(NOTE-LIB "piton" T) Loading ./fm9001-piton/piton.lib Finished loading ./fm9001-piton/piton.lib Loading ./fm9001-piton/piton.o Loading ./fm9001-piton/0piton.o Finished loading ./fm9001-piton/0piton.o Loading ./fm9001-piton/1piton.o Finished loading ./fm9001-piton/1piton.o Loading ./fm9001-piton/2piton.o Finished loading ./fm9001-piton/2piton.o Loading ./fm9001-piton/3piton.o Finished loading ./fm9001-piton/3piton.o Loading ./fm9001-piton/4piton.o Finished loading ./fm9001-piton/4piton.o Loading ./fm9001-piton/5piton.o Finished loading ./fm9001-piton/5piton.o Finished loading ./fm9001-piton/piton.o (#./fm9001-piton/piton.lib #./fm9001-piton/piton) (SET-STATUS ADDITION-ON ADDITION ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] ADDITION-ON (SET-STATUS MULTIPLICATION-ON MULTIPLICATION ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] MULTIPLICATION-ON (SET-STATUS REMAINDERS-ON REMAINDERS ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] REMAINDERS-ON (SET-STATUS QUOTIENTS-ON QUOTIENTS ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] QUOTIENTS-ON (SET-STATUS EXPONENTIATION-ON EXPONENTIATION ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] EXPONENTIATION-ON (SET-STATUS LOGS-ON LOGS ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] LOGS-ON (SET-STATUS GCDS-ON GCDS ((OTHERWISE ENABLE))) [ 0.0 0.0 0.0 ] GCDS-ON (DEFN CLOCK-PLUS (X Y) (PLUS X Y)) From the definition we can conclude that (NUMBERP (CLOCK-PLUS X Y)) is a theorem. [ 0.0 0.0 0.0 ] CLOCK-PLUS (PROVE-LEMMA P-ADD1 (REWRITE) (EQUAL (P P0 (ADD1 N)) (P (P-STEP P0) N)) ((DISABLE P-STEP))) This conjecture simplifies, applying SUB1-ADD1, and unfolding the function P, to the formula: (IMPLIES (NOT (NUMBERP N)) (EQUAL (P (P-STEP P0) 0) (P (P-STEP P0) N))). This again simplifies, expanding EQUAL and P, to: T. Q.E.D. [ 0.0 0.0 0.0 ] P-ADD1 (PROVE-LEMMA P-0 (REWRITE) (IMPLIES (ZEROP N) (EQUAL (P P0 N) P0))) This conjecture simplifies, opening up the functions ZEROP, EQUAL, and P, to: T. Q.E.D. 
[ 0.0 0.0 0.0 ] P-0 (PROVE-LEMMA CLOCK-PLUS-FUNCTION (REWRITE) (EQUAL (P P0 (CLOCK-PLUS X Y)) (P (P P0 X) Y)) ((INDUCT (P P0 X)) (DISABLE P P-STEP))) This formula can be simplified, using the abbreviations ZEROP, NOT, OR, AND, and CLOCK-PLUS, to the following two new formulas: Case 2. (IMPLIES (ZEROP X) (EQUAL (P P0 (PLUS X Y)) (P (P P0 X) Y))). This simplifies, applying P-0, and opening up the definitions of ZEROP, EQUAL, and PLUS, to two new formulas: Case 2.2. (IMPLIES (AND (EQUAL X 0) (NOT (NUMBERP Y))) (EQUAL (P P0 0) (P P0 Y))), which again simplifies, rewriting with the lemma P-0, and unfolding the definition of ZEROP, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Y))) (EQUAL (P P0 0) (P P0 Y))), which again simplifies, applying P-0, and opening up ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (P (P-STEP P0) (PLUS (SUB1 X) Y)) (P (P (P-STEP P0) (SUB1 X)) Y))) (EQUAL (P P0 (PLUS X Y)) (P (P P0 X) Y))). This simplifies, rewriting with COMMUTATIVITY-OF-PLUS and P-ADD1, and opening up PLUS, to: (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (P (P-STEP P0) (PLUS Y (SUB1 X))) (P (P (P-STEP P0) (SUB1 X)) Y))) (EQUAL (P (P (P-STEP P0) (SUB1 X)) Y) (P (P P0 X) Y))). Appealing to the lemma SUB1-ELIM, we now replace X by (ADD1 Z) to eliminate (SUB1 X). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. The result is: (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL (ADD1 Z) 0)) (EQUAL (P (P-STEP P0) (PLUS Y Z)) (P (P (P-STEP P0) Z) Y))) (EQUAL (P (P (P-STEP P0) Z) Y) (P (P P0 (ADD1 Z)) Y))). However this further simplifies, rewriting with the lemma P-ADD1, to: T. Q.E.D. [ 0.1 0.0 0.0 ] CLOCK-PLUS-FUNCTION (DISABLE P-ADD1) [ 0.0 0.0 0.0 ] P-ADD1-OFF (PROVE-LEMMA CLOCK-PLUS-ADD1 (REWRITE) (EQUAL (P P0 (CLOCK-PLUS (ADD1 X) Y)) (P P0 (ADD1 (CLOCK-PLUS X Y))))) WARNING: the previously added lemma, CLOCK-PLUS-FUNCTION, could be applied whenever the newly proposed CLOCK-PLUS-ADD1 could! 
This formula can be simplified, using the abbreviations PLUS-ADD1-ARG1 and CLOCK-PLUS, to: (EQUAL (P P0 (ADD1 (PLUS X Y))) (P P0 (ADD1 (PLUS X Y)))), which simplifies, obviously, to: T. Q.E.D. [ 0.0 0.0 0.0 ] CLOCK-PLUS-ADD1 (DISABLE CLOCK-PLUS) [ 0.0 0.0 0.0 ] CLOCK-PLUS-OFF (PROVE-LEMMA CLOCK-PLUS-0 (REWRITE) (IMPLIES (ZEROP X) (EQUAL (CLOCK-PLUS X Y) (FIX Y))) ((ENABLE CLOCK-PLUS))) This formula can be simplified, using the abbreviations IMPLIES and CLOCK-PLUS, to: (IMPLIES (ZEROP X) (EQUAL (PLUS X Y) (FIX Y))), which simplifies, opening up the functions ZEROP, EQUAL, PLUS, and FIX, to: T. Q.E.D. [ 0.0 0.0 0.0 ] CLOCK-PLUS-0 (PROVE-LEMMA FIX-CLOCK-PLUS (REWRITE) (EQUAL (FIX (CLOCK-PLUS X Y)) (CLOCK-PLUS X Y)) ((ENABLE CLOCK-PLUS))) WARNING: Note that the rewrite rule FIX-CLOCK-PLUS will be stored so as to apply only to terms with the nonrecursive function symbol FIX. This formula can be simplified, using the abbreviation CLOCK-PLUS, to the new conjecture: (EQUAL (FIX (PLUS X Y)) (PLUS X Y)), which simplifies, opening up FIX, to: T. Q.E.D. [ 0.0 0.0 0.0 ] FIX-CLOCK-PLUS (PROVE-LEMMA P-STEP1-OPENER (REWRITE) (EQUAL (P-STEP1 (CONS OPCODE OPERANDS) P) (IF (P-INS-OKP (CONS OPCODE OPERANDS) P) (P-INS-STEP (CONS OPCODE OPERANDS) P) (P-HALT P (X-Y-ERROR-MSG 'P OPCODE)))) ((DISABLE P-INS-OKP P-INS-STEP))) WARNING: Note that the rewrite rule P-STEP1-OPENER will be stored so as to apply only to terms with the nonrecursive function symbol P-STEP1. This formula can be simplified, using the abbreviations CDR-CONS, UNPACK-PACK, and X-Y-ERROR-MSG, to: (EQUAL (P-STEP1 (CONS OPCODE OPERANDS) P) (IF (P-INS-OKP (CONS OPCODE OPERANDS) P) (P-INS-STEP (CONS OPCODE OPERANDS) P) (P-HALT P (PACK (APPEND '(73 76 76 69 71 65 76 45 . 0) (APPEND (UNPACK OPCODE) '(45 73 78 83 84 82 85 67 84 73 79 78 . 0))))))), which simplifies, applying CAR-CONS, and opening up the definitions of P-HALT, X-Y-ERROR-MSG, UNPACK, CDR, CAR, LISTP, APPEND, and P-STEP1, to: T. Q.E.D. 
[ 0.0 0.0 0.0 ] P-STEP1-OPENER (DISABLE P-STEP1) [ 0.0 0.0 0.0 ] P-STEP1-OFF (PROVE-LEMMA P-OPENER (REWRITE) (AND (EQUAL (P S 0) S) (EQUAL (P (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW) (ADD1 N)) (P (P-STEP (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW)) N))) ((DISABLE P-STEP))) WARNING: Note that the proposed lemma P-OPENER is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This conjecture can be simplified, using the abbreviation AND, to two new goals: Case 2. (EQUAL (P S 0) S), which simplifies, rewriting with the lemma P-0, and unfolding the function ZEROP, to: T. Case 1. (EQUAL (P (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW) (ADD1 N)) (P (P-STEP (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW)) N)), which simplifies, rewriting with SUB1-ADD1, and opening up the definition of P, to: (IMPLIES (NOT (NUMBERP N)) (EQUAL (P (P-STEP (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW)) 0) (P (P-STEP (P-STATE PC CTRL TEMP PROG DATA MAX-CTRL MAX-TEMP WORD-SIZE PSW)) N))), which again simplifies, applying P-0, and expanding the definition of ZEROP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] P-OPENER (DISABLE P) [ 0.0 0.0 0.0 ] P-OFF (DEFN AT-LEAST-MOREP (BASE DELTA VALUE) (NOT (LESSP VALUE (PLUS BASE DELTA)))) Observe that: (OR (FALSEP (AT-LEAST-MOREP BASE DELTA VALUE)) (TRUEP (AT-LEAST-MOREP BASE DELTA VALUE))) is a theorem. [ 0.0 0.0 0.0 ] AT-LEAST-MOREP (PROVE-LEMMA AT-LEAST-MOREP-NORMALIZE (REWRITE) (AND (EQUAL (AT-LEAST-MOREP (ADD1 BASE) DELTA VALUE) (AT-LEAST-MOREP BASE (ADD1 DELTA) VALUE)) (EQUAL (AT-LEAST-MOREP BASE (ADD1 DELTA) (ADD1 VALUE)) (AT-LEAST-MOREP BASE DELTA VALUE)))) WARNING: Note that the rewrite rule AT-LEAST-MOREP-NORMALIZE will be stored so as to apply only to terms with the nonrecursive function symbol AT-LEAST-MOREP. 
WARNING: Note that the rewrite rule AT-LEAST-MOREP-NORMALIZE will be stored so as to apply only to terms with the nonrecursive function symbol AT-LEAST-MOREP. WARNING: Note that the proposed lemma AT-LEAST-MOREP-NORMALIZE is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This formula can be simplified, using the abbreviation AND, to the following two new formulas: Case 2. (EQUAL (AT-LEAST-MOREP (ADD1 BASE) DELTA VALUE) (AT-LEAST-MOREP BASE (ADD1 DELTA) VALUE)). This simplifies, applying the lemmas SUB1-ADD1, PLUS-ADD1-ARG1, and PLUS-ADD1-ARG2, and unfolding LESSP and AT-LEAST-MOREP, to the following eight new conjectures: Case 2.8. (IMPLIES (AND (NUMBERP DELTA) (NOT (LESSP VALUE (ADD1 (PLUS BASE DELTA))))) (NOT (EQUAL VALUE 0))). But this again simplifies, using linear arithmetic, to: T. Case 2.7. (IMPLIES (AND (NUMBERP DELTA) (NOT (LESSP VALUE (ADD1 (PLUS BASE DELTA))))) (NUMBERP VALUE)), which again simplifies, opening up the function LESSP, to: T. Case 2.6. (IMPLIES (AND (NUMBERP DELTA) (NOT (LESSP VALUE (ADD1 (PLUS BASE DELTA))))) (NOT (LESSP (SUB1 VALUE) (PLUS BASE DELTA)))), which again simplifies, using linear arithmetic, to: T. Case 2.5. (IMPLIES (AND (NUMBERP DELTA) (LESSP VALUE (ADD1 (PLUS BASE DELTA))) (NOT (EQUAL VALUE 0)) (NUMBERP VALUE)) (LESSP (SUB1 VALUE) (PLUS BASE DELTA))), which again simplifies, using linear arithmetic, to: T. Case 2.4. (IMPLIES (AND (NOT (NUMBERP DELTA)) (NOT (LESSP VALUE (ADD1 BASE)))) (NOT (EQUAL VALUE 0))), which again simplifies, using linear arithmetic, to: T. Case 2.3. (IMPLIES (AND (NOT (NUMBERP DELTA)) (NOT (LESSP VALUE (ADD1 BASE)))) (NUMBERP VALUE)), which again simplifies, opening up the definition of LESSP, to: T. Case 2.2. 
(IMPLIES (AND (NOT (NUMBERP DELTA)) (NOT (LESSP VALUE (ADD1 BASE)))) (NOT (LESSP (SUB1 VALUE) (PLUS BASE DELTA)))), which again simplifies, applying SUB1-ADD1 and PLUS-ZERO-ARG2, and opening up LESSP, ZEROP, and EQUAL, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP DELTA)) (LESSP VALUE (ADD1 BASE)) (NOT (EQUAL VALUE 0)) (NUMBERP VALUE)) (LESSP (SUB1 VALUE) (PLUS BASE DELTA))). This again simplifies, using linear arithmetic, to: T. Case 1. (EQUAL (AT-LEAST-MOREP BASE (ADD1 DELTA) (ADD1 VALUE)) (AT-LEAST-MOREP BASE DELTA VALUE)), which simplifies, applying SUB1-ADD1 and PLUS-ADD1-ARG2, and unfolding the definitions of LESSP and AT-LEAST-MOREP, to the following ten new conjectures: Case 1.10. (IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NUMBERP DELTA) (NUMBERP VALUE)) (LESSP VALUE (SUB1 (ADD1 (PLUS BASE DELTA))))). However this again simplifies, using linear arithmetic, to: T. Case 1.9. (IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NUMBERP DELTA) (NOT (NUMBERP VALUE))) (LESSP 0 (SUB1 (ADD1 (PLUS BASE DELTA))))), which again simplifies, using linear arithmetic, to: T. Case 1.8. (IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NUMBERP DELTA)) (NOT (EQUAL (ADD1 (PLUS BASE DELTA)) 0))), which again simplifies, using linear arithmetic, to: T. Case 1.7. (IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NOT (NUMBERP DELTA)) (NUMBERP VALUE)) (LESSP VALUE (SUB1 (ADD1 BASE)))), which again simplifies, rewriting with PLUS-ZERO-ARG2, SUB1-TYPE-RESTRICTION, and SUB1-ADD1, and expanding ZEROP, SUB1, EQUAL, and LESSP, to the new goal: (IMPLIES (AND (NOT (NUMBERP BASE)) (LESSP VALUE 0) (NOT (NUMBERP DELTA))) (NOT (NUMBERP VALUE))), which again simplifies, using linear arithmetic, to: T. Case 1.6. (IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NOT (NUMBERP DELTA)) (NOT (NUMBERP VALUE))) (LESSP 0 (SUB1 (ADD1 BASE)))), which again simplifies, rewriting with the lemmas PLUS-ZERO-ARG2 and SUB1-ADD1, and opening up the functions ZEROP, LESSP, and EQUAL, to: T. Case 1.5. 
(IMPLIES (AND (LESSP VALUE (PLUS BASE DELTA)) (NOT (NUMBERP DELTA))) (NOT (EQUAL (ADD1 BASE) 0))), which again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NUMBERP DELTA) (NOT (EQUAL (ADD1 (PLUS BASE DELTA)) 0)) (NUMBERP VALUE)) (NOT (LESSP VALUE (SUB1 (ADD1 (PLUS BASE DELTA)))))), which again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NUMBERP DELTA) (NOT (EQUAL (ADD1 (PLUS BASE DELTA)) 0)) (NOT (NUMBERP VALUE))) (NOT (LESSP 0 (SUB1 (ADD1 (PLUS BASE DELTA)))))), which again simplifies, rewriting with the lemmas EQUAL-PLUS-0 and PLUS-ZERO-ARG2, and expanding LESSP, NUMBERP, ZEROP, ADD1, EQUAL, SUB1, and PLUS, to: T. Case 1.2. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (NUMBERP DELTA)) (NOT (EQUAL (ADD1 BASE) 0)) (NUMBERP VALUE)) (NOT (LESSP VALUE (SUB1 (ADD1 BASE))))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (NUMBERP DELTA)) (NOT (EQUAL (ADD1 BASE) 0)) (NOT (NUMBERP VALUE))) (NOT (LESSP 0 (SUB1 (ADD1 BASE))))), which again simplifies, rewriting with PLUS-ZERO-ARG2 and SUB1-TYPE-RESTRICTION, and expanding the functions ZEROP, LESSP, ADD1, EQUAL, and SUB1, to: T. Q.E.D. [ 0.0 0.0 0.0 ] AT-LEAST-MOREP-NORMALIZE (PROVE-LEMMA AT-LEAST-MOREP-LINEAR (REWRITE) (IMPLIES (AND (AT-LEAST-MOREP BASE D1 VALUE) (NOT (LESSP D1 D2))) (AT-LEAST-MOREP BASE D2 VALUE))) WARNING: Note that the rewrite rule AT-LEAST-MOREP-LINEAR will be stored so as to apply only to terms with the nonrecursive function symbol AT-LEAST-MOREP. WARNING: Note that AT-LEAST-MOREP-LINEAR contains the free variable D1 which will be chosen by instantiating the hypothesis (AT-LEAST-MOREP BASE D1 VALUE). 
This formula can be simplified, using the abbreviations NOT, AT-LEAST-MOREP, AND, and IMPLIES, to: (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE D1))) (NOT (LESSP D1 D2))) (NOT (LESSP VALUE (PLUS BASE D2)))), which simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] AT-LEAST-MOREP-LINEAR (PROVE-LEMMA LESSP-AS-AT-LEAST-MOREP (REWRITE) (IMPLIES (AT-LEAST-MOREP BASE DELTA VALUE) (AND (EQUAL (LESSP VALUE X) (NOT (AT-LEAST-MOREP X 0 VALUE))) (EQUAL (LESSP X VALUE) (AT-LEAST-MOREP X 1 VALUE))))) WARNING: Note that LESSP-AS-AT-LEAST-MOREP contains the free variables DELTA and BASE which will be chosen by instantiating the hypothesis: (AT-LEAST-MOREP BASE DELTA VALUE). WARNING: Note that LESSP-AS-AT-LEAST-MOREP contains the free variables DELTA and BASE which will be chosen by instantiating the hypothesis: (AT-LEAST-MOREP BASE DELTA VALUE). WARNING: Note that the proposed lemma LESSP-AS-AT-LEAST-MOREP is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This conjecture can be simplified, using the abbreviations AT-LEAST-MOREP and IMPLIES, to the formula: (IMPLIES (NOT (LESSP VALUE (PLUS BASE DELTA))) (AND (EQUAL (LESSP VALUE X) (NOT (AT-LEAST-MOREP X 0 VALUE))) (EQUAL (LESSP X VALUE) (AT-LEAST-MOREP X 1 VALUE)))). This simplifies, applying PLUS-ZERO-ARG2, SUB1-ADD1, and PLUS-ADD1-ARG2, and opening up the functions ZEROP, AT-LEAST-MOREP, NOT, LESSP, NUMBERP, and AND, to seven new conjectures: Case 7. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (NUMBERP X))) (EQUAL (LESSP VALUE X) (LESSP VALUE 0))), which again simplifies, unfolding the functions LESSP and EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (EQUAL VALUE 0)) (EQUAL (LESSP X VALUE) F)), which again simplifies, applying the lemma EQUAL-PLUS-0, and unfolding the functions EQUAL and LESSP, to: T. Case 5. 
(IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (NUMBERP VALUE))) (EQUAL (LESSP X VALUE) F)), which again simplifies, rewriting with EQUAL-PLUS-0, and expanding the functions LESSP and EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NUMBERP X) (LESSP (SUB1 VALUE) X)) (EQUAL (LESSP X VALUE) F)). This again simplifies, trivially, to the new goal: (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NUMBERP X) (LESSP (SUB1 VALUE) X)) (NOT (LESSP X VALUE))), which again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (NUMBERP X)) (LESSP (SUB1 VALUE) 0)) (EQUAL (LESSP X VALUE) F)), which again simplifies, unfolding EQUAL and LESSP, to: T. Case 2. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (EQUAL VALUE 0)) (NUMBERP VALUE) (NUMBERP X) (NOT (LESSP (SUB1 VALUE) X))) (EQUAL (LESSP X VALUE) T)), which again simplifies, obviously, to: (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (EQUAL VALUE 0)) (NUMBERP VALUE) (NUMBERP X) (NOT (LESSP (SUB1 VALUE) X))) (LESSP X VALUE)), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LESSP VALUE (PLUS BASE DELTA))) (NOT (EQUAL VALUE 0)) (NUMBERP VALUE) (NOT (NUMBERP X)) (NOT (LESSP (SUB1 VALUE) 0))) (EQUAL (LESSP X VALUE) T)), which again simplifies, expanding the functions EQUAL and LESSP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-AS-AT-LEAST-MOREP (DISABLE AT-LEAST-MOREP) [ 0.0 0.0 0.0 ] AT-LEAST-MOREP-OFF (DEFN NAT-TO-BV (NAT SIZE) (IF (ZEROP SIZE) NIL (IF (LESSP NAT (EXP 2 (SUB1 SIZE))) (CONS 0 (NAT-TO-BV NAT (SUB1 SIZE))) (CONS 1 (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, NAT-TO-BV is accepted under the definitional principle. 
Observe that: (OR (LITATOM (NAT-TO-BV NAT SIZE)) (LISTP (NAT-TO-BV NAT SIZE))) is a theorem. [ 0.0 0.0 0.0 ] NAT-TO-BV (DEFN NAT-TO-BV-STATE (STATE SIZE) (IF (LISTP STATE) (CONS (NAT-TO-BV (CAR STATE) SIZE) (NAT-TO-BV-STATE (CDR STATE) SIZE)) NIL)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. Hence, NAT-TO-BV-STATE is accepted under the principle of definition. Note that: (OR (LITATOM (NAT-TO-BV-STATE STATE SIZE)) (LISTP (NAT-TO-BV-STATE STATE SIZE))) is a theorem. [ 0.0 0.0 0.0 ] NAT-TO-BV-STATE (DEFN XOR-BVS-PROGRAM NIL '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) Note that (LISTP (XOR-BVS-PROGRAM)) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS-PROGRAM (DEFN BIT-VECTORS-PITON (ARRAY SIZE) (IF (LISTP ARRAY) (AND (LISTP (CAR ARRAY)) (EQUAL (CAAR ARRAY) 'BITV) (BIT-VECTORP (CADAR ARRAY) SIZE) (EQUAL (CDDAR ARRAY) NIL) (BIT-VECTORS-PITON (CDR ARRAY) SIZE)) (EQUAL ARRAY NIL))) Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT ARRAY) decreases according to the well-founded relation LESSP in each recursive call. Hence, BIT-VECTORS-PITON is accepted under the definitional principle. Observe that: (OR (FALSEP (BIT-VECTORS-PITON ARRAY SIZE)) (TRUEP (BIT-VECTORS-PITON ARRAY SIZE))) is a theorem. 
