(BOOT-STRAP NQTHM) [ 0.1 0.1 0.0 ] GROUND-ZERO (ADD-SHELL ST NIL STP ((PC (NONE-OF) ZERO) (STK (NONE-OF) ZERO) (MEM (NONE-OF) ZERO) (HALTEDP (NONE-OF) ZERO) (DEFS (NONE-OF) ZERO))) [ 0.0 0.0 0.0 ] ST (DEFN ADD1-PC (PC) (CONS (CAR PC) (ADD1 (CDR PC)))) From the definition we can conclude that (LISTP (ADD1-PC PC)) is a theorem. [ 0.0 0.0 0.0 ] ADD1-PC (DEFN GET (N LST) (IF (ZEROP N) (CAR LST) (GET (SUB1 N) (CDR LST)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Hence, GET is accepted under the principle of definition. [ 0.0 0.0 0.0 ] GET (DEFN PUT (N V LST) (IF (ZEROP N) (CONS V (CDR LST)) (CONS (CAR LST) (PUT (SUB1 N) V (CDR LST))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Hence, PUT is accepted under the definitional principle. Observe that (LISTP (PUT N V LST)) is a theorem. [ 0.0 0.0 0.0 ] PUT (DEFN FETCH (PC DEFS) (GET (CDR PC) (CDR (ASSOC (CAR PC) DEFS)))) [ 0.0 0.0 0.0 ] FETCH (DEFN MOVE (ADDR1 ADDR2 S) (ST (ADD1-PC (PC S)) (STK S) (PUT ADDR1 (GET ADDR2 (MEM S)) (MEM S)) F (DEFS S))) From the definition we can conclude that (STP (MOVE ADDR1 ADDR2 S)) is a theorem. [ 0.0 0.0 0.0 ] MOVE (DEFN MOVI (ADDR VAL S) (ST (ADD1-PC (PC S)) (STK S) (PUT ADDR VAL (MEM S)) F (DEFS S))) Observe that (STP (MOVI ADDR VAL S)) is a theorem. [ 0.0 0.0 0.0 ] MOVI (DEFN ADD (ADDR1 ADDR2 S) (ST (ADD1-PC (PC S)) (STK S) (PUT ADDR1 (PLUS (GET ADDR1 (MEM S)) (GET ADDR2 (MEM S))) (MEM S)) F (DEFS S))) From the definition we can conclude that (STP (ADD ADDR1 ADDR2 S)) is a theorem. [ 0.0 0.0 0.0 ] ADD (DEFN SUBI (ADDR VAL S) (ST (ADD1-PC (PC S)) (STK S) (PUT ADDR (DIFFERENCE (GET ADDR (MEM S)) VAL) (MEM S)) F (DEFS S))) Observe that (STP (SUBI ADDR VAL S)) is a theorem. [ 0.0 0.0 0.0 ] SUBI (DEFN JUMPZ (ADDR PC S) (ST (IF (ZEROP (GET ADDR (MEM S))) (CONS (CAR (PC S)) PC) (ADD1-PC (PC S))) (STK S) (MEM S) F (DEFS S))) Observe that (STP (JUMPZ ADDR PC S)) is a theorem. [ 0.0 0.0 0.0 ] JUMPZ (DEFN JUMP (PC S) (ST (CONS (CAR (PC S)) PC) (STK S) (MEM S) F (DEFS S))) Note that (STP (JUMP PC S)) is a theorem. [ 0.0 0.0 0.0 ] JUMP (DEFN CALL (SUBR S) (ST (CONS SUBR 0) (CONS (ADD1-PC (PC S)) (STK S)) (MEM S) F (DEFS S))) Observe that (STP (CALL SUBR S)) is a theorem. [ 0.0 0.0 0.0 ] CALL (DEFN RET (S) (IF (NLISTP (STK S)) (ST (PC S) (STK S) (MEM S) T (DEFS S)) (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)))) Observe that (STP (RET S)) is a theorem. [ 0.0 0.0 0.0 ] RET (DEFN EXECUTE (INS S) (IF (EQUAL (CAR INS) 'MOVE) (MOVE (CADR INS) (CADDR INS) S) (IF (EQUAL (CAR INS) 'MOVI) (MOVI (CADR INS) (CADDR INS) S) (IF (EQUAL (CAR INS) 'ADD) (ADD (CADR INS) (CADDR INS) S) (IF (EQUAL (CAR INS) 'SUBI) (SUBI (CADR INS) (CADDR INS) S) (IF (EQUAL (CAR INS) 'JUMPZ) (JUMPZ (CADR INS) (CADDR INS) S) (IF (EQUAL (CAR INS) 'JUMP) (JUMP (CADR INS) S) (IF (EQUAL (CAR INS) 'CALL) (CALL (CADR INS) S) (IF (EQUAL (CAR INS) 'RET) (RET S) S))))))))) Note that (OR (STP (EXECUTE INS S)) (EQUAL (EXECUTE INS S) S)) is a theorem. [ 0.0 0.0 0.0 ] EXECUTE (DEFN STEP (S) (IF (HALTEDP S) S (EXECUTE (FETCH (PC S) (DEFS S)) S))) Observe that (OR (STP (STEP S)) (EQUAL (STEP S) S)) is a theorem. [ 0.0 0.0 0.0 ] STEP (DEFN SM (S N) (IF (ZEROP N) S (SM (STEP S) (SUB1 N)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Hence, SM is accepted under the principle of definition. From the definition we can conclude that: (OR (STP (SM S N)) (EQUAL (SM S N) S)) is a theorem. [ 0.0 0.0 0.0 ] SM (PROVE-LEMMA STEP-OPENER (REWRITE) (AND (IMPLIES (HALTEDP S) (EQUAL (STEP S) S)) (IMPLIES (LISTP (FETCH (PC S) (DEFS S))) (EQUAL (STEP S) (IF (HALTEDP S) S (EXECUTE (FETCH (PC S) (DEFS S)) S))))) ((DISABLE EXECUTE))) WARNING: Note that the rewrite rule STEP-OPENER will be stored so as to apply only to terms with the nonrecursive function symbol STEP. WARNING: Note that the rewrite rule STEP-OPENER will be stored so as to apply only to terms with the nonrecursive function symbol STEP. WARNING: Note that the proposed lemma STEP-OPENER is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This conjecture can be simplified, using the abbreviations IMPLIES and AND, to two new formulas: Case 2. (IMPLIES (HALTEDP S) (EQUAL (STEP S) S)), which simplifies, opening up the function STEP, to: T. Case 1. (IMPLIES (LISTP (FETCH (PC S) (DEFS S))) (EQUAL (STEP S) (IF (HALTEDP S) S (EXECUTE (FETCH (PC S) (DEFS S)) S)))), which simplifies, expanding FETCH and STEP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] STEP-OPENER (DISABLE STEP) [ 0.0 0.0 0.0 ] STEP-OFF (PROVE-LEMMA SM-PLUS (REWRITE) (EQUAL (SM S (PLUS I J)) (SM (SM S I) J))) Call the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP I) (p S I J)) (IMPLIES (AND (NOT (ZEROP I)) (p (STEP S) (SUB1 I) J)) (p S I J))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definition of ZEROP can be used to prove that the measure (COUNT I) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme leads to two new goals: Case 2. (IMPLIES (ZEROP I) (EQUAL (SM S (PLUS I J)) (SM (SM S I) J))), which simplifies, opening up the definitions of ZEROP, EQUAL, PLUS, and SM, to two new conjectures: Case 2.2. (IMPLIES (AND (EQUAL I 0) (NOT (NUMBERP J))) (EQUAL (SM S 0) (SM S J))), which again simplifies, unfolding the functions EQUAL and SM, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP I)) (NOT (NUMBERP J))) (EQUAL (SM S 0) (SM S J))), which again simplifies, opening up the functions EQUAL and SM, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP I)) (EQUAL (SM (STEP S) (PLUS (SUB1 I) J)) (SM (SM (STEP S) (SUB1 I)) J))) (EQUAL (SM S (PLUS I J)) (SM (SM S I) J))), which simplifies, applying the lemma SUB1-ADD1, and opening up ZEROP, PLUS, and SM, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] SM-PLUS (PROVE-LEMMA SM-ADD1 (REWRITE) (EQUAL (SM S (ADD1 I)) (SM (STEP S) I))) This conjecture simplifies, applying SUB1-ADD1, and unfolding the function SM, to the formula: (IMPLIES (NOT (NUMBERP I)) (EQUAL (SM (STEP S) 0) (SM (STEP S) I))). This again simplifies, expanding EQUAL and SM, to: T. Q.E.D. [ 0.0 0.0 0.0 ] SM-ADD1 (PROVE-LEMMA SM-0 (REWRITE) (EQUAL (SM S 0) S)) This conjecture simplifies, unfolding the definitions of EQUAL and SM, to: T. Q.E.D. [ 0.0 0.0 0.0 ] SM-0 (DISABLE SM) [ 0.0 0.0 0.0 ] SM-OFF (DEFN TIMES-PROGRAM NIL '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) From the definition we can conclude that (LISTP (TIMES-PROGRAM)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-PROGRAM (DEFN TIMES-FN (I J ANS) (IF (ZEROP I) ANS (TIMES-FN (SUB1 I) J (PLUS ANS J)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT I) decreases according to the well-founded relation LESSP in each recursive call. Hence, TIMES-FN is accepted under the definitional principle. From the definition we can conclude that: (OR (NUMBERP (TIMES-FN I J ANS)) (EQUAL (TIMES-FN I J ANS) ANS)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-FN (PROVE-LEMMA TIMES-FN-IS-TIMES (REWRITE) (IMPLIES (NUMBERP ANS) (EQUAL (TIMES-FN I J ANS) (PLUS (TIMES I J) ANS)))) Call the conjecture *1. We will try to prove it by induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP I) (p I J ANS)) (IMPLIES (AND (NOT (ZEROP I)) (p (SUB1 I) J (PLUS ANS J))) (p I J ANS))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT I) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for ANS. The above induction scheme generates two new goals: Case 2. (IMPLIES (AND (ZEROP I) (NUMBERP ANS)) (EQUAL (TIMES-FN I J ANS) (PLUS (TIMES I J) ANS))), which simplifies, opening up the functions ZEROP, EQUAL, TIMES-FN, TIMES, and PLUS, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP I)) (EQUAL (TIMES-FN (SUB1 I) J (PLUS ANS J)) (PLUS (TIMES (SUB1 I) J) ANS J)) (NUMBERP ANS)) (EQUAL (TIMES-FN I J ANS) (PLUS (TIMES I J) ANS))), which simplifies, expanding ZEROP, TIMES-FN, and TIMES, to the conjecture: (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (EQUAL (TIMES-FN (SUB1 I) J (PLUS ANS J)) (PLUS (TIMES (SUB1 I) J) ANS J)) (NUMBERP ANS)) (EQUAL (TIMES-FN (SUB1 I) J (PLUS ANS J)) (PLUS (PLUS J (TIMES (SUB1 I) J)) ANS))). But this again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-FN-IS-TIMES (PROVE-LEMMA PLUS-RIGHT-ID (REWRITE) (EQUAL (PLUS X 0) (FIX X))) This simplifies, unfolding FIX, to two new formulas: Case 2. (IMPLIES (NOT (NUMBERP X)) (EQUAL (PLUS X 0) 0)), which again simplifies, unfolding NUMBERP, PLUS, and EQUAL, to: T. Case 1. (IMPLIES (NUMBERP X) (EQUAL (PLUS X 0) X)), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] PLUS-RIGHT-ID (DEFN TIMES-CLOCK (I) (PLUS 2 (TIMES I 4) 2)) From the definition we can conclude that (NUMBERP (TIMES-CLOCK I)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-CLOCK (PROVE-LEMMA TIMES-CORRECT-LEMMA (REWRITE) (IMPLIES (AND (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN I J ANS) R3 R4) F DEFS)))) This conjecture can be simplified, using the abbreviations AND, IMPLIES, and TIMES-PROGRAM, to: (IMPLIES (AND (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN I J ANS) R3 R4) F DEFS))). This simplifies, applying TIMES-FN-IS-TIMES and PC-ST, and opening up TIMES-FN, to two new goals: Case 2. (IMPLIES (AND (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL I 0))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (PLUS (TIMES (SUB1 I) J) ANS J) R3 R4) F DEFS))). Applying the lemma SUB1-ELIM, replace I by (ADD1 X) to eliminate (SUB1 I). We rely upon the type restriction lemma noted when SUB1 was introduced to restrict the new variable. This produces: (IMPLIES (AND (NUMBERP X) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (ADD1 X) 0))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST (ADD1 X) J ANS R3 R4) F DEFS) (TIMES (ADD1 X) 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (PLUS (TIMES X J) ANS J) R3 R4) F DEFS))), which further simplifies, rewriting with SUB1-ADD1, DEFS-ST, PC-ST, HALTEDP-ST, MEM-ST, CAR-CONS, STK-ST, STEP-OPENER, CDR-CONS, SM-0, SM-ADD1, and SM-PLUS, and opening up the functions TIMES, LISTP, FETCH, CDR, CAR, GET, JUMPZ, ADD1-PC, EQUAL, EXECUTE, ADD, SUB1, NUMBERP, PUT, SUBI, DIFFERENCE, JUMP, and CONS, to the following two new formulas: Case 2.2. (IMPLIES (AND (NUMBERP X) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL X 0))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST X J (PLUS ANS J) R3 R4) F DEFS) (TIMES X 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (PLUS (TIMES X J) ANS J) R3 R4) F DEFS))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN I J ANS) R3 R4) F DEFS))), which we named *1 above. We will appeal to induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions, both of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (ZEROP I) (p STK1 I J ANS R3 R4 DEFS)) (IMPLIES (AND (NOT (ZEROP I)) (p STK1 (SUB1 I) J (PLUS ANS J) R3 R4 DEFS)) (p STK1 I J ANS R3 R4 DEFS))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT I) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for ANS. The above induction scheme leads to the following two new goals: Case 2. (IMPLIES (AND (ZEROP I) (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN I J ANS) R3 R4) F DEFS))). This simplifies, rewriting with SM-0, and expanding ZEROP, NUMBERP, TIMES-PROGRAM, TIMES, EQUAL, and TIMES-FN, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP I)) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST (SUB1 I) J (PLUS ANS J) R3 R4) F DEFS) (TIMES (SUB1 I) 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN (SUB1 I) J (PLUS ANS J)) R3 R4) F DEFS)) (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST I J ANS R3 R4) F DEFS) (TIMES I 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN I J ANS) R3 R4) F DEFS))), which simplifies, rewriting with the lemmas PC-ST, DEFS-ST, HALTEDP-ST, MEM-ST, CAR-CONS, STK-ST, STEP-OPENER, CDR-CONS, SM-0, SM-ADD1, and SM-PLUS, and expanding the functions ZEROP, TIMES-PROGRAM, TIMES, LISTP, FETCH, CDR, CAR, GET, JUMPZ, ADD1-PC, EQUAL, EXECUTE, ADD, SUB1, NUMBERP, PUT, SUBI, DIFFERENCE, JUMP, CONS, and TIMES-FN, to: (IMPLIES (AND (NOT (EQUAL I 0)) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST (SUB1 I) J (PLUS ANS J) R3 R4) F DEFS) (TIMES (SUB1 I) 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN (SUB1 I) J (PLUS ANS J)) R3 R4) F DEFS)) (NUMBERP I) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL (SUB1 I) 0)) (EQUAL (SM (ST '(TIMES . 1) STK1 (LIST 0 J (PLUS ANS J) R3 R4) F DEFS) (TIMES (SUB1 I) 4)) (ST '(TIMES . 1) STK1 (LIST 0 J (TIMES-FN (SUB1 I) J (PLUS ANS J)) R3 R4) F DEFS))). This again simplifies, clearly, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-CORRECT-LEMMA (PROVE-LEMMA TIMES-CORRECT (REWRITE) (IMPLIES (AND (EQUAL (FETCH PC DEFS) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM)) (NUMBERP I)) (EQUAL (SM (ST PC STK (LIST I J R2 R3 R4) F DEFS) (TIMES-CLOCK I)) (ST (ADD1-PC PC) STK (LIST 0 J (TIMES I J) R3 R4) F DEFS)))) This formula can be simplified, using the abbreviations AND, IMPLIES, SM-0, SM-ADD1, SM-PLUS, TIMES-CLOCK, and TIMES-PROGRAM, to the new conjecture: (IMPLIES (AND (EQUAL (FETCH PC DEFS) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NUMBERP I)) (EQUAL (STEP (STEP (SM (STEP (STEP (ST PC STK (LIST I J R2 R3 R4) F DEFS))) (TIMES I 4)))) (ST (ADD1-PC PC) STK (LIST 0 J (TIMES I J) R3 R4) F DEFS))), which simplifies, applying DEFS-ST, PC-ST, HALTEDP-ST, STK-ST, MEM-ST, STEP-OPENER, CDR-CONS, CAR-CONS, PLUS-RIGHT-ID, TIMES-FN-IS-TIMES, and TIMES-CORRECT-LEMMA, and expanding the definitions of FETCH, LISTP, CALL, CONS, ADD1-PC, CDR, EQUAL, CAR, EXECUTE, GET, MOVI, SUB1, NUMBERP, PUT, TIMES-PROGRAM, JUMPZ, and RET, to: T. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-CORRECT (DISABLE TIMES-CLOCK) [ 0.0 0.0 0.0 ] TIMES-CLOCK-OFF (DEFN EXP (I J) (IF (ZEROP J) 1 (TIMES (EXP I (SUB1 J)) I))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT J) decreases according to the well-founded relation LESSP in each recursive call. Hence, EXP is accepted under the definitional principle. From the definition we can conclude that (NUMBERP (EXP I J)) is a theorem. [ 0.0 0.0 0.0 ] EXP (DEFN EXP-PROGRAM NIL '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) Observe that (LISTP (EXP-PROGRAM)) is a theorem. [ 0.0 0.0 0.0 ] EXP-PROGRAM (DEFN EXP-FN (R0 R1 R2 R3 R4) (IF (ZEROP R4) R1 (EXP-FN 0 (TIMES R3 R1) (TIMES R3 R1) R3 (SUB1 R4)))) WARNING: R0 and R2 are in the arglist but not in the body of the definition of EXP-FN. Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT R4) decreases according to the well-founded relation LESSP in each recursive call. Hence, EXP-FN is accepted under the definitional principle. Observe that: (OR (NUMBERP (EXP-FN R0 R1 R2 R3 R4)) (EQUAL (EXP-FN R0 R1 R2 R3 R4) R1)) is a theorem. [ 0.0 0.0 0.0 ] EXP-FN (PROVE-LEMMA ASSOCIATIVITY-OF-TIMES (REWRITE) (EQUAL (TIMES (TIMES I J) K) (TIMES I (TIMES J K)))) Call the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP I) (p I J K)) (IMPLIES (AND (NOT (ZEROP I)) (p (SUB1 I) J K)) (p I J K))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to prove that the measure (COUNT I) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new goals: Case 2. (IMPLIES (ZEROP I) (EQUAL (TIMES (TIMES I J) K) (TIMES I J K))), which simplifies, opening up the definitions of ZEROP, EQUAL, and TIMES, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP I)) (EQUAL (TIMES (TIMES (SUB1 I) J) K) (TIMES (SUB1 I) J K))) (EQUAL (TIMES (TIMES I J) K) (TIMES I J K))), which simplifies, expanding ZEROP and TIMES, to: (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (EQUAL (TIMES (TIMES (SUB1 I) J) K) (TIMES (SUB1 I) J K))) (EQUAL (TIMES (PLUS J (TIMES (SUB1 I) J)) K) (PLUS (TIMES J K) (TIMES (SUB1 I) J K)))). Appealing to the lemma SUB1-ELIM, we now replace I by (ADD1 X) to eliminate (SUB1 I). We rely upon the type restriction lemma noted when SUB1 was introduced to constrain the new variable. This generates: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (EQUAL (TIMES (TIMES X J) K) (TIMES X J K))) (EQUAL (TIMES (PLUS J (TIMES X J)) K) (PLUS (TIMES J K) (TIMES X J K)))). This further simplifies, trivially, to: (IMPLIES (AND (NUMBERP X) (EQUAL (TIMES (TIMES X J) K) (TIMES X J K))) (EQUAL (TIMES (PLUS J (TIMES X J)) K) (PLUS (TIMES J K) (TIMES X J K)))). We use the above equality hypothesis by substituting (TIMES (TIMES X J) K) for (TIMES X J K) and throwing away the equality. This generates the goal: (IMPLIES (NUMBERP X) (EQUAL (TIMES (PLUS J (TIMES X J)) K) (PLUS (TIMES J K) (TIMES (TIMES X J) K)))). We will try to prove the above formula by generalizing it, replacing (TIMES X J) by Y. We restrict the new variable by recalling the type restriction lemma noted when TIMES was introduced. We thus obtain: (IMPLIES (AND (NUMBERP Y) (NUMBERP X)) (EQUAL (TIMES (PLUS J Y) K) (PLUS (TIMES J K) (TIMES Y K)))), which has an irrelevant term in it. By eliminating the term we get: (IMPLIES (NUMBERP Y) (EQUAL (TIMES (PLUS J Y) K) (PLUS (TIMES J K) (TIMES Y K)))), which we will finally name *1.1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP J) (p J Y K)) (IMPLIES (AND (NOT (ZEROP J)) (p (SUB1 J) Y K)) (p J Y K))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definition of ZEROP establish that the measure (COUNT J) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP J) (NUMBERP Y)) (EQUAL (TIMES (PLUS J Y) K) (PLUS (TIMES J K) (TIMES Y K)))). This simplifies, unfolding ZEROP, EQUAL, PLUS, and TIMES, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP J)) (EQUAL (TIMES (PLUS (SUB1 J) Y) K) (PLUS (TIMES (SUB1 J) K) (TIMES Y K))) (NUMBERP Y)) (EQUAL (TIMES (PLUS J Y) K) (PLUS (TIMES J K) (TIMES Y K)))). This simplifies, applying SUB1-ADD1, and opening up the functions ZEROP, PLUS, and TIMES, to the formula: (IMPLIES (AND (NOT (EQUAL J 0)) (NUMBERP J) (EQUAL (TIMES (PLUS (SUB1 J) Y) K) (PLUS (TIMES (SUB1 J) K) (TIMES Y K))) (NUMBERP Y)) (EQUAL (PLUS K (TIMES (PLUS (SUB1 J) Y) K)) (PLUS (PLUS K (TIMES (SUB1 J) K)) (TIMES Y K)))). This again simplifies, using linear arithmetic, to: T. That finishes the proof of *1.1, which finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] ASSOCIATIVITY-OF-TIMES (PROVE-LEMMA TIMES-RIGHT-ID (REWRITE) (EQUAL (TIMES I 1) (FIX I))) This simplifies, unfolding FIX, to two new formulas: Case 2. (IMPLIES (NOT (NUMBERP I)) (EQUAL (TIMES I 1) 0)), which again simplifies, unfolding TIMES and EQUAL, to: T. Case 1. (IMPLIES (NUMBERP I) (EQUAL (TIMES I 1) I)), which we will name *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP I) (p I)) (IMPLIES (AND (NOT (ZEROP I)) (p (SUB1 I))) (p I))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT I) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following two new goals: Case 2. (IMPLIES (AND (ZEROP I) (NUMBERP I)) (EQUAL (TIMES I 1) I)). This simplifies, opening up the definitions of ZEROP, NUMBERP, TIMES, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP I)) (EQUAL (TIMES (SUB1 I) 1) (SUB1 I)) (NUMBERP I)) (EQUAL (TIMES I 1) I)). This simplifies, expanding the definitions of ZEROP and TIMES, to: (IMPLIES (AND (NOT (EQUAL I 0)) (EQUAL (TIMES (SUB1 I) 1) (SUB1 I)) (NUMBERP I)) (EQUAL (PLUS 1 (SUB1 I)) I)), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-RIGHT-ID (PROVE-LEMMA EXP-FN-IS-EXP (REWRITE) (IMPLIES (NUMBERP R1) (EQUAL (EXP-FN R0 R1 R2 R3 R4) (TIMES (EXP R3 R4) R1)))) Give the conjecture the name *1. Let us appeal to the induction principle. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP R4) (p R0 R1 R2 R3 R4)) (IMPLIES (AND (NOT (ZEROP R4)) (p 0 (TIMES R3 R1) (TIMES R3 R1) R3 (SUB1 R4))) (p R0 R1 R2 R3 R4))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT R4) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for R0, R1, and R2. The above induction scheme generates the following two new conjectures: Case 2. (IMPLIES (AND (ZEROP R4) (NUMBERP R1)) (EQUAL (EXP-FN R0 R1 R2 R3 R4) (TIMES (EXP R3 R4) R1))). This simplifies, opening up the functions ZEROP, EQUAL, EXP-FN, and EXP, to the following two new goals: Case 2.2. (IMPLIES (AND (EQUAL R4 0) (NUMBERP R1)) (EQUAL R1 (TIMES 1 R1))). But this again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP R4)) (NUMBERP R1)) (EQUAL R1 (TIMES 1 R1))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP R4)) (EQUAL (EXP-FN 0 (TIMES R3 R1) (TIMES R3 R1) R3 (SUB1 R4)) (TIMES (EXP R3 (SUB1 R4)) R3 R1)) (NUMBERP R1)) (EQUAL (EXP-FN R0 R1 R2 R3 R4) (TIMES (EXP R3 R4) R1))), which simplifies, applying ASSOCIATIVITY-OF-TIMES, and opening up ZEROP, EXP-FN, and EXP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] EXP-FN-IS-EXP (DEFN EXP-CLOCK (I J) (PLUS 4 (TIMES J (PLUS 2 (TIMES-CLOCK I) 3)) 2)) From the definition we can conclude that (NUMBERP (EXP-CLOCK I J)) is a theorem. [ 0.0 0.0 0.0 ] EXP-CLOCK (PROVE-LEMMA EXP-CORRECT-LEMMA (REWRITE) (IMPLIES (AND (NUMBERP R3) (NUMBERP R4) (EQUAL (ASSOC 'EXP DEFS) (EXP-PROGRAM)) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(EXP . 3) STK (LIST R0 R1 R2 R3 R4) F DEFS) (TIMES R4 (PLUS 2 (TIMES-CLOCK R3) 3))) (ST '(EXP . 3) STK (IF (ZEROP R4) (LIST R0 R1 R2 R3 R4) (LIST 0 (TIMES (EXP R3 R4) R1) (TIMES (EXP R3 R4) R1) R3 0)) F DEFS))) ((INDUCT (EXP-FN R0 R1 R2 R3 R4)))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, TIMES-PROGRAM, and EXP-PROGRAM, to two new formulas: Case 2. (IMPLIES (AND (ZEROP R4) (NUMBERP R3) (NUMBERP R4) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(EXP . 3) STK (LIST R0 R1 R2 R3 R4) F DEFS) (TIMES R4 (PLUS 2 (TIMES-CLOCK R3) 3))) (ST '(EXP . 3) STK (IF (ZEROP R4) (LIST R0 R1 R2 R3 R4) (CONS 0 (CONS (TIMES (EXP R3 R4) R1) (CONS (TIMES (EXP R3 R4) R1) (CONS R3 '(0)))))) F DEFS))), which simplifies, applying SM-0, and opening up ZEROP, NUMBERP, CONS, EQUAL, and TIMES, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL R4 0)) (NUMBERP R4) (IMPLIES (AND (NUMBERP R3) (NUMBERP (SUB1 R4)) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(EXP . 3) STK (LIST 0 (TIMES R3 R1) (TIMES R3 R1) R3 (SUB1 R4)) F DEFS) (TIMES (SUB1 R4) (PLUS 2 (TIMES-CLOCK R3) 3))) (ST '(EXP . 3) STK (IF (ZEROP (SUB1 R4)) (LIST 0 (TIMES R3 R1) (TIMES R3 R1) R3 (SUB1 R4)) (CONS 0 (CONS (TIMES (EXP R3 (SUB1 R4)) R3 R1) (CONS (TIMES (EXP R3 (SUB1 R4)) R3 R1) (CONS R3 '(0)))))) F DEFS))) (NUMBERP R3) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(EXP . 3) STK (LIST R0 R1 R2 R3 R4) F DEFS) (TIMES R4 (PLUS 2 (TIMES-CLOCK R3) 3))) (ST '(EXP . 3) STK (IF (ZEROP R4) (LIST R0 R1 R2 R3 R4) (CONS 0 (CONS (TIMES (EXP R3 R4) R1) (CONS (TIMES (EXP R3 R4) R1) (CONS R3 '(0)))))) F DEFS))). This simplifies, rewriting with the lemmas PC-ST, DEFS-ST, HALTEDP-ST, MEM-ST, CDR-CONS, CAR-CONS, STK-ST, STEP-OPENER, SM-0, SM-ADD1, TIMES-CORRECT, SM-PLUS, ASSOCIATIVITY-OF-TIMES, and PLUS-RIGHT-ID, and opening up the functions EQUAL, AND, ZEROP, CONS, IMPLIES, TIMES, LISTP, FETCH, CDR, CAR, GET, JUMPZ, SUB1, NUMBERP, ADD1-PC, EXECUTE, MOVE, PUT, TIMES-PROGRAM, SUBI, DIFFERENCE, JUMP, and EXP, to: T. Q.E.D. [ 0.0 0.1 0.0 ] EXP-CORRECT-LEMMA (PROVE-LEMMA EXP-CORRECT (REWRITE) (IMPLIES (AND (NUMBERP I) (NUMBERP J) (EQUAL (FETCH PC DEFS) '(CALL EXP)) (EQUAL (ASSOC 'EXP DEFS) (EXP-PROGRAM)) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST PC STK (LIST I J R2 R3 R4) F DEFS) (EXP-CLOCK I J)) (ST (ADD1-PC PC) STK (IF (ZEROP J) (LIST I (EXP I J) R2 I 0) (LIST 0 (EXP I J) (EXP I J) I 0)) F DEFS)))) This conjecture can be simplified, using the abbreviations AND, IMPLIES, SM-0, SM-ADD1, SM-PLUS, EXP-CLOCK, TIMES-PROGRAM, and EXP-PROGRAM, to: (IMPLIES (AND (NUMBERP I) (NUMBERP J) (EQUAL (FETCH PC DEFS) '(CALL EXP)) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (STEP (STEP (SM (STEP (STEP (STEP (STEP (ST PC STK (LIST I J R2 R3 R4) F DEFS))))) (TIMES J (PLUS 2 (TIMES-CLOCK I) 3))))) (ST (ADD1-PC PC) STK (IF (ZEROP J) (CONS I (CONS (EXP I J) (CONS R2 (CONS I '(0))))) (CONS 0 (CONS (EXP I J) (CONS (EXP I J) (CONS I '(0)))))) F DEFS))). This simplifies, rewriting with the lemmas DEFS-ST, PC-ST, HALTEDP-ST, STK-ST, MEM-ST, STEP-OPENER, CAR-CONS, CDR-CONS, TIMES-RIGHT-ID, and EXP-CORRECT-LEMMA, and unfolding the definitions of FETCH, LISTP, CALL, CONS, ADD1-PC, CDR, EQUAL, CAR, EXECUTE, GET, MOVE, SUB1, NUMBERP, PUT, MOVI, TIMES-PROGRAM, EXP-PROGRAM, ZEROP, and EXP, to the following two new conjectures: Case 2. (IMPLIES (AND (NUMBERP I) (NUMBERP J) (EQUAL (GET (CDR PC) (CDR (ASSOC (CAR PC) DEFS))) '(CALL EXP)) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL J 0))) (EQUAL (STEP (STEP (ST '(EXP . 3) (CONS (CONS (CAR PC) (ADD1 (CDR PC))) STK) (CONS 0 (CONS (EXP I J) (CONS (EXP I J) (CONS I '(0))))) F DEFS))) (ST (CONS (CAR PC) (ADD1 (CDR PC))) STK (CONS 0 (CONS (EXP I J) (CONS (EXP I J) (CONS I '(0))))) F DEFS))). This again simplifies, appealing to the lemmas DEFS-ST, PC-ST, HALTEDP-ST, MEM-ST, CDR-CONS, STK-ST, STEP-OPENER, and CAR-CONS, and unfolding the functions LISTP, FETCH, CDR, CAR, GET, JUMPZ, SUB1, NUMBERP, CONS, EQUAL, EXECUTE, and RET, to: T. Case 1. (IMPLIES (AND (NUMBERP I) (NUMBERP J) (EQUAL (GET (CDR PC) (CDR (ASSOC (CAR PC) DEFS))) '(CALL EXP)) (EQUAL (ASSOC 'EXP DEFS) '(EXP (MOVE 3 0) (MOVE 4 1) (MOVI 1 1) (JUMPZ 4 9) (MOVE 0 3) (CALL TIMES) (MOVE 1 2) (SUBI 4 1) (JUMP 3) (RET))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL J 0)) (EQUAL (STEP (STEP (ST '(EXP . 3) (CONS (CONS (CAR PC) (ADD1 (CDR PC))) STK) (CONS I (CONS 1 (CONS R2 (CONS I '(0))))) F DEFS))) (ST (CONS (CAR PC) (ADD1 (CDR PC))) STK (CONS I (CONS 1 (CONS R2 (CONS I '(0))))) F DEFS))), which again simplifies, rewriting with DEFS-ST, PC-ST, HALTEDP-ST, MEM-ST, CDR-CONS, STK-ST, STEP-OPENER, and CAR-CONS, and expanding the functions NUMBERP, LISTP, FETCH, CDR, CAR, GET, JUMPZ, SUB1, CONS, EQUAL, EXECUTE, and RET, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EXP-CORRECT (DEFN LENGTH (LST) (IF (NLISTP LST) 0 (ADD1 (LENGTH (CDR LST))))) Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP inform us that the measure (COUNT LST) decreases according to the well-founded relation LESSP in each recursive call. Hence, LENGTH is accepted under the principle of definition. From the definition we can conclude that (NUMBERP (LENGTH LST)) is a theorem. [ 0.0 0.0 0.0 ] LENGTH (PROVE-LEMMA PUT-PUT-0 (REWRITE) (IMPLIES (AND (LESSP ADDR (LENGTH MEM)) (EQUAL (GET ADDR MEM) VAL)) (EQUAL (PUT ADDR VAL MEM) MEM))) Call the conjecture *1. Let us appeal to the induction principle. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM)))) (p ADDR MEM)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (p ADDR MEM)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (p (SUB1 ADDR) (CDR MEM))) (p ADDR MEM))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT inform us that the measure (COUNT ADDR) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for MEM. The above induction scheme produces four new formulas: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM)))) (LESSP ADDR (LENGTH MEM))) (EQUAL (PUT ADDR (GET ADDR MEM) MEM) MEM)), which simplifies, opening up the definitions of LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR))) (LESSP ADDR (LENGTH MEM))) (EQUAL (PUT ADDR (GET ADDR MEM) MEM) MEM)), which simplifies, applying CONS-CAR-CDR, and expanding the definitions of LENGTH, NOT, OR, EQUAL, LESSP, GET, and PUT, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (NOT (LESSP (SUB1 ADDR) (LENGTH (CDR MEM)))) (LESSP ADDR (LENGTH MEM))) (EQUAL (PUT ADDR (GET ADDR MEM) MEM) MEM)). This simplifies, rewriting with SUB1-ADD1, and opening up LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (EQUAL (PUT (SUB1 ADDR) (GET (SUB1 ADDR) (CDR MEM)) (CDR MEM)) (CDR MEM)) (LESSP ADDR (LENGTH MEM))) (EQUAL (PUT ADDR (GET ADDR MEM) MEM) MEM)), which simplifies, applying SUB1-ADD1 and CONS-CAR-CDR, and unfolding LENGTH, NOT, OR, LESSP, GET, and PUT, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] PUT-PUT-0 (PROVE-LEMMA PUT-PUT-1 (REWRITE) (EQUAL (PUT ADDR V2 (PUT ADDR V1 MEM)) (PUT ADDR V2 MEM))) Call the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP ADDR) (p ADDR V2 V1 MEM)) (IMPLIES (AND (NOT (ZEROP ADDR)) (p (SUB1 ADDR) V2 V1 (CDR MEM))) (p ADDR V2 V1 MEM))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to prove that the measure (COUNT ADDR) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for MEM. The above induction scheme leads to two new goals: Case 2. (IMPLIES (ZEROP ADDR) (EQUAL (PUT ADDR V2 (PUT ADDR V1 MEM)) (PUT ADDR V2 MEM))), which simplifies, applying the lemma CDR-CONS, and opening up the definitions of ZEROP, EQUAL, and PUT, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP ADDR)) (EQUAL (PUT (SUB1 ADDR) V2 (PUT (SUB1 ADDR) V1 (CDR MEM))) (PUT (SUB1 ADDR) V2 (CDR MEM)))) (EQUAL (PUT ADDR V2 (PUT ADDR V1 MEM)) (PUT ADDR V2 MEM))), which simplifies, rewriting with CDR-CONS and CAR-CONS, and opening up the functions ZEROP and PUT, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] PUT-PUT-1 (PROVE-LEMMA PUT-PUT-2 (REWRITE) (IMPLIES (AND (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM))))) Give the conjecture the name *1. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP ADDR2) (p ADDR2 V2 ADDR1 V1 MEM)) (IMPLIES (AND (NOT (ZEROP ADDR2)) (p (SUB1 ADDR2) V2 (SUB1 ADDR1) V1 (CDR MEM))) (p ADDR2 V2 ADDR1 V1 MEM))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT ADDR2) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for ADDR1 and MEM. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (ZEROP ADDR2) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM)))). This simplifies, unfolding ZEROP, NUMBERP, PUT, and EQUAL, to: (IMPLIES (AND (EQUAL ADDR2 0) (NUMBERP ADDR1) (NOT (EQUAL ADDR1 0))) (EQUAL (PUT 0 V2 (CONS (CAR MEM) (PUT (SUB1 ADDR1) V1 (CDR MEM)))) (PUT ADDR1 V1 (CONS V2 (CDR MEM))))), which again simplifies, applying CDR-CONS and CAR-CONS, and unfolding the definitions of EQUAL and PUT, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP ADDR2)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM)))). This simplifies, using linear arithmetic, to the following two new conjectures: Case 2.2. (IMPLIES (AND (EQUAL ADDR2 0) (NOT (ZEROP ADDR2)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM)))). However this again simplifies, unfolding the definition of ZEROP, to: T. Case 2.1. (IMPLIES (AND (EQUAL ADDR1 0) (NOT (ZEROP ADDR2)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM)))), which again simplifies, applying CDR-CONS and CAR-CONS, and opening up ZEROP, SUB1, NUMBERP, EQUAL, and PUT, to: (IMPLIES (AND (EQUAL 0 (SUB1 ADDR2)) (NUMBERP ADDR2) (NOT (EQUAL 0 ADDR2))) (EQUAL (CONS V1 (CONS V2 (CDDR MEM))) (PUT 0 V1 (CONS (CAR MEM) (PUT (SUB1 ADDR2) V2 (CDR MEM)))))), which again simplifies, applying CDR-CONS, and opening up the definitions of EQUAL and PUT, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP ADDR2)) (EQUAL (PUT (SUB1 ADDR2) V2 (PUT (SUB1 ADDR1) V1 (CDR MEM))) (PUT (SUB1 ADDR1) V1 (PUT (SUB1 ADDR2) V2 (CDR MEM)))) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (PUT ADDR2 V2 (PUT ADDR1 V1 MEM)) (PUT ADDR1 V1 (PUT ADDR2 V2 MEM)))). This simplifies, applying the lemmas CAR-CONS and CDR-CONS, and expanding the definitions of ZEROP and PUT, to the following two new formulas: Case 1.2. (IMPLIES (AND (NOT (EQUAL ADDR2 0)) (EQUAL (PUT (SUB1 ADDR2) V2 (PUT (SUB1 ADDR1) V1 (CDR MEM))) (PUT (SUB1 ADDR1) V1 (PUT (SUB1 ADDR2) V2 (CDR MEM)))) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (NOT (EQUAL ADDR1 0))) (EQUAL (PUT ADDR2 V2 (CONS (CAR MEM) (PUT (SUB1 ADDR1) V1 (CDR MEM)))) (CONS (CAR MEM) (PUT (SUB1 ADDR1) V1 (PUT (SUB1 ADDR2) V2 (CDR MEM)))))). But this again simplifies, rewriting with CDR-CONS and CAR-CONS, and opening up PUT, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL ADDR2 0)) (EQUAL (PUT (SUB1 ADDR2) V2 (PUT (SUB1 ADDR1) V1 (CDR MEM))) (PUT (SUB1 ADDR1) V1 (PUT (SUB1 ADDR2) V2 (CDR MEM)))) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (EQUAL ADDR1 0)) (EQUAL (PUT ADDR2 V2 (CONS V1 (CDR MEM))) (CONS V1 (PUT (SUB1 ADDR2) V2 (CDR MEM))))). But this again simplifies, rewriting with CAR-CONS and CDR-CONS, and expanding the definitions of SUB1, EQUAL, PUT, and NUMBERP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] PUT-PUT-2 (PROVE-LEMMA GET-PUT (REWRITE) (IMPLIES (AND (NUMBERP ADDR1) (NUMBERP ADDR2)) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) (IF (EQUAL ADDR1 ADDR2) VAL (GET ADDR1 MEM))))) This conjecture simplifies, trivially, to the following two new formulas: Case 2. (IMPLIES (AND (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2))) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) (GET ADDR1 MEM))). Name the above subgoal *1. Case 1. (IMPLIES (AND (NUMBERP ADDR1) (NUMBERP ADDR2) (EQUAL ADDR1 ADDR2)) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) VAL)). This again simplifies, obviously, to: (IMPLIES (NUMBERP ADDR2) (EQUAL (GET ADDR2 (PUT ADDR2 VAL MEM)) VAL)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (NUMBERP ADDR1) (NUMBERP ADDR2)) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) (IF (EQUAL ADDR1 ADDR2) VAL (GET ADDR1 MEM)))), named *1. Let us appeal to the induction principle. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP ADDR1) (p ADDR1 ADDR2 VAL MEM)) (IMPLIES (AND (NOT (ZEROP ADDR1)) (p (SUB1 ADDR1) (SUB1 ADDR2) VAL (CDR MEM))) (p ADDR1 ADDR2 VAL MEM))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT ADDR1) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for ADDR2 and MEM. The above induction scheme leads to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP ADDR1) (NUMBERP ADDR1) (NUMBERP ADDR2)) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) (IF (EQUAL ADDR1 ADDR2) VAL (GET ADDR1 MEM)))). This simplifies, opening up ZEROP, NUMBERP, PUT, EQUAL, and GET, to the following four new goals: Case 2.4. (IMPLIES (AND (EQUAL ADDR1 0) (NUMBERP ADDR2) (NOT (EQUAL 0 ADDR2)) (NOT (EQUAL ADDR2 0))) (EQUAL (CAR (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) (CAR MEM))). But this again simplifies, applying CAR-CONS, to: T. Case 2.3. (IMPLIES (AND (EQUAL ADDR1 0) (NUMBERP ADDR2) (NOT (EQUAL 0 ADDR2)) (EQUAL ADDR2 0)) (EQUAL (CAR (CONS VAL (CDR MEM))) (CAR MEM))). This again simplifies, trivially, to: T. Case 2.2. (IMPLIES (AND (EQUAL ADDR1 0) (NUMBERP ADDR2) (EQUAL 0 ADDR2) (NOT (EQUAL ADDR2 0))) (EQUAL (CAR (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) VAL)). This again simplifies, obviously, to: T. Case 2.1. (IMPLIES (AND (EQUAL ADDR1 0) (NUMBERP ADDR2) (EQUAL 0 ADDR2) (EQUAL ADDR2 0)) (EQUAL (CAR (CONS VAL (CDR MEM))) VAL)). But this again simplifies, applying CAR-CONS, and unfolding NUMBERP and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP ADDR1)) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) (IF (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) VAL (GET (SUB1 ADDR1) (CDR MEM)))) (NUMBERP ADDR1) (NUMBERP ADDR2)) (EQUAL (GET ADDR1 (PUT ADDR2 VAL MEM)) (IF (EQUAL ADDR1 ADDR2) VAL (GET ADDR1 MEM)))). This simplifies, unfolding the definitions of ZEROP, PUT, and GET, to the following eight new formulas: Case 1.8. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (NOT (EQUAL (SUB1 ADDR1) (SUB1 ADDR2))) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM))) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (NOT (EQUAL ADDR2 0))) (EQUAL (GET ADDR1 (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) (GET (SUB1 ADDR1) (CDR MEM)))). This again simplifies, applying CDR-CONS, and opening up the definition of GET, to: T. Case 1.7. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (NOT (EQUAL (SUB1 ADDR1) (SUB1 ADDR2))) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM))) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (EQUAL ADDR2 0)) (EQUAL (GET ADDR1 (CONS VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM)))). But this again simplifies, rewriting with CDR-CONS, and opening up the definitions of SUB1, EQUAL, PUT, NUMBERP, and GET, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (NOT (EQUAL (SUB1 ADDR1) (SUB1 ADDR2))) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM))) (NUMBERP ADDR1) (NUMBERP ADDR2) (EQUAL ADDR1 ADDR2) (NOT (EQUAL ADDR2 0))) (EQUAL (GET ADDR1 (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) VAL)). This again simplifies, clearly, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (NOT (EQUAL (SUB1 ADDR1) (SUB1 ADDR2))) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM))) (NUMBERP ADDR1) (NUMBERP ADDR2) (EQUAL ADDR1 ADDR2) (EQUAL ADDR2 0)) (EQUAL (GET ADDR1 (CONS VAL (CDR MEM))) VAL)). This again simplifies, trivially, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) VAL) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (NOT (EQUAL ADDR2 0))) (EQUAL (GET ADDR1 (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) (GET (SUB1 ADDR1) (CDR MEM)))). But this again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) VAL) (NUMBERP ADDR1) (NUMBERP ADDR2) (NOT (EQUAL ADDR1 ADDR2)) (EQUAL ADDR2 0)) (EQUAL (GET ADDR1 (CONS VAL (CDR MEM))) (GET (SUB1 ADDR1) (CDR MEM)))), which again simplifies, applying the lemmas CAR-CONS and CDR-CONS, and expanding the definitions of SUB1, EQUAL, PUT, GET, and NUMBERP, to: (IMPLIES (AND (EQUAL (SUB1 ADDR1) 0) (NUMBERP ADDR1) (NOT (EQUAL ADDR1 0))) (EQUAL (CADR MEM) (GET (SUB1 ADDR1) (CDR MEM)))). This again simplifies, unfolding the definitions of EQUAL and GET, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) VAL) (NUMBERP ADDR1) (NUMBERP ADDR2) (EQUAL ADDR1 ADDR2) (NOT (EQUAL ADDR2 0))) (EQUAL (GET ADDR1 (CONS (CAR MEM) (PUT (SUB1 ADDR2) VAL (CDR MEM)))) VAL)), which again simplifies, rewriting with the lemma CDR-CONS, and opening up GET, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL ADDR1 0)) (EQUAL (SUB1 ADDR1) (SUB1 ADDR2)) (EQUAL (GET (SUB1 ADDR1) (PUT (SUB1 ADDR2) VAL (CDR MEM))) VAL) (NUMBERP ADDR1) (NUMBERP ADDR2) (EQUAL ADDR1 ADDR2) (EQUAL ADDR2 0)) (EQUAL (GET ADDR1 (CONS VAL (CDR MEM))) VAL)), which again simplifies, clearly, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GET-PUT (PROVE-LEMMA LENGTH-PUT (REWRITE) (IMPLIES (LESSP ADDR (LENGTH MEM)) (EQUAL (LENGTH (PUT ADDR VAL MEM)) (LENGTH MEM)))) Name the conjecture *1. Perhaps we can prove it by induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM)))) (p ADDR VAL MEM)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (p ADDR VAL MEM)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (p (SUB1 ADDR) VAL (CDR MEM))) (p ADDR VAL MEM))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT inform us that the measure (COUNT ADDR) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for MEM. The above induction scheme leads to the following four new conjectures: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM)))) (LESSP ADDR (LENGTH MEM))) (EQUAL (LENGTH (PUT ADDR VAL MEM)) (LENGTH MEM))). This simplifies, opening up LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR))) (LESSP ADDR (LENGTH MEM))) (EQUAL (LENGTH (PUT ADDR VAL MEM)) (LENGTH MEM))). This simplifies, rewriting with CDR-CONS, and expanding the functions LENGTH, NOT, OR, EQUAL, LESSP, and PUT, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (NOT (LESSP (SUB1 ADDR) (LENGTH (CDR MEM)))) (LESSP ADDR (LENGTH MEM))) (EQUAL (LENGTH (PUT ADDR VAL MEM)) (LENGTH MEM))), which simplifies, rewriting with SUB1-ADD1, and unfolding LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH MEM) 0) (NOT (NUMBERP (LENGTH MEM))))) (NOT (OR (EQUAL ADDR 0) (NOT (NUMBERP ADDR)))) (EQUAL (LENGTH (PUT (SUB1 ADDR) VAL (CDR MEM))) (LENGTH (CDR MEM))) (LESSP ADDR (LENGTH MEM))) (EQUAL (LENGTH (PUT ADDR VAL MEM)) (LENGTH MEM))). This simplifies, applying SUB1-ADD1 and CDR-CONS, and expanding LENGTH, NOT, OR, LESSP, and PUT, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-PUT (DISABLE GET) [ 0.0 0.0 0.0 ] GET-OFF (DISABLE PUT) [ 0.0 0.0 0.0 ] PUT-OFF (PROVE-LEMMA DIFFERENCE-1 (REWRITE) (EQUAL (DIFFERENCE X 1) (SUB1 X))) This simplifies, using linear arithmetic, to: (IMPLIES (LESSP X 1) (EQUAL (DIFFERENCE X 1) (SUB1 X))). Appealing to the lemma SUB1-ELIM, we now replace X by (ADD1 Z) to eliminate (SUB1 X). We employ the type restriction lemma noted when SUB1 was introduced to constrain the new variable. We must thus prove three new formulas: Case 3. (IMPLIES (AND (EQUAL X 0) (LESSP X 1)) (EQUAL (DIFFERENCE X 1) (SUB1 X))), which further simplifies, expanding the functions LESSP, DIFFERENCE, SUB1, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (NUMBERP X)) (LESSP X 1)) (EQUAL (DIFFERENCE X 1) (SUB1 X))), which further simplifies, appealing to the lemma SUB1-NNUMBERP, and unfolding the functions NUMBERP, EQUAL, LESSP, and DIFFERENCE, to: T. Case 1. (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL (ADD1 Z) 0)) (LESSP (ADD1 Z) 1)) (EQUAL (DIFFERENCE (ADD1 Z) 1) Z)), which further simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] DIFFERENCE-1 (PROVE-LEMMA DIFFERENCE-ELIM (ELIM) (IMPLIES (AND (NUMBERP I) (NOT (LESSP I J))) (EQUAL (PLUS J (DIFFERENCE I J)) I))) This conjecture simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] DIFFERENCE-ELIM (PROVE-LEMMA ASSOCIATIVITY-OF-PLUS (REWRITE) (EQUAL (PLUS (PLUS I J) K) (PLUS I (PLUS J K)))) This simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] ASSOCIATIVITY-OF-PLUS (PROVE-LEMMA COMMUTATIVITY-OF-PLUS (REWRITE) (EQUAL (PLUS I J) (PLUS J I))) WARNING: the newly proposed lemma, COMMUTATIVITY-OF-PLUS, could be applied whenever the previously added lemma ASSOCIATIVITY-OF-PLUS could. WARNING: the newly proposed lemma, COMMUTATIVITY-OF-PLUS, could be applied whenever the previously added lemma PLUS-RIGHT-ID could. This formula simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] COMMUTATIVITY-OF-PLUS (PROVE-LEMMA COMMUTATIVITY2-OF-PLUS (REWRITE) (EQUAL (PLUS I (PLUS K J)) (PLUS K (PLUS I J)))) WARNING: the previously added lemma, COMMUTATIVITY-OF-PLUS, could be applied whenever the newly proposed COMMUTATIVITY2-OF-PLUS could! This simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] COMMUTATIVITY2-OF-PLUS (DEFN TIMES-MEM-FN-LOOP (MEM) (IF (ZEROP (GET 0 MEM)) MEM (TIMES-MEM-FN-LOOP (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM)))) ((LESSP (GET 0 MEM)))) Linear arithmetic, the lemmas GET-PUT and COMMUTATIVITY-OF-PLUS, and the definitions of EQUAL and ZEROP inform us that the measure (GET 0 MEM) decreases according to the well-founded relation LESSP in each recursive call. Hence, TIMES-MEM-FN-LOOP is accepted under the definitional principle. Observe that: (OR (LISTP (TIMES-MEM-FN-LOOP MEM)) (EQUAL (TIMES-MEM-FN-LOOP MEM) MEM)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-MEM-FN-LOOP (DEFN TIMES-MEM-FN (MEM) (TIMES-MEM-FN-LOOP (PUT 2 0 MEM))) Observe that (LISTP (TIMES-MEM-FN MEM)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-MEM-FN (PROVE-LEMMA TIMES-MEM-FN-LOOP-IS-TIMES (REWRITE) (IMPLIES (AND (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (TIMES (GET 0 MEM) (GET 1 MEM)) (GET 2 MEM)) MEM))))) This formula simplifies, rewriting with the lemma COMMUTATIVITY-OF-PLUS, to the formula: (IMPLIES (AND (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))). Give the above formula the name *1. Perhaps we can prove it by induction. There are two plausible inductions, both of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (ZEROP (GET 0 MEM)) (p MEM)) (IMPLIES (AND (NOT (ZEROP (GET 0 MEM))) (p (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM)))) (p MEM))). Linear arithmetic, the lemmas GET-PUT and COMMUTATIVITY-OF-PLUS, and the definitions of EQUAL and ZEROP can be used to establish that the measure (GET 0 MEM) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates five new conjectures: Case 5. (IMPLIES (AND (ZEROP (GET 0 MEM)) (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))), which simplifies, using linear arithmetic, rewriting with COMMUTATIVITY-OF-PLUS and PUT-PUT-0, and unfolding ZEROP, NUMBERP, TIMES-MEM-FN-LOOP, EQUAL, TIMES, and PLUS, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP (GET 0 MEM))) (NOT (NUMBERP (GET 0 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))))) (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))). This simplifies, applying COMMUTATIVITY-OF-PLUS and GET-PUT, and unfolding the functions ZEROP and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP (GET 0 MEM))) (NOT (NUMBERP (GET 2 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))))) (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))), which simplifies, applying COMMUTATIVITY-OF-PLUS and GET-PUT, and expanding the functions ZEROP and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP (GET 0 MEM))) (NOT (LESSP 2 (LENGTH (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))))) (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))). This simplifies, using linear arithmetic, applying COMMUTATIVITY-OF-PLUS and LENGTH-PUT, and expanding ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP (GET 0 MEM))) (EQUAL (TIMES-MEM-FN-LOOP (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))) (PUT 0 0 (PUT 2 (PLUS (GET 2 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))) (TIMES (GET 0 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))) (GET 1 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))))) (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))))) (NUMBERP (GET 0 MEM)) (NUMBERP (GET 2 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP MEM) (PUT 0 0 (PUT 2 (PLUS (GET 2 MEM) (TIMES (GET 0 MEM) (GET 1 MEM))) MEM)))), which simplifies, rewriting with the lemmas COMMUTATIVITY-OF-PLUS, GET-PUT, COMMUTATIVITY2-OF-PLUS, PUT-PUT-1, and PUT-PUT-2, and unfolding the definitions of ZEROP, EQUAL, TIMES-MEM-FN-LOOP, and TIMES, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-MEM-FN-LOOP-IS-TIMES (PROVE-LEMMA TIMES-MEM-FN-IS-CORRECT NIL (IMPLIES (AND (NUMBERP (GET 0 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN MEM) (PUT 0 0 (PUT 2 (TIMES (GET 0 MEM) (GET 1 MEM)) MEM))))) This conjecture can be simplified, using the abbreviations AND, IMPLIES, and TIMES-MEM-FN, to: (IMPLIES (AND (NUMBERP (GET 0 MEM)) (LESSP 2 (LENGTH MEM))) (EQUAL (TIMES-MEM-FN-LOOP (PUT 2 0 MEM)) (PUT 0 0 (PUT 2 (TIMES (GET 0 MEM) (GET 1 MEM)) MEM)))). This simplifies, using linear arithmetic, applying LENGTH-PUT, GET-PUT, COMMUTATIVITY-OF-PLUS, PUT-PUT-1, and TIMES-MEM-FN-LOOP-IS-TIMES, and expanding NUMBERP, EQUAL, and PLUS, to: T. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-MEM-FN-IS-CORRECT (DEFN TIMES-STEP (S) (ST (ADD1-PC (PC S)) (STK S) (PUT 0 0 (PUT 2 (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))) (MEM S))) F (DEFS S))) Observe that (STP (TIMES-STEP S)) is a theorem. [ 0.0 0.0 0.0 ] TIMES-STEP (PROVE-LEMMA TIMES-CORRECT-LEMMA-REVISITED (REWRITE) (IMPLIES (AND (NUMBERP (GET 0 MEM)) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 MEM F DEFS) (TIMES (GET 0 MEM) 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP MEM) F DEFS))) ((INDUCT (TIMES-MEM-FN-LOOP MEM)))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, and TIMES-PROGRAM, to two new formulas: Case 2. (IMPLIES (AND (ZEROP (GET 0 MEM)) (NUMBERP (GET 0 MEM)) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(TIMES . 1) STK1 MEM F DEFS) (TIMES (GET 0 MEM) 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP MEM) F DEFS))), which simplifies, rewriting with the lemma SM-0, and opening up the definitions of ZEROP, NUMBERP, TIMES, EQUAL, and TIMES-MEM-FN-LOOP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL (GET 0 MEM) 0)) (NUMBERP (GET 0 MEM)) (IMPLIES (AND (NUMBERP (GET 0 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM)))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(TIMES . 1) STK1 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM)) F DEFS) (TIMES (GET 0 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))) 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 2 MEM) (GET 1 MEM)) MEM))) F DEFS))) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(TIMES . 1) STK1 MEM F DEFS) (TIMES (GET 0 MEM) 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP MEM) F DEFS))), which simplifies, applying COMMUTATIVITY-OF-PLUS, GET-PUT, PC-ST, DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, STEP-OPENER, DIFFERENCE-1, SM-0, SM-ADD1, SM-PLUS, and ST-EQUAL, and expanding the functions EQUAL, AND, IMPLIES, TIMES, LISTP, FETCH, CDR, CAR, GET, JUMPZ, ADD1-PC, EXECUTE, ADD, SUBI, JUMP, and CONS, to the new goal: (IMPLIES (AND (NOT (EQUAL (GET 0 MEM) 0)) (NUMBERP (GET 0 MEM)) (EQUAL (SM (ST '(TIMES . 1) STK1 (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 1 MEM) (GET 2 MEM)) MEM)) F DEFS) (TIMES (SUB1 (GET 0 MEM)) 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 1 MEM) (GET 2 MEM)) MEM))) F DEFS)) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (TIMES-MEM-FN-LOOP (PUT 0 (SUB1 (GET 0 MEM)) (PUT 2 (PLUS (GET 1 MEM) (GET 2 MEM)) MEM))) (TIMES-MEM-FN-LOOP MEM))), which again simplifies, rewriting with PC-ST and COMMUTATIVITY-OF-PLUS, and opening up the definition of TIMES-MEM-FN-LOOP, to: T. Q.E.D. [ 0.0 0.1 0.0 ] TIMES-CORRECT-LEMMA-REVISITED (PROVE-LEMMA TIMES-CORRECT-LEMMA-REVISITED-AND-GENERALIZED (REWRITE) (IMPLIES (AND (EQUAL R0 (GET 0 MEM)) (NUMBERP (GET 0 MEM)) (EQUAL (ASSOC 'TIMES DEFS) (TIMES-PROGRAM))) (EQUAL (SM (ST '(TIMES . 1) STK1 MEM F DEFS) (TIMES R0 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP MEM) F DEFS)))) This conjecture can be simplified, using the abbreviations AND, IMPLIES, and TIMES-PROGRAM, to: (IMPLIES (AND (EQUAL R0 (GET 0 MEM)) (NUMBERP (GET 0 MEM)) (EQUAL (ASSOC 'TIMES DEFS) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET)))) (EQUAL (SM (ST '(TIMES . 1) STK1 MEM F DEFS) (TIMES R0 4)) (ST '(TIMES . 1) STK1 (TIMES-MEM-FN-LOOP MEM) F DEFS))). This simplifies, appealing to the lemma TIMES-CORRECT-LEMMA-REVISITED, and expanding EQUAL and TIMES-PROGRAM, to: T. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-CORRECT-LEMMA-REVISITED-AND-GENERALIZED (PROVE-LEMMA TIMES-CORRECT-REVISITED NIL (IMPLIES (AND (EQUAL (FETCH (PC S) (DEFS S)) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) (TIMES-PROGRAM)) (LESSP 2 (LENGTH (MEM S))) (EQUAL R0 (GET 0 (MEM S))) (NUMBERP R0) (NOT (LESSP N (TIMES-CLOCK R0))) (NOT (HALTEDP S))) (EQUAL (SM S N) (SM (TIMES-STEP S) (DIFFERENCE N (TIMES-CLOCK R0))))) ((DISABLE COMMUTATIVITY-OF-PLUS COMMUTATIVITY2-OF-PLUS) (ENABLE TIMES-CLOCK))) This conjecture can be simplified, using the abbreviations NOT, AND, IMPLIES, TIMES-CLOCK, and TIMES-PROGRAM, to the conjecture: (IMPLIES (AND (EQUAL (FETCH (PC S) (DEFS S)) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (LESSP 2 (LENGTH (MEM S))) (EQUAL R0 (GET 0 (MEM S))) (NUMBERP R0) (NOT (LESSP N (PLUS 2 (TIMES R0 4) 2))) (NOT (HALTEDP S))) (EQUAL (SM S N) (SM (TIMES-STEP S) (DIFFERENCE N (PLUS 2 (TIMES R0 4) 2))))). This simplifies, opening up the definitions of FETCH, ADD1-PC, and TIMES-STEP, to: (IMPLIES (AND (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (LESSP 2 (LENGTH (MEM S))) (NUMBERP (GET 0 (MEM S))) (NOT (LESSP N (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2))) (NOT (HALTEDP S))) (EQUAL (SM S N) (SM (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT 0 0 (PUT 2 (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))) (MEM S))) F (DEFS S)) (DIFFERENCE N (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2))))). Applying the lemma DIFFERENCE-ELIM, replace N by: (PLUS (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2) X) to eliminate (DIFFERENCE N (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2)). We use the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. We would thus like to prove the following two new conjectures: Case 2. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (LESSP 2 (LENGTH (MEM S))) (NUMBERP (GET 0 (MEM S))) (NOT (LESSP N (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2))) (NOT (HALTEDP S))) (EQUAL (SM S N) (SM (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT 0 0 (PUT 2 (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))) (MEM S))) F (DEFS S)) (DIFFERENCE N (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2))))). However this further simplifies, applying SM-0, and unfolding the functions LESSP and DIFFERENCE, to the new formula: (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (LESSP 2 (LENGTH (MEM S))) (NUMBERP (GET 0 (MEM S))) (EQUAL (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2) 0) (NOT (HALTEDP S))) (EQUAL (SM S N) (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT 0 0 (PUT 2 (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))) (MEM S))) F (DEFS S)))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NUMBERP X) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) '(CALL TIMES)) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (LESSP 2 (LENGTH (MEM S))) (NUMBERP (GET 0 (MEM S))) (NOT (LESSP (PLUS (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2) X) (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2))) (NOT (HALTEDP S))) (EQUAL (SM S (PLUS (PLUS 2 (TIMES (GET 0 (MEM S)) 4) 2) X)) (SM (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT 0 0 (PUT 2 (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))) (MEM S))) F (DEFS S)) X))), which further simplifies, using linear arithmetic, rewriting with ASSOCIATIVITY-OF-PLUS, STEP-OPENER, DEFS-ST, PC-ST, HALTEDP-ST, STK-ST, MEM-ST, SM-0, SM-ADD1, GET-PUT, LENGTH-PUT, PLUS-RIGHT-ID, PUT-PUT-1, TIMES-MEM-FN-LOOP-IS-TIMES, TIMES-CORRECT-LEMMA-REVISITED-AND-GENERALIZED, CAR-CONS, CDR-CONS, and SM-PLUS, and unfolding LISTP, FETCH, CALL, CONS, ADD1-PC, CDR, EQUAL, CAR, EXECUTE, GET, MOVI, TIMES-PROGRAM, NUMBERP, JUMPZ, and RET, to: T. Q.E.D. [ 0.0 0.1 0.0 ] TIMES-CORRECT-REVISITED (PROVE-LEMMA VERIFICATION-CONDITIONS-FOR-TIMES NIL (AND (IMPLIES (AND (NUMBERP I0) (NUMBERP I1)) (AND (NUMBERP 0) (EQUAL (TIMES I0 I1) (PLUS 0 (TIMES I0 I1))))) (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (NOT (ZEROP R0))) (AND (NUMBERP (PLUS R2 R1)) (EQUAL (TIMES I0 I1) (PLUS (PLUS R2 R1) (TIMES (SUB1 R0) R1))))) (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (ZEROP R0)) (EQUAL R2 (TIMES I0 I1))))) This conjecture can be simplified, using the abbreviations ZEROP, NOT, IMPLIES, AND, and ASSOCIATIVITY-OF-PLUS, to three new formulas: Case 3. (IMPLIES (AND (NUMBERP I0) (NUMBERP I1)) (AND (NUMBERP 0) (EQUAL (TIMES I0 I1) (PLUS 0 (TIMES I0 I1))))), which simplifies, expanding the definitions of NUMBERP, EQUAL, PLUS, and AND, to: T. Case 2. (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (NOT (EQUAL R0 0)) (NUMBERP R0)) (AND (NUMBERP (PLUS R2 R1)) (EQUAL (TIMES I0 I1) (PLUS R2 R1 (TIMES (SUB1 R0) R1))))), which simplifies, rewriting with COMMUTATIVITY2-OF-PLUS and COMMUTATIVITY-OF-PLUS, and unfolding the functions TIMES and AND, to: T. Case 1. (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (ZEROP R0)) (EQUAL R2 (TIMES I0 I1))). This simplifies, unfolding the function ZEROP, to the following two new goals: Case 1.2. (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (EQUAL R0 0)) (EQUAL R2 (TIMES I0 I1))). However this again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NUMBERP R2) (EQUAL (TIMES I0 I1) (PLUS R2 (TIMES R0 R1))) (NOT (NUMBERP R0))) (EQUAL R2 (TIMES I0 I1))), which again simplifies, applying COMMUTATIVITY-OF-PLUS, and expanding TIMES, EQUAL, and PLUS, to: T. Q.E.D. [ 0.0 0.0 0.0 ] VERIFICATION-CONDITIONS-FOR-TIMES (CONSTRAIN P-STEP (REWRITE) (IMPLIES (P S) (P (STEP S))) ((P (LAMBDA (S) T)))) We will verify the consistency and the conservative nature of this constraint by attempting to prove (IMPLIES T T). This simplifies, clearly, to: T. Q.E.D. [ 0.0 0.0 0.0 ] P-STEP (PROVE-LEMMA P-INVARIANT (REWRITE) (IMPLIES (P S0) (P (SM S0 N))) ((ENABLE SM))) Call the conjecture *1. We will try to prove it by induction. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p S0 N)) (IMPLIES (AND (NOT (ZEROP N)) (p (STEP S0) (SUB1 N))) (p S0 N))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S0. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (ZEROP N) (P S0)) (P (SM S0 N))). This simplifies, applying SM-0, and expanding the functions ZEROP and SM, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP N)) (NOT (P (STEP S0))) (P S0)) (P (SM S0 N))), which simplifies, appealing to the lemma P-STEP, and unfolding the function ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (P (SM (STEP S0) (SUB1 N))) (P S0)) (P (SM S0 N))), which simplifies, unfolding the definitions of ZEROP and SM, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] P-INVARIANT (DEFN R0 (S) (GET 0 (MEM S))) [ 0.0 0.0 0.0 ] R0 (DEFN R1 (S) (GET 1 (MEM S))) [ 0.0 0.0 0.0 ] R1 (DEFN R2 (S) (GET 2 (MEM S))) [ 0.0 0.0 0.0 ] R2 (DEFN TIMESP (I0 I1 S) (AND (NUMBERP I0) (NUMBERP I1) (STP S) (NLISTP (STK S)) (EQUAL (ASSOC 'TIMES (DEFS S)) (TIMES-PROGRAM)) (EQUAL I1 (R1 S)) (IF (EQUAL (PC S) '(TIMES . 0)) (EQUAL I0 (R0 S)) (IF (EQUAL (PC S) '(TIMES . 1)) (AND (NUMBERP (R2 S)) (EQUAL (TIMES I0 I1) (PLUS (R2 S) (TIMES (R0 S) (R1 S))))) (IF (EQUAL (PC S) '(TIMES . 2)) (AND (NOT (ZEROP (R0 S))) (NUMBERP (R2 S)) (EQUAL (TIMES I0 I1) (PLUS (R2 S) (TIMES (R0 S) (R1 S))))) (IF (EQUAL (PC S) '(TIMES . 3)) (AND (NOT (ZEROP (R0 S))) (NUMBERP (R2 S)) (EQUAL (PLUS I1 (TIMES I0 I1)) (PLUS (R2 S) (TIMES (R0 S) (R1 S))))) (IF (EQUAL (PC S) '(TIMES . 4)) (AND (NUMBERP (R2 S)) (EQUAL (TIMES I0 I1) (PLUS (R2 S) (TIMES (R0 S) (R1 S))))) (IF (EQUAL (PC S) '(TIMES . 5)) (EQUAL (R2 S) (TIMES I0 I1)) F)))))))) From the definition we can conclude that: (OR (FALSEP (TIMESP I0 I1 S)) (TRUEP (TIMESP I0 I1 S))) is a theorem. [ 0.0 0.0 0.0 ] TIMESP (PROVE-LEMMA TIMESP-STEP (REWRITE) (IMPLIES (TIMESP I0 I1 S) (TIMESP I0 I1 (STEP S)))) WARNING: Note that the rewrite rule TIMESP-STEP will be stored so as to apply only to terms with the nonrecursive function symbol TIMESP. This formula can be simplified, using the abbreviations R2, R0, R1, TIMES-PROGRAM, TIMESP, and IMPLIES, to: (IMPLIES (AND (NUMBERP I0) (NUMBERP I1) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL I1 (GET 1 (MEM S))) (CASE (PC S) ((TIMES . 0) (EQUAL I0 (GET 0 (MEM S)))) ((TIMES . 1) (IF (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 I1) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) F)) ((TIMES . 2) (COND ((EQUAL (GET 0 (MEM S)) 0) F) ((NUMBERP (GET 0 (MEM S))) (IF (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 I1) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) F)) (T F))) ((TIMES . 3) (COND ((EQUAL (GET 0 (MEM S)) 0) F) ((NUMBERP (GET 0 (MEM S))) (IF (NUMBERP (GET 2 (MEM S))) (EQUAL (PLUS I1 (TIMES I0 I1)) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) F)) (T F))) ((TIMES . 4) (IF (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 I1) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) F)) ((TIMES . 5) (EQUAL (GET 2 (MEM S)) (TIMES I0 I1))) (OTHERWISE F))) (TIMESP I0 I1 (STEP S))), which simplifies, appealing to the lemmas STEP-OPENER, DIFFERENCE-1, and COMMUTATIVITY-OF-PLUS, and unfolding LISTP, FETCH, CDR, CAR, GET, MOVI, ADD1-PC, EQUAL, EXECUTE, RET, SUBI, ADD, JUMPZ, CONS, and JUMP, to 14 new conjectures: Case 14.(IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL (PC S) '(TIMES . 0)) (EQUAL I0 (GET 0 (MEM S))) (NOT (HALTEDP S))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 1) (STK S) (PUT 2 0 (MEM S)) F (DEFS S)))), which again simplifies, applying PC-ST, MEM-ST, GET-PUT, DEFS-ST, and STK-ST, and expanding the definitions of PLUS, R0, NUMBERP, R2, R1, EQUAL, TIMES-PROGRAM, and TIMESP, to: T. Case 13.(IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL (PC S) '(TIMES . 0)) (EQUAL I0 (GET 0 (MEM S))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)). But this again simplifies, opening up R0, R1, EQUAL, TIMES-PROGRAM, and TIMESP, to: T. Case 12.(IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 1))) (NOT (EQUAL (PC S) '(TIMES . 2))) (NOT (EQUAL (PC S) '(TIMES . 3))) (NOT (EQUAL (PC S) '(TIMES . 4))) (EQUAL (PC S) '(TIMES . 5)) (EQUAL (GET 2 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (NOT (HALTEDP S))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 5) (STK S) (MEM S) T (DEFS S)))), which again simplifies, applying the lemmas PC-ST, MEM-ST, DEFS-ST, and STK-ST, and opening up EQUAL, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 11.(IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 1))) (NOT (EQUAL (PC S) '(TIMES . 2))) (NOT (EQUAL (PC S) '(TIMES . 3))) (NOT (EQUAL (PC S) '(TIMES . 4))) (EQUAL (PC S) '(TIMES . 5)) (EQUAL (GET 2 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)), which again simplifies, unfolding the functions EQUAL, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 10.(IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 1))) (NOT (EQUAL (PC S) '(TIMES . 2))) (EQUAL (PC S) '(TIMES . 3)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (PLUS (GET 1 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 4) (STK S) (PUT 0 (SUB1 (GET 0 (MEM S))) (MEM S)) F (DEFS S)))), which again simplifies, rewriting with PC-ST, MEM-ST, GET-PUT, DEFS-ST, and STK-ST, and opening up the definitions of EQUAL, R0, R2, R1, TIMES-PROGRAM, and TIMESP, to: (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL (PC S) '(TIMES . 3)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (PLUS (GET 1 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (SUB1 (GET 0 (MEM S))) (GET 1 (MEM S)))))), which again simplifies, applying COMMUTATIVITY2-OF-PLUS, and opening up TIMES, to the new formula: (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL (PC S) '(TIMES . 3)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (PLUS (GET 1 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (PLUS (GET 1 (MEM S)) (GET 2 (MEM S)) (TIMES (SUB1 (GET 0 (MEM S))) (GET 1 (MEM S))))) (NOT (HALTEDP S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (SUB1 (GET 0 (MEM S))) (GET 1 (MEM S)))))), which again simplifies, using linear arithmetic, to: T. Case 9. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 1))) (NOT (EQUAL (PC S) '(TIMES . 2))) (EQUAL (PC S) '(TIMES . 3)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (PLUS (GET 1 (MEM S)) (TIMES I0 (GET 1 (MEM S)))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)), which again simplifies, unfolding the functions EQUAL, R2, R0, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 8. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 2)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 3) (STK S) (PUT 2 (PLUS (GET 1 (MEM S)) (GET 2 (MEM S))) (MEM S)) F (DEFS S)))), which again simplifies, rewriting with the lemmas COMMUTATIVITY2-OF-PLUS, COMMUTATIVITY-OF-PLUS, PC-ST, MEM-ST, GET-PUT, DEFS-ST, and STK-ST, and opening up the functions EQUAL, R2, R0, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 7. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 2)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S))) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)), which again simplifies, opening up EQUAL, R2, R0, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 6. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 1)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S)) (NOT (NUMBERP (GET 0 (MEM S))))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 5) (STK S) (MEM S) F (DEFS S)))), which again simplifies, applying COMMUTATIVITY-OF-PLUS, PC-ST, MEM-ST, DEFS-ST, and STK-ST, and unfolding the functions EQUAL, TIMES, PLUS, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 5. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 1)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S)) (EQUAL (GET 0 (MEM S)) 0)) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 5) (STK S) (MEM S) F (DEFS S)))). But this again simplifies, rewriting with COMMUTATIVITY-OF-PLUS, PC-ST, MEM-ST, DEFS-ST, and STK-ST, and expanding the functions EQUAL, TIMES, PLUS, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 4. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 1)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S)) (NOT (EQUAL (GET 0 (MEM S)) 0)) (NUMBERP (GET 0 (MEM S)))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 2) (STK S) (MEM S) F (DEFS S)))). This again simplifies, applying PC-ST, MEM-ST, DEFS-ST, and STK-ST, and unfolding EQUAL, R2, R0, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 3. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (EQUAL (PC S) '(TIMES . 1)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)). This again simplifies, unfolding the definitions of EQUAL, R0, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 2. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 2))) (NOT (EQUAL (PC S) '(TIMES . 3))) (EQUAL (PC S) '(TIMES . 4)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (NOT (HALTEDP S))) (TIMESP I0 (GET 1 (MEM S)) (ST '(TIMES . 1) (STK S) (MEM S) F (DEFS S)))), which again simplifies, applying the lemmas PC-ST, MEM-ST, DEFS-ST, and STK-ST, and expanding the functions EQUAL, R0, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Case 1. (IMPLIES (AND (NUMBERP I0) (NUMBERP (GET 1 (MEM S))) (STP S) (NOT (LISTP (STK S))) (EQUAL (ASSOC 'TIMES (DEFS S)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (NOT (EQUAL (PC S) '(TIMES . 0))) (NOT (EQUAL (PC S) '(TIMES . 2))) (NOT (EQUAL (PC S) '(TIMES . 3))) (EQUAL (PC S) '(TIMES . 4)) (NUMBERP (GET 2 (MEM S))) (EQUAL (TIMES I0 (GET 1 (MEM S))) (PLUS (GET 2 (MEM S)) (TIMES (GET 0 (MEM S)) (GET 1 (MEM S))))) (HALTEDP S)) (TIMESP I0 (GET 1 (MEM S)) S)), which again simplifies, expanding the functions EQUAL, R0, R2, R1, TIMES-PROGRAM, and TIMESP, to: T. Q.E.D. [ 0.0 0.1 0.1 ] TIMESP-STEP (FUNCTIONALLY-INSTANTIATE TIMESP-INVARIANT NIL (IMPLIES (TIMESP I0 I1 S0) (TIMESP I0 I1 (SM S0 N))) P-INVARIANT ((P (LAMBDA (S) (TIMESP I0 I1 S)))) ((DISABLE TIMESP))) The functional instantiation of P-INVARIANT under: ((P (LAMBDA (S) (TIMESP I0 I1 S)))) requires us to prove (IMPLIES (TIMESP I0 I1 S) (TIMESP I0 I1 (STEP S))). This conjecture simplifies, applying TIMESP-STEP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] TIMESP-INVARIANT (PROVE-LEMMA TIMES-CORRECT-REVISITED-AGAIN NIL (IMPLIES (AND (STP S0) (NLISTP (STK S0)) (EQUAL (ASSOC 'TIMES (DEFS S0)) (TIMES-PROGRAM)) (EQUAL I0 (GET 0 (MEM S0))) (EQUAL I1 (GET 1 (MEM S0))) (NUMBERP I0) (NUMBERP I1) (EQUAL (PC S0) '(TIMES . 0)) (EQUAL (PC (SM S0 N)) '(TIMES . 5))) (EQUAL (GET 2 (MEM (SM S0 N))) (TIMES I0 I1))) ((USE (TIMESP-INVARIANT)))) This formula can be simplified, using the abbreviations NLISTP, AND, IMPLIES, and TIMES-PROGRAM, to: (IMPLIES (AND (IMPLIES (TIMESP I0 I1 S0) (TIMESP I0 I1 (SM S0 N))) (STP S0) (NOT (LISTP (STK S0))) (EQUAL (ASSOC 'TIMES (DEFS S0)) '(TIMES (MOVI 2 0) (JUMPZ 0 5) (ADD 2 1) (SUBI 0 1) (JUMP 1) (RET))) (EQUAL I0 (GET 0 (MEM S0))) (EQUAL I1 (GET 1 (MEM S0))) (NUMBERP I0) (NUMBERP I1) (EQUAL (PC S0) '(TIMES . 0)) (EQUAL (PC (SM S0 N)) '(TIMES . 5))) (EQUAL (GET 2 (MEM (SM S0 N))) (TIMES I0 I1))), which simplifies, opening up the functions R0, R1, EQUAL, TIMES-PROGRAM, TIMESP, R2, and IMPLIES, to: T. Q.E.D. [ 0.0 0.0 0.0 ] TIMES-CORRECT-REVISITED-AGAIN (PROVE-LEMMA STEP-PRESERVES-HALTEDP (REWRITE) (IMPLIES (NOT (HALTEDP (STEP S))) (NOT (HALTEDP S))) ((ENABLE STEP))) This conjecture simplifies, applying STEP-OPENER, to: T. Q.E.D. [ 0.0 0.0 0.0 ] STEP-PRESERVES-HALTEDP (PROVE-LEMMA SM-PRESERVES-HALTEDP (REWRITE) (IMPLIES (NOT (HALTEDP (SM S N))) (NOT (HALTEDP S))) ((ENABLE SM))) WARNING: Note that SM-PRESERVES-HALTEDP contains the free variable N which will be chosen by instantiating the hypothesis (NOT (HALTEDP (SM S N))). . Appealing to the lemma PC-STK-MEM-HALTEDP-DEFS-ELIM, we now replace S by (ST D W V X Z) to eliminate (HALTEDP S), (DEFS S), (MEM S), (STK S), and (PC S). This generates two new conjectures: Case 2. (IMPLIES (AND (NOT (STP S)) (NOT (HALTEDP (SM S N)))) (NOT (HALTEDP S))), which simplifies, appealing to the lemma HALTEDP-NSTP, to: (IMPLIES (NOT (STP S)) (HALTEDP (SM S N))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (NOT (HALTEDP (SM S N))) (NOT (HALTEDP S))), which we named *1 above. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p S N)) (IMPLIES (AND (NOT (ZEROP N)) (p (STEP S) (SUB1 N))) (p S N))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (ZEROP N) (NOT (HALTEDP (SM S N)))) (NOT (HALTEDP S))). This simplifies, rewriting with SM-0, and unfolding the functions ZEROP and SM, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP N)) (HALTEDP (SM (STEP S) (SUB1 N))) (NOT (HALTEDP (SM S N)))) (NOT (HALTEDP S))), which simplifies, opening up the functions ZEROP and SM, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (NOT (HALTEDP (STEP S))) (NOT (HALTEDP (SM S N)))) (NOT (HALTEDP S))), which simplifies, applying STEP-OPENER, and unfolding the function ZEROP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] SM-PRESERVES-HALTEDP (PROVE-LEMMA ONLY-RET-SETS-HALTEDP (REWRITE) (IMPLIES (AND (NOT (HALTEDP S)) (AND (HALTEDP (STEP S)) (EQUAL DEFS (DEFS S)))) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) DEFS)))) 'RET)) ((ENABLE STEP))) This formula simplifies, expanding the definitions of EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, FETCH, STEP, and EQUAL, to the following nine new goals: Case 9. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S))))). However this again simplifies, applying the lemma HALTEDP-ST, and expanding the function EQUAL, to: T. Case 8. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S))))), which again simplifies, rewriting with the lemma HALTEDP-ST, and opening up the definition of EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))))), which again simplifies, rewriting with HALTEDP-ST, and unfolding EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (HALTEDP (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S))))). But this again simplifies, rewriting with the lemma HALTEDP-ST, and unfolding the function EQUAL, to: T. Case 5. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))))), which again simplifies, applying HALTEDP-ST, and opening up the function EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))))). However this again simplifies, rewriting with HALTEDP-ST, and opening up EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S))))). But this again simplifies, rewriting with HALTEDP-ST, and expanding the function EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S))))). However this again simplifies, applying the lemma HALTEDP-ST, and unfolding the definition of EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (HALTEDP (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S))))), which again simplifies, rewriting with the lemma HALTEDP-ST, to: T. Q.E.D. [ 0.0 0.7 0.0 ] ONLY-RET-SETS-HALTEDP (DEFN K (S D N) (IF (ZEROP N) 0 (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (ADD1 (K (STEP S) D (SUB1 N)))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definitions of AND, FETCH, and ZEROP inform us that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Hence, K is accepted under the principle of definition. From the definition we can conclude that (NUMBERP (K S D N)) is a theorem. [ 0.0 0.0 0.0 ] K (PROVE-LEMMA LENGTH-STK-STEP (REWRITE) (EQUAL (LENGTH (STK (STEP S))) (IF (HALTEDP S) (LENGTH (STK S)) (IF (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET) (SUB1 (LENGTH (STK S))) (IF (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'CALL) (ADD1 (LENGTH (STK S))) (LENGTH (STK S)))))) ((ENABLE STEP))) This simplifies, expanding the functions EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, RET, FETCH, and STEP, to the following 28 new conjectures: Case 28.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)))) (SUB1 (LENGTH (STK S))))). This again simplifies, unfolding EQUAL, to: T. Case 27.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, expanding the function EQUAL, to: T. Case 26.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, opening up EQUAL, to: T. Case 25.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, unfolding EQUAL, to: T. Case 24.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, opening up EQUAL, to: T. Case 23.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (LENGTH (STK (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, unfolding the function EQUAL, to: T. Case 22.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (LISTP (STK S))) (EQUAL (LENGTH (STK (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, applying STK-ST, and expanding EQUAL, to: (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (LISTP (STK S))) (EQUAL (LENGTH (CDR (STK S))) (SUB1 (LENGTH (STK S))))), which again simplifies, applying the lemma SUB1-ADD1, and unfolding the function LENGTH, to: T. Case 21.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (LISTP (STK S)))) (EQUAL (LENGTH (STK (ST (PC S) (STK S) (MEM S) T (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, rewriting with STK-ST, and opening up EQUAL, LENGTH, and SUB1, to: T. Case 20.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (SUB1 (LENGTH (STK S))))). This again simplifies, expanding the definition of EQUAL, to: T. Case 19.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, expanding EQUAL, to: T. Case 18.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)))) (SUB1 (LENGTH (STK S))))), which again simplifies, unfolding the definition of EQUAL, to: T. Case 17.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)))) (LENGTH (STK S)))), which again simplifies, rewriting with the lemma STK-ST, and expanding the definition of EQUAL, to: T. Case 16.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)))) (LENGTH (STK S)))), which again simplifies, applying STK-ST, and unfolding the function EQUAL, to: T. Case 15.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S)))) (LENGTH (STK S)))). However this again simplifies, applying the lemma STK-ST, and unfolding EQUAL, to: T. Case 14.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (LENGTH (STK S)))), which again simplifies, rewriting with STK-ST, and unfolding EQUAL, to: T. Case 13.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (LENGTH (STK S)))). However this again simplifies, rewriting with STK-ST, and expanding the function EQUAL, to: T. Case 12.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (LENGTH (STK S)))). This again simplifies, applying STK-ST, and expanding EQUAL, to: T. Case 11.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)))) (LENGTH (STK S)))). This again simplifies, applying the lemma STK-ST, and expanding the definition of EQUAL, to: T. Case 10.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)))) (LENGTH (STK S)))), which again simplifies, rewriting with STK-ST, and expanding EQUAL, to: T. Case 9. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)))) (ADD1 (LENGTH (STK S))))). But this again simplifies, unfolding the definition of EQUAL, to: T. Case 8. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, unfolding EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, opening up the function EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, unfolding EQUAL, to: T. Case 5. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, opening up the definition of EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP))) (EQUAL (LENGTH (STK (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, rewriting with STK-ST and CDR-CONS, and opening up the definitions of EQUAL and LENGTH, to: T. Case 3. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)))) (ADD1 (LENGTH (STK S))))). This again simplifies, opening up EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, expanding the definition of EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)))) (ADD1 (LENGTH (STK S))))), which again simplifies, expanding the definition of EQUAL, to: T. Q.E.D. [ 0.0 0.8 0.1 ] LENGTH-STK-STEP (PROVE-LEMMA EXISTS-TERMINATING-RET NIL (IMPLIES (AND (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM S0 N))) D)) (LESSP (K S0 D N) N)) ((ENABLE SM) (INDUCT (K S0 D N)))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to three new formulas: Case 3. (IMPLIES (AND (ZEROP N) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM S0 N))) D)) (LESSP (K S0 D N) N)), which simplifies, appealing to the lemma SM-0, and opening up ZEROP and SM, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LENGTH (STK S0)) D) (EQUAL (CAR (FETCH (PC S0) (DEFS S0))) 'RET) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM S0 N))) D)) (LESSP (K S0 D N) N)), which simplifies, expanding the functions FETCH, EQUAL, K, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (AND (EQUAL (LENGTH (STK S0)) D) (EQUAL (CAR (FETCH (PC S0) (DEFS S0))) 'RET))) (IMPLIES (AND (NUMBERP D) (NOT (LESSP (LENGTH (STK (STEP S0))) D)) (LESSP (LENGTH (STK (SM (STEP S0) (SUB1 N)))) D)) (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM S0 N))) D)) (LESSP (K S0 D N) N)), which simplifies, applying LENGTH-STK-STEP and SUB1-ADD1, and expanding FETCH, AND, NOT, IMPLIES, SM, K, LESSP, and EQUAL, to the following three new formulas: Case 1.3. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (NOT (HALTEDP S0)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET) (LESSP (SUB1 (LENGTH (STK S0))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM (STEP S0) (SUB1 N)))) D)) (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))). This again simplifies, using linear arithmetic, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (NOT (HALTEDP S0)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL) (LESSP (ADD1 (LENGTH (STK S0))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM (STEP S0) (SUB1 N)))) D)) (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET)) (NOT (HALTEDP S0)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL) (LESSP (ADD1 (LENGTH (STK S0))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S0)) D)) (LESSP (LENGTH (STK (SM (STEP S0) (SUB1 N)))) D)) (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.1 0.0 ] EXISTS-TERMINATING-RET (PROVE-LEMMA DEFS-STEP (REWRITE) (EQUAL (DEFS (STEP S)) (DEFS S)) ((ENABLE STEP))) This formula simplifies, unfolding the definitions of EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, RET, FETCH, and STEP, to the following 11 new goals: Case 11.(IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S))) (DEFS S))). This again simplifies, rewriting with DEFS-ST, to: T. Case 10.(IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S))) (DEFS S))). But this again simplifies, applying DEFS-ST, and opening up EQUAL, to: T. Case 9. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S))) (DEFS S))). However this again simplifies, applying DEFS-ST, and unfolding the definition of EQUAL, to: T. Case 8. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))) (DEFS S))). This again simplifies, rewriting with DEFS-ST, and opening up the function EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))) (DEFS S))). However this again simplifies, rewriting with DEFS-ST, and opening up EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (DEFS (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S))) (DEFS S))). This again simplifies, applying the lemma DEFS-ST, and unfolding EQUAL, to: T. Case 5. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (LISTP (STK S))) (EQUAL (DEFS (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S))) (DEFS S))), which again simplifies, applying DEFS-ST, and opening up the definition of EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (LISTP (STK S)))) (EQUAL (DEFS (ST (PC S) (STK S) (MEM S) T (DEFS S))) (DEFS S))). But this again simplifies, rewriting with DEFS-ST, and unfolding EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S))) (DEFS S))). However this again simplifies, rewriting with the lemma DEFS-ST, and opening up the definition of EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S))) (DEFS S))), which again simplifies, appealing to the lemma DEFS-ST, and unfolding the function EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (DEFS (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S))) (DEFS S))), which again simplifies, applying DEFS-ST, and opening up EQUAL, to: T. Q.E.D. [ 0.0 0.3 0.0 ] DEFS-STEP (PROVE-LEMMA PROPERTIES-OF-K (REWRITE) (IMPLIES (LESSP (K S0 D N) N) (AND (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET))) ((DISABLE LENGTH-STK-STEP) (ENABLE SM))) WARNING: Note that the proposed lemma PROPERTIES-OF-K is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This formula simplifies, unfolding the functions FETCH and AND, to two new formulas: Case 2. (IMPLIES (LESSP (K S0 D N) N) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)), which we will name *1. Case 1. (IMPLIES (LESSP (K S0 D N) N) (EQUAL (CAR (GET (CDR (PC (SM S0 (K S0 D N)))) (CDR (ASSOC (CAR (PC (SM S0 (K S0 D N)))) (DEFS S0))))) 'RET)). Appealing to the lemma PC-STK-MEM-HALTEDP-DEFS-ELIM, we now replace S0 by (ST C W V Z X) to eliminate (DEFS S0), (HALTEDP S0), (MEM S0), (STK S0), and (PC S0). We must thus prove two new conjectures: Case 1.2. (IMPLIES (AND (NOT (STP S0)) (LESSP (K S0 D N) N)) (EQUAL (CAR (GET (CDR (PC (SM S0 (K S0 D N)))) (CDR (ASSOC (CAR (PC (SM S0 (K S0 D N)))) (DEFS S0))))) 'RET)), which further simplifies, applying the lemma DEFS-NSTP, and opening up the functions LISTP, ASSOC, and CDR, to: (IMPLIES (AND (NOT (STP S0)) (LESSP (K S0 D N) N)) (EQUAL (CAR (GET (CDR (PC (SM S0 (K S0 D N)))) 0)) 'RET)), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (AND (IMPLIES (LESSP (K S0 D N) N) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)) (IMPLIES (LESSP (K S0 D N) N) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET))). We gave this the name *1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest six inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL N 0) (NOT (NUMBERP N))) (p S0 D N)) (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (p S0 D N)) (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (p (STEP S0) D (SUB1 N))) (p S0 D N))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S0. The above induction scheme generates the following eight new formulas: Case 8. (IMPLIES (AND (OR (EQUAL N 0) (NOT (NUMBERP N))) (LESSP (K S0 D N) N)) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)). This simplifies, expanding NOT, OR, EQUAL, K, and LESSP, to: T. Case 7. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N)))) (LESSP (K S0 D N) N)) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)). This simplifies, rewriting with SM-0, and opening up NOT, OR, K, FETCH, EQUAL, and LESSP, to two new goals: Case 7.2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET)) (EQUAL (ADD1 (K (STEP S0) D (SUB1 N))) 0)) (EQUAL (LENGTH (STK S0)) D)), which again simplifies, using linear arithmetic, to: T. Case 7.1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D))) (NOT (EQUAL (ADD1 (K (STEP S0) D (SUB1 N))) 0))), which again simplifies, using linear arithmetic, to: T. Case 6. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (NOT (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))) (LESSP (K S0 D N) N)) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)), which simplifies, applying SUB1-ADD1, and unfolding the functions NOT, OR, K, FETCH, and LESSP, to: T. Case 5. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (EQUAL (LENGTH (STK (SM (STEP S0) (K (STEP S0) D (SUB1 N))))) D) (EQUAL (CAR (FETCH (PC (SM (STEP S0) (K (STEP S0) D (SUB1 N)))) (DEFS (STEP S0)))) 'RET) (LESSP (K S0 D N) N)) (EQUAL (LENGTH (STK (SM S0 (K S0 D N)))) D)). This simplifies, appealing to the lemmas DEFS-STEP, SUB1-ADD1, and SM-ADD1, and unfolding the definitions of NOT, OR, K, FETCH, and LESSP, to: T. Case 4. (IMPLIES (AND (OR (EQUAL N 0) (NOT (NUMBERP N))) (LESSP (K S0 D N) N)) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET)). This simplifies, unfolding the functions NOT, OR, EQUAL, K, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N)))) (LESSP (K S0 D N) N)) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET)). This simplifies, applying SM-0, and unfolding the definitions of NOT, OR, K, FETCH, EQUAL, and LESSP, to two new goals: Case 3.2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET))) (NOT (EQUAL (ADD1 (K (STEP S0) D (SUB1 N))) 0))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (EQUAL (ADD1 (K (STEP S0) D (SUB1 N))) 0)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (NOT (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))) (LESSP (K S0 D N) N)) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET)), which simplifies, rewriting with SUB1-ADD1, and opening up NOT, OR, K, FETCH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (EQUAL (LENGTH (STK (SM (STEP S0) (K (STEP S0) D (SUB1 N))))) D) (EQUAL (CAR (FETCH (PC (SM (STEP S0) (K (STEP S0) D (SUB1 N)))) (DEFS (STEP S0)))) 'RET) (LESSP (K S0 D N) N)) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 D N))) (DEFS S0))) 'RET)). This simplifies, rewriting with the lemmas DEFS-STEP, SUB1-ADD1, and SM-ADD1, and opening up the definitions of NOT, OR, K, FETCH, LESSP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] PROPERTIES-OF-K (PROVE-LEMMA HALTEDP-PERSISTS (REWRITE) (IMPLIES (HALTEDP S) (HALTEDP (SM S N))) ((ENABLE SM STEP))) This simplifies, rewriting with SM-PRESERVES-HALTEDP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] HALTEDP-PERSISTS (PROVE-LEMMA HALTEDP-K (REWRITE) (IMPLIES (HALTEDP S) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N))))) This conjecture simplifies, opening up the functions FETCH, AND, and FIX, to five new formulas: Case 5. (IMPLIES (AND (HALTEDP S) (NOT (EQUAL (LENGTH (STK S)) D)) (NUMBERP N)) (EQUAL (K S D N) N)). Applying the lemma PC-STK-MEM-HALTEDP-DEFS-ELIM, replace S by (ST C W V X Z) to eliminate (HALTEDP S), (DEFS S), (MEM S), (STK S), and (PC S). This produces the following two new conjectures: Case 5.2. (IMPLIES (AND (NOT (STP S)) (HALTEDP S) (NOT (EQUAL (LENGTH (STK S)) D)) (NUMBERP N)) (EQUAL (K S D N) N)). However this further simplifies, applying HALTEDP-NSTP and STK-NSTP, and expanding the definition of LENGTH, to: (IMPLIES (AND (NOT (STP S)) (NOT (EQUAL 0 D)) (NUMBERP N)) (EQUAL (K S D N) N)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (HALTEDP S) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N)))), named *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p S D N)) (IMPLIES (AND (NOT (ZEROP N)) (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET))) (p S D N)) (IMPLIES (AND (NOT (ZEROP N)) (NOT (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET))) (p (STEP S) D (SUB1 N))) (p S D N))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definitions of AND, FETCH, and ZEROP establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme produces four new goals: Case 4. (IMPLIES (AND (ZEROP N) (HALTEDP S)) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N)))), which simplifies, opening up the definitions of ZEROP, EQUAL, K, FETCH, AND, and FIX, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP N)) (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) (HALTEDP S)) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N)))), which simplifies, opening up the functions ZEROP, FETCH, AND, K, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP N)) (NOT (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET))) (NOT (HALTEDP (STEP S))) (HALTEDP S)) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N)))), which simplifies, appealing to the lemma STEP-OPENER, and expanding the definitions of ZEROP, FETCH, and AND, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (NOT (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET))) (EQUAL (K (STEP S) D (SUB1 N)) (IF (AND (EQUAL (LENGTH (STK (STEP S))) D) (EQUAL (CAR (FETCH (PC (STEP S)) (DEFS (STEP S)))) 'RET)) 0 (FIX (SUB1 N)))) (HALTEDP S)) (EQUAL (K S D N) (IF (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) 0 (FIX N)))), which simplifies, rewriting with STEP-OPENER and ADD1-SUB1, and unfolding ZEROP, FETCH, AND, FIX, and K, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] HALTEDP-K (PROVE-LEMMA HALTING-PRESERVES-STK (REWRITE) (IMPLIES (HALTEDP (STEP S0)) (EQUAL (LENGTH (STK (STEP S0))) (LENGTH (STK S0)))) ((ENABLE STEP))) WARNING: the previously added lemma, LENGTH-STK-STEP, could be applied whenever the newly proposed HALTING-PRESERVES-STK could! This formula simplifies, applying STEP-OPENER, and unfolding EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, RET, FETCH, STEP, EQUAL, and LENGTH, to the following 12 new conjectures: Case 12.