already in common use (make‑event, mbe, trust tags) as well as newer, less‑known capabilities, the authors aim to raise awareness and encourage broader adoption of the recent enhancements across the ACL2 community.