[ 0.0 0.0 0.0 ] BIT-VECTORS-PITON (DEFN ARRAY (NAME SEGMENT) (CDR (ASSOC NAME SEGMENT))) [ 0.0 0.0 0.0 ] ARRAY (DEFN XOR-BVS-INPUT-CONDITIONP (P0) (AND (EQUAL (CAR (TOP (P-TEMP-STK P0))) 'NAT) (EQUAL (CAR (TOP (CDR (P-TEMP-STK P0)))) 'ADDR) (EQUAL (CDADR (TOP (CDR (P-TEMP-STK P0)))) 0) (LISTP (CADR (TOP (CDR (P-TEMP-STK P0))))) (EQUAL (CDDR (TOP (P-TEMP-STK P0))) NIL) (EQUAL (CDDR (TOP (CDR (P-TEMP-STK P0)))) NIL) (DEFINEDP (CAADR (TOP (CDR (P-TEMP-STK P0)))) (P-DATA-SEGMENT P0)) (BIT-VECTORS-PITON (ARRAY (CAADR (TOP (CDR (P-TEMP-STK P0)))) (P-DATA-SEGMENT P0)) (P-WORD-SIZE P0)) (EQUAL (CADR (TOP (P-TEMP-STK P0))) (LENGTH (ARRAY (CAADR (TOP (CDR (P-TEMP-STK P0)))) (P-DATA-SEGMENT P0)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE (P-CTRL-STK P0)) 4 (P-MAX-CTRL-STK-SIZE P0)) (AT-LEAST-MOREP (LENGTH (P-TEMP-STK P0)) 2 (P-MAX-TEMP-STK-SIZE P0)) (NOT (ZEROP (UNTAG (TOP (P-TEMP-STK P0))))) (LESSP (UNTAG (TOP (P-TEMP-STK P0))) (EXP 2 (P-WORD-SIZE P0))) (LISTP (P-CTRL-STK P0)))) From the definition we can conclude that: (OR (FALSEP (XOR-BVS-INPUT-CONDITIONP P0)) (TRUEP (XOR-BVS-INPUT-CONDITIONP P0))) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS-INPUT-CONDITIONP (DEFN XOR-BVS-CLOCK-LOOP (NUMVECS) (IF (ZEROP NUMVECS) 3 (PLUS 12 (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT NUMVECS) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BVS-CLOCK-LOOP is accepted under the definitional principle. From the definition we can conclude that (NUMBERP (XOR-BVS-CLOCK-LOOP NUMVECS)) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS-CLOCK-LOOP (DEFN XOR-BVS-CLOCK (NUMVECS) (PLUS 6 (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS)))) From the definition we can conclude that: (NUMBERP (XOR-BVS-CLOCK NUMVECS)) is a theorem. 
[ 0.3 0.0 0.0 ] XOR-BVS-CLOCK (DEFN XOR-BVS-ARRAY (CURRENT ARRAY N ARRAY-SIZE) (IF (ZEROP N) CURRENT (XOR-BVS-ARRAY (XOR-BITV CURRENT (UNTAG (GET (DIFFERENCE ARRAY-SIZE N) ARRAY))) ARRAY (SUB1 N) ARRAY-SIZE))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BVS-ARRAY is accepted under the definitional principle. From the definition we can conclude that: (OR (OR (LITATOM (XOR-BVS-ARRAY CURRENT ARRAY N ARRAY-SIZE)) (LISTP (XOR-BVS-ARRAY CURRENT ARRAY N ARRAY-SIZE))) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N ARRAY-SIZE) CURRENT)) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS-ARRAY (PROVE-LEMMA LESSP-1-EXP (REWRITE) (EQUAL (LESSP 1 (EXP A B)) (AND (LESSP 1 A) (NOT (ZEROP B)))) ((ENABLE EXP))) This formula simplifies, opening up ZEROP, NOT, and AND, to the following four new formulas: Case 4. (IMPLIES (NOT (LESSP 1 A)) (EQUAL (LESSP 1 (EXP A B)) F)). This again simplifies, trivially, to the new formula: (IMPLIES (NOT (LESSP 1 A)) (NOT (LESSP 1 (EXP A B)))), which we will name *1. Case 3. (IMPLIES (NOT (NUMBERP B)) (EQUAL (LESSP 1 (EXP A B)) F)). But this again simplifies, applying EXP-ZERO, and expanding the functions ZEROP, LESSP, and EQUAL, to: T. Case 2. (IMPLIES (EQUAL B 0) (EQUAL (LESSP 1 (EXP A B)) F)). This again simplifies, rewriting with EXP-0-ARG2, and opening up LESSP and EQUAL, to: T. Case 1. (IMPLIES (AND (LESSP 1 A) (NOT (EQUAL B 0)) (NUMBERP B)) (EQUAL (LESSP 1 (EXP A B)) T)). This again simplifies, clearly, to the new conjecture: (IMPLIES (AND (LESSP 1 A) (NOT (EQUAL B 0)) (NUMBERP B)) (LESSP 1 (EXP A B))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. 
So now let us return to: (EQUAL (LESSP 1 (EXP A B)) (AND (LESSP 1 A) (NOT (ZEROP B)))), named *1. Let us appeal to the induction principle. There are two plausible inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP B) (p A B)) (IMPLIES (AND (NOT (ZEROP B)) (p A (SUB1 B))) (p A B))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT B) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following two new conjectures: Case 2. (IMPLIES (ZEROP B) (EQUAL (LESSP 1 (EXP A B)) (AND (LESSP 1 A) (NOT (ZEROP B))))). This simplifies, applying EXP-0-ARG2 and EXP-ZERO, and unfolding the definitions of ZEROP, LESSP, NOT, AND, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP B)) (EQUAL (LESSP 1 (EXP A (SUB1 B))) (AND (LESSP 1 A) (NOT (ZEROP (SUB1 B)))))) (EQUAL (LESSP 1 (EXP A B)) (AND (LESSP 1 A) (NOT (ZEROP B))))), which simplifies, rewriting with EQUAL-SUB1-0, EXP-0-ARG2, TIMES-1-ARG1, COMMUTATIVITY-OF-TIMES, EXP-ADD1, EQUAL-EXP-0, EQUAL-EXP-1, and LESSP-1-TIMES, and unfolding the definitions of ZEROP, NOT, AND, EXP, and EQUAL, to the following five new conjectures: Case 1.5. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL B 1) (EQUAL (LESSP 1 (EXP A (SUB1 B))) F) (NOT (NUMBERP A))) (EQUAL (LESSP 1 0) (LESSP 1 A))). However this again simplifies, applying EXP-0-ARG2, and opening up EQUAL, NUMBERP, SUB1, and LESSP, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (LESSP 1 A)) (EQUAL (LESSP 1 (EXP A (SUB1 B))) F) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL A 1)). But this again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (LESSP 1 A) (NOT (EQUAL B 1)) (EQUAL (LESSP 1 (EXP A (SUB1 B))) T)) (NOT (EQUAL A 0))), which again simplifies, using linear arithmetic, to: T. Case 1.2. 
(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (LESSP 1 A) (NOT (EQUAL B 1)) (EQUAL (LESSP 1 (EXP A (SUB1 B))) T)) (NUMBERP A)), which again simplifies, unfolding the function LESSP, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (LESSP 1 A) (NOT (EQUAL B 1)) (EQUAL (LESSP 1 (EXP A (SUB1 B))) T)) (NOT (EQUAL A 1))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LESSP-1-EXP (PROVE-LEMMA BIT-VECTORS-PITON-MEANS (REWRITE) (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (AND (EQUAL (CAR (GET P STATE)) 'BITV) (LISTP (GET P STATE)) (BIT-VECTORP (CADR (GET P STATE)) SIZE) (EQUAL (CDDR (GET P STATE)) NIL)))) WARNING: Note that BIT-VECTORS-PITON-MEANS contains the free variable SIZE which will be chosen by instantiating the hypothesis: (BIT-VECTORS-PITON STATE SIZE). WARNING: Note that BIT-VECTORS-PITON-MEANS contains the free variable SIZE which will be chosen by instantiating the hypothesis: (BIT-VECTORS-PITON STATE SIZE). WARNING: Note that BIT-VECTORS-PITON-MEANS contains the free variable SIZE which will be chosen by instantiating the hypothesis: (BIT-VECTORS-PITON STATE SIZE). WARNING: Note that the proposed lemma BIT-VECTORS-PITON-MEANS is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and four replacement rules. This simplifies, unfolding AND, to four new conjectures: Case 4. (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)), which we will name *1. Case 3. (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. 
So now let us consider: (AND (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)) (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))) (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (BIT-VECTORP (CADR (GET P STATE)) SIZE)) (IMPLIES (AND (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CDDR (GET P STATE)) NIL))). We gave this the name *1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest 16 inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 P) (CDR STATE) SIZE)) (p P STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p P STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for P. The above induction scheme produces the following 16 new goals: Case 16.(IMPLIES (AND (LISTP STATE) (NOT (BIT-VECTORS-PITON (CDR STATE) SIZE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)). This simplifies, expanding the definition of BIT-VECTORS-PITON, to: T. Case 15.(IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)). This simplifies, rewriting with SUB1-ADD1, and opening up the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. 
Case 14.(IMPLIES (AND (LISTP STATE) (EQUAL (CAR (GET (SUB1 P) (CDR STATE))) 'BITV) (LISTP (GET (SUB1 P) (CDR STATE))) (BIT-VECTORP (CADR (GET (SUB1 P) (CDR STATE))) SIZE) (EQUAL (CDDR (GET (SUB1 P) (CDR STATE))) NIL) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)), which simplifies, applying SUB1-ADD1, and unfolding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 13.(IMPLIES (AND (NOT (LISTP STATE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CAR (GET P STATE)) 'BITV)). This simplifies, opening up the functions BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: T. Case 12.(IMPLIES (AND (LISTP STATE) (NOT (BIT-VECTORS-PITON (CDR STATE) SIZE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))). This simplifies, expanding the function BIT-VECTORS-PITON, to: T. Case 11.(IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))). This simplifies, rewriting with SUB1-ADD1, and unfolding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 10.(IMPLIES (AND (LISTP STATE) (EQUAL (CAR (GET (SUB1 P) (CDR STATE))) 'BITV) (LISTP (GET (SUB1 P) (CDR STATE))) (BIT-VECTORP (CADR (GET (SUB1 P) (CDR STATE))) SIZE) (EQUAL (CDDR (GET (SUB1 P) (CDR STATE))) NIL) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))), which simplifies, appealing to the lemma SUB1-ADD1, and unfolding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 9. (IMPLIES (AND (NOT (LISTP STATE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (LISTP (GET P STATE))), which simplifies, opening up BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: T. Case 8. 
(IMPLIES (AND (LISTP STATE) (NOT (BIT-VECTORS-PITON (CDR STATE) SIZE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (BIT-VECTORP (CADR (GET P STATE)) SIZE)), which simplifies, opening up the definition of BIT-VECTORS-PITON, to: T. Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (BIT-VECTORP (CADR (GET P STATE)) SIZE)), which simplifies, applying SUB1-ADD1, and expanding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (EQUAL (CAR (GET (SUB1 P) (CDR STATE))) 'BITV) (LISTP (GET (SUB1 P) (CDR STATE))) (BIT-VECTORP (CADR (GET (SUB1 P) (CDR STATE))) SIZE) (EQUAL (CDDR (GET (SUB1 P) (CDR STATE))) NIL) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (BIT-VECTORP (CADR (GET P STATE)) SIZE)). This simplifies, applying SUB1-ADD1, and expanding BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 5. (IMPLIES (AND (NOT (LISTP STATE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (BIT-VECTORP (CADR (GET P STATE)) SIZE)), which simplifies, unfolding the definitions of BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (NOT (BIT-VECTORS-PITON (CDR STATE) SIZE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CDDR (GET P STATE)) NIL)), which simplifies, expanding BIT-VECTORS-PITON, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CDDR (GET P STATE)) NIL)), which simplifies, rewriting with SUB1-ADD1, and expanding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 2. 
(IMPLIES (AND (LISTP STATE) (EQUAL (CAR (GET (SUB1 P) (CDR STATE))) 'BITV) (LISTP (GET (SUB1 P) (CDR STATE))) (BIT-VECTORP (CADR (GET (SUB1 P) (CDR STATE))) SIZE) (EQUAL (CDDR (GET (SUB1 P) (CDR STATE))) NIL) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CDDR (GET P STATE)) NIL)). This simplifies, applying SUB1-ADD1, and unfolding the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, and GET, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (BIT-VECTORS-PITON STATE SIZE) (LESSP P (LENGTH STATE))) (EQUAL (CDDR (GET P STATE)) NIL)), which simplifies, unfolding the definitions of BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] BIT-VECTORS-PITON-MEANS (DEFN XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT (I CURRENT N S DATA-SEGMENT) (IF (ZEROP I) T (XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT (SUB1 I) (XOR-BITV CURRENT (CADR (GET (DIFFERENCE N I) (ARRAY S DATA-SEGMENT)))) N S DATA-SEGMENT))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT I) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT is accepted under the principle of definition. Observe that: (TRUEP (XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT I CURRENT N S DATA-SEGMENT)) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT (ENABLE BIT-VECTORP-XOR-BITV) [ 0.0 0.0 0.0 ] BIT-VECTORP-XOR-BITV-ON (PROVE-LEMMA XOR-BVS-LOOP-CORRECTNESS-GENERAL NIL (IMPLIES (AND (LESSP (LENGTH (ARRAY S DATA-SEGMENT)) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (ARRAY S DATA-SEGMENT) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (DEFINITION 'XOR-BVS PROG-SEGMENT) (XOR-BVS-PROGRAM)) (DEFINEDP S DATA-SEGMENT) (NUMBERP I) (LESSP I N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (ARRAY S DATA-SEGMENT)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (CONS 'VECS-ADDR (LIST 'ADDR (CONS S (SUB1 (DIFFERENCE N I))))) (CONS 'NUMVECS (LIST 'NAT I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP I)) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (ARRAY S DATA-SEGMENT) I N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) ((INDUCT (XOR-BVS-LOOP-CORRECTNESS-GENERAL-INDUCT I CURRENT N S DATA-SEGMENT)))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, XOR-BVS-PROGRAM, DEFINITION, and ARRAY, to two new goals: Case 2. (IMPLIES (AND (ZEROP I) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NUMBERP I) (LESSP I N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE N I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP I)) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which simplifies, rewriting with P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, LESSP-AS-AT-LEAST-MOREP, AT-LEAST-MOREP-NORMALIZE, AT-LEAST-MOREP-LINEAR, P-MAX-TEMP-STK-SIZE-P-STATE, CDR-CONS, P-TEMP-STK-P-STATE, P-PC-P-STATE, P-PROG-SEGMENT-P-STATE, P-PSW-P-STATE, EQUAL-EXP-0, and P-OPENER, and expanding ZEROP, NUMBERP, EQUAL, LESSP, DIFFERENCE, CONS, XOR-BVS-CLOCK-LOOP, P-INS-STEP, PUSH, LOCAL-VAR-VALUE, TOP, BINDINGS, ASSOC, DEFINIENS, CDR, ADD1-P-PC, ADD1-ADDR, P-PUSH-LOCAL-STEP, P-INS-OKP, CAR, ADD1, LENGTH, P-PUSH-LOCAL-OKP, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, GET, UNLABEL, P-STEP, P-TEST-AND-JUMP-STEP, PC, POP, P-TEST-NAT-AND-JUMP-STEP, P-TEST-AND-JUMP-OKP, P-OBJECTP, LISTP, SMALL-NATURALP, TYPE, P-OBJECTP-TYPE, P-TEST-NATP, UNTAG, P-TEST-NAT-AND-JUMP-OKP, RET-PC, P-RET-STEP, P-RET-OKP, and XOR-BVS-ARRAY, to: T. Case 1. 
(IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (IMPLIES (AND (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NUMBERP (SUB1 I)) (LESSP (SUB1 I) N) (BIT-VECTORP (XOR-BITV CURRENT (CADR (GET (DIFFERENCE N I) (CDR (ASSOC S DATA-SEGMENT))))) WORD-SIZE) (EQUAL N (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE N (SUB1 I))))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE N I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE N I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP 
ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE N I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP I)) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This simplifies, using linear arithmetic, applying AT-LEAST-MOREP-LINEAR, BIT-VECTORS-PITON-MEANS, BIT-VECTORP-XOR-BITV, DIFFERENCE-SUB1-ARG2, P-PC-P-STATE, PLUS-ADD1-ARG1, P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, LESSP-AS-AT-LEAST-MOREP, AT-LEAST-MOREP-NORMALIZE, P-MAX-TEMP-STK-SIZE-P-STATE, CDR-CONS, P-TEMP-STK-P-STATE, P-PROG-SEGMENT-P-STATE, P-PSW-P-STATE, and P-OPENER, and opening up ZEROP, NOT, LESSP, EQUAL, AND, IMPLIES, PLUS, XOR-BVS-CLOCK-LOOP, P-INS-STEP, PUSH, LOCAL-VAR-VALUE, TOP, BINDINGS, ASSOC, DEFINIENS, CDR, ADD1-P-PC, ADD1-ADDR, P-PUSH-LOCAL-STEP, P-INS-OKP, CAR, ADD1, LENGTH, P-PUSH-LOCAL-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, GET, UNLABEL, P-STEP, P-HALT, X-Y-ERROR-MSG, P-TEST-AND-JUMP-STEP, POP, P-TEST-NAT-AND-JUMP-STEP, P-TEST-AND-JUMP-OKP, P-OBJECTP, SMALL-NATURALP, TYPE, P-OBJECTP-TYPE, P-TEST-NATP, UNTAG, and P-TEST-NAT-AND-JUMP-OKP, to six new conjectures: Case 1.6. 
(IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (IMPLIES (AND (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET))) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NUMBERP (SUB1 I)) (LESSP (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) WORD-SIZE) (EQUAL (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (SUB1 I))))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (NOT (LESSP I (EXP 2 WORD-SIZE)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
6)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'NAT I) (CONS (LIST 'BITV CURRENT) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-TEST-NAT-AND-JUMP-INSTRUCTION) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (IMPLIES (AND (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET))) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NUMBERP (SUB1 I)) (LESSP (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S 
DATA-SEGMENT))))) WORD-SIZE) (EQUAL (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (SUB1 I))))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
7)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (NOT (LESSP (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (NOT (LESSP I (EXP 2 WORD-SIZE)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
6)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'NAT I) (CONS (LIST 'BITV CURRENT) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-TEST-NAT-AND-JUMP-INSTRUCTION) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (NOT (LESSP (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
7)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (ADD1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) 
(TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (NOT (LESSP I (EXP 2 WORD-SIZE)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 6)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'NAT I) (CONS (LIST 'BITV CURRENT) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-TEST-NAT-AND-JUMP-INSTRUCTION) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (ADD1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
7)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT I)) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) I (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, applying SUB1-ADD1, P-PC-P-STATE, P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, LESSP-AS-AT-LEAST-MOREP, AT-LEAST-MOREP-NORMALIZE, AT-LEAST-MOREP-LINEAR, P-MAX-TEMP-STK-SIZE-P-STATE, CDR-CONS, P-TEMP-STK-P-STATE, P-PROG-SEGMENT-P-STATE, P-PSW-P-STATE, PLUS-ADD1-ARG2, ADD1-SUB1, EQUAL-DIFFERENCE-0, PLUS-ZERO-ARG2, LESSP-1-EXP, and P-OPENER, and opening up P-INS-STEP, PUSH, LOCAL-VAR-VALUE, TOP, BINDINGS, ASSOC, DEFINIENS, CDR, ADD1-P-PC, ADD1-ADDR, P-PUSH-LOCAL-STEP, P-INS-OKP, CAR, LESSP, ADD1, LENGTH, P-PUSH-LOCAL-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, GET, UNLABEL, EQUAL, P-STEP, POP, TAG, P-SUB1-NAT-STEP, P-OBJECTP-TYPE, TYPE, SMALL-NATURALP, UNTAG, P-OBJECTP, P-SUB1-NAT-OKP, SET-LOCAL-VAR-VALUE, PUT-ASSOC, PUT-VALUE, RET-PC, P-FRAME, P-POP-LOCAL-STEP, P-POP-LOCAL-OKP, UNABBREVIATE-CONSTANT, LISTP, P-PUSH-CONSTANT-STEP, P-PUSH-CONSTANT-OKP, P-HALT, X-Y-ERROR-MSG, P-ADD-ADDR-STEP, ADD-ADDR, ZEROP, ADD-ADP, ADPP, ADP-OFFSET, ADP-NAME, TOP1, NUMBERP, P-ADD-ADDR-OKP, and XOR-BVS-ARRAY, to the following three new conjectures: Case 1.1.3. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE)) (NOT (LESSP (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (LENGTH (CDR (ASSOC S DATA-SEGMENT)))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
12)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS '(NAT 1) (CONS (LIST 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (CONS (LIST 'BITV CURRENT) TEMP-STK))) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-ADD-ADDR-INSTRUCTION) (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this again simplifies, using linear arithmetic, to: T. Case 1.1.2. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE)) (NOT (LESSP (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (LENGTH (CDR (ASSOC S DATA-SEGMENT)))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
12)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS '(NAT 1) (CONS (LIST 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (CONS (LIST 'BITV CURRENT) TEMP-STK))) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-ADD-ADDR-INSTRUCTION) (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1.1.1. (IMPLIES (AND (NOT (EQUAL I 0)) (NUMBERP I) (NOT (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT)))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 I))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP I (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (BIT-VECTORP CURRENT WORD-SIZE) (LESSP I (EXP 2 WORD-SIZE)) (LESSP (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)) (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (LESSP (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
13)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I)))) (LIST 'NUMVECS 'NAT (SUB1 I))) RET-PC) CTRL-STK) (CONS (LIST 'ADDR (CONS S (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I))) (CONS (LIST 'BITV CURRENT) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (ADD1 (ADD1 (ADD1 (ADD1 (XOR-BVS-CLOCK-LOOP (SUB1 I))))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH (CDR (ASSOC S DATA-SEGMENT))) I) (CDR (ASSOC S DATA-SEGMENT))))) (CDR (ASSOC S DATA-SEGMENT)) (SUB1 I) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, applying P-PC-P-STATE, P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, CDR-CONS, P-CTRL-STK-P-STATE, CAR-CONS, P-TEMP-STK-P-STATE, P-PROG-SEGMENT-P-STATE, P-PSW-P-STATE, BIT-VECTORS-PITON-MEANS, and P-OPENER, and expanding the functions P-INS-STEP, SET-LOCAL-VAR-VALUE, BINDINGS, PUT-ASSOC, PUT-VALUE, RET-PC, P-FRAME, POP, PUSH, CDR, TOP, ADD1-P-PC, ADD1-ADDR, P-SET-LOCAL-STEP, P-INS-OKP, CAR, P-SET-LOCAL-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, GET, UNLABEL, EQUAL, P-STEP, FETCH, FETCH-ADP, P-FETCH-STEP, P-OBJECTP-TYPE, TYPE, ADPP, ADP-OFFSET, ADP-NAME, DEFINIENS, UNTAG, P-OBJECTP, P-FETCH-OKP, TAG, P-XOR-BITV-STEP, TOP1, P-XOR-BITV-OKP, PC, P-JUMP-STEP, and P-JUMP-OKP, to: T. Q.E.D. [ 0.0 1.0 0.3 ] XOR-BVS-LOOP-CORRECTNESS-GENERAL (PROVE-LEMMA DIFFERENCE-X-SUB1-X-BETTER (REWRITE) (EQUAL (DIFFERENCE X (SUB1 X)) (IF (LESSP 0 X) 1 0))) WARNING: the previously added lemma, DIFFERENCE-SUB1-ARG2, could be applied whenever the newly proposed DIFFERENCE-X-SUB1-X-BETTER could! 