(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI) (HALTEDP (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) F (DEFS S0)))) (LENGTH (STK S0)))). This again simplifies, appealing to the lemma HALTEDP-ST, and opening up the definition of EQUAL, to: T. Case 11.(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI) (HALTEDP (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (MEM S0)) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (MEM S0)) F (DEFS S0)))) (LENGTH (STK S0)))), which again simplifies, applying the lemma HALTEDP-ST, and expanding the definition of EQUAL, to: T. Case 10.(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMP) (HALTEDP (ST (CONS (CAR (PC S0)) (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))), which again simplifies, applying HALTEDP-ST, and opening up EQUAL, to: T. Case 9. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET) (NOT (LISTP (STK S0))) (HALTEDP (ST (PC S0) (STK S0) (MEM S0) T (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (PC S0) (STK S0) (MEM S0) T (DEFS S0)))) 0)). But this again simplifies, rewriting with the lemmas HALTEDP-ST and STK-ST, and opening up EQUAL and LENGTH, to: T. Case 8. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET) (NOT (LISTP (STK S0))) (HALTEDP (ST (PC S0) (STK S0) (MEM S0) T (DEFS S0))) (HALTEDP S0)) (EQUAL (LENGTH (STK S0)) 0)), which again simplifies, applying HALTEDP-ST, and opening up EQUAL and LENGTH, to: T. Case 7. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'RET) (LISTP (STK S0)) (HALTEDP (ST (CAR (STK S0)) (CDR (STK S0)) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CAR (STK S0)) (CDR (STK S0)) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))). This again simplifies, applying HALTEDP-ST, and unfolding the definition of EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'CALL) (HALTEDP (ST (CONS (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 0) (CONS (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0)) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 0) (CONS (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0)) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))). This again simplifies, applying HALTEDP-ST, and unfolding the definition of EQUAL, to: T. Case 5. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)))) (HALTEDP (ST (CONS (CAR (PC S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))). But this again simplifies, applying the lemma HALTEDP-ST, and opening up the definition of EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) 0) (HALTEDP (ST (CONS (CAR (PC S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0)))))) (STK S0) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))), which again simplifies, appealing to the lemma HALTEDP-ST, and unfolding the function EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0))) (HALTEDP (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (MEM S0) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (MEM S0) F (DEFS S0)))) (LENGTH (STK S0)))), which again simplifies, applying HALTEDP-ST, and expanding EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'ADD) (HALTEDP (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (PLUS (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (GET (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0))) (MEM S0)) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (PLUS (GET (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (GET (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0))) (MEM S0)) F (DEFS S0)))) (LENGTH (STK S0)))). However this again simplifies, rewriting with HALTEDP-ST, and expanding EQUAL, to: T. Case 1. (IMPLIES (AND (EQUAL (CAR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) 'MOVE) (HALTEDP (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (GET (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (MEM S0)) F (DEFS S0))) (NOT (HALTEDP S0))) (EQUAL (LENGTH (STK (ST (CONS (CAR (PC S0)) (ADD1 (CDR (PC S0)))) (STK S0) (PUT (CADR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (GET (CADDR (GET (CDR (PC S0)) (CDR (ASSOC (CAR (PC S0)) (DEFS S0))))) (MEM S0)) (MEM S0)) F (DEFS S0)))) (LENGTH (STK S0)))). However this again simplifies, applying HALTEDP-ST, to: T. Q.E.D. [ 0.0 1.2 0.0 ] HALTING-PRESERVES-STK (PROVE-LEMMA ANOTHER-PROPERTY-OF-K (REWRITE) (IMPLIES (AND (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))) ((DISABLE LENGTH-STK-STEP) (ENABLE SM))) . Appealing to the lemma PC-STK-MEM-HALTEDP-DEFS-ELIM, we now replace S0 by (ST C W V X Z) to eliminate (HALTEDP S0), (DEFS S0), (MEM S0), (STK S0), and (PC S0). This generates two new goals: Case 2. (IMPLIES (AND (NOT (STP S0)) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))), which simplifies, applying the lemma HALTEDP-NSTP, to: T. Case 1. (IMPLIES (AND (NOT X) (LESSP (K (ST C W V X Z) D N) N)) (NOT (HALTEDP (SM (ST C W V X Z) (K (ST C W V X Z) D N))))), which simplifies, obviously, to the new conjecture: (IMPLIES (LESSP (K (ST C W V F Z) D N) N) (NOT (HALTEDP (SM (ST C W V F Z) (K (ST C W V F Z) D N))))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))). We named this *1. We will try to prove it by induction. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL N 0) (NOT (NUMBERP N))) (p S0 D N)) (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (p S0 D N)) (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (p (STEP S0) D (SUB1 N))) (p S0 D N))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to prove that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S0. The above induction scheme leads to the following five new goals: Case 5. (IMPLIES (AND (OR (EQUAL N 0) (NOT (NUMBERP N))) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))). This simplifies, opening up the functions NOT, OR, EQUAL, K, and LESSP, to: T. Case 4. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N)))) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))). This simplifies, applying SM-0, and opening up NOT, OR, K, FETCH, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (HALTEDP (STEP S0)) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))), which simplifies, appealing to the lemmas ONLY-RET-SETS-HALTEDP, SUB1-ADD1, SM-ADD1, and HALTEDP-PERSISTS, and expanding the functions NOT, OR, K, FETCH, EQUAL, and LESSP, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (NOT (EQUAL (ADD1 (K (STEP S0) D (SUB1 N))) 0)) (HALTEDP (STEP S0)) (NOT (HALTEDP S0))) (NOT (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N)))). This again simplifies, obviously, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (HALTEDP (STEP S0)) (NOT (HALTEDP S0))) (NOT (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N)))), which further simplifies, rewriting with HALTING-PRESERVES-STK and HALTEDP-K, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S0)) D)) (HALTEDP (STEP S0)) (NOT (HALTEDP S0))) (NOT (LESSP (SUB1 N) (SUB1 N)))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (NOT (LESSP (K (STEP S0) D (SUB1 N)) (SUB1 N))) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))), which simplifies, applying SUB1-ADD1, and opening up the functions NOT, OR, K, FETCH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (OR (EQUAL (K S0 D N) 0) (NOT (NUMBERP (K S0 D N))))) (NOT (HALTEDP (SM (STEP S0) (K (STEP S0) D (SUB1 N))))) (NOT (HALTEDP S0)) (LESSP (K S0 D N) N)) (NOT (HALTEDP (SM S0 (K S0 D N))))). This simplifies, rewriting with SM-PRESERVES-HALTEDP, STEP-PRESERVES-HALTEDP, SUB1-ADD1, and SM-ADD1, and expanding NOT, OR, K, FETCH, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] ANOTHER-PROPERTY-OF-K (PROVE-LEMMA DECREASING-STK-MEANS-RET-EXISTS (REWRITE) (IMPLIES (AND (NOT (HALTEDP S0)) (LESSP (LENGTH (STK (SM S0 N))) (LENGTH (STK S0)))) (AND (LESSP (K S0 (LENGTH (STK S0)) N) N) (EQUAL (LENGTH (STK (SM S0 (K S0 (LENGTH (STK S0)) N)))) (LENGTH (STK S0))) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 (LENGTH (STK S0)) N))) (DEFS S0))) 'RET) (NOT (HALTEDP (SM S0 (K S0 (LENGTH (STK S0)) N)))))) ((DISABLE FETCH) (USE (EXISTS-TERMINATING-RET (D (LENGTH (STK S0))))))) WARNING: Note that the proposed lemma DECREASING-STK-MEANS-RET-EXISTS is to be stored as zero type prescription rules, zero compound recognizer rules, one linear rule, and three replacement rules. This formula simplifies, appealing to the lemmas PROPERTIES-OF-K and ANOTHER-PROPERTY-OF-K, and unfolding the functions NOT, AND, IMPLIES, and EQUAL, to the following four new conjectures: Case 4. (IMPLIES (AND (LESSP (LENGTH (STK S0)) (LENGTH (STK S0))) (NOT (HALTEDP S0)) (LESSP (LENGTH (STK (SM S0 N))) (LENGTH (STK S0)))) (LESSP (K S0 (LENGTH (STK S0)) N) N)). But this again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (LESSP (LENGTH (STK S0)) (LENGTH (STK S0))) (NOT (HALTEDP S0)) (LESSP (LENGTH (STK (SM S0 N))) (LENGTH (STK S0)))) (EQUAL (LENGTH (STK (SM S0 (K S0 (LENGTH (STK S0)) N)))) (LENGTH (STK S0)))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LESSP (LENGTH (STK S0)) (LENGTH (STK S0))) (NOT (HALTEDP S0)) (LESSP (LENGTH (STK (SM S0 N))) (LENGTH (STK S0)))) (EQUAL (CAR (FETCH (PC (SM S0 (K S0 (LENGTH (STK S0)) N))) (DEFS S0))) 'RET)), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (LESSP (LENGTH (STK S0)) (LENGTH (STK S0))) (NOT (HALTEDP S0)) (LESSP (LENGTH (STK (SM S0 N))) (LENGTH (STK S0)))) (NOT (HALTEDP (SM S0 (K S0 (LENGTH (STK S0)) N))))), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] DECREASING-STK-MEANS-RET-EXISTS (DISABLE PROPERTIES-OF-K) [ 0.0 0.0 0.0 ] PROPERTIES-OF-K-OFF (DISABLE ANOTHER-PROPERTY-OF-K) [ 0.0 0.0 0.0 ] ANOTHER-PROPERTY-OF-K-OFF (DEFN GROW-STK (S STK) (ST (PC S) (APPEND (STK S) STK) (MEM S) (HALTEDP S) (DEFS S))) From the definition we can conclude that (STP (GROW-STK S STK)) is a theorem. [ 0.0 0.0 0.0 ] GROW-STK (PROVE-LEMMA LISTP-APPEND (REWRITE) (EQUAL (LISTP (APPEND A B)) (OR (LISTP A) (LISTP B)))) This simplifies, unfolding the definition of OR, to the following two new goals: Case 2. (IMPLIES (NOT (LISTP A)) (EQUAL (LISTP (APPEND A B)) (LISTP B))). This again simplifies, opening up the definition of APPEND, to: T. Case 1. (IMPLIES (LISTP A) (EQUAL (LISTP (APPEND A B)) T)), which again simplifies, trivially, to: (IMPLIES (LISTP A) (LISTP (APPEND A B))), which we will name *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) B)) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new goals: Case 2. (IMPLIES (AND (NOT (LISTP (CDR A))) (LISTP A)) (LISTP (APPEND A B))). This simplifies, opening up the function APPEND, to: T. Case 1. (IMPLIES (AND (LISTP (APPEND (CDR A) B)) (LISTP A)) (LISTP (APPEND A B))). This simplifies, unfolding the definition of APPEND, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LISTP-APPEND (PROVE-LEMMA STEP-GROW-STK (REWRITE) (IMPLIES (NOT (HALTEDP (STEP S))) (EQUAL (STEP (GROW-STK S STK)) (GROW-STK (STEP S) STK))) ((ENABLE STEP))) This conjecture simplifies, rewriting with MEM-ST, STK-ST, DEFS-ST, PC-ST, HALTEDP-ST, STEP-PRESERVES-HALTEDP, ONLY-RET-SETS-HALTEDP, LISTP-APPEND, CAR-CONS, and CDR-CONS, and expanding the definitions of EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, RET, FETCH, STEP, GROW-STK, EQUAL, and APPEND, to the following five new goals: Case 5. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (LISTP (STK S))) (NOT (HALTEDP (ST (PC S) (STK S) (MEM S) T (DEFS S)))) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET))) (EQUAL (ST (PC S) STK (MEM S) F (DEFS S)) (GROW-STK S STK))). However this again simplifies, rewriting with the lemma HALTEDP-ST, to: T. Case 4. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (LISTP (STK S))) (NOT (HALTEDP (ST (PC S) (STK S) (MEM S) T (DEFS S)))) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (LISTP STK)) (EQUAL (ST (CAR STK) (CDR STK) (MEM S) F (DEFS S)) (GROW-STK (ST (PC S) (STK S) (MEM S) T (DEFS S)) STK))), which again simplifies, rewriting with HALTEDP-ST, and unfolding the definition of EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (LISTP (STK S))) (NOT (HALTEDP (ST (PC S) (STK S) (MEM S) T (DEFS S)))) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (LISTP STK))) (EQUAL (ST (PC S) STK (MEM S) T (DEFS S)) (GROW-STK (ST (PC S) (STK S) (MEM S) T (DEFS S)) STK))). This again simplifies, applying HALTEDP-ST, and opening up the definition of EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (LISTP (STK S)) (NOT (HALTEDP (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)))) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET))) (EQUAL (ST (PC S) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK S STK))). However this again simplifies, rewriting with HALTEDP-ST, STEP-PRESERVES-HALTEDP, and ONLY-RET-SETS-HALTEDP, and expanding EXECUTE, EQUAL, RET, FETCH, STEP, and GROW-STK, to: T. Case 1. (IMPLIES (AND (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (LISTP (STK S)) (NOT (HALTEDP (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)))) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (ST (CAR (APPEND (STK S) STK)) (CDR (APPEND (STK S) STK)) (MEM S) F (DEFS S)) (GROW-STK (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)) STK))). But this again simplifies, applying HALTEDP-ST, DEFS-ST, MEM-ST, STK-ST, PC-ST, and ST-EQUAL, and expanding the definitions of EQUAL and GROW-STK, to the following two new conjectures: Case 1.2. (IMPLIES (AND (NOT (HALTEDP S)) (LISTP (STK S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (APPEND (STK S) STK)) (CAR (STK S)))). Appealing to the lemmas PC-STK-MEM-HALTEDP-DEFS-ELIM and CAR-CDR-ELIM, we now replace S by (ST D W V X Z) to eliminate (HALTEDP S), (DEFS S), (MEM S), (STK S), and (PC S), D by (CONS X1 C) to eliminate (CDR D) and (CAR D), W by (CONS D Z1) to eliminate (CAR W) and (CDR W), and W by (CONS C X1) to eliminate (CAR W) and (CDR W). The result is three new conjectures: Case 1.2.3. (IMPLIES (AND (NOT (STP S)) (NOT (HALTEDP S)) (LISTP (STK S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (APPEND (STK S) STK)) (CAR (STK S)))), which further simplifies, rewriting with HALTEDP-NSTP, to: T. Case 1.2.2. (IMPLIES (AND (NOT (LISTP D)) (NOT X) (EQUAL (CAR (GET (CDR D) (CDR (ASSOC (CAR D) Z)))) 'RET)) (EQUAL (CAR (APPEND (CONS C X1) STK)) C)). However this further simplifies, rewriting with CDR-NLISTP, CAR-NLISTP, CDR-CONS, and CAR-CONS, and unfolding APPEND, to: T. Case 1.2.1. (IMPLIES (AND (NOT X) (EQUAL (CAR (GET C (CDR (ASSOC X1 Z)))) 'RET)) (EQUAL (CAR (APPEND (CONS D Z1) STK)) D)). However this further simplifies, rewriting with CDR-CONS and CAR-CONS, and expanding the function APPEND, to: T. Case 1.1. (IMPLIES (AND (NOT (HALTEDP S)) (LISTP (STK S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CDR (APPEND (STK S) STK)) (APPEND (CDR (STK S)) STK))). This again simplifies, applying CDR-CONS, and expanding APPEND, to: T. Q.E.D. [ 0.0 1.5 0.0 ] STEP-GROW-STK (PROVE-LEMMA SM-GROW-STK NIL (IMPLIES (NOT (HALTEDP (SM S N))) (EQUAL (SM (GROW-STK S STK) N) (GROW-STK (SM S N) STK))) ((INDUCT (SM S N)) (DISABLE GROW-STK) (ENABLE SM))) This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP N) (NOT (HALTEDP (SM S N)))) (EQUAL (SM (GROW-STK S STK) N) (GROW-STK (SM S N) STK))). This simplifies, applying SM-0, and unfolding the definitions of ZEROP and SM, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (IMPLIES (NOT (HALTEDP (SM (STEP S) (SUB1 N)))) (EQUAL (SM (GROW-STK (STEP S) STK) (SUB1 N)) (GROW-STK (SM (STEP S) (SUB1 N)) STK))) (NOT (HALTEDP (SM S N)))) (EQUAL (SM (GROW-STK S STK) N) (GROW-STK (SM S N) STK))), which simplifies, applying STEP-GROW-STK and SM-PRESERVES-HALTEDP, and unfolding the functions NOT, IMPLIES, and SM, to: T. Q.E.D. [ 0.0 0.0 0.0 ] SM-GROW-STK (PROVE-LEMMA LESSP-HALTEDP NIL (IMPLIES (AND (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))) ((ENABLE SM))) Call the conjecture *1. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL K 0) (NOT (NUMBERP K))) (p S N K)) (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p S N K)) (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (STEP S) (SUB1 N) (SUB1 K))) (p S N K))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for S and K. The above induction scheme generates five new formulas: Case 5. (IMPLIES (AND (OR (EQUAL K 0) (NOT (NUMBERP K))) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))), which simplifies, applying SM-0 and SM-PRESERVES-HALTEDP, and expanding the functions NOT, OR, EQUAL, LESSP, and SM, to: T. Case 4. (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))). This simplifies, expanding NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) (SUB1 K)) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))). This simplifies, using linear arithmetic, to: (IMPLIES (AND (LESSP K 1) (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) (SUB1 K)) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))), which again simplifies, unfolding the definitions of SUB1, NUMBERP, EQUAL, LESSP, NOT, and OR, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (HALTEDP (SM (STEP S) (SUB1 K)))) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))), which simplifies, opening up NOT, OR, LESSP, and SM, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL K 0) (NOT (NUMBERP K)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (HALTEDP (SM (STEP S) (SUB1 N))) (NOT (LESSP N K)) (HALTEDP (SM S K))) (HALTEDP (SM S N))), which simplifies, opening up the definitions of NOT, OR, LESSP, and SM, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-HALTEDP (PROVE-LEMMA EQUAL-LENGTH-0 (REWRITE) (EQUAL (EQUAL (LENGTH X) 0) (NLISTP X))) This formula simplifies, opening up the definition of NLISTP, to two new conjectures: Case 2. (IMPLIES (NOT (EQUAL (LENGTH X) 0)) (LISTP X)), which again simplifies, unfolding the definitions of LENGTH and EQUAL, to: T. Case 1. (IMPLIES (EQUAL (LENGTH X) 0) (NOT (LISTP X))), which we will name *1. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP X) (p X)) (IMPLIES (AND (NOT (NLISTP X)) (p (CDR X))) (p X))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP can be used to prove that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces three new formulas: Case 3. (IMPLIES (AND (NLISTP X) (EQUAL (LENGTH X) 0)) (NOT (LISTP X))), which simplifies, opening up NLISTP, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP X)) (NOT (EQUAL (LENGTH (CDR X)) 0)) (EQUAL (LENGTH X) 0)) (NOT (LISTP X))), which simplifies, opening up NLISTP and LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (NLISTP X)) (NOT (LISTP (CDR X))) (EQUAL (LENGTH X) 0)) (NOT (LISTP X))), which simplifies, expanding the definitions of NLISTP and LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-LENGTH-0 (PROVE-LEMMA STEP-IS-RET NIL (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET) (NLISTP (STK S))) (HALTEDP (STEP S))) ((ENABLE STEP))) This formula can be simplified, using the abbreviations NLISTP, NOT, AND, and IMPLIES, to: (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET) (NOT (LISTP (STK S)))) (HALTEDP (STEP S))), which simplifies, applying STEP-PRESERVES-HALTEDP, and opening up the functions FETCH, EXECUTE, EQUAL, RET, and STEP, to: (IMPLIES (AND (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (NOT (LISTP (STK S))) (NOT (HALTEDP S))) (HALTEDP (ST (PC S) (STK S) (MEM S) T (DEFS S)))), which again simplifies, appealing to the lemma HALTEDP-ST, to: T. Q.E.D. [ 0.0 0.1 0.0 ] STEP-IS-RET (PROVE-LEMMA DEFS-SM (REWRITE) (EQUAL (DEFS (SM S N)) (DEFS S)) ((ENABLE SM))) . Appealing to the lemma PC-STK-MEM-HALTEDP-DEFS-ELIM, we now replace S by (ST D W V Z X) to eliminate (DEFS S), (HALTEDP S), (MEM S), (STK S), and (PC S). We must thus prove two new formulas: Case 2. (IMPLIES (NOT (STP S)) (EQUAL (DEFS (SM S N)) (DEFS S))), which simplifies, rewriting with DEFS-NSTP, to: (IMPLIES (NOT (STP S)) (EQUAL (DEFS (SM S N)) 0)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (EQUAL (DEFS (SM S N)) (DEFS S)). We named this *1. We will try to prove it by induction. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p S N)) (IMPLIES (AND (NOT (ZEROP N)) (p (STEP S) (SUB1 N))) (p S N))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme produces two new goals: Case 2. (IMPLIES (ZEROP N) (EQUAL (DEFS (SM S N)) (DEFS S))), which simplifies, rewriting with SM-0, and expanding the definitions of ZEROP and SM, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (EQUAL (DEFS (SM (STEP S) (SUB1 N))) (DEFS (STEP S)))) (EQUAL (DEFS (SM S N)) (DEFS S))). This simplifies, applying DEFS-STEP, and opening up the functions ZEROP and SM, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] DEFS-SM (PROVE-LEMMA EXPAND-SM-N (REWRITE) (IMPLIES (AND (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (EQUAL (CAR (FETCH (PC (SM S K)) (DEFS S))) 'RET) (EQUAL (LENGTH (STK (SM S K))) 0)) (HALTEDP (SM S N))) ((USE (LESSP-HALTEDP (N N) (K (PLUS K 1))) (STEP-IS-RET (S (SM S K)))))) WARNING: Note that EXPAND-SM-N contains the free variable K which will be chosen by instantiating the hypothesis (LESSP K (SUB1 N)). This conjecture can be simplified, using the abbreviations EQUAL-LENGTH-0, NOT, IMPLIES, AND, DEFS-SM, SM-0, SM-ADD1, and SM-PLUS, to: (IMPLIES (AND (IMPLIES (AND (NOT (LESSP N (PLUS K 1))) (HALTEDP (STEP (SM S K)))) (HALTEDP (SM S N))) (IMPLIES (AND (NOT (HALTEDP (SM S K))) (EQUAL (CAR (FETCH (PC (SM S K)) (DEFS S))) 'RET) (NLISTP (STK (SM S K)))) (HALTEDP (STEP (SM S K)))) (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (EQUAL (CAR (FETCH (PC (SM S K)) (DEFS S))) 'RET) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S N))). This simplifies, rewriting with COMMUTATIVITY-OF-PLUS, DEFS-SM, ONLY-RET-SETS-HALTEDP, and STEP-PRESERVES-HALTEDP, and unfolding the definitions of NOT, AND, IMPLIES, EQUAL, NLISTP, and FETCH, to the goal: (IMPLIES (AND (LESSP N (PLUS 1 K)) (HALTEDP (STEP (SM S K))) (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S N))). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (LESSP N 1) (LESSP N (PLUS 1 K)) (HALTEDP (STEP (SM S K))) (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S N))). Appealing to the lemma SUB1-ELIM, we now replace N by (ADD1 X) to eliminate (SUB1 N). We rely upon the type restriction lemma noted when SUB1 was introduced to constrain the new variable. We must thus prove three new formulas: Case 3. (IMPLIES (AND (EQUAL N 0) (LESSP N 1) (LESSP N (PLUS 1 K)) (HALTEDP (STEP (SM S K))) (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S N))), which further simplifies, expanding the definitions of LESSP, EQUAL, and SUB1, to: T. Case 2. (IMPLIES (AND (NOT (NUMBERP N)) (LESSP N 1) (LESSP N (PLUS 1 K)) (HALTEDP (STEP (SM S K))) (LESSP K (SUB1 N)) (NOT (HALTEDP (SM S K))) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S N))), which further simplifies, applying SUB1-NNUMBERP, and opening up the definitions of NUMBERP, EQUAL, and LESSP, to: T. Case 1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (LESSP (ADD1 X) 1) (LESSP (ADD1 X) (PLUS 1 K)) (HALTEDP (STEP (SM S K))) (LESSP K X) (NOT (HALTEDP (SM S K))) (NOT (LISTP (STK (SM S K))))) (HALTEDP (SM S (ADD1 X)))). This further simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EXPAND-SM-N (PROVE-LEMMA PC-EQUIV (REWRITE) (IMPLIES (NOT (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) K))) (EQUAL (PC (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) K)) (PC (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) K)))) ((USE (SM-GROW-STK (S (ST (CONS PROG 0) NIL (MEM S) F (DEFS S))) (STK (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (N K))))) This formula simplifies, applying DEFS-ST, SM-PRESERVES-HALTEDP, MEM-ST, STK-ST, PC-ST, and DEFS-SM, and unfolding the functions NOT, APPEND, LISTP, GROW-STK, and IMPLIES, to: T. Q.E.D. [ 0.0 0.0 0.0 ] PC-EQUIV (PROVE-LEMMA LENGTH-APPEND (REWRITE) (EQUAL (LENGTH (APPEND A B)) (PLUS (LENGTH A) (LENGTH B)))) Call the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) B)) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP can be used to prove that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new goals: Case 2. (IMPLIES (AND (LISTP A) (EQUAL (LENGTH (APPEND (CDR A) B)) (PLUS (LENGTH (CDR A)) (LENGTH B)))) (EQUAL (LENGTH (APPEND A B)) (PLUS (LENGTH A) (LENGTH B)))), which simplifies, applying the lemmas COMMUTATIVITY-OF-PLUS and CDR-CONS, and opening up the definitions of APPEND and LENGTH, to: (IMPLIES (AND (LISTP A) (EQUAL (LENGTH (APPEND (CDR A) B)) (PLUS (LENGTH B) (LENGTH (CDR A))))) (EQUAL (ADD1 (LENGTH (APPEND (CDR A) B))) (PLUS (LENGTH B) (ADD1 (LENGTH (CDR A)))))). However this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (NOT (LISTP A)) (EQUAL (LENGTH (APPEND A B)) (PLUS (LENGTH A) (LENGTH B)))), which simplifies, opening up the functions APPEND, LENGTH, EQUAL, and PLUS, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-APPEND (PROVE-LEMMA GROW-STK-PROPS (REWRITE) (AND (EQUAL (PC (GROW-STK S STK)) (PC S)) (EQUAL (STK (GROW-STK S STK)) (APPEND (STK S) STK)) (EQUAL (MEM (GROW-STK S STK)) (MEM S)) (EQUAL (HALTEDP (GROW-STK S STK)) (HALTEDP S)) (EQUAL (DEFS (GROW-STK S STK)) (DEFS S)))) WARNING: Note that the proposed lemma GROW-STK-PROPS is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and five replacement rules. This formula can be simplified, using the abbreviation AND, to the following five new conjectures: Case 5. (EQUAL (PC (GROW-STK S STK)) (PC S)). This simplifies, applying PC-ST, and unfolding GROW-STK, to: T. Case 4. (EQUAL (STK (GROW-STK S STK)) (APPEND (STK S) STK)), which simplifies, rewriting with the lemma STK-ST, and expanding the function GROW-STK, to: T. Case 3. (EQUAL (MEM (GROW-STK S STK)) (MEM S)), which simplifies, applying the lemma MEM-ST, and expanding GROW-STK, to: T. Case 2. (EQUAL (HALTEDP (GROW-STK S STK)) (HALTEDP S)), which simplifies, appealing to the lemma HALTEDP-ST, and unfolding GROW-STK, to: T. Case 1. (EQUAL (DEFS (GROW-STK S STK)) (DEFS S)), which simplifies, appealing to the lemma DEFS-ST, and expanding GROW-STK, to: T. Q.E.D. [ 0.0 0.0 0.0 ] GROW-STK-PROPS (PROVE-LEMMA STEP-GROW-STK-REVISITED-1 (REWRITE) (IMPLIES (LESSP 0 (LENGTH (STK S))) (EQUAL (STEP (GROW-STK S STK)) (GROW-STK (STEP S) STK))) ((ENABLE STEP))) This formula simplifies, applying the lemmas EQUAL-LENGTH-0, MEM-ST, STK-ST, LISTP-APPEND, DEFS-ST, PC-ST, HALTEDP-ST, and GROW-STK-PROPS, and unfolding EQUAL, LESSP, GROW-STK, EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, RET, FETCH, and STEP, to the following 12 new goals: Case 12.(IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)) STK))). However this again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the definition of GROW-STK, to: T. Case 11.(IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)) STK))). But this again simplifies, rewriting with the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding EQUAL and GROW-STK, to: T. Case 10.(IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S)) STK))), which again simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and unfolding EQUAL and GROW-STK, to: T. Case 9. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))). However this again simplifies, appealing to the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding the functions EQUAL and GROW-STK, to: T. Case 8. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))), which again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the functions EQUAL and GROW-STK, to: T. Case 7. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK)) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) STK))). However this again simplifies, applying the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, CAR-CONS, CDR-CONS, STK-ST, and PC-ST, and expanding the definitions of EQUAL, APPEND, and GROW-STK, to: T. Case 6. (IMPLIES (AND (LISTP (STK S)) (HALTEDP S)) (EQUAL (ST (PC S) (APPEND (STK S) STK) (MEM S) (HALTEDP S) (DEFS S)) (GROW-STK S STK))), which again simplifies, unfolding GROW-STK, to: T. Case 5. (IMPLIES (AND (LISTP (STK S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET))) (EQUAL (ST (PC S) (APPEND (STK S) STK) (MEM S) (HALTEDP S) (DEFS S)) (GROW-STK S STK))), which again simplifies, expanding the definition of GROW-STK, to: T. Case 4. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (ST (CAR (APPEND (STK S) STK)) (CDR (APPEND (STK S) STK)) (MEM S) F (DEFS S)) (GROW-STK (ST (CAR (STK S)) (CDR (STK S)) (MEM S) F (DEFS S)) STK))), which again simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, PC-ST, and ST-EQUAL, and unfolding EQUAL and GROW-STK, to the following two new goals: Case 4.2. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (APPEND (STK S) STK)) (CAR (STK S)))). Appealing to the lemmas PC-STK-MEM-HALTEDP-DEFS-ELIM and CAR-CDR-ELIM, we now replace S by (ST D X W V Z) to eliminate (STK S), (DEFS S), (HALTEDP S), (MEM S), and (PC S), D by (CONS X1 C) to eliminate (CDR D) and (CAR D), X by (CONS D Z1) to eliminate (CAR X) and (CDR X), and X by (CONS C X1) to eliminate (CAR X) and (CDR X). The result is three new conjectures: Case 4.2.3. (IMPLIES (AND (NOT (STP S)) (LISTP (STK S)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (APPEND (STK S) STK)) (CAR (STK S)))), which further simplifies, applying STK-NSTP, and opening up the definition of LISTP, to: T. Case 4.2.2. (IMPLIES (AND (NOT (LISTP D)) (NOT V) (EQUAL (CAR (GET (CDR D) (CDR (ASSOC (CAR D) Z)))) 'RET)) (EQUAL (CAR (APPEND (CONS C X1) STK)) C)). This further simplifies, applying CDR-NLISTP, CAR-NLISTP, CDR-CONS, and CAR-CONS, and expanding the function APPEND, to: T. Case 4.2.1. (IMPLIES (AND (NOT V) (EQUAL (CAR (GET C (CDR (ASSOC X1 Z)))) 'RET)) (EQUAL (CAR (APPEND (CONS D Z1) STK)) D)). This further simplifies, rewriting with CDR-CONS and CAR-CONS, and expanding the definition of APPEND, to: T. Case 4.1. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CDR (APPEND (STK S) STK)) (APPEND (CDR (STK S)) STK))). This again simplifies, rewriting with CDR-CONS, and unfolding the definition of APPEND, to: T. Case 3. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))). However this again simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding the functions EQUAL and GROW-STK, to: T. Case 2. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)) STK))). But this again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding EQUAL and GROW-STK, to: T. Case 1. (IMPLIES (AND (LISTP (STK S)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)) STK))). This again simplifies, appealing to the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up EQUAL and GROW-STK, to: T. Q.E.D. [ 0.0 1.2 0.1 ] STEP-GROW-STK-REVISITED-1 (PROVE-LEMMA STEP-GROW-STK-REVISITED-2 (REWRITE) (IMPLIES (NOT (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET)) (EQUAL (STEP (GROW-STK S STK)) (GROW-STK (STEP S) STK))) ((ENABLE STEP))) This simplifies, applying MEM-ST, STK-ST, DEFS-ST, PC-ST, HALTEDP-ST, and GROW-STK-PROPS, and expanding the definitions of FETCH, GROW-STK, EXECUTE, ADD1-PC, MOVE, MOVI, ADD, SUBI, JUMPZ, JUMP, CALL, and STEP, to the following 11 new conjectures: Case 11.(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (MEM S)) F (DEFS S)) STK))). However this again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the definitions of EQUAL and GROW-STK, to: T. Case 10.(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (PLUS (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (GET (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))) (MEM S)) F (DEFS S)) STK))). This again simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and unfolding the functions EQUAL and GROW-STK, to: T. Case 9. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)))) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (MEM S) F (DEFS S)) STK))). This again simplifies, applying the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the definitions of EQUAL and GROW-STK, to: T. Case 8. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (EQUAL (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) 0)) (EQUAL (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))), which again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the functions EQUAL and GROW-STK, to: T. Case 7. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ) (NOT (NUMBERP (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S))))) (EQUAL (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))). But this again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding EQUAL and GROW-STK, to: T. Case 6. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL)) (EQUAL (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK)) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) STK))). However this again simplifies, appealing to the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, CAR-CONS, CDR-CONS, STK-ST, and PC-ST, and expanding the definitions of EQUAL, APPEND, and GROW-STK, to: T. Case 5. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (HALTEDP S)) (EQUAL (ST (PC S) (APPEND (STK S) STK) (MEM S) (HALTEDP S) (DEFS S)) (GROW-STK S STK))), which again simplifies, opening up the function GROW-STK, to: T. Case 4. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL))) (EQUAL (ST (PC S) (APPEND (STK S) STK) (MEM S) (HALTEDP S) (DEFS S)) (GROW-STK S STK))), which again simplifies, unfolding the definition of GROW-STK, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMPZ)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'JUMP)) (EQUAL (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (APPEND (STK S) STK) (MEM S) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (STK S) (MEM S) F (DEFS S)) STK))), which again simplifies, rewriting with the lemmas DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and opening up the functions EQUAL and GROW-STK, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'ADD)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'SUBI)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (DIFFERENCE (GET (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))))) (MEM S)) F (DEFS S)) STK))), which again simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding the definitions of EQUAL and GROW-STK, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVE)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'MOVI)) (EQUAL (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (APPEND (STK S) STK) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)) (GROW-STK (ST (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S) (PUT (CADR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (CADDR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) (MEM S)) F (DEFS S)) STK))). But this again simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, and PC-ST, and expanding the functions EQUAL and GROW-STK, to: T. Q.E.D. [ 0.0 1.1 0.0 ] STEP-GROW-STK-REVISITED-2 (PROVE-LEMMA K-GROW-STK NIL (IMPLIES (AND (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK S STK) (PLUS D (LENGTH STK)) N) (K S D N))) ((INDUCT (K S D N)) (EXPAND (K (GROW-STK S STK) (PLUS D (LENGTH STK)) N)) (DISABLE GROW-STK))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to three new goals: Case 3. (IMPLIES (AND (ZEROP N) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK S STK) (PLUS D (LENGTH STK)) N) (K S D N))), which simplifies, unfolding the definitions of ZEROP, EQUAL, and K, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK S STK) (PLUS D (LENGTH STK)) N) (K S D N))), which simplifies, rewriting with COMMUTATIVITY-OF-PLUS, LENGTH-APPEND, and GROW-STK-PROPS, and unfolding the definitions of FETCH, EQUAL, and K, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (AND (EQUAL (LENGTH (STK S)) D) (EQUAL (CAR (FETCH (PC S) (DEFS S))) 'RET))) (IMPLIES (AND (NUMBERP D) (NOT (LESSP (LENGTH (STK (STEP S))) D))) (EQUAL (K (GROW-STK (STEP S) STK) (PLUS D (LENGTH STK)) (SUB1 N)) (K (STEP S) D (SUB1 N)))) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK S STK) (PLUS D (LENGTH STK)) N) (K S D N))). This simplifies, rewriting with the lemmas LENGTH-STK-STEP, GROW-STK-PROPS, COMMUTATIVITY-OF-PLUS, LENGTH-APPEND, STEP-GROW-STK-REVISITED-2, and ADD1-EQUAL, and expanding the definitions of FETCH, AND, NOT, IMPLIES, K, and EQUAL, to the following six new formulas: Case 1.6. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S)) D)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (LESSP (SUB1 (LENGTH (STK S))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D)) (NOT (EQUAL (PLUS (LENGTH STK) (LENGTH (STK S))) (PLUS D (LENGTH STK))))) (EQUAL (ADD1 (K (STEP (GROW-STK S STK)) (PLUS D (LENGTH STK)) (SUB1 N))) (ADD1 (K (STEP S) D (SUB1 N))))). But this again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S)) D)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET) (LESSP (SUB1 (LENGTH (STK S))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D)) (EQUAL (PLUS (LENGTH STK) (LENGTH (STK S))) (PLUS D (LENGTH STK)))) (EQUAL 0 (ADD1 (K (STEP S) D (SUB1 N))))), which again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S)) D)) (NOT (HALTEDP S)) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (LESSP (ADD1 (LENGTH (STK S))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK (STEP S) STK) (PLUS D (LENGTH STK)) (SUB1 N)) (K (STEP S) D (SUB1 N)))), which again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S)) D)) (EQUAL (K (GROW-STK (STEP S) STK) (PLUS D (LENGTH STK)) (SUB1 N)) (K (STEP S) D (SUB1 N))) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D)) (NOT (EQUAL (PLUS (LENGTH STK) (LENGTH (STK S))) (PLUS D (LENGTH STK))))) (EQUAL (ADD1 (K (STEP (GROW-STK S STK)) (PLUS D (LENGTH STK)) (SUB1 N))) (ADD1 (K (STEP S) D (SUB1 N))))), which again simplifies, using linear arithmetic and appealing to the lemma STEP-GROW-STK-REVISITED-1, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (LENGTH (STK S)) D)) (EQUAL (K (GROW-STK (STEP S) STK) (PLUS D (LENGTH STK)) (SUB1 N)) (K (STEP S) D (SUB1 N))) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D)) (EQUAL (PLUS (LENGTH STK) (LENGTH (STK S))) (PLUS D (LENGTH STK))) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (EQUAL 0 (ADD1 (K (STEP S) D (SUB1 N))))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'RET)) (NOT (HALTEDP S)) (EQUAL (CAR (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S))))) 'CALL) (LESSP (ADD1 (LENGTH (STK S))) D) (NUMBERP D) (NOT (LESSP (LENGTH (STK S)) D))) (EQUAL (K (GROW-STK (STEP S) STK) (PLUS D (LENGTH STK)) (SUB1 N)) (K (STEP S) D (SUB1 N)))), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.3 0.0 ] K-GROW-STK (PROVE-LEMMA STK-IS-NIL (REWRITE) (IMPLIES (LESSP (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)) (SUB1 N)) (EQUAL (LISTP (STK (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N))))) F)) ((USE (K-GROW-STK (S (ST (CONS PROG 0) NIL (MEM S) F (DEFS S))) (STK (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (D 0) (N (SUB1 N))) (PROPERTIES-OF-K (S0 (ST (CONS PROG 0) NIL (MEM S) F (DEFS S))) (D 0) (N (SUB1 N)))))) This formula can be simplified, using the abbreviations IMPLIES, AND, DEFS-ST, and STK-ST, to the new goal: (IMPLIES (AND (IMPLIES (AND (NUMBERP 0) (NOT (LESSP (LENGTH NIL) 0))) (EQUAL (K (GROW-STK (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (PLUS 0 (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)))) (SUB1 N)) (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)))) (IMPLIES (LESSP (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)) (SUB1 N)) (AND (EQUAL (LENGTH (STK (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N))))) 0) (EQUAL (CAR (FETCH (PC (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)))) (DEFS S))) 'RET))) (LESSP (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)) (SUB1 N))) (EQUAL (LISTP (STK (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N))))) F)), which simplifies, applying DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, PC-ST, CDR-CONS, and EQUAL-LENGTH-0, and unfolding NUMBERP, LENGTH, LESSP, NOT, AND, APPEND, LISTP, GROW-STK, EQUAL, PLUS, IMPLIES, and FETCH, to: T. Q.E.D. [ 0.0 0.1 0.0 ] STK-IS-NIL (PROVE-LEMMA HALTEDP-IS-OFF (REWRITE) (IMPLIES (LESSP (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)) (SUB1 N)) (EQUAL (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)))) F)) ((USE (K-GROW-STK (S (ST (CONS PROG 0) NIL (MEM S) F (DEFS S))) (STK (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (D 0) (N (SUB1 N))) (ANOTHER-PROPERTY-OF-K (S0 (ST (CONS PROG 0) NIL (MEM S) F (DEFS S))) (D 0) (N (SUB1 N)))))) This formula can be simplified, using the abbreviations IMPLIES, AND, HALTEDP-ST, and STK-ST, to: (IMPLIES (AND (IMPLIES (AND (NUMBERP 0) (NOT (LESSP (LENGTH NIL) 0))) (EQUAL (K (GROW-STK (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (PLUS 0 (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)))) (SUB1 N)) (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)))) (IMPLIES (AND (NOT F) (LESSP (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)) (SUB1 N))) (NOT (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) 0 (SUB1 N)))))) (LESSP (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)) (SUB1 N))) (EQUAL (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (ADD1 (LENGTH (STK S))) (SUB1 N)))) F)), which simplifies, rewriting with DEFS-ST, HALTEDP-ST, MEM-ST, STK-ST, PC-ST, and CDR-CONS, and expanding the definitions of NUMBERP, LENGTH, LESSP, NOT, AND, APPEND, LISTP, GROW-STK, EQUAL, PLUS, and IMPLIES, to: T. Q.E.D. [ 0.0 0.0 0.0 ] HALTEDP-IS-OFF (PROVE-LEMMA STANDARD-CORRECTNESS-IMPLIES-TERMINATION NIL (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'CALL PROG)) (NOT (ZEROP N)) (EQUAL (STK (SM S N)) (STK S))) (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) N))) ((EXPAND (SM S N)) (DISABLE DECREASING-STK-MEANS-RET-EXISTS STEP-PRESERVES-HALTEDP) (USE (DECREASING-STK-MEANS-RET-EXISTS (S0 (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S))) (N (SUB1 N)))))) This conjecture can be simplified, using the abbreviations ZEROP, NOT, AND, IMPLIES, DEFS-ST, STK-ST, and HALTEDP-ST, to the formula: (IMPLIES (AND (IMPLIES (AND (NOT F) (LESSP (LENGTH (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N)))) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))))) (AND (LESSP (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (SUB1 N)) (SUB1 N)) (EQUAL (LENGTH (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (SUB1 N))))) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)))) (EQUAL (CAR (FETCH (PC (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (SUB1 N)))) (DEFS S))) 'RET) (NOT (HALTEDP (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (K (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (LENGTH (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S))) (SUB1 N))))))) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'CALL PROG)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (STK (SM S N)) (STK S))) (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) N))). This simplifies, rewriting with CDR-CONS, SUB1-ADD1, EQUAL-LENGTH-0, CAR-CONS, STEP-OPENER, STK-IS-NIL, DEFS-ST, PC-EQUIV, HALTEDP-IS-OFF, and EXPAND-SM-N, and unfolding the definitions of NOT, LENGTH, LESSP, AND, FETCH, IMPLIES, SM, CALL, ADD1-PC, EQUAL, and EXECUTE, to: (IMPLIES (AND (LISTP (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N)))) (NOT (LESSP (SUB1 (LENGTH (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N))))) (LENGTH (STK S)))) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'CALL PROG)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N))) (STK S))) (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) N))). This again simplifies, obviously, to: (IMPLIES (AND (LISTP (STK S)) (NOT (LESSP (SUB1 (LENGTH (STK S))) (LENGTH (STK S)))) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'CALL PROG)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N))) (STK S))) (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) N))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (STK S)) 0) (LISTP (STK S)) (NOT (LESSP (SUB1 (LENGTH (STK S))) (LENGTH (STK S)))) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'CALL PROG)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (STK (SM (ST (CONS PROG 0) (CONS (CONS (CAR (PC S)) (ADD1 (CDR (PC S)))) (STK S)) (MEM S) F (DEFS S)) (SUB1 N))) (STK S))) (HALTEDP (SM (ST (CONS PROG 0) NIL (MEM S) F (DEFS S)) N))). But this again simplifies, applying EQUAL-LENGTH-0, to: T. Q.E.D. [ 0.0 0.1 0.0 ] STANDARD-CORRECTNESS-IMPLIES-TERMINATION (PROVE-LEMMA INFINITE-LOOP NIL (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))) ((ENABLE SM))) This conjecture simplifies, expanding the definition of FETCH, to: (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'JUMP (CDR (PC S)))) (NUMBERP (CDR (PC S)))) (NOT (HALTEDP (SM S N)))). Appealing to the lemmas PC-STK-MEM-HALTEDP-DEFS-ELIM and CAR-CDR-ELIM, we now replace S by (ST D W V X Z) to eliminate (HALTEDP S), (DEFS S), (MEM S), (STK S), and (PC S) and D by (CONS X1 C) to eliminate (CDR D) and (CAR D). We must thus prove three new goals: Case 3. (IMPLIES (AND (NOT (STP S)) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'JUMP (CDR (PC S)))) (NUMBERP (CDR (PC S)))) (NOT (HALTEDP (SM S N)))), which further simplifies, applying HALTEDP-NSTP, to: T. Case 2. (IMPLIES (AND (NOT (LISTP D)) (NOT X) (EQUAL (GET (CDR D) (CDR (ASSOC (CAR D) Z))) (LIST 'JUMP (CDR D))) (NUMBERP (CDR D))) (NOT (HALTEDP (SM (ST D W V X Z) N)))). This further simplifies, applying CDR-NLISTP and CAR-NLISTP, and expanding CONS and NUMBERP, to: (IMPLIES (AND (NOT (LISTP D)) (EQUAL (GET 0 (CDR (ASSOC 0 Z))) '(JUMP 0))) (NOT (HALTEDP (SM (ST D W V F Z) N)))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))). We named this *1. We will try to prove it by induction. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p S N I)) (IMPLIES (AND (NOT (ZEROP N)) (p (STEP S) (SUB1 N) I)) (p S N I))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme leads to the following five new goals: Case 5. (IMPLIES (AND (ZEROP N) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))). This simplifies, rewriting with SM-0, HALTEDP-ST, STEP-OPENER, CAR-CONS, CDR-CONS, CONS-CAR-CDR, and STEP-PRESERVES-HALTEDP, and expanding ZEROP, FETCH, EXECUTE, EQUAL, JUMP, and SM, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP N)) (HALTEDP (STEP S)) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))), which simplifies, rewriting with HALTEDP-PERSISTS, and unfolding the definitions of ZEROP, FETCH, and SM, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (HALTEDP (STEP S)) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'JUMP (CDR (PC S))))) (NOT (NUMBERP (CDR (PC S))))), which again simplifies, applying HALTEDP-ST, STEP-OPENER, CAR-CONS, CDR-CONS, CONS-CAR-CDR, and STEP-PRESERVES-HALTEDP, and unfolding FETCH, EXECUTE, EQUAL, and JUMP, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP N)) (NOT (EQUAL (FETCH (PC (STEP S)) (DEFS (STEP S))) (LIST 'JUMP I))) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))). This simplifies, applying the lemma DEFS-STEP, and opening up the definitions of ZEROP, FETCH, and SM, to the new goal: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (GET (CDR (PC (STEP S))) (CDR (ASSOC (CAR (PC (STEP S))) (DEFS S)))) (LIST 'JUMP (CDR (PC S))))) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'JUMP (CDR (PC S)))) (NUMBERP (CDR (PC S)))) (NOT (HALTEDP (SM (STEP S) (SUB1 N))))), which again simplifies, rewriting with HALTEDP-ST, STEP-OPENER, CAR-CONS, CDR-CONS, CONS-CAR-CDR, STEP-PRESERVES-HALTEDP, PC-ST, CDR-NLISTP, and CAR-NLISTP, and expanding the definitions of FETCH, EXECUTE, EQUAL, JUMP, CONS, and NUMBERP, to the new goal: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LISTP (PC S))) (NOT (EQUAL (GET (CDR '(0 . 0)) (CDR (ASSOC (CAR '(0 . 0)) (DEFS S)))) (LIST 'JUMP (CDR (PC S))))) (NOT (HALTEDP S)) (EQUAL (GET 0 (CDR (ASSOC 0 (DEFS S)))) '(JUMP 0))) (NOT (HALTEDP (SM (STEP S) (SUB1 N))))), which again simplifies, rewriting with CDR-NLISTP, and unfolding the definitions of CDR, CAR, CONS, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP N)) (NOT (EQUAL (CDR (PC (STEP S))) I)) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))). This simplifies, expanding the definitions of ZEROP, FETCH, and SM, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (CDR (PC (STEP S))) (CDR (PC S)))) (NOT (HALTEDP S)) (EQUAL (GET (CDR (PC S)) (CDR (ASSOC (CAR (PC S)) (DEFS S)))) (LIST 'JUMP (CDR (PC S)))) (NUMBERP (CDR (PC S)))) (NOT (HALTEDP (SM (STEP S) (SUB1 N))))), which again simplifies, rewriting with HALTEDP-ST, STEP-OPENER, CAR-CONS, CDR-CONS, CONS-CAR-CDR, STEP-PRESERVES-HALTEDP, PC-ST, CDR-NLISTP, and CAR-NLISTP, and unfolding the definitions of FETCH, EXECUTE, EQUAL, JUMP, CONS, and NUMBERP, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LISTP (PC S))) (NOT (EQUAL (CDR '(0 . 0)) (CDR (PC S)))) (NOT (HALTEDP S)) (EQUAL (GET 0 (CDR (ASSOC 0 (DEFS S)))) '(JUMP 0))) (NOT (HALTEDP (SM (STEP S) (SUB1 N))))), which again simplifies, rewriting with the lemma CDR-NLISTP, and unfolding the definitions of CDR and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (NOT (HALTEDP (SM (STEP S) (SUB1 N)))) (NOT (HALTEDP S)) (EQUAL (FETCH (PC S) (DEFS S)) (LIST 'JUMP I)) (NUMBERP I) (EQUAL (CDR (PC S)) I)) (NOT (HALTEDP (SM S N)))), which simplifies, applying SM-PRESERVES-HALTEDP and STEP-PRESERVES-HALTEDP, and expanding ZEROP, FETCH, and SM, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] INFINITE-LOOP