(NOTE-LIB "naturals" T) Loading ./numbers/naturals.lib Finished loading ./numbers/naturals.lib Loading ./numbers/naturals.o Finished loading ./numbers/naturals.o (#./numbers/naturals.lib #./numbers/naturals) (DEFN PUT (PLACE VALUE STATE) (IF (ZEROP PLACE) (CONS VALUE (CDR STATE)) (CONS (CAR STATE) (PUT (SUB1 PLACE) VALUE (CDR STATE))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each recursive call. Hence, PUT is accepted under the definitional principle. Observe that: (LISTP (PUT PLACE VALUE STATE)) is a theorem. [ 0.0 0.0 0.0 ] PUT (DEFN GET (PLACE STATE) (IF (ZEROP PLACE) (CAR STATE) (GET (SUB1 PLACE) (CDR STATE)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each recursive call. Hence, GET is accepted under the principle of definition. [ 0.0 0.0 0.0 ] GET (PROVE-LEMMA GET-PUT (REWRITE) (EQUAL (GET A1 (PUT A2 VALUE STATE)) (IF (EQUAL (FIX A1) (FIX A2)) VALUE (GET A1 STATE)))) This simplifies, opening up the function FIX, to seven new goals: Case 7. (IMPLIES (AND (NUMBERP A2) (NUMBERP A1) (NOT (EQUAL A1 A2))) (EQUAL (GET A1 (PUT A2 VALUE STATE)) (GET A1 STATE))), which we will name *1. Case 6. (IMPLIES (AND (NUMBERP A2) (NOT (NUMBERP A1)) (NOT (EQUAL 0 A2))) (EQUAL (GET A1 (PUT A2 VALUE STATE)) (GET A1 STATE))). However this again simplifies, opening up the definition of GET, to the conjecture: (IMPLIES (AND (NUMBERP A2) (NOT (NUMBERP A1)) (NOT (EQUAL 0 A2))) (EQUAL (CAR (PUT A2 VALUE STATE)) (CAR STATE))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE). We must thus prove two new formulas: Case 6.2. (IMPLIES (AND (NOT (LISTP STATE)) (NUMBERP A2) (NOT (NUMBERP A1)) (NOT (EQUAL 0 A2))) (EQUAL (CAR (PUT A2 VALUE STATE)) (CAR STATE))), which further simplifies, applying CAR-NLISTP, to: (IMPLIES (AND (NOT (LISTP STATE)) (NUMBERP A2) (NOT (NUMBERP A1)) (NOT (EQUAL 0 A2))) (EQUAL (CAR (PUT A2 VALUE STATE)) 0)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (EQUAL (GET A1 (PUT A2 VALUE STATE)) (IF (EQUAL (FIX A1) (FIX A2)) VALUE (GET A1 STATE))). We named this *1. We will try to prove it by induction. The recursive terms in the conjecture suggest three inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP A1) (p A1 A2 VALUE STATE)) (IMPLIES (AND (NOT (ZEROP A1)) (p (SUB1 A1) (SUB1 A2) VALUE (CDR STATE))) (p A1 A2 VALUE STATE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT A1) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for A2 and STATE. The above induction scheme leads to two new conjectures: Case 2. (IMPLIES (ZEROP A1) (EQUAL (GET A1 (PUT A2 VALUE STATE)) (IF (EQUAL (FIX A1) (FIX A2)) VALUE (GET A1 STATE)))), which simplifies, opening up ZEROP, PUT, EQUAL, GET, and FIX, to ten new conjectures: Case 2.10. (IMPLIES (AND (EQUAL A1 0) (NUMBERP A2) (NOT (EQUAL 0 A2)) (NOT (EQUAL A2 0))) (EQUAL (CAR (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) (CAR STATE))), which again simplifies, applying CAR-CONS, to: T. Case 2.9. (IMPLIES (AND (EQUAL A1 0) (NUMBERP A2) (NOT (EQUAL 0 A2)) (EQUAL A2 0)) (EQUAL (CAR (CONS VALUE (CDR STATE))) (CAR STATE))). This again simplifies, trivially, to: T. Case 2.8. (IMPLIES (AND (EQUAL A1 0) (NUMBERP A2) (EQUAL 0 A2) (NOT (EQUAL A2 0))) (EQUAL (CAR (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) VALUE)). This again simplifies, clearly, to: T. Case 2.7. (IMPLIES (AND (EQUAL A1 0) (EQUAL 0 A2) (EQUAL A2 0)) (EQUAL (CAR (CONS VALUE (CDR STATE))) VALUE)). This again simplifies, applying CAR-CONS, and expanding the function EQUAL, to: T. Case 2.6. (IMPLIES (AND (EQUAL A1 0) (NOT (NUMBERP A2))) (EQUAL (CAR (CONS VALUE (CDR STATE))) VALUE)). However this again simplifies, rewriting with CAR-CONS, to: T. Case 2.5. (IMPLIES (AND (NOT (NUMBERP A1)) (NUMBERP A2) (NOT (EQUAL 0 A2)) (NOT (EQUAL A2 0))) (EQUAL (CAR (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) (CAR STATE))). This again simplifies, appealing to the lemma CAR-CONS, to: T. Case 2.4. (IMPLIES (AND (NOT (NUMBERP A1)) (NUMBERP A2) (NOT (EQUAL 0 A2)) (EQUAL A2 0)) (EQUAL (CAR (CONS VALUE (CDR STATE))) (CAR STATE))), which again simplifies, trivially, to: T. Case 2.3. (IMPLIES (AND (NOT (NUMBERP A1)) (NUMBERP A2) (EQUAL 0 A2) (NOT (EQUAL A2 0))) (EQUAL (CAR (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) VALUE)). This again simplifies, trivially, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP A1)) (EQUAL 0 A2) (EQUAL A2 0)) (EQUAL (CAR (CONS VALUE (CDR STATE))) VALUE)). But this again simplifies, applying CAR-CONS, and unfolding EQUAL, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP A1)) (NOT (NUMBERP A2))) (EQUAL (CAR (CONS VALUE (CDR STATE))) VALUE)). This again simplifies, applying the lemma CAR-CONS, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP A1)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (IF (EQUAL (FIX (SUB1 A1)) (FIX (SUB1 A2))) VALUE (GET (SUB1 A1) (CDR STATE))))) (EQUAL (GET A1 (PUT A2 VALUE STATE)) (IF (EQUAL (FIX A1) (FIX A2)) VALUE (GET A1 STATE)))), which simplifies, opening up the definitions of ZEROP, FIX, PUT, and GET, to ten new formulas: Case 1.10. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (NOT (EQUAL (SUB1 A1) (SUB1 A2))) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE))) (NUMBERP A2) (NOT (EQUAL A1 A2)) (NOT (EQUAL A2 0))) (EQUAL (GET A1 (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) (GET (SUB1 A1) (CDR STATE)))), which again simplifies, applying CDR-CONS, and opening up the definition of GET, to: T. Case 1.9. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (NOT (EQUAL (SUB1 A1) (SUB1 A2))) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE))) (NOT (EQUAL A1 A2)) (EQUAL A2 0)) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE)))). But this again simplifies, rewriting with EQUAL-SUB1-0 and CDR-CONS, and expanding the functions SUB1, EQUAL, PUT, and GET, to: T. Case 1.8. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (NOT (EQUAL (SUB1 A1) (SUB1 A2))) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE))) (NOT (NUMBERP A2))) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE)))). But this again simplifies, applying SUB1-NNUMBERP, EQUAL-SUB1-0, and CDR-CONS, and unfolding the definition of GET, to: T. Case 1.7. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (NOT (EQUAL (SUB1 A1) (SUB1 A2))) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE))) (NUMBERP A2) (EQUAL A1 A2) (NOT (EQUAL A2 0))) (EQUAL (GET A1 (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) VALUE)). This again simplifies, clearly, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (NOT (EQUAL (SUB1 A1) (SUB1 A2))) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE))) (NUMBERP A2) (EQUAL A1 A2) (EQUAL A2 0)) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) VALUE)). This again simplifies, obviously, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL (SUB1 A1) (SUB1 A2)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NUMBERP A2) (NOT (EQUAL A1 A2)) (NOT (EQUAL A2 0))) (EQUAL (GET A1 (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) (GET (SUB1 A1) (CDR STATE)))). This again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL (SUB1 A1) (SUB1 A2)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NOT (EQUAL A1 A2)) (EQUAL A2 0)) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE)))), which again simplifies, applying EQUAL-SUB1-0, CAR-CONS, and CDR-CONS, and opening up the definitions of SUB1, EQUAL, PUT, GET, and NUMBERP, to: (IMPLIES (AND (NUMBERP A1) (EQUAL A1 1)) (EQUAL (CADR STATE) (GET (SUB1 A1) (CDR STATE)))), which again simplifies, expanding the definitions of NUMBERP, SUB1, EQUAL, and GET, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL (SUB1 A1) (SUB1 A2)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NOT (NUMBERP A2))) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) (GET (SUB1 A1) (CDR STATE)))), which again simplifies, applying the lemmas SUB1-NNUMBERP, EQUAL-SUB1-0, and CDR-CONS, and opening up SUB1, NUMBERP, EQUAL, and GET, to: (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL A1 1) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NOT (NUMBERP A2))) (EQUAL (CADR STATE) (GET (SUB1 A1) (CDR STATE)))). This again simplifies, opening up the definitions of EQUAL, NUMBERP, SUB1, and GET, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL (SUB1 A1) (SUB1 A2)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NUMBERP A2) (EQUAL A1 A2) (NOT (EQUAL A2 0))) (EQUAL (GET A1 (CONS (CAR STATE) (PUT (SUB1 A2) VALUE (CDR STATE)))) VALUE)), which again simplifies, rewriting with CDR-CONS, and expanding the function GET, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL A1 0)) (NUMBERP A1) (EQUAL (SUB1 A1) (SUB1 A2)) (EQUAL (GET (SUB1 A1) (PUT (SUB1 A2) VALUE (CDR STATE))) VALUE) (NUMBERP A2) (EQUAL A1 A2) (EQUAL A2 0)) (EQUAL (GET A1 (CONS VALUE (CDR STATE))) VALUE)). This again simplifies, trivially, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GET-PUT (DEFN LENGTH (LIST) (IF (LISTP LIST) (ADD1 (LENGTH (CDR LIST))) 0)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT LIST) decreases according to the well-founded relation LESSP in each recursive call. Hence, LENGTH is accepted under the principle of definition. From the definition we can conclude that (NUMBERP (LENGTH LIST)) is a theorem. [ 0.0 0.0 0.0 ] LENGTH (DCL BV-SIZE NIL) [ 0.0 0.0 0.0 ] BV-SIZE (DEFN BITP (BIT) (OR (EQUAL BIT 0) (EQUAL BIT 1))) Observe that (OR (FALSEP (BITP BIT)) (TRUEP (BITP BIT))) is a theorem. [ 0.0 0.0 0.0 ] BITP (DEFN BVP (BV) (IF (LISTP BV) (AND (BITP (CAR BV)) (BVP (CDR BV))) (EQUAL BV NIL))) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each recursive call. Hence, BVP is accepted under the principle of definition. Note that (OR (FALSEP (BVP BV)) (TRUEP (BVP BV))) is a theorem. [ 0.0 0.0 0.0 ] BVP (DEFN BVSP (BVS) (IF (LISTP BVS) (AND (BVP (CAR BVS)) (BVSP (CDR BVS))) (EQUAL BVS NIL))) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT BVS) decreases according to the well-founded relation LESSP in each recursive call. Hence, BVSP is accepted under the principle of definition. Note that (OR (FALSEP (BVSP BVS)) (TRUEP (BVSP BVS))) is a theorem. [ 0.0 0.0 0.0 ] BVSP (DEFN GOOD-STATE-OF-SIZE (STATE SIZE) (IF (LISTP STATE) (AND (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (FIX SIZE)) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (EQUAL STATE NIL))) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. Hence, GOOD-STATE-OF-SIZE is accepted under the principle of definition. Observe that: (OR (FALSEP (GOOD-STATE-OF-SIZE STATE SIZE)) (TRUEP (GOOD-STATE-OF-SIZE STATE SIZE))) is a theorem. [ 0.0 0.0 0.0 ] GOOD-STATE-OF-SIZE (DEFN GOOD-STATE (STATE) (GOOD-STATE-OF-SIZE STATE (BV-SIZE))) From the definition we can conclude that: (OR (FALSEP (GOOD-STATE STATE)) (TRUEP (GOOD-STATE STATE))) is a theorem. [ 0.0 0.0 0.0 ] GOOD-STATE (DEFN LESSP-BV (BV1 BV2) (IF (AND (LISTP BV1) (LISTP BV2)) (OR (LESSP (CAR BV1) (CAR BV2)) (AND (EQUAL (CAR BV1) (CAR BV2)) (LESSP-BV (CDR BV1) (CDR BV2)))) F)) Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT BV1) decreases according to the well-founded relation LESSP in each recursive call. Hence, LESSP-BV is accepted under the definitional principle. The definition of LESSP-BV can be justified in another way. Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT BV2) decreases according to the well-founded relation LESSP in each recursive call. From the definition we can conclude that: (OR (FALSEP (LESSP-BV BV1 BV2)) (TRUEP (LESSP-BV BV1 BV2))) is a theorem. [ 0.0 0.0 0.0 ] LESSP-BV (DEFN NAT-TO-BV (NAT SIZE) (IF (ZEROP SIZE) NIL (IF (LESSP NAT (EXP 2 (SUB1 SIZE))) (CONS 0 (NAT-TO-BV NAT (SUB1 SIZE))) (CONS 1 (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, NAT-TO-BV is accepted under the definitional principle. Observe that: (OR (LITATOM (NAT-TO-BV NAT SIZE)) (LISTP (NAT-TO-BV NAT SIZE))) is a theorem. [ 0.0 0.0 0.0 ] NAT-TO-BV (DEFN BV-TO-NAT (BV) (IF (LISTP BV) (PLUS (TIMES (CAR BV) (EXP 2 (LENGTH (CDR BV)))) (BV-TO-NAT (CDR BV))) 0)) Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each recursive call. Hence, BV-TO-NAT is accepted under the principle of definition. Note that (NUMBERP (BV-TO-NAT BV)) is a theorem. [ 0.0 0.0 0.0 ] BV-TO-NAT (PROVE-LEMMA LENGTH-NAT-TO-BV (REWRITE) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) (FIX SIZE))) This simplifies, unfolding FIX, to two new formulas: Case 2. (IMPLIES (NOT (NUMBERP SIZE)) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) 0)), which again simplifies, unfolding NAT-TO-BV, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (NUMBERP SIZE) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) SIZE)), which we will name *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (p NAT (SUB1 SIZE))) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (p NAT SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for NAT. The above induction scheme generates the following three new goals: Case 3. (IMPLIES (AND (ZEROP SIZE) (NUMBERP SIZE)) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) SIZE)). This simplifies, opening up the definitions of ZEROP, NUMBERP, EQUAL, NAT-TO-BV, and LENGTH, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (EQUAL (LENGTH (NAT-TO-BV NAT (SUB1 SIZE))) (SUB1 SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) SIZE)). This simplifies, applying ADD1-SUB1 and CDR-CONS, and expanding ZEROP, NAT-TO-BV, and LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (EQUAL (LENGTH (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (NAT-TO-BV NAT SIZE)) SIZE)), which simplifies, appealing to the lemmas ADD1-SUB1 and CDR-CONS, and opening up the definitions of ZEROP, NAT-TO-BV, and LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-NAT-TO-BV (PROVE-LEMMA BV-TO-NAT-NAT-TO-BV (REWRITE) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (IF (LESSP NAT (EXP 2 SIZE)) (FIX NAT) (SUB1 (EXP 2 SIZE))))) This simplifies, unfolding the definition of FIX, to the following three new formulas: Case 3. (IMPLIES (NOT (LESSP NAT (EXP 2 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (SUB1 (EXP 2 SIZE)))). Name the above subgoal *1. Case 2. (IMPLIES (AND (LESSP NAT (EXP 2 SIZE)) (NUMBERP NAT)) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) NAT)), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (IF (LESSP NAT (EXP 2 SIZE)) (FIX NAT) (SUB1 (EXP 2 SIZE)))). We gave this the name *1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest four inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (p NAT (SUB1 SIZE))) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (p NAT SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for NAT. The above induction scheme leads to the following three new conjectures: Case 3. (IMPLIES (ZEROP SIZE) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (IF (LESSP NAT (EXP 2 SIZE)) (FIX NAT) (SUB1 (EXP 2 SIZE))))). This simplifies, appealing to the lemma EXP-ZERO, and unfolding ZEROP, EQUAL, NAT-TO-BV, BV-TO-NAT, EXP, FIX, and SUB1, to the following two new goals: Case 3.2. (IMPLIES (AND (EQUAL SIZE 0) (LESSP NAT 1) (NUMBERP NAT)) (EQUAL 0 NAT)). This again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (NOT (NUMBERP SIZE)) (LESSP NAT 1) (NUMBERP NAT)) (EQUAL 0 NAT)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT (SUB1 SIZE))) (IF (LESSP NAT (EXP 2 (SUB1 SIZE))) (FIX NAT) (SUB1 (EXP 2 (SUB1 SIZE)))))) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (IF (LESSP NAT (EXP 2 SIZE)) (FIX NAT) (SUB1 (EXP 2 SIZE))))), which simplifies, rewriting with EQUAL-EXP-0, LENGTH-NAT-TO-BV, CDR-CONS, CAR-CONS, COMMUTATIVITY-OF-PLUS, TIMES-1-ARG1, SUB1-ADD1, and EQUAL-SUB1-0, and opening up ZEROP, FIX, NAT-TO-BV, NUMBERP, EQUAL, LESSP, PLUS, TIMES, BV-TO-NAT, EXP, and SUB1, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP NAT (EXP 2 (SUB1 SIZE))) (NUMBERP NAT) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT (SUB1 SIZE))) NAT) (NOT (EQUAL NAT 0)) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))) (EQUAL NAT (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (SUB1 NAT) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP NAT (EXP 2 (SUB1 SIZE))) (NUMBERP NAT) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT (SUB1 SIZE))) NAT) (NOT (EQUAL NAT 0)) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))) (EQUAL NAT (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))). But this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (IF (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (FIX (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (EQUAL (BV-TO-NAT (NAT-TO-BV NAT SIZE)) (IF (LESSP NAT (EXP 2 SIZE)) (FIX NAT) (SUB1 (EXP 2 SIZE))))), which simplifies, rewriting with EQUAL-EXP-0, TIMES-1-ARG1, LENGTH-NAT-TO-BV, CDR-CONS, CAR-CONS, COMMUTATIVITY-OF-PLUS, SUB1-ADD1, EQUAL-SUB1-0, PLUS-DIFFERENCE-ARG2, PLUS-ZERO-ARG2, and CORRECTNESS-OF-CANCEL-DIFFERENCE-PLUS, and expanding the functions ZEROP, FIX, NAT-TO-BV, PLUS, EQUAL, NUMBERP, BV-TO-NAT, EXP, SUB1, TIMES, and LESSP, to the following ten new formulas: Case 1.10. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NUMBERP NAT) (EQUAL NAT 1)) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) NAT)). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (SUB1 SIZE)) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP 1 (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE 1 (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE 1 (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NUMBERP 1)) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) 1)). This again simplifies, rewriting with EQUAL-EXP-0, and expanding the definitions of EQUAL and NUMBERP, to: T. Case 1.9. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (EQUAL NAT 0) (NUMBERP NAT)) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) NAT)). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (SUB1 SIZE)) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP 0 (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE 0 (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE 0 (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NUMBERP 0)) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) 0)). This again simplifies, rewriting with EQUAL-EXP-0, and expanding the definitions of EQUAL and NUMBERP, to: T. Case 1.8. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP NAT))) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) 0)). However this again simplifies, rewriting with the lemma EQUAL-EXP-0, and unfolding NUMBERP, EQUAL, and LESSP, to: T. Case 1.7. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NUMBERP NAT) (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) NAT)), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (SUB1 SIZE)) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))) (NUMBERP NAT) (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (EQUAL (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) NAT)). But this again simplifies, applying the lemma EQUAL-EXP-0, and unfolding the definitions of EQUAL and NUMBERP, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (EQUAL NAT 0) (NUMBERP NAT) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) NAT)), which again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NUMBERP NAT) (EQUAL NAT 1) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) NAT)), which again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NUMBERP NAT) (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) NAT)), which again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP NAT)) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) 0)), which again simplifies, applying EQUAL-EXP-0, and unfolding the functions NUMBERP, EQUAL, and LESSP, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL NAT 0)) (NUMBERP NAT) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (SUB1 NAT) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL NAT 0)) (NUMBERP NAT) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))). But this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (SUB1 SIZE)) 0) (EQUAL (SUB1 NAT) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL NAT 0)) (NUMBERP NAT) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 0) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (NOT (LESSP (EXP 2 (SUB1 SIZE)) NAT))) (EQUAL (EXP 2 (SUB1 SIZE)) (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))). But this again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL NAT 0)) (NUMBERP NAT) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (LESSP (EXP 2 (SUB1 SIZE)) NAT)) (EQUAL NAT (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))), which again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (EQUAL (SUB1 NAT) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (EQUAL (BV-TO-NAT (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (DIFFERENCE NAT (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL NAT 0)) (NUMBERP NAT) (NOT (EQUAL NAT 1)) (NOT (LESSP (SUB1 (SUB1 NAT)) (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE)))))) (LESSP (EXP 2 (SUB1 SIZE)) NAT)) (EQUAL NAT (ADD1 (PLUS (SUB1 (EXP 2 (SUB1 SIZE))) (SUB1 (EXP 2 (SUB1 SIZE))))))). However this again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.1 ] BV-TO-NAT-NAT-TO-BV (PROVE-LEMMA LESSP-BV-LENGTH (REWRITE) (IMPLIES (BVP X) (LESSP (BV-TO-NAT X) (EXP 2 (LENGTH X))))) WARNING: Note that the proposed lemma LESSP-BV-LENGTH is to be stored as zero type prescription rules, zero compound recognizer rules, one linear rule, and zero replacement rules. Give the conjecture the name *1. We will appeal to induction. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (BVP X)) (LESSP (BV-TO-NAT X) (EXP 2 (LENGTH X)))). This simplifies, opening up BVP and BITP, to: T. Case 2. (IMPLIES (AND (LISTP X) (LESSP (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (BVP X)) (LESSP (BV-TO-NAT X) (EXP 2 (LENGTH X)))). This simplifies, applying the lemmas TIMES-1-ARG1, COMMUTATIVITY-OF-PLUS, EXP-ADD1, and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and unfolding the definitions of BVP, BITP, BV-TO-NAT, LENGTH, SUB1, NUMBERP, EQUAL, TIMES, FIX, and PLUS, to the new goal: (IMPLIES (AND (LISTP X) (LESSP (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X))) (LESSP (BV-TO-NAT (CDR X)) (PLUS (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X)))))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (BVP X)) (LESSP (BV-TO-NAT X) (EXP 2 (LENGTH X)))), which simplifies, opening up the functions BVP, BV-TO-NAT, LENGTH, EXP, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] LESSP-BV-LENGTH (PROVE-LEMMA LESSP-BV-TO-NAT-BV-TO-NAT (REWRITE) (IMPLIES (AND (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y)))) Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest eight inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X) (CDR Y))) (p X Y)) (IMPLIES (NOT (LISTP X)) (p X Y))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for Y. The above induction scheme generates the following five new conjectures: Case 5. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y))). This simplifies, rewriting with TIMES-1-ARG1 and COMMUTATIVITY-OF-PLUS, and expanding LENGTH, BVP, BITP, BV-TO-NAT, EQUAL, LESSP, LISTP, LESSP-BV, TIMES, and PLUS, to four new formulas: Case 5.4. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (EQUAL (CAR Y) 1) (BVP (CDR Y))) (EQUAL (LESSP (PLUS (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (PLUS (BV-TO-NAT (CDR Y)) (EXP 2 (LENGTH (CDR Y))))) (LESSP-BV (CDR X) (CDR Y)))), which again simplifies, using linear arithmetic, to: T. Case 5.3. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (BV-TO-NAT (CDR Y))))), which again simplifies, using linear arithmetic, to: T. Case 5.2. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (EQUAL (CAR Y) 1) (BVP (CDR Y))) (LESSP (BV-TO-NAT (CDR X)) (PLUS (BV-TO-NAT (CDR Y)) (EXP 2 (LENGTH (CDR Y)))))), which again simplifies, using linear arithmetic, to: T. Case 5.1. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y)))), which again simplifies, using linear arithmetic, to: T. Case 4. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y))), which simplifies, expanding the functions LENGTH, BVP, and BITP, to: T. Case 3. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR Y))) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y))), which simplifies, applying TIMES-1-ARG1 and COMMUTATIVITY-OF-PLUS, and opening up the definitions of LENGTH, BVP, BITP, BV-TO-NAT, EQUAL, LESSP, LISTP, LESSP-BV, TIMES, and PLUS, to: T. Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y))). This simplifies, rewriting with TIMES-1-ARG1 and COMMUTATIVITY-OF-PLUS, and expanding LENGTH, BVP, BITP, BV-TO-NAT, EQUAL, LESSP, LISTP, LESSP-BV, TIMES, and PLUS, to three new goals: Case 2.3. (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (EQUAL (CAR Y) 1) (BVP (CDR Y))) (EQUAL (LESSP (PLUS (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (PLUS (BV-TO-NAT (CDR Y)) (EXP 2 (LENGTH (CDR Y))))) (LESSP-BV (CDR X) (CDR Y)))), which again simplifies, applying ADD1-EQUAL and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and expanding the definition of FIX, to: T. Case 2.2. (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (BV-TO-NAT (CDR Y))))). However this again simplifies, rewriting with ADD1-EQUAL, to: (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (LISTP Y) (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y))) (EQUAL (CAR X) 1) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR X)) (EXP 2 (LENGTH (CDR X)))) (BV-TO-NAT (CDR Y))))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS V Z) to eliminate (CDR X) and (CAR X). This produces the new conjecture: (IMPLIES (AND (EQUAL (LESSP (BV-TO-NAT Z) (BV-TO-NAT (CDR Y))) (LESSP-BV Z (CDR Y))) (LISTP Y) (EQUAL (LENGTH Z) (LENGTH (CDR Y))) (EQUAL V 1) (BVP Z) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP (PLUS (BV-TO-NAT Z) (EXP 2 (LENGTH Z))) (BV-TO-NAT (CDR Y))))), which further simplifies, clearly, to the new conjecture: (IMPLIES (AND (EQUAL (LESSP (BV-TO-NAT Z) (BV-TO-NAT (CDR Y))) (LESSP-BV Z (CDR Y))) (LISTP Y) (EQUAL (LENGTH Z) (LENGTH (CDR Y))) (BVP Z) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP (PLUS (BV-TO-NAT Z) (EXP 2 (LENGTH Z))) (BV-TO-NAT (CDR Y))))). Applying the lemma CAR-CDR-ELIM, replace Y by (CONS W V) to eliminate (CDR Y) and (CAR Y). We thus obtain: (IMPLIES (AND (EQUAL (LESSP (BV-TO-NAT Z) (BV-TO-NAT V)) (LESSP-BV Z V)) (EQUAL (LENGTH Z) (LENGTH V)) (BVP Z) (EQUAL W 0) (BVP V)) (NOT (LESSP (PLUS (BV-TO-NAT Z) (EXP 2 (LENGTH Z))) (BV-TO-NAT V)))), which further simplifies, trivially, to the new goal: (IMPLIES (AND (EQUAL (LESSP (BV-TO-NAT Z) (BV-TO-NAT V)) (LESSP-BV Z V)) (EQUAL (LENGTH Z) (LENGTH V)) (BVP Z) (BVP V)) (NOT (LESSP (PLUS (BV-TO-NAT Z) (EXP 2 (LENGTH V))) (BV-TO-NAT V)))), which finally simplifies, using linear arithmetic and rewriting with the lemma LESSP-BV-LENGTH, to: T. Case 2.1. (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (EQUAL (CAR Y) 1) (BVP (CDR Y))) (LESSP (BV-TO-NAT (CDR X)) (PLUS (BV-TO-NAT (CDR Y)) (EXP 2 (LENGTH (CDR Y)))))), which again simplifies, rewriting with ADD1-EQUAL, to the new formula: (IMPLIES (AND (LISTP X) (EQUAL (LESSP (BV-TO-NAT (CDR X)) (BV-TO-NAT (CDR Y))) (LESSP-BV (CDR X) (CDR Y))) (LISTP Y) (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y))) (EQUAL (CAR X) 0) (BVP (CDR X)) (EQUAL (CAR Y) 1) (BVP (CDR Y))) (LESSP (BV-TO-NAT (CDR X)) (PLUS (BV-TO-NAT (CDR Y)) (EXP 2 (LENGTH (CDR X)))))), which again simplifies, using linear arithmetic and appealing to the lemma LESSP-BV-LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP (BV-TO-NAT X) (BV-TO-NAT Y)) (LESSP-BV X Y))), which simplifies, applying the lemmas TIMES-1-ARG1, COMMUTATIVITY-OF-PLUS, EQUAL-PLUS-0, and EQUAL-EXP-0, and unfolding the functions LENGTH, BVP, BITP, BV-TO-NAT, LESSP, LESSP-BV, EQUAL, TIMES, PLUS, LISTP, and NUMBERP, to two new conjectures: Case 1.2. (IMPLIES (AND (NOT (LISTP X)) (EQUAL 0 (ADD1 (LENGTH (CDR Y)))) (EQUAL X NIL) (LISTP Y) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (EQUAL (BV-TO-NAT (CDR Y)) 0)), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (LISTP X)) (EQUAL 0 (ADD1 (LENGTH (CDR Y)))) (EQUAL X NIL) (LISTP Y) (EQUAL (CAR Y) 1)) (NOT (BVP (CDR Y)))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.3 0.0 ] LESSP-BV-TO-NAT-BV-TO-NAT (PROVE-LEMMA LESSP-BV-NAT-TO-BV-NAT-TO-BV (REWRITE) (IMPLIES (AND (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y)))) Give the conjecture the name *1. We will appeal to induction. There are eight plausible inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p X SIZE Y)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP X (EXP 2 (SUB1 SIZE))) (p X (SUB1 SIZE) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (p X (SUB1 SIZE) Y)) (p X SIZE Y)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE) Y)) (p X SIZE Y))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for Y and X. The above induction scheme generates the following ten new formulas: Case 10.(IMPLIES (AND (ZEROP SIZE) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))). This simplifies, rewriting with EXP-ZERO, and unfolding the definitions of ZEROP, EXP, EQUAL, NAT-TO-BV, and LESSP-BV, to two new goals: Case 10.2. (IMPLIES (AND (EQUAL SIZE 0) (LESSP X 1) (LESSP Y 1)) (NOT (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 10.1. (IMPLIES (AND (NOT (NUMBERP SIZE)) (LESSP X 1) (LESSP Y 1)) (NOT (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 9. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, applying TIMES-1-ARG1 and CAR-CONS, and opening up ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to the new conjecture: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (LESSP X Y)), which again simplifies, using linear arithmetic, to: T. Case 8. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, rewriting with TIMES-1-ARG1 and CAR-CONS, and expanding the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (LESSP X Y)), which again simplifies, using linear arithmetic, to: T. Case 7. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, appealing to the lemmas TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and expanding the definitions of ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to ten new goals: Case 7.10. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))), which again simplifies, trivially, to: T. Case 7.9. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0) (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))). However this again simplifies, using linear arithmetic, to: T. Case 7.8. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (NOT (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, rewriting with the lemmas DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and unfolding the definitions of NUMBERP, EQUAL, and LESSP, to: T. Case 7.7. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0) (NOT (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, trivially, to: T. Case 7.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (NOT (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))). This again simplifies, using linear arithmetic, to: T. Case 7.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0) (NOT (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, trivially, to: T. Case 7.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0)) (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))). However this again simplifies, using linear arithmetic, to: T. Case 7.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0)) (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and opening up NUMBERP, EQUAL, and LESSP, to: T. Case 7.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). This again simplifies, trivially, to: T. Case 7.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0) (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). However this again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and opening up NUMBERP, EQUAL, and LESSP, to: T. Case 6. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))). This simplifies, rewriting with the lemmas TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and opening up the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to the following ten new goals: Case 6.10. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))). This again simplifies, trivially, to: T. Case 6.9. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0) (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))). But this again simplifies, rewriting with the lemma CAR-CONS, and unfolding EQUAL, to: T. Case 6.8. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (NOT (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, rewriting with the lemmas DIFFERENCE-LEQ-ARG1 and CAR-CONS, and expanding the definitions of EQUAL, LESSP, and NUMBERP, to: T. Case 6.7. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0) (NOT (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, clearly, to: T. Case 6.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (NOT (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))). But this again simplifies, applying CAR-CONS, and expanding the definition of NUMBERP, to: T. Case 6.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0) (NOT (EQUAL 0 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))). This again simplifies, trivially, to: T. Case 6.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) 0)) (NUMBERP (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))). But this again simplifies, applying the lemma CAR-CONS, and expanding EQUAL and NUMBERP, to the conjecture: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE))))) (LESSP X Y)). But this again simplifies, using linear arithmetic, to: T. Case 6.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0)) (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1 and CAR-CONS, and expanding the functions EQUAL and LESSP, to: T. Case 6.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (NUMBERP (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). This again simplifies, clearly, to: T. Case 6.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP X (EXP 2 (SUB1 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP X Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (EQUAL (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))) 0) (EQUAL 0 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV X (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). This again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1, CAR-CONS, and CDR-CONS, and expanding the functions EQUAL and LESSP, to: T. Case 5. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))). This simplifies, applying TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and unfolding the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP X Y))). But this again simplifies, using linear arithmetic, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, appealing to the lemmas TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and unfolding ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, LESSP, and LESSP-BV, to the goal: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (LESSP X Y))). Appealing to the lemma DIFFERENCE-ELIM, we now replace Y by: (PLUS (EXP 2 (SUB1 SIZE)) Z) to eliminate (DIFFERENCE Y (EXP 2 (SUB1 SIZE))). We employ the type restriction lemma noted when DIFFERENCE was introduced to constrain the new variable. We must thus prove two new conjectures: Case 4.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (LESSP X Y))), which further simplifies, using linear arithmetic, applying the lemmas DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and opening up the definitions of EQUAL, LESSP, and NUMBERP, to: T. Case 4.1. (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (NOT (LESSP (PLUS (EXP 2 (SUB1 SIZE)) Z) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) Z) (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) Z)))), which further simplifies, rewriting with COMMUTATIVITY-OF-PLUS and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and unfolding the definition of FIX, to the new goal: (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS Z (EXP 2 (SUB1 SIZE)))))). Applying the lemma DIFFERENCE-ELIM, replace X by: (PLUS (EXP 2 (SUB1 SIZE)) V) to eliminate (DIFFERENCE X (EXP 2 (SUB1 SIZE))). We employ the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. We thus obtain the following two new goals: Case 4.1.2. (IMPLIES (AND (NOT (NUMBERP X)) (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS Z (EXP 2 (SUB1 SIZE)))))). This further simplifies, applying EQUAL-EXP-0, and expanding NUMBERP, EQUAL, and LESSP, to: T. Case 4.1.1. (IMPLIES (AND (NUMBERP V) (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV V (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP V Z)) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP V Z) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (PLUS Z (EXP 2 (SUB1 SIZE)))))). This further simplifies, rewriting with COMMUTATIVITY-OF-PLUS and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and unfolding FIX, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))). This simplifies, applying TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and opening up the definitions of ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and LESSP-BV, to six new goals: Case 3.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 3.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 3.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, applying TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and unfolding the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and LESSP-BV, to the following six new goals: Case 2.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). However this again simplifies, using linear arithmetic, rewriting with the lemmas DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and expanding the functions NUMBERP, EQUAL, and LESSP, to: T. Case 2.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, appealing to the lemmas DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and opening up NUMBERP, EQUAL, and LESSP, to: T. Case 2.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 2.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1 and EQUAL-EXP-0, and expanding NUMBERP, EQUAL, and LESSP, to: T. Case 2.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))). But this again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (EXP 2 SIZE)) (LESSP Y (EXP 2 SIZE))) (EQUAL (LESSP-BV (NAT-TO-BV X SIZE) (NAT-TO-BV Y SIZE)) (LESSP X Y))), which simplifies, rewriting with TIMES-1-ARG1, CDR-CONS, and CAR-CONS, and unfolding the definitions of ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and LESSP-BV, to the following six new conjectures: Case 1.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))) (LESSP X Y))). This again simplifies, using linear arithmetic, rewriting with DIFFERENCE-LEQ-ARG1 and CAR-CONS, and opening up the functions EQUAL and LESSP, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (NOT (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))). However this again simplifies, using linear arithmetic, rewriting with DIFFERENCE-LEQ-ARG1 and CAR-CONS, and opening up EQUAL and LESSP, to the new conjecture: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (NOT (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP X Y))), which again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (NOT (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))))) (EQUAL F (LESSP X Y))), which again simplifies, rewriting with CAR-CONS, and opening up the definitions of LESSP and EQUAL, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (EXP 2 (SUB1 SIZE))) (LESSP 1 (CAR (CONS 0 (NAT-TO-BV Y (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))). This again simplifies, using linear arithmetic, applying the lemmas DIFFERENCE-LEQ-ARG1 and CAR-CONS, and unfolding EQUAL and LESSP, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL T (LESSP X Y))), which again simplifies, rewriting with CAR-CONS, and expanding the function LESSP, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE)))) (NOT (LESSP 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL 1 (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (CDR (CONS 1 (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))))) (LESSP X Y))). But this again simplifies, rewriting with the lemmas CAR-CONS and CDR-CONS, and opening up the functions LESSP and EQUAL, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (LESSP X Y))). Appealing to the lemma DIFFERENCE-ELIM, we now replace Y by: (PLUS (EXP 2 (SUB1 SIZE)) Z) to eliminate (DIFFERENCE Y (EXP 2 (SUB1 SIZE))). We employ the type restriction lemma noted when DIFFERENCE was introduced to constrain the new variable. This generates two new formulas: Case 1.1.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Y (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Y)) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Y (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP Y (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (DIFFERENCE Y (EXP 2 (SUB1 SIZE)))) (LESSP X Y))), which further simplifies, using linear arithmetic, rewriting with DIFFERENCE-LEQ-ARG1, EQUAL-PLUS-0, and EQUAL-EXP-0, and unfolding EQUAL, LESSP, and NUMBERP, to: T. Case 1.1.1. (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (PLUS (EXP 2 (SUB1 SIZE)) Z) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (PLUS (EXP 2 (SUB1 SIZE)) Z))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) Z) (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (NOT (LESSP (PLUS (EXP 2 (SUB1 SIZE)) Z) (EXP 2 (SUB1 SIZE))))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) Z)))). This further simplifies, applying COMMUTATIVITY-OF-PLUS and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and opening up the function FIX, to: (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (PLUS Z (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (PLUS Z (EXP 2 (SUB1 SIZE))))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS Z (EXP 2 (SUB1 SIZE)))))). Applying the lemma DIFFERENCE-ELIM, replace X by: (PLUS (EXP 2 (SUB1 SIZE)) V) to eliminate (DIFFERENCE X (EXP 2 (SUB1 SIZE))). We use the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. This produces the following two new conjectures: Case 1.1.1.2. (IMPLIES (AND (NOT (NUMBERP X)) (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP X (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z)) (EQUAL (LESSP-BV (NAT-TO-BV (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (NAT-TO-BV (PLUS Z (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) (PLUS Z (EXP 2 (SUB1 SIZE))))) (LESSP X (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP (DIFFERENCE X (EXP 2 (SUB1 SIZE))) Z) (LESSP X (PLUS Z (EXP 2 (SUB1 SIZE)))))). However this finally simplifies, rewriting with EQUAL-EXP-0, and opening up the definitions of NUMBERP, EQUAL, and LESSP, to: T. Case 1.1.1.1. (IMPLIES (AND (NUMBERP V) (NUMBERP Z) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP-BV (NAT-TO-BV V (SUB1 SIZE)) (NAT-TO-BV Z (SUB1 SIZE))) (LESSP V Z)) (EQUAL (LESSP-BV (NAT-TO-BV V (SUB1 SIZE)) (NAT-TO-BV (PLUS Z (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (LESSP V (PLUS Z (EXP 2 (SUB1 SIZE))))) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))) (LESSP Z (EXP 2 (SUB1 SIZE)))) (EQUAL (LESSP V Z) (LESSP (PLUS (EXP 2 (SUB1 SIZE)) V) (PLUS Z (EXP 2 (SUB1 SIZE)))))). But this finally simplifies, applying COMMUTATIVITY-OF-PLUS and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and unfolding the definition of FIX, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.9 0.1 ] LESSP-BV-NAT-TO-BV-NAT-TO-BV (DEFN NUMBER-WITH-AT-LEAST (STATE MIN SIZE) (IF (LISTP STATE) (IF (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV MIN SIZE))) (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) MIN SIZE)) (NUMBER-WITH-AT-LEAST (CDR STATE) MIN SIZE)) 0)) Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. Hence, NUMBER-WITH-AT-LEAST is accepted under the principle of definition. Note that (NUMBERP (NUMBER-WITH-AT-LEAST STATE MIN SIZE)) is a theorem. [ 0.0 0.0 0.0 ] NUMBER-WITH-AT-LEAST (DEFN COL-WITH-AT-LEAST (STATE MIN SIZE) (IF (LISTP STATE) (IF (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV MIN SIZE))) 0 (ADD1 (COL-WITH-AT-LEAST (CDR STATE) MIN SIZE))) F)) Linear arithmetic and the lemma CDR-LESSP can be used to show that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. Hence, COL-WITH-AT-LEAST is accepted under the definitional principle. Note that: (OR (FALSEP (COL-WITH-AT-LEAST STATE MIN SIZE)) (NUMBERP (COL-WITH-AT-LEAST STATE MIN SIZE))) is a theorem. [ 0.0 0.0 0.0 ] COL-WITH-AT-LEAST (DEFN XOR (BIT1 BIT2) (IF (EQUAL (ZEROP BIT1) (ZEROP BIT2)) 0 1)) Observe that (NUMBERP (XOR BIT1 BIT2)) is a theorem. [ 0.0 0.0 0.0 ] XOR (DEFN XOR-BV (BV1 BV2) (IF (AND (LISTP BV1) (LISTP BV2)) (CONS (XOR (CAR BV1) (CAR BV2)) (XOR-BV (CDR BV1) (CDR BV2))) NIL)) Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT BV1) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BV is accepted under the definitional principle. The definition of XOR-BV can be justified in another way. Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT BV2) decreases according to the well-founded relation LESSP in each recursive call. Observe that (OR (LITATOM (XOR-BV BV1 BV2)) (LISTP (XOR-BV BV1 BV2))) is a theorem. [ 0.0 0.0 0.0 ] XOR-BV (DEFN FIX-BIT (X) (IF (ZEROP X) 0 1)) Observe that (NUMBERP (FIX-BIT X)) is a theorem. [ 0.0 0.0 0.0 ] FIX-BIT (DEFN FIX-XOR-BV (BV) (IF (LISTP BV) (CONS (FIX-BIT (CAR BV)) (FIX-XOR-BV (CDR BV))) NIL)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each recursive call. Hence, FIX-XOR-BV is accepted under the definitional principle. Observe that: (OR (LITATOM (FIX-XOR-BV BV)) (LISTP (FIX-XOR-BV BV))) is a theorem. [ 0.0 0.0 0.0 ] FIX-XOR-BV (DEFN XOR-BVS (BVS) (IF (LISTP BVS) (IF (LISTP (CDR BVS)) (XOR-BV (CAR BVS) (XOR-BVS (CDR BVS))) (FIX-XOR-BV (CAR BVS))) NIL) ((LESSP (LENGTH BVS)))) Linear arithmetic, the lemma SUB1-ADD1, and the definitions of LESSP and LENGTH can be used to show that the measure (LENGTH BVS) decreases according to the well-founded relation LESSP in each recursive call. Hence, XOR-BVS is accepted under the definitional principle. Note that: (OR (LITATOM (XOR-BVS BVS)) (LISTP (XOR-BVS BVS))) is a theorem. [ 0.0 0.0 0.0 ] XOR-BVS (PROVE-LEMMA BVP-FIX-XOR-BV (REWRITE) (BVP (FIX-XOR-BV X))) Call the conjecture *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new goals: Case 2. (IMPLIES (AND (LISTP X) (BVP (FIX-XOR-BV (CDR X)))) (BVP (FIX-XOR-BV X))), which simplifies, applying CDR-CONS and CAR-CONS, and expanding the functions FIX-XOR-BV, FIX-BIT, BITP, and BVP, to: T. Case 1. (IMPLIES (NOT (LISTP X)) (BVP (FIX-XOR-BV X))). This simplifies, expanding FIX-XOR-BV and BVP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-FIX-XOR-BV (PROVE-LEMMA BVP-FIX-XOR-BV-IDENTITY (REWRITE) (IMPLIES (BVP X) (EQUAL (FIX-XOR-BV X) X))) Call the conjecture *1. We will try to prove it by induction. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (BVP X)) (EQUAL (FIX-XOR-BV X) X)). This simplifies, expanding the definitions of BVP and BITP, to: T. Case 2. (IMPLIES (AND (LISTP X) (EQUAL (FIX-XOR-BV (CDR X)) (CDR X)) (BVP X)) (EQUAL (FIX-XOR-BV X) X)). This simplifies, appealing to the lemmas CAR-CONS and CDR-CONS, and opening up BVP, BITP, FIX-XOR-BV, FIX-BIT, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (BVP X)) (EQUAL (FIX-XOR-BV X) X)). This simplifies, unfolding BVP, FIX-XOR-BV, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-FIX-XOR-BV-IDENTITY (PROVE-LEMMA COMMUTATIVITY-OF-XOR (REWRITE) (EQUAL (XOR A B) (XOR B A))) WARNING: Note that the rewrite rule COMMUTATIVITY-OF-XOR will be stored so as to apply only to terms with the nonrecursive function symbol XOR. This formula simplifies, unfolding the definition of XOR, to: T. Q.E.D. [ 0.0 0.0 0.0 ] COMMUTATIVITY-OF-XOR (PROVE-LEMMA ASSOCIATIVITY-OF-XOR (REWRITE) (EQUAL (XOR (XOR A B) C) (XOR A (XOR B C)))) WARNING: Note that the rewrite rule ASSOCIATIVITY-OF-XOR will be stored so as to apply only to terms with the nonrecursive function symbol XOR. WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR, could be applied whenever the newly proposed ASSOCIATIVITY-OF-XOR could! This simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding XOR, to 27 new formulas: Case 27.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, applying the lemma COMMUTATIVITY-OF-XOR, and opening up the definitions of EQUAL and XOR, to: T. Case 26.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding EQUAL and XOR, to: T. Case 25.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))). But this again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and unfolding the functions EQUAL and XOR, to: T. Case 24.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding the functions XOR and EQUAL, to: T. Case 23.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, trivially, to: T. Case 22.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))). This again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding the definitions of XOR and EQUAL, to: T. Case 21.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, clearly, to: T. Case 20.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))). However this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the definitions of EQUAL and XOR, to: T. Case 19.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))). However this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the functions EQUAL and XOR, to: T. Case 18.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and opening up the definitions of NUMBERP, EQUAL, and XOR, to: T. Case 17.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). However this again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and opening up the definitions of XOR and EQUAL, to: T. Case 16.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding XOR and EQUAL, to: T. Case 15.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). This again simplifies, applying the lemma COMMUTATIVITY-OF-XOR, and opening up the functions NUMBERP, EQUAL, and XOR, to: T. Case 14.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and expanding NUMBERP, EQUAL, and XOR, to: T. Case 13.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and opening up the definitions of NUMBERP, EQUAL, and XOR, to: T. Case 12.(IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 1))). This again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding the functions EQUAL and XOR, to: T. Case 11.(IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the definitions of EQUAL, XOR, and NUMBERP, to: T. Case 10.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding EQUAL and XOR, to: T. Case 9. (IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 1))). This again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up the definitions of EQUAL, XOR, and NUMBERP, to: T. Case 8. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding XOR, NUMBERP, and EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding EQUAL, XOR, and NUMBERP, to: T. Case 6. (IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 1))), which again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and unfolding the functions NUMBERP, EQUAL, and XOR, to: T. Case 5. (IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 1))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up NUMBERP, EQUAL, and XOR, to: T. Case 4. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 1))). This again simplifies, obviously, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and unfolding XOR, NUMBERP, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 1))). However this again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up NUMBERP, EQUAL, and XOR, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 1))). But this again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding NUMBERP, EQUAL, and XOR, to: T. Q.E.D. [ 0.0 0.0 0.0 ] ASSOCIATIVITY-OF-XOR (PROVE-LEMMA COMMUTATIVITY2-OF-XOR (REWRITE) (EQUAL (XOR C (XOR A B)) (XOR A (XOR C B)))) WARNING: Note that the rewrite rule COMMUTATIVITY2-OF-XOR will be stored so as to apply only to terms with the nonrecursive function symbol XOR. WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR, could be applied whenever the newly proposed COMMUTATIVITY2-OF-XOR could! This simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding XOR, to 27 new formulas: Case 27.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, applying the lemma COMMUTATIVITY-OF-XOR, and opening up the definitions of EQUAL and XOR, to: T. Case 26.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding EQUAL and XOR, to: T. Case 25.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))). But this again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and unfolding the functions EQUAL and XOR, to: T. Case 24.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding the functions XOR and EQUAL, to: T. Case 23.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, trivially, to: T. Case 22.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))). This again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding the definitions of XOR and EQUAL, to: T. Case 21.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))), which again simplifies, clearly, to: T. Case 20.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 0))). However this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the definitions of EQUAL and XOR, to: T. Case 19.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 0))). However this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the functions EQUAL and XOR, to: T. Case 18.(IMPLIES (AND (EQUAL B 0) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and opening up the definitions of NUMBERP, EQUAL, and XOR, to: T. Case 17.(IMPLIES (AND (EQUAL B 0) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). However this again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and opening up the definitions of XOR and EQUAL, to: T. Case 16.(IMPLIES (AND (NOT (NUMBERP B)) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding XOR and EQUAL, to: T. Case 15.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 0))). This again simplifies, applying the lemma COMMUTATIVITY-OF-XOR, and opening up the functions NUMBERP, EQUAL, and XOR, to: T. Case 14.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, appealing to the lemma COMMUTATIVITY-OF-XOR, and expanding NUMBERP, EQUAL, and XOR, to: T. Case 13.(IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 0))), which again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and opening up the definitions of NUMBERP, EQUAL, and XOR, to: T. Case 12.(IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 1))). This again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding the functions EQUAL and XOR, to: T. Case 11.(IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding the definitions of EQUAL, XOR, and NUMBERP, to: T. Case 10.(IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (EQUAL A 0)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and expanding EQUAL and XOR, to: T. Case 9. (IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (NUMBERP A))) (EQUAL (XOR C 0) (XOR A 1))). This again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up the definitions of EQUAL, XOR, and NUMBERP, to: T. Case 8. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, applying COMMUTATIVITY-OF-XOR, and unfolding XOR, NUMBERP, and EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 0) (XOR A 1))). But this again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding EQUAL, XOR, and NUMBERP, to: T. Case 6. (IMPLIES (AND (EQUAL B 0) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 1))), which again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and unfolding the functions NUMBERP, EQUAL, and XOR, to: T. Case 5. (IMPLIES (AND (NOT (NUMBERP B)) (NOT (EQUAL C 0)) (NUMBERP C) (NOT (EQUAL A 0)) (NUMBERP A)) (EQUAL (XOR C 1) (XOR A 1))), which again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up NUMBERP, EQUAL, and XOR, to: T. Case 4. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 1))). This again simplifies, obviously, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (EQUAL C 0) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 1))). But this again simplifies, rewriting with COMMUTATIVITY-OF-XOR, and unfolding XOR, NUMBERP, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (EQUAL A 0)) (EQUAL (XOR C 1) (XOR A 1))). However this again simplifies, applying COMMUTATIVITY-OF-XOR, and opening up NUMBERP, EQUAL, and XOR, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL B 0)) (NUMBERP B) (NOT (NUMBERP C)) (NOT (NUMBERP A))) (EQUAL (XOR C 1) (XOR A 1))). But this again simplifies, rewriting with the lemma COMMUTATIVITY-OF-XOR, and expanding NUMBERP, EQUAL, and XOR, to: T. Q.E.D. [ 0.0 0.1 0.0 ] COMMUTATIVITY2-OF-XOR (PROVE-LEMMA COMMUTATIVITY-OF-XOR-BV (REWRITE) (EQUAL (XOR-BV A B) (XOR-BV B A))) Give the conjecture the name *1. We will appeal to induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP A) (LISTP B)) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (AND (LISTP A) (LISTP B))) (p A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (AND (LISTP A) (LISTP B)) (EQUAL (XOR-BV (CDR A) (CDR B)) (XOR-BV (CDR B) (CDR A)))) (EQUAL (XOR-BV A B) (XOR-BV B A))). This simplifies, applying COMMUTATIVITY-OF-XOR, and opening up the functions AND, XOR-BV, and XOR, to: T. Case 1. (IMPLIES (NOT (AND (LISTP A) (LISTP B))) (EQUAL (XOR-BV A B) (XOR-BV B A))), which simplifies, unfolding the functions AND, XOR-BV, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] COMMUTATIVITY-OF-XOR-BV (PROVE-LEMMA ASSOCIATIVITY-OF-XOR-BV (REWRITE) (EQUAL (XOR-BV (XOR-BV A B) C) (XOR-BV A (XOR-BV B C)))) WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed ASSOCIATIVITY-OF-XOR-BV could! This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, to: (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C))). Give the above formula the name *1. Perhaps we can prove it by induction. Six inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP C) (LISTP (XOR-BV A B))) (p (CDR C) (CDR A) (CDR B))) (p C A B)) (IMPLIES (NOT (AND (LISTP C) (LISTP (XOR-BV A B)))) (p C A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT C) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for A and B. The above induction scheme produces the following two new goals: Case 2. (IMPLIES (AND (AND (LISTP C) (LISTP (XOR-BV A B))) (EQUAL (XOR-BV (CDR C) (XOR-BV (CDR A) (CDR B))) (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C))))) (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C)))). This simplifies, applying CDR-CONS, CAR-CONS, and CONS-EQUAL, and expanding XOR-BV, XOR, and AND, to: T. Case 1. (IMPLIES (NOT (AND (LISTP C) (LISTP (XOR-BV A B)))) (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C)))), which simplifies, applying the lemma COMMUTATIVITY-OF-XOR-BV, and opening up the functions XOR-BV, XOR, AND, LISTP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] ASSOCIATIVITY-OF-XOR-BV (PROVE-LEMMA COMMUTATIVITY2-OF-XOR-BV (REWRITE) (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV C B)))) WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed COMMUTATIVITY2-OF-XOR-BV could! This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, to: (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C))). Give the above formula the name *1. Perhaps we can prove it by induction. Six inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP C) (LISTP (XOR-BV A B))) (p (CDR C) (CDR A) (CDR B))) (p C A B)) (IMPLIES (NOT (AND (LISTP C) (LISTP (XOR-BV A B)))) (p C A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT C) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for A and B. The above induction scheme produces the following two new goals: Case 2. (IMPLIES (AND (AND (LISTP C) (LISTP (XOR-BV A B))) (EQUAL (XOR-BV (CDR C) (XOR-BV (CDR A) (CDR B))) (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C))))) (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C)))). This simplifies, applying CDR-CONS, CAR-CONS, and CONS-EQUAL, and expanding XOR-BV, XOR, and AND, to: T. Case 1. (IMPLIES (NOT (AND (LISTP C) (LISTP (XOR-BV A B)))) (EQUAL (XOR-BV C (XOR-BV A B)) (XOR-BV A (XOR-BV B C)))), which simplifies, applying the lemma COMMUTATIVITY-OF-XOR-BV, and opening up the functions XOR-BV, XOR, AND, LISTP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] COMMUTATIVITY2-OF-XOR-BV (DEFN HIGH-BIT-ON (BVS) (IF (LISTP BVS) (IF (EQUAL (CAAR BVS) 1) 0 (ADD1 (HIGH-BIT-ON (CDR BVS)))) F)) Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT BVS) decreases according to the well-founded relation LESSP in each recursive call. Hence, HIGH-BIT-ON is accepted under the principle of definition. Note that: (OR (FALSEP (HIGH-BIT-ON BVS)) (NUMBERP (HIGH-BIT-ON BVS))) is a theorem. [ 0.0 0.0 0.0 ] HIGH-BIT-ON (DEFN DELETE-PILE (PLACE STATE) (IF (NOT (LISTP STATE)) STATE (IF (ZEROP PLACE) (CDR STATE) (CONS (CAR STATE) (DELETE-PILE (SUB1 PLACE) (CDR STATE)))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each recursive call. Hence, DELETE-PILE is accepted under the principle of definition. The definition of DELETE-PILE can be justified in another way. Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. [ 0.0 0.0 0.0 ] DELETE-PILE (DEFN DELETE-HIGH-BITS (STATE) (IF (LISTP STATE) (CONS (CDAR STATE) (DELETE-HIGH-BITS (CDR STATE))) NIL)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each recursive call. Hence, DELETE-HIGH-BITS is accepted under the definitional principle. Observe that: (OR (LITATOM (DELETE-HIGH-BITS STATE)) (LISTP (DELETE-HIGH-BITS STATE))) is a theorem. [ 0.0 0.0 0.0 ] DELETE-HIGH-BITS (PROVE-LEMMA FIND-HIGH-OUT-OF-SYNC-REWRITE (REWRITE) (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE))) (LESSP (LENGTH (CAR (DELETE-HIGH-BITS STATE))) (LENGTH (CAR STATE))))) WARNING: Note that the proposed lemma FIND-HIGH-OUT-OF-SYNC-REWRITE is to be stored as zero type prescription rules, zero compound recognizer rules, one linear rule, and zero replacement rules. . Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE). We would thus like to prove: (IMPLIES (LISTP X) (LESSP (LENGTH (CAR (DELETE-HIGH-BITS (CONS X Z)))) (LENGTH X))), which simplifies, appealing to the lemmas CDR-CONS and CAR-CONS, and unfolding the function DELETE-HIGH-BITS, to: (IMPLIES (LISTP X) (LESSP (LENGTH (CDR X)) (LENGTH X))). This again simplifies, rewriting with the lemma SUB1-ADD1, and opening up LENGTH and LESSP, to: (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) 0))) (LESSP (SUB1 (LENGTH (CDR X))) (LENGTH (CDR X)))). But this again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] FIND-HIGH-OUT-OF-SYNC-REWRITE (DEFN FIND-HIGH-OUT-OF-SYNC (STATE) (IF (LISTP STATE) (IF (LISTP (CAR STATE)) (IF (EQUAL (CAR (XOR-BVS STATE)) 1) (HIGH-BIT-ON STATE) (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE))) F) F) ((LESSP (LENGTH (CAR STATE))))) Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE establish that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each recursive call. Hence, FIND-HIGH-OUT-OF-SYNC is accepted under the principle of definition. From the definition we can conclude that: (OR (FALSEP (FIND-HIGH-OUT-OF-SYNC STATE)) (NUMBERP (FIND-HIGH-OUT-OF-SYNC STATE))) is a theorem. [ 0.0 0.0 0.0 ] FIND-HIGH-OUT-OF-SYNC (DEFN SMART-MOVE (STATE SIZE) (COND ((EQUAL (NUMBER-WITH-AT-LEAST STATE 2 SIZE) 0) (CONS (COL-WITH-AT-LEAST STATE 1 SIZE) (NAT-TO-BV 0 SIZE))) ((EQUAL (NUMBER-WITH-AT-LEAST STATE 2 SIZE) 1) (CONS (COL-WITH-AT-LEAST STATE 2 SIZE) (IF (EQUAL (REMAINDER (NUMBER-WITH-AT-LEAST STATE 1 SIZE) 2) 0) (NAT-TO-BV 0 SIZE) (NAT-TO-BV 1 SIZE)))) (T (LET ((BADCOL (FIND-HIGH-OUT-OF-SYNC STATE))) (CONS BADCOL (XOR-BVS (DELETE-PILE BADCOL STATE))))))) From the definition we can conclude that (LISTP (SMART-MOVE STATE SIZE)) is a theorem. [ 0.0 0.0 0.0 ] SMART-MOVE (DEFN APPLY-MOVE (MOVE STATE) (PUT (CAR MOVE) (CDR MOVE) STATE)) From the definition we can conclude that (LISTP (APPLY-MOVE MOVE STATE)) is a theorem. [ 0.0 0.0 0.0 ] APPLY-MOVE (DEFN ALL-ZEROS (BV) (IF (LISTP BV) (AND (EQUAL (CAR BV) 0) (ALL-ZEROS (CDR BV))) T)) Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each recursive call. Hence, ALL-ZEROS is accepted under the principle of definition. Note that (OR (FALSEP (ALL-ZEROS BV)) (TRUEP (ALL-ZEROS BV))) is a theorem. [ 0.0 0.0 0.0 ] ALL-ZEROS (DEFN LOSER-STATE (STATE SIZE) (OR (AND (EQUAL (NUMBER-WITH-AT-LEAST STATE 2 SIZE) 0) (EQUAL (REMAINDER (NUMBER-WITH-AT-LEAST STATE 1 SIZE) 2) 1)) (AND (LESSP 0 (NUMBER-WITH-AT-LEAST STATE 2 SIZE)) (ALL-ZEROS (XOR-BVS STATE))))) Observe that: (OR (FALSEP (LOSER-STATE STATE SIZE)) (TRUEP (LOSER-STATE STATE SIZE))) is a theorem. [ 0.0 0.0 0.0 ] LOSER-STATE (DEFN MOVEP (MOVE STATE SIZE) (AND (LESSP-BV (CDR MOVE) (GET (CAR MOVE) STATE)) (EQUAL (LENGTH (CDR MOVE)) SIZE) (BVP (CDR MOVE)) (LESSP (CAR MOVE) (LENGTH STATE)))) Note that: (OR (FALSEP (MOVEP MOVE STATE SIZE)) (TRUEP (MOVEP MOVE STATE SIZE))) is a theorem. [ 0.0 0.0 0.0 ] MOVEP (DEFN HIGH-BIT-OUT-OF-SYNC (PLACE STATE) (IF (LISTP STATE) (IF (LISTP (CAR STATE)) (OR (AND (EQUAL (CAR (GET PLACE STATE)) 1) (EQUAL (CAR (XOR-BVS STATE)) 1)) (AND (EQUAL (CAR (XOR-BVS STATE)) 0) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)))) F) F) ((LESSP (LENGTH (CAR STATE))))) Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE can be used to establish that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each recursive call. Hence, HIGH-BIT-OUT-OF-SYNC is accepted under the definitional principle. Observe that: (OR (FALSEP (HIGH-BIT-OUT-OF-SYNC PLACE STATE)) (TRUEP (HIGH-BIT-OUT-OF-SYNC PLACE STATE))) is a theorem. [ 0.0 0.0 0.0 ] HIGH-BIT-OUT-OF-SYNC (DEFN LESSP-WHEN-HIGH-BIT-RECURSION (STATE SIZE) (IF (ZEROP SIZE) T (LESSP-WHEN-HIGH-BIT-RECURSION (DELETE-HIGH-BITS STATE) (SUB1 SIZE)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, LESSP-WHEN-HIGH-BIT-RECURSION is accepted under the principle of definition. Observe that: (TRUEP (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)) is a theorem. [ 0.0 0.0 0.0 ] LESSP-WHEN-HIGH-BIT-RECURSION (PROVE-LEMMA EQUAL-LENGTH-0 (REWRITE) (EQUAL (EQUAL (LENGTH X) 0) (NOT (LISTP X)))) This formula simplifies, expanding the function NOT, to two new conjectures: Case 2. (IMPLIES (NOT (EQUAL (LENGTH X) 0)) (LISTP X)), which again simplifies, opening up the functions LENGTH and EQUAL, to: T. Case 1. (IMPLIES (EQUAL (LENGTH X) 0) (NOT (LISTP X))), which we will name *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new formulas: Case 2. (IMPLIES (AND (NOT (EQUAL (LENGTH (CDR X)) 0)) (EQUAL (LENGTH X) 0)) (NOT (LISTP X))). This simplifies, expanding LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (LISTP (CDR X))) (EQUAL (LENGTH X) 0)) (NOT (LISTP X))). This simplifies, unfolding LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-LENGTH-0 (PROVE-LEMMA EQUAL-LENGTH-1 (REWRITE) (EQUAL (EQUAL (LENGTH X) 1) (AND (LISTP X) (NOT (LISTP (CDR X)))))) This simplifies, unfolding the functions LENGTH, NOT, and AND, to the following two new formulas: Case 2. (IMPLIES (AND (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 1))) (LISTP (CDR X))). But this again simplifies, opening up the functions LENGTH, ADD1, and EQUAL, to: T. Case 1. (IMPLIES (AND (LISTP X) (EQUAL (ADD1 (LENGTH (CDR X))) 1)) (NOT (LISTP (CDR X)))), which again simplifies, applying the lemmas EQUAL-LENGTH-0 and ADD1-EQUAL, and opening up the definition of NUMBERP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-LENGTH-1 (PROVE-LEMMA GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE (ADD1 X)) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) X))) Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (CDR STATE) X)) (p STATE X)) (IMPLIES (NOT (LISTP STATE)) (p STATE X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X))) (GOOD-STATE-OF-SIZE STATE (ADD1 X))) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) X)). This simplifies, expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (GOOD-STATE-OF-SIZE STATE (ADD1 X))) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) X)). This simplifies, applying EQUAL-LENGTH-0, CDR-CONS, and CAR-CONS, and expanding the definitions of GOOD-STATE-OF-SIZE and DELETE-HIGH-BITS, to three new goals: Case 2.3. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (ADD1 X)) (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X))) (BVP (CDAR STATE))), which again simplifies, opening up the functions BITP, BVP, and LENGTH, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (ADD1 X)) (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X)) (NOT (NUMBERP X))) (NOT (LISTP (CDAR STATE)))), which again simplifies, rewriting with the lemmas SUB1-TYPE-RESTRICTION and EQUAL-LENGTH-1, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (ADD1 X)) (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X)) (NUMBERP X)) (EQUAL (LENGTH (CDAR STATE)) X)), which again simplifies, rewriting with CDR-NLISTP, and opening up LENGTH, to the following two new formulas: Case 2.1.2. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (BVP (CAR STATE)) (NOT (LISTP (CAR STATE))) (EQUAL 0 (ADD1 X)) (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X)) (NUMBERP X)) (EQUAL 0 X)). This again simplifies, using linear arithmetic, to: T. Case 2.1.1. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS (CDR STATE)) X) (BVP (CAR STATE)) (LISTP (CAR STATE)) (EQUAL (ADD1 (LENGTH (CDAR STATE))) (ADD1 X)) (GOOD-STATE-OF-SIZE (CDR STATE) (ADD1 X)) (NUMBERP X)) (EQUAL (LENGTH (CDAR STATE)) X)), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE (ADD1 X))) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) X)), which simplifies, unfolding the functions GOOD-STATE-OF-SIZE, DELETE-HIGH-BITS, EQUAL, and LISTP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS (PROVE-LEMMA HIGH-BIT-OUT-OF-SYNC-EMPTY (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE)))) WARNING: Note that HIGH-BIT-OUT-OF-SYNC-EMPTY contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture simplifies, unfolding ZEROP, to two new conjectures: Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which again simplifies, trivially, to: (IMPLIES (GOOD-STATE-OF-SIZE STATE 0) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which we will name *1. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). We gave this the name *1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest two inductions, both of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (p PLACE (DELETE-HIGH-BITS STATE) SIZE)) (p PLACE STATE SIZE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE)))) (p PLACE STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE SIZE))). Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE inform us that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following four new conjectures: Case 4. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). This simplifies, expanding the definitions of ZEROP and HIGH-BIT-OUT-OF-SYNC, to the following four new formulas: Case 4.4. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0) (EQUAL (CAR (XOR-BVS STATE)) 0)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)))). This again simplifies, applying the lemma EQUAL-LENGTH-0, and opening up the functions NUMBERP and GOOD-STATE-OF-SIZE, to: T. Case 4.3. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0) (EQUAL (CAR (GET PLACE STATE)) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1))), which again simplifies, applying EQUAL-LENGTH-0, and unfolding NUMBERP and GOOD-STATE-OF-SIZE, to: T. Case 4.2. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE)) (EQUAL (CAR (XOR-BVS STATE)) 0)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)))). But this again simplifies, applying EQUAL-LENGTH-0, and expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 4.1. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE)) (EQUAL (CAR (GET PLACE STATE)) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1))). But this again simplifies, appealing to the lemma EQUAL-LENGTH-0, and unfolding GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which simplifies, unfolding the functions ZEROP and HIGH-BIT-OUT-OF-SYNC, to two new conjectures: Case 3.2. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0) (EQUAL (CAR (GET PLACE STATE)) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1))), which again simplifies, rewriting with EQUAL-LENGTH-0, and expanding the functions NUMBERP and GOOD-STATE-OF-SIZE, to: T. Case 3.1. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE)) (EQUAL (CAR (GET PLACE STATE)) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1))). However this again simplifies, rewriting with EQUAL-LENGTH-0, and unfolding the function GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). This simplifies, opening up the functions ZEROP and HIGH-BIT-OUT-OF-SYNC, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). This simplifies, opening up the definitions of GOOD-STATE-OF-SIZE, ZEROP, LISTP, and HIGH-BIT-OUT-OF-SYNC, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] HIGH-BIT-OUT-OF-SYNC-EMPTY (PROVE-LEMMA GET-OF-BAD-PLACE (REWRITE) (IMPLIES (NOT (LESSP PLACE (LENGTH STATE))) (EQUAL (GET PLACE STATE) 0))) Call the conjecture *1. We will try to prove it by induction. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (p PLACE STATE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL PLACE 0) (NOT (NUMBERP PLACE)))) (p PLACE STATE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL PLACE 0) (NOT (NUMBERP PLACE)))) (p (SUB1 PLACE) (CDR STATE))) (p PLACE STATE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT inform us that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme generates four new goals: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (NOT (LESSP PLACE (LENGTH STATE)))) (EQUAL (GET PLACE STATE) 0)), which simplifies, appealing to the lemma CAR-NLISTP, and unfolding LENGTH, NOT, OR, EQUAL, LESSP, and GET, to four new formulas: Case 4.4. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR STATE))) 0) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (GET (SUB1 PLACE) (CDR STATE)) 0)), which again simplifies, using linear arithmetic, to: T. Case 4.3. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR STATE))) 0) (EQUAL PLACE 0)) (EQUAL (CAR STATE) 0)), which again simplifies, using linear arithmetic, to: T. Case 4.2. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR STATE))) 0) (NOT (NUMBERP PLACE))) (EQUAL (CAR STATE) 0)), which again simplifies, using linear arithmetic, to: T. Case 4.1. (IMPLIES (AND (NOT (LISTP STATE)) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (GET (SUB1 PLACE) (CDR STATE)) 0)), which further simplifies, applying the lemma CDR-NLISTP, to: (IMPLIES (AND (NOT (LISTP STATE)) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (GET (SUB1 PLACE) 0) 0)). Appealing to the lemma SUB1-ELIM, we now replace PLACE by (ADD1 X) to eliminate (SUB1 PLACE). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. The result is the formula: (IMPLIES (AND (NUMBERP X) (NOT (LISTP STATE)) (NOT (EQUAL (ADD1 X) 0))) (EQUAL (GET X 0) 0)). This further simplifies, trivially, to: (IMPLIES (AND (NUMBERP X) (NOT (LISTP STATE))) (EQUAL (GET X 0) 0)), which has an irrelevant term in it. By eliminating the term we get the new conjecture: (IMPLIES (NUMBERP X) (EQUAL (GET X 0) 0)), which we will finally name *1.1. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL PLACE 0) (NOT (NUMBERP PLACE))) (NOT (LESSP PLACE (LENGTH STATE)))) (EQUAL (GET PLACE STATE) 0)). This simplifies, expanding the functions LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL PLACE 0) (NOT (NUMBERP PLACE)))) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (LESSP PLACE (LENGTH STATE)))) (EQUAL (GET PLACE STATE) 0)). This simplifies, applying SUB1-ADD1, and expanding LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL PLACE 0) (NOT (NUMBERP PLACE)))) (EQUAL (GET (SUB1 PLACE) (CDR STATE)) 0) (NOT (LESSP PLACE (LENGTH STATE)))) (EQUAL (GET PLACE STATE) 0)), which simplifies, rewriting with SUB1-ADD1, and expanding LENGTH, NOT, OR, LESSP, GET, and EQUAL, to: T. So let us turn our attention to: (IMPLIES (NUMBERP X) (EQUAL (GET X 0) 0)), which we named *1.1 above. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP X) (p X)) (IMPLIES (AND (NOT (ZEROP X)) (p (SUB1 X))) (p X))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates two new goals: Case 2. (IMPLIES (AND (ZEROP X) (NUMBERP X)) (EQUAL (GET X 0) 0)), which simplifies, unfolding the functions ZEROP, NUMBERP, GET, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP X)) (EQUAL (GET (SUB1 X) 0) 0) (NUMBERP X)) (EQUAL (GET X 0) 0)), which simplifies, unfolding the definitions of ZEROP, GET, CDR, and EQUAL, to: T. That finishes the proof of *1.1, which, in turn, finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GET-OF-BAD-PLACE (PROVE-LEMMA LISTP-DELETE-HIGH-BITS (REWRITE) (EQUAL (LISTP (DELETE-HIGH-BITS X)) (LISTP X))) Give the conjecture the name *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LISTP (DELETE-HIGH-BITS (CDR X))) (LISTP (CDR X)))) (EQUAL (LISTP (DELETE-HIGH-BITS X)) (LISTP X))). This simplifies, expanding the functions DELETE-HIGH-BITS and EQUAL, to: T. Case 1. (IMPLIES (NOT (LISTP X)) (EQUAL (LISTP (DELETE-HIGH-BITS X)) (LISTP X))). This simplifies, opening up DELETE-HIGH-BITS, LISTP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LISTP-DELETE-HIGH-BITS (DEFN BV-NOT (X) (IF (EQUAL X 0) 1 0)) Observe that (NUMBERP (BV-NOT X)) is a theorem. [ 0.0 0.0 0.0 ] BV-NOT (PROVE-LEMMA BVP-XOR-BV (REWRITE) (BVP (XOR-BV X Y))) Name the conjecture *1. We will appeal to induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP X) (LISTP Y)) (p (CDR X) (CDR Y))) (p X Y)) (IMPLIES (NOT (AND (LISTP X) (LISTP Y))) (p X Y))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for Y. The above induction scheme leads to two new goals: Case 2. (IMPLIES (AND (AND (LISTP X) (LISTP Y)) (BVP (XOR-BV (CDR X) (CDR Y)))) (BVP (XOR-BV X Y))), which simplifies, rewriting with CDR-CONS and CAR-CONS, and expanding the functions AND, XOR-BV, XOR, BITP, and BVP, to: T. Case 1. (IMPLIES (NOT (AND (LISTP X) (LISTP Y))) (BVP (XOR-BV X Y))). This simplifies, unfolding the definitions of AND, XOR-BV, and BVP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-XOR-BV (PROVE-LEMMA BVP-XOR-BVS (REWRITE) (BVP (XOR-BVS STATE))) Call the conjecture *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (p (CDR STATE))) (p STATE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE)))) (p STATE)) (IMPLIES (NOT (LISTP STATE)) (p STATE))). Linear arithmetic, the lemma SUB1-ADD1, and the definitions of LESSP and LENGTH inform us that the measure (LENGTH STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to three new goals: Case 3. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (BVP (XOR-BVS (CDR STATE)))) (BVP (XOR-BVS STATE))), which simplifies, applying BVP-XOR-BV, and expanding the function XOR-BVS, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE)))) (BVP (XOR-BVS STATE))). This simplifies, applying BVP-FIX-XOR-BV, and unfolding the function XOR-BVS, to: T. Case 1. (IMPLIES (NOT (LISTP STATE)) (BVP (XOR-BVS STATE))), which simplifies, expanding the definitions of XOR-BVS and BVP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-XOR-BVS (PROVE-LEMMA EQUAL-BITP-SIMPLIFY (REWRITE) (IMPLIES (AND (BITP X) (NOT (EQUAL X 0))) (EQUAL (EQUAL X Y) (EQUAL Y 1)))) This simplifies, expanding BITP and EQUAL, to two new goals: Case 2. (IMPLIES (AND (EQUAL X 1) (NOT (EQUAL Y 1))) (NOT (EQUAL 1 Y))), which again simplifies, trivially, to: T. Case 1. (IMPLIES (AND (EQUAL X 1) (EQUAL Y 1)) (EQUAL (EQUAL 1 Y) T)). But this again simplifies, expanding the definition of EQUAL, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-BITP-SIMPLIFY (PROVE-LEMMA EQUAL-BIT-1 (REWRITE) (IMPLIES (BITP X) (EQUAL (EQUAL X 1) (NOT (EQUAL X 0))))) This formula simplifies, expanding BITP, EQUAL, and NOT, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-BIT-1 (PROVE-LEMMA BITP-CAR-BVP (REWRITE) (IMPLIES (BVP X) (BITP (CAR X)))) WARNING: Note that the rewrite rule BITP-CAR-BVP will be stored so as to apply only to terms with the nonrecursive function symbol BITP. This formula can be simplified, using the abbreviations BITP and IMPLIES, to: (IMPLIES (AND (BVP X) (NOT (EQUAL (CAR X) 0))) (EQUAL (CAR X) 1)), which simplifies, opening up the definitions of BITP, BVP, CAR, and EQUAL, to: T. Q.E.D. [ 0.0 0.0 0.0 ] BITP-CAR-BVP (PROVE-LEMMA GOOD-STATE-OF-SIZE-MEANS-BVSP (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (BVSP STATE))) WARNING: Note that GOOD-STATE-OF-SIZE-MEANS-BVSP contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). Name the conjecture *1. Let us appeal to the induction principle. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (CDR STATE) SIZE)) (p STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to three new conjectures: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (BVSP STATE)), which simplifies, applying EQUAL-LENGTH-0, and unfolding the function GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (BVSP (CDR STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (BVSP STATE)). This simplifies, applying EQUAL-LENGTH-0, and opening up the definitions of GOOD-STATE-OF-SIZE, BVSP, and BVP, to: (IMPLIES (AND (LISTP STATE) (BVSP (CDR STATE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (EQUAL (CAR STATE) NIL)). However this again simplifies, unfolding BVP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (BVSP STATE)), which simplifies, unfolding the functions GOOD-STATE-OF-SIZE and BVSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] GOOD-STATE-OF-SIZE-MEANS-BVSP (PROVE-LEMMA LISTP-XOR-BV (REWRITE) (EQUAL (LISTP (XOR-BV X Y)) (AND (LISTP X) (LISTP Y)))) This simplifies, unfolding the definition of AND, to the following two new goals: Case 2. (IMPLIES (NOT (LISTP X)) (EQUAL (LISTP (XOR-BV X Y)) F)). This again simplifies, opening up the definitions of XOR-BV, LISTP, and EQUAL, to: T. Case 1. (IMPLIES (LISTP X) (EQUAL (LISTP (XOR-BV X Y)) (LISTP Y))), which we will name *1. We will appeal to induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP X) (LISTP Y)) (p (CDR X) (CDR Y))) (p X Y)) (IMPLIES (NOT (AND (LISTP X) (LISTP Y))) (p X Y))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for Y. The above induction scheme generates the following three new formulas: Case 3. (IMPLIES (AND (AND (LISTP X) (LISTP Y)) (NOT (LISTP (CDR X))) (LISTP X)) (EQUAL (LISTP (XOR-BV X Y)) (LISTP Y))). This simplifies, expanding the functions AND, XOR-BV, XOR, and EQUAL, to: T. Case 2. (IMPLIES (AND (AND (LISTP X) (LISTP Y)) (EQUAL (LISTP (XOR-BV (CDR X) (CDR Y))) (LISTP (CDR Y))) (LISTP X)) (EQUAL (LISTP (XOR-BV X Y)) (LISTP Y))). This simplifies, opening up the functions AND, XOR-BV, XOR, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (AND (LISTP X) (LISTP Y))) (LISTP X)) (EQUAL (LISTP (XOR-BV X Y)) (LISTP Y))). This simplifies, unfolding the definitions of AND, XOR-BV, LISTP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LISTP-XOR-BV (PROVE-LEMMA LISTP-XOR-BVS (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LISTP (XOR-BVS STATE)) (AND (LISTP STATE) (LESSP 0 SIZE))))) WARNING: Note that LISTP-XOR-BVS contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This formula simplifies, opening up EQUAL, LESSP, and AND, to the following three new formulas: Case 3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0)) (EQUAL (LISTP (XOR-BVS STATE)) F)). This again simplifies, trivially, to the new formula: (IMPLIES (GOOD-STATE-OF-SIZE STATE 0) (NOT (LISTP (XOR-BVS STATE)))), which we will name *1. Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP STATE))) (EQUAL (LISTP (XOR-BVS STATE)) F)). But this again simplifies, expanding the definitions of GOOD-STATE-OF-SIZE, LISTP, XOR-BVS, and EQUAL, to: T. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (NOT (EQUAL SIZE 0))) (EQUAL (LISTP (XOR-BVS STATE)) (NUMBERP SIZE))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LISTP (XOR-BVS STATE)) (AND (LISTP STATE) (LESSP 0 SIZE)))). We named this *1. We will try to prove it by induction. There are three plausible inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (CDR STATE) SIZE)) (p STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP can be used to show that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following three new conjectures: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (XOR-BVS STATE)) (AND (LISTP STATE) (LESSP 0 SIZE)))). This simplifies, applying EQUAL-LENGTH-0, and expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (LISTP (XOR-BVS (CDR STATE))) (AND (LISTP (CDR STATE)) (LESSP 0 SIZE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (XOR-BVS STATE)) (AND (LISTP STATE) (LESSP 0 SIZE)))), which simplifies, appealing to the lemmas EQUAL-LENGTH-0, BVP-FIX-XOR-BV-IDENTITY, and LISTP-XOR-BV, and unfolding the definitions of EQUAL, LESSP, AND, NUMBERP, GOOD-STATE-OF-SIZE, XOR-BVS, XOR-BV, and LISTP, to three new formulas: Case 2.3. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (EQUAL (LISTP (XOR-BVS (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0))) (EQUAL (LISTP (CAR STATE)) T)), which again simplifies, expanding the definitions of BVP, LENGTH, NUMBERP, GOOD-STATE-OF-SIZE, and EQUAL, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (EQUAL (LISTP (XOR-BVS (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL SIZE 0)) (EQUAL (LISTP (CAR STATE)) F)), which again simplifies, applying EQUAL-LENGTH-0, and expanding NUMBERP and GOOD-STATE-OF-SIZE, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (NOT (EQUAL SIZE 0)) (EQUAL (LISTP (XOR-BVS (CDR STATE))) (NUMBERP SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LISTP (CAR STATE))). This again simplifies, expanding the functions LENGTH and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (XOR-BVS STATE)) (AND (LISTP STATE) (LESSP 0 SIZE)))), which simplifies, expanding the functions GOOD-STATE-OF-SIZE, XOR-BVS, LISTP, EQUAL, LESSP, and AND, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LISTP-XOR-BVS (PROVE-LEMMA BVP-GET (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (BVP (GET PLACE STATE)) (LESSP PLACE (LENGTH STATE))))) WARNING: Note that BVP-GET contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). Name the conjecture *1. Perhaps we can prove it by induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 PLACE) (CDR STATE) SIZE)) (p PLACE STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for PLACE. The above induction scheme leads to the following three new conjectures: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (BVP (GET PLACE STATE)) (LESSP PLACE (LENGTH STATE)))). This simplifies, rewriting with the lemma EQUAL-LENGTH-0, and opening up the definition of GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (BVP (GET (SUB1 PLACE) (CDR STATE))) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (BVP (GET PLACE STATE)) (LESSP PLACE (LENGTH STATE)))). This simplifies, appealing to the lemmas EQUAL-LENGTH-0 and SUB1-ADD1, and expanding GOOD-STATE-OF-SIZE, GET, LENGTH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (BVP (GET PLACE STATE)) (LESSP PLACE (LENGTH STATE)))). This simplifies, using linear arithmetic, applying GET-OF-BAD-PLACE, and opening up the definitions of GOOD-STATE-OF-SIZE, LENGTH, BVP, EQUAL, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-GET (PROVE-LEMMA LISTP-GET (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LISTP (GET PLACE STATE)) (AND (LESSP PLACE (LENGTH STATE)) (LESSP 0 SIZE))))) WARNING: Note that LISTP-GET contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture simplifies, expanding the functions EQUAL, LESSP, and AND, to the following three new formulas: Case 3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0)) (EQUAL (LISTP (GET PLACE STATE)) F)). This again simplifies, clearly, to the new conjecture: (IMPLIES (GOOD-STATE-OF-SIZE STATE 0) (NOT (LISTP (GET PLACE STATE)))), which we will name *1. Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LESSP PLACE (LENGTH STATE)))) (EQUAL (LISTP (GET PLACE STATE)) F)). However this again simplifies, rewriting with GET-OF-BAD-PLACE, and unfolding LISTP and EQUAL, to: T. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NOT (EQUAL SIZE 0))) (EQUAL (LISTP (GET PLACE STATE)) (NUMBERP SIZE))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LISTP (GET PLACE STATE)) (AND (LESSP PLACE (LENGTH STATE)) (LESSP 0 SIZE)))), which we named *1 above. We will appeal to induction. There are five plausible inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 PLACE) (CDR STATE) SIZE)) (p PLACE STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP can be used to prove that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for PLACE. The above induction scheme produces three new goals: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (GET PLACE STATE)) (AND (LESSP PLACE (LENGTH STATE)) (LESSP 0 SIZE)))), which simplifies, applying EQUAL-LENGTH-0, and opening up GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) (AND (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (LESSP 0 SIZE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (GET PLACE STATE)) (AND (LESSP PLACE (LENGTH STATE)) (LESSP 0 SIZE)))). This simplifies, rewriting with EQUAL-LENGTH-0 and SUB1-ADD1, and unfolding EQUAL, LESSP, AND, NUMBERP, GOOD-STATE-OF-SIZE, GET, and LENGTH, to ten new formulas: Case 2.10. (IMPLIES (AND (LISTP STATE) (EQUAL SIZE 0) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 0) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (NOT (LISTP (GET (SUB1 PLACE) (CDR STATE))))), which again simplifies, clearly, to: T. Case 2.9. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP PLACE)) (NOT (EQUAL SIZE 0))) (EQUAL (LISTP (CAR STATE)) T)). But this again simplifies, expanding BVP, LENGTH, NUMBERP, and EQUAL, to: T. Case 2.8. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP PLACE)) (EQUAL SIZE 0)) (EQUAL (LISTP (CAR STATE)) F)), which again simplifies, rewriting with EQUAL-LENGTH-0, and expanding the definition of NUMBERP, to: T. Case 2.7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL PLACE 0) (NOT (EQUAL SIZE 0))) (EQUAL (LISTP (CAR STATE)) T)). However this again simplifies, rewriting with EQUAL-LENGTH-0 and GET-OF-BAD-PLACE, and opening up the definitions of SUB1, EQUAL, LESSP, LISTP, BVP, LENGTH, NUMBERP, and GOOD-STATE-OF-SIZE, to: T. Case 2.6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL PLACE 0) (EQUAL SIZE 0)) (EQUAL (LISTP (CAR STATE)) F)). But this again simplifies, applying EQUAL-LENGTH-0 and GET-OF-BAD-PLACE, and unfolding the definitions of SUB1, EQUAL, LESSP, LISTP, NUMBERP, and GOOD-STATE-OF-SIZE, to: T. Case 2.5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) F) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (NOT (LISTP (GET (SUB1 PLACE) (CDR STATE))))). This again simplifies, clearly, to: T. Case 2.4. (IMPLIES (AND (LISTP STATE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (EQUAL SIZE 0)) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) (NUMBERP SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (GET (SUB1 PLACE) (CDR STATE)))). However this again simplifies, applying EQUAL-LENGTH-0, and expanding EQUAL, to: T. Case 2.3. (IMPLIES (AND (LISTP STATE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (EQUAL SIZE 0)) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) (NUMBERP SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL PLACE 0)) (LISTP (CAR STATE))). But this again simplifies, rewriting with EQUAL-LENGTH-0, and unfolding the definitions of SUB1, EQUAL, LESSP, and LENGTH, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (EQUAL SIZE 0)) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) (NUMBERP SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP PLACE))) (LISTP (CAR STATE))). This again simplifies, unfolding the functions LENGTH and EQUAL, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (EQUAL SIZE 0)) (EQUAL (LISTP (GET (SUB1 PLACE) (CDR STATE))) (NUMBERP SIZE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (NOT (LISTP (GET (SUB1 PLACE) (CDR STATE))))), which again simplifies, expanding EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LISTP (GET PLACE STATE)) (AND (LESSP PLACE (LENGTH STATE)) (LESSP 0 SIZE)))), which simplifies, using linear arithmetic, rewriting with GET-OF-BAD-PLACE, and unfolding the definitions of GOOD-STATE-OF-SIZE, LENGTH, LISTP, EQUAL, LESSP, and AND, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LISTP-GET (PROVE-LEMMA CAR-XOR-BV (REWRITE) (IMPLIES (AND (LISTP X) (LISTP Y)) (EQUAL (CAR (XOR-BV X Y)) (XOR (CAR X) (CAR Y))))) This formula simplifies, opening up the definition of XOR, to the following nine new formulas: Case 9. (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (CAR X) 0) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This generates: (IMPLIES (AND (LISTP Y) (EQUAL Z 0) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). However this further simplifies, applying CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding the functions XOR, EQUAL, and XOR-BV, to: T. Case 8. (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (CAR X) 0) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We must thus prove: (IMPLIES (AND (LISTP Y) (EQUAL Z 0) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). But this further simplifies, applying CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding XOR, XOR-BV, and EQUAL, to: T. Case 7. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (NUMBERP (CAR X))) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We must thus prove the conjecture: (IMPLIES (AND (LISTP Y) (NOT (NUMBERP Z)) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). This further simplifies, rewriting with CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and opening up the functions XOR, EQUAL, and XOR-BV, to: T. Case 6. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (NUMBERP (CAR X))) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We must thus prove the conjecture: (IMPLIES (AND (LISTP Y) (NOT (NUMBERP Z)) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). But this further simplifies, rewriting with CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding XOR, XOR-BV, and EQUAL, to: T. Case 5. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). The result is the conjecture: (IMPLIES (AND (LISTP Y) (NOT (EQUAL Z 0)) (NUMBERP Z) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). However this further simplifies, applying the lemmas CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and opening up the definitions of XOR, XOR-BV, and EQUAL, to: T. Case 4. (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (CAR X) 0) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 1)), which again simplifies, applying BITP-CAR-BVP, BVP-XOR-BV, and EQUAL-BIT-1, to the new goal: (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (CAR X) 0) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (NOT (EQUAL (CAR (XOR-BV X Y)) 0))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We would thus like to prove: (IMPLIES (AND (LISTP Y) (EQUAL Z 0) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (NOT (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0))), which further simplifies, rewriting with the lemmas CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding XOR, EQUAL, and XOR-BV, to: T. Case 3. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (NUMBERP (CAR X))) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 1)), which again simplifies, applying BITP-CAR-BVP, BVP-XOR-BV, and EQUAL-BIT-1, to: (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (NUMBERP (CAR X))) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (NOT (EQUAL (CAR (XOR-BV X Y)) 0))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This produces: (IMPLIES (AND (LISTP Y) (NOT (NUMBERP Z)) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (NOT (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0))), which further simplifies, rewriting with CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding the definitions of XOR, XOR-BV, and EQUAL, to: T. Case 2. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 1)). But this again simplifies, appealing to the lemmas BITP-CAR-BVP, BVP-XOR-BV, and EQUAL-BIT-1, to: (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (EQUAL (CAR Y) 0)) (NOT (EQUAL (CAR (XOR-BV X Y)) 0))). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This generates: (IMPLIES (AND (LISTP Y) (NOT (EQUAL Z 0)) (NUMBERP Z) (EQUAL (CAR Y) 0)) (NOT (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0))). But this further simplifies, rewriting with the lemmas CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding the functions XOR, EQUAL, and XOR-BV, to: T. Case 1. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 1)), which again simplifies, applying BITP-CAR-BVP, BVP-XOR-BV, and EQUAL-BIT-1, to: (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (NUMBERP (CAR Y)))) (NOT (EQUAL (CAR (XOR-BV X Y)) 0))). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We would thus like to prove: (IMPLIES (AND (LISTP Y) (NOT (EQUAL Z 0)) (NUMBERP Z) (NOT (NUMBERP (CAR Y)))) (NOT (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0))), which further simplifies, rewriting with CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding the definitions of XOR, XOR-BV, and EQUAL, to: T. Q.E.D. [ 0.0 0.3 0.0 ] CAR-XOR-BV (DEFN LESSP-BV-RECURSION (LIST SIZE) (IF (ZEROP SIZE) T (LESSP-BV-RECURSION (CDR LIST) (SUB1 SIZE)))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, LESSP-BV-RECURSION is accepted under the principle of definition. Observe that: (TRUEP (LESSP-BV-RECURSION LIST SIZE)) is a theorem. [ 0.0 0.0 0.0 ] LESSP-BV-RECURSION (DEFN FIRSTN (LIST N) (IF (NOT (LISTP LIST)) LIST (IF (ZEROP N) NIL (CONS (CAR LIST) (FIRSTN (CDR LIST) (SUB1 N)))))) Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT LIST) decreases according to the well-founded relation LESSP in each recursive call. Hence, FIRSTN is accepted under the principle of definition. The definition of FIRSTN can be justified in another way. Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT N) decreases according to the well-founded relation LESSP in each recursive call. Observe that: (OR (OR (LITATOM (FIRSTN LIST N)) (LISTP (FIRSTN LIST N))) (EQUAL (FIRSTN LIST N) LIST)) is a theorem. [ 0.0 0.0 0.0 ] FIRSTN (DEFN MIN (X Y) (IF (LESSP X Y) (FIX X) (FIX Y))) From the definition we can conclude that (NUMBERP (MIN X Y)) is a theorem. [ 0.0 0.0 0.0 ] MIN (PROVE-LEMMA XOR-BV-INVERSE (REWRITE) (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (MIN (LENGTH A) (LENGTH B))))) WARNING: the previously added lemma, COMMUTATIVITY2-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-INVERSE could! WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-INVERSE could! This simplifies, unfolding the function MIN, to the following two new formulas: Case 2. (IMPLIES (NOT (LESSP (LENGTH A) (LENGTH B))) (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (LENGTH B)))). Give the above formula the name *1. Case 1. (IMPLIES (LESSP (LENGTH A) (LENGTH B)) (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (LENGTH A)))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (MIN (LENGTH A) (LENGTH B)))). We gave this the name *1 above. Perhaps we can prove it by induction. There are six plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP A) (LISTP (XOR-BV A B))) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (AND (LISTP A) (LISTP (XOR-BV A B)))) (p A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme produces the following two new formulas: Case 2. (IMPLIES (AND (AND (LISTP A) (LISTP (XOR-BV A B))) (EQUAL (XOR-BV (CDR A) (XOR-BV (CDR A) (CDR B))) (FIRSTN (FIX-XOR-BV (CDR B)) (MIN (LENGTH (CDR A)) (LENGTH (CDR B)))))) (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (MIN (LENGTH A) (LENGTH B))))). This simplifies, applying CDR-CONS, CAR-CONS, SUB1-ADD1, and CONS-EQUAL, and expanding the definitions of XOR-BV, XOR, AND, MIN, FIX-XOR-BV, FIX-BIT, LENGTH, LESSP, and FIRSTN, to: T. Case 1. (IMPLIES (NOT (AND (LISTP A) (LISTP (XOR-BV A B)))) (EQUAL (XOR-BV A (XOR-BV A B)) (FIRSTN (FIX-XOR-BV B) (MIN (LENGTH A) (LENGTH B))))), which simplifies, applying COMMUTATIVITY-OF-XOR-BV, and expanding the functions XOR-BV, XOR, AND, LISTP, FIX-XOR-BV, LENGTH, NUMBERP, LESSP, EQUAL, MIN, FIRSTN, and FIX-BIT, to the following four new goals: Case 1.4. (IMPLIES (AND (NOT (LISTP A)) (NOT (LISTP B))) (EQUAL NIL (FIRSTN NIL (MIN 0 0)))). But this again simplifies, opening up the definitions of MIN, FIRSTN, and EQUAL, to: T. Case 1.3. (IMPLIES (AND (NOT (LISTP A)) (LISTP B) (NOT (NUMBERP (CAR B)))) (EQUAL NIL (FIRSTN (CONS 0 (FIX-XOR-BV (CDR B))) (MIN 0 (ADD1 (LENGTH (CDR B))))))), which again simplifies, expanding NUMBERP, LESSP, EQUAL, MIN, and FIRSTN, to: T. Case 1.2. (IMPLIES (AND (NOT (LISTP A)) (LISTP B) (EQUAL (CAR B) 0)) (EQUAL NIL (FIRSTN (CONS 0 (FIX-XOR-BV (CDR B))) (MIN 0 (ADD1 (LENGTH (CDR B))))))), which again simplifies, opening up the functions NUMBERP, LESSP, EQUAL, MIN, and FIRSTN, to: T. Case 1.1. (IMPLIES (AND (NOT (LISTP A)) (LISTP B) (NOT (EQUAL (CAR B) 0)) (NUMBERP (CAR B))) (EQUAL NIL (FIRSTN (CONS 1 (FIX-XOR-BV (CDR B))) (MIN 0 (ADD1 (LENGTH (CDR B))))))), which again simplifies, opening up the functions NUMBERP, LESSP, EQUAL, MIN, and FIRSTN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] XOR-BV-INVERSE (PROVE-LEMMA XOR-BV-FIX-XOR-BV (REWRITE) (AND (EQUAL (XOR-BV (FIX-XOR-BV X) Y) (XOR-BV X Y)) (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV Y X)))) WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-FIX-XOR-BV could! WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-FIX-XOR-BV could! WARNING: Note that the proposed lemma XOR-BV-FIX-XOR-BV is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This formula can be simplified, using the abbreviation AND, to the following two new conjectures: Case 2. (EQUAL (XOR-BV (FIX-XOR-BV X) Y) (XOR-BV X Y)). This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, to the formula: (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV X Y)). Call the above conjecture *1. Case 1. (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV Y X)). This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, to the goal: (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV X Y)), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (AND (EQUAL (XOR-BV (FIX-XOR-BV X) Y) (XOR-BV X Y)) (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV Y X))), which we named *1 above. We will appeal to induction. Eight inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP (FIX-XOR-BV X)) (LISTP Y)) (p (CDR Y) (CDR X))) (p Y X)) (IMPLIES (NOT (AND (LISTP (FIX-XOR-BV X)) (LISTP Y))) (p Y X))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND can be used to establish that the measure (COUNT Y) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for X. The above induction scheme produces four new formulas: Case 4. (IMPLIES (AND (AND (LISTP (FIX-XOR-BV X)) (LISTP Y)) (EQUAL (XOR-BV (FIX-XOR-BV (CDR X)) (CDR Y)) (XOR-BV (CDR X) (CDR Y))) (EQUAL (XOR-BV (CDR Y) (FIX-XOR-BV (CDR X))) (XOR-BV (CDR Y) (CDR X)))) (EQUAL (XOR-BV (FIX-XOR-BV X) Y) (XOR-BV X Y))), which simplifies, applying CDR-CONS, CAR-CONS, COMMUTATIVITY-OF-XOR-BV, and CONS-EQUAL, and opening up the definitions of FIX-XOR-BV, FIX-BIT, AND, XOR, and XOR-BV, to the new goal: (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (XOR-BV (FIX-XOR-BV (CDR X)) (CDR Y)) (XOR-BV (CDR X) (CDR Y))) (EQUAL (XOR-BV (CDR Y) (FIX-XOR-BV (CDR X))) (XOR-BV (CDR Y) (CDR X)))) (EQUAL (XOR-BV (CDR Y) (CDR X)) (XOR-BV (CDR X) (CDR Y)))), which further simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, to: T. Case 3. (IMPLIES (NOT (AND (LISTP (FIX-XOR-BV X)) (LISTP Y))) (EQUAL (XOR-BV (FIX-XOR-BV X) Y) (XOR-BV X Y))). This simplifies, applying COMMUTATIVITY-OF-XOR-BV, and expanding the definitions of FIX-XOR-BV, FIX-BIT, AND, LISTP, XOR-BV, and EQUAL, to: T. Case 2. (IMPLIES (AND (AND (LISTP (FIX-XOR-BV X)) (LISTP Y)) (EQUAL (XOR-BV (FIX-XOR-BV (CDR X)) (CDR Y)) (XOR-BV (CDR X) (CDR Y))) (EQUAL (XOR-BV (CDR Y) (FIX-XOR-BV (CDR X))) (XOR-BV (CDR Y) (CDR X)))) (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV Y X))), which simplifies, rewriting with CDR-CONS, CAR-CONS, COMMUTATIVITY-OF-XOR-BV, and CONS-EQUAL, and unfolding FIX-XOR-BV, FIX-BIT, AND, XOR, and XOR-BV, to the new conjecture: (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (XOR-BV (FIX-XOR-BV (CDR X)) (CDR Y)) (XOR-BV (CDR X) (CDR Y))) (EQUAL (XOR-BV (CDR Y) (FIX-XOR-BV (CDR X))) (XOR-BV (CDR Y) (CDR X)))) (EQUAL (XOR-BV (CDR Y) (CDR X)) (XOR-BV (CDR X) (CDR Y)))), which further simplifies, applying COMMUTATIVITY-OF-XOR-BV, to: T. Case 1. (IMPLIES (NOT (AND (LISTP (FIX-XOR-BV X)) (LISTP Y))) (EQUAL (XOR-BV Y (FIX-XOR-BV X)) (XOR-BV Y X))). This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, and opening up the definitions of FIX-XOR-BV, FIX-BIT, AND, LISTP, XOR-BV, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] XOR-BV-FIX-XOR-BV (PROVE-LEMMA FIRSTN-NOOP (REWRITE) (IMPLIES (NOT (LESSP X (LENGTH LIST))) (EQUAL (FIRSTN LIST X) LIST))) Name the conjecture *1. Let us appeal to the induction principle. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST)))) (p LIST X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (OR (EQUAL X 0) (NOT (NUMBERP X)))) (p LIST X)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (p (CDR LIST) (SUB1 X))) (p LIST X))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for LIST. The above induction scheme leads to the following four new goals: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST)))) (NOT (LESSP X (LENGTH LIST)))) (EQUAL (FIRSTN LIST X) LIST)). This simplifies, expanding the definitions of LENGTH, NOT, OR, EQUAL, LESSP, and FIRSTN, to the following three new formulas: Case 4.3. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR LIST))) 0) (LISTP LIST) (NOT (NUMBERP X))) (EQUAL NIL LIST)). However this again simplifies, using linear arithmetic, to: T. Case 4.2. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR LIST))) 0) (LISTP LIST) (EQUAL X 0)) (EQUAL NIL LIST)), which again simplifies, using linear arithmetic, to: T. Case 4.1. (IMPLIES (AND (EQUAL (ADD1 (LENGTH (CDR LIST))) 0) (LISTP LIST) (NOT (EQUAL X 0)) (NUMBERP X)) (EQUAL (CONS (CAR LIST) (FIRSTN (CDR LIST) (SUB1 X))) LIST)), which again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (OR (EQUAL X 0) (NOT (NUMBERP X))) (NOT (LESSP X (LENGTH LIST)))) (EQUAL (FIRSTN LIST X) LIST)), which simplifies, expanding the functions LENGTH, NOT, OR, EQUAL, and LESSP, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (LESSP (SUB1 X) (LENGTH (CDR LIST))) (NOT (LESSP X (LENGTH LIST)))) (EQUAL (FIRSTN LIST X) LIST)), which simplifies, applying SUB1-ADD1, and unfolding the functions LENGTH, NOT, OR, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (EQUAL (FIRSTN (CDR LIST) (SUB1 X)) (CDR LIST)) (NOT (LESSP X (LENGTH LIST)))) (EQUAL (FIRSTN LIST X) LIST)). This simplifies, rewriting with the lemmas SUB1-ADD1 and CONS-CAR-CDR, and opening up the definitions of LENGTH, NOT, OR, LESSP, and FIRSTN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] FIRSTN-NOOP (PROVE-LEMMA XOR-BVS-DELETE-HIGH-BITS (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE)))))) WARNING: Note that XOR-BVS-DELETE-HIGH-BITS contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This formula simplifies, opening up the functions NOT and OR, to the following three new conjectures: Case 3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) NIL)). However this again simplifies, opening up GOOD-STATE-OF-SIZE, LISTP, DELETE-HIGH-BITS, XOR-BVS, and EQUAL, to: T. Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LESSP 1 SIZE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) NIL)), which we will name *1. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (CDR (XOR-BVS STATE)))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE))))). We gave this the name *1 above. Perhaps we can prove it by induction. Four inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (CDR STATE) SIZE)) (p STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following three new conjectures: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE))))). This simplifies, rewriting with the lemma EQUAL-LENGTH-0, and expanding GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (IF (OR (NOT (LISTP (CDR STATE))) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS (CDR STATE))))) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE))))). This simplifies, rewriting with the lemmas EQUAL-LENGTH-0, CAR-CONS, LISTP-DELETE-HIGH-BITS, CDR-CONS, BVP-FIX-XOR-BV-IDENTITY, CDR-NLISTP, and COMMUTATIVITY-OF-XOR-BV, and expanding the functions NOT, OR, GOOD-STATE-OF-SIZE, DELETE-HIGH-BITS, XOR-BVS, FIX-XOR-BV, LESSP, EQUAL, XOR-BV, and LISTP, to the following four new conjectures: Case 2.4. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) NIL) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LESSP 1 SIZE))) (EQUAL (FIX-XOR-BV (CDAR STATE)) NIL)). This again simplifies, appealing to the lemma LISTP-DELETE-HIGH-BITS, and expanding the definitions of XOR-BVS, EQUAL, and GOOD-STATE-OF-SIZE, to: (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (BVP (CAR STATE)) (EQUAL (CDR STATE) NIL) (NOT (LESSP 1 (LENGTH (CAR STATE))))) (EQUAL (FIX-XOR-BV (CDAR STATE)) NIL)). However this again simplifies, opening up the function LISTP, to: (IMPLIES (AND (LISTP STATE) (BVP (CAR STATE)) (EQUAL (CDR STATE) NIL) (NOT (LESSP 1 (LENGTH (CAR STATE))))) (EQUAL (FIX-XOR-BV (CDAR STATE)) NIL)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and X by (CONS W V) to eliminate (CDR X) and (CAR X). The result is two new formulas: Case 2.4.2. (IMPLIES (AND (NOT (LISTP X)) (BVP X) (EQUAL Z NIL) (NOT (LESSP 1 (LENGTH X)))) (EQUAL (FIX-XOR-BV (CDR X)) NIL)), which further simplifies, expanding the definitions of BVP, LENGTH, LESSP, CDR, FIX-XOR-BV, and EQUAL, to: T. Case 2.4.1. (IMPLIES (AND (BVP (CONS W V)) (EQUAL Z NIL) (NOT (LESSP 1 (LENGTH (CONS W V))))) (EQUAL (FIX-XOR-BV V) NIL)), which further simplifies, applying CDR-CONS, CAR-CONS, SUB1-ADD1, EQUAL-LENGTH-0, and BVP-FIX-XOR-BV-IDENTITY, and unfolding BITP, BVP, LENGTH, SUB1, NUMBERP, EQUAL, and LESSP, to the following two new goals: Case 2.4.1.2. (IMPLIES (AND (EQUAL W 1) (BVP V) (NOT (LISTP V))) (EQUAL V NIL)). However this finally simplifies, unfolding BVP, to: T. Case 2.4.1.1. (IMPLIES (AND (EQUAL W 0) (BVP V) (NOT (LISTP V))) (EQUAL V NIL)), which finally simplifies, unfolding the function BVP, to: T. Case 2.3. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) NIL) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP 1 SIZE)) (EQUAL (FIX-XOR-BV (CDAR STATE)) (CDAR STATE))), which again simplifies, rewriting with the lemma LISTP-DELETE-HIGH-BITS, and unfolding the definitions of XOR-BVS, EQUAL, and GOOD-STATE-OF-SIZE, to: (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (BVP (CAR STATE)) (EQUAL (CDR STATE) NIL) (LESSP 1 (LENGTH (CAR STATE)))) (EQUAL (FIX-XOR-BV (CDAR STATE)) (CDAR STATE))). However this again simplifies, unfolding the function LISTP, to: (IMPLIES (AND (LISTP STATE) (BVP (CAR STATE)) (EQUAL (CDR STATE) NIL) (LESSP 1 (LENGTH (CAR STATE)))) (EQUAL (FIX-XOR-BV (CDAR STATE)) (CDAR STATE))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and X by (CONS W V) to eliminate (CDR X) and (CAR X). We must thus prove two new conjectures: Case 2.3.2. (IMPLIES (AND (NOT (LISTP X)) (BVP X) (EQUAL Z NIL) (LESSP 1 (LENGTH X))) (EQUAL (FIX-XOR-BV (CDR X)) (CDR X))), which further simplifies, opening up the functions BVP, LENGTH, and LESSP, to: T. Case 2.3.1. (IMPLIES (AND (BVP (CONS W V)) (EQUAL Z NIL) (LESSP 1 (LENGTH (CONS W V)))) (EQUAL (FIX-XOR-BV V) V)), which further simplifies, rewriting with the lemmas CDR-CONS, CAR-CONS, SUB1-ADD1, EQUAL-LENGTH-0, and BVP-FIX-XOR-BV-IDENTITY, and unfolding BITP, BVP, LENGTH, SUB1, NUMBERP, EQUAL, and LESSP, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (NOT (LESSP 1 SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) NIL) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP (CDR STATE)))) (EQUAL (FIX-XOR-BV (CDAR STATE)) NIL)), which again simplifies, rewriting with the lemma LISTP-DELETE-HIGH-BITS, and expanding the definitions of XOR-BVS, EQUAL, GOOD-STATE-OF-SIZE, and LISTP, to: (IMPLIES (AND (LISTP STATE) (NOT (LESSP 1 (LENGTH (CAR STATE)))) (BVP (CAR STATE)) (EQUAL (CDR STATE) NIL)) (EQUAL (FIX-XOR-BV (CDAR STATE)) NIL)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and X by (CONS W V) to eliminate (CDR X) and (CAR X). We must thus prove two new formulas: Case 2.2.2. (IMPLIES (AND (NOT (LISTP X)) (NOT (LESSP 1 (LENGTH X))) (BVP X) (EQUAL Z NIL)) (EQUAL (FIX-XOR-BV (CDR X)) NIL)), which further simplifies, expanding LENGTH, LESSP, BVP, CDR, FIX-XOR-BV, and EQUAL, to: T. Case 2.2.1. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CONS W V)))) (BVP (CONS W V)) (EQUAL Z NIL)) (EQUAL (FIX-XOR-BV V) NIL)), which further simplifies, rewriting with the lemmas CDR-CONS, SUB1-ADD1, EQUAL-LENGTH-0, and CAR-CONS, and opening up LENGTH, SUB1, NUMBERP, EQUAL, LESSP, BITP, BVP, and FIX-XOR-BV, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 SIZE) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))))), which again simplifies, applying LISTP-XOR-BVS and EQUAL-LENGTH-0, and unfolding the functions XOR, LESSP, EQUAL, and XOR-BV, to the following ten new conjectures: Case 2.1.10. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (NOT (LISTP (CAR STATE)))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR NIL))). But this again simplifies, expanding the definitions of LENGTH and LESSP, to: T. Case 2.1.9. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (EQUAL (CAAR STATE) 0)) (NUMBERP (CAAR STATE)) (NOT (NUMBERP (CAR (XOR-BVS (CDR STATE)))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 1 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))), which again simplifies, appealing to the lemma CDR-CONS, to: T. Case 2.1.8. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (EQUAL (CAAR STATE) 0)) (NUMBERP (CAAR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 1 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))), which again simplifies, applying CDR-CONS, to: T. Case 2.1.7. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (NUMBERP (CAAR STATE))) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (NUMBERP (CAR (XOR-BVS (CDR STATE))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 1 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))). This again simplifies, expanding the definitions of BITP and BVP, to: T. Case 2.1.6. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (EQUAL (CAAR STATE) 0) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (NUMBERP (CAR (XOR-BVS (CDR STATE))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 1 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))), which again simplifies, rewriting with CDR-CONS, to: T. Case 2.1.5. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (EQUAL (CAAR STATE) 0) (NOT (NUMBERP (CAR (XOR-BVS (CDR STATE)))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 0 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))). However this again simplifies, applying CDR-CONS, to: T. Case 2.1.4. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (EQUAL (CAAR STATE) 0) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 0 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))). But this again simplifies, applying CDR-CONS, to: T. Case 2.1.3. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (NUMBERP (CAAR STATE))) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 0 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))). But this again simplifies, unfolding BITP and BVP, to: T. Case 2.1.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (NUMBERP (CAAR STATE))) (NOT (NUMBERP (CAR (XOR-BVS (CDR STATE)))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 0 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))), which again simplifies, opening up the definitions of BITP and BVP, to: T. Case 2.1.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP 1 (LENGTH (CAR STATE))) (EQUAL (XOR-BVS (DELETE-HIGH-BITS (CDR STATE))) (CDR (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (NOT (EQUAL (CAAR STATE) 0)) (NUMBERP (CAAR STATE)) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (NUMBERP (CAR (XOR-BVS (CDR STATE))))) (EQUAL (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))) (CDR (CONS 0 (XOR-BV (CDAR STATE) (CDR (XOR-BVS (CDR STATE)))))))), which again simplifies, rewriting with CDR-CONS, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE))))). This simplifies, expanding the functions GOOD-STATE-OF-SIZE, DELETE-HIGH-BITS, XOR-BVS, LISTP, NOT, OR, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.3 0.1 ] XOR-BVS-DELETE-HIGH-BITS (PROVE-LEMMA LENGTH-XOR-BVS (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH (XOR-BVS STATE)) (IF (LISTP STATE) (FIX SIZE) 0))) ((INDUCT (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)))) WARNING: Note that LENGTH-XOR-BVS contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, and LISTP-DELETE-HIGH-BITS, to the following two new conjectures: Case 2. (IMPLIES (AND (ZEROP SIZE) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LENGTH (XOR-BVS STATE)) (IF (LISTP STATE) (FIX SIZE) 0))). This simplifies, applying the lemma LISTP-XOR-BVS, and unfolding ZEROP, LESSP, LENGTH, FIX, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 SIZE)) (EQUAL (LENGTH (XOR-BVS (DELETE-HIGH-BITS STATE))) (IF (LISTP STATE) (FIX (SUB1 SIZE)) 0))) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LENGTH (XOR-BVS STATE)) (IF (LISTP STATE) (FIX SIZE) 0))). This simplifies, applying the lemmas ADD1-SUB1, GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS, EQUAL-SUB1-0, XOR-BVS-DELETE-HIGH-BITS, LISTP-XOR-BVS, and EQUAL-LENGTH-1, and opening up the definitions of SUB1, NUMBERP, EQUAL, LESSP, FIX, IMPLIES, GOOD-STATE-OF-SIZE, XOR-BVS, LENGTH, and LISTP, to the new goal: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (EQUAL SIZE 1) (EQUAL (LENGTH NIL) (SUB1 SIZE)) (GOOD-STATE-OF-SIZE STATE 1)) (NOT (LISTP (CDR (XOR-BVS STATE))))), which again simplifies, unfolding the definitions of EQUAL, NUMBERP, LENGTH, and SUB1, to: (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 1)) (NOT (LISTP (CDR (XOR-BVS STATE))))). Give the above formula the name *1. Perhaps we can prove it by induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (p (CDR STATE))) (p STATE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE)))) (p STATE)) (IMPLIES (NOT (LISTP STATE)) (p STATE))). Linear arithmetic, the lemma SUB1-ADD1, and the definitions of LESSP and LENGTH can be used to establish that the measure (LENGTH STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to three new goals: Case 3. (IMPLIES (AND (LISTP (CDR STATE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) 1)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 1)) (NOT (LISTP (CDR (XOR-BVS STATE))))), which simplifies, applying EQUAL-LENGTH-1, and unfolding the functions GOOD-STATE-OF-SIZE and NUMBERP, to: T. Case 2. (IMPLIES (AND (LISTP (CDR STATE)) (NOT (LISTP (CDR (XOR-BVS (CDR STATE))))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 1)) (NOT (LISTP (CDR (XOR-BVS STATE))))). This simplifies, rewriting with EQUAL-LENGTH-1, and expanding the definitions of GOOD-STATE-OF-SIZE, NUMBERP, and XOR-BVS, to the goal: (IMPLIES (AND (LISTP (CDR STATE)) (NOT (LISTP (CDR (XOR-BVS (CDR STATE))))) (LISTP STATE) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1)) (NOT (LISTP (CDR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))))))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE) and Z by (CONS W V) to eliminate (CDR Z) and (CAR Z). The result is: (IMPLIES (AND (LISTP X) (NOT (LISTP (CDR (XOR-BVS X)))) (BVP (CONS W V)) (NOT (LISTP V)) (GOOD-STATE-OF-SIZE X 1)) (NOT (LISTP (CDR (XOR-BV (CONS W V) (XOR-BVS X)))))). This further simplifies, rewriting with CDR-CONS, CAR-CONS, and LISTP-XOR-BVS, and opening up the functions BITP, BVP, LISTP, CONS, CDR, XOR, EQUAL, NUMBERP, CAR, LESSP, and XOR-BV, to: T. Case 1. (IMPLIES (AND (NOT (LISTP (CDR STATE))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 1)) (NOT (LISTP (CDR (XOR-BVS STATE))))). This simplifies, rewriting with EQUAL-LENGTH-1 and BVP-FIX-XOR-BV-IDENTITY, and opening up the functions GOOD-STATE-OF-SIZE, NUMBERP, and XOR-BVS, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LENGTH-XOR-BVS (PROVE-LEMMA LISTP-DELETE-PILE (REWRITE) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) (AND (LISTP STATE) (NOT (AND (ZEROP PLACE) (NOT (LISTP (CDR STATE)))))))) This simplifies, expanding ZEROP, NOT, and AND, to five new goals: Case 5. (IMPLIES (NOT (LISTP STATE)) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) F)), which again simplifies, opening up the definitions of DELETE-PILE and EQUAL, to: T. Case 4. (IMPLIES (AND (EQUAL PLACE 0) (NOT (LISTP (CDR STATE)))) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) F)), which again simplifies, expanding the definitions of EQUAL and DELETE-PILE, to: T. Case 3. (IMPLIES (AND (NOT (NUMBERP PLACE)) (NOT (LISTP (CDR STATE)))) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) F)), which again simplifies, unfolding the definitions of DELETE-PILE and EQUAL, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE))) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) T)), which again simplifies, obviously, to: (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE))) (LISTP (DELETE-PILE PLACE STATE))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). We thus obtain: (IMPLIES (LISTP X) (LISTP (DELETE-PILE PLACE (CONS Z X)))), which further simplifies, applying CAR-CONS and CDR-CONS, and expanding the function DELETE-PILE, to: T. Case 1. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (LISTP (DELETE-PILE PLACE STATE)) T)). This again simplifies, trivially, to: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (DELETE-PILE PLACE STATE))), which we will name *1. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest two inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE)) (IMPLIES (AND (LISTP STATE) (ZEROP PLACE)) (p PLACE STATE)) (IMPLIES (AND (LISTP STATE) (NOT (ZEROP PLACE)) (p (SUB1 PLACE) (CDR STATE))) (p PLACE STATE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme generates the following four new goals: Case 4. (IMPLIES (AND (ZEROP PLACE) (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (DELETE-PILE PLACE STATE))). This simplifies, unfolding the definition of ZEROP, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP PLACE)) (NOT (LISTP (CDR STATE))) (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (DELETE-PILE PLACE STATE))). This simplifies, unfolding the functions ZEROP and DELETE-PILE, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP PLACE)) (EQUAL (SUB1 PLACE) 0) (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (DELETE-PILE PLACE STATE))). This simplifies, using linear arithmetic, applying EQUAL-BITP-SIMPLIFY and EQUAL-SUB1-0, and opening up the definitions of EQUAL, BITP, ZEROP, and NUMBERP, to: (IMPLIES (AND (EQUAL PLACE 1) (LISTP STATE)) (LISTP (DELETE-PILE 1 STATE))). This again simplifies, clearly, to: (IMPLIES (LISTP STATE) (LISTP (DELETE-PILE 1 STATE))), which we will name *1.1. Case 1. (IMPLIES (AND (NOT (ZEROP PLACE)) (LISTP (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (LISTP STATE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (LISTP (DELETE-PILE PLACE STATE))). This simplifies, opening up the functions ZEROP and DELETE-PILE, to: T. So we now return to: (IMPLIES (LISTP STATE) (LISTP (DELETE-PILE 1 STATE))), which is formula *1.1 above. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP STATE)) (p STATE)) (IMPLIES (AND (LISTP STATE) (ZEROP 1)) (p STATE)) (IMPLIES (AND (LISTP STATE) (NOT (ZEROP 1)) (p (CDR STATE))) (p STATE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following three new goals: Case 3. (IMPLIES (AND (ZEROP 1) (LISTP STATE)) (LISTP (DELETE-PILE 1 STATE))). This simplifies, opening up the definition of ZEROP, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP 1)) (NOT (LISTP (CDR STATE))) (LISTP STATE)) (LISTP (DELETE-PILE 1 STATE))). This simplifies, rewriting with CONS-CAR-CDR, and opening up the definitions of ZEROP, DELETE-PILE, EQUAL, NUMBERP, and SUB1, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP 1)) (LISTP (DELETE-PILE 1 (CDR STATE))) (LISTP STATE)) (LISTP (DELETE-PILE 1 STATE))), which simplifies, expanding ZEROP, DELETE-PILE, EQUAL, NUMBERP, and SUB1, to: T. That finishes the proof of *1.1, which, consequently, finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.1 ] LISTP-DELETE-PILE (PROVE-LEMMA XOR-BVS-DELETE-PILE (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (DELETE-PILE PLACE STATE)) (IF (LESSP 1 (LENGTH STATE)) (XOR-BV (GET PLACE STATE) (XOR-BVS STATE)) NIL))) ((INDUCT (LESSP-BV-RECURSION STATE PLACE)))) WARNING: Note that XOR-BVS-DELETE-PILE contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP PLACE) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (DELETE-PILE PLACE STATE)) (IF (LESSP 1 (LENGTH STATE)) (XOR-BV (GET PLACE STATE) (XOR-BVS STATE)) NIL))). This simplifies, appealing to the lemma EQUAL-LENGTH-0, and unfolding ZEROP, EQUAL, LESSP, DELETE-PILE, and GET, to the following four new formulas: Case 2.4. (IMPLIES (AND (EQUAL PLACE 0) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (NOT (LESSP 1 (LENGTH STATE)))) (EQUAL (XOR-BVS (CDR STATE)) NIL)). This again simplifies, trivially, to: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (NOT (LESSP 1 (LENGTH STATE)))) (EQUAL (XOR-BVS (CDR STATE)) NIL)). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). We would thus like to prove: (IMPLIES (AND (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (NOT (LESSP 1 (LENGTH (CONS Z X))))) (EQUAL (XOR-BVS X) NIL)), which further simplifies, applying the lemmas EQUAL-LENGTH-0, CDR-CONS, CAR-CONS, and SUB1-ADD1, and unfolding the functions GOOD-STATE-OF-SIZE, LENGTH, SUB1, NUMBERP, EQUAL, LESSP, and XOR-BVS, to: T. Case 2.3. (IMPLIES (AND (EQUAL PLACE 0) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (XOR-BVS STATE)))), which again simplifies, expanding the definition of XOR-BVS, to two new formulas: Case 2.3.2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (NOT (LISTP (CDR STATE)))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (FIX-XOR-BV (CAR STATE))))), which again simplifies, applying XOR-BV-FIX-XOR-BV, and unfolding XOR-BVS, to: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (NOT (LISTP (CDR STATE)))) (EQUAL NIL (XOR-BV (CAR STATE) (CAR STATE)))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). We thus obtain: (IMPLIES (AND (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (LESSP 1 (LENGTH (CONS Z X))) (NOT (LISTP X))) (EQUAL NIL (XOR-BV Z Z))), which further simplifies, rewriting with EQUAL-LENGTH-0, CDR-CONS, and CAR-CONS, and opening up the functions GOOD-STATE-OF-SIZE, ADD1, LENGTH, and LESSP, to: T. Case 2.3.1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))))). This again simplifies, rewriting with BVP-XOR-BVS, BVP-FIX-XOR-BV-IDENTITY, and XOR-BV-INVERSE, and expanding the function MIN, to the following two new conjectures: Case 2.3.1.2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE)) (NOT (LESSP (LENGTH (CAR STATE)) (LENGTH (XOR-BVS (CDR STATE)))))) (EQUAL (XOR-BVS (CDR STATE)) (FIRSTN (XOR-BVS (CDR STATE)) (LENGTH (XOR-BVS (CDR STATE)))))). This again simplifies, using linear arithmetic and rewriting with FIRSTN-NOOP, to: T. Case 2.3.1.1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE)) (LESSP (LENGTH (CAR STATE)) (LENGTH (XOR-BVS (CDR STATE))))) (EQUAL (XOR-BVS (CDR STATE)) (FIRSTN (XOR-BVS (CDR STATE)) (LENGTH (CAR STATE))))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). We must thus prove the goal: (IMPLIES (AND (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (LESSP 1 (LENGTH (CONS Z X))) (LISTP X) (LESSP (LENGTH Z) (LENGTH (XOR-BVS X)))) (EQUAL (XOR-BVS X) (FIRSTN (XOR-BVS X) (LENGTH Z)))). But this further simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, CDR-CONS, CAR-CONS, SUB1-ADD1, LENGTH-XOR-BVS, and FIRSTN-NOOP, and opening up the definitions of GOOD-STATE-OF-SIZE, LENGTH, SUB1, NUMBERP, EQUAL, and LESSP, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (NOT (LESSP 1 (LENGTH STATE)))) (EQUAL (XOR-BVS (CDR STATE)) NIL)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). This generates: (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (NOT (LESSP 1 (LENGTH (CONS Z X))))) (EQUAL (XOR-BVS X) NIL)). But this further simplifies, applying the lemmas EQUAL-LENGTH-0, CDR-CONS, CAR-CONS, and SUB1-ADD1, and unfolding the functions GOOD-STATE-OF-SIZE, LENGTH, SUB1, NUMBERP, EQUAL, LESSP, and XOR-BVS, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (XOR-BVS STATE)))), which again simplifies, unfolding XOR-BVS, to two new formulas: Case 2.1.2. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (NOT (LISTP (CDR STATE)))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (FIX-XOR-BV (CAR STATE))))), which again simplifies, applying XOR-BV-FIX-XOR-BV, and opening up the function XOR-BVS, to the new conjecture: (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (NOT (LISTP (CDR STATE)))) (EQUAL NIL (XOR-BV (CAR STATE) (CAR STATE)))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). This produces: (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (LESSP 1 (LENGTH (CONS Z X))) (NOT (LISTP X))) (EQUAL NIL (XOR-BV Z Z))), which further simplifies, applying EQUAL-LENGTH-0, CDR-CONS, and CAR-CONS, and expanding the functions GOOD-STATE-OF-SIZE, ADD1, LENGTH, and LESSP, to: T. Case 2.1.1. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE))) (EQUAL (XOR-BVS (CDR STATE)) (XOR-BV (CAR STATE) (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))))). This again simplifies, rewriting with the lemmas BVP-XOR-BVS, BVP-FIX-XOR-BV-IDENTITY, and XOR-BV-INVERSE, and opening up MIN, to two new conjectures: Case 2.1.1.2. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE)) (NOT (LESSP (LENGTH (CAR STATE)) (LENGTH (XOR-BVS (CDR STATE)))))) (EQUAL (XOR-BVS (CDR STATE)) (FIRSTN (XOR-BVS (CDR STATE)) (LENGTH (XOR-BVS (CDR STATE)))))), which again simplifies, using linear arithmetic and rewriting with the lemma FIRSTN-NOOP, to: T. Case 2.1.1.1. (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LESSP 1 (LENGTH STATE)) (LISTP (CDR STATE)) (LESSP (LENGTH (CAR STATE)) (LENGTH (XOR-BVS (CDR STATE))))) (EQUAL (XOR-BVS (CDR STATE)) (FIRSTN (XOR-BVS (CDR STATE)) (LENGTH (CAR STATE))))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). This produces the new conjecture: (IMPLIES (AND (NOT (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE (CONS Z X) SIZE) (LESSP 1 (LENGTH (CONS Z X))) (LISTP X) (LESSP (LENGTH Z) (LENGTH (XOR-BVS X)))) (EQUAL (XOR-BVS X) (FIRSTN (XOR-BVS X) (LENGTH Z)))), which further simplifies, using linear arithmetic, applying the lemmas EQUAL-LENGTH-0, CDR-CONS, CAR-CONS, SUB1-ADD1, LENGTH-XOR-BVS, and FIRSTN-NOOP, and unfolding the functions GOOD-STATE-OF-SIZE, LENGTH, SUB1, NUMBERP, EQUAL, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (IMPLIES (AND (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (IF (LESSP 1 (LENGTH (CDR STATE))) (XOR-BV (GET (SUB1 PLACE) (CDR STATE)) (XOR-BVS (CDR STATE))) NIL))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (DELETE-PILE PLACE STATE)) (IF (LESSP 1 (LENGTH STATE)) (XOR-BV (GET PLACE STATE) (XOR-BVS STATE)) NIL))), which simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, EQUAL-LENGTH-0, SUB1-ADD1, BVP-FIX-XOR-BV-IDENTITY, CAR-CONS, LISTP-DELETE-PILE, EQUAL-SUB1-0, CDR-CONS, and COMMUTATIVITY2-OF-XOR-BV, and expanding the functions AND, IMPLIES, GOOD-STATE-OF-SIZE, LENGTH, EQUAL, LESSP, DELETE-PILE, XOR-BV, LISTP, XOR-BVS, SUB1, NUMBERP, and GET, to the following ten new conjectures: Case 1.10. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (EQUAL PLACE 1) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) NIL)). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR STATE)) 1) (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 1)) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 1) 1) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) NIL)). But this again simplifies, applying EQUAL-LENGTH-0, EQUAL-LENGTH-1, and EQUAL-BIT-1, and opening up the functions BITP, EQUAL, NUMBERP, LESSP, SUB1, DELETE-PILE, XOR-BVS, and BVP, to: T. Case 1.9. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 1) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). But this again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (EQUAL (LENGTH (CDR STATE)) 1) (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 1)) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 1) 1) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). However this again simplifies, expanding the functions LENGTH and EQUAL, to: T. Case 1.8. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP (LENGTH (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP (SUB1 1) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR STATE)) 1) (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 1)) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP (LENGTH (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP (SUB1 1) 1) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). But this again simplifies, unfolding the definitions of LENGTH and EQUAL, to: T. Case 1.7. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (LISTP (CDR STATE)) (LISTP (CDDR STATE))) (EQUAL NIL (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP (LENGTH (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP (SUB1 1) (LENGTH (CDR STATE))) (LISTP (CDR STATE)) (LISTP (CDDR STATE))) (EQUAL NIL (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 1) (CDR STATE)))))). This again simplifies, using linear arithmetic, to the formula: (IMPLIES (AND (EQUAL (LENGTH (CDR STATE)) 1) (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 1)) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP (LENGTH (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP (SUB1 1) 1) (LISTP (CDR STATE)) (LISTP (CDDR STATE))) (EQUAL NIL (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 1) (CDR STATE)))))). However this again simplifies, applying EQUAL-LENGTH-1, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (LISTP (CDR STATE)) (NOT (EQUAL PLACE 1))) (EQUAL NIL (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))))). But this again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LESSP 1 (LENGTH (CDR STATE)))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (LISTP (CDR STATE)) (EQUAL PLACE 1) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR STATE)) 1) (NOT (EQUAL 1 0)) (NUMBERP 1) (NOT (LESSP 1 1)) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 1) (CDR STATE))) NIL) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP (LENGTH (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP (SUB1 1) 1) (LISTP (CDR STATE)) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 1) (CDR STATE)))))). However this again simplifies, rewriting with EQUAL-LENGTH-0, EQUAL-LENGTH-1, EQUAL-BITP-SIMPLIFY, EQUAL-BIT-1, and XOR-BV-FIX-XOR-BV, and expanding BITP, EQUAL, NUMBERP, LESSP, SUB1, DELETE-PILE, XOR-BVS, and GET, to: (IMPLIES (AND (LISTP STATE) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) (XOR-BV (CAR STATE) (XOR-BV (CADR STATE) (CADR STATE))))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and Z by (CONS W V) to eliminate (CDR Z) and (CAR Z). We thus obtain: (IMPLIES (AND (BVP X) (GOOD-STATE-OF-SIZE (CONS W V) (LENGTH X)) (NOT (LISTP V))) (EQUAL X (XOR-BV X (XOR-BV W W)))), which further simplifies, using linear arithmetic, applying CDR-CONS, CAR-CONS, COMMUTATIVITY-OF-XOR-BV, BVP-FIX-XOR-BV-IDENTITY, FIRSTN-NOOP, XOR-BV-INVERSE, and COMMUTATIVITY2-OF-XOR-BV, and opening up the functions GOOD-STATE-OF-SIZE, LISTP, and MIN, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (LESSP 1 (LENGTH (CDR STATE))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (EQUAL PLACE 1) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) NIL)). This again simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, and opening up the functions EQUAL, NUMBERP, SUB1, DELETE-PILE, XOR-BVS, GET, and BVP, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (LESSP 1 (LENGTH (CDR STATE))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)). This again simplifies, opening up the definitions of LENGTH and LESSP, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (LESSP 1 (LENGTH (CDR STATE))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (LISTP (CDR STATE)))) (EQUAL (CAR STATE) NIL)), which again simplifies, unfolding the functions LENGTH and LESSP, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (LESSP 1 (LENGTH (CDR STATE))) (EQUAL (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE))) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (LISTP (CDR STATE)) (EQUAL PLACE 1) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) (XOR-BV (CAR STATE) (XOR-BVS (DELETE-PILE (SUB1 PLACE) (CDR STATE)))))), which again simplifies, using linear arithmetic, applying XOR-BV-FIX-XOR-BV, EQUAL-BITP-SIMPLIFY, EQUAL-LENGTH-1, EQUAL-LENGTH-0, and COMMUTATIVITY-OF-XOR-BV, and unfolding EQUAL, NUMBERP, SUB1, DELETE-PILE, XOR-BVS, GET, BITP, LESSP, LISTP, and XOR-BV, to the new formula: (IMPLIES (AND (LESSP 1 (LENGTH (CDR STATE))) (EQUAL NIL (XOR-BV (CADR STATE) (CADR STATE))) (LISTP STATE) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (NOT (LISTP (CDDR STATE)))) (EQUAL (CAR STATE) NIL)). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE) and X by (CONS V W) to eliminate (CAR X) and (CDR X). We thus obtain: (IMPLIES (AND (LESSP 1 (LENGTH (CONS V W))) (EQUAL NIL (XOR-BV V V)) (BVP Z) (GOOD-STATE-OF-SIZE (CONS V W) (LENGTH Z)) (NOT (LISTP W))) (EQUAL Z NIL)), which further simplifies, applying CDR-CONS, and expanding the definitions of LENGTH, ADD1, and LESSP, to: T. Q.E.D. [ 0.0 0.8 0.0 ] XOR-BVS-DELETE-PILE (PROVE-LEMMA LISTP-DELETE-PILE-DELETE-HIGH-BITS (REWRITE) (EQUAL (LISTP (DELETE-PILE PLACE (DELETE-HIGH-BITS STATE))) (LISTP (DELETE-PILE PLACE STATE)))) WARNING: the previously added lemma, LISTP-DELETE-PILE, could be applied whenever the newly proposed LISTP-DELETE-PILE-DELETE-HIGH-BITS could! This simplifies, rewriting with LISTP-DELETE-HIGH-BITS and LISTP-DELETE-PILE, to two new formulas: Case 2. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP PLACE))) (EQUAL (LISTP (CDR (DELETE-HIGH-BITS STATE))) (LISTP (CDR STATE)))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). We would thus like to prove the new conjecture: (IMPLIES (NOT (NUMBERP PLACE)) (EQUAL (LISTP (CDR (DELETE-HIGH-BITS (CONS Z X)))) (LISTP X))), which further simplifies, applying the lemmas CDR-CONS, CAR-CONS, and LISTP-DELETE-HIGH-BITS, and expanding DELETE-HIGH-BITS, to: T. Case 1. (IMPLIES (AND (LISTP STATE) (EQUAL PLACE 0)) (EQUAL (LISTP (CDR (DELETE-HIGH-BITS STATE))) (LISTP (CDR STATE)))), which again simplifies, trivially, to: (IMPLIES (LISTP STATE) (EQUAL (LISTP (CDR (DELETE-HIGH-BITS STATE))) (LISTP (CDR STATE)))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE). This produces the new conjecture: (EQUAL (LISTP (CDR (DELETE-HIGH-BITS (CONS Z X)))) (LISTP X)), which further simplifies, applying CDR-CONS, CAR-CONS, and LISTP-DELETE-HIGH-BITS, and opening up the function DELETE-HIGH-BITS, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LISTP-DELETE-PILE-DELETE-HIGH-BITS (PROVE-LEMMA GET-DELETE-HIGH-BITS (REWRITE) (EQUAL (GET PLACE (DELETE-HIGH-BITS STATE)) (CDR (GET PLACE STATE)))) Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest three inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP PLACE) (p PLACE STATE)) (IMPLIES (AND (NOT (ZEROP PLACE)) (p (SUB1 PLACE) (CDR STATE))) (p PLACE STATE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme produces the following two new formulas: Case 2. (IMPLIES (ZEROP PLACE) (EQUAL (GET PLACE (DELETE-HIGH-BITS STATE)) (CDR (GET PLACE STATE)))). This simplifies, expanding the definitions of ZEROP, DELETE-HIGH-BITS, EQUAL, and GET, to the following four new conjectures: Case 2.4. (IMPLIES (AND (EQUAL PLACE 0) (NOT (LISTP STATE))) (EQUAL (CAR NIL) (CDAR STATE))). This again simplifies, appealing to the lemma CAR-NLISTP, and opening up CAR, CDR, and EQUAL, to: T. Case 2.3. (IMPLIES (AND (EQUAL PLACE 0) (LISTP STATE)) (EQUAL (CAR (CONS (CDAR STATE) (DELETE-HIGH-BITS (CDR STATE)))) (CDAR STATE))), which again simplifies, applying the lemma CAR-CONS, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP PLACE)) (NOT (LISTP STATE))) (EQUAL (CAR NIL) (CDAR STATE))), which again simplifies, rewriting with CAR-NLISTP, and opening up CAR, CDR, and EQUAL, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP PLACE)) (LISTP STATE)) (EQUAL (CAR (CONS (CDAR STATE) (DELETE-HIGH-BITS (CDR STATE)))) (CDAR STATE))). However this again simplifies, rewriting with CAR-CONS, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP PLACE)) (EQUAL (GET (SUB1 PLACE) (DELETE-HIGH-BITS (CDR STATE))) (CDR (GET (SUB1 PLACE) (CDR STATE))))) (EQUAL (GET PLACE (DELETE-HIGH-BITS STATE)) (CDR (GET PLACE STATE)))). This simplifies, unfolding the definitions of ZEROP, DELETE-HIGH-BITS, and GET, to the following two new conjectures: Case 1.2. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (EQUAL (GET (SUB1 PLACE) (DELETE-HIGH-BITS (CDR STATE))) (CDR (GET (SUB1 PLACE) (CDR STATE)))) (NOT (LISTP STATE))) (EQUAL (GET PLACE NIL) (CDR (GET (SUB1 PLACE) (CDR STATE))))). However this again simplifies, using linear arithmetic, applying GET-OF-BAD-PLACE, and unfolding the function LENGTH, to the new goal: (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (EQUAL (GET (SUB1 PLACE) (DELETE-HIGH-BITS (CDR STATE))) (CDR (GET (SUB1 PLACE) (CDR STATE)))) (NOT (LISTP STATE))) (EQUAL 0 (CDR (GET (SUB1 PLACE) (CDR STATE))))), which further simplifies, using linear arithmetic, appealing to the lemmas CDR-NLISTP and GET-OF-BAD-PLACE, and opening up DELETE-HIGH-BITS, LENGTH, CDR, and EQUAL, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (EQUAL (GET (SUB1 PLACE) (DELETE-HIGH-BITS (CDR STATE))) (CDR (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE)) (EQUAL (GET PLACE (CONS (CDAR STATE) (DELETE-HIGH-BITS (CDR STATE)))) (CDR (GET (SUB1 PLACE) (CDR STATE))))), which again simplifies, appealing to the lemma CDR-CONS, and opening up GET, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] GET-DELETE-HIGH-BITS (PROVE-LEMMA DELETE-PILE-DELETE-HIGH-BITS (REWRITE) (EQUAL (DELETE-PILE PLACE (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS (DELETE-PILE PLACE STATE)))) Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest four inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP (DELETE-HIGH-BITS STATE))) (p PLACE STATE)) (IMPLIES (AND (LISTP (DELETE-HIGH-BITS STATE)) (ZEROP PLACE)) (p PLACE STATE)) (IMPLIES (AND (LISTP (DELETE-HIGH-BITS STATE)) (NOT (ZEROP PLACE)) (p (SUB1 PLACE) (CDR STATE))) (p PLACE STATE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT PLACE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (NOT (LISTP (DELETE-HIGH-BITS STATE))) (EQUAL (DELETE-PILE PLACE (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS (DELETE-PILE PLACE STATE)))). This simplifies, expanding the definitions of DELETE-HIGH-BITS, LISTP, DELETE-PILE, and EQUAL, to: T. Case 2. (IMPLIES (AND (LISTP (DELETE-HIGH-BITS STATE)) (ZEROP PLACE)) (EQUAL (DELETE-PILE PLACE (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS (DELETE-PILE PLACE STATE)))). This simplifies, applying CDR-CONS, and expanding the definitions of DELETE-HIGH-BITS, ZEROP, EQUAL, and DELETE-PILE, to: T. Case 1. (IMPLIES (AND (LISTP (DELETE-HIGH-BITS STATE)) (NOT (ZEROP PLACE)) (EQUAL (DELETE-PILE (SUB1 PLACE) (DELETE-HIGH-BITS (CDR STATE))) (DELETE-HIGH-BITS (DELETE-PILE (SUB1 PLACE) (CDR STATE))))) (EQUAL (DELETE-PILE PLACE (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS (DELETE-PILE PLACE STATE)))), which simplifies, rewriting with the lemmas CDR-CONS and CAR-CONS, and opening up the functions DELETE-HIGH-BITS, ZEROP, and DELETE-PILE, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] DELETE-PILE-DELETE-HIGH-BITS (PROVE-LEMMA GOOD-STATE-OF-SIZE-DELETE-PILE (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (GOOD-STATE-OF-SIZE (DELETE-PILE PLACE STATE) SIZE))) Give the conjecture the name *1. Let us appeal to the induction principle. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 PLACE) (CDR STATE) SIZE)) (p PLACE STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for PLACE. The above induction scheme generates three new conjectures: Case 3. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (GOOD-STATE-OF-SIZE (DELETE-PILE PLACE STATE) SIZE)), which simplifies, applying EQUAL-LENGTH-0, and opening up GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-PILE (SUB1 PLACE) (CDR STATE)) SIZE) (GOOD-STATE-OF-SIZE STATE SIZE)) (GOOD-STATE-OF-SIZE (DELETE-PILE PLACE STATE) SIZE)). This simplifies, applying the lemma EQUAL-LENGTH-0, and unfolding the functions GOOD-STATE-OF-SIZE and DELETE-PILE, to the following two new goals: Case 2.2. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-PILE (SUB1 PLACE) (CDR STATE)) SIZE) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE (CONS (CAR STATE) (DELETE-PILE (SUB1 PLACE) (CDR STATE))) SIZE)). But this again simplifies, rewriting with the lemmas CDR-CONS and CAR-CONS, and expanding GOOD-STATE-OF-SIZE, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-PILE (SUB1 PLACE) (CDR STATE)) SIZE) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (GOOD-STATE-OF-SIZE (CONS (CAR STATE) (DELETE-PILE (SUB1 PLACE) (CDR STATE))) SIZE)), which again simplifies, applying the lemmas CDR-CONS and CAR-CONS, and unfolding BVP, LISTP, EQUAL, LENGTH, and GOOD-STATE-OF-SIZE, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (GOOD-STATE-OF-SIZE (DELETE-PILE PLACE STATE) SIZE)), which simplifies, opening up the functions GOOD-STATE-OF-SIZE, LISTP, DELETE-PILE, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] GOOD-STATE-OF-SIZE-DELETE-PILE (PROVE-LEMMA SILLY-LISTP-CDR (REWRITE) (IMPLIES (LESSP 1 (LENGTH X)) (LISTP (CDR X)))) This formula simplifies, applying CDR-NLISTP, and opening up the functions LENGTH, ADD1, and LISTP, to the following two new formulas: Case 2. (IMPLIES (NOT (LISTP X)) (NOT (LESSP 1 0))). But this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (LISTP X) (LESSP 1 1)) (LISTP (CDR X))), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 0.0 0.0 ] SILLY-LISTP-CDR (PROVE-LEMMA NUMBERP-CAR-BV (REWRITE) (IMPLIES (BVP BV) (NUMBERP (CAR BV)))) This formula simplifies, unfolding the definitions of BITP, BVP, CAR, and NUMBERP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] NUMBERP-CAR-BV (PROVE-LEMMA LENGTH-DELETE-HIGH-BITS (REWRITE) (EQUAL (LENGTH (DELETE-HIGH-BITS X)) (LENGTH X))) Give the conjecture the name *1. We will appeal to induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LENGTH (DELETE-HIGH-BITS (CDR X))) (LENGTH (CDR X)))) (EQUAL (LENGTH (DELETE-HIGH-BITS X)) (LENGTH X))). This simplifies, applying CDR-CONS, and opening up the functions DELETE-HIGH-BITS and LENGTH, to: T. Case 1. (IMPLIES (NOT (LISTP X)) (EQUAL (LENGTH (DELETE-HIGH-BITS X)) (LENGTH X))), which simplifies, unfolding the functions DELETE-HIGH-BITS, LENGTH, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-DELETE-HIGH-BITS (PROVE-LEMMA XOR-BVS-DELETE-HIGH-BITS-2 (REWRITE) (IMPLIES (AND (NOT (EQUAL SIZE 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (XOR-BVS (DELETE-HIGH-BITS STATE)) (IF (OR (NOT (LISTP STATE)) (NOT (LESSP 1 SIZE))) NIL (CDR (XOR-BVS STATE)))))) WARNING: Note that XOR-BVS-DELETE-HIGH-BITS-2 contains the free variable SIZE which will be chosen by instantiating the hypothesis (NOT (EQUAL SIZE 0)). WARNING: the previously added lemma, XOR-BVS-DELETE-HIGH-BITS, could be applied whenever the newly proposed XOR-BVS-DELETE-HIGH-BITS-2 could! This conjecture simplifies, rewriting with XOR-BVS-DELETE-HIGH-BITS, and opening up NOT and OR, to: T. Q.E.D. [ 0.0 0.0 0.0 ] XOR-BVS-DELETE-HIGH-BITS-2 (PROVE-LEMMA LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC-HELPER NIL (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (HIGH-BIT-OUT-OF-SYNC PLACE STATE)) (LESSP-BV (XOR-BVS (DELETE-PILE PLACE STATE)) (GET PLACE STATE))) ((INDUCT (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)))) This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, GET-DELETE-HIGH-BITS, DELETE-PILE-DELETE-HIGH-BITS, and LENGTH-DELETE-HIGH-BITS, to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP SIZE) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (HIGH-BIT-OUT-OF-SYNC PLACE STATE)) (LESSP-BV (XOR-BVS (DELETE-PILE PLACE STATE)) (GET PLACE STATE))). This simplifies, appealing to the lemma HIGH-BIT-OUT-OF-SYNC-EMPTY, and opening up the function ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (AND (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 SIZE)) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (LESSP-BV (XOR-BVS (DELETE-HIGH-BITS (DELETE-PILE PLACE STATE))) (CDR (GET PLACE STATE)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (HIGH-BIT-OUT-OF-SYNC PLACE STATE)) (LESSP-BV (XOR-BVS (DELETE-PILE PLACE STATE)) (GET PLACE STATE))). This simplifies, using linear arithmetic, applying the lemmas ADD1-SUB1, GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS, GOOD-STATE-OF-SIZE-DELETE-PILE, SILLY-LISTP-CDR, LISTP-DELETE-PILE, EQUAL-SUB1-0, COMMUTATIVITY-OF-XOR-BV, XOR-BVS-DELETE-PILE, XOR-BVS-DELETE-HIGH-BITS-2, BVP-XOR-BVS, EQUAL-BIT-1, BVP-GET, BITP-CAR-BVP, CAR-XOR-BV, EQUAL-BITP-SIMPLIFY, NUMBERP-CAR-BV, LISTP-XOR-BV, LISTP-GET, and LISTP-XOR-BVS, and unfolding the definitions of AND, SUB1, NUMBERP, EQUAL, LESSP, IMPLIES, HIGH-BIT-OUT-OF-SYNC, XOR, LESSP-BV, GOOD-STATE-OF-SIZE, and LENGTH, to the following six new formulas: Case 1.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL SIZE 1) (LESSP-BV NIL (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE 1) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP STATE) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (LESSP-BV (XOR-BV (XOR-BVS STATE) (GET PLACE STATE)) (GET PLACE STATE))). But this again simplifies, expanding the functions EQUAL, NUMBERP, LISTP, and LESSP-BV, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL SIZE 1) (LESSP-BV NIL (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE 1) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP STATE) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (LESSP-BV (XOR-BV (XOR-BVS STATE) (GET PLACE STATE)) (GET PLACE STATE))), which again simplifies, opening up the definitions of EQUAL, NUMBERP, LISTP, and LESSP-BV, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (NOT (LESSP 1 (CAR (GET PLACE STATE))))) (EQUAL 1 (CAR (GET PLACE STATE)))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (NUMBERP (CAR (GET PLACE STATE)))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (NOT (LESSP 1 (CAR (GET PLACE STATE))))) (EQUAL 1 (CAR (GET PLACE STATE)))). But this again simplifies, using linear arithmetic and rewriting with BVP-GET and NUMBERP-CAR-BV, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))) (LESSP 0 (CAR (GET PLACE STATE)))). But this again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (NOT (NUMBERP (CAR (GET PLACE STATE)))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))) (LESSP 0 (CAR (GET PLACE STATE)))). But this again simplifies, using linear arithmetic and rewriting with BVP-GET and NUMBERP-CAR-BV, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (EQUAL (CAR (GET PLACE STATE)) 0) (NOT (LESSP 0 (CAR (GET PLACE STATE))))) (EQUAL 0 (CAR (GET PLACE STATE)))). This again simplifies, trivially, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (NOT (LESSP 1 (CAR (GET PLACE STATE))))) (EQUAL 1 (CAR (GET PLACE STATE)))). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (NUMBERP (CAR (GET PLACE STATE)))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (LESSP-BV (CDR (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))) (CDR (GET PLACE STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (LESSP 1 (LENGTH STATE)) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0) (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE)) (NOT (EQUAL (CAR (GET PLACE STATE)) 0)) (NOT (LESSP 1 (CAR (GET PLACE STATE))))) (EQUAL 1 (CAR (GET PLACE STATE)))). However this again simplifies, using linear arithmetic and applying BVP-GET and NUMBERP-CAR-BV, to: T. Q.E.D. [ 0.0 1.1 0.0 ] LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC-HELPER (DISABLE XOR-BVS-DELETE-HIGH-BITS-2) [ 0.0 0.0 0.0 ] XOR-BVS-DELETE-HIGH-BITS-2-OFF (PROVE-LEMMA HIGH-BIT-OUT-OF-SYNC-TRIVIAL (REWRITE) (IMPLIES (NOT (LESSP PLACE (LENGTH STATE))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE)))) Call the conjecture *1. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture, two of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (p PLACE (DELETE-HIGH-BITS STATE))) (p PLACE STATE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE)))) (p PLACE STATE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE))). Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE can be used to prove that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to four new goals: Case 4. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (LESSP PLACE (LENGTH (DELETE-HIGH-BITS STATE))) (NOT (LESSP PLACE (LENGTH STATE)))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which simplifies, applying the lemma LENGTH-DELETE-HIGH-BITS, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE (DELETE-HIGH-BITS STATE))) (NOT (LESSP PLACE (LENGTH STATE)))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))), which simplifies, applying GET-OF-BAD-PLACE, and unfolding HIGH-BIT-OUT-OF-SYNC, CAR, and EQUAL, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE))) (NOT (LESSP PLACE (LENGTH STATE)))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). This simplifies, expanding the function HIGH-BIT-OUT-OF-SYNC, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (NOT (LESSP PLACE (LENGTH STATE)))) (NOT (HIGH-BIT-OUT-OF-SYNC PLACE STATE))). This simplifies, opening up the functions LENGTH, EQUAL, LESSP, and HIGH-BIT-OUT-OF-SYNC, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] HIGH-BIT-OUT-OF-SYNC-TRIVIAL (PROVE-LEMMA LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP 1 (LENGTH STATE)) (HIGH-BIT-OUT-OF-SYNC PLACE STATE)) (LESSP-BV (XOR-BVS (DELETE-PILE PLACE STATE)) (GET PLACE STATE))) ((USE (LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC-HELPER)))) WARNING: Note that LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture simplifies, rewriting with HIGH-BIT-OUT-OF-SYNC-TRIVIAL, and unfolding the functions AND and IMPLIES, to: T. Q.E.D. [ 0.0 0.1 0.0 ] LESSP-WHEN-HIGH-BIT-OUT-OF-SYNC (PROVE-LEMMA BITP-CAR-XOR-BVS (REWRITE) (BITP (CAR (XOR-BVS BVS)))) WARNING: Note that the rewrite rule BITP-CAR-XOR-BVS will be stored so as to apply only to terms with the nonrecursive function symbol BITP. This conjecture can be simplified, using the abbreviation BITP, to: (IMPLIES (NOT (EQUAL (CAR (XOR-BVS BVS)) 0)) (EQUAL (CAR (XOR-BVS BVS)) 1)). This simplifies, rewriting with BITP-CAR-BVP, BVP-XOR-BVS, EQUAL-BITP-SIMPLIFY, and EQUAL-BIT-1, and unfolding EQUAL, to: T. Q.E.D. [ 0.0 0.0 0.0 ] BITP-CAR-XOR-BVS (PROVE-LEMMA HIGH-BIT-ON-WORKS (REWRITE) (IMPLIES (AND (EQUAL (CAR (XOR-BVS STATE)) 1) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1))) This simplifies, rewriting with BITP-CAR-XOR-BVS and EQUAL-BIT-1, to: (IMPLIES (AND (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)). Call the above conjecture *1. We will appeal to induction. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (p (CDR STATE))) (p STATE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE)))) (p STATE)) (IMPLIES (NOT (LISTP STATE)) (p STATE))). Linear arithmetic, the lemma SUB1-ADD1, and the definitions of LESSP and LENGTH establish that the measure (LENGTH STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following five new goals: Case 5. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)). This simplifies, applying BITP-CAR-BVP and EQUAL-BIT-1, and unfolding the functions XOR-BVS, BVSP, and HIGH-BIT-ON, to two new formulas: Case 5.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (NOT (EQUAL (CAAR STATE) 0))) (EQUAL (CAR (GET 0 STATE)) 1)), which again simplifies, rewriting with the lemmas BITP-CAR-BVP, EQUAL-BITP-SIMPLIFY, and EQUAL-BIT-1, and unfolding the functions EQUAL and GET, to: T. Case 5.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0)) (EQUAL (CAR (GET (ADD1 (HIGH-BIT-ON (CDR STATE))) STATE)) 1)), which again simplifies, applying SUB1-ADD1, and expanding the function GET, to the following two new conjectures: Case 5.1.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (EQUAL (CAR (GET 0 (CDR STATE))) 1)). However this again simplifies, unfolding the definitions of EQUAL and GET, to: (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (EQUAL (CAADR STATE) 1)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE), Z by (CONS V W) to eliminate (CAR Z) and (CDR Z), X by (CONS Z D) to eliminate (CAR X) and (CDR X), Z by (CONS X C) to eliminate (CAR Z) and (CDR Z), X by (CONS V W) to eliminate (CAR X) and (CDR X), and V by (CONS X D) to eliminate (CAR V) and (CDR V). This generates four new conjectures: Case 5.1.2.4. (IMPLIES (AND (NOT (LISTP V)) (NOT (LISTP Z)) (EQUAL (CAR (XOR-BVS (CONS V W))) 0) (NOT (EQUAL (CAR (XOR-BV Z (XOR-BVS (CONS V W)))) 0)) (BVP Z) (BVSP (CONS V W)) (EQUAL (CAR Z) 0) (NOT (NUMBERP (HIGH-BIT-ON (CONS V W))))) (EQUAL (CAR V) 1)), which further simplifies, rewriting with CAR-CONS, CDR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding the functions FIX-XOR-BV, XOR-BV, XOR-BVS, CAR, EQUAL, and LISTP, to: T. Case 5.1.2.3. (IMPLIES (AND (NOT (LISTP Z)) (EQUAL (CAR (XOR-BVS (CONS (CONS X D) W))) 0) (NOT (EQUAL (CAR (XOR-BV Z (XOR-BVS (CONS (CONS X D) W)))) 0)) (BVP Z) (BVSP (CONS (CONS X D) W)) (EQUAL (CAR Z) 0) (NOT (NUMBERP (HIGH-BIT-ON (CONS (CONS X D) W))))) (EQUAL X 1)). However this further simplifies, applying COMMUTATIVITY-OF-XOR-BV, NUMBERP-CAR-BV, BVP-XOR-BVS, COMMUTATIVITY-OF-XOR, CAR-CONS, CDR-CONS, EQUAL-BITP-SIMPLIFY, and BITP-CAR-XOR-BVS, and unfolding the definitions of FIX-XOR-BV, FIX-BIT, XOR-BV, XOR, XOR-BVS, CAR, EQUAL, and LISTP, to: T. Case 5.1.2.2. (IMPLIES (AND (NOT (LISTP Z)) (EQUAL (CAR (XOR-BVS (CONS Z D))) 0) (NOT (EQUAL (CAR (XOR-BV (CONS V W) (XOR-BVS (CONS Z D)))) 0)) (BVP (CONS V W)) (BVSP (CONS Z D)) (EQUAL V 0) (NOT (NUMBERP (HIGH-BIT-ON (CONS Z D))))) (EQUAL (CAR Z) 1)). This further simplifies, rewriting with CAR-CONS, CDR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding the definitions of FIX-XOR-BV, XOR-BV, XOR-BVS, CAR, EQUAL, and LISTP, to: T. Case 5.1.2.1. (IMPLIES (AND (EQUAL (CAR (XOR-BVS (CONS (CONS X C) D))) 0) (NOT (EQUAL (CAR (XOR-BV (CONS V W) (XOR-BVS (CONS (CONS X C) D)))) 0)) (BVP (CONS V W)) (BVSP (CONS (CONS X C) D)) (EQUAL V 0) (NOT (NUMBERP (HIGH-BIT-ON (CONS (CONS X C) D))))) (EQUAL X 1)). However this further simplifies, applying COMMUTATIVITY-OF-XOR-BV, NUMBERP-CAR-BV, BVP-XOR-BVS, COMMUTATIVITY-OF-XOR, CAR-CONS, CDR-CONS, XOR-BV-FIX-XOR-BV, COMMUTATIVITY2-OF-XOR-BV, EQUAL-BITP-SIMPLIFY, and BITP-CAR-XOR-BVS, and opening up the definitions of FIX-XOR-BV, FIX-BIT, XOR-BV, XOR, XOR-BVS, EQUAL, BITP, BVP, BVSP, HIGH-BIT-ON, LISTP, and CAR, to: T. Case 5.1.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0) (NUMBERP (HIGH-BIT-ON (CDR STATE)))) (EQUAL (CAR (GET (HIGH-BIT-ON (CDR STATE)) (CDR STATE))) 1)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE) and Z by (CONS V W) to eliminate (CAR Z) and (CDR Z). The result is two new goals: Case 5.1.1.2. (IMPLIES (AND (NOT (LISTP Z)) (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (NOT (EQUAL (CAR (XOR-BV Z (XOR-BVS X))) 0)) (BVP Z) (BVSP X) (EQUAL (CAR Z) 0) (NUMBERP (HIGH-BIT-ON X))) (EQUAL (CAR (GET (HIGH-BIT-ON X) X)) 1)), which further simplifies, opening up XOR-BV, CAR, and EQUAL, to: T. Case 5.1.1.1. (IMPLIES (AND (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (NOT (EQUAL (CAR (XOR-BV (CONS V W) (XOR-BVS X))) 0)) (BVP (CONS V W)) (BVSP X) (EQUAL V 0) (NUMBERP (HIGH-BIT-ON X))) (EQUAL (CAR (GET (HIGH-BIT-ON X) X)) 1)), which further simplifies, applying the lemmas CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding the functions XOR, XOR-BV, BITP, and BVP, to two new goals: Case 5.1.1.1.2. (IMPLIES (AND (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (NOT (LISTP (XOR-BVS X))) (NOT (EQUAL (CAR NIL) 0)) (BVP W) (BVSP X) (NUMBERP (HIGH-BIT-ON X))) (EQUAL (CAR (GET (HIGH-BIT-ON X) X)) 1)), which again simplifies, rewriting with CAR-NLISTP, and expanding the functions EQUAL and CAR, to: T. Case 5.1.1.1.1. (IMPLIES (AND (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (LISTP (XOR-BVS X)) (NOT (EQUAL (CAR (CONS 0 (XOR-BV W (CDR (XOR-BVS X))))) 0)) (BVP W) (BVSP X) (NUMBERP (HIGH-BIT-ON X))) (EQUAL (CAR (GET (HIGH-BIT-ON X) X)) 1)). But this again simplifies, applying the lemma CAR-CONS, and expanding the function EQUAL, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (NOT (BVSP (CDR STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)), which simplifies, opening up the functions XOR-BVS and BVSP, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON (CDR STATE)) (CDR STATE))) 1) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)), which simplifies, applying BITP-CAR-BVP and EQUAL-BIT-1, and unfolding the functions XOR-BVS, BVSP, and HIGH-BIT-ON, to the following two new conjectures: Case 3.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON (CDR STATE)) (CDR STATE))) 1) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (NOT (EQUAL (CAAR STATE) 0))) (EQUAL (CAR (GET 0 STATE)) 1)). But this again simplifies, applying the lemmas BITP-CAR-BVP, EQUAL-BITP-SIMPLIFY, and EQUAL-BIT-1, and opening up the definitions of EQUAL and GET, to: T. Case 3.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON (CDR STATE)) (CDR STATE))) 1) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0)) (EQUAL (CAR (GET (ADD1 (HIGH-BIT-ON (CDR STATE))) STATE)) 1)), which again simplifies, rewriting with SUB1-ADD1, and opening up the function GET, to: (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON (CDR STATE)) (CDR STATE))) 1) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (EQUAL (CAR (GET 0 (CDR STATE))) 1)), which again simplifies, unfolding the functions NUMBERP, EQUAL, and GET, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)), which simplifies, rewriting with the lemmas BITP-CAR-BVP, EQUAL-BIT-1, and GET-OF-BAD-PLACE, and expanding the functions XOR-BVS, BVSP, HIGH-BIT-ON, LENGTH, EQUAL, LESSP, and GET, to three new conjectures: Case 2.3. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAR (FIX-XOR-BV (CAR STATE))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (CAAR STATE) 0) (NOT (EQUAL (ADD1 (HIGH-BIT-ON (CDR STATE))) 0))) (EQUAL (CAR 0) 1)), which again simplifies, applying BVP-FIX-XOR-BV-IDENTITY, and expanding the function EQUAL, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAR (FIX-XOR-BV (CAR STATE))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (NOT (EQUAL (CAAR STATE) 0))) (EQUAL (CAAR STATE) 1)). This again simplifies, applying BVP-FIX-XOR-BV-IDENTITY, BITP-CAR-BVP, and EQUAL-BITP-SIMPLIFY, and unfolding the definitions of EQUAL, BITP, BVP, and CAR, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAR (FIX-XOR-BV (CAR STATE))) 0)) (BVP (CAR STATE)) (BVSP (CDR STATE)) (EQUAL (ADD1 (HIGH-BIT-ON (CDR STATE))) 0)) (EQUAL (CAAR STATE) 1)). However this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (BVSP STATE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)), which simplifies, expanding XOR-BVS, CAR, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 1.1 0.0 ] HIGH-BIT-ON-WORKS (PROVE-LEMMA ALL-ZEROS-LENGTH-1 (REWRITE) (IMPLIES (EQUAL (LENGTH X) 1) (EQUAL (ALL-ZEROS X) (EQUAL (CAR X) 0)))) This conjecture can be simplified, using the abbreviations EQUAL-LENGTH-1 and IMPLIES, to: (IMPLIES (AND (LISTP X) (NOT (LISTP (CDR X)))) (EQUAL (ALL-ZEROS X) (EQUAL (CAR X) 0))). This simplifies, expanding the function ALL-ZEROS, to: T. Q.E.D. [ 0.0 0.0 0.0 ] ALL-ZEROS-LENGTH-1 (PROVE-LEMMA ALL-ZEROS-XOR-BVS-SIMPLE (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP SIZE 2)) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) (OR (ZEROP SIZE) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0)))) ((INDUCT (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)))) WARNING: Note that ALL-ZEROS-XOR-BVS-SIMPLE contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, and LISTP-DELETE-HIGH-BITS, to two new formulas: Case 2. (IMPLIES (AND (ZEROP SIZE) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP SIZE 2)) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) (OR (ZEROP SIZE) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0)))), which simplifies, using linear arithmetic, rewriting with LISTP-XOR-BVS and CAR-NLISTP, and opening up the definitions of ZEROP, LESSP, ALL-ZEROS, NOT, EQUAL, OR, and NUMBERP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (AND (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 SIZE)) (LESSP (SUB1 SIZE) 2)) (EQUAL (ALL-ZEROS (XOR-BVS (DELETE-HIGH-BITS STATE))) (OR (ZEROP (SUB1 SIZE)) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS (DELETE-HIGH-BITS STATE))) 0)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP SIZE 2)) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) (OR (ZEROP SIZE) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0)))). This simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (EQUAL 1 0)) (NUMBERP 1) (IMPLIES (AND (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 1)) (LESSP (SUB1 1) 2)) (EQUAL (ALL-ZEROS (XOR-BVS (DELETE-HIGH-BITS STATE))) (OR (ZEROP (SUB1 1)) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS (DELETE-HIGH-BITS STATE))) 0)))) (GOOD-STATE-OF-SIZE STATE 1) (LESSP 1 2)) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) (OR (ZEROP 1) (NOT (LISTP STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0)))), which again simplifies, rewriting with GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS and XOR-BVS-DELETE-HIGH-BITS, and unfolding the functions EQUAL, NUMBERP, SUB1, LESSP, AND, ALL-ZEROS, ZEROP, NOT, CAR, OR, and IMPLIES, to the following two new formulas: Case 1.2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE 1) (NOT (LISTP STATE))) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) T)). However this again simplifies, expanding the functions GOOD-STATE-OF-SIZE, LISTP, XOR-BVS, ALL-ZEROS, and EQUAL, to: T. Case 1.1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE 1) (LISTP STATE)) (EQUAL (ALL-ZEROS (XOR-BVS STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0))), which again simplifies, applying LENGTH-XOR-BVS and ALL-ZEROS-LENGTH-1, and expanding EQUAL and NUMBERP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] ALL-ZEROS-XOR-BVS-SIMPLE (PROVE-LEMMA FIND-HIGH-OUT-OF-SYNC-WORKS (REWRITE) (IMPLIES (AND (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC STATE) STATE)) ((INDUCT (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)))) WARNING: Note that FIND-HIGH-OUT-OF-SYNC-WORKS contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to two new formulas: Case 2. (IMPLIES (AND (ZEROP SIZE) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC STATE) STATE)), which simplifies, using linear arithmetic, rewriting with the lemma ALL-ZEROS-XOR-BVS-SIMPLE, and unfolding the functions ZEROP, LESSP, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (AND (NOT (ALL-ZEROS (XOR-BVS (DELETE-HIGH-BITS STATE)))) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 SIZE))) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS STATE))) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC STATE) STATE)), which simplifies, applying EQUAL-SUB1-0, XOR-BVS-DELETE-HIGH-BITS, ADD1-SUB1, GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS, ALL-ZEROS-XOR-BVS-SIMPLE, EQUAL-BIT-1, EQUAL-BITP-SIMPLIFY, BITP-CAR-XOR-BVS, and LISTP-XOR-BVS, and opening up SUB1, NUMBERP, EQUAL, LESSP, NOT, AND, IMPLIES, FIND-HIGH-OUT-OF-SYNC, HIGH-BIT-OUT-OF-SYNC, XOR-BVS, and ALL-ZEROS, to the following eight new goals: Case 1.8. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL SIZE 1) (ALL-ZEROS NIL) (LISTP STATE) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE 1)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)). However this again simplifies, appealing to the lemmas GOOD-STATE-OF-SIZE-MEANS-BVSP, EQUAL-BIT-1, EQUAL-BITP-SIMPLIFY, BITP-CAR-XOR-BVS, and HIGH-BIT-ON-WORKS, and unfolding EQUAL, NUMBERP, and ALL-ZEROS, to: T. Case 1.7. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL SIZE 1) (ALL-ZEROS NIL) (LISTP STATE) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE 1)) (LISTP (CAR STATE))), which again simplifies, unfolding EQUAL, NUMBERP, ALL-ZEROS, FIX-XOR-BV, XOR-BV, XOR-BVS, and CAR, to: T. Case 1.6. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (ALL-ZEROS (CDR (XOR-BVS STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (CAR (GET (HIGH-BIT-ON STATE) STATE)) 1)), which again simplifies, rewriting with GOOD-STATE-OF-SIZE-MEANS-BVSP, EQUAL-BIT-1, EQUAL-BITP-SIMPLIFY, BITP-CAR-XOR-BVS, and HIGH-BIT-ON-WORKS, and unfolding the function EQUAL, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LISTP STATE) (NOT (EQUAL SIZE 1)) (ALL-ZEROS (CDR (XOR-BVS STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LISTP (CAR STATE))). But this again simplifies, expanding FIX-XOR-BV, XOR-BV, XOR-BVS, CDR, ALL-ZEROS, CAR, and EQUAL, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS STATE)) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP (CAR STATE)))) (HIGH-BIT-OUT-OF-SYNC F STATE)), which again simplifies, opening up FIX-XOR-BV, XOR-BV, XOR-BVS, and ALL-ZEROS, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS STATE)) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP STATE))) (HIGH-BIT-OUT-OF-SYNC F STATE)), which again simplifies, unfolding the definitions of DELETE-HIGH-BITS, FIND-HIGH-OUT-OF-SYNC, and HIGH-BIT-OUT-OF-SYNC, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS STATE)) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))) (HIGH-BIT-OUT-OF-SYNC (HIGH-BIT-ON STATE) STATE)), which again simplifies, applying EQUAL-BITP-SIMPLIFY, BITP-CAR-XOR-BVS, LISTP-XOR-BVS, HIGH-BIT-ON-WORKS, EQUAL-BIT-1, and GOOD-STATE-OF-SIZE-MEANS-BVSP, and unfolding LESSP, EQUAL, ALL-ZEROS, and HIGH-BIT-OUT-OF-SYNC, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (DELETE-HIGH-BITS STATE)) (NOT (ALL-ZEROS (XOR-BVS STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 0)) (HIGH-BIT-OUT-OF-SYNC (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) STATE)). However this again simplifies, expanding EQUAL and HIGH-BIT-OUT-OF-SYNC, to: T. Q.E.D. [ 0.0 1.1 0.0 ] FIND-HIGH-OUT-OF-SYNC-WORKS (PROVE-LEMMA BVP-NAT-TO-BV (REWRITE) (BVP (NAT-TO-BV NAT SIZE))) Name the conjecture *1. We will appeal to induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (p NAT (SUB1 SIZE))) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (p NAT SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for NAT. The above induction scheme leads to three new goals: Case 3. (IMPLIES (ZEROP SIZE) (BVP (NAT-TO-BV NAT SIZE))), which simplifies, unfolding the definitions of ZEROP, EQUAL, NAT-TO-BV, and BVP, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (BVP (NAT-TO-BV NAT (SUB1 SIZE)))) (BVP (NAT-TO-BV NAT SIZE))), which simplifies, rewriting with the lemmas CDR-CONS and CAR-CONS, and expanding ZEROP, NAT-TO-BV, BITP, and BVP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (BVP (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)))) (BVP (NAT-TO-BV NAT SIZE))), which simplifies, rewriting with CDR-CONS and CAR-CONS, and unfolding the functions ZEROP, NAT-TO-BV, BITP, and BVP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] BVP-NAT-TO-BV (PROVE-LEMMA SILLY-LESSP-SUB1-EXP-LENGTH NIL (IMPLIES (AND (NOT (LESSP NAT (EXP 2 (LENGTH BV)))) (BVP BV)) (NOT (LESSP NAT (BV-TO-NAT BV))))) This conjecture simplifies, using linear arithmetic and applying LESSP-BV-LENGTH, to: T. Q.E.D. [ 0.0 0.1 0.0 ] SILLY-LESSP-SUB1-EXP-LENGTH (DEFN ALL-ONES (SIZE) (IF (ZEROP SIZE) NIL (CONS 1 (ALL-ONES (SUB1 SIZE))))) Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each recursive call. Hence, ALL-ONES is accepted under the definitional principle. From the definition we can conclude that (OR (LITATOM (ALL-ONES SIZE)) (LISTP (ALL-ONES SIZE))) is a theorem. [ 0.0 0.0 0.0 ] ALL-ONES (PROVE-LEMMA NAT-TO-BV-IS-ALL-ONES (REWRITE) (IMPLIES (NOT (LESSP NAT (EXP 2 SIZE))) (EQUAL (NAT-TO-BV NAT SIZE) (ALL-ONES SIZE)))) Call the conjecture *1. We will appeal to induction. There are four plausible inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (p NAT (SUB1 SIZE))) (p NAT SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (p NAT SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for NAT. The above induction scheme generates four new formulas: Case 4. (IMPLIES (AND (ZEROP SIZE) (NOT (LESSP NAT (EXP 2 SIZE)))) (EQUAL (NAT-TO-BV NAT SIZE) (ALL-ONES SIZE))), which simplifies, applying EXP-ZERO, and expanding the functions ZEROP, EXP, EQUAL, NAT-TO-BV, and ALL-ONES, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP NAT (EXP 2 (SUB1 SIZE))) (NOT (LESSP NAT (EXP 2 SIZE)))) (EQUAL (NAT-TO-BV NAT SIZE) (ALL-ONES SIZE))). This simplifies, applying TIMES-1-ARG1 and CAR-CONS, and unfolding the definitions of ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and ALL-ONES, to the conjecture: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP NAT (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE))))). However this again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (NOT (LESSP NAT (EXP 2 SIZE)))) (EQUAL (NAT-TO-BV NAT SIZE) (ALL-ONES SIZE))), which simplifies, rewriting with the lemmas TIMES-1-ARG1, CAR-CONS, CDR-CONS, and CONS-EQUAL, and opening up the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and ALL-ONES, to the goal: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (LESSP (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (EXP 2 (SUB1 SIZE))) (NOT (LESSP NAT (PLUS (EXP 2 (SUB1 SIZE)) (EXP 2 (SUB1 SIZE)))))) (EQUAL (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE)))). But this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP NAT (EXP 2 (SUB1 SIZE)))) (EQUAL (NAT-TO-BV (DIFFERENCE NAT (EXP 2 (SUB1 SIZE))) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP NAT (EXP 2 SIZE)))) (EQUAL (NAT-TO-BV NAT SIZE) (ALL-ONES SIZE))), which simplifies, appealing to the lemma TIMES-1-ARG1, and opening up the functions ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, NAT-TO-BV, and ALL-ONES, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] NAT-TO-BV-IS-ALL-ONES (PROVE-LEMMA LENGTH-ALL-ONES (REWRITE) (EQUAL (LENGTH (ALL-ONES SIZE)) (FIX SIZE))) This formula simplifies, unfolding the definition of FIX, to the following two new goals: Case 2. (IMPLIES (NOT (NUMBERP SIZE)) (EQUAL (LENGTH (ALL-ONES SIZE)) 0)). This again simplifies, unfolding the definitions of ALL-ONES, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (NUMBERP SIZE) (EQUAL (LENGTH (ALL-ONES SIZE)) SIZE)), which we will name *1. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (p (SUB1 SIZE))) (p SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP SIZE) (NUMBERP SIZE)) (EQUAL (LENGTH (ALL-ONES SIZE)) SIZE)). This simplifies, unfolding the definitions of ZEROP, NUMBERP, ALL-ONES, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (EQUAL (LENGTH (ALL-ONES (SUB1 SIZE))) (SUB1 SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (ALL-ONES SIZE)) SIZE)). This simplifies, rewriting with the lemmas ADD1-SUB1 and CDR-CONS, and opening up the functions ZEROP, ALL-ONES, and LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-ALL-ONES (PROVE-LEMMA BVP-ALL-ONES (REWRITE) (BVP (ALL-ONES SIZE))) Call the conjecture *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (p (SUB1 SIZE))) (p SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new goals: Case 2. (IMPLIES (ZEROP SIZE) (BVP (ALL-ONES SIZE))), which simplifies, expanding the definitions of ZEROP, ALL-ONES, and BVP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (BVP (ALL-ONES (SUB1 SIZE)))) (BVP (ALL-ONES SIZE))), which simplifies, applying CDR-CONS and CAR-CONS, and expanding ZEROP, ALL-ONES, BITP, and BVP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-ALL-ONES (PROVE-LEMMA LESSP-BV-ALL-ONES-ARG1 (REWRITE) (IMPLIES (BVP BV) (NOT (LESSP-BV (ALL-ONES SIZE) BV))) ((INDUCT (LESSP-BV-RECURSION BV SIZE)))) This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to two new conjectures: Case 2. (IMPLIES (AND (ZEROP SIZE) (BVP BV)) (NOT (LESSP-BV (ALL-ONES SIZE) BV))), which simplifies, expanding ZEROP, ALL-ONES, LISTP, and LESSP-BV, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (BVP (CDR BV)) (NOT (LESSP-BV (ALL-ONES (SUB1 SIZE)) (CDR BV)))) (BVP BV)) (NOT (LESSP-BV (ALL-ONES SIZE) BV))), which simplifies, appealing to the lemmas CAR-CONS and CDR-CONS, and opening up the functions NOT, IMPLIES, BITP, BVP, ALL-ONES, LISTP, LESSP-BV, EQUAL, and LESSP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-BV-ALL-ONES-ARG1 (PROVE-LEMMA LESSP-BV-ALL-ONES-ARG2 (REWRITE) (IMPLIES (AND (EQUAL (LENGTH BV) SIZE) (BVP BV)) (EQUAL (LESSP-BV BV (ALL-ONES SIZE)) (LESSP (BV-TO-NAT BV) (SUB1 (EXP 2 SIZE)))))) Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest five inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP BV) (p (CDR BV))) (p BV)) (IMPLIES (NOT (LISTP BV)) (p BV))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following three new conjectures: Case 3. (IMPLIES (AND (LISTP BV) (NOT (BVP (CDR BV))) (BVP BV)) (EQUAL (LESSP-BV BV (ALL-ONES (LENGTH BV))) (LESSP (BV-TO-NAT BV) (SUB1 (EXP 2 (LENGTH BV)))))). This simplifies, unfolding the definitions of BVP and BITP, to: T. Case 2. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP-BV (CDR BV) (ALL-ONES (LENGTH (CDR BV)))) (LESSP (BV-TO-NAT (CDR BV)) (SUB1 (EXP 2 (LENGTH (CDR BV)))))) (BVP BV)) (EQUAL (LESSP-BV BV (ALL-ONES (LENGTH BV))) (LESSP (BV-TO-NAT BV) (SUB1 (EXP 2 (LENGTH BV)))))). This simplifies, rewriting with SUB1-ADD1, CDR-CONS, CAR-CONS, TIMES-1-ARG1, COMMUTATIVITY-OF-PLUS, EQUAL-EXP-0, EXP-ADD1, and EQUAL-PLUS-0, and expanding the definitions of BVP, BITP, LENGTH, ALL-ONES, EQUAL, LESSP, LESSP-BV, BV-TO-NAT, PLUS, SUB1, NUMBERP, and TIMES, to two new goals: Case 2.2. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP-BV (CDR BV) (ALL-ONES (LENGTH (CDR BV)))) (LESSP (BV-TO-NAT (CDR BV)) (SUB1 (EXP 2 (LENGTH (CDR BV)))))) (EQUAL (CAR BV) 1) (BVP (CDR BV))) (EQUAL (LESSP-BV (CDR BV) (ALL-ONES (LENGTH (CDR BV)))) (LESSP (SUB1 (PLUS (BV-TO-NAT (CDR BV)) (EXP 2 (LENGTH (CDR BV))))) (PLUS (SUB1 (EXP 2 (LENGTH (CDR BV)))) (SUB1 (EXP 2 (LENGTH (CDR BV)))))))). Applying the lemma CAR-CDR-ELIM, replace BV by (CONS Z X) to eliminate (CDR BV) and (CAR BV). This produces the new conjecture: (IMPLIES (AND (EQUAL (LESSP-BV X (ALL-ONES (LENGTH X))) (LESSP (BV-TO-NAT X) (SUB1 (EXP 2 (LENGTH X))))) (EQUAL Z 1) (BVP X)) (EQUAL (LESSP-BV X (ALL-ONES (LENGTH X))) (LESSP (SUB1 (PLUS (BV-TO-NAT X) (EXP 2 (LENGTH X)))) (PLUS (SUB1 (EXP 2 (LENGTH X))) (SUB1 (EXP 2 (LENGTH X))))))), which further simplifies, trivially, to: (IMPLIES (AND (EQUAL (LESSP-BV X (ALL-ONES (LENGTH X))) (LESSP (BV-TO-NAT X) (SUB1 (EXP 2 (LENGTH X))))) (BVP X)) (EQUAL (LESSP-BV X (ALL-ONES (LENGTH X))) (LESSP (SUB1 (PLUS (BV-TO-NAT X) (EXP 2 (LENGTH X)))) (PLUS (SUB1 (EXP 2 (LENGTH X))) (SUB1 (EXP 2 (LENGTH X))))))). We use the above equality hypothesis by substituting: (LESSP (BV-TO-NAT X) (SUB1 (EXP 2 (LENGTH X)))) for (LESSP-BV X (ALL-ONES (LENGTH X))) and throwing away the equality. This generates: (IMPLIES (BVP X) (EQUAL (LESSP (BV-TO-NAT X) (SUB1 (EXP 2 (LENGTH X)))) (LESSP (SUB1 (PLUS (BV-TO-NAT X) (EXP 2 (LENGTH X)))) (PLUS (SUB1 (EXP 2 (LENGTH X))) (SUB1 (EXP 2 (LENGTH X))))))). We will try to prove the above formula by generalizing it, replacing (LENGTH X) by Y and (BV-TO-NAT X) by A. We restrict the new variables by recalling the type restriction lemma noted when LENGTH was introduced and the type restriction lemma noted when BV-TO-NAT was introduced. We would thus like to prove: (IMPLIES (AND (NUMBERP Y) (NUMBERP A) (BVP X)) (EQUAL (LESSP A (SUB1 (EXP 2 Y))) (LESSP (SUB1 (PLUS A (EXP 2 Y))) (PLUS (SUB1 (EXP 2 Y)) (SUB1 (EXP 2 Y)))))), which we generalize by replacing (EXP 2 Y) by U. We restrict the new variable by recalling the type restriction lemma noted when EXP was introduced. We would thus like to prove: (IMPLIES (AND (NUMBERP U) (NUMBERP Y) (NUMBERP A) (BVP X)) (EQUAL (LESSP A (SUB1 U)) (LESSP (SUB1 (PLUS A U)) (PLUS (SUB1 U) (SUB1 U))))). Applying the lemma SUB1-ELIM, replace U by (ADD1 Z) to eliminate (SUB1 U). We rely upon the type restriction lemma noted when SUB1 was introduced to restrict the new variable. This produces the following two new formulas: Case 2.2.2. (IMPLIES (AND (EQUAL U 0) (NUMBERP U) (NUMBERP Y) (NUMBERP A) (BVP X)) (EQUAL (LESSP A (SUB1 U)) (LESSP (SUB1 (PLUS A U)) (PLUS (SUB1 U) (SUB1 U))))). However this finally simplifies, rewriting with PLUS-ZERO-ARG2, and opening up NUMBERP, SUB1, EQUAL, LESSP, ZEROP, and PLUS, to: T. Case 2.2.1. (IMPLIES (AND (NUMBERP Z) (NOT (EQUAL (ADD1 Z) 0)) (NUMBERP Y) (NUMBERP A) (BVP X)) (EQUAL (LESSP A Z) (LESSP (SUB1 (PLUS A (ADD1 Z))) (PLUS Z Z)))). However this finally simplifies, applying PLUS-ADD1-ARG2, SUB1-ADD1, and CORRECTNESS-OF-CANCEL-LESSP-PLUS, and opening up FIX, to: T. Case 2.1. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP-BV (CDR BV) (ALL-ONES (LENGTH (CDR BV)))) (LESSP (BV-TO-NAT (CDR BV)) (SUB1 (EXP 2 (LENGTH (CDR BV)))))) (EQUAL (CAR BV) 0) (BVP (CDR BV)) (NOT (EQUAL (BV-TO-NAT (CDR BV)) 0))) (LESSP (SUB1 (BV-TO-NAT (CDR BV))) (PLUS (SUB1 (EXP 2 (LENGTH (CDR BV)))) (SUB1 (EXP 2 (LENGTH (CDR BV))))))). However this again simplifies, using linear arithmetic and rewriting with the lemma LESSP-BV-LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (LISTP BV)) (BVP BV)) (EQUAL (LESSP-BV BV (ALL-ONES (LENGTH BV))) (LESSP (BV-TO-NAT BV) (SUB1 (EXP 2 (LENGTH BV)))))), which simplifies, opening up the functions BVP, LENGTH, ALL-ONES, LESSP-BV, BV-TO-NAT, EXP, SUB1, LESSP, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 3.6 0.1 ] LESSP-BV-ALL-ONES-ARG2 (PROVE-LEMMA LESSP-BV-NAT-TO-BV (REWRITE) (IMPLIES (AND (EQUAL (LENGTH BV) (FIX SIZE)) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (AND (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) (LESSP NAT (BV-TO-NAT BV))) (EQUAL (LESSP-BV BV (NAT-TO-BV NAT SIZE)) (LESSP (BV-TO-NAT BV) NAT)))) ((USE (SILLY-LESSP-SUB1-EXP-LENGTH) (LESSP-BV-TO-NAT-BV-TO-NAT (X BV) (Y (NAT-TO-BV NAT SIZE))) (LESSP-BV-TO-NAT-BV-TO-NAT (Y BV) (X (NAT-TO-BV NAT SIZE)))))) WARNING: Note that the proposed lemma LESSP-BV-NAT-TO-BV is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This conjecture simplifies, applying LENGTH-NAT-TO-BV, BVP-NAT-TO-BV, BV-TO-NAT-NAT-TO-BV, EQUAL-LENGTH-0, EXP-ZERO, and EQUAL-EXP-0, and expanding NOT, AND, IMPLIES, NAT-TO-BV, LENGTH, BVP, BV-TO-NAT, EQUAL, LESSP, LISTP, LESSP-BV, FIX, ZEROP, and NUMBERP, to the following 25 new conjectures: Case 25.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP SIZE)) (NOT (EQUAL (FIX SIZE) 0)) (NOT (LISTP BV)) (LESSP NAT 1) (EQUAL BV NIL) (NOT (EQUAL NAT 0))) (NOT (NUMBERP NAT))). However this again simplifies, using linear arithmetic, to: T. Case 24.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP SIZE) (NOT (EQUAL (FIX SIZE) SIZE)) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) (LESSP NAT (BV-TO-NAT BV)))), which again simplifies, expanding the function FIX, to: T. Case 23.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP SIZE) (NOT (EQUAL (FIX SIZE) SIZE)) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (EQUAL (LESSP-BV BV (NAT-TO-BV NAT SIZE)) (LESSP (BV-TO-NAT BV) NAT))), which again simplifies, unfolding FIX, to: T. Case 22.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV) (NOT (EQUAL (BV-TO-NAT BV) 0))) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) T)), which again simplifies, rewriting with the lemma EQUAL-EXP-0, and unfolding FIX, NUMBERP, EQUAL, and LESSP, to: T. Case 21.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV) (EQUAL (BV-TO-NAT BV) 0)) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) F)), which again simplifies, rewriting with the lemma EQUAL-EXP-0, and opening up FIX, NUMBERP, EQUAL, and LESSP, to: T. Case 20.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 19.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (EQUAL (BV-TO-NAT BV) 0)) (EQUAL T (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NOT (NUMBERP SIZE)) (EQUAL (LENGTH BV) 0)) (NOT (BVP BV))), which again simplifies, opening up FIX, EXP, NUMBERP, EQUAL, LESSP, NAT-TO-BV, LISTP, and LESSP-BV, to: T. Case 18.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (EQUAL (BV-TO-NAT BV) 0)) (EQUAL T (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NUMBERP SIZE) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 17.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (EQUAL (BV-TO-NAT BV) 0) (EQUAL F (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NUMBERP SIZE) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 16.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (NUMBERP SIZE)) (NOT (EQUAL 0 (FIX SIZE))) (NOT (LISTP BV)) (LESSP NAT 1) (EQUAL BV NIL)) (EQUAL NAT 0)), which again simplifies, using linear arithmetic, to: T. Case 15.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) (LESSP NAT (BV-TO-NAT BV)))), which again simplifies, unfolding FIX, to: T. Case 14.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (EQUAL (LESSP NAT (BV-TO-NAT BV)) (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NOT (NUMBERP SIZE)) (EQUAL (LENGTH BV) 0) (LESSP NAT 1) (BVP BV)) (NOT (LESSP NAT (BV-TO-NAT BV)))), which again simplifies, opening up FIX, EXP, NAT-TO-BV, LISTP, LESSP-BV, and EQUAL, to: T. Case 13.(IMPLIES (AND (LESSP NAT (EXP 2 (FIX SIZE))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (EQUAL (LESSP NAT (BV-TO-NAT BV)) (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NOT (NUMBERP SIZE)) (EQUAL (LENGTH BV) 0) (LESSP NAT 1) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) NAT))), which again simplifies, using linear arithmetic, to: T. Case 12.(IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP SIZE)) (NOT (EQUAL (FIX SIZE) 0)) (NOT (LISTP BV)) (LESSP NAT 1) (EQUAL BV NIL) (NOT (EQUAL NAT 0))) (NOT (NUMBERP NAT))), which again simplifies, using linear arithmetic, to: T. Case 11.(IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NUMBERP SIZE) (NOT (EQUAL (FIX SIZE) SIZE)) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (NOT (LESSP-BV (NAT-TO-BV NAT SIZE) BV))), which again simplifies, unfolding the definition of FIX, to: T. Case 10.(IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NUMBERP SIZE) (NOT (EQUAL (FIX SIZE) SIZE)) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (EQUAL (LESSP-BV BV (NAT-TO-BV NAT SIZE)) (LESSP (BV-TO-NAT BV) NAT))), which again simplifies, opening up FIX, to: T. Case 9. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV) (NOT (EQUAL (BV-TO-NAT BV) 0))) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) T)), which again simplifies, opening up the definition of LESSP, to: T. Case 8. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV) (EQUAL (BV-TO-NAT BV) 0)) (EQUAL (LESSP-BV (NAT-TO-BV NAT SIZE) BV) F)), which again simplifies, unfolding the functions EQUAL, LESSP, and FIX, to: T. Case 7. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 6. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (EQUAL (BV-TO-NAT BV) 0)) (EQUAL T (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NOT (NUMBERP SIZE)) (EQUAL (LENGTH BV) 0)) (NOT (BVP BV))), which again simplifies, opening up LESSP, to: T. Case 5. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (EQUAL (BV-TO-NAT BV) 0)) (EQUAL T (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NUMBERP SIZE) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 4. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NOT (NUMBERP NAT)) (EQUAL (LESSP (BV-TO-NAT BV) 0) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (EQUAL (BV-TO-NAT BV) 0) (EQUAL F (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NUMBERP SIZE) (EQUAL (LENGTH BV) SIZE) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) 0))), which again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (NUMBERP SIZE)) (NOT (EQUAL 0 (FIX SIZE))) (NOT (LISTP BV)) (LESSP NAT 1) (EQUAL BV NIL)) (EQUAL NAT 0)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NUMBERP SIZE) (NOT (EQUAL SIZE (FIX SIZE))) (EQUAL (LENGTH BV) SIZE) (LESSP NAT (EXP 2 SIZE)) (BVP BV)) (NOT (LESSP-BV (NAT-TO-BV NAT SIZE) BV))), which again simplifies, opening up the function FIX, to: T. Case 1. (IMPLIES (AND (NOT (LESSP NAT (BV-TO-NAT BV))) (NUMBERP NAT) (EQUAL (LESSP (BV-TO-NAT BV) NAT) (LESSP-BV BV (NAT-TO-BV NAT SIZE))) (NOT (LESSP-BV (NAT-TO-BV NAT SIZE) BV)) (NOT (NUMBERP SIZE)) (EQUAL (LENGTH BV) 0) (LESSP NAT 1) (BVP BV)) (NOT (LESSP (BV-TO-NAT BV) NAT))), which again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 5.1 0.1 ] LESSP-BV-NAT-TO-BV (PROVE-LEMMA LENGTH-CAR-STATE (REWRITE) (IMPLIES (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH (CAR STATE)) (IF (LISTP STATE) (FIX SIZE) 0)))) WARNING: Note that LENGTH-CAR-STATE contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This formula simplifies, opening up FIX, to the following three new formulas: Case 3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE))) (EQUAL (LENGTH (CAR STATE)) 0)). This again simplifies, appealing to the lemma EQUAL-LENGTH-0, to the formula: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE))) (NOT (LISTP (CAR STATE)))). But this again simplifies, applying EQUAL-LENGTH-0, and expanding the functions GOOD-STATE-OF-SIZE, CAR, and LISTP, to: T. Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP STATE))) (EQUAL (LENGTH (CAR STATE)) 0)). This again simplifies, unfolding the functions GOOD-STATE-OF-SIZE, LISTP, CAR, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP STATE) (NUMBERP SIZE)) (EQUAL (LENGTH (CAR STATE)) SIZE)), which again simplifies, expanding the definition of GOOD-STATE-OF-SIZE, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-CAR-STATE (PROVE-LEMMA BVP-CAR (REWRITE) (IMPLIES (AND (BVSP X) (LISTP X)) (BVP (CAR X)))) This formula simplifies, expanding the function BVSP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] BVP-CAR (PROVE-LEMMA LESSP-BV-ZERO (REWRITE) (IMPLIES (ZEROP ZERO) (NOT (LESSP-BV X (NAT-TO-BV ZERO SIZE)))) ((INDUCT (LESSP-BV-RECURSION X SIZE)))) This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to the following two new formulas: Case 2. (IMPLIES (AND (ZEROP SIZE) (ZEROP ZERO)) (NOT (LESSP-BV X (NAT-TO-BV ZERO SIZE)))). This simplifies, expanding the functions ZEROP, NAT-TO-BV, LISTP, LESSP-BV, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (ZEROP ZERO) (NOT (LESSP-BV (CDR X) (NAT-TO-BV ZERO (SUB1 SIZE))))) (ZEROP ZERO)) (NOT (LESSP-BV X (NAT-TO-BV ZERO SIZE)))). This simplifies, applying the lemmas EQUAL-EXP-0, CDR-CONS, and CAR-CONS, and expanding ZEROP, NOT, IMPLIES, LESSP, EQUAL, NUMBERP, NAT-TO-BV, and LESSP-BV, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (LESSP-BV (CDR X) (NAT-TO-BV ZERO (SUB1 SIZE)))) (EQUAL ZERO 0) (LISTP X) (EQUAL (CAR X) 0)) (NOT (LESSP-BV (CDR X) (NAT-TO-BV 0 (SUB1 SIZE))))), which again simplifies, clearly, to: T. Q.E.D. [ 0.0 0.3 0.0 ] LESSP-BV-ZERO (PROVE-LEMMA NUMBER-WITH-AT-LEAST-ZERO (REWRITE) (IMPLIES (ZEROP ZERO) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV)))) This formula simplifies, expanding the function ZEROP, to two new conjectures: Case 2. (IMPLIES (EQUAL ZERO 0) (EQUAL (NUMBER-WITH-AT-LEAST BV 0 SIZE) (LENGTH BV))), which again simplifies, trivially, to the new formula: (EQUAL (NUMBER-WITH-AT-LEAST BV 0 SIZE) (LENGTH BV)), which we will name *1. Case 1. (IMPLIES (NOT (NUMBERP ZERO)) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (ZEROP ZERO) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV))). We gave this the name *1 above. Perhaps we can prove it by induction. There are two plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP BV) (NOT (LESSP-BV (CAR BV) (NAT-TO-BV ZERO SIZE))) (p (CDR BV) ZERO SIZE)) (p BV ZERO SIZE)) (IMPLIES (AND (LISTP BV) (LESSP-BV (CAR BV) (NAT-TO-BV ZERO SIZE)) (p (CDR BV) ZERO SIZE)) (p BV ZERO SIZE)) (IMPLIES (NOT (LISTP BV)) (p BV ZERO SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following three new goals: Case 3. (IMPLIES (AND (LISTP BV) (NOT (LESSP-BV (CAR BV) (NAT-TO-BV ZERO SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR BV) ZERO SIZE) (LENGTH (CDR BV))) (ZEROP ZERO)) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV))). This simplifies, appealing to the lemma LESSP-BV-ZERO, and opening up the functions ZEROP, LENGTH, and NUMBER-WITH-AT-LEAST, to the new conjecture: (IMPLIES (AND (LISTP BV) (EQUAL (NUMBER-WITH-AT-LEAST (CDR BV) ZERO SIZE) (LENGTH (CDR BV))) (EQUAL ZERO 0)) (EQUAL (NUMBER-WITH-AT-LEAST BV 0 SIZE) (ADD1 (LENGTH (CDR BV))))), which again simplifies, applying the lemma LESSP-BV-ZERO, and unfolding ZEROP and NUMBER-WITH-AT-LEAST, to: T. Case 2. (IMPLIES (AND (LISTP BV) (LESSP-BV (CAR BV) (NAT-TO-BV ZERO SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR BV) ZERO SIZE) (LENGTH (CDR BV))) (ZEROP ZERO)) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV))), which simplifies, rewriting with LESSP-BV-ZERO, to: T. Case 1. (IMPLIES (AND (NOT (LISTP BV)) (ZEROP ZERO)) (EQUAL (NUMBER-WITH-AT-LEAST BV ZERO SIZE) (LENGTH BV))). This simplifies, expanding the functions ZEROP, NUMBER-WITH-AT-LEAST, LENGTH, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.4 0.0 ] NUMBER-WITH-AT-LEAST-ZERO (PROVE-LEMMA LESSP-1-EXP (REWRITE) (EQUAL (LESSP 1 (EXP X Y)) (AND (LESSP 1 X) (NOT (ZEROP Y))))) This formula simplifies, opening up ZEROP, NOT, and AND, to the following four new formulas: Case 4. (IMPLIES (NOT (LESSP 1 X)) (EQUAL (LESSP 1 (EXP X Y)) F)). This again simplifies, trivially, to the new formula: (IMPLIES (NOT (LESSP 1 X)) (NOT (LESSP 1 (EXP X Y)))), which we will name *1. Case 3. (IMPLIES (NOT (NUMBERP Y)) (EQUAL (LESSP 1 (EXP X Y)) F)). But this again simplifies, applying EXP-ZERO, and expanding the functions ZEROP, LESSP, and EQUAL, to: T. Case 2. (IMPLIES (EQUAL Y 0) (EQUAL (LESSP 1 (EXP X Y)) F)). This again simplifies, rewriting with EXP-0-ARG2, and opening up LESSP and EQUAL, to: T. Case 1. (IMPLIES (AND (LESSP 1 X) (NOT (EQUAL Y 0)) (NUMBERP Y)) (EQUAL (LESSP 1 (EXP X Y)) T)). This again simplifies, clearly, to the new conjecture: (IMPLIES (AND (LESSP 1 X) (NOT (EQUAL Y 0)) (NUMBERP Y)) (LESSP 1 (EXP X Y))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (EQUAL (LESSP 1 (EXP X Y)) (AND (LESSP 1 X) (NOT (ZEROP Y)))), named *1. Let us appeal to the induction principle. There are two plausible inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP Y) (p X Y)) (IMPLIES (AND (NOT (ZEROP Y)) (p X (SUB1 Y))) (p X Y))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to show that the measure (COUNT Y) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following two new conjectures: Case 2. (IMPLIES (ZEROP Y) (EQUAL (LESSP 1 (EXP X Y)) (AND (LESSP 1 X) (NOT (ZEROP Y))))). This simplifies, applying EXP-0-ARG2 and EXP-ZERO, and unfolding the definitions of ZEROP, LESSP, NOT, AND, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP Y)) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) (AND (LESSP 1 X) (NOT (ZEROP (SUB1 Y)))))) (EQUAL (LESSP 1 (EXP X Y)) (AND (LESSP 1 X) (NOT (ZEROP Y))))), which simplifies, rewriting with EQUAL-SUB1-0, EXP-0-ARG2, TIMES-1-ARG1, COMMUTATIVITY-OF-TIMES, EXP-ADD1, EQUAL-EXP-0, EQUAL-EXP-1, EQUAL-BITP-SIMPLIFY, EQUAL-BIT-1, and LESSP-1-TIMES, and unfolding the definitions of ZEROP, NOT, AND, EXP, BITP, EQUAL, and NUMBERP, to the following five new conjectures: Case 1.5. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL Y 1) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) F) (NOT (NUMBERP X))) (EQUAL (LESSP 1 0) (LESSP 1 X))). However this again simplifies, applying EXP-0-ARG2, and opening up EQUAL, NUMBERP, SUB1, and LESSP, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (LESSP 1 X)) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) F) (NOT (EQUAL X 0)) (NUMBERP X)) (EQUAL X 1)). But this again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP 1 X) (NOT (EQUAL Y 1)) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) T)) (NOT (EQUAL X 0))), which again simplifies, using linear arithmetic, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP 1 X) (NOT (EQUAL Y 1)) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) T)) (NUMBERP X)), which again simplifies, unfolding the function LESSP, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP 1 X) (NOT (EQUAL Y 1)) (EQUAL (LESSP 1 (EXP X (SUB1 Y))) T)) (NOT (EQUAL X 1))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] LESSP-1-EXP (PROVE-LEMMA LESSP-X-EXP-X-Y (REWRITE) (EQUAL (LESSP X (EXP X Y)) (OR (AND (ZEROP X) (ZEROP Y)) (AND (LESSP 1 X) (LESSP 1 Y)))) ((INDUCT (EXP X Y)))) This conjecture can be simplified, using the abbreviations ZEROP, NOT, OR, and AND, to two new conjectures: Case 2. (IMPLIES (ZEROP Y) (EQUAL (LESSP X (EXP X Y)) (OR (AND (ZEROP X) (ZEROP Y)) (AND (LESSP 1 X) (LESSP 1 Y))))), which simplifies, appealing to the lemmas EXP-0-ARG2 and EXP-ZERO, and unfolding ZEROP, AND, LESSP, and OR, to six new conjectures: Case 2.6. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 0)) (NUMBERP X)) (EQUAL (LESSP X 1) F)), which again simplifies, trivially, to: (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X)) (NOT (LESSP X 1))), which again simplifies, using linear arithmetic, to: T. Case 2.5. (IMPLIES (AND (EQUAL Y 0) (EQUAL X 0)) (EQUAL (LESSP X 1) T)), which again simplifies, expanding the definitions of LESSP and EQUAL, to: T. Case 2.4. (IMPLIES (AND (EQUAL Y 0) (NOT (NUMBERP X))) (EQUAL (LESSP X 1) T)), which again simplifies, expanding NUMBERP, EQUAL, and LESSP, to: T. Case 2.3. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X)) (EQUAL (LESSP X 1) F)), which again simplifies, trivially, to the new formula: (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X)) (NOT (LESSP X 1))), which again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP Y)) (EQUAL X 0)) (EQUAL (LESSP X 1) T)), which again simplifies, opening up LESSP and EQUAL, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (NUMBERP X))) (EQUAL (LESSP X 1) T)), which again simplifies, opening up NUMBERP, EQUAL, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (LESSP X (EXP X (SUB1 Y))) (OR (AND (ZEROP X) (ZEROP (SUB1 Y))) (AND (LESSP 1 X) (LESSP 1 (SUB1 Y)))))) (EQUAL (LESSP X (EXP X Y)) (OR (AND (ZEROP X) (ZEROP Y)) (AND (LESSP 1 X) (LESSP 1 Y))))), which simplifies, rewriting with EQUAL-SUB1-0, EXP-0-ARG1, TIMES-ZERO, EQUAL-EXP-0, LESSP-1-EXP, LESSP-TIMES3, EXP-0-ARG2, TIMES-1-ARG1, COMMUTATIVITY-OF-TIMES, and EXP-ADD1, and unfolding the definitions of ZEROP, AND, OR, LESSP, SUB1, NUMBERP, EQUAL, and EXP, to: T. Q.E.D. [ 0.0 0.2 0.0 ] LESSP-X-EXP-X-Y (PROVE-LEMMA LESSP-BV-COL-GET-WITH-AT-LEAST (REWRITE) (IMPLIES (AND (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (ZEROP (NUMBER-WITH-AT-LEAST STATE Y SIZE)))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE)))) This formula can be simplified, using the abbreviations ZEROP, NOT, AND, and IMPLIES, to: (IMPLIES (AND (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0)) (NUMBERP (NUMBER-WITH-AT-LEAST STATE Y SIZE))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, trivially, to: (IMPLIES (AND (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which we will name *1. We will appeal to induction. The recursive terms in the conjecture suggest eight inductions. They merge into three likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE))) (p X SIZE (CDR STATE) Y)) (p X SIZE STATE Y)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE)) (p X SIZE (CDR STATE) Y)) (p X SIZE STATE Y)) (IMPLIES (NOT (LISTP STATE)) (p X SIZE STATE Y))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following seven new conjectures: Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))). This simplifies, rewriting with BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, and EQUAL-LENGTH-0, and unfolding FIX and GOOD-STATE-OF-SIZE, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, using linear arithmetic, rewriting with BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, and EQUAL-LENGTH-0, and unfolding the definitions of FIX, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, ADD1, EQUAL, COL-WITH-AT-LEAST, GET, NAT-TO-BV, LESSP-BV, and LISTP, to the following two new conjectures: Case 6.2. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (BV-TO-NAT (CAR STATE)) Y)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LESSP X (BV-TO-NAT (CAR STATE)))). This again simplifies, using linear arithmetic, to: T. Case 6.1. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (BV-TO-NAT (CAR STATE)) Y)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, unfolding the functions BV-TO-NAT, EQUAL, and LESSP, to: T. Case 5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, using linear arithmetic, rewriting with BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, and EQUAL-LENGTH-0, and expanding the definitions of FIX, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, COL-WITH-AT-LEAST, EQUAL, GET, NAT-TO-BV, LESSP-BV, and LISTP, to the following two new conjectures: Case 5.2. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (BV-TO-NAT (CAR STATE)) Y)) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LESSP X (BV-TO-NAT (CAR STATE)))). But this again simplifies, using linear arithmetic, to: T. Case 5.1. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (BV-TO-NAT (CAR STATE)) Y)) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, opening up BV-TO-NAT, EQUAL, LESSP, NAT-TO-BV, LISTP, and LESSP-BV, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, applying BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, and EQUAL-LENGTH-0, and expanding FIX and GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))). This simplifies, rewriting with the lemmas BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, and EQUAL-LENGTH-0, and expanding the functions FIX, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, NAT-TO-BV, LESSP-BV, ADD1, COL-WITH-AT-LEAST, GET, and LISTP, to the new formula: (IMPLIES (AND (LISTP STATE) (LESSP (BV-TO-NAT (CAR STATE)) Y) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, rewriting with EXP-ZERO, and opening up the definitions of BV-TO-NAT, EQUAL, LESSP, ZEROP, BVP, and LISTP, to the new goal: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0) (LESSP X Y) (LESSP Y 1) (EQUAL (CAR STATE) NIL) (NOT (NUMBERP SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV Y SIZE)) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, applying BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, LENGTH-CAR-STATE, LESSP-BV-NAT-TO-BV, EQUAL-LENGTH-0, and SUB1-ADD1, and expanding the definitions of FIX, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, COL-WITH-AT-LEAST, GET, NAT-TO-BV, LESSP-BV, EQUAL, and LISTP, to the following two new conjectures: Case 2.2. (IMPLIES (AND (LISTP STATE) (LESSP (BV-TO-NAT (CAR STATE)) Y) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) Y SIZE) 0)) (NOT (NUMBERP (COL-WITH-AT-LEAST (CDR STATE) Y SIZE)))) (LESSP-BV (NAT-TO-BV X SIZE) (GET 0 (CDR STATE)))). This again simplifies, opening up the functions NUMBERP, EQUAL, and GET, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (LESSP (BV-TO-NAT (CAR STATE)) Y) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST (CDR STATE) Y SIZE) (CDR STATE))) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, opening up the definitions of BV-TO-NAT, EQUAL, LESSP, NAT-TO-BV, LISTP, and LESSP-BV, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (LESSP X Y) (LESSP Y (EXP 2 SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE Y SIZE) 0))) (LESSP-BV (NAT-TO-BV X SIZE) (GET (COL-WITH-AT-LEAST STATE Y SIZE) STATE))), which simplifies, opening up the functions GOOD-STATE-OF-SIZE, LISTP, NUMBER-WITH-AT-LEAST, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 2.4 0.1 ] LESSP-BV-COL-GET-WITH-AT-LEAST (PROVE-LEMMA LESSP-1-X-MEANS-NOT-ZEROP-X NIL (IMPLIES (LESSP 1 X) (NOT (ZEROP X)))) This formula simplifies, opening up the definition of ZEROP, to two new conjectures: Case 2. (IMPLIES (LESSP 1 X) (NOT (EQUAL X 0))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (LESSP 1 X) (NUMBERP X)), which again simplifies, expanding the function LESSP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-1-X-MEANS-NOT-ZEROP-X (PROVE-LEMMA LENGTH-XOR-BVS-DELETE-PILE (REWRITE) (IMPLIES (AND (LESSP 1 (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (EQUAL (LENGTH (XOR-BVS (DELETE-PILE N STATE))) (FIX SIZE))) ((USE (LENGTH-XOR-BVS (STATE (DELETE-PILE N STATE)))))) WARNING: Note that LENGTH-XOR-BVS-DELETE-PILE contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This conjecture simplifies, rewriting with GOOD-STATE-OF-SIZE-DELETE-PILE, SILLY-LISTP-CDR, and LISTP-DELETE-PILE, and unfolding FIX, IMPLIES, EQUAL, LENGTH, and LESSP, to: T. Q.E.D. [ 0.0 0.1 0.0 ] LENGTH-XOR-BVS-DELETE-PILE (PROVE-LEMMA HIGH-BIT-ON-REASONABLE (REWRITE) (IMPLIES (AND (EQUAL (CAR (XOR-BVS STATE)) 1) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE)))) WARNING: When the linear lemma HIGH-BIT-ON-REASONABLE is stored under (LENGTH STATE) it contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). WARNING: When the linear lemma HIGH-BIT-ON-REASONABLE is stored under (HIGH-BIT-ON STATE) it contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). WARNING: Note that the proposed lemma HIGH-BIT-ON-REASONABLE is to be stored as zero type prescription rules, zero compound recognizer rules, two linear rules, and zero replacement rules. This formula simplifies, applying the lemmas BITP-CAR-XOR-BVS and EQUAL-BIT-1, to: (IMPLIES (AND (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))), which we will name *1. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (p (CDR STATE) SIZE)) (p STATE SIZE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE)))) (p STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE SIZE))). Linear arithmetic, the lemma SUB1-ADD1, and the definitions of LESSP and LENGTH inform us that the measure (LENGTH STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following five new formulas: Case 5. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))). This simplifies, rewriting with EQUAL-LENGTH-0, BITP-CAR-BVP, EQUAL-BIT-1, SUB1-ADD1, and CAR-NLISTP, and opening up XOR-BVS, GOOD-STATE-OF-SIZE, HIGH-BIT-ON, LENGTH, LESSP, and EQUAL, to three new formulas: Case 5.3. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL (CAAR STATE) 0) (NOT (EQUAL (ADD1 (HIGH-BIT-ON (CDR STATE))) 0))) (LESSP (SUB1 (ADD1 (HIGH-BIT-ON (CDR STATE)))) (LENGTH (CDR STATE)))), which again simplifies, rewriting with the lemma SUB1-ADD1, to two new formulas: Case 5.3.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (EQUAL (CAAR STATE) 0) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (LESSP 0 (LENGTH (CDR STATE)))), which again simplifies, rewriting with EQUAL-LENGTH-0, and unfolding the functions EQUAL and LESSP, to: T. Case 5.3.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (EQUAL (CAAR STATE) 0) (NUMBERP (HIGH-BIT-ON (CDR STATE)))) (LESSP (HIGH-BIT-ON (CDR STATE)) (LENGTH (CDR STATE)))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS Z X) to eliminate (CDR STATE) and (CAR STATE) and Z by (CONS V W) to eliminate (CAR Z) and (CDR Z). This generates two new goals: Case 5.3.1.2. (IMPLIES (AND (NOT (LISTP Z)) (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (NOT (EQUAL (CAR (XOR-BV Z (XOR-BVS X))) 0)) (BVP Z) (GOOD-STATE-OF-SIZE X (LENGTH Z)) (EQUAL (CAR Z) 0) (NUMBERP (HIGH-BIT-ON X))) (LESSP (HIGH-BIT-ON X) (LENGTH X))), which further simplifies, applying the lemmas LISTP-XOR-BVS, EQUAL-LENGTH-0, and CAR-NLISTP, and unfolding LESSP, EQUAL, XOR-BV, and CAR, to: T. Case 5.3.1.1. (IMPLIES (AND (LISTP X) (EQUAL (CAR (XOR-BVS X)) 0) (NOT (EQUAL (CAR (XOR-BV (CONS V W) (XOR-BVS X))) 0)) (BVP (CONS V W)) (GOOD-STATE-OF-SIZE X (LENGTH (CONS V W))) (EQUAL V 0) (NUMBERP (HIGH-BIT-ON X))) (LESSP (HIGH-BIT-ON X) (LENGTH X))), which further simplifies, applying CDR-CONS, CAR-CONS, LISTP-XOR-BVS, EQUAL-LENGTH-0, and COMMUTATIVITY-OF-XOR-BV, and expanding the functions XOR, LESSP, EQUAL, and XOR-BV, to: T. Case 5.2. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (LESSP 0 (LENGTH (CDR STATE)))). However this again simplifies, using linear arithmetic, rewriting with LISTP-XOR-BVS and CAR-NLISTP, and opening up the definitions of EQUAL, XOR-BV, and CAR, to: T. Case 5.1. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NUMBERP (HIGH-BIT-ON (CDR STATE)))) (LESSP (HIGH-BIT-ON (CDR STATE)) (LENGTH (CDR STATE)))). But this again simplifies, using linear arithmetic, applying LISTP-XOR-BVS and CAR-NLISTP, and unfolding EQUAL, XOR-BV, and CAR, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))). This simplifies, applying EQUAL-LENGTH-0, and opening up the definitions of XOR-BVS and GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LISTP (CDR STATE)) (LESSP (HIGH-BIT-ON (CDR STATE)) (LENGTH (CDR STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))), which simplifies, using linear arithmetic, applying SILLY-LISTP-CDR, EQUAL-LENGTH-0, BITP-CAR-BVP, EQUAL-BIT-1, SUB1-ADD1, and CAR-NLISTP, and opening up the definitions of LENGTH, XOR-BVS, GOOD-STATE-OF-SIZE, HIGH-BIT-ON, LESSP, and EQUAL, to the following two new conjectures: Case 3.2. (IMPLIES (AND (LISTP STATE) (LESSP (HIGH-BIT-ON (CDR STATE)) (LENGTH (CDR STATE))) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL (CAAR STATE) 0) (NOT (EQUAL (ADD1 (HIGH-BIT-ON (CDR STATE))) 0))) (LESSP (SUB1 (ADD1 (HIGH-BIT-ON (CDR STATE)))) (LENGTH (CDR STATE)))). This again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (LISTP STATE) (LESSP (HIGH-BIT-ON (CDR STATE)) (LENGTH (CDR STATE))) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP (HIGH-BIT-ON (CDR STATE))))) (LESSP 0 (LENGTH (CDR STATE)))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))), which simplifies, applying BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BVP-FIX-XOR-BV-IDENTITY, EQUAL-LENGTH-0, BITP-CAR-BVP, EQUAL-BITP-SIMPLIFY, EQUAL-BIT-1, CAR-NLISTP, and SUB1-ADD1, and unfolding XOR-BVS, GOOD-STATE-OF-SIZE, HIGH-BIT-ON, EQUAL, LENGTH, and LESSP, to: (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CDR STATE))) (NOT (EQUAL (CAAR STATE) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE))), which again simplifies, applying CAR-NLISTP, and unfolding EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))). This simplifies, opening up XOR-BVS, CAR, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.4 0.0 ] HIGH-BIT-ON-REASONABLE (PROVE-LEMMA FIND-HIGH-OUT-OF-SYNC-REASONABLE (REWRITE) (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))) ((INDUCT (LESSP-WHEN-HIGH-BIT-RECURSION STATE SIZE)))) WARNING: When the linear lemma FIND-HIGH-OUT-OF-SYNC-REASONABLE is stored under (LENGTH STATE) it contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). WARNING: When the linear lemma FIND-HIGH-OUT-OF-SYNC-REASONABLE is stored under (FIND-HIGH-OUT-OF-SYNC STATE) it contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). WARNING: Note that the proposed lemma FIND-HIGH-OUT-OF-SYNC-REASONABLE is to be stored as zero type prescription rules, zero compound recognizer rules, two linear rules, and zero replacement rules. This conjecture can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, AND, LENGTH-DELETE-HIGH-BITS, and LISTP-DELETE-HIGH-BITS, to two new goals: Case 2. (IMPLIES (AND (ZEROP SIZE) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, expanding the function ZEROP, to two new formulas: Case 2.2. (IMPLIES (AND (EQUAL SIZE 0) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which again simplifies, clearly, to the new formula: (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which we will name *1. Case 2.1. (IMPLIES (AND (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). Name the above subgoal *2. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) (SUB1 SIZE))) (LESSP (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (LENGTH STATE))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). This simplifies, applying ADD1-SUB1, GOOD-STATE-OF-SIZE-DELETE-HIGH-BITS, EQUAL-BIT-1, and BITP-CAR-XOR-BVS, and expanding the definitions of AND, IMPLIES, and FIND-HIGH-OUT-OF-SYNC, to two new goals: Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (LENGTH STATE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (LISTP (CAR STATE)))) (LESSP F (LENGTH STATE))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (LESSP (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (LENGTH STATE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))) (LESSP (HIGH-BIT-ON STATE) (LENGTH STATE))), which again simplifies, using linear arithmetic, rewriting with HIGH-BIT-ON-REASONABLE, BITP-CAR-XOR-BVS, EQUAL-BITP-SIMPLIFY, and EQUAL-BIT-1, and expanding the function EQUAL, to: T. So next consider: (IMPLIES (AND (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which we named *2 above. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions, both of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 1)) (p STATE SIZE)) (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (p (DELETE-HIGH-BITS STATE) SIZE)) (p STATE SIZE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE)))) (p STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE SIZE))). Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE establish that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following five new conjectures: Case 5. (IMPLIES (AND (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 1) (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). This simplifies, using linear arithmetic, applying the lemmas LISTP-XOR-BVS and CAR-NLISTP, and opening up the function EQUAL, to: T. Case 4. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (NOT (LISTP (DELETE-HIGH-BITS STATE))) (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). This simplifies, using linear arithmetic, appealing to the lemmas LISTP-XOR-BVS, CAR-NLISTP, and LISTP-DELETE-HIGH-BITS, and opening up EQUAL, to: T. Case 3. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) SIZE)) (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). This simplifies, using linear arithmetic, rewriting with LISTP-XOR-BVS, CAR-NLISTP, EQUAL-BITP-SIMPLIFY, LENGTH-CAR-STATE, FIND-HIGH-OUT-OF-SYNC-REWRITE, EQUAL-LENGTH-0, and LISTP-DELETE-HIGH-BITS, and expanding EQUAL, BITP, and GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (LESSP (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (LENGTH (DELETE-HIGH-BITS STATE))) (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, using linear arithmetic, appealing to the lemmas LISTP-XOR-BVS, CAR-NLISTP, LENGTH-DELETE-HIGH-BITS, and EQUAL-LENGTH-0, and unfolding the functions EQUAL and GOOD-STATE-OF-SIZE, to: T. Case 1. (IMPLIES (AND (NOT (LISTP (CAR STATE))) (NOT (NUMBERP SIZE)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, rewriting with EQUAL-LENGTH-0, and expanding the functions FIND-HIGH-OUT-OF-SYNC, NUMBERP, EQUAL, and LESSP, to: T. That finishes the proof of *2. So next consider: (IMPLIES (AND (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), named *1 above. Perhaps we can prove it by induction. Three inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions, both of which are unflawed. So we will choose the one suggested by the largest number of nonprimitive recursive functions. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 1)) (p STATE)) (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (p (DELETE-HIGH-BITS STATE))) (p STATE)) (IMPLIES (AND (LISTP STATE) (NOT (LISTP (CAR STATE)))) (p STATE)) (IMPLIES (NOT (LISTP STATE)) (p STATE))). Linear arithmetic and the lemma FIND-HIGH-OUT-OF-SYNC-REWRITE can be used to show that the measure (LENGTH (CAR STATE)) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates five new goals: Case 5. (IMPLIES (AND (LISTP (CAR STATE)) (EQUAL (CAR (XOR-BVS STATE)) 1) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, rewriting with the lemmas LISTP-XOR-BVS and CAR-NLISTP, and expanding LESSP and EQUAL, to: T. Case 4. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (NOT (LISTP (DELETE-HIGH-BITS STATE))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, appealing to the lemmas LISTP-XOR-BVS, CAR-NLISTP, and LISTP-DELETE-HIGH-BITS, and unfolding LESSP and EQUAL, to: T. Case 3. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (NOT (GOOD-STATE-OF-SIZE (DELETE-HIGH-BITS STATE) 0)) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, using linear arithmetic, applying LISTP-XOR-BVS, CAR-NLISTP, EQUAL-BITP-SIMPLIFY, LENGTH-CAR-STATE, FIND-HIGH-OUT-OF-SYNC-REWRITE, EQUAL-LENGTH-0, and LISTP-DELETE-HIGH-BITS, and expanding LESSP, EQUAL, BITP, NUMBERP, and GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP (CAR STATE)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 1)) (LESSP (FIND-HIGH-OUT-OF-SYNC (DELETE-HIGH-BITS STATE)) (LENGTH (DELETE-HIGH-BITS STATE))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))). This simplifies, applying LISTP-XOR-BVS, CAR-NLISTP, LENGTH-DELETE-HIGH-BITS, and EQUAL-LENGTH-0, and unfolding the definitions of LESSP, EQUAL, NUMBERP, and GOOD-STATE-OF-SIZE, to: T. Case 1. (IMPLIES (AND (NOT (LISTP (CAR STATE))) (LISTP STATE) (GOOD-STATE-OF-SIZE STATE 0)) (LESSP (FIND-HIGH-OUT-OF-SYNC STATE) (LENGTH STATE))), which simplifies, applying the lemma EQUAL-LENGTH-0, and expanding the functions FIND-HIGH-OUT-OF-SYNC, NUMBERP, EQUAL, and LESSP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.4 0.1 ] FIND-HIGH-OUT-OF-SYNC-REASONABLE (PROVE-LEMMA COL-WITH-AT-LEAST-REASONABLE (REWRITE) (IMPLIES (AND (NOT (ZEROP (NUMBER-WITH-AT-LEAST STATE N SIZE))) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE)))) WARNING: When the linear lemma COL-WITH-AT-LEAST-REASONABLE is stored under (LENGTH STATE) it contains the free variables SIZE and N which will be chosen by instantiating the hypothesis: (NOT (ZEROP (NUMBER-WITH-AT-LEAST STATE N SIZE))). WARNING: Note that the proposed lemma COL-WITH-AT-LEAST-REASONABLE is to be stored as zero type prescription rules, zero compound recognizer rules, two linear rules, and zero replacement rules. This conjecture can be simplified, using the abbreviations ZEROP, NOT, AND, and IMPLIES, to: (IMPLIES (AND (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (NUMBERP (NUMBER-WITH-AT-LEAST STATE N SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, obviously, to: (IMPLIES (AND (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which we will name *1. Perhaps we can prove it by induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE N SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following seven new goals: Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, applying EQUAL-LENGTH-0, and unfolding the functions NUMBER-WITH-AT-LEAST, ADD1, EQUAL, GOOD-STATE-OF-SIZE, COL-WITH-AT-LEAST, LENGTH, LESSP, NAT-TO-BV, and LESSP-BV, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which simplifies, rewriting with EQUAL-LENGTH-0, and opening up the functions NUMBER-WITH-AT-LEAST and GOOD-STATE-OF-SIZE, to: T. Case 5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (COL-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, applying the lemma EQUAL-LENGTH-0, and expanding the functions NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, COL-WITH-AT-LEAST, LENGTH, EQUAL, LESSP, NAT-TO-BV, and LESSP-BV, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, expanding the functions NUMBER-WITH-AT-LEAST and EQUAL, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, applying EQUAL-LENGTH-0, and unfolding the functions NUMBER-WITH-AT-LEAST and GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (COL-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which simplifies, applying the lemmas EQUAL-LENGTH-0 and SUB1-ADD1, and unfolding NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, COL-WITH-AT-LEAST, LENGTH, LESSP, NAT-TO-BV, LESSP-BV, and EQUAL, to: (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (COL-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (NUMBERP (COL-WITH-AT-LEAST (CDR STATE) N SIZE)))) (LESSP 0 (LENGTH (CDR STATE)))). This again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE)) (LESSP (COL-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which simplifies, opening up the definitions of NUMBER-WITH-AT-LEAST and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 1.2 0.0 ] COL-WITH-AT-LEAST-REASONABLE (PROVE-LEMMA LESSP-LENGTH (REWRITE) (IMPLIES (LESSP N (LENGTH STATE)) (LISTP STATE))) WARNING: Note that LESSP-LENGTH contains the free variable N which will be chosen by instantiating the hypothesis (LESSP N (LENGTH STATE)). This simplifies, unfolding LENGTH, EQUAL, and LESSP, to: T. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-LENGTH (DISABLE EQUAL-BITP-SIMPLIFY) [ 0.0 0.0 0.0 ] EQUAL-BITP-SIMPLIFY-OFF (PROVE-LEMMA LISTP-NAT-TO-BV (REWRITE) (EQUAL (LISTP (NAT-TO-BV N SIZE)) (NOT (ZEROP SIZE)))) This formula simplifies, opening up the definitions of ZEROP and NOT, to three new conjectures: Case 3. (IMPLIES (NOT (NUMBERP SIZE)) (EQUAL (LISTP (NAT-TO-BV N SIZE)) F)), which again simplifies, unfolding the definitions of NAT-TO-BV, LISTP, and EQUAL, to: T. Case 2. (IMPLIES (EQUAL SIZE 0) (EQUAL (LISTP (NAT-TO-BV N SIZE)) F)), which again simplifies, unfolding EQUAL, NAT-TO-BV, and LISTP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (EQUAL (LISTP (NAT-TO-BV N SIZE)) T)), which again simplifies, clearly, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))), which we will name *1. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p N SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP N (EXP 2 (SUB1 SIZE))) (p N (SUB1 SIZE))) (p N SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP N (EXP 2 (SUB1 SIZE)))) (p (DIFFERENCE N (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (p N SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to prove that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for N. The above induction scheme produces five new formulas: Case 5. (IMPLIES (AND (ZEROP SIZE) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))), which simplifies, expanding the definition of ZEROP, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP N (EXP 2 (SUB1 SIZE))) (EQUAL (SUB1 SIZE) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))), which simplifies, rewriting with EQUAL-SUB1-0, and unfolding the functions ZEROP, EXP, EQUAL, NUMBERP, SUB1, NAT-TO-BV, CONS, and LISTP, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP N (EXP 2 (SUB1 SIZE))) (LISTP (NAT-TO-BV N (SUB1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))). This simplifies, opening up the functions ZEROP and NAT-TO-BV, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP N (EXP 2 (SUB1 SIZE)))) (EQUAL (SUB1 SIZE) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))). This simplifies, applying EQUAL-SUB1-0, and expanding the definitions of ZEROP, EXP, EQUAL, and NUMBERP, to: (IMPLIES (AND (NOT (LESSP N 1)) (EQUAL SIZE 1)) (LISTP (NAT-TO-BV N 1))). This again simplifies, clearly, to the new formula: (IMPLIES (NOT (LESSP N 1)) (LISTP (NAT-TO-BV N 1))), which we will name *1.1. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP N (EXP 2 (SUB1 SIZE)))) (LISTP (NAT-TO-BV (DIFFERENCE N (EXP 2 (SUB1 SIZE))) (SUB1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE)) (LISTP (NAT-TO-BV N SIZE))). This simplifies, opening up the definitions of ZEROP and NAT-TO-BV, to: T. So let us turn our attention to: (IMPLIES (NOT (LESSP N 1)) (LISTP (NAT-TO-BV N 1))), which is formula *1.1 above. Perhaps we can prove it by induction. There is only one plausible induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL 1 0) (NOT (NUMBERP 1))) (p N)) (IMPLIES (AND (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p N)) (IMPLIES (AND (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (SUB1 N))) (p N))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to prove that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to four new formulas: Case 4. (IMPLIES (AND (OR (EQUAL 1 0) (NOT (NUMBERP 1))) (NOT (LESSP N 1))) (LISTP (NAT-TO-BV N 1))), which simplifies, unfolding EQUAL, NUMBERP, NOT, and OR, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (NOT (LESSP N 1))) (LISTP (NAT-TO-BV N 1))), which simplifies, expanding EQUAL, NUMBERP, NOT, OR, and LESSP, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) 1) (NOT (LESSP N 1))) (LISTP (NAT-TO-BV N 1))), which simplifies, using linear arithmetic, to two new goals: Case 2.2. (IMPLIES (AND (NOT (NUMBERP N)) (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) 1) (NOT (LESSP N 1))) (LISTP (NAT-TO-BV N 1))), which again simplifies, expanding the definitions of EQUAL, NUMBERP, NOT, and OR, to: T. Case 2.1. (IMPLIES (AND (NUMBERP N) (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (LESSP (SUB1 1) 1) (NOT (LESSP 1 1))) (LISTP (NAT-TO-BV 1 1))), which again simplifies, expanding EQUAL, NUMBERP, NOT, OR, SUB1, LESSP, NAT-TO-BV, and LISTP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL 1 0) (NOT (NUMBERP 1)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LISTP (NAT-TO-BV (SUB1 N) 1)) (NOT (LESSP N 1))) (LISTP (NAT-TO-BV N 1))), which simplifies, rewriting with DIFFERENCE-ADD1-ARG2, and opening up the definitions of EQUAL, NUMBERP, NOT, OR, LESSP, SUB1, DIFFERENCE, EXP, NAT-TO-BV, CONS, and LISTP, to: T. That finishes the proof of *1.1, which, in turn, also finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LISTP-NAT-TO-BV (PROVE-LEMMA NUMBER-WITH-AT-LEAST-SIMPLE (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE)))) This formula simplifies, expanding ZEROP, to two new conjectures: Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N 0) (LENGTH STATE))), which again simplifies, clearly, to: (IMPLIES (GOOD-STATE-OF-SIZE STATE 0) (EQUAL (NUMBER-WITH-AT-LEAST STATE N 0) (LENGTH STATE))), which we will name *1. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (NOT (NUMBERP SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). We gave this the name *1 above. Perhaps we can prove it by induction. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE N SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates the following five new formulas: Case 5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, rewriting with the lemma EQUAL-LENGTH-0, and expanding the function GOOD-STATE-OF-SIZE, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, rewriting with EQUAL-LENGTH-0, and opening up GOOD-STATE-OF-SIZE, ZEROP, LENGTH, NUMBER-WITH-AT-LEAST, NAT-TO-BV, and LESSP-BV, to: (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N 0) (ADD1 (LENGTH (CDR STATE))))). This again simplifies, rewriting with EQUAL-LENGTH-0, and opening up the definitions of EQUAL, NAT-TO-BV, LISTP, LESSP-BV, NUMBERP, and NUMBER-WITH-AT-LEAST, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))). This simplifies, rewriting with EQUAL-LENGTH-0, and expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which simplifies, applying EQUAL-LENGTH-0, and unfolding the definitions of GOOD-STATE-OF-SIZE, ZEROP, LENGTH, NUMBER-WITH-AT-LEAST, NAT-TO-BV, and LESSP-BV, to the new goal: (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) (LENGTH (CDR STATE))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N 0) (ADD1 (LENGTH (CDR STATE))))), which again simplifies, opening up the definitions of EQUAL, NAT-TO-BV, LISTP, and LESSP-BV, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (ZEROP SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) (LENGTH STATE))), which simplifies, opening up the functions GOOD-STATE-OF-SIZE, ZEROP, LISTP, NUMBER-WITH-AT-LEAST, LENGTH, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.6 0.0 ] NUMBER-WITH-AT-LEAST-SIMPLE (PROVE-LEMMA BITP-CAR (REWRITE) (IMPLIES (BVP BV) (BITP (CAR BV)))) WARNING: Note that the rewrite rule BITP-CAR will be stored so as to apply only to terms with the nonrecursive function symbol BITP. WARNING: the previously added lemma, BITP-CAR-BVP, could be applied whenever the newly proposed BITP-CAR could! This formula can be simplified, using the abbreviations BITP and IMPLIES, to: (IMPLIES (AND (BVP BV) (NOT (EQUAL (CAR BV) 0))) (EQUAL (CAR BV) 1)), which simplifies, opening up the definitions of BITP, BVP, CAR, and EQUAL, to: T. Q.E.D. [ 0.0 0.0 0.0 ] BITP-CAR (PROVE-LEMMA CAR-XOR-BV-BETTER (REWRITE) (EQUAL (CAR (XOR-BV X Y)) (IF (AND (LISTP X) (LISTP Y)) (XOR (CAR X) (CAR Y)) 0))) WARNING: the newly proposed lemma, CAR-XOR-BV-BETTER, could be applied whenever the previously added lemma CAR-XOR-BV could. This formula simplifies, unfolding the functions AND and XOR, to 11 new goals: Case 11.(IMPLIES (NOT (LISTP Y)) (EQUAL (CAR (XOR-BV X Y)) 0)), which again simplifies, opening up the definitions of XOR-BV, CAR, and EQUAL, to: T. Case 10.(IMPLIES (AND (EQUAL (CAR X) 0) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This produces the following two new formulas: Case 10.2. (IMPLIES (AND (NOT (LISTP X)) (EQUAL (CAR X) 0) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)). But this further simplifies, rewriting with CAR-NLISTP, and expanding the functions EQUAL, XOR-BV, and CAR, to: T. Case 10.1. (IMPLIES (AND (EQUAL Z 0) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). However this further simplifies, rewriting with CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and opening up the functions XOR, EQUAL, and XOR-BV, to the following two new formulas: Case 10.1.2. (IMPLIES (AND (NOT (NUMBERP (CAR Y))) (NOT (LISTP Y))) (EQUAL (CAR NIL) 0)). But this again simplifies, rewriting with CAR-NLISTP, and expanding the function NUMBERP, to: T. Case 10.1.1. (IMPLIES (AND (NOT (NUMBERP (CAR Y))) (LISTP Y)) (EQUAL (CAR (CONS 0 (XOR-BV V (CDR Y)))) 0)). This again simplifies, appealing to the lemma CAR-CONS, and expanding the function EQUAL, to: T. Case 9. (IMPLIES (AND (EQUAL (CAR X) 0) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We thus obtain the following two new formulas: Case 9.2. (IMPLIES (AND (NOT (LISTP X)) (EQUAL (CAR X) 0) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)). This further simplifies, rewriting with CAR-NLISTP, and expanding EQUAL, XOR-BV, and CAR, to: T. Case 9.1. (IMPLIES (AND (EQUAL Z 0) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). However this further simplifies, applying CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and opening up the functions XOR and XOR-BV, to the following two new formulas: Case 9.1.2. (IMPLIES (AND (EQUAL (CAR Y) 0) (NOT (LISTP Y))) (EQUAL (CAR NIL) 0)). This again simplifies, rewriting with CAR-NLISTP, and opening up the definitions of EQUAL and CAR, to: T. Case 9.1.1. (IMPLIES (AND (EQUAL (CAR Y) 0) (LISTP Y)) (EQUAL (CAR (CONS 0 (XOR-BV V (CDR Y)))) 0)). However this again simplifies, applying CAR-CONS, and opening up EQUAL, to: T. Case 8. (IMPLIES (AND (NOT (NUMBERP (CAR X))) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This generates two new conjectures: Case 8.2. (IMPLIES (AND (NOT (LISTP X)) (NOT (NUMBERP (CAR X))) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 0)), which further simplifies, appealing to the lemma CAR-NLISTP, and expanding the function NUMBERP, to: T. Case 8.1. (IMPLIES (AND (NOT (NUMBERP Z)) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)), which further simplifies, rewriting with CDR-CONS, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and opening up the definitions of XOR, EQUAL, and XOR-BV, to the following two new conjectures: Case 8.1.2. (IMPLIES (AND (NOT (NUMBERP Z)) (EQUAL (CAR Y) 0) (NOT (LISTP Y))) (EQUAL (CAR NIL) 0)). However this again simplifies, rewriting with CAR-NLISTP, and expanding EQUAL and CAR, to: T. Case 8.1.1. (IMPLIES (AND (NOT (NUMBERP Z)) (EQUAL (CAR Y) 0) (LISTP Y)) (EQUAL (CAR (CONS 0 (XOR-BV V (CDR Y)))) 0)). However this again simplifies, rewriting with CAR-CONS, and opening up the function EQUAL, to: T. Case 7. (IMPLIES (AND (NOT (NUMBERP (CAR X))) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). This generates two new formulas: Case 7.2. (IMPLIES (AND (NOT (LISTP X)) (NOT (NUMBERP (CAR X))) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 0)), which further simplifies, applying the lemma CAR-NLISTP, and unfolding NUMBERP, to: T. Case 7.1. (IMPLIES (AND (NOT (NUMBERP Z)) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)), which further simplifies, appealing to the lemmas CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and unfolding XOR and XOR-BV, to two new conjectures: Case 7.1.2. (IMPLIES (AND (NOT (NUMBERP Z)) (NOT (NUMBERP (CAR Y))) (NOT (LISTP Y))) (EQUAL (CAR NIL) 0)), which again simplifies, applying CAR-NLISTP, and opening up NUMBERP, to: T. Case 7.1.1. (IMPLIES (AND (NOT (NUMBERP Z)) (NOT (NUMBERP (CAR Y))) (LISTP Y)) (EQUAL (CAR (CONS 0 (XOR-BV V (CDR Y)))) 0)). However this again simplifies, appealing to the lemma CAR-CONS, and opening up the function EQUAL, to: T. Case 6. (IMPLIES (AND (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 0)). Applying the lemma CAR-CDR-ELIM, replace X by (CONS Z V) to eliminate (CAR X) and (CDR X). We would thus like to prove the following two new conjectures: Case 6.2. (IMPLIES (AND (NOT (LISTP X)) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 0)). This further simplifies, rewriting with CAR-NLISTP, and unfolding the function EQUAL, to: T. Case 6.1. (IMPLIES (AND (NOT (EQUAL Z 0)) (NUMBERP Z) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV (CONS Z V) Y)) 0)). But this further simplifies, rewriting with CDR-CONS, COMMUTATIVITY-OF-XOR, CAR-CONS, and COMMUTATIVITY-OF-XOR-BV, and expanding XOR and XOR-BV, to the following two new goals: Case 6.1.2. (IMPLIES (AND (NOT (EQUAL Z 0)) (NUMBERP Z) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y)) (NOT (LISTP Y))) (EQUAL (CAR NIL) 0)). This again simplifies, applying CAR-NLISTP, and opening up the function EQUAL, to: T. Case 6.1.1. (IMPLIES (AND (NOT (EQUAL Z 0)) (NUMBERP Z) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y)) (LISTP Y)) (EQUAL (CAR (CONS 0 (XOR-BV V (CDR Y)))) 0)). However this again simplifies, applying CAR-CONS, and expanding the function EQUAL, to: T. Case 5. (IMPLIES (NOT (LISTP X)) (EQUAL (CAR (XOR-BV X Y)) 0)). But this again simplifies, unfolding the definitions of XOR-BV, CAR, and EQUAL, to: T. Case 4. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (NOT (NUMBERP (CAR Y)))) (EQUAL (CAR (XOR-BV X Y)) 1)), which again simplifies, rewriting with CAR-XOR-BV, and opening up the definitions of XOR and EQUAL, to: T. Case 3. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (EQUAL (CAR X) 0)) (NUMBERP (CAR X)) (EQUAL (CAR Y) 0)) (EQUAL (CAR (XOR-BV X Y)) 1)). However this again simplifies, appealing to the lemmas COMMUTATIVITY-OF-XOR and CAR-XOR-BV, and expanding the functions EQUAL and XOR, to: T. Case 2. (IMPLIES (AND (LISTP X) (LISTP Y) (NOT (NUMBERP (CAR X))) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 1)), which again simplifies, rewriting with CAR-XOR-BV, and unfolding XOR and EQUAL, to: T. Case 1. (IMPLIES (AND (LISTP X) (LISTP Y) (EQUAL (CAR X) 0) (NOT (EQUAL (CAR Y) 0)) (NUMBERP (CAR Y))) (EQUAL (CAR (XOR-BV X Y)) 1)). This again simplifies, applying CAR-XOR-BV, and opening up EQUAL and XOR, to: T. Q.E.D. [ 0.0 0.1 0.1 ] CAR-XOR-BV-BETTER (PROVE-LEMMA XOR-BV-INVERSE-2 (REWRITE) (EQUAL (XOR-BV B (XOR-BV A A)) (FIRSTN (FIX-XOR-BV B) (MIN (LENGTH A) (LENGTH B))))) WARNING: the previously added lemma, COMMUTATIVITY2-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-INVERSE-2 could! WARNING: the previously added lemma, COMMUTATIVITY-OF-XOR-BV, could be applied whenever the newly proposed XOR-BV-INVERSE-2 could! This simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV, XOR-BV-INVERSE, and COMMUTATIVITY2-OF-XOR-BV, and opening up MIN, to: T. Q.E.D. [ 0.0 0.0 0.0 ] XOR-BV-INVERSE-2 (PROVE-LEMMA LENGTH-FIX-XOR-BV (REWRITE) (EQUAL (LENGTH (FIX-XOR-BV X)) (LENGTH X))) Give the conjecture the name *1. We will appeal to induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following two new conjectures: Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LENGTH (FIX-XOR-BV (CDR X))) (LENGTH (CDR X)))) (EQUAL (LENGTH (FIX-XOR-BV X)) (LENGTH X))). This simplifies, applying CDR-CONS, and opening up the functions FIX-XOR-BV, FIX-BIT, and LENGTH, to: T. Case 1. (IMPLIES (NOT (LISTP X)) (EQUAL (LENGTH (FIX-XOR-BV X)) (LENGTH X))), which simplifies, unfolding the functions FIX-XOR-BV, LENGTH, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LENGTH-FIX-XOR-BV (PROVE-LEMMA XOR-BVS-PUT (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH VALUE) SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV (GET PLACE STATE) (XOR-BV VALUE (XOR-BVS STATE))))) ((DISABLE EQUAL-BITP-SIMPLIFY))) WARNING: Note that XOR-BVS-PUT contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This formula simplifies, rewriting with COMMUTATIVITY-OF-XOR-BV and COMMUTATIVITY2-OF-XOR-BV, to: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE (LENGTH VALUE)) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))), which we will name *1. Perhaps we can prove it by induction. Eight inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 PLACE) VALUE (CDR STATE))) (p PLACE VALUE STATE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE VALUE STATE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for PLACE. The above induction scheme generates the following four new formulas: Case 4. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE))) (GOOD-STATE-OF-SIZE STATE (LENGTH VALUE)) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))). This simplifies, applying LESSP-LENGTH, and unfolding GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (GOOD-STATE-OF-SIZE STATE (LENGTH VALUE)) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))), which simplifies, using linear arithmetic, applying LESSP-LENGTH, CDR-NLISTP, CAR-NLISTP, GET-OF-BAD-PLACE, COMMUTATIVITY-OF-XOR-BV, and BVP-FIX-XOR-BV-IDENTITY, and opening up GOOD-STATE-OF-SIZE, LENGTH, PUT, XOR-BVS, XOR-BV, and LISTP, to the following seven new conjectures: Case 3.7. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (XOR-BVS (CONS 0 (PUT (SUB1 PLACE) VALUE (CDR STATE)))) NIL)). However this again simplifies, using linear arithmetic, to: T. Case 3.6. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (EQUAL PLACE 0)) (EQUAL (XOR-BVS (CONS VALUE 0)) NIL)), which again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (NOT (NUMBERP PLACE))) (EQUAL (XOR-BVS (CONS VALUE 0)) NIL)), which again simplifies, using linear arithmetic, to: T. Case 3.4. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (LESSP PLACE 1)) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))), which again simplifies, rewriting with SUB1-ADD1, CAR-CONS, CDR-CONS, BVP-FIX-XOR-BV-IDENTITY, and COMMUTATIVITY-OF-XOR-BV, and opening up the functions LESSP, EQUAL, PUT, XOR-BVS, GET, and NUMBERP, to the following four new goals: Case 3.4.4. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (EQUAL PLACE 0) (NOT (LISTP (CDR STATE)))) (EQUAL (FIX-XOR-BV VALUE) (XOR-BV VALUE (XOR-BV (CAR STATE) (CAR STATE))))). However this again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LENGTH-FIX-XOR-BV, FIRSTN-NOOP, and XOR-BV-INVERSE-2, and opening up the functions SUB1, LESSP, and MIN, to: T. Case 3.4.3. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (EQUAL PLACE 0) (LISTP (CDR STATE))) (EQUAL (XOR-BV VALUE (XOR-BVS (CDR STATE))) (XOR-BV VALUE (XOR-BV (CAR STATE) (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))))))), which again simplifies, applying EQUAL-LENGTH-0, and opening up the definitions of SUB1, EQUAL, and LESSP, to: T. Case 3.4.2. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (NOT (NUMBERP PLACE)) (NOT (LISTP (CDR STATE)))) (EQUAL (FIX-XOR-BV VALUE) (XOR-BV VALUE (XOR-BV (CAR STATE) (CAR STATE))))). But this again simplifies, using linear arithmetic, rewriting with LENGTH-FIX-XOR-BV, FIRSTN-NOOP, and XOR-BV-INVERSE-2, and unfolding the definition of MIN, to: T. Case 3.4.1. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (NOT (NUMBERP PLACE)) (LISTP (CDR STATE))) (EQUAL (XOR-BV VALUE (XOR-BVS (CDR STATE))) (XOR-BV VALUE (XOR-BV (CAR STATE) (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))))))). But this again simplifies, using linear arithmetic, applying BVP-XOR-BVS, BVP-FIX-XOR-BV-IDENTITY, LENGTH-XOR-BVS, FIRSTN-NOOP, and XOR-BV-INVERSE, and opening up the function MIN, to: T. Case 3.3. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP PLACE 1)) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (XOR-BVS (CONS (CAR STATE) (PUT (SUB1 PLACE) VALUE (CDR STATE)))) NIL)). But this again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP PLACE 1)) (EQUAL PLACE 0)) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) NIL)), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP PLACE 1)) (NOT (NUMBERP PLACE))) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) NIL)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (GOOD-STATE-OF-SIZE STATE (LENGTH VALUE)) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))), which simplifies, using linear arithmetic, applying the lemmas LESSP-LENGTH, CDR-NLISTP, CAR-NLISTP, GET-OF-BAD-PLACE, COMMUTATIVITY-OF-XOR-BV, and BVP-FIX-XOR-BV-IDENTITY, and opening up the functions GOOD-STATE-OF-SIZE, LENGTH, PUT, XOR-BVS, XOR-BV, LISTP, and GET, to nine new goals: Case 2.9. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (XOR-BVS (CONS 0 (PUT (SUB1 PLACE) VALUE (CDR STATE)))) NIL)), which again simplifies, using linear arithmetic, to: T. Case 2.8. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (EQUAL PLACE 0)) (EQUAL (XOR-BVS (CONS VALUE 0)) NIL)), which again simplifies, using linear arithmetic, to: T. Case 2.7. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (NOT (LISTP STATE)) (LESSP PLACE 0) (NOT (NUMBERP PLACE))) (EQUAL (XOR-BVS (CONS VALUE 0)) NIL)), which again simplifies, using linear arithmetic, to: T. Case 2.6. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (NOT (LISTP (CDR STATE)))) (EQUAL (XOR-BVS (CONS (CAR STATE) (PUT (SUB1 PLACE) VALUE (CDR STATE)))) (XOR-BV VALUE (XOR-BV (CAR STATE) (GET (SUB1 PLACE) (CDR STATE)))))), which again simplifies, rewriting with the lemmas LISTP-XOR-BVS, COMMUTATIVITY-OF-XOR-BV, SUB1-ADD1, and LESSP-LENGTH, and expanding the definitions of XOR-BV, LISTP, and LESSP, to: T. Case 2.5. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE) (LISTP (CDR STATE))) (EQUAL (XOR-BVS (CONS (CAR STATE) (PUT (SUB1 PLACE) VALUE (CDR STATE)))) (XOR-BV VALUE (XOR-BV (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (GET (SUB1 PLACE) (CDR STATE)))))), which again simplifies, applying SUB1-ADD1, LESSP-LENGTH, CAR-CONS, CDR-CONS, and ASSOCIATIVITY-OF-XOR-BV, and expanding the definitions of LESSP and XOR-BVS, to: (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP (SUB1 PLACE) (LENGTH (CDR STATE))) (NOT (EQUAL PLACE 0)) (NUMBERP PLACE)) (EQUAL (XOR-BV (CAR STATE) (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE)))) (XOR-BV VALUE (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))))). Applying the lemma SUB1-ELIM, replace PLACE by (ADD1 X) to eliminate (SUB1 PLACE). We employ the type restriction lemma noted when SUB1 was introduced to restrict the new variable. This produces: (IMPLIES (AND (NUMBERP X) (EQUAL (XOR-BVS (PUT X VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET X (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP X (LENGTH (CDR STATE))) (NOT (EQUAL (ADD1 X) 0))) (EQUAL (XOR-BV (CAR STATE) (XOR-BVS (PUT X VALUE (CDR STATE)))) (XOR-BV VALUE (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET X (CDR STATE))))))), which further simplifies, obviously, to: (IMPLIES (AND (NUMBERP X) (EQUAL (XOR-BVS (PUT X VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET X (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP X (LENGTH (CDR STATE)))) (EQUAL (XOR-BV (CAR STATE) (XOR-BVS (PUT X VALUE (CDR STATE)))) (XOR-BV VALUE (XOR-BV (CAR STATE) (XOR-BV (XOR-BVS (CDR STATE)) (GET X (CDR STATE))))))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS V Z) to eliminate (CDR STATE) and (CAR STATE). We thus obtain the new conjecture: (IMPLIES (AND (NUMBERP X) (EQUAL (XOR-BVS (PUT X VALUE Z)) (XOR-BV VALUE (XOR-BV (XOR-BVS Z) (GET X Z)))) (BVP V) (EQUAL (LENGTH V) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE Z (LENGTH VALUE)) (LESSP X (LENGTH Z))) (EQUAL (XOR-BV V (XOR-BVS (PUT X VALUE Z))) (XOR-BV VALUE (XOR-BV V (XOR-BV (XOR-BVS Z) (GET X Z)))))), which finally simplifies, applying COMMUTATIVITY2-OF-XOR-BV, to: T. Case 2.4. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (EQUAL PLACE 0) (NOT (LISTP (CDR STATE)))) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (CAR STATE) (CAR STATE))))). However this again simplifies, using linear arithmetic, appealing to the lemmas CDR-NLISTP, CAR-CONS, CDR-CONS, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, COMMUTATIVITY-OF-XOR-BV, FIRSTN-NOOP, and XOR-BV-INVERSE-2, and opening up the definitions of SUB1, EQUAL, PUT, LISTP, XOR-BVS, LESSP, XOR-BV, MIN, and LENGTH, to: T. Case 2.3. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (NUMBERP PLACE)) (NOT (LISTP (CDR STATE)))) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (CAR STATE) (CAR STATE))))), which again simplifies, using linear arithmetic, applying LISTP-XOR-BVS, COMMUTATIVITY-OF-XOR-BV, CAR-CONS, CDR-CONS, LENGTH-FIX-XOR-BV, FIRSTN-NOOP, and XOR-BV-INVERSE-2, and unfolding XOR-BV, LISTP, LESSP, XOR-BVS, and MIN, to: T. Case 2.2. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (EQUAL PLACE 0) (LISTP (CDR STATE))) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (CAR STATE))))). This again simplifies, using linear arithmetic, applying the lemmas CAR-CONS, CDR-CONS, COMMUTATIVITY-OF-XOR-BV, BVP-XOR-BVS, BVP-FIX-XOR-BV-IDENTITY, LENGTH-XOR-BVS, FIRSTN-NOOP, XOR-BV-INVERSE, and ASSOCIATIVITY-OF-XOR-BV, and opening up the functions SUB1, EQUAL, PUT, XOR-BVS, GET, LESSP, and MIN, to: T. Case 2.1. (IMPLIES (AND (EQUAL (XOR-BVS (PUT (SUB1 PLACE) VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BVS (CDR STATE)) (GET (SUB1 PLACE) (CDR STATE))))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH VALUE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH VALUE)) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (NUMBERP PLACE)) (LISTP (CDR STATE))) (EQUAL (XOR-BVS (CONS VALUE (CDR STATE))) (XOR-BV VALUE (XOR-BV (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (CAR STATE))))), which again simplifies, using linear arithmetic, appealing to the lemmas CAR-CONS, CDR-CONS, COMMUTATIVITY-OF-XOR-BV, BVP-XOR-BVS, BVP-FIX-XOR-BV-IDENTITY, LENGTH-XOR-BVS, FIRSTN-NOOP, XOR-BV-INVERSE, and ASSOCIATIVITY-OF-XOR-BV, and expanding LESSP, XOR-BVS, and MIN, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE (LENGTH VALUE)) (LESSP PLACE (LENGTH STATE))) (EQUAL (XOR-BVS (PUT PLACE VALUE STATE)) (XOR-BV VALUE (XOR-BV (XOR-BVS STATE) (GET PLACE STATE))))), which simplifies, rewriting with LESSP-LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 2.2 0.0 ] XOR-BVS-PUT (DEFN TRIPLE-CDR-INDUCTION (A B C) (IF (AND (LISTP A) (LISTP B) (LISTP C)) (TRIPLE-CDR-INDUCTION (CDR A) (CDR B) (CDR C)) T)) Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each recursive call. Hence, TRIPLE-CDR-INDUCTION is accepted under the principle of definition. There are two other measures and well-founded functions explaining the recursion above. Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND can be used to prove that the measure (COUNT B) decreases according to the well-founded relation LESSP in each recursive call. In addition, linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND can be used to show that the measure (COUNT C) decreases according to the well-founded relation LESSP in each recursive call. Note that: (TRUEP (TRIPLE-CDR-INDUCTION A B C)) is a theorem. [ 0.0 0.0 0.0 ] TRIPLE-CDR-INDUCTION (PROVE-LEMMA ALL-ZEROS-XOR-BV-IDENTITY (REWRITE) (IMPLIES (AND (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (LENGTH B) (LENGTH C)) (ALL-ZEROS C)) (EQUAL (ALL-ZEROS (XOR-BV A (XOR-BV B C))) (EQUAL (FIX-XOR-BV A) (FIX-XOR-BV B)))) ((DISABLE EQUAL-BITP-SIMPLIFY) (INDUCT (TRIPLE-CDR-INDUCTION A B C)))) This formula can be simplified, using the abbreviations IMPLIES, NOT, OR, and AND, to the following two new conjectures: Case 2. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (IMPLIES (AND (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C))) (ALL-ZEROS (CDR C))) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))) (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (LENGTH B) (LENGTH C)) (ALL-ZEROS C)) (EQUAL (ALL-ZEROS (XOR-BV A (XOR-BV B C))) (EQUAL (FIX-XOR-BV A) (FIX-XOR-BV B)))). This simplifies, applying the lemmas ADD1-EQUAL, COMMUTATIVITY-OF-XOR, CDR-CONS, CAR-CONS, and CONS-EQUAL, and unfolding the functions AND, IMPLIES, LENGTH, ALL-ZEROS, XOR, EQUAL, XOR-BV, FIX-BIT, and FIX-XOR-BV, to the following five new goals: Case 2.5. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (NOT (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C)))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR C))) (EQUAL (CAR C) 0) (ALL-ZEROS (CDR C)) (NOT (EQUAL (CAR B) 0)) (NUMBERP (CAR B)) (NOT (EQUAL (CAR A) 0)) (NUMBERP (CAR A))) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))). However this again simplifies, using linear arithmetic, to: T. Case 2.4. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (NOT (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C)))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR C))) (EQUAL (CAR C) 0) (ALL-ZEROS (CDR C)) (NOT (NUMBERP (CAR B))) (NOT (NUMBERP (CAR A)))) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))), which again simplifies, using linear arithmetic, to: T. Case 2.3. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (NOT (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C)))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR C))) (EQUAL (CAR C) 0) (ALL-ZEROS (CDR C)) (NOT (NUMBERP (CAR B))) (EQUAL (CAR A) 0)) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))), which again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (NOT (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C)))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR C))) (EQUAL (CAR C) 0) (ALL-ZEROS (CDR C)) (EQUAL (CAR B) 0) (NOT (NUMBERP (CAR A)))) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))), which again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (LISTP A) (LISTP B) (LISTP C) (NOT (EQUAL (LENGTH (CDR B)) (LENGTH (CDR C)))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR C))) (EQUAL (CAR C) 0) (ALL-ZEROS (CDR C)) (EQUAL (CAR B) 0) (EQUAL (CAR A) 0)) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (XOR-BV (CDR B) (CDR C)))) (EQUAL (FIX-XOR-BV (CDR A)) (FIX-XOR-BV (CDR B))))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (AND (LISTP A) (LISTP B) (LISTP C))) (EQUAL (LENGTH A) (LENGTH B)) (EQUAL (LENGTH B) (LENGTH C)) (ALL-ZEROS C)) (EQUAL (ALL-ZEROS (XOR-BV A (XOR-BV B C))) (EQUAL (FIX-XOR-BV A) (FIX-XOR-BV B)))), which simplifies, applying EQUAL-LENGTH-0 and COMMUTATIVITY-OF-XOR-BV, and opening up the functions AND, LENGTH, ALL-ZEROS, XOR-BV, LISTP, FIX-XOR-BV, and EQUAL, to the new conjecture: (IMPLIES (AND (NOT (LISTP C)) (EQUAL (LENGTH A) (LENGTH B)) (NOT (LISTP A))) (EQUAL NIL (FIX-XOR-BV B))), which again simplifies, rewriting with the lemma EQUAL-LENGTH-0, and expanding the functions LENGTH, FIX-XOR-BV, and EQUAL, to: T. Q.E.D. [ 0.0 16.6 0.0 ] ALL-ZEROS-XOR-BV-IDENTITY (PROVE-LEMMA LENGTH-GET (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (LENGTH (GET PLACE STATE)) (FIX SIZE)))) WARNING: Note that LENGTH-GET contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE STATE SIZE). This simplifies, opening up the function FIX, to two new goals: Case 2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NOT (NUMBERP SIZE))) (EQUAL (LENGTH (GET PLACE STATE)) 0)), which again simplifies, rewriting with LISTP-GET, and unfolding the functions LESSP, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NUMBERP SIZE)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)). Give the above formula the name *1. We will appeal to induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (p (SUB1 PLACE) (CDR STATE) SIZE)) (p PLACE STATE SIZE)) (IMPLIES (NOT (LISTP STATE)) (p PLACE STATE SIZE))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for PLACE. The above induction scheme generates the following four new conjectures: Case 4. (IMPLIES (AND (LISTP STATE) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NUMBERP SIZE)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)). This simplifies, rewriting with LESSP-LENGTH, and expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NUMBERP SIZE)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)), which simplifies, using linear arithmetic, rewriting with LESSP-LENGTH and GET-OF-BAD-PLACE, and unfolding the functions GOOD-STATE-OF-SIZE and LENGTH, to the following three new goals: Case 3.3. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP PLACE 0)) (EQUAL 0 SIZE)). But this again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (LESSP PLACE 1)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)), which again simplifies, rewriting with the lemma SUB1-ADD1, and expanding the definitions of LESSP, EQUAL, GET, and NUMBERP, to: T. Case 3.1. (IMPLIES (AND (NOT (LESSP (SUB1 PLACE) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP PLACE 1))) (EQUAL 0 SIZE)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (EQUAL (LENGTH (GET (SUB1 PLACE) (CDR STATE))) SIZE) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NUMBERP SIZE)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)), which simplifies, using linear arithmetic, applying LESSP-LENGTH, GET-OF-BAD-PLACE, and EQUAL-LENGTH-0, and expanding the functions LENGTH and GET, to the following three new goals: Case 2.3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE (LENGTH (GET (SUB1 PLACE) (CDR STATE)))) (NOT (LISTP STATE)) (LESSP PLACE 0)) (NOT (LISTP (GET (SUB1 PLACE) (CDR STATE))))). This again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE (LENGTH (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (NOT (NUMBERP PLACE))) (EQUAL (LENGTH (CAR STATE)) (LENGTH (GET (SUB1 PLACE) (CDR STATE))))), which again simplifies, expanding the definition of GOOD-STATE-OF-SIZE, to: T. Case 2.1. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE (LENGTH (GET (SUB1 PLACE) (CDR STATE)))) (LISTP STATE) (LESSP PLACE (ADD1 (LENGTH (CDR STATE)))) (EQUAL PLACE 0)) (EQUAL (LENGTH (CAR STATE)) (LENGTH (GET (SUB1 PLACE) (CDR STATE))))), which again simplifies, rewriting with LENGTH-CAR-STATE, and expanding SUB1, EQUAL, GET, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP PLACE (LENGTH STATE)) (NUMBERP SIZE)) (EQUAL (LENGTH (GET PLACE STATE)) SIZE)). This simplifies, appealing to the lemma LESSP-LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 1.0 0.0 ] LENGTH-GET (PROVE-LEMMA ALL-ZEROS-XOR-BVS-PUT (REWRITE) (IMPLIES (AND (ALL-ZEROS (XOR-BVS STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH VALUE) SIZE) (LESSP PLACE (LENGTH STATE))) (EQUAL (ALL-ZEROS (XOR-BVS (PUT PLACE VALUE STATE))) (EQUAL (FIX-XOR-BV VALUE) (GET PLACE STATE)))) ((USE (ALL-ZEROS-XOR-BV-IDENTITY (A VALUE) (B (GET PLACE STATE)) (C (XOR-BVS STATE)))) (DISABLE ALL-ZEROS-XOR-BV-IDENTITY))) WARNING: Note that ALL-ZEROS-XOR-BVS-PUT contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). This formula simplifies, using linear arithmetic, applying the lemmas LENGTH-GET, LESSP-LENGTH, LENGTH-XOR-BVS, COMMUTATIVITY-OF-XOR-BV, BVP-GET, BVP-FIX-XOR-BV-IDENTITY, COMMUTATIVITY2-OF-XOR-BV, XOR-BVS-PUT, BVP-XOR-BVS, FIRSTN-NOOP, XOR-BV-INVERSE, and XOR-BV-FIX-XOR-BV, and expanding the definitions of AND, IMPLIES, EQUAL, and MIN, to: T. Q.E.D. [ 0.0 1.6 0.0 ] ALL-ZEROS-XOR-BVS-PUT (PROVE-LEMMA LESSP-BV-X-X (REWRITE) (NOT (LESSP-BV X X))) Name the conjecture *1. We will appeal to induction. Two inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP X) (LISTP X)) (p (CDR X))) (p X)) (IMPLIES (NOT (AND (LISTP X) (LISTP X))) (p X))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND can be used to show that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new goals: Case 2. (IMPLIES (AND (AND (LISTP X) (LISTP X)) (NOT (LESSP-BV (CDR X) (CDR X)))) (NOT (LESSP-BV X X))), which simplifies, unfolding the definitions of AND and LESSP-BV, to the goal: (IMPLIES (AND (LISTP X) (NOT (LESSP-BV (CDR X) (CDR X)))) (NOT (LESSP (CAR X) (CAR X)))). This again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (NOT (AND (LISTP X) (LISTP X))) (NOT (LESSP-BV X X))), which simplifies, unfolding AND and LESSP-BV, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LESSP-BV-X-X (PROVE-LEMMA PUT-GET (REWRITE) (IMPLIES (LESSP X (LENGTH STATE)) (EQUAL (PUT X (GET X STATE) STATE) STATE))) Call the conjecture *1. We will try to prove it by induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (p X STATE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL X 0) (NOT (NUMBERP X)))) (p X STATE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (p (SUB1 X) (CDR STATE))) (p X STATE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme generates four new goals: Case 4. (IMPLIES (AND (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (LESSP X (LENGTH STATE))) (EQUAL (PUT X (GET X STATE) STATE) STATE)), which simplifies, appealing to the lemma LESSP-LENGTH, and unfolding LENGTH, NOT, and OR, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL X 0) (NOT (NUMBERP X))) (LESSP X (LENGTH STATE))) (EQUAL (PUT X (GET X STATE) STATE) STATE)), which simplifies, rewriting with the lemmas LESSP-LENGTH and CONS-CAR-CDR, and expanding the functions LENGTH, NOT, OR, EQUAL, LESSP, GET, and PUT, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (LESSP X (LENGTH STATE))) (EQUAL (PUT X (GET X STATE) STATE) STATE)), which simplifies, using linear arithmetic, applying the lemmas LESSP-LENGTH, GET-OF-BAD-PLACE, CDR-NLISTP, CAR-NLISTP, CAR-CONS, and CDR-CONS, and opening up the definitions of LENGTH, NOT, OR, and PUT, to three new formulas: Case 2.3. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (NOT (LISTP STATE))) (NOT (LESSP X 0))), which again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP X (ADD1 (LENGTH (CDR STATE)))) (LESSP X 1)) (EQUAL (PUT X (GET X STATE) STATE) STATE)), which again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP X (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP X 1))) (EQUAL (CONS (CAR STATE) (PUT (SUB1 X) 0 (CDR STATE))) STATE)), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL X 0) (NOT (NUMBERP X)))) (EQUAL (PUT (SUB1 X) (GET (SUB1 X) (CDR STATE)) (CDR STATE)) (CDR STATE)) (LESSP X (LENGTH STATE))) (EQUAL (PUT X (GET X STATE) STATE) STATE)), which simplifies, using linear arithmetic, applying the lemmas LESSP-LENGTH, GET-OF-BAD-PLACE, CDR-NLISTP, CAR-NLISTP, and CONS-CAR-CDR, and opening up LENGTH, NOT, OR, PUT, and GET, to: (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (PUT (SUB1 X) (GET (SUB1 X) (CDR STATE)) (CDR STATE)) (CDR STATE)) (NOT (LISTP STATE))) (NOT (LESSP X 0))). But this again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] PUT-GET (PROVE-LEMMA GET-MEANS-NUMBER-WITH-AT-LEAST (REWRITE) (IMPLIES (AND (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))) (LESSP X (LENGTH STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)))) WARNING: Note that GET-MEANS-NUMBER-WITH-AT-LEAST contains the free variable X which will be chosen by instantiating the hypothesis: (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))). Name the conjecture *1. We will appeal to induction. The recursive terms in the conjecture suggest five inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP X) (p STATE N SIZE X)) (IMPLIES (AND (NOT (ZEROP X)) (p (CDR STATE) N SIZE (SUB1 X))) (p STATE N SIZE X))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme generates the following four new conjectures: Case 4. (IMPLIES (AND (ZEROP X) (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))) (LESSP X (LENGTH STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0))). This simplifies, unfolding the definitions of ZEROP, EQUAL, GET, LENGTH, LESSP, and NUMBER-WITH-AT-LEAST, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP X)) (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE)) (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))) (LESSP X (LENGTH STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0))). This simplifies, unfolding the definitions of ZEROP and GET, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))) (LESSP X (LENGTH STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0))). This simplifies, opening up the definitions of ZEROP, GET, LENGTH, NUMBER-WITH-AT-LEAST, and EQUAL, to the following three new formulas: Case 2.3. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (NOT (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE))) (NOT (LISTP STATE))) (NOT (LESSP X 0))). This again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (NOT (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE))) (LISTP STATE) (LESSP X (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE)) 0))), which again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (LENGTH (CDR STATE)))) (NOT (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE))) (LISTP STATE) (LESSP X (ADD1 (LENGTH (CDR STATE)))) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0))), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP X)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (NOT (LESSP-BV (GET X STATE) (NAT-TO-BV N SIZE))) (LESSP X (LENGTH STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0))), which simplifies, expanding the functions ZEROP, GET, LENGTH, NUMBER-WITH-AT-LEAST, and EQUAL, to two new formulas: Case 1.2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (NOT (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE))) (NOT (LISTP STATE))) (NOT (LESSP X 0))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (NOT (LESSP-BV (GET (SUB1 X) (CDR STATE)) (NAT-TO-BV N SIZE))) (LISTP STATE) (LESSP X (ADD1 (LENGTH (CDR STATE)))) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE)) 0))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.6 0.0 ] GET-MEANS-NUMBER-WITH-AT-LEAST (PROVE-LEMMA NUMBER-WITH-AT-LEAST-PUT (REWRITE) (IMPLIES (AND (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (IF (LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE)))))) This conjecture simplifies, obviously, to the following four new goals: Case 4. (IMPLIES (AND (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (GET P STATE) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))). Name the above subgoal *1. Case 3. (IMPLIES (AND (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (GET P STATE) (NAT-TO-BV N (LENGTH V)))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V))))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N (LENGTH V)) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))), which we named *1 above. We will appeal to induction. The recursive terms in the conjecture suggest 15 inductions. They merge into three likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (p P V STATE N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL P 0) (NOT (NUMBERP P)))) (p P V STATE N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL P 0) (NOT (NUMBERP P)))) (p (SUB1 P) V (CDR STATE) N SIZE)) (p P V STATE N SIZE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to show that the measure (COUNT P) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for STATE. The above induction scheme generates five new goals: Case 5. (IMPLIES (AND (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE)))) (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))), which simplifies, rewriting with LESSP-LENGTH, and opening up LENGTH, NOT, and OR, to: T. Case 4. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (OR (EQUAL P 0) (NOT (NUMBERP P))) (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))). This simplifies, applying the lemmas LESSP-LENGTH, CDR-CONS, and CAR-CONS, and opening up LENGTH, NOT, OR, EQUAL, LESSP, PUT, NUMBER-WITH-AT-LEAST, and GET, to the following eight new formulas: Case 4.8. (IMPLIES (AND (EQUAL P 0) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))). However this again simplifies, applying SUB1-ADD1, and opening up the function NUMBER-WITH-AT-LEAST, to: T. Case 4.7. (IMPLIES (AND (EQUAL P 0) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))). But this again simplifies, unfolding NUMBER-WITH-AT-LEAST, to: T. Case 4.6. (IMPLIES (AND (EQUAL P 0) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))) (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))), which again simplifies, unfolding the definition of NUMBER-WITH-AT-LEAST, to: T. Case 4.5. (IMPLIES (AND (EQUAL P 0) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (ADD1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))), which again simplifies, opening up NUMBER-WITH-AT-LEAST, to: T. Case 4.4. (IMPLIES (AND (NOT (NUMBERP P)) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))), which again simplifies, applying SUB1-ADD1, and expanding the function NUMBER-WITH-AT-LEAST, to: T. Case 4.3. (IMPLIES (AND (NOT (NUMBERP P)) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))). But this again simplifies, unfolding the definition of NUMBER-WITH-AT-LEAST, to: T. Case 4.2. (IMPLIES (AND (NOT (NUMBERP P)) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))) (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))), which again simplifies, expanding the definition of NUMBER-WITH-AT-LEAST, to: T. Case 4.1. (IMPLIES (AND (NOT (NUMBERP P)) (LISTP STATE) (NOT (EQUAL (ADD1 (LENGTH (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE (LENGTH V)) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (ADD1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))), which again simplifies, opening up NUMBER-WITH-AT-LEAST, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL P 0) (NOT (NUMBERP P)))) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))), which simplifies, using linear arithmetic, appealing to the lemmas LESSP-LENGTH, CDR-CONS, CAR-CONS, and GET-OF-BAD-PLACE, and unfolding the functions LENGTH, NOT, OR, GOOD-STATE-OF-SIZE, CDR, CAR, PUT, LESSP-BV, LISTP, NUMBER-WITH-AT-LEAST, and SUB1, to six new formulas: Case 3.6. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (NOT (LISTP STATE)) (LESSP P 0)) (NOT (EQUAL STATE NIL))), which again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (LESSP P 1)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N (LENGTH V)) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N (LENGTH V))) (IF (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)) (ADD1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V))))) ((LESSP-BV V (NAT-TO-BV N (LENGTH V))) (SUB1 (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))) (T (NUMBER-WITH-AT-LEAST STATE N (LENGTH V)))))), which again simplifies, using linear arithmetic, to: T. Case 3.4. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP P 1)) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))), which again simplifies, using linear arithmetic, to: T. Case 3.3. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP P 1)) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V))) (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))))), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP P 1)) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP (SUB1 P) (LENGTH (CDR STATE)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP P 1)) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V))))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V))) (SUB1 (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))))), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL P 0) (NOT (NUMBERP P)))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))), which simplifies, using linear arithmetic, applying the lemmas LESSP-LENGTH and GET-OF-BAD-PLACE, and opening up LENGTH, NOT, OR, GOOD-STATE-OF-SIZE, LISTP, LESSP-BV, NUMBER-WITH-AT-LEAST, and SUB1, to the conjecture: (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V))) (NOT (LISTP STATE)) (LESSP P 0) (EQUAL STATE NIL)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V NIL) N (LENGTH V)) 0)). However this again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL (LENGTH STATE) 0) (NOT (NUMBERP (LENGTH STATE))))) (NOT (OR (EQUAL P 0) (NOT (NUMBERP P)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N SIZE) (COND ((LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE))) (T (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE)))) (LESSP P (LENGTH STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (EQUAL (LENGTH V) SIZE)) (EQUAL (NUMBER-WITH-AT-LEAST (PUT P V STATE) N SIZE) (COND ((LESSP-BV (GET P STATE) (NAT-TO-BV N SIZE)) (IF (LESSP-BV V (NAT-TO-BV N SIZE)) (NUMBER-WITH-AT-LEAST STATE N SIZE) (ADD1 (NUMBER-WITH-AT-LEAST STATE N SIZE)))) ((LESSP-BV V (NAT-TO-BV N SIZE)) (SUB1 (NUMBER-WITH-AT-LEAST STATE N SIZE))) (T (NUMBER-WITH-AT-LEAST STATE N SIZE))))), which simplifies, using linear arithmetic, rewriting with LESSP-LENGTH, CDR-CONS, CAR-CONS, GET-OF-BAD-PLACE, and ADD1-SUB1, and opening up LENGTH, NOT, OR, GOOD-STATE-OF-SIZE, CDR, CAR, PUT, LESSP-BV, LISTP, NUMBER-WITH-AT-LEAST, SUB1, and GET, to the following six new conjectures: Case 1.6. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))) (NOT (LISTP STATE)) (LESSP P 0)) (NOT (EQUAL STATE NIL))). This again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) 0)) (EQUAL 1 (SUB1 (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))))), which again simplifies, rewriting with SUB1-ADD1 and GET-MEANS-NUMBER-WITH-AT-LEAST, and expanding SUB1 and LESSP, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V)))) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (SUB1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))) (LISTP STATE) (LESSP P (ADD1 (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) (LENGTH V)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH V)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH V)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) 0))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)) (SUB1 (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))))). This again simplifies, using linear arithmetic, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (NOT (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V)))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (NOT (LISTP STATE)) (LESSP P 0)) (NOT (EQUAL STATE NIL))), which again simplifies, using linear arithmetic, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V))) (LESSP-BV V (NAT-TO-BV N (LENGTH V))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V))) (NOT (LISTP STATE)) (LESSP P 0)) (NOT (EQUAL STATE NIL))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL P 0)) (NUMBERP P) (LESSP-BV (GET (SUB1 P) (CDR STATE)) (NAT-TO-BV N (LENGTH V))) (NOT (LESSP-BV V (NAT-TO-BV N (LENGTH V)))) (EQUAL (NUMBER-WITH-AT-LEAST (PUT (SUB1 P) V (CDR STATE)) N (LENGTH V)) (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH V)))) (NOT (LISTP STATE)) (LESSP P 0)) (NOT (EQUAL STATE NIL))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 18.5 0.0 ] NUMBER-WITH-AT-LEAST-PUT (PROVE-LEMMA ALL-ZEROS-XOR-BVS-WHEN-LONE-BIG-SIMPLE (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (EQUAL (CAR (XOR-BVS STATE)) 1))) This conjecture simplifies, applying BITP-CAR, BVP-XOR-BVS, and EQUAL-BIT-1, to: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))). Name the above subgoal *1. We will appeal to induction. Three inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1))) (p (CDR STATE))) (p STATE)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1)) (p (CDR STATE))) (p STATE)) (IMPLIES (NOT (LISTP STATE)) (p STATE))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to seven new formulas: Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) 1)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))), which simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and expanding the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, and EQUAL, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))). This simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, EQUAL-LENGTH-1, ADD1-EQUAL, and BVP-FIX-XOR-BV-IDENTITY, and unfolding the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, EQUAL, NUMBER-WITH-AT-LEAST, and XOR-BVS, to two new conjectures: Case 6.2. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0) (NOT (LISTP (CDR STATE)))) (NOT (EQUAL (CAAR STATE) 0))), which again simplifies, using linear arithmetic, to: T. Case 6.1. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0) (LISTP (CDR STATE))) (NOT (EQUAL (CAR (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE)))) 0))), which again simplifies, applying LISTP-XOR-BVS, NUMBERP-CAR-BV, BVP-XOR-BVS, and CAR-XOR-BV-BETTER, and opening up the definitions of EQUAL, LESSP, and XOR, to the following two new formulas: Case 6.1.2. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0) (LISTP (CDR STATE)) (NOT (EQUAL (CAAR STATE) 0))) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)). This again simplifies, using linear arithmetic, appealing to the lemmas EQUAL-BIT-1, BVP-XOR-BVS, BITP-CAR, HIGH-BIT-ON-REASONABLE, and SILLY-LISTP-CDR, and expanding LENGTH, to: (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0) (NOT (EQUAL (CAAR STATE) 0))) (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and X by (CONS V W) to eliminate (CAR X) and (CDR X). This generates: (IMPLIES (AND (NOT (LESSP V 1)) (BVP (CONS V W)) (NOT (LISTP W)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0) (NOT (EQUAL V 0))) (EQUAL (CAR (XOR-BVS Z)) 0)). However this further simplifies, rewriting with CDR-CONS and CAR-CONS, and unfolding BITP, BVP, LISTP, and EQUAL, to the new conjecture: (IMPLIES (AND (NOT (LESSP V 1)) (EQUAL V 1) (EQUAL W NIL) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which again simplifies, expanding the function LESSP, to: (IMPLIES (AND (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)). Finally call the above conjecture *1.1. Case 6.1.1. (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0) (LISTP (CDR STATE)) (EQUAL (CAAR STATE) 0)) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0))). But this again simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1))) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))), which simplifies, using linear arithmetic, appealing to the lemmas EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, EQUAL-LENGTH-1, ADD1-EQUAL, BVP-XOR-BVS, HIGH-BIT-ON-REASONABLE, SILLY-LISTP-CDR, LISTP-XOR-BVS, NUMBERP-CAR-BV, and CAR-XOR-BV-BETTER, and expanding the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, EQUAL, NUMBER-WITH-AT-LEAST, XOR-BVS, LESSP, and XOR, to the goal: (IMPLIES (AND (LISTP STATE) (NOT (LESSP (CAAR STATE) 1)) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (BVP (CAR STATE)) (LISTP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 0)) (EQUAL (CAAR STATE) 0)). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE) and X by (CONS V W) to eliminate (CAR X) and (CDR X). We must thus prove: (IMPLIES (AND (NOT (LESSP V 1)) (NOT (EQUAL (CAR (XOR-BVS Z)) 0)) (BVP (CONS V W)) (NOT (LISTP W)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL V 0)). However this further simplifies, rewriting with CDR-CONS and CAR-CONS, and expanding the functions BITP, BVP, LISTP, and EQUAL, to the new formula: (IMPLIES (AND (NOT (LESSP V 1)) (NOT (EQUAL (CAR (XOR-BVS Z)) 0)) (EQUAL V 1) (EQUAL W NIL) (GOOD-STATE-OF-SIZE Z 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0))), which again simplifies, unfolding the function LESSP, to the formula: (IMPLIES (AND (NOT (EQUAL (CAR (XOR-BVS Z)) 0)) (GOOD-STATE-OF-SIZE Z 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0))). Call the above conjecture *1.2. Case 4. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) 1)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))). This simplifies, rewriting with the lemmas EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and expanding the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, and NUMBERP, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))). This simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and unfolding the definitions of NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, NUMBERP, and NUMBER-WITH-AT-LEAST, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 1)) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))), which simplifies, using linear arithmetic, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, EQUAL-LENGTH-1, BVP-XOR-BVS, HIGH-BIT-ON-REASONABLE, SILLY-LISTP-CDR, LISTP-XOR-BVS, NUMBERP-CAR-BV, and CAR-XOR-BV-BETTER, and opening up NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, NUMBERP, NUMBER-WITH-AT-LEAST, XOR-BVS, LENGTH, LESSP, and XOR, to the new goal: (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (LESSP (CAAR STATE) 1) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (BVP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (EQUAL (CAAR STATE) 0)), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (NUMBERP (CAAR STATE))) (LISTP STATE) (LISTP (CAR STATE)) (LESSP (CAAR STATE) 1) (NOT (EQUAL (CAR (XOR-BVS (CDR STATE))) 0)) (BVP (CAR STATE)) (NOT (LISTP (CDAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 1) 1)) (EQUAL (CAAR STATE) 0)). This again simplifies, rewriting with NUMBERP-CAR-BV, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE 1) (EQUAL (NUMBER-WITH-AT-LEAST STATE 1 1) 1)) (NOT (EQUAL (CAR (XOR-BVS STATE)) 0))). This simplifies, expanding the functions GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, and EQUAL, to: T. So next consider: (IMPLIES (AND (NOT (EQUAL (CAR (XOR-BVS Z)) 0)) (GOOD-STATE-OF-SIZE Z 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0))), which we named *1.2 above. What luck! This conjecture is subsumed by another subgoal awaiting our attention, namely *1.1 above. So let us turn our attention to: (IMPLIES (AND (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which is formula *1.1 above. Perhaps we can prove it by induction. The recursive terms in the conjecture suggest three inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 1))) (p (CDR Z))) (p Z)) (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 1)) (p (CDR Z))) (p Z)) (IMPLIES (NOT (LISTP Z)) (p Z))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT Z) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates seven new formulas: Case 7. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 1))) (NOT (GOOD-STATE-OF-SIZE (CDR Z) 1)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which simplifies, appealing to the lemmas EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and opening up the definitions of NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, and EQUAL, to: T. Case 6. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 1))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and unfolding NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 5. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 1))) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)). This simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and opening up the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, BVP, NUMBERP, LENGTH, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 4. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 1)) (NOT (GOOD-STATE-OF-SIZE (CDR Z) 1)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which simplifies, applying EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and unfolding NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, and NUMBERP, to: T. Case 3. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 1)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)). This simplifies, rewriting with EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, and EQUAL-LENGTH-1, and expanding NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, NUMBERP, and NUMBER-WITH-AT-LEAST, to: T. Case 2. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 1)) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)), which simplifies, rewriting with EQUAL-BIT-1, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, BITP-CAR, EQUAL-LENGTH-1, and BVP-FIX-XOR-BV-IDENTITY, and expanding the functions NAT-TO-BV, CDR, CAR, LISTP, LESSP-BV, GOOD-STATE-OF-SIZE, NUMBERP, NUMBER-WITH-AT-LEAST, and XOR-BVS, to the following two new goals: Case 2.2. (IMPLIES (AND (LISTP Z) (LISTP (CAR Z)) (LESSP (CAAR Z) 1) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (BVP (CAR Z)) (NOT (LISTP (CDAR Z))) (GOOD-STATE-OF-SIZE (CDR Z) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0) (NOT (LISTP (CDR Z)))) (EQUAL (CAAR Z) 0)). But this again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (NOT (NUMBERP (CAAR Z))) (LISTP Z) (LISTP (CAR Z)) (LESSP (CAAR Z) 1) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (BVP (CAR Z)) (NOT (LISTP (CDAR Z))) (GOOD-STATE-OF-SIZE (CDR Z) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0) (NOT (LISTP (CDR Z)))) (EQUAL (CAAR Z) 0)). However this again simplifies, rewriting with NUMBERP-CAR-BV, to: T. Case 2.1. (IMPLIES (AND (LISTP Z) (LISTP (CAR Z)) (LESSP (CAAR Z) 1) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (BVP (CAR Z)) (NOT (LISTP (CDAR Z))) (GOOD-STATE-OF-SIZE (CDR Z) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0) (LISTP (CDR Z))) (EQUAL (CAR (XOR-BV (CAR Z) (XOR-BVS (CDR Z)))) 0)). But this again simplifies, appealing to the lemmas LISTP-XOR-BVS, NUMBERP-CAR-BV, COMMUTATIVITY-OF-XOR, and CAR-XOR-BV-BETTER, and expanding LESSP, EQUAL, and XOR, to: (IMPLIES (AND (LISTP Z) (LISTP (CAR Z)) (LESSP (CAAR Z) 1) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (BVP (CAR Z)) (NOT (LISTP (CDAR Z))) (GOOD-STATE-OF-SIZE (CDR Z) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0) (LISTP (CDR Z))) (EQUAL (CAAR Z) 0)). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (NUMBERP (CAAR Z))) (LISTP Z) (LISTP (CAR Z)) (LESSP (CAAR Z) 1) (EQUAL (CAR (XOR-BVS (CDR Z))) 0) (BVP (CAR Z)) (NOT (LISTP (CDAR Z))) (GOOD-STATE-OF-SIZE (CDR Z) 1) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 1) 0) (LISTP (CDR Z))) (EQUAL (CAAR Z) 0)). But this again simplifies, rewriting with NUMBERP-CAR-BV, to: T. Case 1. (IMPLIES (AND (NOT (LISTP Z)) (GOOD-STATE-OF-SIZE Z 1) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 1) 0)) (EQUAL (CAR (XOR-BVS Z)) 0)). This simplifies, expanding GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, XOR-BVS, and CAR, to: T. That finishes the proof of *1.1, which also finishes the proof of *1. Q.E.D. [ 0.0 1.6 0.1 ] ALL-ZEROS-XOR-BVS-WHEN-LONE-BIG-SIMPLE (PROVE-LEMMA PLUS-EXP-2-X-EXP-2-X (REWRITE) (EQUAL (PLUS (EXP 2 X) (EXP 2 X)) (EXP 2 (ADD1 X)))) WARNING: the previously added lemma, COMMUTATIVITY-OF-PLUS, could be applied whenever the newly proposed PLUS-EXP-2-X-EXP-2-X could! This formula simplifies, rewriting with the lemmas TIMES-1-ARG1 and EXP-ADD1, and expanding SUB1, NUMBERP, EQUAL, and TIMES, to: T. Q.E.D. [ 0.0 0.0 0.0 ] PLUS-EXP-2-X-EXP-2-X (PROVE-LEMMA LESSP-EXP-EXP (REWRITE) (EQUAL (LESSP (EXP X Y) (EXP X Z)) (IF (ZEROP X) (AND (NOT (ZEROP Y)) (ZEROP Z)) (AND (NOT (EQUAL X 1)) (LESSP Y Z))))) This simplifies, expanding ZEROP, NOT, and AND, to 12 new formulas: Case 12.(IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL X 1)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, applying EXP-1-ARG1, and unfolding EQUAL, NUMBERP, and LESSP, to: T. Case 11.(IMPLIES (AND (NOT (NUMBERP X)) (EQUAL Y 0)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)). But this again simplifies, rewriting with the lemma EXP-0-ARG2, and opening up the definitions of TIMES and EXP, to three new formulas: Case 11.3. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (NOT (LESSP 1 0))), which again simplifies, using linear arithmetic, to: T. Case 11.2. (IMPLIES (AND (NOT (NUMBERP X)) (EQUAL Z 0)) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 11.1. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Z))) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 10.(IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Y))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, applying EXP-ZERO, and expanding the functions ZEROP, TIMES, and EXP, to the following three new goals: Case 10.3. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Y)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (NOT (LESSP 1 0))). This again simplifies, using linear arithmetic, to: T. Case 10.2. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Y)) (EQUAL Z 0)) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 10.1. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (NUMBERP Y)) (NOT (NUMBERP Z))) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 9. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, unfolding the definitions of TIMES, EXP, EQUAL, and LESSP, to: T. Case 8. (IMPLIES (AND (EQUAL X 0) (EQUAL Y 0)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, applying EXP-0-ARG1, and opening up the function EXP, to the following three new conjectures: Case 8.3. (IMPLIES (AND (NOT (EQUAL Z 0)) (NUMBERP Z)) (NOT (LESSP 1 0))). But this again simplifies, using linear arithmetic, to: T. Case 8.2. (IMPLIES (EQUAL Z 0) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 8.1. (IMPLIES (NOT (NUMBERP Z)) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 7. (IMPLIES (AND (EQUAL X 0) (NOT (NUMBERP Y))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, applying EXP-0-ARG1, to the following three new formulas: Case 7.3. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (NOT (LESSP 1 0))). This again simplifies, using linear arithmetic, to: T. Case 7.2. (IMPLIES (AND (NOT (NUMBERP Y)) (EQUAL Z 0)) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 7.1. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (NUMBERP Z))) (NOT (LESSP 1 1))), which again simplifies, using linear arithmetic, to: T. Case 6. (IMPLIES (AND (EQUAL X 0) (NOT (EQUAL Z 0)) (NUMBERP Z)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) F)), which again simplifies, rewriting with EXP-0-ARG1, and unfolding EQUAL and LESSP, to: T. Case 5. (IMPLIES (AND (EQUAL X 0) (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (NUMBERP Z))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) T)). This again simplifies, applying EXP-0-ARG1, and opening up the functions LESSP and EQUAL, to: T. Case 4. (IMPLIES (AND (EQUAL X 0) (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL Z 0)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) T)). However this again simplifies, applying the lemma EXP-0-ARG1, and opening up the functions EXP, LESSP, and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (NUMBERP Z))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) T)), which again simplifies, applying EXP-ZERO, and expanding TIMES, EXP, ZEROP, LESSP, and EQUAL, to: T. Case 2. (IMPLIES (AND (NOT (NUMBERP X)) (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL Z 0)) (EQUAL (LESSP (EXP X Y) (EXP X Z)) T)). This again simplifies, rewriting with EXP-0-ARG2, and unfolding TIMES, EXP, LESSP, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) (LESSP Y Z))). Name the above subgoal *1. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP Y) (p X Y Z)) (IMPLIES (AND (NOT (ZEROP Y)) (p X (SUB1 Y) (SUB1 Z))) (p X Y Z))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT Y) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for Z. The above induction scheme generates the following two new conjectures: Case 2. (IMPLIES (AND (ZEROP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) (LESSP Y Z))). This simplifies, applying the lemmas EXP-0-ARG2 and EXP-ZERO, and expanding ZEROP, EXP, EQUAL, and LESSP, to the following six new goals: Case 2.6. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (EQUAL (LESSP 1 (TIMES X (EXP X (SUB1 Z)))) (NUMBERP Z))). But this again simplifies, applying EQUAL-EXP-0 and LESSP-1-TIMES, and unfolding the definition of EQUAL, to: T. Case 2.5. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (EQUAL Z 0)) (NOT (NUMBERP Z))) (EQUAL (LESSP 1 1) (NUMBERP Z))). But this again simplifies, opening up the functions LESSP and EQUAL, to: T. Case 2.4. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (EQUAL Z 0)) (EQUAL (LESSP 1 1) F)), which again simplifies, opening up LESSP and EQUAL, to: T. Case 2.3. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (EQUAL (LESSP 1 (TIMES X (EXP X (SUB1 Z)))) (NUMBERP Z))), which again simplifies, applying the lemmas EQUAL-EXP-0 and LESSP-1-TIMES, and opening up the function EQUAL, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (EQUAL Z 0)) (NOT (NUMBERP Z))) (EQUAL (LESSP 1 1) (NUMBERP Z))), which again simplifies, expanding the functions LESSP and EQUAL, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (EQUAL Z 0)) (EQUAL (LESSP 1 1) F)), which again simplifies, expanding the definitions of LESSP and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP Y)) (EQUAL (LESSP (EXP X (SUB1 Y)) (EXP X (SUB1 Z))) (LESSP (SUB1 Y) (SUB1 Z))) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1))) (EQUAL (LESSP (EXP X Y) (EXP X Z)) (LESSP Y Z))), which simplifies, opening up the functions ZEROP, EXP, and LESSP, to three new goals: Case 1.3. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (LESSP (EXP X (SUB1 Y)) (EXP X (SUB1 Z))) (LESSP (SUB1 Y) (SUB1 Z))) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (EQUAL Z 0)) (NUMBERP Z)) (EQUAL (LESSP (TIMES X (EXP X (SUB1 Y))) (TIMES X (EXP X (SUB1 Z)))) (LESSP (SUB1 Y) (SUB1 Z)))), which again simplifies, rewriting with CORRECTNESS-OF-CANCEL-LESSP-TIMES, and unfolding the definitions of ZEROP, NOT, FIX, and AND, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (LESSP (EXP X (SUB1 Y)) (EXP X (SUB1 Z))) (LESSP (SUB1 Y) (SUB1 Z))) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (EQUAL Z 0)) (EQUAL (LESSP (TIMES X (EXP X (SUB1 Y))) 1) F)). This again simplifies, applying EXP-0-ARG2 and LESSP-TIMES2, and opening up SUB1, EQUAL, and LESSP, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (LESSP (EXP X (SUB1 Y)) (EXP X (SUB1 Z))) (LESSP (SUB1 Y) (SUB1 Z))) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 1)) (NOT (NUMBERP Z))) (EQUAL (LESSP (TIMES X (EXP X (SUB1 Y))) 1) F)). But this again simplifies, using linear arithmetic, rewriting with EQUAL-EXP-0 and LESSP-TIMES2, and opening up EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] LESSP-EXP-EXP (PROVE-LEMMA NAT-TO-BV-EXP (REWRITE) (IMPLIES (NOT (LESSP N SIZE)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE)))) This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up TIMES, EQUAL, NUMBERP, SUB1, and EXP, to three new conjectures: Case 3. (IMPLIES (AND (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))), which we will name *1. Case 2. (IMPLIES (AND (NOT (LESSP N SIZE)) (EQUAL N 0)) (EQUAL (NAT-TO-BV 1 SIZE) (ALL-ONES SIZE))). But this again simplifies, applying EXP-ZERO and NAT-TO-BV-IS-ALL-ONES, and expanding the functions EQUAL, LESSP, NAT-TO-BV, ALL-ONES, and ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (LESSP N SIZE)) (NOT (NUMBERP N))) (EQUAL (NAT-TO-BV 1 SIZE) (ALL-ONES SIZE))). But this again simplifies, rewriting with EXP-ZERO and NAT-TO-BV-IS-ALL-ONES, and expanding the functions LESSP, NAT-TO-BV, ALL-ONES, EQUAL, and ZEROP, to: T. So let us turn our attention to: (IMPLIES (AND (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))), which we named *1 above. We will appeal to induction. The recursive terms in the conjecture suggest five inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (p N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (SUB1 N) (SUB1 SIZE))) (p N SIZE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT establish that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for SIZE. The above induction scheme generates the following five new goals: Case 5. (IMPLIES (AND (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))). This simplifies, appealing to the lemmas LESSP-TIMES2, EQUAL-EXP-0, NAT-TO-BV-IS-ALL-ONES, and EXP-ZERO, and expanding the functions NOT, OR, EQUAL, LESSP, EXP, NUMBERP, ALL-ONES, and ZEROP, to: T. Case 4. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))). This simplifies, unfolding the definitions of NOT and OR, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) (SUB1 SIZE)) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))). This simplifies, using linear arithmetic, to the new goal: (IMPLIES (AND (LESSP SIZE 1) (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (LESSP (SUB1 N) (SUB1 SIZE)) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))), which again simplifies, opening up the functions SUB1, NUMBERP, EQUAL, LESSP, NOT, and OR, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (EQUAL (SUB1 N) 0) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))), which simplifies, using linear arithmetic, rewriting with EQUAL-SUB1-0, LESSP-X-EXP-X-Y, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, TIMES-1-ARG1, and NAT-TO-BV-IS-ALL-ONES, and unfolding the definitions of NOT, OR, EQUAL, NUMBERP, EXP, LESSP, SUB1, TIMES, and ALL-ONES, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (EQUAL (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP N SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (EXP 2 N) SIZE) (ALL-ONES SIZE))). This simplifies, applying PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and expanding the definitions of NOT, OR, LESSP, EXP, SUB1, NUMBERP, EQUAL, TIMES, and ALL-ONES, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP (SUB1 N) (SUB1 SIZE))) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) SIZE) (CONS 1 (ALL-ONES (SUB1 SIZE))))). However this further simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-SUB1-0, and expanding TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, NAT-TO-BV, ALL-ONES, and CONS, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 1)) (EQUAL (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP (SUB1 N) (SUB1 SIZE))) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) SIZE) (CONS 1 (ALL-ONES (SUB1 SIZE))))). Applying the lemma SUB1-ELIM, replace N by (ADD1 X) to eliminate (SUB1 N). We employ the type restriction lemma noted when SUB1 was introduced to restrict the new variable. We thus obtain: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL (ADD1 X) 1)) (EQUAL (NAT-TO-BV (EXP 2 X) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP X (SUB1 SIZE))) (NOT (EQUAL (ADD1 X) 0))) (EQUAL (NAT-TO-BV (TIMES 2 (EXP 2 X)) SIZE) (CONS 1 (ALL-ONES (SUB1 SIZE))))), which further simplifies, rewriting with ADD1-EQUAL, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EXP-ADD1, and expanding the definitions of NUMBERP, TIMES, EQUAL, SUB1, and EXP, to: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL X 0)) (EQUAL (NAT-TO-BV (EXP 2 X) (SUB1 SIZE)) (ALL-ONES (SUB1 SIZE))) (NOT (LESSP X (SUB1 SIZE)))) (EQUAL (NAT-TO-BV (TIMES 2 (EXP 2 X)) SIZE) (CONS 1 (ALL-ONES (SUB1 SIZE))))). Applying the lemma SUB1-ELIM, replace SIZE by (ADD1 Z) to eliminate (SUB1 SIZE). We employ the type restriction lemma noted when SUB1 was introduced to restrict the new variable. This produces the new conjecture: (IMPLIES (AND (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) 0)) (NOT (EQUAL X 0)) (EQUAL (NAT-TO-BV (EXP 2 X) Z) (ALL-ONES Z)) (NOT (LESSP X Z))) (EQUAL (NAT-TO-BV (TIMES 2 (EXP 2 X)) (ADD1 Z)) (CONS 1 (ALL-ONES Z)))), which finally simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-EXP-EXP, NAT-TO-BV-IS-ALL-ONES, EXP-ADD1, CORRECTNESS-OF-CANCEL-LESSP-TIMES, and SUB1-ADD1, and expanding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, AND, FIX, NOT, ZEROP, and ALL-ONES, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.5 0.0 ] NAT-TO-BV-EXP (PROVE-LEMMA BV-TO-NAT-ALL-ZEROS (REWRITE) (IMPLIES (BVP BV) (EQUAL (EQUAL (BV-TO-NAT BV) 0) (ALL-ZEROS BV)))) This formula simplifies, trivially, to two new conjectures: Case 2. (IMPLIES (AND (BVP BV) (NOT (EQUAL (BV-TO-NAT BV) 0))) (NOT (ALL-ZEROS BV))), which we will name *1. Case 1. (IMPLIES (AND (BVP BV) (EQUAL (BV-TO-NAT BV) 0)) (EQUAL (ALL-ZEROS BV) T)). This again simplifies, obviously, to the new formula: (IMPLIES (AND (BVP BV) (EQUAL (BV-TO-NAT BV) 0)) (ALL-ZEROS BV)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (BVP BV) (EQUAL (EQUAL (BV-TO-NAT BV) 0) (ALL-ZEROS BV))). We named this *1. We will try to prove it by induction. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP BV) (p (CDR BV))) (p BV)) (IMPLIES (NOT (LISTP BV)) (p BV))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces three new goals: Case 3. (IMPLIES (AND (LISTP BV) (NOT (BVP (CDR BV))) (BVP BV)) (EQUAL (EQUAL (BV-TO-NAT BV) 0) (ALL-ZEROS BV))), which simplifies, opening up the functions BVP and BITP, to: T. Case 2. (IMPLIES (AND (LISTP BV) (EQUAL (EQUAL (BV-TO-NAT (CDR BV)) 0) (ALL-ZEROS (CDR BV))) (BVP BV)) (EQUAL (EQUAL (BV-TO-NAT BV) 0) (ALL-ZEROS BV))), which simplifies, rewriting with TIMES-1-ARG1, COMMUTATIVITY-OF-PLUS, EQUAL-PLUS-0, PLUS-ZERO-ARG2, and EQUAL-EXP-0, and opening up the functions BVP, BITP, BV-TO-NAT, ALL-ZEROS, EQUAL, TIMES, PLUS, ZEROP, and NUMBERP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP BV)) (BVP BV)) (EQUAL (EQUAL (BV-TO-NAT BV) 0) (ALL-ZEROS BV))). This simplifies, unfolding the functions BVP, BV-TO-NAT, EQUAL, and ALL-ZEROS, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 2.4 0.0 ] BV-TO-NAT-ALL-ZEROS (PROVE-LEMMA LESSP-BV-TO-NAT-1 (REWRITE) (IMPLIES (BVP BV) (EQUAL (LESSP (BV-TO-NAT BV) 1) (ALL-ZEROS BV)))) Give the conjecture the name *1. We will appeal to induction. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP BV) (p (CDR BV))) (p BV)) (IMPLIES (NOT (LISTP BV)) (p BV))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT BV) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following three new formulas: Case 3. (IMPLIES (AND (LISTP BV) (NOT (BVP (CDR BV))) (BVP BV)) (EQUAL (LESSP (BV-TO-NAT BV) 1) (ALL-ZEROS BV))). This simplifies, opening up BVP and BITP, to: T. Case 2. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP (BV-TO-NAT (CDR BV)) 1) (ALL-ZEROS (CDR BV))) (BVP BV)) (EQUAL (LESSP (BV-TO-NAT BV) 1) (ALL-ZEROS BV))). This simplifies, applying the lemmas TIMES-1-ARG1 and COMMUTATIVITY-OF-PLUS, and unfolding the definitions of BVP, BITP, BV-TO-NAT, ALL-ZEROS, EQUAL, TIMES, and PLUS, to the new goal: (IMPLIES (AND (LISTP BV) (EQUAL (LESSP (BV-TO-NAT (CDR BV)) 1) (ALL-ZEROS (CDR BV))) (EQUAL (CAR BV) 1) (BVP (CDR BV))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR BV)) (EXP 2 (LENGTH (CDR BV)))) 1))), which again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-LENGTH-0, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to the following two new conjectures: Case 2.2. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP (BV-TO-NAT (CDR BV)) 1) (ALL-ZEROS (CDR BV))) (EQUAL (CAR BV) 1) (BVP (CDR BV)) (NOT (LISTP (CDR BV)))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR BV)) 1) 1))). However this again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (LISTP BV) (EQUAL (LESSP (BV-TO-NAT (CDR BV)) 1) (ALL-ZEROS (CDR BV))) (EQUAL (CAR BV) 1) (BVP (CDR BV)) (LISTP (CDR BV))) (NOT (LESSP (PLUS (BV-TO-NAT (CDR BV)) (EXP 2 (LENGTH (CDR BV)))) 1))), which again simplifies, using linear arithmetic, rewriting with the lemmas LESSP-BV-LENGTH, EQUAL-LENGTH-0, SUB1-ADD1, SILLY-LISTP-CDR, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and opening up the functions EXP, LESSP, EQUAL, NUMBERP, SUB1, LENGTH, and TIMES, to: T. Case 1. (IMPLIES (AND (NOT (LISTP BV)) (BVP BV)) (EQUAL (LESSP (BV-TO-NAT BV) 1) (ALL-ZEROS BV))), which simplifies, opening up BVP, BV-TO-NAT, LESSP, ALL-ZEROS, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 2.0 0.0 ] LESSP-BV-TO-NAT-1 (PROVE-LEMMA CAR-NAT-TO-BV-EXP (REWRITE) (IMPLIES (LESSP N SIZE) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0)))) This simplifies, applying TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, and EXP, to the following six new conjectures: Case 6. (IMPLIES (AND (LESSP N SIZE) (NOT (EQUAL (ADD1 N) SIZE)) (NOT (EQUAL N 0)) (NUMBERP N)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) 0)). Call the above conjecture *1. Case 5. (IMPLIES (AND (LESSP N SIZE) (NOT (EQUAL (ADD1 N) SIZE)) (EQUAL N 0)) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). However this again simplifies, expanding the functions EQUAL and LESSP, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (LESSP N SIZE) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))). We gave this the name *1 above. Perhaps we can prove it by induction. Four inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (p N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p N SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (p (SUB1 N) (SUB1 SIZE))) (p N SIZE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT inform us that the measure (COUNT N) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for SIZE. The above induction scheme produces the following four new goals: Case 4. (IMPLIES (AND (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (LESSP N SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))). This simplifies, opening up NOT, OR, EQUAL, and LESSP, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL N 0) (NOT (NUMBERP N))) (LESSP N SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))). This simplifies, appealing to the lemmas EXP-ZERO and SUB1-TYPE-RESTRICTION, and unfolding NOT, OR, EQUAL, LESSP, EXP, ADD1, and ZEROP, to the following four new formulas: Case 3.4. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL N 0) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). This again simplifies, trivially, to the new conjecture: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which we will name *1.1. Case 3.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (EQUAL N 0) (EQUAL 1 SIZE)) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 1)). But this again simplifies, opening up the functions EQUAL, NUMBERP, NAT-TO-BV, and CAR, to: T. Case 3.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (NUMBERP N)) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which has an irrelevant term in it. By eliminating the term we get: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which we will name *1.2. Case 3.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (NUMBERP N)) (EQUAL 1 SIZE)) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 1)). But this again simplifies, opening up the functions EQUAL, NUMBERP, NAT-TO-BV, and CAR, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (LESSP (SUB1 N) (SUB1 SIZE))) (LESSP N SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))), which simplifies, using linear arithmetic, to: (IMPLIES (AND (LESSP N 1) (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (NOT (LESSP (SUB1 N) (SUB1 SIZE))) (LESSP N SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))). This again simplifies, opening up SUB1, NUMBERP, EQUAL, LESSP, NOT, and OR, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL N 0) (NOT (NUMBERP N)))) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE))) (IF (EQUAL (ADD1 (SUB1 N)) (SUB1 SIZE)) 1 0)) (LESSP N SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 N) SIZE)) (IF (EQUAL (ADD1 N) SIZE) 1 0))), which simplifies, applying the lemmas ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, TIMES-1-ARG1, DIFFERENCE-X-X, EQUAL-EXP-0, CORRECTNESS-OF-CANCEL-LESSP-TIMES, and CAR-CONS, and expanding the definitions of NOT, OR, LESSP, EXP, SUB1, NUMBERP, EQUAL, TIMES, AND, ZEROP, and NAT-TO-BV, to three new conjectures: Case 1.3. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N (SUB1 SIZE))) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE))) 0) (LESSP (SUB1 N) (SUB1 SIZE)) (NOT (EQUAL (ADD1 N) SIZE))) (EQUAL (CAR (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) SIZE)) 0)), which further simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-SUB1-0, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, and ADD1, to the following two new formulas: Case 1.3.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N (SUB1 SIZE))) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE))) 0) (LESSP (SUB1 N) (SUB1 SIZE)) (NOT (EQUAL (ADD1 N) SIZE))) (EQUAL (CAR (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) SIZE)) 0)). Appealing to the lemma SUB1-ELIM, we now replace SIZE by (ADD1 X) to eliminate (SUB1 SIZE). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. The result is the goal: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N X)) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) X)) 0) (LESSP (SUB1 N) X) (NOT (EQUAL (ADD1 N) (ADD1 X)))) (EQUAL (CAR (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) (ADD1 X))) 0)). But this further simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-SUB1-0, ADD1-EQUAL, and SUB1-ADD1, and unfolding TIMES, EQUAL, NUMBERP, SUB1, EXP, and NAT-TO-BV, to the following two new conjectures: Case 1.3.2.2. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N X)) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) X)) 0) (LESSP (SUB1 N) X) (NOT (LESSP (TIMES 2 (EXP 2 (SUB1 N))) (EXP 2 X)))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE (TIMES 2 (EXP 2 (SUB1 N))) (EXP 2 X)) X))) 0)). However this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-SUB1-0, CAR-CONS, EQUAL-EXP-0, LESSP-TIMES1, EQUAL-TIMES-0, and DIFFERENCE-ADD1-ARG2, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, DIFFERENCE, NAT-TO-BV, CONS, and CAR, to the following two new formulas: Case 1.3.2.2.2. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N X)) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) X)) 0) (LESSP (SUB1 N) X) (NOT (EQUAL X 0))) (LESSP (TIMES 2 (EXP 2 (SUB1 N))) (EXP 2 X))). Appealing to the lemma SUB1-ELIM, we now replace N by (ADD1 Z) to eliminate (SUB1 N). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. We must thus prove: (IMPLIES (AND (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) 0)) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL (ADD1 Z) 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 Z) X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (TIMES 2 (EXP 2 Z)) (EXP 2 X))). This further simplifies, rewriting with ADD1-EQUAL, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EXP-ADD1, and expanding NUMBERP, TIMES, EQUAL, SUB1, and EXP, to: (IMPLIES (AND (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV (EXP 2 Z) X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (TIMES 2 (EXP 2 Z)) (EXP 2 X))), which we generalize by replacing (EXP 2 Z) by Y. We restrict the new variable by recalling the type restriction lemma noted when EXP was introduced. We thus obtain: (IMPLIES (AND (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (TIMES 2 Y) (EXP 2 X))), which further simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up the functions SUB1, NUMBERP, EQUAL, TIMES, and EXP, to: (IMPLIES (AND (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which we will finally name *1.3. Case 1.3.2.2.1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N X)) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) X)) 0) (LESSP (SUB1 N) X) (EQUAL X 0)) (LESSP (TIMES 2 (EXP 2 (SUB1 N))) 1)). But this finally simplifies, using linear arithmetic, to: T. Case 1.3.2.1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N X)) (NOT (EQUAL N 1)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) X)) 0) (LESSP (SUB1 N) X) (LESSP (TIMES 2 (EXP 2 (SUB1 N))) (EXP 2 X))) (EQUAL (CAR (CONS 0 (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) X))) 0)), which again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-SUB1-0, CAR-CONS, LESSP-TIMES2, EQUAL-EXP-0, and NAT-TO-BV-IS-ALL-ONES, and opening up the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, ALL-ONES, CONS, and CAR, to: T. Case 1.3.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N (SUB1 SIZE))) (EQUAL N 1) (EQUAL (CAR (NAT-TO-BV 1 (SUB1 SIZE))) 0) (NOT (EQUAL SIZE 1)) (NOT (EQUAL 2 SIZE))) (EQUAL (CAR (NAT-TO-BV 2 SIZE)) 0)). However this again simplifies, unfolding EQUAL and NUMBERP, to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 (SUB1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 (SUB1 SIZE))) 0) (NOT (EQUAL SIZE 1)) (NOT (EQUAL 2 SIZE))) (EQUAL (CAR (NAT-TO-BV 2 SIZE)) 0)). Appealing to the lemma SUB1-ELIM, we now replace SIZE by (ADD1 X) to eliminate (SUB1 SIZE). We employ the type restriction lemma noted when SUB1 was introduced to constrain the new variable. This generates: (IMPLIES (AND (NUMBERP X) (NOT (EQUAL (ADD1 X) 0)) (NOT (EQUAL 1 X)) (EQUAL (CAR (NAT-TO-BV 1 X)) 0) (NOT (EQUAL (ADD1 X) 1)) (NOT (EQUAL 2 (ADD1 X)))) (EQUAL (CAR (NAT-TO-BV 2 (ADD1 X))) 0)). This further simplifies, rewriting with ADD1-EQUAL, LESSP-X-EXP-X-Y, and SUB1-ADD1, and expanding the definitions of NUMBERP, LESSP, EQUAL, and NAT-TO-BV, to the following two new formulas: Case 1.3.1.2. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL 1 X)) (EQUAL (CAR (NAT-TO-BV 1 X)) 0) (NOT (EQUAL X 0)) (NOT (LESSP 1 X))) (EQUAL (CAR (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 X)) X))) 0)). This finally simplifies, using linear arithmetic, to: T. Case 1.3.1.1. (IMPLIES (AND (NUMBERP X) (NOT (EQUAL 1 X)) (EQUAL (CAR (NAT-TO-BV 1 X)) 0) (NOT (EQUAL X 0)) (LESSP 1 X)) (EQUAL (CAR (CONS 0 (NAT-TO-BV 2 X))) 0)), which finally simplifies, rewriting with CAR-CONS, and unfolding the function EQUAL, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL N (SUB1 SIZE))) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE))) 0) (LESSP (SUB1 N) (SUB1 SIZE)) (EQUAL (ADD1 N) SIZE)) (EQUAL (CAR (NAT-TO-BV (TIMES 2 (EXP 2 (SUB1 N))) SIZE)) 1)). This again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL N (SUB1 SIZE)) (EQUAL (CAR (NAT-TO-BV (EXP 2 (SUB1 N)) (SUB1 SIZE))) 1) (LESSP (SUB1 N) (SUB1 SIZE))) (EQUAL (ADD1 N) SIZE)), which again simplifies, using linear arithmetic, to: T. So let us turn our attention to: (IMPLIES (AND (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which is formula *1.3 above. We will try to prove it by induction. The recursive terms in the conjecture suggest five inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (ZEROP X) (p Y X Z)) (IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (p Y (SUB1 X) (SUB1 Z))) (p Y X Z)) (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (p (DIFFERENCE Y (EXP 2 (SUB1 X))) (SUB1 X) (SUB1 Z))) (p Y X Z))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for Z and Y. The above induction scheme leads to 13 new goals: Case 13.(IMPLIES (AND (ZEROP X) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, expanding ZEROP, to: T. Case 12.(IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (EQUAL (ADD1 (SUB1 Z)) (SUB1 X)) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, using linear arithmetic, to: T. Case 11.(IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (EQUAL (SUB1 Z) 0) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, rewriting with EQUAL-SUB1-0, CAR-CONS, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and opening up ZEROP, NUMBERP, ADD1, EQUAL, NAT-TO-BV, SUB1, LESSP, EXP, and TIMES, to the new goal: (IMPLIES (AND (LESSP Y (EXP 2 (SUB1 X))) (EQUAL Z 1) (NUMBERP Y) (NUMBERP X) (NOT (EQUAL 2 X)) (NOT (EQUAL X 1)) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (TIMES 2 (EXP 2 (SUB1 X))))), which again simplifies, using linear arithmetic, to: T. Case 10.(IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (NOT (EQUAL (CAR (NAT-TO-BV Y (SUB1 X))) 0)) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, rewriting with the lemmas CAR-CONS, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and unfolding the definitions of ZEROP, NAT-TO-BV, EQUAL, LESSP, EXP, SUB1, NUMBERP, and TIMES, to the goal: (IMPLIES (AND (LESSP Y (EXP 2 (SUB1 X))) (NOT (EQUAL (CAR (NAT-TO-BV Y (SUB1 X))) 0)) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (LESSP (SUB1 Z) (SUB1 X)) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (TIMES 2 (EXP 2 (SUB1 X))))). However this again simplifies, using linear arithmetic, to: T. Case 9. (IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (NOT (LESSP (SUB1 Z) (SUB1 X))) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, using linear arithmetic, to: T. Case 8. (IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (EQUAL (SUB1 X) 0) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, using linear arithmetic, to: T. Case 7. (IMPLIES (AND (NOT (ZEROP X)) (LESSP Y (EXP 2 (SUB1 X))) (LESSP (PLUS Y Y) (EXP 2 (SUB1 X))) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, applying CAR-CONS, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, TIMES-1-ARG1, and LESSP-TIMES1, and opening up the definitions of ZEROP, NAT-TO-BV, EQUAL, LESSP, EXP, SUB1, NUMBERP, and TIMES, to: T. Case 6. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (EQUAL (ADD1 (SUB1 Z)) (SUB1 X)) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))). This simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (EQUAL (SUB1 Z) 0) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))). This simplifies, rewriting with the lemmas EQUAL-SUB1-0 and CAR-CONS, and expanding the functions ZEROP, NUMBERP, ADD1, EQUAL, and NAT-TO-BV, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (NOT (EQUAL (CAR (NAT-TO-BV (DIFFERENCE Y (EXP 2 (SUB1 X))) (SUB1 X))) 0)) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))). This simplifies, rewriting with CAR-CONS, and unfolding the functions ZEROP, NAT-TO-BV, and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (NOT (LESSP (SUB1 Z) (SUB1 X))) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (EQUAL (SUB1 X) 0) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP X)) (NOT (LESSP Y (EXP 2 (SUB1 X)))) (LESSP (PLUS (DIFFERENCE Y (EXP 2 (SUB1 X))) (DIFFERENCE Y (EXP 2 (SUB1 X)))) (EXP 2 (SUB1 X))) (NUMBERP Y) (NUMBERP Z) (NUMBERP X) (NOT (EQUAL (ADD1 Z) X)) (NOT (EQUAL Z 0)) (EQUAL (CAR (NAT-TO-BV Y X)) 0) (LESSP Z X) (NOT (EQUAL X 0))) (LESSP (PLUS Y Y) (EXP 2 X))), which simplifies, appealing to the lemmas PLUS-DIFFERENCE-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, TIMES-1-ARG1, DIFFERENCE-DIFFERENCE-ARG1, PLUS-DIFFERENCE-ARG2, and CAR-CONS, and expanding the definitions of ZEROP, EXP, SUB1, NUMBERP, EQUAL, TIMES, PLUS, and NAT-TO-BV, to: T. That finishes the proof of *1.3. So let us turn our attention to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which is formula *1.2 above. You probably did not notice, but this conjecture is subsumed by another subgoal awaiting our attention, namely *1.1 above. So we now return to: (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which is formula *1.1 above. We will try to prove it by induction. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP SIZE) (p SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP 1 (EXP 2 (SUB1 SIZE))) (p (SUB1 SIZE))) (p SIZE)) (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP 1 (EXP 2 (SUB1 SIZE)))) (p (SUB1 SIZE))) (p SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP can be used to establish that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to the following seven new goals: Case 7. (IMPLIES (AND (ZEROP SIZE) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). This simplifies, unfolding the definition of ZEROP, to: T. Case 6. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP 1 (EXP 2 (SUB1 SIZE))) (EQUAL (SUB1 SIZE) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). This simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP 1 (EXP 2 (SUB1 SIZE))) (EQUAL 1 (SUB1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). This simplifies, rewriting with the lemma CAR-CONS, and opening up the functions ZEROP, EXP, LESSP, NAT-TO-BV, and EQUAL, to: T. Case 4. (IMPLIES (AND (NOT (ZEROP SIZE)) (LESSP 1 (EXP 2 (SUB1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 (SUB1 SIZE))) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-SUB1-0, LESSP-1-EXP, and CAR-CONS, and unfolding the definitions of ZEROP, TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, and NAT-TO-BV, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP 1 (EXP 2 (SUB1 SIZE)))) (EQUAL (SUB1 SIZE) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP 1 (EXP 2 (SUB1 SIZE)))) (EQUAL 1 (SUB1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which simplifies, unfolding ZEROP, EXP, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP SIZE)) (NOT (LESSP 1 (EXP 2 (SUB1 SIZE)))) (EQUAL (CAR (NAT-TO-BV 1 (SUB1 SIZE))) 0) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (EQUAL 1 SIZE))) (EQUAL (CAR (NAT-TO-BV 1 SIZE)) 0)), which simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-SUB1-0, and LESSP-1-EXP, and expanding ZEROP, TIMES, EQUAL, NUMBERP, SUB1, EXP, and LESSP, to: T. That finishes the proof of *1.1, which, in turn, also finishes the proof of *1. Q.E.D. [ 0.0 1.3 0.1 ] CAR-NAT-TO-BV-EXP (DISABLE EQUAL-BITP-SIMPLIFY) [ 0.0 0.0 0.0 ] EQUAL-BITP-SIMPLIFY-OFF1 (DISABLE ALL-ZEROS-XOR-BVS-WHEN-LONE-BIG-SIMPLE) [ 0.0 0.0 0.0 ] ALL-ZEROS-XOR-BVS-WHEN-LONE-BIG-SIMPLE-OFF (DISABLE HIGH-BIT-ON-REASONABLE) [ 0.0 0.0 0.0 ] HIGH-BIT-ON-REASONABLE-OFF (DISABLE FIND-HIGH-OUT-OF-SYNC-REASONABLE) [ 0.0 0.0 0.0 ] FIND-HIGH-OUT-OF-SYNC-REASONABLE-OFF (PROVE-LEMMA ALL-ZEROS-FIRSTN-DIFFERENCE (REWRITE) (IMPLIES (AND (BVP X) (EQUAL (LENGTH X) SIZE) (LESSP N SIZE)) (EQUAL (LESSP-BV X (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN X (DIFFERENCE SIZE N))))) ((INDUCT (LESSP-BV-RECURSION X SIZE)))) This formula can be simplified, using the abbreviations ZEROP, IMPLIES, NOT, OR, and AND, to the following two new conjectures: Case 2. (IMPLIES (AND (ZEROP SIZE) (BVP X) (EQUAL (LENGTH X) SIZE) (LESSP N SIZE)) (EQUAL (LESSP-BV X (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN X (DIFFERENCE SIZE N))))). This simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-LENGTH, and unfolding the function ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (IMPLIES (AND (BVP (CDR X)) (EQUAL (LENGTH (CDR X)) (SUB1 SIZE)) (LESSP N (SUB1 SIZE))) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (SUB1 SIZE))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (SUB1 SIZE) N))))) (BVP X) (EQUAL (LENGTH X) SIZE) (LESSP N SIZE)) (EQUAL (LESSP-BV X (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN X (DIFFERENCE SIZE N))))), which simplifies, using linear arithmetic, applying the lemmas LESSP-LENGTH, SUB1-ADD1, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, FIRSTN-NOOP, EQUAL-LENGTH-0, DIFFERENCE-LEQ-ARG1, DIFFERENCE-SUB1-ARG2, and EXP-ZERO, and opening up the definitions of LENGTH, AND, TIMES, EQUAL, NUMBERP, SUB1, EXP, IMPLIES, BITP, BVP, NAT-TO-BV, LESSP-BV, DIFFERENCE, LESSP, ALL-ZEROS, ADD1, and ZEROP, to 72 new goals: Case 1.72. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP N 0))), which again simplifies, using linear arithmetic, to: T. Case 1.71. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). This again simplifies, appealing to the lemmas SUB1-ADD1, EQUAL-LENGTH-0, LESSP-LENGTH, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-EXP-EXP, DIFFERENCE-X-X, LESSP-BV-ZERO, CDR-CONS, and CAR-CONS, and opening up the functions LESSP, TIMES, EQUAL, NUMBERP, SUB1, EXP, ZEROP, LESSP-BV, FIRSTN, CONS, and ALL-ZEROS, to: T. Case 1.70. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to the formula: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 (LENGTH (CDR X))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). However this again simplifies, using linear arithmetic, to: T. Case 1.69. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to the formula: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP (EXP 2 (LENGTH (CDR X))) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 (LENGTH (CDR X))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). However this again simplifies, unfolding the functions LENGTH, LESSP, BVP, ADD1, and EQUAL, to: T. Case 1.68. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 (LENGTH (CDR X))) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 (LENGTH (CDR X))) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). This again simplifies, expanding the functions LENGTH, LESSP, BVP, ADD1, and EQUAL, to: T. Case 1.67. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.66. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.65. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.64. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.63. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, applying EQUAL-LENGTH-0, and expanding the functions EQUAL and LESSP, to: T. Case 1.62. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). This again simplifies, rewriting with EQUAL-LENGTH-0, and opening up LESSP, to: T. Case 1.61. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). This again simplifies, using linear arithmetic, to: T. Case 1.60. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, appealing to the lemma EQUAL-LENGTH-0, and expanding the functions EQUAL and LESSP, to: T. Case 1.59. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 1.58. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, applying EQUAL-LENGTH-0, and expanding the function LESSP, to: T. Case 1.57. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). This again simplifies, rewriting with the lemmas FIRSTN-NOOP and ALL-ZEROS-LENGTH-1, and unfolding the functions LENGTH, LESSP, BVP, ADD1, LISTP, DIFFERENCE, NAT-TO-BV, CONS, LESSP-BV, CDR, EQUAL, and CAR, to: T. Case 1.56. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, rewriting with FIRSTN-NOOP and ALL-ZEROS-LENGTH-1, and unfolding the definitions of LENGTH, EQUAL, LESSP, BVP, ADD1, NUMBERP, LISTP, DIFFERENCE, NAT-TO-BV, CONS, LESSP-BV, CDR, and CAR, to: T. Case 1.55. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP N 0))). This again simplifies, using linear arithmetic, to: T. Case 1.54. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to the formula: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). However this again simplifies, rewriting with SUB1-ADD1, EQUAL-LENGTH-0, LESSP-LENGTH, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-EXP-EXP, DIFFERENCE-X-X, and CAR-CONS, and expanding the functions LESSP, TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP-BV, FIRSTN, CONS, and ALL-ZEROS, to: T. Case 1.53. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). But this again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP (EXP 2 (LENGTH (CDR X))) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 (LENGTH (CDR X))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). This again simplifies, using linear arithmetic, to: T. Case 1.52. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP (EXP 2 (LENGTH (CDR X))) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 (LENGTH (CDR X))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). But this again simplifies, expanding LENGTH, LESSP, BVP, ADD1, and EQUAL, to: T. Case 1.51. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))), which again simplifies, using linear arithmetic, to the formula: (IMPLIES (AND (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP (LENGTH (CDR X)) (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL (LENGTH (CDR X)) 0)) (NUMBERP (LENGTH (CDR X))) (NOT (LESSP (LENGTH (CDR X)) (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 (LENGTH (CDR X))) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 (LENGTH (CDR X))) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 1)))). This again simplifies, expanding the definitions of LENGTH, LESSP, BVP, ADD1, and EQUAL, to: T. Case 1.50. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.49. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.48. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.47. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.46. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, applying EQUAL-LENGTH-0, and opening up EQUAL and LESSP, to: T. Case 1.45. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). However this again simplifies, rewriting with the lemma EQUAL-LENGTH-0, and expanding the definition of LESSP, to: T. Case 1.44. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 1.43. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, rewriting with EQUAL-LENGTH-0, and expanding the definitions of EQUAL and LESSP, to: T. Case 1.42. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). But this again simplifies, using linear arithmetic, to: T. Case 1.41. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, rewriting with EQUAL-LENGTH-0, and opening up the definition of LESSP, to: T. Case 1.40. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (EQUAL N 0) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))). However this again simplifies, rewriting with the lemmas FIRSTN-NOOP and ALL-ZEROS-LENGTH-1, and expanding the definitions of LENGTH, LESSP, BVP, ADD1, LISTP, DIFFERENCE, NAT-TO-BV, CONS, CAR, LESSP-BV, and EQUAL, to: T. Case 1.39. (IMPLIES (AND (NOT (LESSP N (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (NUMBERP N)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 1 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (LENGTH (CDR X))))))), which again simplifies, applying the lemmas FIRSTN-NOOP and ALL-ZEROS-LENGTH-1, and opening up the functions LENGTH, EQUAL, LESSP, BVP, ADD1, NUMBERP, LISTP, DIFFERENCE, NAT-TO-BV, CONS, CAR, and LESSP-BV, to: T. Case 1.38. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP N 0))), which again simplifies, using linear arithmetic, to: T. Case 1.37. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))), which again simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-IS-ALL-ONES, EQUAL-LENGTH-0, LESSP-BV-ALL-ONES-ARG2, SUB1-ADD1, LESSP-LENGTH, LESSP-EXP-EXP, DIFFERENCE-LEQ-ARG1, LESSP-BV-ZERO, CDR-CONS, and CAR-CONS, and opening up TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, ZEROP, LESSP-BV, ADD1, FIRSTN, CONS, and ALL-ZEROS, to: T. Case 1.36. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))). This again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-BV-NAT-TO-BV, SUB1-ADD1, LESSP-LENGTH, EQUAL-LENGTH-0, LESSP-EXP-EXP, and CAR-CONS, and expanding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, FIX, LESSP, LESSP-BV, FIRSTN, and ALL-ZEROS, to: T. Case 1.35. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))). However this again simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-EXP, DIFFERENCE-LEQ-ARG1, and FIRSTN-NOOP, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LENGTH, ALL-ONES, LESSP-BV, LESSP, and ALL-ZEROS, to: T. Case 1.34. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))). However this again simplifies, using linear arithmetic, applying the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-EXP, DIFFERENCE-LEQ-ARG1, and FIRSTN-NOOP, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LENGTH, ALL-ONES, LESSP-BV, LESSP, and ALL-ZEROS, to: T. Case 1.33. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.32. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.31. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.30. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.29. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP N 0))), which again simplifies, using linear arithmetic, to: T. Case 1.28. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))), which again simplifies, using linear arithmetic, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-IS-ALL-ONES, EQUAL-LENGTH-0, LESSP-BV-ALL-ONES-ARG2, SUB1-ADD1, LESSP-LENGTH, LESSP-EXP-EXP, DIFFERENCE-LEQ-ARG1, and CAR-CONS, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, LESSP-BV, ADD1, FIRSTN, CONS, and ALL-ZEROS, to: T. Case 1.27. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))). This again simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-BV-NAT-TO-BV, SUB1-ADD1, LESSP-LENGTH, EQUAL-LENGTH-0, LESSP-EXP-EXP, CDR-CONS, and CAR-CONS, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, FIX, LESSP, LESSP-BV, FIRSTN, and ALL-ZEROS, to: T. Case 1.26. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))). However this again simplifies, using linear arithmetic, rewriting with the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-EXP, DIFFERENCE-LEQ-ARG1, and FIRSTN-NOOP, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, LENGTH, ALL-ONES, LESSP-BV, LESSP, and ALL-ZEROS, to: T. Case 1.25. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (NOT (LESSP (LENGTH (CDR X)) N)) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X (ADD1 (DIFFERENCE (LENGTH (CDR X)) N)))))), which again simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, NAT-TO-BV-EXP, DIFFERENCE-LEQ-ARG1, and FIRSTN-NOOP, and opening up the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, LENGTH, ALL-ONES, LESSP-BV, LESSP, and ALL-ZEROS, to: T. Case 1.24. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (NOT (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))). However this again simplifies, using linear arithmetic, to: T. Case 1.23. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (LISTP (CDR X)) (LESSP (EXP 2 N) (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.22. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (LESSP (EXP 2 N) 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.21. (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV (EXP 2 N) (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP N (ADD1 (LENGTH (CDR X)))) (LESSP (LENGTH (CDR X)) N) (NOT (LISTP (CDR X))) (NOT (LESSP (EXP 2 N) 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE (EXP 2 N) 1) (LENGTH (CDR X))))) (ALL-ZEROS (FIRSTN X 0)))), which again simplifies, using linear arithmetic, to: T. Case 1.20. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, rewriting with LESSP-BV-LENGTH, EQUAL-LENGTH-0, SUB1-ADD1, SILLY-LISTP-CDR, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and opening up EXP, LESSP, EQUAL, NUMBERP, SUB1, LENGTH, and TIMES, to: T. Case 1.19. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). But this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) 0)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 1)) (NOT (EQUAL 1 0))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). But this again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, and EQUAL-EXP-1, and opening up TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 1.18. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). But this again simplifies, rewriting with FIRSTN-NOOP, and opening up the functions LENGTH, NAT-TO-BV, LESSP-BV, DIFFERENCE, LESSP, ALL-ZEROS, and EQUAL, to: T. Case 1.17. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))))). However this again simplifies, using linear arithmetic, rewriting with the lemmas LESSP-BV-TO-NAT-1, LESSP-BV-NAT-TO-BV, EQUAL-LENGTH-0, FIRSTN-NOOP, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-1-EXP, and CAR-CONS, and expanding the functions FIX, EQUAL, DIFFERENCE, TIMES, NUMBERP, SUB1, EXP, LESSP, and LESSP-BV, to: T. Case 1.16. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 1.15. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))), which again simplifies, using linear arithmetic, applying LESSP-BV-LENGTH, EQUAL-LENGTH-0, SUB1-ADD1, SILLY-LISTP-CDR, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and expanding the functions EXP, LESSP, EQUAL, NUMBERP, SUB1, LENGTH, and TIMES, to: T. Case 1.14. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). However this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) 0)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 1)) (NOT (EQUAL 1 0))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). However this again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, and EQUAL-EXP-1, and opening up TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 1.13. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). This again simplifies, applying the lemma FIRSTN-NOOP, and unfolding LENGTH, NAT-TO-BV, LESSP-BV, DIFFERENCE, LESSP, ALL-ZEROS, and EQUAL, to: T. Case 1.12. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))), which again simplifies, using linear arithmetic, rewriting with LESSP-BV-TO-NAT-1, LESSP-BV-NAT-TO-BV, EQUAL-LENGTH-0, FIRSTN-NOOP, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-1-EXP, CDR-CONS, and CAR-CONS, and opening up the definitions of FIX, EQUAL, DIFFERENCE, TIMES, NUMBERP, SUB1, EXP, LESSP, and LESSP-BV, to: T. Case 1.11. (IMPLIES (AND (EQUAL N 0) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). However this again simplifies, using linear arithmetic, to: T. Case 1.10. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, rewriting with LESSP-BV-LENGTH, EQUAL-LENGTH-0, SUB1-ADD1, SILLY-LISTP-CDR, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and expanding the functions EXP, LESSP, EQUAL, NUMBERP, SUB1, LENGTH, and TIMES, to: T. Case 1.9. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 1)) (NOT (EQUAL 1 0))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). But this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, and EQUAL-EXP-1, and opening up the definitions of TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 1.8. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))))). However this again simplifies, using linear arithmetic, applying DIFFERENCE-LEQ-ARG1 and FIRSTN-NOOP, and expanding the definitions of LENGTH, NAT-TO-BV, LESSP-BV, LESSP, ALL-ZEROS, and EQUAL, to: T. Case 1.7. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))))). However this again simplifies, using linear arithmetic, rewriting with LESSP-BV-TO-NAT-1, LESSP-BV-NAT-TO-BV, EQUAL-LENGTH-0, FIRSTN-NOOP, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-1-EXP, and CAR-CONS, and expanding FIX, DIFFERENCE, TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, and LESSP-BV, to: T. Case 1.6. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))))). However this again simplifies, using linear arithmetic, to: T. Case 1.5. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))), which again simplifies, using linear arithmetic, appealing to the lemmas LESSP-BV-LENGTH, EQUAL-LENGTH-0, SUB1-ADD1, SILLY-LISTP-CDR, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, and TIMES-1-ARG1, and opening up the functions EXP, LESSP, EQUAL, NUMBERP, SUB1, LENGTH, and TIMES, to: T. Case 1.4. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))), which again simplifies, using linear arithmetic, to the goal: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (NOT (LESSP 1 1)) (NOT (EQUAL 1 0))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). However this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, and EQUAL-EXP-1, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 1.3. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). However this again simplifies, using linear arithmetic, applying the lemmas DIFFERENCE-LEQ-ARG1 and FIRSTN-NOOP, and expanding the functions LENGTH, NAT-TO-BV, LESSP-BV, LESSP, ALL-ZEROS, and EQUAL, to: T. Case 1.2. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))), which again simplifies, using linear arithmetic, rewriting with LESSP-BV-TO-NAT-1, LESSP-BV-NAT-TO-BV, EQUAL-LENGTH-0, FIRSTN-NOOP, TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, LESSP-1-EXP, CDR-CONS, and CAR-CONS, and expanding FIX, DIFFERENCE, TIMES, EQUAL, NUMBERP, SUB1, EXP, LESSP, and LESSP-BV, to: T. Case 1.1. (IMPLIES (AND (NOT (NUMBERP N)) (EQUAL (LESSP-BV (CDR X) (NAT-TO-BV 1 (LENGTH (CDR X)))) (ALL-ZEROS (FIRSTN (CDR X) (DIFFERENCE (LENGTH (CDR X)) N)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (NOT (EQUAL (ADD1 (LENGTH (CDR X))) 0)) (NOT (LISTP (CDR X))) (LESSP 1 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (ALL-ZEROS (CDR X)))). But this again simplifies, using linear arithmetic, to: T. Q.E.D. [ 0.0 4.3 0.4 ] ALL-ZEROS-FIRSTN-DIFFERENCE (PROVE-LEMMA ALL-ZEROS-XOR-BV (REWRITE) (IMPLIES (AND (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B)))) This formula simplifies, trivially, to two new formulas: Case 2. (IMPLIES (AND (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B)) (NOT (EQUAL A B))) (NOT (ALL-ZEROS (XOR-BV A B)))), which we will name *1. Case 1. (IMPLIES (AND (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B)) (EQUAL A B)) (EQUAL (ALL-ZEROS (XOR-BV A B)) T)). This again simplifies, obviously, to: (IMPLIES (BVP B) (ALL-ZEROS (XOR-BV B B))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))). We named this *1. We will try to prove it by induction. Six inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP A) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (LISTP A)) (p A B))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme leads to five new formulas: Case 5. (IMPLIES (AND (LISTP A) (NOT (BVP (CDR A))) (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))), which simplifies, expanding BVP and BITP, to: T. Case 4. (IMPLIES (AND (LISTP A) (NOT (BVP (CDR B))) (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))), which simplifies, unfolding the functions BVP, BITP, and LENGTH, to: T. Case 3. (IMPLIES (AND (LISTP A) (NOT (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B)))) (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))), which simplifies, applying ADD1-EQUAL, and opening up BVP, BITP, and LENGTH, to: T. Case 2. (IMPLIES (AND (LISTP A) (EQUAL (ALL-ZEROS (XOR-BV (CDR A) (CDR B))) (EQUAL (CDR A) (CDR B))) (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))). This simplifies, applying the lemmas ADD1-EQUAL, CAR-CONS, and CDR-CONS, and unfolding the definitions of BVP, BITP, LENGTH, XOR-BV, XOR, EQUAL, and ALL-ZEROS, to: T. Case 1. (IMPLIES (AND (NOT (LISTP A)) (BVP A) (BVP B) (EQUAL (LENGTH A) (LENGTH B))) (EQUAL (ALL-ZEROS (XOR-BV A B)) (EQUAL A B))). This simplifies, unfolding the definitions of BVP, BITP, LENGTH, EQUAL, XOR-BV, and ALL-ZEROS, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.2 0.0 ] ALL-ZEROS-XOR-BV (PROVE-LEMMA LESSP-BV-NAT-TO-BV-1 (REWRITE) (IMPLIES (AND (EQUAL (LENGTH X) SIZE) (BVP X)) (EQUAL (LESSP-BV X (NAT-TO-BV 1 SIZE)) (AND (LESSP 0 SIZE) (ALL-ZEROS X))))) This formula simplifies, rewriting with EQUAL-LENGTH-0, and opening up the functions EQUAL, LESSP, and AND, to the following two new goals: Case 2. (IMPLIES (AND (BVP X) (NOT (LISTP X))) (EQUAL (LESSP-BV X (NAT-TO-BV 1 (LENGTH X))) F)). However this again simplifies, unfolding BVP, LISTP, LENGTH, NAT-TO-BV, LESSP-BV, and EQUAL, to: T. Case 1. (IMPLIES (AND (BVP X) (LISTP X)) (EQUAL (LESSP-BV X (NAT-TO-BV 1 (LENGTH X))) (ALL-ZEROS X))), which again simplifies, appealing to the lemmas LESSP-1-EXP, EQUAL-LENGTH-0, LESSP-BV-TO-NAT-1, and LESSP-BV-NAT-TO-BV, and expanding the definitions of LESSP and FIX, to: T. Q.E.D. [ 0.0 0.1 0.0 ] LESSP-BV-NAT-TO-BV-1 (DEFN DOUBLE-LENGTH-INDUCTION (X Y) (IF (AND (LISTP X) (LISTP Y)) (DOUBLE-LENGTH-INDUCTION (CDR X) (CDR Y)) T)) Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each recursive call. Hence, DOUBLE-LENGTH-INDUCTION is accepted under the definitional principle. The definition of DOUBLE-LENGTH-INDUCTION can be justified in another way. Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND inform us that the measure (COUNT Y) decreases according to the well-founded relation LESSP in each recursive call. Observe that: (TRUEP (DOUBLE-LENGTH-INDUCTION X Y)) is a theorem. [ 0.0 0.0 0.0 ] DOUBLE-LENGTH-INDUCTION (PROVE-LEMMA ALL-ZEROS-EQUAL (REWRITE) (IMPLIES (AND (BVP A) (BVP B) (ALL-ZEROS A) (ALL-ZEROS B)) (EQUAL (EQUAL A B) (EQUAL (LENGTH A) (LENGTH B)))) ((INDUCT (DOUBLE-LENGTH-INDUCTION A B)))) This formula can be simplified, using the abbreviations IMPLIES, NOT, OR, and AND, to the following two new goals: Case 2. (IMPLIES (AND (LISTP A) (LISTP B) (IMPLIES (AND (BVP (CDR A)) (BVP (CDR B)) (ALL-ZEROS (CDR A)) (ALL-ZEROS (CDR B))) (EQUAL (EQUAL (CDR A) (CDR B)) (EQUAL (LENGTH (CDR A)) (LENGTH (CDR B))))) (BVP A) (BVP B) (ALL-ZEROS A) (ALL-ZEROS B)) (EQUAL (EQUAL A B) (EQUAL (LENGTH A) (LENGTH B)))). This simplifies, rewriting with the lemma ADD1-EQUAL, and unfolding AND, IMPLIES, BITP, BVP, EQUAL, ALL-ZEROS, and LENGTH, to: T. Case 1. (IMPLIES (AND (NOT (AND (LISTP A) (LISTP B))) (BVP A) (BVP B) (ALL-ZEROS A) (ALL-ZEROS B)) (EQUAL (EQUAL A B) (EQUAL (LENGTH A) (LENGTH B)))). This simplifies, rewriting with EQUAL-LENGTH-0, and expanding the definitions of AND, BVP, ALL-ZEROS, and LENGTH, to four new conjectures: Case 1.4. (IMPLIES (AND (NOT (LISTP A)) (EQUAL A NIL) (BVP B) (ALL-ZEROS B) (NOT (EQUAL NIL B))) (LISTP B)), which again simplifies, unfolding the definitions of LISTP and BVP, to: T. Case 1.3. (IMPLIES (AND (NOT (LISTP A)) (EQUAL A NIL) (BVP B) (ALL-ZEROS B) (EQUAL NIL B)) (NOT (LISTP B))), which again simplifies, trivially, to: T. Case 1.2. (IMPLIES (AND (NOT (LISTP B)) (BVP A) (EQUAL B NIL) (ALL-ZEROS A) (NOT (EQUAL A NIL))) (LISTP A)). But this again simplifies, unfolding the functions LISTP and BVP, to: T. Case 1.1. (IMPLIES (AND (NOT (LISTP B)) (BVP A) (EQUAL B NIL) (ALL-ZEROS A) (EQUAL A NIL)) (NOT (LISTP A))), which again simplifies, obviously, to: T. Q.E.D. [ 0.0 0.5 0.0 ] ALL-ZEROS-EQUAL (DISABLE ALL-ZEROS-EQUAL) [ 0.0 0.0 0.0 ] ALL-ZEROS-EQUAL-OFF (PROVE-LEMMA ALL-ZEROS-XOR-BVS (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))) ((ENABLE ALL-ZEROS-EQUAL))) WARNING: Note that ALL-ZEROS-XOR-BVS contains the free variable SIZE which will be chosen by instantiating the hypothesis (GOOD-STATE-OF-SIZE Z SIZE). Call the conjecture *1. Let us appeal to the induction principle. There are three plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (p (CDR Z) SIZE)) (p Z SIZE)) (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (p (CDR Z) SIZE)) (p Z SIZE)) (IMPLIES (NOT (LISTP Z)) (p Z SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT Z) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces seven new formulas: Case 7. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR Z) SIZE)) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))), which simplifies, applying the lemma EQUAL-LENGTH-0, and opening up GOOD-STATE-OF-SIZE, to: T. Case 6. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))), which simplifies, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, BVP-FIX-XOR-BV-IDENTITY, LISTP-XOR-BVS, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, ALL-ZEROS-EQUAL, and NUMBER-WITH-AT-LEAST-SIMPLE, and unfolding the definitions of GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, LESSP, XOR-BVS, XOR-BV, ZEROP, ALL-ZEROS, BVP, LENGTH, and BVSP, to the following four new goals: Case 6.4. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))). This again simplifies, using linear arithmetic, to: T. Case 6.3. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 6.2. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (CAR Z))), which again simplifies, using linear arithmetic, to: T. Case 6.1. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (LISTP (CDR Z))) (ALL-ZEROS NIL)), which again simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))), which simplifies, applying the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, BVP-FIX-XOR-BV-IDENTITY, LISTP-XOR-BVS, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, ALL-ZEROS-EQUAL, and NUMBER-WITH-AT-LEAST-SIMPLE, and expanding GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, LESSP, XOR-BVS, XOR-BV, ZEROP, ALL-ZEROS, BVP, LENGTH, and BVSP, to five new formulas: Case 5.5. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))), which again simplifies, using linear arithmetic, to: T. Case 5.4. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 5.3. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (CAR Z))), which again simplifies, using linear arithmetic, to: T. Case 5.2. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (LISTP (CDR Z))) (ALL-ZEROS NIL)), which again simplifies, using linear arithmetic, to: T. Case 5.1. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (ALL-ZEROS (CAR Z)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))), which again simplifies, appealing to the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and ALL-ZEROS-XOR-BVS-SIMPLE, and expanding the functions EQUAL, LESSP, NUMBERP, BVP, and LENGTH, to: T. Case 4. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR Z) SIZE)) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))), which simplifies, applying EQUAL-LENGTH-0, and expanding the function GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))). This simplifies, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, BVP-FIX-XOR-BV-IDENTITY, LISTP-XOR-BVS, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, ALL-ZEROS-EQUAL, and NUMBER-WITH-AT-LEAST-SIMPLE, and unfolding the functions GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, LESSP, XOR-BVS, XOR-BV, ZEROP, ALL-ZEROS, BVP, LENGTH, and BVSP, to four new goals: Case 3.4. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))), which again simplifies, using linear arithmetic, to: T. Case 3.3. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (CAR Z))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (LISTP (CDR Z))) (ALL-ZEROS NIL)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))), which simplifies, applying the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, BVP-FIX-XOR-BV-IDENTITY, LISTP-XOR-BVS, BVP-CAR, GOOD-STATE-OF-SIZE-MEANS-BVSP, ALL-ZEROS-EQUAL, and NUMBER-WITH-AT-LEAST-SIMPLE, and expanding GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, EQUAL, LESSP, XOR-BVS, XOR-BV, ZEROP, ALL-ZEROS, BVP, LENGTH, and BVSP, to five new formulas: Case 2.5. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))), which again simplifies, using linear arithmetic, to: T. Case 2.4. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (ALL-ZEROS (CAR Z))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 2.3. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (CAR Z))), which again simplifies, using linear arithmetic, to: T. Case 2.2. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL SIZE 0) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE)) 0) (LISTP (CDR Z))) (ALL-ZEROS NIL)), which again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (ALL-ZEROS (CAR Z)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (XOR-BV (CAR Z) (XOR-BVS (CDR Z))))), which again simplifies, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, BVP-XOR-BVS, ALL-ZEROS-EQUAL, and ALL-ZEROS-XOR-BV, and unfolding the definitions of EQUAL and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP Z)) (GOOD-STATE-OF-SIZE Z SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0)) (ALL-ZEROS (XOR-BVS Z))). This simplifies, opening up the functions GOOD-STATE-OF-SIZE, LISTP, NUMBER-WITH-AT-LEAST, EQUAL, XOR-BVS, and ALL-ZEROS, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 1.1 0.1 ] ALL-ZEROS-XOR-BVS (PROVE-LEMMA LENGTH-FIRSTN (REWRITE) (EQUAL (LENGTH (FIRSTN LIST SIZE)) (MIN (LENGTH LIST) SIZE))) This conjecture simplifies, expanding MIN, to the following three new goals: Case 3. (IMPLIES (AND (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)). Call the above conjecture *1. Case 2. (IMPLIES (AND (NOT (LESSP (LENGTH LIST) SIZE)) (NOT (NUMBERP SIZE))) (EQUAL (LENGTH (FIRSTN LIST SIZE)) 0)). This again simplifies, expanding LESSP, FIRSTN, LENGTH, and EQUAL, to: T. Case 1. (IMPLIES (LESSP (LENGTH LIST) SIZE) (EQUAL (LENGTH (FIRSTN LIST SIZE)) (LENGTH LIST))), which again simplifies, using linear arithmetic and applying FIRSTN-NOOP, to: T. So let us turn our attention to: (IMPLIES (AND (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)), named *1 above. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (p LIST SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (p LIST SIZE)) (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (p (CDR LIST) (SUB1 SIZE))) (p LIST SIZE))). Linear arithmetic, the lemmas SUB1-LESSEQP and SUB1-LESSP, and the definitions of OR and NOT can be used to prove that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for LIST. The above induction scheme produces four new conjectures: Case 4. (IMPLIES (AND (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE))) (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)), which simplifies, unfolding the functions NOT, OR, LENGTH, EQUAL, LESSP, NUMBERP, and FIRSTN, to: T. Case 3. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST)))) (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)), which simplifies, unfolding NOT, OR, LENGTH, EQUAL, and LESSP, to: T. Case 2. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (LESSP (LENGTH (CDR LIST)) (SUB1 SIZE)) (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)), which simplifies, applying SUB1-ADD1, and unfolding the definitions of NOT, OR, LENGTH, and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (OR (EQUAL SIZE 0) (NOT (NUMBERP SIZE)))) (NOT (OR (EQUAL (LENGTH LIST) 0) (NOT (NUMBERP (LENGTH LIST))))) (EQUAL (LENGTH (FIRSTN (CDR LIST) (SUB1 SIZE))) (SUB1 SIZE)) (NOT (LESSP (LENGTH LIST) SIZE)) (NUMBERP SIZE)) (EQUAL (LENGTH (FIRSTN LIST SIZE)) SIZE)). This simplifies, rewriting with the lemmas SUB1-ADD1, ADD1-SUB1, and CDR-CONS, and opening up the definitions of NOT, OR, LENGTH, LESSP, and FIRSTN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-FIRSTN (PROVE-LEMMA LENGTH-XOR-BV (REWRITE) (EQUAL (LENGTH (XOR-BV A B)) (MIN (LENGTH A) (LENGTH B)))) This simplifies, unfolding the definition of MIN, to the following two new goals: Case 2. (IMPLIES (NOT (LESSP (LENGTH A) (LENGTH B))) (EQUAL (LENGTH (XOR-BV A B)) (LENGTH B))). Name the above subgoal *1. Case 1. (IMPLIES (LESSP (LENGTH A) (LENGTH B)) (EQUAL (LENGTH (XOR-BV A B)) (LENGTH A))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (EQUAL (LENGTH (XOR-BV A B)) (MIN (LENGTH A) (LENGTH B))), which we named *1 above. We will appeal to induction. There are four plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (AND (LISTP A) (LISTP B)) (p (CDR A) (CDR B))) (p A B)) (IMPLIES (NOT (AND (LISTP A) (LISTP B))) (p A B))). Linear arithmetic, the lemmas CDR-LESSEQP and CDR-LESSP, and the definition of AND establish that the measure (COUNT A) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for B. The above induction scheme generates the following two new formulas: Case 2. (IMPLIES (AND (AND (LISTP A) (LISTP B)) (EQUAL (LENGTH (XOR-BV (CDR A) (CDR B))) (MIN (LENGTH (CDR A)) (LENGTH (CDR B))))) (EQUAL (LENGTH (XOR-BV A B)) (MIN (LENGTH A) (LENGTH B)))). This simplifies, applying CDR-CONS and SUB1-ADD1, and opening up the functions AND, MIN, XOR-BV, XOR, LENGTH, and LESSP, to: T. Case 1. (IMPLIES (NOT (AND (LISTP A) (LISTP B))) (EQUAL (LENGTH (XOR-BV A B)) (MIN (LENGTH A) (LENGTH B)))), which simplifies, opening up the definitions of AND, XOR-BV, LENGTH, NUMBERP, LESSP, EQUAL, and MIN, to two new formulas: Case 1.2. (IMPLIES (AND (NOT (LISTP A)) (NOT (LISTP B))) (EQUAL 0 (MIN 0 0))), which again simplifies, opening up the definitions of MIN and EQUAL, to: T. Case 1.1. (IMPLIES (AND (NOT (LISTP A)) (LISTP B)) (EQUAL 0 (MIN 0 (ADD1 (LENGTH (CDR B)))))), which again simplifies, expanding the definitions of NUMBERP, LESSP, EQUAL, and MIN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] LENGTH-XOR-BV (PROVE-LEMMA FIRSTN-XOR-BV (REWRITE) (EQUAL (FIRSTN (XOR-BV A B) SIZE) (XOR-BV (FIRSTN A SIZE) (FIRSTN B SIZE)))) Call the conjecture *1. We will try to prove it by induction. There are seven plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP (XOR-BV A B))) (p A B SIZE)) (IMPLIES (AND (LISTP (XOR-BV A B)) (ZEROP SIZE)) (p A B SIZE)) (IMPLIES (AND (LISTP (XOR-BV A B)) (NOT (ZEROP SIZE)) (p (CDR A) (CDR B) (SUB1 SIZE))) (p A B SIZE))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT SIZE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for B and A. The above induction scheme generates three new goals: Case 3. (IMPLIES (NOT (LISTP (XOR-BV A B))) (EQUAL (FIRSTN (XOR-BV A B) SIZE) (XOR-BV (FIRSTN A SIZE) (FIRSTN B SIZE)))), which simplifies, using linear arithmetic, appealing to the lemmas FIRSTN-NOOP and COMMUTATIVITY-OF-XOR-BV, and unfolding XOR-BV, XOR, LENGTH, FIRSTN, and EQUAL, to: T. Case 2. (IMPLIES (AND (LISTP (XOR-BV A B)) (ZEROP SIZE)) (EQUAL (FIRSTN (XOR-BV A B) SIZE) (XOR-BV (FIRSTN A SIZE) (FIRSTN B SIZE)))), which simplifies, opening up XOR-BV, XOR, ZEROP, EQUAL, and FIRSTN, to: T. Case 1. (IMPLIES (AND (LISTP (XOR-BV A B)) (NOT (ZEROP SIZE)) (EQUAL (FIRSTN (XOR-BV (CDR A) (CDR B)) (SUB1 SIZE)) (XOR-BV (FIRSTN (CDR A) (SUB1 SIZE)) (FIRSTN (CDR B) (SUB1 SIZE))))) (EQUAL (FIRSTN (XOR-BV A B) SIZE) (XOR-BV (FIRSTN A SIZE) (FIRSTN B SIZE)))), which simplifies, applying the lemmas CDR-CONS and CAR-CONS, and opening up the definitions of XOR-BV, XOR, ZEROP, and FIRSTN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.3 0.0 ] FIRSTN-XOR-BV (PROVE-LEMMA ALL-ZEROS-XOR-BVS-FIRSTN (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))) ((ENABLE ALL-ZEROS-EQUAL))) This formula simplifies, applying TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and expanding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, and DIFFERENCE, to seven new formulas: Case 7. (IMPLIES (AND (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). Applying the lemma DIFFERENCE-ELIM, replace SIZE by (PLUS N X) to eliminate (DIFFERENCE SIZE N). We employ the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. We would thus like to prove the following three new goals: Case 7.3. (IMPLIES (AND (LESSP SIZE N) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). This further simplifies, using linear arithmetic, to: T. Case 7.2. (IMPLIES (AND (NOT (NUMBERP SIZE)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))), which further simplifies, opening up the definition of LESSP, to: T. Case 7.1. (IMPLIES (AND (NUMBERP X) (NOT (LESSP (PLUS N X) N)) (GOOD-STATE-OF-SIZE Z (PLUS N X)) (LESSP N (PLUS N X)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) (PLUS N X)) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) X))), which further simplifies, applying CORRECTNESS-OF-CANCEL-LESSP-PLUS, TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and unfolding FIX, ZEROP, NOT, TIMES, EQUAL, NUMBERP, SUB1, and EXP, to the new conjecture: (IMPLIES (AND (NUMBERP X) (GOOD-STATE-OF-SIZE Z (PLUS N X)) (NOT (EQUAL X 0)) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) (PLUS N X)) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) X))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))), named *1. Let us appeal to the induction principle. Eight inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (p (CDR Z) SIZE N)) (p Z SIZE N)) (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (p (CDR Z) SIZE N)) (p Z SIZE N)) (IMPLIES (NOT (LISTP Z)) (p Z SIZE N))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT Z) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to seven new goals: Case 7. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR Z) SIZE)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))), which simplifies, rewriting with the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-LENGTH-0, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, and GOOD-STATE-OF-SIZE, to: T. Case 6. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))), which simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, ALL-ZEROS-FIRSTN-DIFFERENCE, BVP-FIX-XOR-BV-IDENTITY, and EXP-ZERO, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, XOR-BVS, LESSP, DIFFERENCE, and ZEROP, to the following six new conjectures: Case 6.6. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))). However this again simplifies, using linear arithmetic, to: T. Case 6.5. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 6.4. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))), which again simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and unfolding EQUAL, LESSP, EXP, LENGTH, and NUMBER-WITH-AT-LEAST, to: T. Case 6.3. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). But this again simplifies, using linear arithmetic, applying the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and unfolding the functions EQUAL, LESSP, EXP, LENGTH, BVP, and NUMBERP, to: (IMPLIES (AND (LISTP Z) (NOT (ALL-ZEROS (CAR Z))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 (LENGTH (CAR Z))) 0)) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (LISTP (CAR Z)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))). However this again simplifies, appealing to the lemmas LESSP-BV-NAT-TO-BV-1 and EQUAL-LENGTH-0, and opening up the definitions of LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 6.2. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))), which again simplifies, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and unfolding EQUAL, LESSP, ZEROP, LENGTH, and NUMBER-WITH-AT-LEAST, to: T. Case 6.1. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). This again simplifies, using linear arithmetic, applying the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, EXP-ZERO, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and opening up the functions EQUAL, LESSP, ZEROP, LENGTH, BVP, and NUMBERP, to the goal: (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (ALL-ZEROS (CAR Z))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 (LENGTH (CAR Z))) 0)) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (LISTP (CAR Z)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))). This again simplifies, rewriting with LESSP-BV-NAT-TO-BV-1 and EQUAL-LENGTH-0, and unfolding LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 5. (IMPLIES (AND (LISTP Z) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, ALL-ZEROS-FIRSTN-DIFFERENCE, BVP-FIX-XOR-BV-IDENTITY, and EXP-ZERO, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, XOR-BVS, LESSP, DIFFERENCE, and ZEROP, to seven new formulas: Case 5.7. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))), which again simplifies, using linear arithmetic, to: T. Case 5.6. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 5.5. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE))) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))), which again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and ALL-ZEROS-FIRSTN-DIFFERENCE, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 5.4. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))). However this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding the definitions of EQUAL, LESSP, LENGTH, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: (IMPLIES (AND (LISTP Z) (NOT (ALL-ZEROS (CAR Z))) (LISTP (CAR Z)) (BVP (CAR Z)) (EQUAL (CDR Z) NIL)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0))). Applying the lemma CAR-CDR-ELIM, replace Z by (CONS X V) to eliminate (CAR Z) and (CDR Z). We would thus like to prove: (IMPLIES (AND (NOT (ALL-ZEROS X)) (LISTP X) (BVP X) (EQUAL V NIL)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CONS X V) 1 (LENGTH X)) 0))), which further simplifies, applying CDR-CONS, LESSP-BV-NAT-TO-BV-1, EQUAL-LENGTH-0, and CAR-CONS, and unfolding LESSP, EQUAL, NUMBER-WITH-AT-LEAST, LISTP, and ADD1, to: T. Case 5.3. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). But this again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and expanding EQUAL, LESSP, and LENGTH, to the goal: (IMPLIES (AND (LISTP Z) (NOT (ALL-ZEROS (CAR Z))) (LISTP (CAR Z)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))). Appealing to the lemma CAR-CDR-ELIM, we now replace Z by (CONS X V) to eliminate (CAR Z) and (CDR Z). This generates: (IMPLIES (AND (NOT (ALL-ZEROS X)) (LISTP X) (ALL-ZEROS (XOR-BVS V)) (BVP X) (GOOD-STATE-OF-SIZE V (LENGTH X)) (EQUAL (NUMBER-WITH-AT-LEAST (CONS X V) 1 (LENGTH X)) 0) (LISTP V)) (EQUAL X (XOR-BVS V))). This further simplifies, rewriting with CDR-CONS, LESSP-BV-NAT-TO-BV-1, EQUAL-LENGTH-0, and CAR-CONS, and expanding the functions LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 5.2. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))). However this again simplifies, using linear arithmetic, appealing to the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and unfolding EQUAL, LESSP, LENGTH, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (ALL-ZEROS (CAR Z))) (LISTP (CAR Z)) (BVP (CAR Z)) (EQUAL (CDR Z) NIL)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0))). Appealing to the lemma CAR-CDR-ELIM, we now replace Z by (CONS X V) to eliminate (CAR Z) and (CDR Z). We must thus prove: (IMPLIES (AND (NOT (NUMBERP N)) (NOT (ALL-ZEROS X)) (LISTP X) (BVP X) (EQUAL V NIL)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CONS X V) 1 (LENGTH X)) 0))). However this further simplifies, applying the lemmas CDR-CONS, LESSP-BV-NAT-TO-BV-1, EQUAL-LENGTH-0, and CAR-CONS, and opening up LESSP, EQUAL, NUMBER-WITH-AT-LEAST, LISTP, and ADD1, to: T. Case 5.1. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))), which again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and opening up EQUAL, LESSP, and LENGTH, to: (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (NOT (ALL-ZEROS (CAR Z))) (LISTP (CAR Z)) (ALL-ZEROS (XOR-BVS (CDR Z))) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))). Appealing to the lemma CAR-CDR-ELIM, we now replace Z by (CONS X V) to eliminate (CAR Z) and (CDR Z). The result is the conjecture: (IMPLIES (AND (NOT (NUMBERP N)) (NOT (ALL-ZEROS X)) (LISTP X) (ALL-ZEROS (XOR-BVS V)) (BVP X) (GOOD-STATE-OF-SIZE V (LENGTH X)) (EQUAL (NUMBER-WITH-AT-LEAST (CONS X V) 1 (LENGTH X)) 0) (LISTP V)) (EQUAL X (XOR-BVS V))). However this further simplifies, rewriting with CDR-CONS, LESSP-BV-NAT-TO-BV-1, EQUAL-LENGTH-0, and CAR-CONS, and unfolding the definitions of LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 4. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR Z) SIZE)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-LENGTH-0, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, and GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))), which simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, ALL-ZEROS-FIRSTN-DIFFERENCE, BVP-FIX-XOR-BV-IDENTITY, and EXP-ZERO, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, XOR-BVS, LESSP, DIFFERENCE, and ZEROP, to the following six new formulas: Case 3.6. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))). This again simplifies, using linear arithmetic, to: T. Case 3.5. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 3.4. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))), which again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and expanding the functions EQUAL, LESSP, EXP, and NUMBER-WITH-AT-LEAST, to: T. Case 3.3. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). But this again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and opening up the definitions of EQUAL, LESSP, and EXP, to: (IMPLIES (AND (LISTP Z) (LISTP (CAR Z)) (ALL-ZEROS (CAR Z)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 (LENGTH (CAR Z))) 0)) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))). However this again simplifies, applying LESSP-BV-NAT-TO-BV-1 and EQUAL-LENGTH-0, and opening up LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 3.2. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))). But this again simplifies, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and opening up EQUAL, LESSP, ZEROP, and NUMBER-WITH-AT-LEAST, to: T. Case 3.1. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0)) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (NOT (EQUAL SIZE 0)) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))), which again simplifies, using linear arithmetic, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, EXP-ZERO, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and opening up EQUAL, LESSP, and ZEROP, to the new conjecture: (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (LISTP (CAR Z)) (ALL-ZEROS (CAR Z)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) 1 (LENGTH (CAR Z))) 0)) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (EQUAL (CAR Z) (XOR-BVS (CDR Z)))), which again simplifies, applying LESSP-BV-NAT-TO-BV-1 and EQUAL-LENGTH-0, and expanding the definitions of LESSP, EQUAL, and NUMBER-WITH-AT-LEAST, to: T. Case 2. (IMPLIES (AND (LISTP Z) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, ALL-ZEROS-FIRSTN-DIFFERENCE, BVP-FIX-XOR-BV-IDENTITY, and EXP-ZERO, and expanding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, NUMBER-WITH-AT-LEAST, XOR-BVS, LESSP, DIFFERENCE, and ZEROP, to seven new goals: Case 2.7. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))), which again simplifies, using linear arithmetic, to: T. Case 2.6. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (NOT (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N)))) (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE)) 0)) (LISTP (CDR Z))), which again simplifies, using linear arithmetic, to: T. Case 2.5. (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR Z) (NAT-TO-BV (EXP 2 N) SIZE)) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE SIZE N))) (BVP (CAR Z)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE SIZE N))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) (DIFFERENCE SIZE N)))), which again simplifies, appealing to the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, ALL-ZEROS-FIRSTN-DIFFERENCE, and FIRSTN-XOR-BV, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to the conjecture: (IMPLIES (AND (LISTP Z) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE (LENGTH (CAR Z)) N))) (BVP (CAR Z)) (GOOD-STATE-OF-SIZE (CDR Z) (LENGTH (CAR Z))) (LESSP N (LENGTH (CAR Z))) (ALL-ZEROS (FIRSTN (CAR Z) (DIFFERENCE (LENGTH (CAR Z)) N))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR Z) (EXP 2 N) (LENGTH (CAR Z))) 0) (LISTP (CDR Z))) (ALL-ZEROS (XOR-BV (FIRSTN (CAR Z) (DIFFERENCE (LENGTH (CAR Z)) N)) (FIRSTN (XOR-BVS (CDR Z)) (DIFFERENCE (LENGTH (CAR Z)) N))))). Appealing to the lemma CAR-CDR-ELIM, we now replace Z by (CONS V X) to eliminate (CDR Z) and (CAR Z). This generates: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN (XOR-BVS X) (DIFFERENCE (LENGTH V) N))) (BVP V) (GOOD-STATE-OF-SIZE X (LENGTH V)) (LESSP N (LENGTH V)) (ALL-ZEROS (FIRSTN V (DIFFERENCE (LENGTH V) N))) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) (LENGTH V)) 0) (LISTP X)) (ALL-ZEROS (XOR-BV (FIRSTN V (DIFFERENCE (LENGTH V) N)) (FIRSTN (XOR-BVS X) (DIFFERENCE (LENGTH V) N))))). We will try to prove the above formula by generalizing it, replacing (XOR-BVS X) by Y and (LENGTH V) by A. We restrict the new variables by recalling the type restriction lemma noted when LENGTH was introduced. This produces the new formula: (IMPLIES (AND (NUMBERP A) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN Y (DIFFERENCE A N))) (BVP V) (GOOD-STATE-OF-SIZE X A) (LESSP N A) (ALL-ZEROS (FIRSTN V (DIFFERENCE A N))) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) A) 0) (LISTP X)) (ALL-ZEROS (XOR-BV (FIRSTN V (DIFFERENCE A N)) (FIRSTN Y (DIFFERENCE A N))))). Applying the lemma DIFFERENCE-ELIM, replace A by (PLUS N W) to eliminate (DIFFERENCE A N). We use the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. This produces the following two new conjectures: Case 2.5.2. (IMPLIES (AND (LESSP A N) (NUMBERP A) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN Y (DIFFERENCE A N))) (BVP V) (GOOD-STATE-OF-SIZE X A) (LESSP N A) (ALL-ZEROS (FIRSTN V (DIFFERENCE A N))) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) A) 0) (LISTP X)) (ALL-ZEROS (XOR-BV (FIRSTN V (DIFFERENCE A N)) (FIRSTN Y (DIFFERENCE A N))))). This finally simplifies, using linear arithmetic, to: T. Case 2.5.1. (IMPLIES (AND (NUMBERP W) (NOT (LESSP (PLUS N W) N)) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN Y W)) (BVP V) (GOOD-STATE-OF-SIZE X (PLUS N W)) (LESSP N (PLUS N W)) (ALL-ZEROS (FIRSTN V W)) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) (PLUS N W)) 0) (LISTP X)) (ALL-ZEROS (XOR-BV (FIRSTN V W) (FIRSTN Y W)))), which further simplifies, appealing to the lemmas CORRECTNESS-OF-CANCEL-LESSP-PLUS, TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and unfolding FIX, ZEROP, NOT, TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: (IMPLIES (AND (NUMBERP W) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS (FIRSTN Y W)) (BVP V) (GOOD-STATE-OF-SIZE X (PLUS N W)) (NOT (EQUAL W 0)) (ALL-ZEROS (FIRSTN V W)) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) (PLUS N W)) 0) (LISTP X)) (ALL-ZEROS (XOR-BV (FIRSTN V W) (FIRSTN Y W)))). We will try to prove the above formula by generalizing it, replacing (FIRSTN V W) by A, (PLUS N W) by U, and (FIRSTN Y W) by B. We restrict the new variables by recalling the type restriction lemma noted when PLUS was introduced. We would thus like to prove: (IMPLIES (AND (NUMBERP U) (NUMBERP W) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (BVP V) (GOOD-STATE-OF-SIZE X U) (NOT (EQUAL W 0)) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))), which has three irrelevant terms in it. By eliminating these terms we get: (IMPLIES (AND (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))), which we will finally name *1.1. Case 2.4. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))). But this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding the functions EQUAL, LESSP, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: T. Case 2.3. (IMPLIES (AND (LISTP Z) (EQUAL N 0) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). However this again simplifies, using linear arithmetic, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, ALL-ZEROS-EQUAL, and ALL-ZEROS-XOR-BV, and opening up the functions EQUAL and LESSP, to: T. Case 2.2. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (NOT (LISTP (CDR Z)))) (ALL-ZEROS (FIRSTN (CAR Z) SIZE))). But this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and unfolding the definitions of EQUAL, LESSP, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: T. Case 2.1. (IMPLIES (AND (LISTP Z) (NOT (NUMBERP N)) (LESSP-BV (CAR Z) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS (CDR Z)) SIZE)) (BVP (CAR Z)) (EQUAL (LENGTH (CAR Z)) SIZE) (GOOD-STATE-OF-SIZE (CDR Z) SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z 1 SIZE) 0) (LISTP (CDR Z))) (ALL-ZEROS (FIRSTN (XOR-BV (CAR Z) (XOR-BVS (CDR Z))) SIZE))). This again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, ALL-ZEROS-EQUAL, and ALL-ZEROS-XOR-BV, and unfolding the functions EQUAL and LESSP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP Z)) (GOOD-STATE-OF-SIZE Z SIZE) (LESSP N SIZE) (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) SIZE) 0)) (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE SIZE N)))). This simplifies, using linear arithmetic, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and FIRSTN-NOOP, and opening up the definitions of GOOD-STATE-OF-SIZE, TIMES, EQUAL, NUMBERP, SUB1, EXP, LISTP, NUMBER-WITH-AT-LEAST, XOR-BVS, LENGTH, and ALL-ZEROS, to: T. So we now return to: (IMPLIES (AND (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))), which is formula *1.1 above. We will try to prove it by induction. Seven inductions are suggested by terms in the conjecture. They merge into three likely candidate inductions, all of which are unflawed. However, one of these is more likely than the others. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP B) (p (CDR A) (CDR B) X N U)) (p A B X N U)) (IMPLIES (NOT (LISTP B)) (p A B X N U))). Linear arithmetic and the lemma CDR-LESSP establish that the measure (COUNT B) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for A. The above induction scheme produces four new formulas: Case 4. (IMPLIES (AND (LISTP B) (NOT (ALL-ZEROS (CDR B))) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))), which simplifies, unfolding the definition of ALL-ZEROS, to: T. Case 3. (IMPLIES (AND (LISTP B) (NOT (ALL-ZEROS (CDR A))) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))), which simplifies, applying TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up ALL-ZEROS, TIMES, EQUAL, NUMBERP, SUB1, EXP, and XOR-BV, to: T. Case 2. (IMPLIES (AND (LISTP B) (ALL-ZEROS (XOR-BV (CDR A) (CDR B))) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))). This simplifies, appealing to the lemmas TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and expanding the functions ALL-ZEROS, TIMES, EQUAL, NUMBERP, SUB1, EXP, XOR-BV, and XOR, to the following two new formulas: Case 2.2. (IMPLIES (AND (LISTP B) (ALL-ZEROS (XOR-BV (CDR A) (CDR B))) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (CAR B) 0) (ALL-ZEROS (CDR B)) (GOOD-STATE-OF-SIZE X U) (EQUAL (CAR A) 0) (ALL-ZEROS (CDR A)) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X) (NOT (LISTP A))) (ALL-ZEROS NIL)). However this again simplifies, rewriting with the lemmas CAR-NLISTP, TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and unfolding EQUAL, TIMES, NUMBERP, SUB1, EXP, and ALL-ZEROS, to: T. Case 2.1. (IMPLIES (AND (LISTP B) (ALL-ZEROS (XOR-BV (CDR A) (CDR B))) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (EQUAL (CAR B) 0) (ALL-ZEROS (CDR B)) (GOOD-STATE-OF-SIZE X U) (EQUAL (CAR A) 0) (ALL-ZEROS (CDR A)) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X) (LISTP A)) (ALL-ZEROS (CONS 0 (XOR-BV (CDR A) (CDR B))))), which again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, CDR-CONS, and CAR-CONS, and opening up the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, and ALL-ZEROS, to: T. Case 1. (IMPLIES (AND (NOT (LISTP B)) (NUMBERP U) (NOT (EQUAL N 0)) (NUMBERP N) (ALL-ZEROS B) (GOOD-STATE-OF-SIZE X U) (ALL-ZEROS A) (EQUAL (NUMBER-WITH-AT-LEAST X (EXP 2 N) U) 0) (LISTP X)) (ALL-ZEROS (XOR-BV A B))). This simplifies, applying TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and unfolding the functions ALL-ZEROS, TIMES, EQUAL, NUMBERP, SUB1, EXP, and XOR-BV, to: T. That finishes the proof of *1.1, which, in turn, finishes the proof of *1. Q.E.D. [ 0.0 10.5 0.1 ] ALL-ZEROS-XOR-BVS-FIRSTN (PROVE-LEMMA ALL-ZEROS-IF-FIRSTN-ZEROS (REWRITE) (IMPLIES (ALL-ZEROS X) (ALL-ZEROS (FIRSTN X SIZE)))) Call the conjecture *1. We will try to prove it by induction. The recursive terms in the conjecture suggest three inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP X)) (p X SIZE)) (IMPLIES (AND (LISTP X) (ZEROP SIZE)) (p X SIZE)) (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (p (CDR X) (SUB1 SIZE))) (p X SIZE))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for SIZE. The above induction scheme generates the following four new formulas: Case 4. (IMPLIES (AND (NOT (LISTP X)) (ALL-ZEROS X)) (ALL-ZEROS (FIRSTN X SIZE))). This simplifies, using linear arithmetic, applying FIRSTN-NOOP, and expanding the functions ALL-ZEROS and LENGTH, to: T. Case 3. (IMPLIES (AND (LISTP X) (ZEROP SIZE) (ALL-ZEROS X)) (ALL-ZEROS (FIRSTN X SIZE))), which simplifies, opening up the functions ZEROP, ALL-ZEROS, EQUAL, and FIRSTN, to: T. Case 2. (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (NOT (ALL-ZEROS (CDR X))) (ALL-ZEROS X)) (ALL-ZEROS (FIRSTN X SIZE))), which simplifies, expanding ZEROP and ALL-ZEROS, to: T. Case 1. (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (ALL-ZEROS (FIRSTN (CDR X) (SUB1 SIZE))) (ALL-ZEROS X)) (ALL-ZEROS (FIRSTN X SIZE))), which simplifies, applying CDR-CONS and CAR-CONS, and unfolding the definitions of ZEROP, ALL-ZEROS, FIRSTN, and EQUAL, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] ALL-ZEROS-IF-FIRSTN-ZEROS (PROVE-LEMMA GOOD-STATE-OF-SIZE-LENGTH-XOR-BVS (REWRITE) (EQUAL (GOOD-STATE-OF-SIZE Z (LENGTH (XOR-BVS Z))) (GOOD-STATE-OF-SIZE Z (LENGTH (CAR Z))))) . Applying the lemma CAR-CDR-ELIM, replace Z by (CONS X V) to eliminate (CAR Z) and (CDR Z). We thus obtain the following two new goals: Case 2. (IMPLIES (NOT (LISTP Z)) (EQUAL (GOOD-STATE-OF-SIZE Z (LENGTH (XOR-BVS Z))) (GOOD-STATE-OF-SIZE Z (LENGTH (CAR Z))))). However this simplifies, rewriting with CAR-NLISTP, and opening up XOR-BVS, LENGTH, and GOOD-STATE-OF-SIZE, to: T. Case 1. (EQUAL (GOOD-STATE-OF-SIZE (CONS X V) (LENGTH (XOR-BVS (CONS X V)))) (GOOD-STATE-OF-SIZE (CONS X V) (LENGTH X))). However this simplifies, applying CAR-CONS, CDR-CONS, and BVP-FIX-XOR-BV-IDENTITY, and unfolding the definitions of XOR-BVS and GOOD-STATE-OF-SIZE, to the new goal: (IMPLIES (AND (BVP X) (LISTP V) (NOT (EQUAL (LENGTH X) (LENGTH (XOR-BV X (XOR-BVS V)))))) (EQUAL F (GOOD-STATE-OF-SIZE V (LENGTH X)))), which again simplifies, applying LENGTH-XOR-BVS and LENGTH-XOR-BV, and unfolding the function MIN, to: T. Q.E.D. [ 0.0 0.1 0.0 ] GOOD-STATE-OF-SIZE-LENGTH-XOR-BVS (PROVE-LEMMA BVP-FIRSTN (REWRITE) (IMPLIES (BVP X) (BVP (FIRSTN X SIZE)))) Call the conjecture *1. We will try to prove it by induction. The recursive terms in the conjecture suggest three inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (NOT (LISTP X)) (p X SIZE)) (IMPLIES (AND (LISTP X) (ZEROP SIZE)) (p X SIZE)) (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (p (CDR X) (SUB1 SIZE))) (p X SIZE))). Linear arithmetic and the lemma CDR-LESSP can be used to establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for SIZE. The above induction scheme generates the following four new formulas: Case 4. (IMPLIES (AND (NOT (LISTP X)) (BVP X)) (BVP (FIRSTN X SIZE))). This simplifies, using linear arithmetic, applying FIRSTN-NOOP, and expanding the functions BVP and LENGTH, to: T. Case 3. (IMPLIES (AND (LISTP X) (ZEROP SIZE) (BVP X)) (BVP (FIRSTN X SIZE))), which simplifies, opening up the functions ZEROP, BVP, BITP, EQUAL, and FIRSTN, to: T. Case 2. (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (NOT (BVP (CDR X))) (BVP X)) (BVP (FIRSTN X SIZE))), which simplifies, expanding ZEROP, BVP, and BITP, to: T. Case 1. (IMPLIES (AND (LISTP X) (NOT (ZEROP SIZE)) (BVP (FIRSTN (CDR X) (SUB1 SIZE))) (BVP X)) (BVP (FIRSTN X SIZE))), which simplifies, applying CDR-CONS and CAR-CONS, and unfolding the definitions of ZEROP, BVP, BITP, and FIRSTN, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.0 0.0 ] BVP-FIRSTN (PROVE-LEMMA NUMBER-WITH-AT-LEAST-EXP-2 (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1)))) This conjecture simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up TIMES, EQUAL, NUMBERP, SUB1, and EXP, to three new conjectures: Case 3. (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N))) (NOT (EQUAL N 0)) (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). Applying the lemma DIFFERENCE-ELIM, replace SIZE by (PLUS N X) to eliminate (DIFFERENCE SIZE N). We rely upon the type restriction lemma noted when DIFFERENCE was introduced to restrict the new variable. We thus obtain the following three new formulas: Case 3.3. (IMPLIES (AND (LESSP SIZE N) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N))) (NOT (EQUAL N 0)) (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). But this further simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (NOT (NUMBERP SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N))) (NOT (EQUAL N 0)) (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))), which further simplifies, expanding the function LESSP, to: T. Case 3.1. (IMPLIES (AND (NUMBERP X) (NOT (LESSP (PLUS N X) N)) (GOOD-STATE-OF-SIZE STATE (PLUS N X)) (LESSP N (PLUS N X)) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) X)) (NOT (EQUAL N 0)) (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) (PLUS N X)) 1))), which further simplifies, applying the lemmas CORRECTNESS-OF-CANCEL-LESSP-PLUS, TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and unfolding FIX, ZEROP, NOT, TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: (IMPLIES (AND (NUMBERP X) (GOOD-STATE-OF-SIZE STATE (PLUS N X)) (NOT (EQUAL X 0)) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) X)) (NOT (EQUAL N 0)) (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) (PLUS N X)) 1))), which we would usually push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us consider: (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). We gave this the name *1 above. Perhaps we can prove it by induction. There are eight plausible inductions. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (p (CDR STATE) N SIZE)) (p STATE N SIZE)) (IMPLIES (NOT (LISTP STATE)) (p STATE N SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces the following seven new goals: Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-LENGTH-0, and expanding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, and GOOD-STATE-OF-SIZE, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))), which simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, BVP-FIX-XOR-BV-IDENTITY, ALL-ZEROS-FIRSTN-DIFFERENCE, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and unfolding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, XOR-BVS, NUMBER-WITH-AT-LEAST, LESSP, DIFFERENCE, ADD1, and ZEROP, to the following nine new formulas: Case 6.9. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1))). But this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and ALL-ZEROS-FIRSTN-DIFFERENCE, and opening up TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 6.8. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N))))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE)) 1))). This again simplifies, using linear arithmetic, applying the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, ALL-ZEROS-FIRSTN-DIFFERENCE, and ALL-ZEROS-XOR-BVS-FIRSTN, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 6.7. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1))), which again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and ALL-ZEROS-FIRSTN-DIFFERENCE, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 6.6. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). However this again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding the functions EQUAL, LESSP, and NUMBER-WITH-AT-LEAST, to: T. Case 6.5. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))), which again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding EQUAL and LESSP, to: T. Case 6.4. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))). But this again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and opening up EQUAL, LESSP, and LENGTH, to: T. Case 6.3. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). This again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding the functions EQUAL, LESSP, and NUMBER-WITH-AT-LEAST, to: T. Case 6.2. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). However this again simplifies, using linear arithmetic, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and unfolding the definitions of EQUAL and LESSP, to: T. Case 6.1. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))). But this again simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and unfolding the functions EQUAL, LESSP, and LENGTH, to: T. Case 5. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, BVP-FIX-XOR-BV-IDENTITY, ALL-ZEROS-FIRSTN-DIFFERENCE, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and unfolding TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, XOR-BVS, NUMBER-WITH-AT-LEAST, LESSP, DIFFERENCE, ADD1, and ZEROP, to seven new formulas: Case 5.7. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N))))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE)) 1))), which again simplifies, applying the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, ALL-ZEROS-FIRSTN-DIFFERENCE, FIRSTN-XOR-BV, LENGTH-XOR-BVS, LENGTH-FIRSTN, BVP-XOR-BVS, BVP-FIRSTN, ALL-ZEROS-XOR-BV, and ADD1-EQUAL, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, and MIN, to the goal: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) (LENGTH (CAR STATE))) 1)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP N (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (EQUAL (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N)) (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE (LENGTH (CAR STATE)) N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N))))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) (LENGTH (CAR STATE))) 0))). But this again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up the functions EQUAL, TIMES, NUMBERP, SUB1, and EXP, to: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP N (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (EQUAL (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N)) (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE (LENGTH (CAR STATE)) N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N))))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) (LENGTH (CAR STATE))) 0))). Applying the lemma CAR-CDR-ELIM, replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE). We thus obtain: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (BVP X) (GOOD-STATE-OF-SIZE Z (LENGTH X)) (LESSP N (LENGTH X)) (LISTP Z) (EQUAL (FIRSTN X (DIFFERENCE (LENGTH X) N)) (FIRSTN (XOR-BVS Z) (DIFFERENCE (LENGTH X) N))) (NOT (ALL-ZEROS (FIRSTN X (DIFFERENCE (LENGTH X) N))))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) (LENGTH X)) 0))). We use the first equality hypothesis by substituting: (FIRSTN (XOR-BVS Z) (DIFFERENCE (LENGTH X) N)) for (FIRSTN X (DIFFERENCE (LENGTH X) N)) and throwing away the equality. This generates: (IMPLIES (AND (NOT (EQUAL N 0)) (NUMBERP N) (BVP X) (GOOD-STATE-OF-SIZE Z (LENGTH X)) (LESSP N (LENGTH X)) (LISTP Z) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS Z) (DIFFERENCE (LENGTH X) N))))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z (EXP 2 N) (LENGTH X)) 0))). But this finally simplifies, rewriting with the lemma ALL-ZEROS-XOR-BVS-FIRSTN, to: T. Case 5.6. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))), which again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and FIRSTN-NOOP, and opening up EQUAL, LESSP, EXP, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: T. Case 5.5. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). This again simplifies, using linear arithmetic, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, ALL-ZEROS-XOR-BV, and ADD1-EQUAL, and opening up the functions EQUAL, LESSP, EXP, and NUMBERP, to the new goal: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 1)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 0))), which again simplifies, expanding the function EQUAL, to: (IMPLIES (AND (LISTP STATE) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 0))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE). We must thus prove: (IMPLIES (AND (BVP X) (GOOD-STATE-OF-SIZE Z (LENGTH X)) (LISTP X) (LISTP Z) (EQUAL X (XOR-BVS Z)) (NOT (ALL-ZEROS X))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH X)) 0))). But this further simplifies, appealing to the lemmas BVP-XOR-BVS, GOOD-STATE-OF-SIZE-LENGTH-XOR-BVS, EQUAL-LENGTH-0, LISTP-XOR-BVS, and LENGTH-XOR-BVS, and expanding the definitions of EQUAL and LESSP, to the goal: (IMPLIES (AND (GOOD-STATE-OF-SIZE Z (LENGTH (CAR Z))) (LISTP (CAR Z)) (LISTP Z) (NOT (ALL-ZEROS (XOR-BVS Z)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0))). However this finally simplifies, applying the lemma ALL-ZEROS-XOR-BVS, to: T. Case 5.4. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))), which again simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and expanding the definitions of EQUAL, LESSP, EXP, LENGTH, BVP, and NUMBERP, to: T. Case 5.3. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). But this again simplifies, using linear arithmetic, appealing to the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, EXP-ZERO, and FIRSTN-NOOP, and opening up the definitions of EQUAL, LESSP, ZEROP, NUMBER-WITH-AT-LEAST, GOOD-STATE-OF-SIZE, and LISTP, to: T. Case 5.2. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))), which again simplifies, using linear arithmetic, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, EXP-ZERO, FIRSTN-NOOP, LENGTH-XOR-BVS, FIRSTN-XOR-BV, BVP-XOR-BVS, ALL-ZEROS-XOR-BV, and ADD1-EQUAL, and expanding EQUAL, LESSP, ZEROP, and NUMBERP, to the goal: (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 1)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 0))). This again simplifies, opening up the function EQUAL, to: (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CAR STATE)) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 0))). Appealing to the lemma CAR-CDR-ELIM, we now replace STATE by (CONS X Z) to eliminate (CAR STATE) and (CDR STATE). We must thus prove: (IMPLIES (AND (NOT (NUMBERP N)) (BVP X) (GOOD-STATE-OF-SIZE Z (LENGTH X)) (LISTP X) (LISTP Z) (EQUAL X (XOR-BVS Z)) (NOT (ALL-ZEROS X))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH X)) 0))). However this further simplifies, applying BVP-XOR-BVS, GOOD-STATE-OF-SIZE-LENGTH-XOR-BVS, EQUAL-LENGTH-0, LISTP-XOR-BVS, and LENGTH-XOR-BVS, and expanding EQUAL and LESSP, to the new conjecture: (IMPLIES (AND (NOT (NUMBERP N)) (GOOD-STATE-OF-SIZE Z (LENGTH (CAR Z))) (LISTP (CAR Z)) (LISTP Z) (NOT (ALL-ZEROS (XOR-BVS Z)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST Z 1 (LENGTH (CAR Z))) 0))), which finally simplifies, rewriting with ALL-ZEROS-XOR-BVS, to: T. Case 5.1. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))). However this again simplifies, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and expanding the functions EQUAL, LESSP, ZEROP, LENGTH, BVP, and NUMBERP, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). This simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and EQUAL-LENGTH-0, and unfolding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, and GOOD-STATE-OF-SIZE, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))), which simplifies, appealing to the lemmas TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, BVP-FIX-XOR-BV-IDENTITY, ALL-ZEROS-FIRSTN-DIFFERENCE, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and unfolding the functions TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, XOR-BVS, NUMBER-WITH-AT-LEAST, LESSP, DIFFERENCE, ADD1, and ZEROP, to nine new goals: Case 3.9. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1))), which again simplifies, using linear arithmetic, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, ALL-ZEROS-FIRSTN-DIFFERENCE, LENGTH-XOR-BVS, FIRSTN-NOOP, and ALL-ZEROS-XOR-BVS, and expanding TIMES, EQUAL, NUMBERP, SUB1, EXP, and NUMBER-WITH-AT-LEAST, to: T. Case 3.8. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N))))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE)) 1))). But this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and ALL-ZEROS-FIRSTN-DIFFERENCE, and expanding TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 3.7. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE SIZE N)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1))). However this again simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, ALL-ZEROS-FIRSTN-DIFFERENCE, FIRSTN-XOR-BV, LENGTH-XOR-BVS, LENGTH-FIRSTN, BVP-XOR-BVS, BVP-FIRSTN, and ALL-ZEROS-XOR-BV, and expanding TIMES, EQUAL, NUMBERP, SUB1, EXP, and MIN, to: (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE (LENGTH (CAR STATE)) N)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LESSP N (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (EQUAL (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N)) (FIRSTN (XOR-BVS (CDR STATE)) (DIFFERENCE (LENGTH (CAR STATE)) N))) (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE (LENGTH (CAR STATE)) N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) (LENGTH (CAR STATE))) 1))), which again simplifies, trivially, to: T. Case 3.6. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). However this again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and opening up EQUAL and LESSP, to: T. Case 3.5. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). However this again simplifies, applying the lemmas EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and opening up EQUAL and LESSP, to: T. Case 3.4. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))), which again simplifies, using linear arithmetic, applying EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and expanding the definitions of EQUAL and LESSP, to: (IMPLIES (AND (LISTP STATE) (LISTP (CAR STATE)) (NOT (ALL-ZEROS (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 1))), which again simplifies, trivially, to: T. Case 3.3. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). This again simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and opening up the definitions of EQUAL and LESSP, to: T. Case 3.2. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). This again simplifies, rewriting with EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and unfolding the definitions of EQUAL and LESSP, to: T. Case 3.1. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL SIZE 0)) (NUMBERP SIZE) (NOT (ALL-ZEROS (FIRSTN (XOR-BVS (CDR STATE)) SIZE))) (BVP (CAR STATE)) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))). However this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, LENGTH-XOR-BVS, FIRSTN-NOOP, FIRSTN-XOR-BV, BVP-XOR-BVS, and ALL-ZEROS-XOR-BV, and expanding the functions EQUAL and LESSP, to: (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LISTP (CAR STATE)) (NOT (ALL-ZEROS (XOR-BVS (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP (CDR STATE)) (EQUAL (CAR STATE) (XOR-BVS (CDR STATE))) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 (LENGTH (CAR STATE))) 1))), which again simplifies, clearly, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))). This simplifies, applying TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, EQUAL-LENGTH-0, BVP-FIX-XOR-BV-IDENTITY, ALL-ZEROS-FIRSTN-DIFFERENCE, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and unfolding the definitions of TIMES, EQUAL, NUMBERP, SUB1, EXP, GOOD-STATE-OF-SIZE, XOR-BVS, NUMBER-WITH-AT-LEAST, LESSP, DIFFERENCE, ADD1, and ZEROP, to seven new goals: Case 2.7. (IMPLIES (AND (LISTP STATE) (NOT (EQUAL N 0)) (NUMBERP N) (LESSP-BV (CAR STATE) (NAT-TO-BV (EXP 2 N) SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LESSP N SIZE) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) (DIFFERENCE SIZE N))) (NOT (ALL-ZEROS (FIRSTN (CAR STATE) (DIFFERENCE SIZE N))))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE)) 1))), which again simplifies, rewriting with TIMES-1-ARG1, ADD1-SUB1, PLUS-EXP-2-X-EXP-2-X, and ALL-ZEROS-FIRSTN-DIFFERENCE, and opening up the functions TIMES, EQUAL, NUMBERP, SUB1, and EXP, to: T. Case 2.6. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). This again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and expanding the functions EQUAL and LESSP, to: T. Case 2.5. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). However this again simplifies, rewriting with the lemmas EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and unfolding the definitions of EQUAL and LESSP, to: T. Case 2.4. (IMPLIES (AND (LISTP STATE) (EQUAL N 0) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))), which again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and expanding the functions EQUAL, LESSP, and EXP, to: T. Case 2.3. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (NOT (LISTP (CDR STATE))) (ALL-ZEROS (FIRSTN (CAR STATE) SIZE))) (ALL-ZEROS (CAR STATE))). However this again simplifies, applying EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and expanding the definitions of EQUAL and LESSP, to: T. Case 2.2. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (NOT (ALL-ZEROS (CAR STATE)))) (NOT (EQUAL (ADD1 (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE)) 1))). But this again simplifies, applying the lemmas EQUAL-LENGTH-0 and LESSP-BV-NAT-TO-BV-1, and opening up the definitions of EQUAL and LESSP, to: T. Case 2.1. (IMPLIES (AND (LISTP STATE) (NOT (NUMBERP N)) (LESSP-BV (CAR STATE) (NAT-TO-BV 1 SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) (EXP 2 N) SIZE) 1)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (EQUAL SIZE 0)) (LISTP (CDR STATE)) (ALL-ZEROS (FIRSTN (XOR-BV (CAR STATE) (XOR-BVS (CDR STATE))) SIZE)) (ALL-ZEROS (CAR STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) 1 SIZE) 1))), which again simplifies, rewriting with the lemmas EQUAL-LENGTH-0, LESSP-BV-NAT-TO-BV-1, and EXP-ZERO, and expanding the definitions of EQUAL, LESSP, and ZEROP, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP N SIZE) (ALL-ZEROS (FIRSTN (XOR-BVS STATE) (DIFFERENCE SIZE N)))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE (EXP 2 N) SIZE) 1))), which simplifies, using linear arithmetic, rewriting with FIRSTN-NOOP, TIMES-1-ARG1, ADD1-SUB1, and PLUS-EXP-2-X-EXP-2-X, and opening up the functions GOOD-STATE-OF-SIZE, XOR-BVS, LENGTH, ALL-ZEROS, TIMES, EQUAL, NUMBERP, SUB1, EXP, LISTP, and NUMBER-WITH-AT-LEAST, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 6.8 0.2 ] NUMBER-WITH-AT-LEAST-EXP-2 (PROVE-LEMMA NUMBER-WITH-AT-LEAST-2 (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP 1 SIZE) (ALL-ZEROS (XOR-BVS STATE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST STATE 2 SIZE) 1))) ((USE (NUMBER-WITH-AT-LEAST-EXP-2 (N 1))))) This formula simplifies, rewriting with DIFFERENCE-ADD1-ARG2 and ALL-ZEROS-IF-FIRSTN-ZEROS, and unfolding EQUAL, LESSP, DIFFERENCE, AND, EXP, NOT, and IMPLIES, to: T. Q.E.D. [ 0.0 0.0 0.0 ] NUMBER-WITH-AT-LEAST-2 (PROVE-LEMMA LESSP-BV-ALL-ZEROS (REWRITE) (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (AND (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y))) (NOT (LESSP-BV Y X))))) WARNING: Note that the proposed lemma LESSP-BV-ALL-ZEROS is to be stored as zero type prescription rules, zero compound recognizer rules, zero linear rules, and two replacement rules. This simplifies, opening up NOT and AND, to the following three new goals: Case 3. (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y) (NOT (ALL-ZEROS Y))) (EQUAL (LESSP-BV X Y) T)). This again simplifies, clearly, to: (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y) (NOT (ALL-ZEROS Y))) (LESSP-BV X Y)), which we will name *1. Case 2. (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y) (ALL-ZEROS Y)) (EQUAL (LESSP-BV X Y) F)). This again simplifies, trivially, to: (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y) (ALL-ZEROS Y)) (NOT (LESSP-BV X Y))), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (AND (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))) (IMPLIES (AND (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X)))), named *1. Let us appeal to the induction principle. 15 inductions are suggested by terms in the conjecture. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR Y) (CDR X))) (p Y X)) (IMPLIES (NOT (LISTP X)) (p Y X))). Linear arithmetic and the lemma CDR-LESSP can be used to prove that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instance chosen for Y. The above induction scheme produces the following 12 new formulas: Case 12.(IMPLIES (AND (LISTP X) (NOT (ALL-ZEROS (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))). This simplifies, opening up ALL-ZEROS, to: T. Case 11.(IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))). This simplifies, opening up the functions ALL-ZEROS, LENGTH, BVP, BITP, LISTP, LESSP-BV, NOT, EQUAL, and LESSP, to the following two new formulas: Case 11.2. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (ALL-ZEROS (CDR X)) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y)) (NOT (ALL-ZEROS (CDR Y)))) (EQUAL (LESSP-BV (CDR X) (CDR Y)) T)). However this again simplifies, using linear arithmetic, to: T. Case 11.1. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (ALL-ZEROS (CDR X)) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y)) (ALL-ZEROS (CDR Y))) (EQUAL (LESSP-BV (CDR X) (CDR Y)) F)), which again simplifies, using linear arithmetic, to: T. Case 10.(IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))), which simplifies, opening up the functions ALL-ZEROS, LENGTH, BVP, and BITP, to: T. Case 9. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR Y))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))), which simplifies, expanding the functions ALL-ZEROS, LENGTH, BVP, BITP, LISTP, LESSP-BV, NOT, and EQUAL, to: T. Case 8. (IMPLIES (AND (LISTP X) (EQUAL (LESSP-BV (CDR X) (CDR Y)) (NOT (ALL-ZEROS (CDR Y)))) (NOT (LESSP-BV (CDR Y) (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))), which simplifies, opening up NOT, ALL-ZEROS, LENGTH, BVP, BITP, LISTP, LESSP-BV, EQUAL, and LESSP, to: T. Case 7. (IMPLIES (AND (NOT (LISTP X)) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (EQUAL (LESSP-BV X Y) (NOT (ALL-ZEROS Y)))), which simplifies, expanding the definitions of ALL-ZEROS, LENGTH, BVP, BITP, LESSP-BV, NOT, EQUAL, and LISTP, to two new formulas: Case 7.2. (IMPLIES (AND (NOT (LISTP X)) (EQUAL 0 (ADD1 (LENGTH (CDR Y)))) (EQUAL X NIL) (LISTP Y) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (ALL-ZEROS (CDR Y))), which again simplifies, using linear arithmetic, to: T. Case 7.1. (IMPLIES (AND (NOT (LISTP X)) (EQUAL 0 (ADD1 (LENGTH (CDR Y)))) (EQUAL X NIL) (LISTP Y) (EQUAL (CAR Y) 1)) (NOT (BVP (CDR Y)))), which again simplifies, using linear arithmetic, to: T. Case 6. (IMPLIES (AND (LISTP X) (NOT (ALL-ZEROS (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, expanding ALL-ZEROS, to: T. Case 5. (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, opening up the functions ALL-ZEROS, LENGTH, BVP, BITP, LISTP, LESSP-BV, LESSP, and EQUAL, to: (IMPLIES (AND (LISTP X) (NOT (EQUAL (LENGTH (CDR X)) (LENGTH (CDR Y)))) (EQUAL (CAR X) 0) (ALL-ZEROS (CDR X)) (LISTP Y) (EQUAL (ADD1 (LENGTH (CDR X))) (ADD1 (LENGTH (CDR Y)))) (BVP (CDR X)) (EQUAL (CAR Y) 0) (BVP (CDR Y))) (NOT (LESSP-BV (CDR Y) (CDR X)))). However this again simplifies, using linear arithmetic, to: T. Case 4. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, expanding the definitions of ALL-ZEROS, LENGTH, BVP, and BITP, to: T. Case 3. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR Y))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, expanding ALL-ZEROS, LENGTH, BVP, BITP, LISTP, and LESSP-BV, to: T. Case 2. (IMPLIES (AND (LISTP X) (EQUAL (LESSP-BV (CDR X) (CDR Y)) (NOT (ALL-ZEROS (CDR Y)))) (NOT (LESSP-BV (CDR Y) (CDR X))) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, unfolding NOT, ALL-ZEROS, LENGTH, BVP, BITP, LISTP, LESSP-BV, LESSP, and EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (LISTP X)) (ALL-ZEROS X) (EQUAL (LENGTH X) (LENGTH Y)) (BVP X) (BVP Y)) (NOT (LESSP-BV Y X))), which simplifies, opening up the functions ALL-ZEROS, LENGTH, BVP, BITP, LESSP-BV, and LISTP, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.1 ] LESSP-BV-ALL-ZEROS (PROVE-LEMMA NUMBER-WITH-AT-LEAST-MEANS-GET (REWRITE) (IMPLIES (AND (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (EQUAL (LESSP (BV-TO-NAT (GET Z STATE)) N) T))) WARNING: Note that NUMBER-WITH-AT-LEAST-MEANS-GET contains the free variable SIZE which will be chosen by instantiating the hypothesis: (GOOD-STATE-OF-SIZE STATE SIZE). Give the conjecture the name *1. Perhaps we can prove it by induction. Six inductions are suggested by terms in the conjecture. They merge into two likely candidate inductions. However, only one is unflawed. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (p (SUB1 Z) (CDR STATE) N SIZE)) (p Z STATE N SIZE)) (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (p (SUB1 Z) (CDR STATE) N SIZE)) (p Z STATE N SIZE)) (IMPLIES (NOT (LISTP STATE)) (p Z STATE N SIZE))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT STATE) decreases according to the well-founded relation LESSP in each induction step of the scheme. Note, however, the inductive instances chosen for Z. The above induction scheme generates the following nine new goals: Case 9. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)). This simplifies, rewriting with LESSP-LENGTH and EQUAL-LENGTH-0, and expanding GOOD-STATE-OF-SIZE, to: T. Case 8. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, applying LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, and LESSP-BV-ALL-ZEROS, and opening up the functions GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, NAT-TO-BV, BVP, and ALL-ZEROS, to the following four new goals: Case 8.4. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). But this again simplifies, using linear arithmetic, to: T. Case 8.3. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 8.2. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 8.1. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 7. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, rewriting with LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, and LESSP-BV-ALL-ZEROS, and opening up the functions GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, NAT-TO-BV, BVP, and ALL-ZEROS, to the following four new goals: Case 7.4. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). This again simplifies, using linear arithmetic, to: T. Case 7.3. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 7.2. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 7.1. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 6. (IMPLIES (AND (LISTP STATE) (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, applying LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, EXP-ZERO, NAT-TO-BV-IS-ALL-ONES, and LESSP-BV-ALL-ZEROS, and expanding the definitions of GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, ZEROP, ALL-ONES, BVP, and ALL-ZEROS, to the following four new conjectures: Case 6.4. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). However this again simplifies, using linear arithmetic, to: T. Case 6.3. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 6.2. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 6.1. (IMPLIES (AND (NOT (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE))) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 5. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (GOOD-STATE-OF-SIZE (CDR STATE) SIZE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, appealing to the lemmas LESSP-LENGTH and EQUAL-LENGTH-0, and opening up the definition of GOOD-STATE-OF-SIZE, to: T. Case 4. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, applying LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, and LESSP-BV-ALL-ZEROS, and unfolding GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, NAT-TO-BV, BVP, and ALL-ZEROS, to the following seven new goals: Case 4.7. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). But this again simplifies, using linear arithmetic, to: T. Case 4.6. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 4.5. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP Z (ADD1 (LENGTH (CDR STATE)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (LESSP Z 1)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which again simplifies, rewriting with SUB1-ADD1, and opening up the definitions of LESSP, EQUAL, GET, and NUMBERP, to the following two new goals: Case 4.5.2. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH (CAR STATE)))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP STATE) (EQUAL Z 0) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH (CAR STATE))) 0)) (LESSP (BV-TO-NAT (CAR STATE)) N)). But this again simplifies, using linear arithmetic, applying the lemmas LESSP-BV-LENGTH and LESSP-BV-NAT-TO-BV, and opening up the function FIX, to: T. Case 4.5.1. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N (LENGTH (CAR STATE)))) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (GOOD-STATE-OF-SIZE (CDR STATE) (LENGTH (CAR STATE))) (LISTP STATE) (NOT (NUMBERP Z)) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N (LENGTH (CAR STATE))) 0)) (LESSP (BV-TO-NAT (CAR STATE)) N)), which again simplifies, using linear arithmetic, rewriting with LESSP-BV-LENGTH and LESSP-BV-NAT-TO-BV, and unfolding FIX, to: T. Case 4.4. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP Z (ADD1 (LENGTH (CDR STATE)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (NOT (LESSP Z 1))) (NOT (EQUAL N 0))). This again simplifies, using linear arithmetic, to: T. Case 4.3. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP Z (ADD1 (LENGTH (CDR STATE)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (NOT (LESSP Z 1))) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 4.2. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 4.1. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (LESSP (SUB1 Z) (LENGTH (CDR STATE)))) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 3. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, rewriting with LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, and LESSP-BV-ALL-ZEROS, and expanding the definitions of GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, NAT-TO-BV, BVP, and ALL-ZEROS, to the following four new goals: Case 3.4. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). However this again simplifies, using linear arithmetic, to: T. Case 3.3. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 3.2. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 3.1. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (NOT (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0)) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (LISTP STATE) (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, using linear arithmetic, appealing to the lemmas LESSP-LENGTH, EQUAL-LENGTH-0, GET-OF-BAD-PLACE, EXP-ZERO, NAT-TO-BV-IS-ALL-ONES, and LESSP-BV-ALL-ZEROS, and expanding GOOD-STATE-OF-SIZE, LENGTH, NUMBER-WITH-AT-LEAST, EQUAL, BV-TO-NAT, LESSP, GET, ZEROP, ALL-ONES, BVP, and ALL-ZEROS, to six new goals: Case 2.6. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))), which again simplifies, using linear arithmetic, to: T. Case 2.5. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 2.4. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP Z (ADD1 (LENGTH (CDR STATE)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (NOT (NUMBERP Z))) (LESSP (BV-TO-NAT (CAR STATE)) N)), which again simplifies, using linear arithmetic, applying the lemmas LESSP-BV-LENGTH and LESSP-BV-NAT-TO-BV, and opening up FIX, to: T. Case 2.3. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NUMBERP SIZE) (EQUAL (LENGTH (CAR STATE)) SIZE) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (LISTP STATE) (LESSP Z (ADD1 (LENGTH (CDR STATE)))) (EQUAL (NUMBER-WITH-AT-LEAST (CDR STATE) N SIZE) 0) (EQUAL Z 0)) (LESSP (BV-TO-NAT (CAR STATE)) N)), which again simplifies, using linear arithmetic, applying LESSP-BV-LENGTH and LESSP-BV-NAT-TO-BV, and unfolding the definition of FIX, to: T. Case 2.2. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NOT (EQUAL N 0))). However this again simplifies, using linear arithmetic, to: T. Case 2.1. (IMPLIES (AND (LESSP-BV (CAR STATE) (NAT-TO-BV N SIZE)) (LESSP (BV-TO-NAT (GET (SUB1 Z) (CDR STATE))) N) (BVP (CAR STATE)) (NOT (NUMBERP SIZE)) (NOT (LISTP (CAR STATE))) (GOOD-STATE-OF-SIZE (CDR STATE) SIZE) (NOT (LISTP STATE)) (LESSP Z 0)) (NUMBERP N)), which again simplifies, using linear arithmetic, to: T. Case 1. (IMPLIES (AND (NOT (LISTP STATE)) (GOOD-STATE-OF-SIZE STATE SIZE) (LESSP Z (LENGTH STATE)) (EQUAL (NUMBER-WITH-AT-LEAST STATE N SIZE) 0)) (LESSP (BV-TO-NAT (GET Z STATE)) N)), which simplifies, appealing to the lemma LESSP-LENGTH, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 1.8 0.1 ] NUMBER-WITH-AT-LEAST-MEANS-GET (PROVE-LEMMA REMAINDER-SUB1-HACK (REWRITE) (IMPLIES (EQUAL (REMAINDER X Y) P) (EQUAL (REMAINDER (SUB1 X) Y) (IF (ZEROP X) 0 (IF (ZEROP P) (SUB1 Y) (SUB1 P)))))) WARNING: Note that REMAINDER-SUB1-HACK contains the free variable P which will be chosen by instantiating the hypothesis (EQUAL (REMAINDER X Y) P). This simplifies, unfolding the definition of ZEROP, to the following four new conjectures: Case 4. (IMPLIES (NOT (NUMBERP X)) (EQUAL (REMAINDER (SUB1 X) Y) 0)). But this again simplifies, applying SUB1-NNUMBERP, and unfolding the functions LESSP, EQUAL, NUMBERP, and REMAINDER, to: T. Case 3. (IMPLIES (EQUAL X 0) (EQUAL (REMAINDER (SUB1 X) Y) 0)). However this again simplifies, expanding SUB1, LESSP, EQUAL, NUMBERP, and REMAINDER, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (REMAINDER X Y) 0)) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 Y))). Applying the lemma REMAINDER-QUOTIENT-ELIM, replace X by (PLUS Z (TIMES Y V)) to eliminate (REMAINDER X Y) and (QUOTIENT X Y). We employ LESSP-REMAINDER, the type restriction lemma noted when REMAINDER was introduced, and the type restriction lemma noted when QUOTIENT was introduced to restrict the new variables. We would thus like to prove the following three new goals: Case 2.3. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (REMAINDER X Y) 0)) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 Y))). This further simplifies, applying REMAINDER-ZERO, and unfolding ZEROP, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (REMAINDER X Y) 0)) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 Y))). This further simplifies, rewriting with REMAINDER-ZERO, and unfolding the definition of ZEROP, to: T. Case 2.1. (IMPLIES (AND (NUMBERP Z) (EQUAL (LESSP Z Y) (NOT (ZEROP Y))) (NUMBERP V) (NUMBERP Y) (NOT (EQUAL Y 0)) (NOT (EQUAL (PLUS Z (TIMES Y V)) 0)) (EQUAL Z 0)) (EQUAL (REMAINDER (SUB1 (PLUS Z (TIMES Y V))) Y) (SUB1 Y))). However this further simplifies, rewriting with the lemmas COMMUTATIVITY-OF-TIMES and EQUAL-TIMES-0, and unfolding NUMBERP, EQUAL, LESSP, ZEROP, NOT, and PLUS, to: (IMPLIES (AND (NUMBERP V) (NUMBERP Y) (NOT (EQUAL Y 0)) (NOT (EQUAL V 0))) (EQUAL (REMAINDER (SUB1 (TIMES V Y)) Y) (SUB1 Y))). Appealing to the lemma SUB1-ELIM, we now replace Y by (ADD1 Z) to eliminate (SUB1 Y). We use the type restriction lemma noted when SUB1 was introduced to constrain the new variable. This generates: (IMPLIES (AND (NUMBERP Z) (NUMBERP V) (NOT (EQUAL (ADD1 Z) 0)) (NOT (EQUAL V 0))) (EQUAL (REMAINDER (SUB1 (TIMES V (ADD1 Z))) (ADD1 Z)) Z)). This further simplifies, applying TIMES-ADD1, to the new formula: (IMPLIES (AND (NUMBERP Z) (NUMBERP V) (NOT (EQUAL V 0))) (EQUAL (REMAINDER (SUB1 (PLUS V (TIMES V Z))) (ADD1 Z)) Z)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (EQUAL (REMAINDER X Y) P) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P))))), named *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP Y) (p X Y P)) (IMPLIES (AND (NOT (ZEROP Y)) (LESSP X Y)) (p X Y P)) (IMPLIES (AND (NOT (ZEROP Y)) (NOT (LESSP X Y)) (p (DIFFERENCE X Y) Y P)) (p X Y P))). Linear arithmetic, the lemmas COUNT-NUMBERP and COUNT-NOT-LESSP, and the definition of ZEROP establish that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme generates four new conjectures: Case 4. (IMPLIES (AND (ZEROP Y) (EQUAL (REMAINDER X Y) P)) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P))))), which simplifies, rewriting with the lemmas REMAINDER-ZERO and SUB1-NNUMBERP, and expanding ZEROP and SUB1, to four new formulas: Case 4.4. (IMPLIES (AND (EQUAL Y 0) (NOT (NUMBERP X))) (EQUAL (SUB1 X) 0)), which again simplifies, rewriting with SUB1-NNUMBERP, and unfolding the definition of EQUAL, to: T. Case 4.3. (IMPLIES (AND (EQUAL Y 0) (EQUAL X 0)) (EQUAL (SUB1 X) 0)). But this again simplifies, unfolding SUB1 and EQUAL, to: T. Case 4.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (NUMBERP X))) (EQUAL (SUB1 X) 0)), which again simplifies, applying SUB1-NNUMBERP, and expanding the definition of EQUAL, to: T. Case 4.1. (IMPLIES (AND (NOT (NUMBERP Y)) (EQUAL X 0)) (EQUAL (SUB1 X) 0)). But this again simplifies, opening up the definitions of SUB1 and EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (ZEROP Y)) (LESSP X Y) (EQUAL (REMAINDER X Y) P)) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P))))), which simplifies, using linear arithmetic, applying REMAINDER-NOOP and SUB1-NNUMBERP, and opening up the definitions of ZEROP, LESSP, SUB1, NUMBERP, and EQUAL, to the following three new conjectures: Case 3.3. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP (SUB1 X) (SUB1 Y)) (LESSP X 1)) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP (REMAINDER X Y)) (SUB1 Y)) (T (SUB1 (REMAINDER X Y)))))). This again simplifies, using linear arithmetic, rewriting with REMAINDER-NOOP and SUB1-NNUMBERP, and opening up SUB1, NUMBERP, EQUAL, LESSP, and ZEROP, to: T. Case 3.2. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP (SUB1 X) (SUB1 Y)) (NOT (LESSP X 1)) (NOT (NUMBERP X))) (EQUAL (SUB1 X) 0)). This again simplifies, rewriting with SUB1-NNUMBERP and EQUAL-SUB1-0, and expanding EQUAL, LESSP, and NUMBERP, to: T. Case 3.1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (LESSP (SUB1 X) (SUB1 Y)) (NOT (LESSP X 1)) (EQUAL X 0)) (EQUAL (SUB1 X) 0)). This again simplifies, using linear arithmetic, to: T. Case 2. (IMPLIES (AND (NOT (ZEROP Y)) (NOT (LESSP X Y)) (NOT (EQUAL (REMAINDER (DIFFERENCE X Y) Y) P)) (EQUAL (REMAINDER X Y) P)) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P))))), which simplifies, opening up ZEROP, LESSP, and REMAINDER, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP Y)) (NOT (LESSP X Y)) (EQUAL (REMAINDER (SUB1 (DIFFERENCE X Y)) Y) (COND ((ZEROP (DIFFERENCE X Y)) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P)))) (EQUAL (REMAINDER X Y) P)) (EQUAL (REMAINDER (SUB1 X) Y) (COND ((ZEROP X) 0) ((ZEROP P) (SUB1 Y)) (T (SUB1 P))))), which simplifies, rewriting with DIFFERENCE-SUB1-ARG2 and REMAINDER-NOOP, and opening up the functions ZEROP, LESSP, DIFFERENCE, and REMAINDER, to the following six new conjectures: Case 1.6. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (LESSP (SUB1 X) Y) (EQUAL (REMAINDER (SUB1 0) Y) 0) (NOT (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0))) (EQUAL (SUB1 X) (SUB1 (REMAINDER (DIFFERENCE X Y) Y)))). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 X))) (LESSP (SUB1 X) X) (EQUAL (REMAINDER (SUB1 0) X) 0) (NOT (EQUAL (REMAINDER (DIFFERENCE X X) X) 0))) (EQUAL (SUB1 X) (SUB1 (REMAINDER (DIFFERENCE X X) X)))). However this again simplifies, rewriting with REMAINDER-NOOP and DIFFERENCE-X-X, and unfolding the definitions of SUB1, LESSP, EQUAL, and NUMBERP, to: T. Case 1.5. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (LESSP (SUB1 X) Y) (EQUAL (REMAINDER (SUB1 0) Y) 0) (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0)) (EQUAL (SUB1 X) (SUB1 Y))). But this again simplifies, using linear arithmetic, to: T. Case 1.4. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (NOT (LESSP (SUB1 X) Y)) (NOT (EQUAL (ADD1 (DIFFERENCE (SUB1 X) Y)) 0)) (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0) (EQUAL (REMAINDER (SUB1 (ADD1 (DIFFERENCE (SUB1 X) Y))) Y) (SUB1 Y))) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 Y))), which again simplifies, rewriting with the lemma SUB1-ADD1, and expanding the definition of REMAINDER, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (NOT (LESSP (SUB1 X) Y)) (NOT (EQUAL (ADD1 (DIFFERENCE (SUB1 X) Y)) 0)) (NOT (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0)) (EQUAL (REMAINDER (SUB1 (ADD1 (DIFFERENCE (SUB1 X) Y))) Y) (SUB1 (REMAINDER (DIFFERENCE X Y) Y)))) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 (REMAINDER (DIFFERENCE X Y) Y)))), which again simplifies, rewriting with SUB1-ADD1, to: (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (NOT (LESSP (SUB1 X) Y)) (NOT (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0)) (EQUAL (REMAINDER (DIFFERENCE (SUB1 X) Y) Y) (SUB1 (REMAINDER (DIFFERENCE X Y) Y)))) (EQUAL (REMAINDER (SUB1 X) Y) (REMAINDER (DIFFERENCE (SUB1 X) Y) Y))), which again simplifies, expanding the function REMAINDER, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (NOT (LESSP (SUB1 X) Y)) (EQUAL (ADD1 (DIFFERENCE (SUB1 X) Y)) 0) (EQUAL (REMAINDER (SUB1 (ADD1 (DIFFERENCE (SUB1 X) Y))) Y) 0) (NOT (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0))) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 (REMAINDER (DIFFERENCE X Y) Y)))), which again simplifies, using linear arithmetic, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL X 0)) (NUMBERP X) (NOT (LESSP (SUB1 X) (SUB1 Y))) (NOT (LESSP (SUB1 X) Y)) (EQUAL (ADD1 (DIFFERENCE (SUB1 X) Y)) 0) (EQUAL (REMAINDER (SUB1 (ADD1 (DIFFERENCE (SUB1 X) Y))) Y) 0) (EQUAL (REMAINDER (DIFFERENCE X Y) Y) 0)) (EQUAL (REMAINDER (SUB1 X) Y) (SUB1 Y))), which again simplifies, using linear arithmetic, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.9 0.0 ] REMAINDER-SUB1-HACK (PROVE-LEMMA EQUAL-TIMES-X (REWRITE) (EQUAL (EQUAL (TIMES Y X) X) (OR (EQUAL X 0) (AND (NUMBERP X) (EQUAL Y 1))))) WARNING: the previously added lemma, EQUAL-TIMES-X-X, could be applied whenever the newly proposed EQUAL-TIMES-X could! This conjecture simplifies, applying COMMUTATIVITY-OF-TIMES and EQUAL-TIMES-X-X, and opening up the definitions of AND and OR, to four new formulas: Case 4. (IMPLIES (AND (EQUAL X 0) (NOT (EQUAL Y 1))) (EQUAL (EQUAL X 0) T)), which again simplifies, expanding the function EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL Y 1))) (EQUAL (EQUAL X 0) (EQUAL Y 1))), which again simplifies, trivially, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL Y 1)) (EQUAL T (EQUAL Y 1))). However this again simplifies, unfolding EQUAL, to: T. Case 1. (IMPLIES (EQUAL X 0) (NUMBERP X)), which again simplifies, trivially, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-TIMES-X (PROVE-LEMMA EQUAL-TIMES-X-2 (REWRITE) (EQUAL (EQUAL (TIMES X Y) X) (OR (EQUAL X 0) (AND (NUMBERP X) (EQUAL Y 1))))) WARNING: the previously added lemma, EQUAL-TIMES-X-X, could be applied whenever the newly proposed EQUAL-TIMES-X-2 could! This conjecture simplifies, applying EQUAL-TIMES-X-X, and opening up the definitions of AND and OR, to four new formulas: Case 4. (IMPLIES (AND (EQUAL X 0) (NOT (EQUAL Y 1))) (EQUAL (EQUAL X 0) T)), which again simplifies, expanding the function EQUAL, to: T. Case 3. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (NOT (EQUAL Y 1))) (EQUAL (EQUAL X 0) (EQUAL Y 1))), which again simplifies, trivially, to: T. Case 2. (IMPLIES (AND (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL Y 1)) (EQUAL T (EQUAL Y 1))). However this again simplifies, unfolding EQUAL, to: T. Case 1. (IMPLIES (EQUAL X 0) (NUMBERP X)), which again simplifies, trivially, to: T. Q.E.D. [ 0.0 0.0 0.0 ] EQUAL-TIMES-X-2 (PROVE-LEMMA EQUAL-EXP-X-X (REWRITE) (EQUAL (EQUAL (EXP X Y) X) (OR (EQUAL X 1) (AND (EQUAL X 0) (NOT (ZEROP Y))) (AND (NUMBERP X) (EQUAL Y 1))))) This formula simplifies, unfolding the definitions of ZEROP, NOT, AND, and OR, to nine new formulas: Case 9. (IMPLIES (AND (EQUAL (EXP X Y) X) (NOT (EQUAL X 1)) (NOT (EQUAL X 0))) (EQUAL (EQUAL Y 1) T)), which again simplifies, clearly, to: (IMPLIES (AND (EQUAL (EXP X Y) X) (NOT (EQUAL X 1)) (NOT (EQUAL X 0))) (EQUAL Y 1)). We now use the above equality hypothesis by substituting (EXP X Y) for X and keeping the equality hypothesis. The result is: (IMPLIES (AND (EQUAL (EXP X Y) X) (NOT (EQUAL (EXP X Y) 1)) (NOT (EQUAL (EXP X Y) 0))) (EQUAL Y 1)). This further simplifies, clearly, to the new goal: (IMPLIES (AND (EQUAL (EXP X Y) X) (NOT (EQUAL X 1)) (NOT (EQUAL X 0))) (EQUAL Y 1)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (EQUAL (EQUAL (EXP X Y) X) (OR (EQUAL X 1) (AND (EQUAL X 0) (NOT (ZEROP Y))) (AND (NUMBERP X) (EQUAL Y 1)))), named *1. Let us appeal to the induction principle. There is only one suggested induction. We will induct according to the following scheme: (AND (IMPLIES (ZEROP Y) (p X Y)) (IMPLIES (AND (NOT (ZEROP Y)) (p X (SUB1 Y))) (p X Y))). Linear arithmetic, the lemma COUNT-NUMBERP, and the definition of ZEROP inform us that the measure (COUNT Y) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme leads to two new formulas: Case 2. (IMPLIES (ZEROP Y) (EQUAL (EQUAL (EXP X Y) X) (OR (EQUAL X 1) (AND (EQUAL X 0) (NOT (ZEROP Y))) (AND (NUMBERP X) (EQUAL Y 1))))), which simplifies, rewriting with EXP-0-ARG2 and EXP-ZERO, and opening up the functions ZEROP, NOT, AND, EQUAL, and OR, to the following four new goals: Case 2.4. (IMPLIES (AND (EQUAL Y 0) (NOT (EQUAL X 1))) (NOT (EQUAL 1 X))). This again simplifies, trivially, to: T. Case 2.3. (IMPLIES (AND (EQUAL Y 0) (EQUAL X 1)) (EQUAL (EQUAL 1 X) T)). But this again simplifies, opening up the definition of EQUAL, to: T. Case 2.2. (IMPLIES (AND (NOT (NUMBERP Y)) (NOT (EQUAL X 1))) (NOT (EQUAL 1 X))), which again simplifies, clearly, to: T. Case 2.1. (IMPLIES (AND (NOT (NUMBERP Y)) (EQUAL X 1)) (EQUAL (EQUAL 1 X) T)). But this again simplifies, unfolding EQUAL, to: T. Case 1. (IMPLIES (AND (NOT (ZEROP Y)) (EQUAL (EQUAL (EXP X (SUB1 Y)) X) (OR (EQUAL X 1) (AND (EQUAL X 0) (NOT (ZEROP (SUB1 Y)))) (AND (NUMBERP X) (EQUAL (SUB1 Y) 1))))) (EQUAL (EQUAL (EXP X Y) X) (OR (EQUAL X 1) (AND (EQUAL X 0) (NOT (ZEROP Y))) (AND (NUMBERP X) (EQUAL Y 1))))), which simplifies, rewriting with the lemmas EQUAL-SUB1-0, EXP-0-ARG2, TIMES-1-ARG1, COMMUTATIVITY-OF-TIMES, EXP-ADD1, EQUAL-TIMES-X-2, EQUAL-EXP-1, EXP-0-ARG1, and EXP-1-ARG1, and expanding the functions ZEROP, NOT, AND, OR, EQUAL, EXP, NUMBERP, and TIMES, to four new conjectures: Case 1.4. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (EQUAL (EXP X (SUB1 Y)) X) (NOT (EQUAL X 0)) (NUMBERP X) (EQUAL (EQUAL (SUB1 Y) 1) T) (NOT (EQUAL X 1))) (NOT (EQUAL Y 1))), which again simplifies, applying the lemma EXP-0-ARG2, and expanding EQUAL, NUMBERP, and SUB1, to: T. Case 1.3. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL (EXP X (SUB1 Y)) X)) (NOT (EQUAL X 1)) (EQUAL Y 1) (NOT (EQUAL (SUB1 Y) 1)) (NOT (NUMBERP X)) (NOT (EQUAL 0 X))) (NOT (EQUAL X 0))), which again simplifies, trivially, to: T. Case 1.2. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL (EXP X (SUB1 Y)) X)) (NOT (EQUAL X 1)) (EQUAL Y 1) (NOT (EQUAL (SUB1 Y) 1)) (EQUAL 0 X) (NOT (EQUAL X 0))) (EQUAL (NUMBERP X) T)). This again simplifies, obviously, to: T. Case 1.1. (IMPLIES (AND (NOT (EQUAL Y 0)) (NUMBERP Y) (NOT (EQUAL (EXP X (SUB1 Y)) X)) (NOT (EQUAL X 1)) (EQUAL Y 1) (NOT (EQUAL (SUB1 Y) 1)) (NUMBERP X) (NOT (EQUAL X 0))) (EQUAL (NUMBERP X) T)). This again simplifies, trivially, to: T. That finishes the proof of *1. Q.E.D. [ 0.0 0.1 0.0 ] EQUAL-EXP-X-X (PROVE-LEMMA LESSP-BV-2-MEANS (REWRITE) (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X))) (EQUAL (LESSP-BV X (NAT-TO-BV 2 (LENGTH X))) (OR (ALL-ZEROS X) (EQUAL X (NAT-TO-BV 1 (LENGTH X))))))) This simplifies, using linear arithmetic, rewriting with the lemmas LESSP-X-EXP-X-Y, LESSP-LENGTH, EQUAL-LENGTH-0, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, TIMES-1-ARG1, and LESSP-BV-NAT-TO-BV, and expanding the functions LESSP, EXP, SUB1, NUMBERP, EQUAL, TIMES, FIX, and OR, to the following two new conjectures: Case 2. (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X)) (NOT (ALL-ZEROS X))) (EQUAL (LESSP (BV-TO-NAT X) 2) (EQUAL X (NAT-TO-BV 1 (LENGTH X))))). This again simplifies, obviously, to the following two new conjectures: Case 2.2. (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X)) (NOT (ALL-ZEROS X)) (NOT (EQUAL X (NAT-TO-BV 1 (LENGTH X))))) (NOT (LESSP (BV-TO-NAT X) 2))). Give the above formula the name *1. Case 2.1. (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X)) (NOT (ALL-ZEROS X)) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))) (EQUAL (LESSP (BV-TO-NAT X) 2) T)). This again simplifies, obviously, to: (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X)) (NOT (ALL-ZEROS X)) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))) (LESSP (BV-TO-NAT X) 2)). We now use the above equality hypothesis by substituting (NAT-TO-BV 1 (LENGTH X)) for X and keeping the equality hypothesis. The result is: (IMPLIES (AND (BVP (NAT-TO-BV 1 (LENGTH X))) (LESSP 1 (LENGTH (NAT-TO-BV 1 (LENGTH X)))) (NOT (ALL-ZEROS (NAT-TO-BV 1 (LENGTH X)))) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))) (LESSP (BV-TO-NAT (NAT-TO-BV 1 (LENGTH X))) 2)). This further simplifies, obviously, to: (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X)) (NOT (ALL-ZEROS X)) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))) (LESSP (BV-TO-NAT X) 2)), which we would normally push and work on later by induction. But if we must use induction to prove the input conjecture, we prefer to induct on the original formulation of the problem. Thus we will disregard all that we have previously done, give the name *1 to the original input, and work on it. So now let us return to: (IMPLIES (AND (BVP X) (LESSP 1 (LENGTH X))) (EQUAL (LESSP-BV X (NAT-TO-BV 2 (LENGTH X))) (OR (ALL-ZEROS X) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))))), named *1. Let us appeal to the induction principle. There are six plausible inductions. However, they merge into one likely candidate induction. We will induct according to the following scheme: (AND (IMPLIES (AND (LISTP X) (p (CDR X))) (p X)) (IMPLIES (NOT (LISTP X)) (p X))). Linear arithmetic and the lemma CDR-LESSP inform us that the measure (COUNT X) decreases according to the well-founded relation LESSP in each induction step of the scheme. The above induction scheme produces four new goals: Case 4. (IMPLIES (AND (LISTP X) (NOT (BVP (CDR X))) (BVP X) (LESSP 1 (LENGTH X))) (EQUAL (LESSP-BV X (NAT-TO-BV 2 (LENGTH X))) (OR (ALL-ZEROS X) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))))), which simplifies, rewriting with the lemma LESSP-LENGTH, and opening up the definitions of BVP and BITP, to: T. Case 3. (IMPLIES (AND (LISTP X) (NOT (LESSP 1 (LENGTH (CDR X)))) (BVP X) (LESSP 1 (LENGTH X))) (EQUAL (LESSP-BV X (NAT-TO-BV 2 (LENGTH X))) (OR (ALL-ZEROS X) (EQUAL X (NAT-TO-BV 1 (LENGTH X)))))), which simplifies, rewriting with LESSP-LENGTH, EQUAL-LENGTH-0, PLUS-EXP-2-X-EXP-2-X, ADD1-SUB1, TIMES-1-ARG1, SUB1-ADD1, and DIFFERENCE-LEQ-ARG1, and opening up the definitions of BVP, BITP, LENGTH, NAT-TO-BV, LESSP-BV, ALL-ZEROS, OR, EQUAL, EXP, SUB1, NUMBERP, TIMES, DIFFERENCE, and LESSP, to the following 36 new conjectures: Case 3.36. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP 1 0))). But this again simplifies, using linear arithmetic, to: T. Case 3.35. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP 1 1) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (LESSP 2 1)) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 3.34. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X)))))) (LESSP 2 1)) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 3.33. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X)))) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (LESSP 1 (EXP 2 1)) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 1)))) (LESSP 2 (EXP 2 1))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 1))))). But this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-1 and SILLY-LISTP-CDR, and opening up the definitions of LESSP, LENGTH, EXP, NAT-TO-BV, CONS, CAR, and EQUAL, to: T. Case 3.32. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X)))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))))). This again simplifies, using linear arithmetic, to: T. Case 3.31. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (NOT (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 3.30. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP 1 1) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (NOT (LESSP 2 1))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to: T. Case 3.29. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X)))))) (NOT (LESSP 2 1))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 1)))) (NOT (LESSP 2 1))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) 1))))). This again simplifies, applying EQUAL-LENGTH-0 and EQUAL-BIT-1, and unfolding the function BITP, to: T. Case 3.28. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP 1 1) (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (LESSP 2 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))) T)). However this again simplifies, using linear arithmetic, to: T. Case 3.27. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (LESSP 2 1)) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: T. Case 3.26. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X)))) (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (LESSP 1 (EXP 2 1)) (EQUAL X (CONS 0 (NAT-TO-BV 1 1))) (LESSP 2 (EXP 2 1))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 1))) T)). But this again simplifies, opening up the functions NAT-TO-BV, CONS, CDR, LENGTH, EQUAL, LESSP, and CAR, to: T. Case 3.25. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: T. Case 3.24. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0) (EQUAL X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))) (LESSP 2 (EXP 2 (LENGTH (CDR X))))) (EQUAL (LESSP-BV X (CONS 0 (NAT-TO-BV 2 (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: T. Case 3.23. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (LESSP 1 1) (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (NOT (LESSP 2 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: T. Case 3.22. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (NOT (LESSP 2 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (NOT (LISTP (CDR X))) (NOT (LESSP 1 1)) (EQUAL X (CONS 1 (NAT-TO-BV 0 1))) (NOT (LESSP 2 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) 1))) T)). However this again simplifies, opening up the functions NAT-TO-BV, CONS, CDR, LENGTH, EQUAL, LESSP, CAR, BVP, and LISTP, to: T. Case 3.21. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X)))) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to the goal: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 2) (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (LESSP 1 (EXP 2 1)) (NOT (EQUAL X (CONS 0 (NAT-TO-BV 1 1)))) (NOT (LESSP 2 (EXP 2 1)))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 1)) 1))))). However this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-1, SILLY-LISTP-CDR, and LESSP-BV-ALL-ZEROS, and opening up the functions EXP, EQUAL, LESSP, LENGTH, NAT-TO-BV, CONS, CAR, DIFFERENCE, ALL-ZEROS, BVP, CDR, LISTP, and LESSP-BV, to: T. Case 3.20. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X)))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))))). But this again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 1))) (NOT (EQUAL (EXP 2 1) 0)) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 0 1)))) (NOT (LESSP 2 (EXP 2 1)))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 1)) 1))))). However this again simplifies, unfolding EXP and EQUAL, to: T. Case 3.19. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X)))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))))), which again simplifies, using linear arithmetic, to the goal: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (NOT (LESSP 1 0)) (EQUAL (EXP 2 1) 0) (NOT (EQUAL X (CONS 1 (NAT-TO-BV 1 1)))) (NOT (LESSP 2 0))) (NOT (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 0) 1))))). However this again simplifies, using linear arithmetic, rewriting with EQUAL-LENGTH-1 and SILLY-LISTP-CDR, and opening up LESSP, LENGTH, EXP, and EQUAL, to: T. Case 3.18. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (LESSP 1 (EXP 2 (LENGTH (CDR X)))) (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) T)). This again simplifies, using linear arithmetic, to: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 2) (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (LESSP 1 (EXP 2 1)) (EQUAL X (CONS 0 (NAT-TO-BV 1 1))) (NOT (LESSP 2 (EXP 2 1)))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 1)) 1))) T)). This again simplifies, expanding the functions EXP, EQUAL, NAT-TO-BV, CONS, CDR, LENGTH, LESSP, and CAR, to: T. Case 3.17. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (NOT (EQUAL (EXP 2 (LENGTH (CDR X))) 0)) (EQUAL X (CONS 1 (NAT-TO-BV 0 (LENGTH (CDR X))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (EQUAL (EXP 2 (LENGTH (CDR X))) 1) (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 1))) (NOT (EQUAL (EXP 2 1) 0)) (EQUAL X (CONS 1 (NAT-TO-BV 0 1))) (NOT (LESSP 2 (EXP 2 1)))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 1)) 1))) T)). This again simplifies, opening up the definitions of EXP and EQUAL, to: T. Case 3.16. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (LISTP (CDR X)) (NOT (LESSP 1 (EXP 2 (LENGTH (CDR X))))) (EQUAL (EXP 2 (LENGTH (CDR X))) 0) (EQUAL X (CONS 1 (NAT-TO-BV 1 (LENGTH (CDR X))))) (NOT (LESSP 2 (EXP 2 (LENGTH (CDR X)))))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 (EXP 2 (LENGTH (CDR X)))) (LENGTH (CDR X))))) T)), which again simplifies, using linear arithmetic, to the conjecture: (IMPLIES (AND (EQUAL (LENGTH (CDR X)) 1) (NOT (LESSP 1 1)) (EQUAL (CAR X) 1) (BVP (CDR X)) (LISTP X) (LESSP 1 2) (LISTP (CDR X)) (NOT (LESSP 1 0)) (EQUAL (EXP 2 1) 0) (EQUAL X (CONS 1 (NAT-TO-BV 1 1))) (NOT (LESSP 2 0))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 0) 1))) T)). But this again simplifies, expanding the functions NAT-TO-BV, CONS, CDR, LENGTH, EQUAL, LESSP, CAR, BVP, LISTP, and EXP, to: T. Case 3.15. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (NOT (LISTP X))) (NOT (LESSP 1 0))), which again simplifies, using linear arithmetic, to: T. Case 3.14. (IMPLIES (AND (NOT (LESSP 1 (LENGTH (CDR X)))) (EQUAL (CAR X) 0) (BVP (CDR X)) (LISTP X) (LESSP 1 (ADD1 (LENGTH (CDR X)))) (NOT (ALL-ZEROS (CDR X))) (NOT (LISTP (CDR X))) (LESSP 1 1) (NOT (LESSP 2 1))) (EQUAL (LESSP-BV X (CONS 1 (NAT-TO-BV (DIFFERENCE 2 1) (LENGTH (CDR X))))) (EQUAL X (CONS 0 (NAT-TO-BV 1 (LENGTH (CDR X))))))), which again sim