This simplifies, rewriting with DIFFERENCE-X-X and DIFFERENCE-SUB1-ARG2, and opening up NUMBERP, LESSP, ADD1, and EQUAL, to: (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X)) (NOT (LESSP (SUB1 X) (SUB1 X)))). But this again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] DIFFERENCE-X-SUB1-X-BETTER (PROVE-LEMMA XOR-BVS-LOOP-CORRECTNESS NIL (IMPLIES (AND (LESSP (LENGTH (ARRAY S DATA-SEGMENT)) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (ARRAY S DATA-SEGMENT) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (DEFINITION 'XOR-BVS PROG-SEGMENT) (XOR-BVS-PROGRAM)) (DEFINEDP S DATA-SEGMENT) (LESSP 0 N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (ARRAY S DATA-SEGMENT)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (CONS 'VECS-ADDR (LIST 'ADDR (CONS S 0))) (CONS 'NUMVECS (LIST 'NAT (SUB1 N)))) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 N))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (ARRAY S DATA-SEGMENT) (SUB1 N) N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) ((USE (XOR-BVS-LOOP-CORRECTNESS-GENERAL (I (SUB1 N)))))) This conjecture can be simplified, using the abbreviations ZEROP, NOT, AND, IMPLIES, XOR-BVS-PROGRAM, DEFINITION, and ARRAY, to the goal: (IMPLIES (AND (IMPLIES (AND (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 
1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NUMBERP (SUB1 N)) (LESSP (SUB1 N) N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S (SUB1 (DIFFERENCE N (SUB1 N))))) (LIST 'NUMVECS 'NAT (SUB1 N))) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 N))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) (SUB1 N) N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (LESSP 0 N) (BIT-VECTORP CURRENT WORD-SIZE) (EQUAL N (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S 0)) (LIST 'NUMVECS 'NAT (SUB1 N))) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 N))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) (SUB1 N) N)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
This simplifies, rewriting with AT-LEAST-MOREP-LINEAR, DIFFERENCE-X-SUB1-X-BETTER, P-PC-P-STATE, and EQUAL-EXP-0, and unfolding ZEROP, NOT, LESSP, EQUAL, AND, IMPLIES, SUB1, and NUMBERP, to: (IMPLIES (AND (NOT (LESSP (SUB1 (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) (LESSP (LENGTH (CDR (ASSOC S DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC S DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP S DATA-SEGMENT) (NOT (EQUAL (LENGTH (CDR (ASSOC S DATA-SEGMENT))) 0)) (BIT-VECTORP CURRENT WORD-SIZE)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS S 0)) (LIST 'NUMVECS 'NAT (SUB1 (LENGTH (CDR (ASSOC S DATA-SEGMENT)))))) RET-PC) CTRL-STK) (CONS (LIST 'BITV CURRENT) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 (LENGTH (CDR (ASSOC S DATA-SEGMENT)))))) (P-STATE RET-PC CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY CURRENT (CDR (ASSOC S DATA-SEGMENT)) (SUB1 (LENGTH (CDR (ASSOC S DATA-SEGMENT)))) (LENGTH (CDR (ASSOC S DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this again simplifies, using linear arithmetic, to: T. Q.E.D. 
[ 0.0 0.3 0.0 ] XOR-BVS-LOOP-CORRECTNESS (PROVE-LEMMA EXP-0 (REWRITE) (IMPLIES (ZEROP X) (AND (EQUAL (EXP X Y) (IF (ZEROP Y) 1 0)) (EQUAL (EXP Y X) 1))) ((ENABLE EXP))) WARNING: the previously added lemma, EXP-ZERO, could be applied whenever the newly proposed EXP-0 could! WARNING: Note that the proposed lemma EXP-0 is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This simplifies, applying EXP-0-ARG1, EXP-0-ARG2, and EXP-ZERO, and expanding the definitions of ZEROP, EQUAL, AND, TIMES, and EXP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EXP-0 (PROVE-LEMMA BIT-VECTORS-PITON-MEANS-MORE (REWRITE) (IMPLIES (AND (LISTP X) (BIT-VECTORS-PITON X SIZE)) (EQUAL (LIST 'BITV (CADAR X)) (CAR X)))) WARNING: Note that BIT-VECTORS-PITON-MEANS-MORE contains the free variable SIZE which will be chosen by instantiating the hypothesis: (BIT-VECTORS-PITON X SIZE). . Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X), Z by (CONS D W) to eliminate (CDR Z) and (CAR Z), and W by (CONS Z C) to eliminate (CAR W) and (CDR W). The result is three new goals: Case 3. (IMPLIES (AND (NOT (LISTP Z)) (BIT-VECTORS-PITON (CONS Z V) SIZE)) (EQUAL (LIST 'BITV (CADR Z)) Z)), which simplifies, rewriting with CAR-CONS, and unfolding BIT-VECTORS-PITON, to: T. Case 2. (IMPLIES (AND (NOT (LISTP W)) (BIT-VECTORS-PITON (CONS (CONS D W) V) SIZE)) (EQUAL (LIST 'BITV (CAR W)) (CONS D W))). This simplifies, applying CAR-NLISTP, CDR-CONS, and CAR-CONS, and opening up the definitions of BIT-VECTORP, LISTP, EQUAL, and BIT-VECTORS-PITON, to: T. Case 1. (IMPLIES (BIT-VECTORS-PITON (CONS (CONS D (CONS Z C)) V) SIZE) (EQUAL (LIST 'BITV Z) (CONS D (CONS Z C)))). But this simplifies, applying CDR-CONS and CAR-CONS, and opening up the function BIT-VECTORS-PITON, to: T. Q.E.D. 
[ 0.0 0.0 0.0 ] BIT-VECTORS-PITON-MEANS-MORE (DEFN XOR-BVS (ARRAY) (IF (LISTP ARRAY) (XOR-BITV (CAR ARRAY) (XOR-BVS (CDR ARRAY))) NIL)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT ARRAY) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BVS is accepted under the definitional principle. From the definition we can conclude that: (OR (LITATOM (XOR-BVS ARRAY)) (LISTP (XOR-BVS ARRAY))) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS (DEFN UNTAG-ARRAY (ARRAY) (IF (LISTP ARRAY) (CONS (UNTAG (CAR ARRAY)) (UNTAG-ARRAY (CDR ARRAY))) NIL)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT ARRAY) decreases according to the well-founded relation LESSP in each recursive call. Hence, UNTAG-ARRAY is accepted under the definitional principle. Observe that: (OR (LITATOM (UNTAG-ARRAY ARRAY)) (LISTP (UNTAG-ARRAY ARRAY))) is a theorem. [ 0.3 0.0 0.0 ] UNTAG-ARRAY (PROVE-LEMMA BIT-VECTORP-GET (REWRITE) (IMPLIES (BIT-VECTORS-PITON ARRAY SIZE) (EQUAL (BIT-VECTORP (UNTAG (GET N ARRAY)) SIZE) (LESSP N (LENGTH ARRAY))))) This conjecture can be simplified, using the abbreviations IMPLIES and UNTAG, to: (IMPLIES (BIT-VECTORS-PITON ARRAY SIZE) (EQUAL (BIT-VECTORP (CADR (GET N ARRAY)) SIZE) (LESSP N (LENGTH ARRAY)))). Name the above subgoal *1. Perhaps we can prove it by induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP ARRAY) (p (SUB1 N) (CDR ARRAY) SIZE)) (p N ARRAY SIZE)) (IMPLIES (NOT (LISTP ARRAY)) (p N ARRAY SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT ARRAY) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for N. The above induction scheme leads to the following three new goals: Case 3. 
(IMPLIES (AND (LISTP ARRAY) (NOT (BIT-VECTORS-PITON (CDR ARRAY) SIZE)) (BIT-VECTORS-PITON ARRAY SIZE)) (EQUAL (BIT-VECTORP (CADR (GET N ARRAY)) SIZE) (LESSP N (LENGTH ARRAY)))). This simplifies, opening up BIT-VECTORS-PITON, to: T. Case 2. (IMPLIES (AND (LISTP ARRAY) (EQUAL (BIT-VECTORP (CADR (GET (SUB1 N) (CDR ARRAY))) SIZE) (LESSP (SUB1 N) (LENGTH (CDR ARRAY)))) (BIT-VECTORS-PITON ARRAY SIZE)) (EQUAL (BIT-VECTORP (CADR (GET N ARRAY)) SIZE) (LESSP N (LENGTH ARRAY)))). This simplifies, applying the lemma SUB1-ADD1, and expanding the definitions of BIT-VECTORS-PITON, GET, LENGTH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP ARRAY)) (BIT-VECTORS-PITON ARRAY SIZE)) (EQUAL (BIT-VECTORP (CADR (GET N ARRAY)) SIZE) (LESSP N (LENGTH ARRAY)))). This simplifies, unfolding BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: (IMPLIES (AND (NOT (LISTP ARRAY)) (EQUAL ARRAY NIL)) (NOT (BIT-VECTORP (CADR (GET N NIL)) SIZE))), which again simplifies, unfolding the definition of LISTP, to the conjecture: (NOT (BIT-VECTORP (CADR (GET N NIL)) SIZE)). Name the above subgoal *1.1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p N SIZE)) (IMPLIES (AND (NOT (ZEROP N)) (p (SUB1 N) SIZE)) (p N SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to prove that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates two new conjectures: Case 2. (IMPLIES (ZEROP N) (NOT (BIT-VECTORP (CADR (GET N NIL)) SIZE))), which simplifies, unfolding ZEROP, GET, CDR, CAR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 1. 
(IMPLIES (AND (NOT (ZEROP N)) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET N NIL)) SIZE))), which simplifies, unfolding ZEROP, GET, and CDR, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) 0)) SIZE))). Appealing to the lemma SUB1-ELIM, we now replace N by (ADD1 X) to eliminate (SUB1 N). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. The result is the conjecture: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (NOT (BIT-VECTORP (CADR (GET X NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET X 0)) SIZE))). This further simplifies, obviously, to: (IMPLIES (AND (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET X 0)) SIZE))), which we will name *1.1.1. Perhaps we can prove it by induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP X) (p X SIZE)) (IMPLIES (AND (NOT (ZEROP X)) (p (SUB1 X) SIZE)) (p X SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (ZEROP X) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET X 0)) SIZE))). This simplifies, expanding ZEROP, NUMBERP, GET, CDR, CAR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP X)) (BIT-VECTORP (CADR (GET (SUB1 X) NIL)) SIZE) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET X 0)) SIZE))). This simplifies, unfolding ZEROP, GET, and CDR, to: T. Case 1. 
(IMPLIES (AND (NOT (ZEROP X)) (NOT (BIT-VECTORP (CADR (GET (SUB1 X) 0)) SIZE)) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) SIZE))) (NOT (BIT-VECTORP (CADR (GET X 0)) SIZE))). This simplifies, opening up ZEROP, GET, and CDR, to: T. That finishes the proof of *1.1.1, which also finishes the proof of *1.1, which, in turn, also finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] BIT-VECTORP-GET (ENABLE DIFFERENCE-SUB1-ARG2) [ 0.0 0.0 0.0 ] DIFFERENCE-SUB1-ARG2-ON1 (PROVE-LEMMA XOR-BITV-COMMUTATIVE (REWRITE) (IMPLIES (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (XOR-BITV A B) (XOR-BITV B A)))) Name the conjecture *1. Perhaps we can prove it by induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme leads to the following three new conjectures: Case 3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A B) (XOR-BITV B A))). This simplifies, rewriting with the lemmas CAR-NLISTP, CAR-CONS, and CONS-EQUAL, and opening up the definitions of LENGTH, XOR-BITV, EQUAL, and XOR-BIT, to the following two new conjectures: Case 3.2. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (NOT (LISTP B))) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) 0))). But this again simplifies, using linear arithmetic, to: T. Case 3.1. 
(IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B))))) (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR B) (CDR A)))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR B) (CDR A))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A B) (XOR-BITV B A))), which simplifies, applying the lemmas CAR-NLISTP, CAR-CONS, and CONS-EQUAL, and expanding LENGTH, XOR-BITV, EQUAL, and XOR-BIT, to: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR B) (CDR A))) (NOT (LISTP B))) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) 0))). This again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP A)) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A B) (XOR-BITV B A))), which simplifies, rewriting with the lemma CAR-NLISTP, and opening up LENGTH, XOR-BITV, EQUAL, and XOR-BIT, to: (IMPLIES (AND (NOT (LISTP A)) (EQUAL 0 (ADD1 (LENGTH (CDR B))))) (NOT (LISTP B))). But this again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] XOR-BITV-COMMUTATIVE (PROVE-LEMMA XOR-BITV-COMMUTATIVE2 (REWRITE) (IMPLIES (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV B (XOR-BITV A C))))) Give the conjecture the name *1. We will appeal to induction. Six inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B) (CDR C))) (p A B C)) (IMPLIES (NOT (LISTP A)) (p A B C))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for B and C. The above induction scheme leads to three new goals: Case 3. 
(IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV B (XOR-BITV A C)))), which simplifies, rewriting with XOR-BITV-COMMUTATIVE, and opening up the definitions of LENGTH, XOR-BITV, EQUAL, LISTP, and XOR-BIT, to the following eight new goals: Case 3.8. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR C) 0) (NOT (EQUAL (CAR B) 0))) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 1 (XOR-BITV (CDR A) (CDR C)))))). But this again simplifies, using linear arithmetic, to: T. Case 3.7. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR C) 0)) (EQUAL (CAR B) 0)) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 1 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.6. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR C) 0) (EQUAL (CAR B) 0)) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 1 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR B) 0))) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 1 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.4. 
(IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR B) 0))) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 0 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR A) 0) (EQUAL (CAR C) 0) (EQUAL (CAR B) 0)) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 0 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR C) 0)) (EQUAL (CAR B) 0)) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 0 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR A) 0) (EQUAL (CAR C) 0) (NOT (EQUAL (CAR B) 0))) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (XOR-BITV B (CONS 0 (XOR-BITV (CDR A) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR B) (XOR-BITV (CDR A) (CDR C)))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV B (XOR-BITV A C)))), which simplifies, rewriting with XOR-BITV-COMMUTATIVE, CDR-CONS, CAR-CONS, and CONS-EQUAL, and opening up the functions LENGTH, XOR-BITV, EQUAL, LISTP, and XOR-BIT, to: T. Case 1. 
(IMPLIES (AND (NOT (LISTP A)) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV B (XOR-BITV A C)))). This simplifies, rewriting with XOR-BITV-COMMUTATIVE, and opening up the definitions of LENGTH, XOR-BITV, XOR-BIT, EQUAL, and LISTP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] XOR-BITV-COMMUTATIVE2 (PROVE-LEMMA XOR-BITV-ASSOCIATIVE (REWRITE) (IMPLIES (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (XOR-BITV (XOR-BITV A B) C) (XOR-BITV A (XOR-BITV B C))))) Give the conjecture the name *1. We will appeal to induction. Five inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B) (CDR C))) (p A B C)) (IMPLIES (NOT (LISTP A)) (p A B C))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for C and B. The above induction scheme leads to three new goals: Case 3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV (XOR-BITV A B) C) (XOR-BITV A (XOR-BITV B C)))), which simplifies, rewriting with CAR-NLISTP, CDR-CONS, CAR-CONS, and XOR-BITV-COMMUTATIVE, and opening up the definitions of LENGTH, XOR-BITV, EQUAL, XOR-BIT, and LISTP, to the following nine new goals: Case 3.9. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (NOT (LISTP B))) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) 0))). But this again simplifies, using linear arithmetic, to: T. Case 3.8. 
(IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR B) 0)) (EQUAL (CAR C) 0) (EQUAL (CAR A) 0)) (EQUAL (CONS 1 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.7. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR B) 0) (NOT (EQUAL (CAR C) 0)) (EQUAL (CAR A) 0)) (EQUAL (CONS 1 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.6. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR B) 0)) (EQUAL (CAR C) 0) (NOT (EQUAL (CAR A) 0))) (EQUAL (CONS 0 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR B) 0) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR A) 0))) (EQUAL (CONS 0 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.4. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR B) 0)) (NOT (EQUAL (CAR C) 0)) (EQUAL (CAR A) 0)) (EQUAL (CONS 0 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.3. 
(IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR B) 0) (EQUAL (CAR C) 0) (EQUAL (CAR A) 0)) (EQUAL (CONS 0 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (NOT (EQUAL (CAR B) 0)) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR A) 0))) (EQUAL (CONS 1 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (LISTP B) (EQUAL (ADD1 (LENGTH (CDR A))) (ADD1 (LENGTH (CDR B)))) (EQUAL (CAR B) 0) (EQUAL (CAR C) 0) (NOT (EQUAL (CAR A) 0))) (EQUAL (CONS 1 (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C))) (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C)) (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C)))) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV (XOR-BITV A B) C) (XOR-BITV A (XOR-BITV B C)))), which simplifies, applying the lemmas CAR-NLISTP, CDR-CONS, CAR-CONS, XOR-BITV-COMMUTATIVE, and CONS-EQUAL, and unfolding LENGTH, XOR-BITV, EQUAL, XOR-BIT, and LISTP, to the conjecture: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (XOR-BITV (CDR A) (CDR B)) (CDR C)) (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C)))) (NOT (LISTP B))) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) 0))). But this again simplifies, using linear arithmetic, to: T. Case 1. 
(IMPLIES (AND (NOT (LISTP A)) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (XOR-BITV (XOR-BITV A B) C) (XOR-BITV A (XOR-BITV B C)))), which simplifies, rewriting with XOR-BITV-COMMUTATIVE, and opening up the definitions of LENGTH, XOR-BITV, LISTP, XOR-BIT, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.3 ] XOR-BITV-ASSOCIATIVE (PROVE-LEMMA LENGTH-FROM-BIT-VECTORP (REWRITE) (IMPLIES (BIT-VECTORP X S) (EQUAL (LENGTH X) (FIX S)))) WARNING: Note that LENGTH-FROM-BIT-VECTORP contains the free variable S which will be chosen by instantiating the hypothesis (BIT-VECTORP X S). This conjecture simplifies, expanding FIX, to the following two new goals: Case 2. (IMPLIES (AND (BIT-VECTORP X S) (NOT (NUMBERP S))) (EQUAL (LENGTH X) 0)). However this again simplifies, expanding the definitions of BIT-VECTORP, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (AND (BIT-VECTORP X S) (NUMBERP S)) (EQUAL (LENGTH X) S)), which we will name *1. Perhaps we can prove it by induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP X) (p X S)) (IMPLIES (AND (NOT (NLISTP X)) (p (CDR X) (SUB1 S))) (p X S))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for S. The above induction scheme generates the following three new goals: Case 3. (IMPLIES (AND (NLISTP X) (BIT-VECTORP X S) (NUMBERP S)) (EQUAL (LENGTH X) S)). This simplifies, unfolding the functions NLISTP, BIT-VECTORP, NUMBERP, LENGTH, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP X)) (NOT (BIT-VECTORP (CDR X) (SUB1 S))) (BIT-VECTORP X S) (NUMBERP S)) (EQUAL (LENGTH X) S)). This simplifies, expanding the functions NLISTP, BIT-VECTORP, and BITP, to: T. Case 1. 
(IMPLIES (AND (NOT (NLISTP X)) (EQUAL (LENGTH (CDR X)) (SUB1 S)) (BIT-VECTORP X S) (NUMBERP S)) (EQUAL (LENGTH X) S)). This simplifies, rewriting with the lemma ADD1-SUB1, and opening up NLISTP, BIT-VECTORP, BITP, and LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-FROM-BIT-VECTORP (PROVE-LEMMA LENGTH-XOR-BITV (REWRITE) (EQUAL (LENGTH (XOR-BITV A B)) (LENGTH A))) Call the conjecture *1. We will try to prove it by induction. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP A) (p A B)) (IMPLIES (AND (NOT (NLISTP A)) (p (CDR A) (CDR B))) (p A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP can be used to establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme generates the following two new formulas: Case 2. (IMPLIES (NLISTP A) (EQUAL (LENGTH (XOR-BITV A B)) (LENGTH A))). This simplifies, expanding the definitions of NLISTP, XOR-BITV, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (NLISTP A)) (EQUAL (LENGTH (XOR-BITV (CDR A) (CDR B))) (LENGTH (CDR A)))) (EQUAL (LENGTH (XOR-BITV A B)) (LENGTH A))). This simplifies, appealing to the lemma CDR-CONS, and opening up NLISTP, XOR-BITV, XOR-BIT, and LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-XOR-BITV (PROVE-LEMMA LENGTH-CADR-GET-BIT-VECTORS-PITON (REWRITE) (IMPLIES (AND (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L)))) WARNING: Note that LENGTH-CADR-GET-BIT-VECTORS-PITON contains the free variable L which will be chosen by instantiating the hypothesis (BIT-VECTORS-PITON X L). This formula simplifies, unfolding the function FIX, to two new goals: Case 2. 
(IMPLIES (AND (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X)) (NOT (NUMBERP L))) (EQUAL (LENGTH (CADR (GET I X))) 0)), which we will name *1. Case 1. (IMPLIES (AND (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X)) (NUMBERP L)) (EQUAL (LENGTH (CADR (GET I X))) L)), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L))). We gave this the name *1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (SUB1 I) (CDR X) L)) (p I X L)) (IMPLIES (NOT (LISTP X)) (p I X L))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for I. The above induction scheme leads to the following four new goals: Case 4. (IMPLIES (AND (LISTP X) (NOT (BIT-VECTORS-PITON (CDR X) L)) (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L))). This simplifies, expanding the function BIT-VECTORS-PITON, to: T. Case 3. (IMPLIES (AND (LISTP X) (NOT (LESSP (SUB1 I) (LENGTH (CDR X)))) (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L))). This simplifies, rewriting with the lemmas SUB1-ADD1 and LENGTH-FROM-BIT-VECTORP, and opening up the functions BIT-VECTORS-PITON, LENGTH, LESSP, EQUAL, GET, and FIX, to: T. Case 2. 
(IMPLIES (AND (LISTP X) (EQUAL (LENGTH (CADR (GET (SUB1 I) (CDR X)))) (FIX L)) (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L))). This simplifies, appealing to the lemmas SUB1-ADD1 and LENGTH-FROM-BIT-VECTORP, and unfolding FIX, BIT-VECTORS-PITON, BIT-VECTORP, LENGTH, LESSP, EQUAL, and GET, to the following four new goals: Case 2.4. (IMPLIES (AND (LISTP X) (NOT (NUMBERP L)) (EQUAL (LENGTH (CADR (GET (SUB1 I) (CDR X)))) 0) (LISTP (CAR X)) (EQUAL (CAAR X) 'BITV) (NOT (LISTP (CADAR X))) (EQUAL (CADAR X) NIL) (EQUAL (CDDAR X) NIL) (BIT-VECTORS-PITON (CDR X) L) (LESSP (SUB1 I) (LENGTH (CDR X))) (NOT (NUMBERP I))) (EQUAL (LENGTH (CADAR X)) 0)). This again simplifies, opening up the functions LISTP, LENGTH, and EQUAL, to: T. Case 2.3. (IMPLIES (AND (LISTP X) (NOT (NUMBERP L)) (EQUAL (LENGTH (CADR (GET (SUB1 I) (CDR X)))) 0) (LISTP (CAR X)) (EQUAL (CAAR X) 'BITV) (NOT (LISTP (CADAR X))) (EQUAL (CADAR X) NIL) (EQUAL (CDDAR X) NIL) (BIT-VECTORS-PITON (CDR X) L) (LESSP (SUB1 I) (LENGTH (CDR X))) (EQUAL I 0)) (EQUAL (LENGTH (CADAR X)) 0)), which again simplifies, expanding the definitions of SUB1, EQUAL, GET, LISTP, LESSP, and LENGTH, to: T. Case 2.2. (IMPLIES (AND (LISTP X) (NUMBERP L) (EQUAL (LENGTH (CADR (GET (SUB1 I) (CDR X)))) L) (LISTP (CAR X)) (EQUAL (CAAR X) 'BITV) (BIT-VECTORP (CADAR X) L) (EQUAL (CDDAR X) NIL) (BIT-VECTORS-PITON (CDR X) L) (LESSP (SUB1 I) (LENGTH (CDR X))) (NOT (NUMBERP I))) (EQUAL (LENGTH (CADAR X)) L)), which again simplifies, rewriting with LENGTH-FROM-BIT-VECTORP, to: T. Case 2.1. (IMPLIES (AND (LISTP X) (NUMBERP L) (EQUAL (LENGTH (CADR (GET (SUB1 I) (CDR X)))) L) (LISTP (CAR X)) (EQUAL (CAAR X) 'BITV) (BIT-VECTORP (CADAR X) L) (EQUAL (CDDAR X) NIL) (BIT-VECTORS-PITON (CDR X) L) (LESSP (SUB1 I) (LENGTH (CDR X))) (EQUAL I 0)) (EQUAL (LENGTH (CADAR X)) L)). This again simplifies, rewriting with LENGTH-FROM-BIT-VECTORP, and expanding SUB1, EQUAL, GET, and LESSP, to: T. Case 1. 
(IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON X L) (LESSP I (LENGTH X))) (EQUAL (LENGTH (CADR (GET I X))) (FIX L))). This simplifies, expanding the definitions of BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LENGTH-CADR-GET-BIT-VECTORS-PITON (PROVE-LEMMA EQUAL-XOR-BITV-X-X (REWRITE) (IMPLIES (AND (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A))) (EQUAL (EQUAL (XOR-BITV A B) (XOR-BITV A C)) (EQUAL B C)))) This formula simplifies, trivially, to two new formulas: Case 2. (IMPLIES (AND (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))), which we will name *1. Case 1. (IMPLIES (AND (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (EQUAL B C)) (EQUAL (EQUAL (XOR-BITV A B) (XOR-BITV A C)) T)). However this again simplifies, unfolding EQUAL, to: T. So we now return to: (IMPLIES (AND (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))), which we named *1 above. Let us appeal to the induction principle. There are six plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP B) (p A B C)) (IMPLIES (AND (NOT (NLISTP B)) (p (CDR A) (CDR B) (CDR C))) (p A B C))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP can be used to show that the measure (COUNT B) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for C and A. The above induction scheme generates the following five new goals: Case 5. (IMPLIES (AND (NLISTP B) (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))). This simplifies, unfolding the definitions of NLISTP, LENGTH, BIT-VECTORP, and EQUAL, to: T. Case 4. 
(IMPLIES (AND (NOT (NLISTP B)) (NOT (BIT-VECTORP (CDR B) (LENGTH (CDR A)))) (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))). This simplifies, rewriting with the lemmas XOR-BITV-COMMUTATIVE, CAR-CONS, and CONS-EQUAL, and opening up NLISTP, LENGTH, EQUAL, BIT-VECTORP, XOR-BITV, LISTP, and XOR-BIT, to the following three new conjectures: Case 4.3. (IMPLIES (AND (LISTP B) (NOT (BIT-VECTORP (CDR B) (LENGTH (CDR A)))) (NOT (LISTP A)) (BIT-VECTORP B 0) (NOT (LISTP C))) (NOT (EQUAL C NIL))). However this again simplifies, expanding the functions EQUAL and BIT-VECTORP, to: T. Case 4.2. (IMPLIES (AND (LISTP B) (NOT (BIT-VECTORP (CDR B) (LENGTH (CDR A)))) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (EQUAL (CAR C) 0) (EQUAL (CAR B) 0)) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C))))), which again simplifies, applying SUB1-ADD1, and expanding BITP and BIT-VECTORP, to: T. Case 4.1. (IMPLIES (AND (LISTP B) (NOT (BIT-VECTORP (CDR B) (LENGTH (CDR A)))) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR B) 0))) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C))))). This again simplifies, applying SUB1-ADD1, and expanding the definitions of BITP and BIT-VECTORP, to: T. Case 3. (IMPLIES (AND (NOT (NLISTP B)) (NOT (BIT-VECTORP (CDR C) (LENGTH (CDR A)))) (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))). 
This simplifies, appealing to the lemmas XOR-BITV-COMMUTATIVE and SUB1-ADD1, and expanding the functions NLISTP, LENGTH, EQUAL, BIT-VECTORP, XOR-BITV, LISTP, and BITP, to: (IMPLIES (AND (LISTP B) (NOT (BIT-VECTORP (CDR C) (LENGTH (CDR A)))) (NOT (LISTP A)) (BIT-VECTORP B 0) (NOT (LISTP C))) (NOT (EQUAL C NIL))), which again simplifies, expanding CDR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP B)) (EQUAL (CDR B) (CDR C)) (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))), which simplifies, appealing to the lemmas XOR-BITV-COMMUTATIVE, CAR-CONS, and CONS-EQUAL, and unfolding NLISTP, LENGTH, EQUAL, BIT-VECTORP, XOR-BITV, LISTP, and XOR-BIT, to three new conjectures: Case 2.3. (IMPLIES (AND (LISTP B) (EQUAL (CDR B) (CDR C)) (NOT (LISTP A)) (BIT-VECTORP B 0) (NOT (LISTP C))) (NOT (EQUAL C NIL))), which again simplifies, opening up the functions CDR, EQUAL, and BIT-VECTORP, to: T. Case 2.2. (IMPLIES (AND (LISTP B) (EQUAL (CDR B) (CDR C)) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (EQUAL (CAR C) 0) (EQUAL (CAR B) 0)) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C))))), which further simplifies, obviously, to: (IMPLIES (AND (LISTP B) (EQUAL (CDR B) (CDR C)) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR B) 0))). Applying the lemma CAR-CDR-ELIM, replace B by (CONS Z X) to eliminate (CDR B) and (CAR B). We would thus like to prove the new conjecture: (IMPLIES (AND (EQUAL X (CDR C)) (LISTP A) (BIT-VECTORP (CONS Z X) (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL (CONS Z X) C)) (EQUAL (CAR C) 0)) (NOT (EQUAL Z 0))), which further simplifies, appealing to the lemmas SUB1-ADD1, CDR-CONS, and CAR-CONS, and opening up the definitions of BITP, BIT-VECTORP, and EQUAL, to: T. 
Case 2.1. (IMPLIES (AND (LISTP B) (EQUAL (CDR B) (CDR C)) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (NOT (EQUAL (CAR C) 0)) (NOT (EQUAL (CAR B) 0))) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C))))), which further simplifies, obviously, to the new goal: (IMPLIES (AND (LISTP B) (EQUAL (CDR B) (CDR C)) (LISTP A) (BIT-VECTORP B (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL B C)) (NOT (EQUAL (CAR C) 0))) (EQUAL (CAR B) 0)). Applying the lemma CAR-CDR-ELIM, replace B by (CONS Z X) to eliminate (CDR B) and (CAR B). We thus obtain: (IMPLIES (AND (EQUAL X (CDR C)) (LISTP A) (BIT-VECTORP (CONS Z X) (ADD1 (LENGTH (CDR A)))) (BIT-VECTORP C (ADD1 (LENGTH (CDR A)))) (NOT (EQUAL (CONS Z X) C)) (NOT (EQUAL (CAR C) 0))) (EQUAL Z 0)), which further simplifies, applying SUB1-ADD1, CDR-CONS, and CAR-CONS, and expanding BITP, BIT-VECTORP, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (NLISTP B)) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C)))) (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP C (LENGTH A)) (NOT (EQUAL B C))) (NOT (EQUAL (XOR-BITV A B) (XOR-BITV A C)))). This simplifies, applying the lemmas XOR-BITV-COMMUTATIVE, CAR-CONS, and CONS-EQUAL, and unfolding NLISTP, LENGTH, EQUAL, BIT-VECTORP, XOR-BITV, LISTP, and XOR-BIT, to: (IMPLIES (AND (LISTP B) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) (XOR-BITV (CDR A) (CDR C)))) (NOT (LISTP A)) (BIT-VECTORP B 0) (NOT (LISTP C))) (NOT (EQUAL C NIL))), which again simplifies, rewriting with the lemma CDR-NLISTP, and expanding the definitions of CDR, XOR-BITV, EQUAL, and BIT-VECTORP, to: T. That finishes the proof of *1. Q.E.D. 
[ 0.0 0.1 0.3 ] EQUAL-XOR-BITV-X-X (DEFN BIT-VECTORP-INDUCT (SIZE A B) (IF (ZEROP SIZE) T (BIT-VECTORP-INDUCT (SUB1 SIZE) (CDR A) (CDR B)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, BIT-VECTORP-INDUCT is accepted under the definitional principle. From the definition we can conclude that (TRUEP (BIT-VECTORP-INDUCT SIZE A B)) is a theorem. [ 0.0 0.0 0.0 ] BIT-VECTORP-INDUCT (PROVE-LEMMA BIT-VECTORP-XOR-BITV2 (REWRITE) (EQUAL (BIT-VECTORP (XOR-BITV A B) SIZE) (EQUAL (LENGTH A) (FIX SIZE))) ((INDUCT (BIT-VECTORP-INDUCT SIZE A B)))) This conjecture can be simplified, using the abbreviations ZEROP, NOT, OR, and AND, to two new goals: Case 2. (IMPLIES (ZEROP SIZE) (EQUAL (BIT-VECTORP (XOR-BITV A B) SIZE) (EQUAL (LENGTH A) (FIX SIZE)))), which simplifies, opening up the definitions of ZEROP, UNPACK, EQUAL, BIT-VECTORP, and FIX, to six new formulas: Case 2.6. (IMPLIES (AND (EQUAL SIZE 0) (EQUAL (LENGTH A) 0)) (EQUAL (EQUAL (XOR-BITV A B) NIL) T)), which again simplifies, trivially, to the new formula: (IMPLIES (EQUAL (LENGTH A) 0) (EQUAL (XOR-BITV A B) NIL)), which we will name *1. Case 2.5. (IMPLIES (AND (EQUAL SIZE 0) (NOT (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))) (NOT (EQUAL (XOR-BITV A B) NIL))). But this again simplifies, expanding LISTP, to the formula: (IMPLIES (NOT (EQUAL (LENGTH A) 0)) (NOT (EQUAL (XOR-BITV A B) NIL))). Name the above subgoal *2. Case 2.4. (IMPLIES (AND (EQUAL SIZE 0) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))). This again simplifies, obviously, to: (IMPLIES (EQUAL (LENGTH A) 0) (NOT (LISTP (XOR-BITV A B)))), which we will name *3. Case 2.3. (IMPLIES (AND (NOT (NUMBERP SIZE)) (EQUAL (LENGTH A) 0)) (EQUAL (EQUAL (XOR-BITV A B) NIL) T)). 
This again simplifies, clearly, to the new conjecture: (IMPLIES (AND (NOT (NUMBERP SIZE)) (EQUAL (LENGTH A) 0)) (EQUAL (XOR-BITV A B) NIL)), which we will name *4. Case 2.2. (IMPLIES (AND (NOT (NUMBERP SIZE)) (NOT (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))) (NOT (EQUAL (XOR-BITV A B) NIL))). This again simplifies, opening up LISTP, to: (IMPLIES (AND (NOT (NUMBERP SIZE)) (NOT (EQUAL (LENGTH A) 0))) (NOT (EQUAL (XOR-BITV A B) NIL))). Give the above formula the name *5. Case 2.1. (IMPLIES (AND (NOT (NUMBERP SIZE)) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))). Give the above formula the name *6. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) (EQUAL (LENGTH (CDR A)) (FIX (SUB1 SIZE))))) (EQUAL (BIT-VECTORP (XOR-BITV A B) SIZE) (EQUAL (LENGTH A) (FIX SIZE)))). This simplifies, rewriting with ADD1-SUB1, and expanding FIX, XOR-BIT, XOR-BITV, and LENGTH, to 14 new goals: Case 1.14. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) SIZE)) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR B) 0)) (NOT (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE))), which again simplifies, applying CDR-CONS and CAR-CONS, and unfolding the functions BITP and BIT-VECTORP, to: T. Case 1.13. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) SIZE)) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR B) 0))) (NOT (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE))). This again simplifies, applying CDR-CONS and CAR-CONS, and unfolding the functions BITP and BIT-VECTORP, to: T. Case 1.12. 
(IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) SIZE)) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR B) 0))) (NOT (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE))). But this again simplifies, applying CDR-CONS and CAR-CONS, and expanding the functions BITP and BIT-VECTORP, to: T. Case 1.11. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (NOT (EQUAL (ADD1 (LENGTH (CDR A))) SIZE)) (EQUAL (CAR A) 0) (EQUAL (CAR B) 0)) (NOT (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE))). But this again simplifies, appealing to the lemmas CDR-CONS and CAR-CONS, and opening up BITP and BIT-VECTORP, to: T. Case 1.10. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (EQUAL (ADD1 (LENGTH (CDR A))) SIZE) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR B) 0)) (EQUAL (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, using linear arithmetic, to: T. Case 1.9. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (EQUAL (ADD1 (LENGTH (CDR A))) SIZE) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR B) 0))) (EQUAL (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, using linear arithmetic, to: T. Case 1.8. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (EQUAL (ADD1 (LENGTH (CDR A))) SIZE) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR B) 0))) (EQUAL (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, using linear arithmetic, to: T. 
Case 1.7. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (LISTP A) (EQUAL (ADD1 (LENGTH (CDR A))) SIZE) (EQUAL (CAR A) 0) (EQUAL (CAR B) 0)) (EQUAL (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, using linear arithmetic, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (LENGTH (CDR A)) (SUB1 SIZE))) (NOT (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE))) (NOT (LISTP A))) (NOT (BIT-VECTORP NIL SIZE))), which again simplifies, appealing to the lemmas CDR-NLISTP and EQUAL-SUB1-0, and expanding LENGTH, LISTP, XOR-BITV, EQUAL, and BIT-VECTORP, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (LENGTH (CDR A)) (SUB1 SIZE)) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) T) (LISTP A) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR B) 0)) (EQUAL (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, rewriting with CDR-CONS and CAR-CONS, and opening up BITP, BIT-VECTORP, and EQUAL, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (LENGTH (CDR A)) (SUB1 SIZE)) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) T) (LISTP A) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR B) 0))) (EQUAL (BIT-VECTORP (CONS 1 (XOR-BITV (CDR A) (CDR B))) SIZE) T)). However this again simplifies, applying CDR-CONS and CAR-CONS, and expanding BITP, BIT-VECTORP, and EQUAL, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (LENGTH (CDR A)) (SUB1 SIZE)) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) T) (LISTP A) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR B) 0))) (EQUAL (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE) T)). But this again simplifies, applying the lemmas CDR-CONS and CAR-CONS, and opening up the functions BITP, BIT-VECTORP, and EQUAL, to: T. Case 1.2. 
(IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (LENGTH (CDR A)) (SUB1 SIZE)) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) T) (LISTP A) (EQUAL (CAR A) 0) (EQUAL (CAR B) 0)) (EQUAL (BIT-VECTORP (CONS 0 (XOR-BITV (CDR A) (CDR B))) SIZE) T)), which again simplifies, applying the lemmas CDR-CONS and CAR-CONS, and expanding the definitions of BITP, BIT-VECTORP, and EQUAL, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (LENGTH (CDR A)) (SUB1 SIZE)) (EQUAL (BIT-VECTORP (XOR-BITV (CDR A) (CDR B)) (SUB1 SIZE)) T) (NOT (LISTP A))) (NOT (BIT-VECTORP NIL SIZE))), which again simplifies, rewriting with the lemmas CDR-NLISTP and EQUAL-SUB1-0, and expanding the functions LENGTH, LISTP, XOR-BITV, SUB1, BIT-VECTORP, and EQUAL, to: T. So we now return to: (IMPLIES (AND (NOT (NUMBERP SIZE)) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))), named *6 above. But this conjecture is subsumed by another subgoal awaiting our attention, namely *3 above. So next consider: (IMPLIES (AND (NOT (NUMBERP SIZE)) (NOT (EQUAL (LENGTH A) 0))) (NOT (EQUAL (XOR-BITV A B) NIL))), named *5 above. This conjecture is subsumed by another subgoal awaiting our attention, namely *2 above. So next consider: (IMPLIES (AND (NOT (NUMBERP SIZE)) (EQUAL (LENGTH A) 0)) (EQUAL (XOR-BITV A B) NIL)), named *4 above. This conjecture is subsumed by the subgoal we named *1 above. So let us turn our attention to: (IMPLIES (EQUAL (LENGTH A) 0) (NOT (LISTP (XOR-BITV A B)))), which we named *3 above. Let us appeal to the induction principle. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP can be used to show that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. 
Note, however, the inductive instance chosen for B. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) 0)) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))). This simplifies, opening up the definition of LENGTH, to: T. Case 2. (IMPLIES (AND (LISTP A) (NOT (LISTP (XOR-BITV (CDR A) (CDR B)))) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))). This simplifies, expanding the function LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (LISTP A)) (EQUAL (LENGTH A) 0)) (NOT (LISTP (XOR-BITV A B)))). This simplifies, opening up the functions LENGTH, EQUAL, XOR-BITV, and LISTP, to: T. That finishes the proof of *3. So we now return to: (IMPLIES (NOT (EQUAL (LENGTH A) 0)) (NOT (EQUAL (XOR-BITV A B) NIL))), which we named *2 above. Perhaps we can prove it by induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (LISTP A) (EQUAL (LENGTH (CDR A)) 0) (NOT (EQUAL (LENGTH A) 0))) (NOT (EQUAL (XOR-BITV A B) NIL))). This simplifies, expanding the functions LENGTH, ADD1, EQUAL, XOR-BITV, and XOR-BIT, to: T. Case 2. (IMPLIES (AND (LISTP A) (NOT (EQUAL (XOR-BITV (CDR A) (CDR B)) NIL)) (NOT (EQUAL (LENGTH A) 0))) (NOT (EQUAL (XOR-BITV A B) NIL))). This simplifies, opening up the definitions of LENGTH, XOR-BITV, and XOR-BIT, to: T. Case 1. (IMPLIES (AND (NOT (LISTP A)) (NOT (EQUAL (LENGTH A) 0))) (NOT (EQUAL (XOR-BITV A B) NIL))). This simplifies, expanding LENGTH and EQUAL, to: T. 
That finishes the proof of *2. So let us turn our attention to: (IMPLIES (EQUAL (LENGTH A) 0) (EQUAL (XOR-BITV A B) NIL)), which we named *1 above. Perhaps we can prove it by induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme generates the following three new conjectures: Case 3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) 0)) (EQUAL (LENGTH A) 0)) (EQUAL (XOR-BITV A B) NIL)). This simplifies, opening up the definition of LENGTH, to: T. Case 2. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (CDR B)) NIL) (EQUAL (LENGTH A) 0)) (EQUAL (XOR-BITV A B) NIL)). This simplifies, expanding the function LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (LISTP A)) (EQUAL (LENGTH A) 0)) (EQUAL (XOR-BITV A B) NIL)). This simplifies, unfolding the definitions of LENGTH, EQUAL, and XOR-BITV, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.3 ] BIT-VECTORP-XOR-BITV2 (DEFN BIT-VECTORSP (BVS SIZE) (IF (LISTP BVS) (AND (BIT-VECTORP (CAR BVS) SIZE) (BIT-VECTORSP (CDR BVS) SIZE)) (EQUAL BVS NIL))) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT BVS) decreases according to the well-founded relation LESSP in each recursive call. Hence, BIT-VECTORSP is accepted under the definitional principle. Note that: (OR (FALSEP (BIT-VECTORSP BVS SIZE)) (TRUEP (BIT-VECTORSP BVS SIZE))) is a theorem. [ 0.0 0.0 0.0 ] BIT-VECTORSP (PROVE-LEMMA LENGTH-XOR-BVS (REWRITE) (IMPLIES (BIT-VECTORSP BVS (LENGTH (CAR BVS))) (EQUAL (LENGTH (XOR-BVS BVS)) (LENGTH (CAR BVS))))) . 
Applying the lemma CAR-CDR-ELIM, replace BVS by (CONS X Z) to eliminate (CAR BVS) and (CDR BVS). We thus obtain the following two new formulas: Case 2. (IMPLIES (AND (NOT (LISTP BVS)) (BIT-VECTORSP BVS (LENGTH (CAR BVS)))) (EQUAL (LENGTH (XOR-BVS BVS)) (LENGTH (CAR BVS)))). But this simplifies, appealing to the lemma CAR-NLISTP, and expanding the definitions of LENGTH, BIT-VECTORSP, XOR-BVS, CAR, and EQUAL, to: T. Case 1. (IMPLIES (BIT-VECTORSP (CONS X Z) (LENGTH X)) (EQUAL (LENGTH (XOR-BVS (CONS X Z))) (LENGTH X))), which simplifies, applying the lemmas CDR-CONS, CAR-CONS, LENGTH-FROM-BIT-VECTORP, and LENGTH-XOR-BITV, and unfolding the definitions of BIT-VECTORSP and XOR-BVS, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-XOR-BVS (PROVE-LEMMA BIT-VECTORSP-UNTAG (REWRITE) (IMPLIES (BIT-VECTORS-PITON X S) (BIT-VECTORSP (UNTAG-ARRAY X) S))) Name the conjecture *1. Perhaps we can prove it by induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X) S)) (p X S)) (IMPLIES (NOT (LISTP X)) (p X S))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following three new goals: Case 3. (IMPLIES (AND (LISTP X) (NOT (BIT-VECTORS-PITON (CDR X) S)) (BIT-VECTORS-PITON X S)) (BIT-VECTORSP (UNTAG-ARRAY X) S)). This simplifies, expanding BIT-VECTORS-PITON, to: T. Case 2. (IMPLIES (AND (LISTP X) (BIT-VECTORSP (UNTAG-ARRAY (CDR X)) S) (BIT-VECTORS-PITON X S)) (BIT-VECTORSP (UNTAG-ARRAY X) S)). This simplifies, rewriting with CDR-CONS and CAR-CONS, and unfolding the definitions of BIT-VECTORS-PITON, UNTAG-ARRAY, UNTAG, and BIT-VECTORSP, to: T. Case 1. 
(IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON X S)) (BIT-VECTORSP (UNTAG-ARRAY X) S)), which simplifies, unfolding the definitions of BIT-VECTORS-PITON, UNTAG-ARRAY, EQUAL, LISTP, and BIT-VECTORSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BIT-VECTORSP-UNTAG (PROVE-LEMMA BIT-VECTORSP-CDR-UNTAG (REWRITE) (IMPLIES (BIT-VECTORS-PITON (CDR X) S) (BIT-VECTORSP (CDR (UNTAG-ARRAY X)) S))) This simplifies, unfolding the definitions of UNTAG and UNTAG-ARRAY, to the following two new goals: Case 2. (IMPLIES (AND (BIT-VECTORS-PITON (CDR X) S) (NOT (LISTP X))) (BIT-VECTORSP (CDR NIL) S)). This again simplifies, applying the lemma CDR-NLISTP, and opening up the definitions of EQUAL, LISTP, and BIT-VECTORS-PITON, to: T. Case 1. (IMPLIES (AND (BIT-VECTORS-PITON (CDR X) S) (LISTP X)) (BIT-VECTORSP (CDR (CONS (CADAR X) (UNTAG-ARRAY (CDR X)))) S)), which again simplifies, applying CDR-CONS and BIT-VECTORSP-UNTAG, to: T. Q.E.D. [ 0.0 0.0 0.0 ] BIT-VECTORSP-CDR-UNTAG (ENABLE NTHCDR) [ 0.0 0.0 0.0 ] NTHCDR-ON (PROVE-LEMMA BIT-VECTORSP-NTHCDR (REWRITE) (IMPLIES (AND (BIT-VECTORSP X S) (LESSP N (LENGTH X))) (BIT-VECTORSP (NTHCDR N X) S)) ((ENABLE NTHCDR))) Give the conjecture the name *1. Let us appeal to the induction principle. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (SUB1 N) (CDR X) S)) (p N X S)) (IMPLIES (NOT (LISTP X)) (p N X S))). Linear arithmetic and the lemma CDR-LESSP can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for N. The above induction scheme generates the following four new conjectures: Case 4. (IMPLIES (AND (LISTP X) (NOT (BIT-VECTORSP (CDR X) S)) (BIT-VECTORSP X S) (LESSP N (LENGTH X))) (BIT-VECTORSP (NTHCDR N X) S)). 
This simplifies, opening up the function BIT-VECTORSP, to: T. Case 3. (IMPLIES (AND (LISTP X) (NOT (LESSP (SUB1 N) (LENGTH (CDR X)))) (BIT-VECTORSP X S) (LESSP N (LENGTH X))) (BIT-VECTORSP (NTHCDR N X) S)). This simplifies, rewriting with SUB1-ADD1, and opening up the definitions of BIT-VECTORSP, LENGTH, LESSP, EQUAL, and NTHCDR, to: T. Case 2. (IMPLIES (AND (LISTP X) (BIT-VECTORSP (NTHCDR (SUB1 N) (CDR X)) S) (BIT-VECTORSP X S) (LESSP N (LENGTH X))) (BIT-VECTORSP (NTHCDR N X) S)), which simplifies, rewriting with SUB1-ADD1, and opening up the definitions of BIT-VECTORSP, LENGTH, LESSP, EQUAL, and NTHCDR, to the following two new formulas: Case 2.2. (IMPLIES (AND (LISTP X) (BIT-VECTORSP (NTHCDR (SUB1 N) (CDR X)) S) (BIT-VECTORP (CAR X) S) (BIT-VECTORSP (CDR X) S) (LESSP (SUB1 N) (LENGTH (CDR X))) (NOT (NUMBERP N))) (BIT-VECTORSP X S)). But this again simplifies, opening up BIT-VECTORSP, to: T. Case 2.1. (IMPLIES (AND (LISTP X) (BIT-VECTORSP (NTHCDR (SUB1 N) (CDR X)) S) (BIT-VECTORP (CAR X) S) (BIT-VECTORSP (CDR X) S) (LESSP (SUB1 N) (LENGTH (CDR X))) (EQUAL N 0)) (BIT-VECTORSP X S)), which again simplifies, unfolding the functions SUB1, EQUAL, NTHCDR, LESSP, and BIT-VECTORSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORSP X S) (LESSP N (LENGTH X))) (BIT-VECTORSP (NTHCDR N X) S)), which simplifies, unfolding the functions BIT-VECTORSP, LENGTH, EQUAL, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BIT-VECTORSP-NTHCDR (PROVE-LEMMA BIT-VECTORP-XOR-BVS (REWRITE) (IMPLIES (AND (BIT-VECTORSP X SIZE) (LISTP X)) (BIT-VECTORP (XOR-BVS X) SIZE))) Name the conjecture *1. Let us appeal to the induction principle. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X) SIZE)) (p X SIZE)) (IMPLIES (NOT (LISTP X)) (p X SIZE))). 
Linear arithmetic and the lemma CDR-LESSP can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following three new goals: Case 3. (IMPLIES (AND (NOT (BIT-VECTORSP (CDR X) SIZE)) (BIT-VECTORSP X SIZE) (LISTP X)) (BIT-VECTORP (XOR-BVS X) SIZE)). This simplifies, expanding the definition of BIT-VECTORSP, to: T. Case 2. (IMPLIES (AND (NOT (LISTP (CDR X))) (BIT-VECTORSP X SIZE) (LISTP X)) (BIT-VECTORP (XOR-BVS X) SIZE)). This simplifies, rewriting with LENGTH-FROM-BIT-VECTORP and BIT-VECTORP-XOR-BITV2, and unfolding the functions BIT-VECTORSP, XOR-BVS, and EQUAL, to: T. Case 1. (IMPLIES (AND (BIT-VECTORP (XOR-BVS (CDR X)) SIZE) (BIT-VECTORSP X SIZE) (LISTP X)) (BIT-VECTORP (XOR-BVS X) SIZE)), which simplifies, applying LENGTH-FROM-BIT-VECTORP and BIT-VECTORP-XOR-BITV2, and expanding the functions BIT-VECTORSP, XOR-BVS, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BIT-VECTORP-XOR-BVS (PROVE-LEMMA LENGTH-UNTAG-ARRAY (REWRITE) (EQUAL (LENGTH (UNTAG-ARRAY X)) (LENGTH X))) Give the conjecture the name *1. We will appeal to induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LENGTH (UNTAG-ARRAY (CDR X))) (LENGTH (CDR X)))) (EQUAL (LENGTH (UNTAG-ARRAY X)) (LENGTH X))). This simplifies, applying CDR-CONS, and opening up the functions UNTAG-ARRAY, UNTAG, and LENGTH, to: T. Case 1. 
(IMPLIES (NOT (LISTP X)) (EQUAL (LENGTH (UNTAG-ARRAY X)) (LENGTH X))), which simplifies, unfolding the functions UNTAG-ARRAY, LENGTH, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-UNTAG-ARRAY (ENABLE LISTP-NTHCDR) [ 0.0 0.0 0.0 ] LISTP-NTHCDR-ON (PROVE-LEMMA NTHCDR-OPEN (REWRITE) (IMPLIES (LESSP N (LENGTH X)) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))) ((ENABLE NTHCDR))) This formula simplifies, applying the lemma SUB1-ADD1, and unfolding NTHCDR, to the following two new goals: Case 2. (IMPLIES (AND (LESSP N (LENGTH X)) (NOT (NUMBERP N))) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR 0 (CDR X))))). However this again simplifies, rewriting with CONS-CAR-CDR, and opening up the definitions of LESSP, NTHCDR, GET, and EQUAL, to: (IMPLIES (AND (NOT (EQUAL (LENGTH X) 0)) (NOT (NUMBERP N)) (NOT (LISTP X))) (EQUAL X '(0 . 0))), which again simplifies, opening up LENGTH and EQUAL, to: T. Case 1. (IMPLIES (AND (LESSP N (LENGTH X)) (NUMBERP N)) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR N (CDR X))))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS V Z) to eliminate (CDR X) and (CAR X). We thus obtain the following two new conjectures: Case 1.2. (IMPLIES (AND (NOT (LISTP X)) (LESSP N (LENGTH X)) (NUMBERP N)) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR N (CDR X))))). However this further simplifies, unfolding LENGTH, EQUAL, and LESSP, to: T. Case 1.1. (IMPLIES (AND (LESSP N (LENGTH (CONS V Z))) (NUMBERP N)) (EQUAL (NTHCDR N (CONS V Z)) (CONS (GET N (CONS V Z)) (NTHCDR N Z)))), which further simplifies, applying CDR-CONS, SUB1-ADD1, and CAR-CONS, and opening up the definitions of LENGTH, LESSP, NUMBERP, EQUAL, NTHCDR, and GET, to the new goal: (IMPLIES (AND (LESSP (SUB1 N) (LENGTH Z)) (NUMBERP N)) (EQUAL (NTHCDR N (CONS V Z)) (CONS (GET N (CONS V Z)) (NTHCDR N Z)))). Applying the lemma SUB1-ELIM, replace N by (ADD1 W) to eliminate (SUB1 N). 
We employ the type restriction lemma noted when SUB1 was introduced to restrict the new variable. We thus obtain the following two new conjectures: Case 1.1.2. (IMPLIES (AND (EQUAL N 0) (LESSP (SUB1 N) (LENGTH Z)) (NUMBERP N)) (EQUAL (NTHCDR N (CONS V Z)) (CONS (GET N (CONS V Z)) (NTHCDR N Z)))). But this further simplifies, rewriting with CAR-CONS, and unfolding SUB1, EQUAL, LESSP, NUMBERP, NTHCDR, and GET, to: T. Case 1.1.1. (IMPLIES (AND (NUMBERP W) (NOT (EQUAL (ADD1 W) 0)) (LESSP W (LENGTH Z))) (EQUAL (NTHCDR (ADD1 W) (CONS V Z)) (CONS (GET (ADD1 W) (CONS V Z)) (NTHCDR (ADD1 W) Z)))). This further simplifies, rewriting with the lemmas CDR-CONS and SUB1-ADD1, and expanding NTHCDR and GET, to: (IMPLIES (AND (NUMBERP W) (LESSP W (LENGTH Z))) (EQUAL (NTHCDR W Z) (CONS (GET W Z) (NTHCDR W (CDR Z))))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (LESSP N (LENGTH X)) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))), which we named *1 above. We will appeal to induction. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X)))) (p N X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p N X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (SUB1 N) (CDR X))) (p N X))). 
Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for X. The above induction scheme generates the following four new conjectures: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X)))) (LESSP N (LENGTH X))) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))). This simplifies, opening up the definitions of LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (LESSP N (LENGTH X))) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))). This simplifies, applying CAR-CONS, CDR-CONS, and SUB1-TYPE-RESTRICTION, and opening up LENGTH, NOT, OR, EQUAL, LESSP, NTHCDR, GET, and ADD1, to two new formulas: Case 3.2. (IMPLIES (AND (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (EQUAL N 0)) (EQUAL X (CONS (CAR X) (NTHCDR 1 X)))), which again simplifies, applying CAR-CONS and CDR-CONS, to: (IMPLIES (LISTP X) (EQUAL X (CONS (CAR X) (NTHCDR 1 X)))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This produces: (EQUAL (CONS Z V) (CONS Z (NTHCDR 1 (CONS Z V)))), which further simplifies, rewriting with CDR-CONS, and expanding the definitions of SUB1, NUMBERP, EQUAL, and NTHCDR, to: T. Case 3.1. (IMPLIES (AND (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (NUMBERP N))) (EQUAL X (CONS (CAR X) (NTHCDR 1 X)))). But this again simplifies, appealing to the lemmas CAR-CONS and CDR-CONS, to: (IMPLIES (AND (LISTP X) (NOT (NUMBERP N))) (EQUAL X (CONS (CAR X) (NTHCDR 1 X)))). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This generates: (IMPLIES (NOT (NUMBERP N)) (EQUAL (CONS Z V) (CONS Z (NTHCDR 1 (CONS Z V))))). 
But this further simplifies, rewriting with the lemma CDR-CONS, and unfolding the functions SUB1, NUMBERP, EQUAL, and NTHCDR, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (LESSP (SUB1 N) (LENGTH (CDR X)))) (LESSP N (LENGTH X))) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))), which simplifies, applying SUB1-ADD1, and expanding the functions LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (EQUAL (NTHCDR (SUB1 N) (CDR X)) (CONS (GET (SUB1 N) (CDR X)) (NTHCDR (ADD1 (SUB1 N)) (CDR X)))) (LESSP N (LENGTH X))) (EQUAL (NTHCDR N X) (CONS (GET N X) (NTHCDR (ADD1 N) X)))). This simplifies, applying ADD1-SUB1 and SUB1-ADD1, and unfolding the functions LENGTH, NOT, OR, LESSP, NTHCDR, and GET, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] NTHCDR-OPEN (PROVE-LEMMA GET-UNTAG-ARRAY (REWRITE) (IMPLIES (LESSP N (LENGTH X)) (EQUAL (GET N (UNTAG-ARRAY X)) (CADR (GET N X))))) Give the conjecture the name *1. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest five inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X)))) (p N X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p N X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (SUB1 N) (CDR X))) (p N X))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for X. 
The above induction scheme leads to the following four new conjectures: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X)))) (LESSP N (LENGTH X))) (EQUAL (GET N (UNTAG-ARRAY X)) (CADR (GET N X)))). This simplifies, opening up the functions LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (LESSP N (LENGTH X))) (EQUAL (GET N (UNTAG-ARRAY X)) (CADR (GET N X)))). This simplifies, appealing to the lemma CAR-CONS, and expanding the definitions of LENGTH, NOT, OR, EQUAL, LESSP, UNTAG-ARRAY, UNTAG, and GET, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (LESSP (SUB1 N) (LENGTH (CDR X)))) (LESSP N (LENGTH X))) (EQUAL (GET N (UNTAG-ARRAY X)) (CADR (GET N X)))). This simplifies, applying the lemma SUB1-ADD1, and expanding LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH X) 0) (NOT (NUMBERP (LENGTH X))))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (EQUAL (GET (SUB1 N) (UNTAG-ARRAY (CDR X))) (CADR (GET (SUB1 N) (CDR X)))) (LESSP N (LENGTH X))) (EQUAL (GET N (UNTAG-ARRAY X)) (CADR (GET N X)))). This simplifies, applying SUB1-ADD1 and CDR-CONS, and expanding the definitions of LENGTH, NOT, OR, LESSP, UNTAG-ARRAY, UNTAG, and GET, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GET-UNTAG-ARRAY (PROVE-LEMMA EQUAL-XOR-BITV-X-X-SPECIAL (REWRITE) (IMPLIES (AND (BIT-VECTORP B (LENGTH A)) (BIT-VECTORP (XOR-BITV Z C) (LENGTH A))) (EQUAL (EQUAL (XOR-BITV A B) (XOR-BITV Z (XOR-BITV A C))) (EQUAL B (XOR-BITV Z C))))) This simplifies, applying BIT-VECTORP-XOR-BITV2, XOR-BITV-COMMUTATIVE2, and EQUAL-XOR-BITV-X-X, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-XOR-BITV-X-X-SPECIAL (DEFN FIX-BIT (B) (IF (EQUAL B 0) 0 1)) Observe that (NUMBERP (FIX-BIT B)) is a theorem. 
[ 0.0 0.0 0.0 ] FIX-BIT (PROVE-LEMMA XOR-BITV-0 (REWRITE) (AND (EQUAL (XOR-BIT X 0) (FIX-BIT X)) (EQUAL (XOR-BIT 0 X) (FIX-BIT X)))) WARNING: Note that the rewrite rule XOR-BITV-0 will be stored so as to apply only to terms with the nonrecursive function symbol XOR-BIT. WARNING: Note that the rewrite rule XOR-BITV-0 will be stored so as to apply only to terms with the nonrecursive function symbol XOR-BIT. WARNING: Note that the proposed lemma XOR-BITV-0 is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This formula can be simplified, using the abbreviation AND, to the following two new formulas: Case 2. (EQUAL (XOR-BIT X 0) (FIX-BIT X)). This simplifies, opening up the definitions of EQUAL, XOR-BIT, and FIX-BIT, to: T. Case 1. (EQUAL (XOR-BIT 0 X) (FIX-BIT X)). This simplifies, opening up the functions EQUAL, XOR-BIT, and FIX-BIT, to: T. Q.E.D. [ 0.0 0.0 0.0 ] XOR-BITV-0 (PROVE-LEMMA XOR-BITV-NLISTP (REWRITE) (IMPLIES (NOT (LISTP C)) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV A B)))) Name the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP A) (p A B C)) (IMPLIES (AND (NOT (NLISTP A)) (p (CDR A) (CDR B) (CDR C))) (p A B C))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for C and B. The above induction scheme leads to the following three new conjectures: Case 3. (IMPLIES (AND (NLISTP A) (NOT (LISTP C))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV A B))). 
This simplifies, rewriting with the lemmas CAR-NLISTP and XOR-BITV-0, and opening up the definitions of NLISTP, XOR-BITV, FIX-BIT, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP A)) (LISTP (CDR C)) (NOT (LISTP C))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV A B))). This simplifies, appealing to the lemma CDR-NLISTP, and expanding NLISTP and LISTP, to: T. Case 1. (IMPLIES (AND (NOT (NLISTP A)) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C))) (EQUAL (XOR-BITV A (XOR-BITV B C)) (XOR-BITV A B))). This simplifies, applying CAR-NLISTP and XOR-BITV-0, and opening up the definitions of NLISTP, XOR-BITV, FIX-BIT, and XOR-BIT, to eight new formulas: Case 1.8. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR B) 0) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 1 (XOR-BITV (CDR A) (CDR B))))), which again simplifies, applying CAR-NLISTP, and opening up the function EQUAL, to: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 1 (XOR-BITV (CDR A) (CDR B))))), which further simplifies, rewriting with the lemma CDR-NLISTP, and unfolding the definition of XOR-BITV, to the conjecture: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) NIL) (XOR-BITV (CDR A) 0)) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 1 (XOR-BITV (CDR A) 0)))). This again simplifies, rewriting with XOR-BITV-0, and unfolding the functions CDR, FIX-BIT, CAR, and XOR-BITV, to: T. Case 1.7. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR B) 0)) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 1 (XOR-BITV (CDR A) (CDR B))))). 
This again simplifies, rewriting with CAR-NLISTP, and opening up the function EQUAL, to: T. Case 1.6. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (EQUAL (CAR B) 0) (LISTP B)) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (CONS 1 (XOR-BITV (CDR A) (CDR B))))). This again simplifies, rewriting with CDR-CONS, XOR-BITV-0, and CAR-CONS, and unfolding the functions FIX-BIT and XOR-BITV, to: T. Case 1.5. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR B) 0)) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 0 (XOR-BITV (CDR A) (CDR B))))). But this again simplifies, applying CAR-NLISTP, and opening up EQUAL, to: T. Case 1.4. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (EQUAL (CAR A) 0) (EQUAL (CAR B) 0) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 0 (XOR-BITV (CDR A) (CDR B))))). However this again simplifies, applying CAR-NLISTP, and expanding EQUAL, to: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (EQUAL (CAR A) 0) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 0 (XOR-BITV (CDR A) (CDR B))))), which further simplifies, applying the lemma CDR-NLISTP, and unfolding the function XOR-BITV, to the formula: (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) NIL) (XOR-BITV (CDR A) 0)) (NOT (LISTP C)) (EQUAL (CAR A) 0) (NOT (LISTP B))) (EQUAL (XOR-BITV A NIL) (CONS 0 (XOR-BITV (CDR A) 0)))). However this again simplifies, expanding the functions CDR, XOR-BIT, CAR, and XOR-BITV, to: T. Case 1.3. 
(IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (NOT (EQUAL (CAR A) 0)) (NOT (EQUAL (CAR B) 0)) (LISTP B)) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (CONS 0 (XOR-BITV (CDR A) (CDR B))))), which again simplifies, applying CDR-CONS and CAR-CONS, and opening up the definitions of XOR-BIT, EQUAL, and XOR-BITV, to: T. Case 1.2. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (EQUAL (CAR A) 0) (EQUAL (CAR B) 0) (LISTP B)) (EQUAL (XOR-BITV A (CONS 0 (XOR-BITV (CDR B) (CDR C)))) (CONS 0 (XOR-BITV (CDR A) (CDR B))))). However this again simplifies, rewriting with CDR-CONS and CAR-CONS, and expanding XOR-BIT and XOR-BITV, to: T. Case 1.1. (IMPLIES (AND (LISTP A) (EQUAL (XOR-BITV (CDR A) (XOR-BITV (CDR B) (CDR C))) (XOR-BITV (CDR A) (CDR B))) (NOT (LISTP C)) (EQUAL (CAR A) 0) (NOT (EQUAL (CAR B) 0)) (LISTP B)) (EQUAL (XOR-BITV A (CONS 1 (XOR-BITV (CDR B) (CDR C)))) (CONS 1 (XOR-BITV (CDR A) (CDR B))))). But this again simplifies, applying CDR-CONS and CAR-CONS, and expanding the definitions of XOR-BIT and XOR-BITV, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.3 ] XOR-BITV-NLISTP (PROVE-LEMMA XOR-BITV-NLISTP2 (REWRITE) (IMPLIES (AND (BIT-VECTORP A B) (NOT (LISTP C))) (EQUAL (XOR-BITV A C) A))) WARNING: Note that XOR-BITV-NLISTP2 contains the free variable B which will be chosen by instantiating the hypothesis (BIT-VECTORP A B). Name the conjecture *1. Perhaps we can prove it by induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP A) (p A C B)) (IMPLIES (AND (NOT (NLISTP A)) (p (CDR A) (CDR C) (SUB1 B))) (p A C B))). 
Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for C and B. The above induction scheme leads to the following four new conjectures: Case 4. (IMPLIES (AND (NLISTP A) (BIT-VECTORP A B) (NOT (LISTP C))) (EQUAL (XOR-BITV A C) A)). This simplifies, opening up NLISTP, BIT-VECTORP, LISTP, XOR-BITV, and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (NLISTP A)) (NOT (BIT-VECTORP (CDR A) (SUB1 B))) (BIT-VECTORP A B) (NOT (LISTP C))) (EQUAL (XOR-BITV A C) A)). This simplifies, unfolding the definitions of NLISTP, BIT-VECTORP, and BITP, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP A)) (LISTP (CDR C)) (BIT-VECTORP A B) (NOT (LISTP C))) (EQUAL (XOR-BITV A C) A)). This simplifies, applying CDR-NLISTP, and unfolding NLISTP and LISTP, to: T. Case 1. (IMPLIES (AND (NOT (NLISTP A)) (EQUAL (XOR-BITV (CDR A) (CDR C)) (CDR A)) (BIT-VECTORP A B) (NOT (LISTP C))) (EQUAL (XOR-BITV A C) A)), which simplifies, applying the lemmas CAR-NLISTP, CAR-CONS, and CDR-CONS, and expanding NLISTP, BIT-VECTORP, BITP, XOR-BITV, XOR-BIT, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] XOR-BITV-NLISTP2 (PROVE-LEMMA XOR-BVS-ARRAY-REWRITE (REWRITE) (IMPLIES (AND (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY)) (EQUAL (LENGTH ARRAY) AS)) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N AS) (XOR-BITV CURRENT (XOR-BVS (NTHCDR (DIFFERENCE AS N) (UNTAG-ARRAY ARRAY)))))) ((INDUCT (XOR-BVS-ARRAY CURRENT ARRAY N AS)) (ENABLE NTHCDR))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, LENGTH-XOR-BITV, and UNTAG, to two new formulas: Case 2. 
(IMPLIES (AND (ZEROP N) (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY)) (EQUAL (LENGTH ARRAY) AS)) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N AS) (XOR-BITV CURRENT (XOR-BVS (NTHCDR (DIFFERENCE AS N) (UNTAG-ARRAY ARRAY)))))), which simplifies, using linear arithmetic, applying LENGTH-FROM-BIT-VECTORP, CDR-NLISTP, CAR-NLISTP, LISTP-NTHCDR, LENGTH-UNTAG-ARRAY, and XOR-BITV-NLISTP2, and opening up the definitions of ZEROP, EQUAL, LESSP, XOR-BVS-ARRAY, DIFFERENCE, XOR-BITV, and XOR-BVS, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (IMPLIES (AND (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP (XOR-BITV CURRENT (CADR (GET (DIFFERENCE AS N) ARRAY))) (LENGTH CURRENT)) (LESSP (SUB1 N) (LENGTH ARRAY)) (EQUAL (LENGTH ARRAY) AS)) (EQUAL (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE AS N) ARRAY))) ARRAY (SUB1 N) AS) (XOR-BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE AS N) ARRAY))) (XOR-BVS (NTHCDR (DIFFERENCE AS (SUB1 N)) (UNTAG-ARRAY ARRAY)))))) (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY)) (EQUAL (LENGTH ARRAY) AS)) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N AS) (XOR-BITV CURRENT (XOR-BVS (NTHCDR (DIFFERENCE AS N) (UNTAG-ARRAY ARRAY)))))). This simplifies, using linear arithmetic, applying LENGTH-FROM-BIT-VECTORP, BIT-VECTORP-XOR-BITV2, DIFFERENCE-SUB1-ARG2, LENGTH-CADR-GET-BIT-VECTORS-PITON, XOR-BITV-ASSOCIATIVE, LENGTH-UNTAG-ARRAY, GET-UNTAG-ARRAY, SUB1-ADD1, NTHCDR-OPEN, CDR-CONS, and CAR-CONS, and unfolding AND, IMPLIES, NTHCDR, and XOR-BVS, to three new goals: Case 1.3. 
(IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH ARRAY) N) (IMPLIES (AND (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY))) (LENGTH CURRENT)) (LESSP (SUB1 N) (LENGTH ARRAY)) (EQUAL (LENGTH ARRAY) (LENGTH ARRAY))) (EQUAL (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY))) ARRAY (SUB1 N) (LENGTH ARRAY)) (XOR-BITV (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY))) (XOR-BVS (NTHCDR (DIFFERENCE (LENGTH ARRAY) (SUB1 N)) (UNTAG-ARRAY ARRAY)))))) (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY))) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N (LENGTH ARRAY)) (XOR-BITV CURRENT (XOR-BVS (NTHCDR (DIFFERENCE (LENGTH ARRAY) N) (UNTAG-ARRAY ARRAY)))))), which again simplifies, using linear arithmetic, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH ARRAY) N)) (NOT (LESSP (SUB1 N) (LENGTH ARRAY))) (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY))) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N (LENGTH ARRAY)) (XOR-BITV CURRENT (XOR-BITV (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY)) (XOR-BVS (NTHCDR (DIFFERENCE (LENGTH ARRAY) N) (CDR (UNTAG-ARRAY ARRAY)))))))), which again simplifies, using linear arithmetic, to: T. Case 1.1. 
(IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH ARRAY) N)) (EQUAL (XOR-BVS-ARRAY (XOR-BITV CURRENT (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY))) ARRAY (SUB1 N) (LENGTH ARRAY)) (XOR-BITV CURRENT (XOR-BITV (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY)) (XOR-BVS (NTHCDR (ADD1 (DIFFERENCE (LENGTH ARRAY) N)) (UNTAG-ARRAY ARRAY)))))) (BIT-VECTORS-PITON ARRAY (LENGTH CURRENT)) (BIT-VECTORP CURRENT (LENGTH CURRENT)) (LESSP N (LENGTH ARRAY))) (EQUAL (XOR-BVS-ARRAY CURRENT ARRAY N (LENGTH ARRAY)) (XOR-BITV CURRENT (XOR-BITV (CADR (GET (DIFFERENCE (LENGTH ARRAY) N) ARRAY)) (XOR-BVS (NTHCDR (DIFFERENCE (LENGTH ARRAY) N) (CDR (UNTAG-ARRAY ARRAY)))))))), which again simplifies, applying SUB1-ADD1 and LENGTH-FROM-BIT-VECTORP, and expanding the definitions of NTHCDR, UNTAG, and XOR-BVS-ARRAY, to: T. Q.E.D. [ 0.0 0.4 0.0 ] XOR-BVS-ARRAY-REWRITE (ENABLE EQUAL-LENGTH-0) [ 0.0 0.0 0.0 ] EQUAL-LENGTH-0-ON4 (PROVE-LEMMA CORRECTNESS-OF-XOR-BVS-HELPER (REWRITE) (IMPLIES (AND (EQUAL P0 (P-STATE PC CTRL-STK (APPEND (LIST (TAG 'NAT NUMVECS) (TAG 'ADDR (CONS STATE 0))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL XOR-BVS)) (EQUAL (DEFINITION 'XOR-BVS PROG-SEGMENT) (XOR-BVS-PROGRAM)) (XOR-BVS-INPUT-CONDITIONP P0)) (EQUAL (P P0 (XOR-BVS-CLOCK NUMVECS)) (P-STATE (ADD1-ADDR PC) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (UNTAG (CAR (ARRAY STATE DATA-SEGMENT))) (ARRAY STATE DATA-SEGMENT) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) ((USE (XOR-BVS-LOOP-CORRECTNESS (CURRENT (UNTAG (CAR (ARRAY STATE DATA-SEGMENT)))) (S STATE) (N NUMVECS) (RET-PC (ADD-ADDR PC 1)))))) WARNING: Note that CORRECTNESS-OF-XOR-BVS-HELPER contains the free variables WORD-SIZE, MAX-TEMP-STK-SIZE, MAX-CTRL-STK-SIZE, DATA-SEGMENT, PROG-SEGMENT, TEMP-STK, STATE, CTRL-STK, and PC which will be chosen by instantiating the hypothesis: (EQUAL P0 (P-STATE PC 
CTRL-STK (APPEND (LIST (TAG 'NAT NUMVECS) (TAG 'ADDR (CONS STATE 0))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)). This conjecture can be simplified, using the abbreviations TOP, XOR-BVS-INPUT-CONDITIONP, AND, IMPLIES, ADD1-ADDR, PLUS-ADD1-ARG1, XOR-BVS-CLOCK, TAG, UNTAG, XOR-BVS-PROGRAM, DEFINITION, and ARRAY, to the goal: (IMPLIES (AND (IMPLIES (AND (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (NOT (ZEROP WORD-SIZE)) (LISTP CTRL-STK) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (LESSP 0 NUMVECS) (BIT-VECTORP (CADADR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (ADD-ADDR PC 1)) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (ADD-ADDR PC 1) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (EQUAL P0 (P-STATE PC CTRL-STK (APPEND (LIST (LIST 'NAT NUMVECS) (LIST 'ADDR (CONS STATE 0))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAAR (P-TEMP-STK P0)) 'NAT) (EQUAL (CAADR (P-TEMP-STK P0)) 'ADDR) (EQUAL (CDADADR (P-TEMP-STK P0)) 0) (LISTP (CADADR (P-TEMP-STK P0))) (EQUAL (CDDAR (P-TEMP-STK P0)) NIL) (EQUAL (CDDADR (P-TEMP-STK P0)) NIL) (DEFINEDP (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0)) (BIT-VECTORS-PITON (CDR (ASSOC (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0))) (P-WORD-SIZE P0)) (EQUAL (CADAR (P-TEMP-STK P0)) (LENGTH (CDR (ASSOC (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0))))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE (P-CTRL-STK P0)) 4 (P-MAX-CTRL-STK-SIZE P0)) (AT-LEAST-MOREP (LENGTH (P-TEMP-STK P0)) 2 (P-MAX-TEMP-STK-SIZE P0)) (NOT (EQUAL (CADAR (P-TEMP-STK P0)) 0)) (NUMBERP (CADAR (P-TEMP-STK P0))) (LESSP (CADAR (P-TEMP-STK P0)) (EXP 2 (P-WORD-SIZE P0))) (LISTP (P-CTRL-STK P0))) (EQUAL (P P0 (ADD1 (ADD1 (ADD1 
(ADD1 (ADD1 (ADD1 (PLUS 0 (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS)))))))))) (P-STATE (ADD-ADDR PC 1) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This simplifies, applying PLUS-ZERO-ARG2, PLUS-ADD1-ARG2, P-PC-P-STATE, CDR-CONS, CAR-CONS, P-PROG-SEGMENT-P-STATE, P-TEMP-STK-P-STATE, P-DATA-SEGMENT-P-STATE, P-WORD-SIZE-P-STATE, P-CTRL-STK-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-MAX-TEMP-STK-SIZE-P-STATE, AT-LEAST-MOREP-NORMALIZE, P-STEP1-OPENER, SUB1-ADD1, LESSP-AS-AT-LEAST-MOREP, AT-LEAST-MOREP-LINEAR, PLUS-ADD1-ARG1, P-PSW-P-STATE, P-OPENER, EXP-0, and EQUAL-LENGTH-0, and unfolding the functions ZEROP, NOT, EQUAL, LESSP, AND, TAG, ADD-ADP, ADP-NAME, ADP-OFFSET, NUMBERP, UNTAG, TYPE, ADD-ADDR, IMPLIES, APPEND, LISTP, UNLABEL, LABELLEDP, PROGRAM-BODY, P-CURRENT-PROGRAM, AREA-NAME, DEFINITION, OFFSET, P-CURRENT-INSTRUCTION, LENGTH, ADD1, PLUS, P-INS-STEP, POPN, P-CALL-STEP, P-INS-OKP, CAR, P-CTRL-STK-SIZE, TOP, BINDINGS, P-FRAME-SIZE, PUSH, MAKE-P-CALL-FRAME, PAIRLIST, REV, FIRST-N, SUB1, PAIR-FORMAL-VARS-WITH-ACTUALS, PAIR-TEMPS-WITH-INITIAL-VALUES, P-FRAME, ADD1-ADDR, TEMP-VAR-DCLS, FORMAL-VARS, CDR, P-CALL-OKP, CONS, P-STEP, LOCAL-VAR-VALUE, ASSOC, DEFINIENS, ADD1-P-PC, P-PUSH-LOCAL-STEP, P-PUSH-LOCAL-OKP, GET, POP, FETCH, FETCH-ADP, P-FETCH-STEP, P-OBJECTP-TYPE, ADPP, P-OBJECTP, P-FETCH-OKP, P-SUB1-NAT-STEP, SMALL-NATURALP, P-SUB1-NAT-OKP, SET-LOCAL-VAR-VALUE, PUT-ASSOC, PUT-VALUE, RET-PC, P-POP-LOCAL-STEP, P-POP-LOCAL-OKP, EXP, and BIT-VECTORS-PITON, to 12 new goals: Case 12.(IMPLIES (AND (NOT (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE))) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL 
(PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, trivially, to: T. 
Case 11.(IMPLIES (AND (NOT (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE))) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, trivially, to: T. 
Case 10.(IMPLIES (AND (NOT (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE))) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, clearly, to: T. Case 9. 
(IMPLIES (AND (NOT (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE))) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, clearly, to: T. Case 8. 
(IMPLIES (AND (NOT (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE)) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, applying AT-LEAST-MOREP-LINEAR, and expanding the definition of LESSP, to: T. Case 7. 
(IMPLIES (AND (NOT (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE)) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, applying AT-LEAST-MOREP-LINEAR, and opening up the function LESSP, to: T. Case 6. 
(IMPLIES (AND (NOT (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE)) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). But this again simplifies, applying the lemma AT-LEAST-MOREP-LINEAR, and expanding the definition of LESSP, to: T. Case 5. 
(IMPLIES (AND (NOT (AT-LEAST-MOREP (LENGTH TEMP-STK) 3 MAX-TEMP-STK-SIZE)) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, rewriting with AT-LEAST-MOREP-LINEAR, and opening up the function LESSP, to: T. Case 4. (IMPLIES (AND (NOT (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (NOT (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL)) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))))). This again simplifies, rewriting with P-PC-P-STATE, EQUAL-LENGTH-0, and BIT-VECTORS-PITON-MEANS-MORE, and opening up CAR and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 
WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))))). However this again simplifies, rewriting with P-PC-P-STATE, EQUAL-LENGTH-0, and BIT-VECTORS-PITON-MEANS-MORE, to: T. Case 2. (IMPLIES (AND (NUMBERP (CDADR PC)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL 
VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))))). However this again simplifies, applying P-PC-P-STATE, EQUAL-LENGTH-0, and BIT-VECTORS-PITON-MEANS-MORE, and expanding the functions CAR and EQUAL, to: T. Case 1. (IMPLIES (AND (NUMBERP (CDADR PC)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE '(PC (XOR-BVS . 5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (CADR (ASSOC STATE DATA-SEGMENT)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))) (P (P-STATE '(PC (XOR-BVS . 
5)) (CONS (LIST (LIST (LIST 'VECS-ADDR 'ADDR (CONS STATE 0)) (LIST 'NUMVECS 'NAT (SUB1 NUMVECS))) (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (CADADR (ASSOC STATE DATA-SEGMENT))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK-LOOP (SUB1 NUMVECS))))). However this again simplifies, applying P-PC-P-STATE, EQUAL-LENGTH-0, and BIT-VECTORS-PITON-MEANS-MORE, to: T. Q.E.D. [ 0.0 6.0 0.4 ] CORRECTNESS-OF-XOR-BVS-HELPER (PROVE-LEMMA LENGTH-CADAR-BVS (REWRITE) (IMPLIES (AND (BIT-VECTORS-PITON X S) (LISTP X)) (EQUAL (LENGTH (CADAR X)) (FIX S)))) WARNING: Note that LENGTH-CADAR-BVS contains the free variable S which will be chosen by instantiating the hypothesis (BIT-VECTORS-PITON X S). This simplifies, opening up the function FIX, to two new goals: Case 2. (IMPLIES (AND (BIT-VECTORS-PITON X S) (LISTP X) (NOT (NUMBERP S))) (EQUAL (LENGTH (CADAR X)) 0)), which again simplifies, rewriting with EQUAL-LENGTH-0, to: (IMPLIES (AND (BIT-VECTORS-PITON X S) (LISTP X) (NOT (NUMBERP S))) (NOT (LISTP (CADAR X)))), which again simplifies, opening up BIT-VECTORP and BIT-VECTORS-PITON, to: T. Case 1. (IMPLIES (AND (BIT-VECTORS-PITON X S) (LISTP X) (NUMBERP S)) (EQUAL (LENGTH (CADAR X)) S)). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X), Z by (CONS D W) to eliminate (CDR Z) and (CAR Z), and W by (CONS Z C) to eliminate (CAR W) and (CDR W). We would thus like to prove the following three new conjectures: Case 1.3. (IMPLIES (AND (NOT (LISTP Z)) (BIT-VECTORS-PITON (CONS Z V) S) (NUMBERP S)) (EQUAL (LENGTH (CADR Z)) S)). But this further simplifies, applying CAR-CONS, and expanding the definition of BIT-VECTORS-PITON, to: T. Case 1.2. (IMPLIES (AND (NOT (LISTP W)) (BIT-VECTORS-PITON (CONS (CONS D W) V) S) (NUMBERP S)) (EQUAL (LENGTH (CAR W)) S)). 
However this further simplifies, rewriting with the lemmas CAR-NLISTP, CDR-CONS, and CAR-CONS, and opening up BIT-VECTORP, LISTP, EQUAL, and BIT-VECTORS-PITON, to: T. Case 1.1. (IMPLIES (AND (BIT-VECTORS-PITON (CONS (CONS D (CONS Z C)) V) S) (NUMBERP S)) (EQUAL (LENGTH Z) S)), which further simplifies, applying CDR-CONS, CAR-CONS, and LENGTH-FROM-BIT-VECTORP, and unfolding the function BIT-VECTORS-PITON, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-CADAR-BVS (PROVE-LEMMA BIT-VECTORP-FROM-BIT-VECTORS-PITON (REWRITE) (IMPLIES (BIT-VECTORS-PITON X S) (AND (EQUAL (BIT-VECTORP (CADAR X) S) (LISTP X)) (EQUAL (BIT-VECTORP (CADR (GET N X)) S) (LESSP N (LENGTH X)))))) WARNING: Note that the proposed lemma BIT-VECTORP-FROM-BIT-VECTORS-PITON is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This conjecture simplifies, unfolding the function AND, to the following two new conjectures: Case 2. (IMPLIES (BIT-VECTORS-PITON X S) (EQUAL (BIT-VECTORP (CADAR X) S) (LISTP X))). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X), Z by (CONS D W) to eliminate (CDR Z) and (CAR Z), and W by (CONS Z C) to eliminate (CAR W) and (CDR W). The result is four new formulas: Case 2.4. (IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON X S)) (EQUAL (BIT-VECTORP (CADAR X) S) (LISTP X))), which further simplifies, unfolding the definitions of BIT-VECTORS-PITON, CAR, CDR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 2.3. (IMPLIES (AND (NOT (LISTP Z)) (BIT-VECTORS-PITON (CONS Z V) S)) (EQUAL (BIT-VECTORP (CADR Z) S) (LISTP (CONS Z V)))), which further simplifies, rewriting with CAR-CONS, and expanding the definition of BIT-VECTORS-PITON, to: T. Case 2.2. (IMPLIES (AND (NOT (LISTP W)) (BIT-VECTORS-PITON (CONS (CONS D W) V) S)) (EQUAL (BIT-VECTORP (CAR W) S) (LISTP (CONS (CONS D W) V)))). 
But this further simplifies, applying the lemmas CAR-NLISTP, CDR-CONS, and CAR-CONS, and unfolding BIT-VECTORP, LISTP, EQUAL, and BIT-VECTORS-PITON, to: T. Case 2.1. (IMPLIES (BIT-VECTORS-PITON (CONS (CONS D (CONS Z C)) V) S) (EQUAL (BIT-VECTORP Z S) (LISTP (CONS (CONS D (CONS Z C)) V)))), which further simplifies, applying CDR-CONS and CAR-CONS, and opening up BIT-VECTORS-PITON, to: T. Case 1. (IMPLIES (BIT-VECTORS-PITON X S) (EQUAL (BIT-VECTORP (CADR (GET N X)) S) (LESSP N (LENGTH X)))). Give the above formula the name *1. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (SUB1 N) (CDR X) S)) (p N X S)) (IMPLIES (NOT (LISTP X)) (p N X S))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for N. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (LISTP X) (NOT (BIT-VECTORS-PITON (CDR X) S)) (BIT-VECTORS-PITON X S)) (EQUAL (BIT-VECTORP (CADR (GET N X)) S) (LESSP N (LENGTH X)))). This simplifies, expanding the definition of BIT-VECTORS-PITON, to: T. Case 2. (IMPLIES (AND (LISTP X) (EQUAL (BIT-VECTORP (CADR (GET (SUB1 N) (CDR X))) S) (LESSP (SUB1 N) (LENGTH (CDR X)))) (BIT-VECTORS-PITON X S)) (EQUAL (BIT-VECTORP (CADR (GET N X)) S) (LESSP N (LENGTH X)))). This simplifies, rewriting with SUB1-ADD1, and expanding BIT-VECTORS-PITON, GET, LENGTH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON X S)) (EQUAL (BIT-VECTORP (CADR (GET N X)) S) (LESSP N (LENGTH X)))), which simplifies, opening up the functions BIT-VECTORS-PITON, LENGTH, EQUAL, and LESSP, to: (IMPLIES (AND (NOT (LISTP X)) (EQUAL X NIL)) (NOT (BIT-VECTORP (CADR (GET N NIL)) S))). 
However this again simplifies, expanding the function LISTP, to the goal: (NOT (BIT-VECTORP (CADR (GET N NIL)) S)). Call the above conjecture *1.1. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP N) (p N S)) (IMPLIES (AND (NOT (ZEROP N)) (p (SUB1 N) S)) (p N S))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to prove that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new formulas: Case 2. (IMPLIES (ZEROP N) (NOT (BIT-VECTORP (CADR (GET N NIL)) S))), which simplifies, expanding the functions ZEROP, GET, CDR, CAR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP N)) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) NIL)) S))) (NOT (BIT-VECTORP (CADR (GET N NIL)) S))), which simplifies, unfolding the definitions of ZEROP, GET, and CDR, to: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) NIL)) S))) (NOT (BIT-VECTORP (CADR (GET (SUB1 N) 0)) S))). Appealing to the lemma SUB1-ELIM, we now replace N by (ADD1 X) to eliminate (SUB1 N). We rely upon the type restriction lemma noted when SUB1 was introduced to constrain the new variable. This generates: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (NOT (BIT-VECTORP (CADR (GET X NIL)) S))) (NOT (BIT-VECTORP (CADR (GET X 0)) S))). This further simplifies, obviously, to: (IMPLIES (AND (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) S))) (NOT (BIT-VECTORP (CADR (GET X 0)) S))), which we will name *1.1.1. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP X) (p X S)) (IMPLIES (AND (NOT (ZEROP X)) (p (SUB1 X) S)) (p X S))). 
Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to three new goals: Case 3. (IMPLIES (AND (ZEROP X) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) S))) (NOT (BIT-VECTORP (CADR (GET X 0)) S))), which simplifies, unfolding ZEROP, NUMBERP, GET, CDR, CAR, EQUAL, LISTP, and BIT-VECTORP, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP X)) (BIT-VECTORP (CADR (GET (SUB1 X) NIL)) S) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) S))) (NOT (BIT-VECTORP (CADR (GET X 0)) S))), which simplifies, expanding ZEROP, GET, and CDR, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP X)) (NOT (BIT-VECTORP (CADR (GET (SUB1 X) 0)) S)) (NUMBERP X) (NOT (BIT-VECTORP (CADR (GET X NIL)) S))) (NOT (BIT-VECTORP (CADR (GET X 0)) S))), which simplifies, unfolding ZEROP, GET, and CDR, to: T. That finishes the proof of *1.1.1, which, in turn, finishes the proof of *1.1, which, in turn, finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.3 ] BIT-VECTORP-FROM-BIT-VECTORS-PITON (PROVE-LEMMA NTHCDR-1 (REWRITE) (EQUAL (NTHCDR 1 A) (CDR A)) ((ENABLE NTHCDR))) . Appealing to the lemma CAR-CDR-ELIM, we now replace A by (CONS Z X) to eliminate (CDR A) and (CAR A). We must thus prove two new formulas: Case 2. (IMPLIES (NOT (LISTP A)) (EQUAL (NTHCDR 1 A) (CDR A))), which simplifies, rewriting with CDR-NLISTP, and unfolding the definitions of NTHCDR, SUB1, NUMBERP, and EQUAL, to: T. Case 1. (EQUAL (NTHCDR 1 (CONS Z X)) X). This simplifies, applying CDR-CONS, and opening up the functions SUB1, NUMBERP, EQUAL, and NTHCDR, to: T. Q.E.D. [ 0.0 0.0 0.0 ] NTHCDR-1 (PROVE-LEMMA LISTP-UNTAG-ARRAY (REWRITE) (EQUAL (LISTP (UNTAG-ARRAY X)) (LISTP X))) Give the conjecture the name *1. We will appeal to induction. There is only one plausible induction. 
We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LISTP (UNTAG-ARRAY (CDR X))) (LISTP (CDR X)))) (EQUAL (LISTP (UNTAG-ARRAY X)) (LISTP X))). This simplifies, expanding the functions UNTAG-ARRAY, UNTAG, and EQUAL, to: T. Case 1. (IMPLIES (NOT (LISTP X)) (EQUAL (LISTP (UNTAG-ARRAY X)) (LISTP X))). This simplifies, opening up UNTAG-ARRAY, LISTP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LISTP-UNTAG-ARRAY (PROVE-LEMMA XOR-BVS-INPUT-CONDITIONP-MEANS-XOR-BVS-HACK (REWRITE) (IMPLIES (AND (XOR-BVS-INPUT-CONDITIONP (P-STATE PC CTRL-STK (CONS (LIST 'NAT NUMVECS) (CONS (LIST 'ADDR (CONS STATE 0)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP 0 WORD-SIZE)) (EQUAL (XOR-BVS-ARRAY (UNTAG (CAR (ARRAY STATE DATA-SEGMENT))) (ARRAY STATE DATA-SEGMENT) (SUB1 NUMVECS) NUMVECS) (XOR-BVS (UNTAG-ARRAY (ARRAY STATE DATA-SEGMENT))))) ((ENABLE NTHCDR))) WARNING: Note that XOR-BVS-INPUT-CONDITIONP-MEANS-XOR-BVS-HACK contains the free variables WORD-SIZE, MAX-TEMP-STK-SIZE, MAX-CTRL-STK-SIZE, PROG-SEGMENT, TEMP-STK, CTRL-STK, and PC which will be chosen by instantiating the hypothesis: (XOR-BVS-INPUT-CONDITIONP (P-STATE PC CTRL-STK (CONS (LIST 'NAT NUMVECS) (CONS (LIST 'ADDR (CONS STATE 0)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)). 
This formula can be simplified, using the abbreviations CONS-EQUAL, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-CTRL-STK-P-STATE, P-WORD-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, CDR-CONS, PACK-EQUAL, CAR-CONS, P-TEMP-STK-P-STATE, TOP, XOR-BVS-INPUT-CONDITIONP, AND, IMPLIES, ARRAY, and UNTAG, to the new formula: (IMPLIES (AND (EQUAL 78 78) (EQUAL 65 65) (EQUAL 84 84) (EQUAL 0 0) (EQUAL 68 68) (EQUAL 82 82) (LISTP (CONS STATE 0)) (EQUAL 73 73) (EQUAL 76 76) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (EQUAL NUMVECS (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH (CONS (LIST 'NAT NUMVECS) (CONS (LIST 'ADDR (CONS STATE 0)) TEMP-STK))) 2 MAX-TEMP-STK-SIZE) (NOT (EQUAL NUMVECS 0)) (NUMBERP NUMVECS) (LESSP NUMVECS (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (LESSP 0 WORD-SIZE)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 NUMVECS) NUMVECS) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))), which simplifies, using linear arithmetic, rewriting with CDR-CONS, AT-LEAST-MOREP-NORMALIZE, EQUAL-LENGTH-0, BIT-VECTORP-FROM-BIT-VECTORS-PITON, LENGTH-CADAR-BVS, DIFFERENCE-X-SUB1-X-BETTER, NTHCDR-1, and XOR-BVS-ARRAY-REWRITE, and expanding the functions EQUAL, LENGTH, ADD1, and LESSP, to the following two new goals: Case 2. 
(IMPLIES (AND (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) 0)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC STATE DATA-SEGMENT)) (CDR (ASSOC STATE DATA-SEGMENT)) (SUB1 (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (LENGTH (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))). This again simplifies, applying the lemmas EQUAL-EXP-0 and EQUAL-LENGTH-0, and opening up the definitions of NUMBERP, EQUAL, and LESSP, to: T. Case 1. (IMPLIES (AND (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) 0))) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))), which again simplifies, applying the lemmas EQUAL-LENGTH-0 and LISTP-UNTAG-ARRAY, and expanding the definition of XOR-BVS, to: (IMPLIES (AND (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP 
WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))). Name the above subgoal *1. We will appeal to induction. There are 11 plausible inductions. They merge into four likely candidate inductions, all of which are unflawed. However, one of these is more likely than the others. We will induct according to the following scheme: (AND (IMPLIES (NLISTP DATA-SEGMENT) (p STATE DATA-SEGMENT WORD-SIZE CTRL-STK TEMP-STK MAX-TEMP-STK-SIZE MAX-CTRL-STK-SIZE)) (IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (EQUAL STATE (CAAR DATA-SEGMENT))) (p STATE DATA-SEGMENT WORD-SIZE CTRL-STK TEMP-STK MAX-TEMP-STK-SIZE MAX-CTRL-STK-SIZE)) (IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (p STATE (CDR DATA-SEGMENT) WORD-SIZE CTRL-STK TEMP-STK MAX-TEMP-STK-SIZE MAX-CTRL-STK-SIZE)) (p STATE DATA-SEGMENT WORD-SIZE CTRL-STK TEMP-STK MAX-TEMP-STK-SIZE MAX-CTRL-STK-SIZE))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP can be used to prove that the measure (COUNT DATA-SEGMENT) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces seven new conjectures: Case 7. 
(IMPLIES (AND (NLISTP DATA-SEGMENT) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, opening up NLISTP and DEFINEDP, to: T. Case 6. (IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (EQUAL STATE (CAAR DATA-SEGMENT)) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, opening up the functions NLISTP, DEFINEDP, and ASSOC, to the conjecture: (IMPLIES (AND (LISTP DATA-SEGMENT) (BIT-VECTORS-PITON (CDAR DATA-SEGMENT) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDAR DATA-SEGMENT)) (LESSP (LENGTH (CDAR DATA-SEGMENT)) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADAR DATA-SEGMENT) (XOR-BVS (CDR (UNTAG-ARRAY (CDAR DATA-SEGMENT))))) (XOR-BITV (CAR 
(UNTAG-ARRAY (CDAR DATA-SEGMENT))) (XOR-BVS (CDR (UNTAG-ARRAY (CDAR DATA-SEGMENT))))))). Appealing to the lemma CAR-CDR-ELIM, we now replace DATA-SEGMENT by (CONS X Z) to eliminate (CAR DATA-SEGMENT) and (CDR DATA-SEGMENT), X by (CONS W V) to eliminate (CDR X) and (CAR X), V by (CONS X D) to eliminate (CAR V) and (CDR V), X by (CONS C V) to eliminate (CDR X) and (CAR X), and V by (CONS X X1) to eliminate (CAR V) and (CDR V). This generates four new goals: Case 6.4. (IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON (CDR X) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR X)) (LESSP (LENGTH (CDR X)) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR X) (XOR-BVS (CDR (UNTAG-ARRAY (CDR X))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR X))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR X))))))), which further simplifies, applying CDR-NLISTP, and opening up EQUAL, LISTP, and BIT-VECTORS-PITON, to: T. Case 6.3. (IMPLIES (AND (NOT (LISTP X)) (BIT-VECTORS-PITON (CONS X D) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LESSP (LENGTH (CONS X D)) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADR X) (XOR-BVS (CDR (UNTAG-ARRAY (CONS X D))))) (XOR-BITV (CAR (UNTAG-ARRAY (CONS X D))) (XOR-BVS (CDR (UNTAG-ARRAY (CONS X D))))))). This further simplifies, rewriting with CAR-CONS, and opening up BIT-VECTORS-PITON, to: T. Case 6.2. 
(IMPLIES (AND (NOT (LISTP V)) (BIT-VECTORS-PITON (CONS (CONS C V) D) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LESSP (LENGTH (CONS (CONS C V) D)) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CAR V) (XOR-BVS (CDR (UNTAG-ARRAY (CONS (CONS C V) D))))) (XOR-BITV (CAR (UNTAG-ARRAY (CONS (CONS C V) D))) (XOR-BVS (CDR (UNTAG-ARRAY (CONS (CONS C V) D))))))). This further simplifies, rewriting with CAR-NLISTP, CDR-CONS, and CAR-CONS, and unfolding BIT-VECTORP, LISTP, EQUAL, and BIT-VECTORS-PITON, to: T. Case 6.1. (IMPLIES (AND (BIT-VECTORS-PITON (CONS (CONS C (CONS X X1)) D) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LESSP (LENGTH (CONS (CONS C (CONS X X1)) D)) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV X (XOR-BVS (CDR (UNTAG-ARRAY (CONS (CONS C (CONS X X1)) D))))) (XOR-BITV (CAR (UNTAG-ARRAY (CONS (CONS C (CONS X X1)) D))) (XOR-BVS (CDR (UNTAG-ARRAY (CONS (CONS C (CONS X X1)) D))))))). However this further simplifies, applying the lemmas CDR-CONS, CAR-CONS, SUB1-ADD1, and EQUAL-EXP-0, and opening up BIT-VECTORS-PITON, LENGTH, NUMBERP, EQUAL, LESSP, UNTAG, and UNTAG-ARRAY, to: T. Case 5. 
(IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (NOT (DEFINEDP STATE (CDR DATA-SEGMENT))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, expanding NLISTP and DEFINEDP, to: T. Case 4. (IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (NOT (BIT-VECTORS-PITON (CDR (ASSOC STATE (CDR DATA-SEGMENT))) WORD-SIZE)) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, unfolding the functions NLISTP, DEFINEDP, and ASSOC, to: T. Case 3. 
(IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (NOT (LISTP (CDR (ASSOC STATE (CDR DATA-SEGMENT))))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, unfolding the definitions of NLISTP, DEFINEDP, ASSOC, BIT-VECTORS-PITON, and LISTP, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (NOT (LESSP (LENGTH (CDR (ASSOC STATE (CDR DATA-SEGMENT)))) (EXP 2 WORD-SIZE))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, unfolding the definitions of NLISTP, DEFINEDP, and ASSOC, to: T. Case 1. 
(IMPLIES (AND (NOT (NLISTP DATA-SEGMENT)) (NOT (EQUAL STATE (CAAR DATA-SEGMENT))) (EQUAL (XOR-BITV (CADADR (ASSOC STATE (CDR DATA-SEGMENT))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE (CDR DATA-SEGMENT))))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE (CDR DATA-SEGMENT))))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE (CDR DATA-SEGMENT)))))))) (DEFINEDP STATE DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC STATE DATA-SEGMENT)) WORD-SIZE) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (LISTP (CDR (ASSOC STATE DATA-SEGMENT))) (LESSP (LENGTH (CDR (ASSOC STATE DATA-SEGMENT))) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE)) (EQUAL (XOR-BITV (CADADR (ASSOC STATE DATA-SEGMENT)) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))) (XOR-BITV (CAR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))) (XOR-BVS (CDR (UNTAG-ARRAY (CDR (ASSOC STATE DATA-SEGMENT)))))))), which simplifies, expanding the definitions of NLISTP, DEFINEDP, and ASSOC, to: T. That finishes the proof of *1. Q.E.D. 
[ 0.0 0.3 0.3 ] XOR-BVS-INPUT-CONDITIONP-MEANS-XOR-BVS-HACK (PROVE-LEMMA CORRECTNESS-OF-XOR-BVS (REWRITE) (IMPLIES (AND (EQUAL P0 (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP 0 WORD-SIZE) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL XOR-BVS)) (EQUAL (DEFINITION 'XOR-BVS PROG-SEGMENT) (XOR-BVS-PROGRAM)) (XOR-BVS-INPUT-CONDITIONP P0)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (ADD1-ADDR PC) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (ARRAY (CAADR S) DATA-SEGMENT)))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) ((DISABLE XOR-BVS-CLOCK) (USE (CORRECTNESS-OF-XOR-BVS-HELPER (STATE (CAADR S)) (NUMVECS (CADR N))) (XOR-BVS-INPUT-CONDITIONP-MEANS-XOR-BVS-HACK (STATE (CAADR S)) (NUMVECS (CADR N)))))) WARNING: Note that CORRECTNESS-OF-XOR-BVS contains the free variable P0 which will be chosen by instantiating the hypothesis: (EQUAL P0 (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)). 
This conjecture can be simplified, using the abbreviations TOP, XOR-BVS-INPUT-CONDITIONP, IMPLIES, AND, ARRAY, UNTAG, ADD1-ADDR, XOR-BVS-PROGRAM, DEFINITION, and TAG, to: (IMPLIES (AND (IMPLIES (AND (EQUAL P0 (P-STATE PC CTRL-STK (APPEND (LIST (LIST 'NAT (CADR N)) (LIST 'ADDR (CONS (CAADR S) 0))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (XOR-BVS-INPUT-CONDITIONP P0)) (EQUAL (P P0 (XOR-BVS-CLOCK (CADR N))) (P-STATE (ADD-ADDR PC 1) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))) (IMPLIES (AND (XOR-BVS-INPUT-CONDITIONP (P-STATE PC CTRL-STK (CONS (LIST 'NAT (CADR N)) (CONS (LIST 'ADDR (CONS (CAADR S) 0)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP 0 WORD-SIZE)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT)))))) (EQUAL P0 (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (LESSP 0 WORD-SIZE) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) 
(TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAAR (P-TEMP-STK P0)) 'NAT) (EQUAL (CAADR (P-TEMP-STK P0)) 'ADDR) (EQUAL (CDADADR (P-TEMP-STK P0)) 0) (LISTP (CADADR (P-TEMP-STK P0))) (EQUAL (CDDAR (P-TEMP-STK P0)) NIL) (EQUAL (CDDADR (P-TEMP-STK P0)) NIL) (DEFINEDP (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0)) (BIT-VECTORS-PITON (CDR (ASSOC (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0))) (P-WORD-SIZE P0)) (EQUAL (CADAR (P-TEMP-STK P0)) (LENGTH (CDR (ASSOC (CAADADR (P-TEMP-STK P0)) (P-DATA-SEGMENT P0))))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE (P-CTRL-STK P0)) 4 (P-MAX-CTRL-STK-SIZE P0)) (AT-LEAST-MOREP (LENGTH (P-TEMP-STK P0)) 2 (P-MAX-TEMP-STK-SIZE P0)) (NOT (EQUAL (CADAR (P-TEMP-STK P0)) 0)) (NUMBERP (CADAR (P-TEMP-STK P0))) (LESSP (CADAR (P-TEMP-STK P0)) (EXP 2 (P-WORD-SIZE P0))) (LISTP (P-CTRL-STK P0))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (ADD-ADDR PC 1) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
This simplifies, applying CDR-CONS, CAR-CONS, P-PC-P-STATE, P-CTRL-STK-P-STATE, P-TEMP-STK-P-STATE, CONS-EQUAL, P-STATE-EQUAL, AT-LEAST-MOREP-NORMALIZE, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-WORD-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, PLUS-ZERO-ARG2, PLUS-ADD1-ARG2, P-PROG-SEGMENT-P-STATE, EQUAL-LENGTH-0, CAR-NLISTP, and CDR-NLISTP, and expanding the functions APPEND, LISTP, EQUAL, UNTAG, ADD1, LENGTH, ARRAY, TOP, XOR-BVS-INPUT-CONDITIONP, AND, TAG, ADD-ADP, ADP-NAME, ADP-OFFSET, NUMBERP, ZEROP, TYPE, ADD-ADDR, IMPLIES, LESSP, UNLABEL, LABELLEDP, PROGRAM-BODY, P-CURRENT-PROGRAM, AREA-NAME, DEFINITION, OFFSET, P-CURRENT-INSTRUCTION, P-CTRL-STK-SIZE, CONS, CDR, CAR, SUB1, XOR-BVS-ARRAY, and GET, to 12 new formulas: Case 12.(IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 
MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, applying P-PC-P-STATE, and expanding the functions CAR, EQUAL, and GET, to: (IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE 
WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Applying the lemmas CAR-CDR-ELIM and SUB1-ELIM, replace N by (CONS Z X) to eliminate (CDR N) and (CAR N), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (ADD1 X) to eliminate (SUB1 V). We employ the type restriction lemma noted when SUB1 was introduced to restrict the new variables. This produces the following four new conjectures: Case 12.4. (IMPLIES (AND (NOT (LISTP N)) (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT 
MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this further simplifies, appealing to the lemmas CDR-NLISTP and CAR-NLISTP, and expanding the functions CAR, CONS, SUB1, EQUAL, and XOR-BVS-ARRAY, to: T. Case 12.3. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'NAT (CAR X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CAR X)) (CAR X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDR X) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CAR X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CAR X) 0)) (LESSP (CAR X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z X) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CAR X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV 
(XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, rewriting with CAR-NLISTP, CAR-CONS, CDR-CONS, and CDR-NLISTP, and opening up the definitions of CONS, CAR, EQUAL, CDR, SUB1, and XOR-BVS-ARRAY, to: T. Case 12.2. (IMPLIES (AND (NOT (NUMBERP V)) (NOT (EQUAL (CONS Z (CONS V W)) (LIST 'NAT V))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 V) V) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL V (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL V 0)) (LESSP V (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS V W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK V)) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
This further simplifies, clearly, to: T. Case 12.1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (CONS Z (CONS (ADD1 X) W)) (LIST 'NAT (ADD1 X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) X (ADD1 X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (ADD1 X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (ADD1 X) 0)) (LESSP (ADD1 X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS (ADD1 X) W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (ADD1 X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, obviously, to: T. 
Case 11.(IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
But this again simplifies, rewriting with P-PC-P-STATE, and unfolding the definitions of CAR and EQUAL, to: (IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Applying the lemmas CAR-CDR-ELIM and SUB1-ELIM, replace N by (CONS Z X) to eliminate (CDR N) and (CAR N), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (ADD1 X) to eliminate (SUB1 V). 
We rely upon the type restriction lemma noted when SUB1 was introduced to restrict the new variables. We thus obtain the following four new formulas: Case 11.4. (IMPLIES (AND (NOT (LISTP N)) (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
However this further simplifies, rewriting with CDR-NLISTP and CAR-NLISTP, and expanding the functions CAR, CONS, SUB1, EQUAL, and XOR-BVS-ARRAY, to: T. Case 11.3. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'NAT (CAR X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CAR X)) (CAR X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDR X) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CAR X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CAR X) 0)) (LESSP (CAR X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z X) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CAR X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
But this further simplifies, applying CAR-NLISTP, CAR-CONS, CDR-CONS, and CDR-NLISTP, and unfolding the definitions of CONS, CAR, EQUAL, CDR, SUB1, and XOR-BVS-ARRAY, to: T. Case 11.2. (IMPLIES (AND (NOT (NUMBERP V)) (NOT (EQUAL (CONS Z (CONS V W)) (LIST 'NAT V))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 V) V) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL V (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL V 0)) (LESSP V (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS V W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK V)) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, obviously, to: T. Case 11.1. 
(IMPLIES (AND (NUMBERP X) (NOT (EQUAL (CONS Z (CONS (ADD1 X) W)) (LIST 'NAT (ADD1 X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) X (ADD1 X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (ADD1 X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (ADD1 X) 0)) (LESSP (ADD1 X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS (ADD1 X) W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (ADD1 X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, clearly, to: T. 
Case 10. (IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))).
But this again simplifies, appealing to the lemma P-PC-P-STATE, and unfolding GET, to: (IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
Appealing to the lemmas CAR-CDR-ELIM and SUB1-ELIM, we now replace N by (CONS Z X) to eliminate (CDR N) and (CAR N), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (ADD1 X) to eliminate (SUB1 V). We rely upon the type restriction lemma noted when SUB1 was introduced to constrain the new variables. We must thus prove four new conjectures: Case 10.4. (IMPLIES (AND (NOT (LISTP N)) (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) 
TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, rewriting with the lemmas CDR-NLISTP and CAR-NLISTP, and opening up the definitions of CAR, CONS, SUB1, EQUAL, and XOR-BVS-ARRAY, to: T. Case 10.3. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'NAT (CAR X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CAR X)) (CAR X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDR X) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CAR X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CAR X) 0)) (LESSP (CAR X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z X) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CAR X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which 
further simplifies, rewriting with CAR-NLISTP, CAR-CONS, CDR-CONS, and CDR-NLISTP, and unfolding CONS, CAR, EQUAL, CDR, SUB1, and XOR-BVS-ARRAY, to: T. Case 10.2. (IMPLIES (AND (NOT (NUMBERP V)) (NOT (EQUAL (CONS Z (CONS V W)) (LIST 'NAT V))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 V) V) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL V (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL V 0)) (LESSP V (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS V W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK V)) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, clearly, to: T. Case 10.1. 
(IMPLIES (AND (NUMBERP X) (NOT (EQUAL (CONS Z (CONS (ADD1 X) W)) (LIST 'NAT (ADD1 X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) X (ADD1 X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (ADD1 X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (ADD1 X) 0)) (LESSP (ADD1 X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS (ADD1 X) W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (ADD1 X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, clearly, to: T. Case 9. 
(IMPLIES (AND (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Appealing to the lemmas CAR-CDR-ELIM and SUB1-ELIM, we now replace N by (CONS Z X) to eliminate (CDR N) and (CAR N), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (ADD1 X) to eliminate (SUB1 V). 
We rely upon the type restriction lemma noted when SUB1 was introduced to constrain the new variables. We must thus prove four new conjectures: Case 9.4. (IMPLIES (AND (NOT (LISTP N)) (NOT (EQUAL N (LIST 'NAT (CADR N)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, rewriting with CDR-NLISTP and CAR-NLISTP, 
and opening up the definitions of CAR, CONS, SUB1, EQUAL, and XOR-BVS-ARRAY, to: T. Case 9.3. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'NAT (CAR X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CAR X)) (CAR X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDR X) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CAR X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CAR X) 0)) (LESSP (CAR X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z X) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CAR X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
However this further simplifies, rewriting with the lemmas CAR-NLISTP, CAR-CONS, CDR-CONS, and CDR-NLISTP, and expanding the definitions of CONS, CAR, EQUAL, CDR, SUB1, and XOR-BVS-ARRAY, to: T. Case 9.2. (IMPLIES (AND (NOT (NUMBERP V)) (NOT (EQUAL (CONS Z (CONS V W)) (LIST 'NAT V))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 V) V) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL V (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL V 0)) (LESSP V (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS V W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK V)) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, trivially, to: 
T. Case 9.1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (CONS Z (CONS (ADD1 X) W)) (LIST 'NAT (ADD1 X)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) X (ADD1 X)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL Z 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL W NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (ADD1 X) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (ADD1 X) 0)) (LESSP (ADD1 X) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS (CONS Z (CONS (ADD1 X) W)) (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (ADD1 X))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, obviously, to: T. Case 8. 
(IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
However this again simplifies, rewriting with P-PC-P-STATE, and opening up CAR, EQUAL, and GET, to: (IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Applying the lemma CAR-CDR-ELIM, replace S by (CONS Z X) to eliminate (CDR S) and (CAR S), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (CONS X D) to eliminate (CAR V) and (CDR V). 
This produces the following three new goals: Case 8.3. (IMPLIES (AND (NOT (LISTP S)) (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this further simplifies, rewriting with CDR-NLISTP and CAR-NLISTP, and unfolding the functions CAR, CONS, and EQUAL, to: T. Case 8.2. 
(IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'ADDR (CONS (CAAR X) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAAR X) DATA-SEGMENT)) (CDR (ASSOC (CAAR X) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL (CDAR X) 0) (LISTP (CAR X)) (EQUAL (CDDR N) NIL) (EQUAL (CDR X) NIL) (DEFINEDP (CAAR X) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAAR X) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAAR X) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z X) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this further simplifies, applying the lemmas CAR-NLISTP, CAR-CONS, and CDR-CONS, and unfolding the functions CAR, CONS, EQUAL, CDR, and LISTP, to: T. Case 8.1. 
(IMPLIES (AND (NOT (EQUAL (CONS Z (CONS (CONS X D) W)) (LIST 'ADDR (CONS X 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC X DATA-SEGMENT)) (CDR (ASSOC X DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL D 0) (EQUAL (CDDR N) NIL) (EQUAL W NIL) (DEFINEDP X DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC X DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC X DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z (CONS (CONS X D) W)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, clearly, to: T. Case 7. 
(IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
But this again simplifies, appealing to the lemma P-PC-P-STATE, and opening up CAR and EQUAL, to: (IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Appealing to the lemma CAR-CDR-ELIM, we now replace S by (CONS Z X) to eliminate (CDR S) and (CAR S), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (CONS X D) to eliminate (CAR V) and (CDR V). 
We must thus prove three new goals: Case 7.3. (IMPLIES (AND (NOT (LISTP S)) (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, rewriting with CDR-NLISTP and CAR-NLISTP, and expanding the definitions of CAR, CONS, and EQUAL, to: T. Case 7.2. 
(IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'ADDR (CONS (CAAR X) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAAR X) DATA-SEGMENT)) (CDR (ASSOC (CAAR X) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL (CDAR X) 0) (LISTP (CAR X)) (EQUAL (CDDR N) NIL) (EQUAL (CDR X) NIL) (DEFINEDP (CAAR X) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAAR X) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAAR X) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z X) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this further simplifies, rewriting with the lemmas CAR-NLISTP, CAR-CONS, and CDR-CONS, and opening up the functions CAR, CONS, EQUAL, CDR, and LISTP, to: T. Case 7.1. 
(IMPLIES (AND (NOT (EQUAL (CONS Z (CONS (CONS X D) W)) (LIST 'ADDR (CONS X 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC X DATA-SEGMENT)) (CDR (ASSOC X DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL D 0) (EQUAL (CDDR N) NIL) (EQUAL W NIL) (DEFINEDP X DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC X DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC X DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z (CONS (CONS X D) W)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, obviously, to: T. Case 6. 
(IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
This again simplifies, rewriting with P-PC-P-STATE, and opening up the definition of GET, to the new goal: (IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
Applying the lemma CAR-CDR-ELIM, replace S by (CONS Z X) to eliminate (CDR S) and (CAR S), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (CONS X D) to eliminate (CAR V) and (CDR V). We thus obtain the following three new formulas: Case 6.3. (IMPLIES (AND (NOT (LISTP S)) (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). 
However this further simplifies, appealing to the lemmas CDR-NLISTP and CAR-NLISTP, and unfolding the definitions of CAR, CONS, and EQUAL, to: T. Case 6.2. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'ADDR (CONS (CAAR X) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAAR X) DATA-SEGMENT)) (CDR (ASSOC (CAAR X) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL (CDAR X) 0) (LISTP (CAR X)) (EQUAL (CDDR N) NIL) (EQUAL (CDR X) NIL) (DEFINEDP (CAAR X) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAAR X) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAAR X) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z X) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, rewriting with CAR-NLISTP, CAR-CONS, and CDR-CONS, and opening up CAR, CONS, 
EQUAL, CDR, and LISTP, to: T. Case 6.1. (IMPLIES (AND (NOT (EQUAL (CONS Z (CONS (CONS X D) W)) (LIST 'ADDR (CONS X 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC X DATA-SEGMENT)) (CDR (ASSOC X DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL D 0) (EQUAL (CDDR N) NIL) (EQUAL W NIL) (DEFINEDP X DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC X DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC X DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC)))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z (CONS (CONS X D) W)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, obviously, to: T. Case 5. 
(IMPLIES (AND (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). Appealing to the lemma CAR-CDR-ELIM, we now replace S by (CONS Z X) to eliminate (CDR S) and (CAR S), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (CONS X D) to eliminate (CAR V) and (CDR V). 
We must thus prove three new conjectures: Case 5.3. (IMPLIES (AND (NOT (LISTP S)) (NOT (EQUAL S (LIST 'ADDR (CONS (CAADR S) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which further simplifies, applying CDR-NLISTP and CAR-NLISTP, and opening up the functions CAR, CONS, and EQUAL, to: T. Case 5.2. 
(IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CONS Z X) (LIST 'ADDR (CONS (CAAR X) 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAAR X) DATA-SEGMENT)) (CDR (ASSOC (CAAR X) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL (CDAR X) 0) (LISTP (CAR X)) (EQUAL (CDDR N) NIL) (EQUAL (CDR X) NIL) (DEFINEDP (CAAR X) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAAR X) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAAR X) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z X) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAAR X) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, applying CAR-NLISTP, CAR-CONS, and CDR-CONS, and expanding the functions CAR, CONS, EQUAL, CDR, and LISTP, to: T. Case 5.1. 
(IMPLIES (AND (NOT (EQUAL (CONS Z (CONS (CONS X D) W)) (LIST 'ADDR (CONS X 0)))) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC X DATA-SEGMENT)) (CDR (ASSOC X DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL Z 'ADDR) (EQUAL D 0) (EQUAL (CDDR N) NIL) (EQUAL W NIL) (DEFINEDP X DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC X DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC X DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK) (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS (CONS Z (CONS (CONS X D) W)) TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC X DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This further simplifies, clearly, to: T. Case 4. 
(IMPLIES (AND (NOT (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL)) (EQUAL (CADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC 
(CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this again simplifies, rewriting with P-PC-P-STATE, to: T. Case 3. (IMPLIES (AND (NOT (NUMBERP (CDADR PC))) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) 'DL) (EQUAL (CADDDADDDR (ASSOC (CAADR PC) PROG-SEGMENT)) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT 
DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this again simplifies, applying P-PC-P-STATE, to: T. Case 2. (IMPLIES (AND (NUMBERP (CDADR PC)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) (LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE 
CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). But this again simplifies, rewriting with P-PC-P-STATE, to: T. Case 1. (IMPLIES (AND (NUMBERP (CDADR PC)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (XOR-BVS-ARRAY (CADADR (ASSOC (CAADR S) DATA-SEGMENT)) (CDR (ASSOC (CAADR S) DATA-SEGMENT)) (SUB1 (CADR N)) (CADR N)) (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) (NOT (EQUAL WORD-SIZE 0)) (NUMBERP WORD-SIZE) (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL XOR-BVS)) (EQUAL (ASSOC 'XOR-BVS PROG-SEGMENT) '(XOR-BVS (VECS-ADDR NUMVECS) NIL (PUSH-LOCAL VECS-ADDR) (FETCH) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (DL LOOP NIL (PUSH-LOCAL NUMVECS)) (TEST-NAT-AND-JUMP ZERO DONE) (PUSH-LOCAL NUMVECS) (SUB1-NAT) (POP-LOCAL NUMVECS) (PUSH-LOCAL VECS-ADDR) (PUSH-CONSTANT (NAT 1)) (ADD-ADDR) (SET-LOCAL VECS-ADDR) (FETCH) (XOR-BITV) (JUMP LOOP) (DL DONE NIL (RET)))) (EQUAL (CAR N) 'NAT) (EQUAL (CAR S) 'ADDR) (EQUAL (CDADR S) 0) 
(LISTP (CADR S)) (EQUAL (CDDR N) NIL) (EQUAL (CDDR S) NIL) (DEFINEDP (CAADR S) DATA-SEGMENT) (BIT-VECTORS-PITON (CDR (ASSOC (CAADR S) DATA-SEGMENT)) WORD-SIZE) (EQUAL (CADR N) (LENGTH (CDR (ASSOC (CAADR S) DATA-SEGMENT)))) (AT-LEAST-MOREP (P-CTRL-STK-SIZE CTRL-STK) 4 MAX-CTRL-STK-SIZE) (AT-LEAST-MOREP (LENGTH TEMP-STK) 4 MAX-TEMP-STK-SIZE) (NOT (EQUAL (CADR N) 0)) (LESSP (CADR N) (EXP 2 WORD-SIZE)) (LISTP CTRL-STK)) (EQUAL (P (P-STATE PC CTRL-STK (CONS N (CONS S TEMP-STK)) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) (XOR-BVS-CLOCK (CADR N))) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (XOR-BVS (UNTAG-ARRAY (CDR (ASSOC (CAADR S) DATA-SEGMENT))))) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). This again simplifies, rewriting with P-PC-P-STATE, to: T. Q.E.D. [ 0.0 16.6 2.7 ] CORRECTNESS-OF-XOR-BVS (DEFN EXAMPLE-XOR-BVS-P-STATE NIL (P-STATE '(PC (MAIN . 0)) '((NIL (PC (MAIN . 0)))) NIL (LIST '(MAIN NIL NIL (PUSH-CONSTANT (ADDR (ARR . 0))) (PUSH-CONSTANT (NAT 3)) (CALL XOR-BVS) (RET)) (XOR-BVS-PROGRAM)) '((ARR (BITV (0 1 0 1 1 0 0 1)) (BITV (0 0 0 0 0 0 0 1)) (BITV (0 1 1 0 1 0 0 1)))) 10 8 8 'RUN)) Observe that (P-STATEP (EXAMPLE-XOR-BVS-P-STATE)) is a theorem. [ 0.0 0.0 0.0 ] EXAMPLE-XOR-BVS-P-STATE (DEFN ONE-BIT-VECTOR (WORDSIZE) (IF (LESSP WORDSIZE 2) (LIST 1) (CONS 0 (ONE-BIT-VECTOR (SUB1 WORDSIZE))))) Linear arithmetic and the lemmas COUNT-NUMBERP and COUNT-NOT-LESSP establish that the measure (COUNT WORDSIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, ONE-BIT-VECTOR is accepted under the definitional principle. Note that: (LISTP (ONE-BIT-VECTOR WORDSIZE)) is a theorem. 
[ 0.0 0.0 0.0 ] ONE-BIT-VECTOR (DEFN PUSH-1-VECTOR-PROGRAM (WORDSIZE) (LIST 'PUSH-1-VECTOR NIL NIL (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORDSIZE))) (LIST 'RET))) Observe that (LISTP (PUSH-1-VECTOR-PROGRAM WORDSIZE)) is a theorem. [ 0.0 0.0 0.0 ] PUSH-1-VECTOR-PROGRAM (DEFN EXAMPLE-PUSH-1-VECTOR-STATE NIL (P-STATE '(PC (MAIN . 0)) '((NIL (PC (MAIN . 0)))) NIL (LIST '(MAIN NIL NIL (CALL PUSH-1-VECTOR) (RET)) (PUSH-1-VECTOR-PROGRAM 8)) NIL 10 8 8 'RUN)) Note that (P-STATEP (EXAMPLE-PUSH-1-VECTOR-STATE)) is a theorem. [ 0.0 0.0 0.0 ] EXAMPLE-PUSH-1-VECTOR-STATE (DEFN PUSH-1-VECTOR-INPUT-CONDITIONP (P0) (AND (NOT (LESSP (P-MAX-CTRL-STK-SIZE P0) (PLUS 2 (P-CTRL-STK-SIZE (P-CTRL-STK P0))))) (NOT (LESSP (P-MAX-TEMP-STK-SIZE P0) (PLUS 1 (LENGTH (P-TEMP-STK P0))))) (LISTP (P-CTRL-STK P0)))) Note that: (OR (FALSEP (PUSH-1-VECTOR-INPUT-CONDITIONP P0)) (TRUEP (PUSH-1-VECTOR-INPUT-CONDITIONP P0))) is a theorem. [ 0.0 0.0 0.0 ] PUSH-1-VECTOR-INPUT-CONDITIONP (ENABLE LENGTH-APPEND) [ 0.0 0.0 0.0 ] LENGTH-APPEND-ON3 (PROVE-LEMMA EQUAL-ASSOC-CONS (REWRITE) (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (AND (EQUAL (CAR (ASSOC K A)) X) (EQUAL (CDR (ASSOC K A)) Y)))) WARNING: Note that EQUAL-ASSOC-CONS contains the free variables Y and X which will be chosen by instantiating the hypothesis (EQUAL (ASSOC K A) (CONS X Y)). WARNING: Note that EQUAL-ASSOC-CONS contains the free variables Y and X which will be chosen by instantiating the hypothesis (EQUAL (ASSOC K A) (CONS X Y)). WARNING: Note that the proposed lemma EQUAL-ASSOC-CONS is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This formula simplifies, opening up the function AND, to the following two new conjectures: Case 2. (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (EQUAL (CAR (ASSOC K A)) X)). We use the above equality hypothesis by substituting (CONS X Y) for (ASSOC K A) and keeping the equality hypothesis. 
This produces: (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (EQUAL (CAR (CONS X Y)) X)), which further simplifies, obviously, to: (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (EQUAL (CAR (ASSOC K A)) X)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (AND (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (EQUAL (CAR (ASSOC K A)) X)) (IMPLIES (EQUAL (ASSOC K A) (CONS X Y)) (EQUAL (CDR (ASSOC K A)) Y))), named *1. Let us appeal to the induction principle. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NLISTP A) (p K A Y X)) (IMPLIES (AND (NOT (NLISTP A)) (EQUAL K (CAAR A))) (p K A Y X)) (IMPLIES (AND (NOT (NLISTP A)) (NOT (EQUAL K (CAAR A))) (p K (CDR A) Y X)) (p K A Y X))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of NLISTP inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to eight new formulas: Case 8. (IMPLIES (AND (NLISTP A) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CAR (ASSOC K A)) X)), which simplifies, opening up the functions NLISTP and ASSOC, to: T. Case 7. (IMPLIES (AND (NOT (NLISTP A)) (EQUAL K (CAAR A)) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CAR (ASSOC K A)) X)), which simplifies, unfolding the functions NLISTP and ASSOC, to: (IMPLIES (AND (LISTP A) (EQUAL (CAR A) (CONS X Y))) (EQUAL (CAAR A) X)). Appealing to the lemma CAR-CDR-ELIM, we now replace A by (CONS Z V) to eliminate (CAR A) and (CDR A) and Z by (CONS W D) to eliminate (CAR Z) and (CDR Z). We must thus prove two new goals: Case 7.2. 
(IMPLIES (AND (NOT (LISTP Z)) (EQUAL Z (CONS X Y))) (EQUAL (CAR Z) X)), which further simplifies, clearly, to: T. Case 7.1. (IMPLIES (EQUAL (CONS W D) (CONS X Y)) (EQUAL W X)). However this further simplifies, applying CAR-CONS, to: T. Case 6. (IMPLIES (AND (NOT (NLISTP A)) (NOT (EQUAL K (CAAR A))) (NOT (EQUAL (ASSOC K (CDR A)) (CONS X Y))) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CAR (ASSOC K A)) X)). This simplifies, applying CAR-CONS, and expanding the definitions of NLISTP and ASSOC, to: T. Case 5. (IMPLIES (AND (NOT (NLISTP A)) (NOT (EQUAL K (CAAR A))) (EQUAL (CAR (ASSOC K (CDR A))) X) (EQUAL (CDR (ASSOC K (CDR A))) Y) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CAR (ASSOC K A)) X)), which simplifies, applying the lemma CONS-CAR-CDR, and opening up NLISTP, ASSOC, CAR, and EQUAL, to: T. Case 4. (IMPLIES (AND (NLISTP A) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CDR (ASSOC K A)) Y)), which simplifies, expanding NLISTP and ASSOC, to: T. Case 3. (IMPLIES (AND (NOT (NLISTP A)) (EQUAL K (CAAR A)) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CDR (ASSOC K A)) Y)), which simplifies, opening up the functions NLISTP and ASSOC, to: (IMPLIES (AND (LISTP A) (EQUAL (CAR A) (CONS X Y))) (EQUAL (CDAR A) Y)). Appealing to the lemma CAR-CDR-ELIM, we now replace A by (CONS Z V) to eliminate (CAR A) and (CDR A) and Z by (CONS D W) to eliminate (CDR Z) and (CAR Z). The result is two new goals: Case 3.2. (IMPLIES (AND (NOT (LISTP Z)) (EQUAL Z (CONS X Y))) (EQUAL (CDR Z) Y)), which further simplifies, trivially, to: T. Case 3.1. (IMPLIES (EQUAL (CONS D W) (CONS X Y)) (EQUAL W Y)). However this further simplifies, applying the lemmas CAR-CONS and CONS-EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (NLISTP A)) (NOT (EQUAL K (CAAR A))) (NOT (EQUAL (ASSOC K (CDR A)) (CONS X Y))) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CDR (ASSOC K A)) Y)), which simplifies, applying CDR-CONS, and expanding the definitions of NLISTP and ASSOC, to: T. Case 1. 
(IMPLIES (AND (NOT (NLISTP A)) (NOT (EQUAL K (CAAR A))) (EQUAL (CAR (ASSOC K (CDR A))) X) (EQUAL (CDR (ASSOC K (CDR A))) Y) (EQUAL (ASSOC K A) (CONS X Y))) (EQUAL (CDR (ASSOC K A)) Y)). This simplifies, appealing to the lemma CONS-CAR-CDR, and expanding NLISTP, ASSOC, CDR, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.3 ] EQUAL-ASSOC-CONS (PROVE-LEMMA CORRECTNESS-OF-PUSH-1-VECTOR (REWRITE) (IMPLIES (AND (EQUAL P0 (P-STATE PC CTRL-STK TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL PUSH-1-VECTOR)) (EQUAL (DEFINITION 'PUSH-1-VECTOR PROG-SEGMENT) (PUSH-1-VECTOR-PROGRAM WORD-SIZE)) (PUSH-1-VECTOR-INPUT-CONDITIONP P0)) (EQUAL (P P0 3) (P-STATE (ADD1-ADDR PC) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)))) WARNING: Note that CORRECTNESS-OF-PUSH-1-VECTOR contains the free variables WORD-SIZE, MAX-TEMP-STK-SIZE, MAX-CTRL-STK-SIZE, DATA-SEGMENT, PROG-SEGMENT, TEMP-STK, CTRL-STK, and PC which will be chosen by instantiating the hypothesis: (EQUAL P0 (P-STATE PC CTRL-STK TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)). 
This formula can be simplified, using the abbreviations PLUS-ADD1-ARG1, PUSH-1-VECTOR-INPUT-CONDITIONP, AND, IMPLIES, ADD1-ADDR, PUSH-1-VECTOR-PROGRAM, and DEFINITION, to: (IMPLIES (AND (EQUAL P0 (P-STATE PC CTRL-STK TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN)) (EQUAL (P-CURRENT-INSTRUCTION P0) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (LESSP (P-MAX-CTRL-STK-SIZE P0) (ADD1 (ADD1 (PLUS 0 (P-CTRL-STK-SIZE (P-CTRL-STK P0))))))) (NOT (LESSP (P-MAX-TEMP-STK-SIZE P0) (ADD1 (PLUS 0 (LENGTH (P-TEMP-STK P0)))))) (LISTP (P-CTRL-STK P0))) (EQUAL (P P0 3) (P-STATE (ADD-ADDR PC 1) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which simplifies, applying the lemmas P-PROG-SEGMENT-P-STATE, P-PC-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-CTRL-STK-P-STATE, SUB1-ADD1, EQUAL-SUB1-0, P-MAX-TEMP-STK-SIZE-P-STATE, P-TEMP-STK-P-STATE, P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, PLUS-ADD1-ARG1, PLUS-ZERO-ARG2, PLUS-ADD1-ARG2, CDR-CONS, EQUAL-ASSOC-CONS, CAR-CONS, P-PSW-P-STATE, and P-OPENER, and expanding the definitions of UNLABEL, LABELLEDP, PROGRAM-BODY, P-CURRENT-PROGRAM, ADP-NAME, AREA-NAME, DEFINITION, OFFSET, UNTAG, ADP-OFFSET, P-CURRENT-INSTRUCTION, EQUAL, PLUS, LESSP, P-INS-STEP, POPN, P-CALL-STEP, P-INS-OKP, CAR, P-CTRL-STK-SIZE, TOP, BINDINGS, P-FRAME-SIZE, PUSH, MAKE-P-CALL-FRAME, PAIRLIST, REV, FIRST-N, LENGTH, PAIR-FORMAL-VARS-WITH-ACTUALS, PAIR-TEMPS-WITH-INITIAL-VALUES, APPEND, P-FRAME, ADD1-ADDR, TAG, ADD-ADP, NUMBERP, ZEROP, TYPE, ADD-ADDR, TEMP-VAR-DCLS, FORMAL-VARS, CDR, P-CALL-OKP, CONS, P-STEP, P-HALT, X-Y-ERROR-MSG, UNABBREVIATE-CONSTANT, ADD1-P-PC, P-PUSH-CONSTANT-STEP, P-PUSH-CONSTANT-OKP, and GET, to eight new conjectures: Case 8. 
(IMPLIES (AND (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC))) (NOT (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE))) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 0)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-PUSH-CONSTANT-INSTRUCTION) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 7. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC))) (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE)) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
1)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, rewriting with the lemmas P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, P-TEMP-STK-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, P-PC-P-STATE, P-PROG-SEGMENT-P-STATE, CDR-CONS, EQUAL-ASSOC-CONS, P-PSW-P-STATE, and P-OPENER, and unfolding the definitions of CAR, EQUAL, GET, P-INS-STEP, RET-PC, TOP, POP, P-RET-STEP, P-INS-OKP, P-RET-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, SUB1, NUMBERP, UNLABEL, and P-STEP, to: T. Case 6. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NUMBERP (CDADR PC)) (NOT (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE))) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
0)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-PUSH-CONSTANT-INSTRUCTION) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (NOT (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL)) (EQUAL (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NUMBERP (CDADR PC)) (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE)) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
1)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, applying P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, P-TEMP-STK-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, P-PC-P-STATE, P-PROG-SEGMENT-P-STATE, CDR-CONS, EQUAL-ASSOC-CONS, P-PSW-P-STATE, and P-OPENER, and opening up the functions CAR, EQUAL, P-INS-STEP, RET-PC, TOP, POP, P-RET-STEP, P-INS-OKP, P-RET-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, GET, SUB1, NUMBERP, UNLABEL, and P-STEP, to: T. Case 4. (IMPLIES (AND (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC))) (NOT (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE))) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
0)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-PUSH-CONSTANT-INSTRUCTION) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))). However this again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NOT (NUMBERP (CDADR PC))) (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE)) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
1)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) 1))) CTRL-STK) (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) 1)) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, rewriting with the lemmas P-STEP1-OPENER, P-WORD-SIZE-P-STATE, P-MAX-TEMP-STK-SIZE-P-STATE, P-MAX-CTRL-STK-SIZE-P-STATE, P-DATA-SEGMENT-P-STATE, P-TEMP-STK-P-STATE, CAR-CONS, P-CTRL-STK-P-STATE, P-PC-P-STATE, P-PROG-SEGMENT-P-STATE, CDR-CONS, EQUAL-ASSOC-CONS, P-PSW-P-STATE, and P-OPENER, and opening up the definitions of GET, P-INS-STEP, RET-PC, TOP, POP, P-RET-STEP, P-INS-OKP, CAR, P-RET-OKP, CONS, P-CURRENT-INSTRUCTION, OFFSET, DEFINITION, AREA-NAME, P-CURRENT-PROGRAM, PROGRAM-BODY, SUB1, NUMBERP, UNLABEL, EQUAL, and P-STEP, to: T. Case 2. (IMPLIES (AND (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NUMBERP (CDADR PC)) (NOT (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE))) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 
0)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) TEMP-STK PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'ILLEGAL-PUSH-CONSTANT-INSTRUCTION) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (EQUAL (CAR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) 'DL) (EQUAL (CADDDR (GET (CDADR PC) (CDDDR (ASSOC (CAADR PC) PROG-SEGMENT)))) '(CALL PUSH-1-VECTOR)) (EQUAL (ASSOC 'PUSH-1-VECTOR PROG-SEGMENT) (CONS 'PUSH-1-VECTOR (CONS NIL (CONS NIL (CONS (LIST 'PUSH-CONSTANT (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE))) '((RET))))))) (NOT (EQUAL MAX-CTRL-STK-SIZE 0)) (NUMBERP MAX-CTRL-STK-SIZE) (NOT (EQUAL MAX-CTRL-STK-SIZE 1)) (NOT (LESSP (SUB1 (SUB1 MAX-CTRL-STK-SIZE)) (P-CTRL-STK-SIZE CTRL-STK))) (NOT (EQUAL MAX-TEMP-STK-SIZE 0)) (NUMBERP MAX-TEMP-STK-SIZE) (NOT (LESSP (SUB1 MAX-TEMP-STK-SIZE) (LENGTH TEMP-STK))) (LISTP CTRL-STK) (NUMBERP (CDADR PC)) (LESSP (LENGTH TEMP-STK) MAX-TEMP-STK-SIZE)) (EQUAL (P (P-STATE '(PC (PUSH-1-VECTOR . 1)) (CONS (LIST NIL (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC))))) CTRL-STK) (CONS (LIST 'BITV (ONE-BIT-VECTOR WORD-SIZE)) TEMP-STK) PROG-SEGMENT DATA-SEGMENT MAX-CTRL-STK-SIZE MAX-TEMP-STK-SIZE WORD-SIZE 'RUN) 1) (P-STATE (LIST (CAR PC) (CONS (CAADR PC) (ADD1 (CDADR PC)))) CTRL-STK (CONS (LIST 'BITV