logically equivalent formulas can generate radically different rules

Consider the rewrite rules that would be generated from the three commands below. In all three cases, the fact being stated relates the nth element of the reverse of x to the nth element of x. In fact, the three formulas are simple rearrangements of each other and are all equivalent. The theorem prover treats all three formulas equivalently when proving them. But the rules generated from them are very different.

(defthm nth-rev-1
  (implies (and (natp n)
                (< n (len x)))
           (equal (nth n (rev x))
                  (nth (- (len x) (+ 1 n)) x))))

(defthm nth-rev-2 (implies (and (natp n) (< n (len x))) (equal (nth (- (len x) (+ 1 n)) x) (nth n (rev x)))))

(defthm nth-rev-3 (implies (and (natp n) (not (equal (nth n (rev x)) (nth (- (len x) (+ 1 n)) x)))) (not (< n (len x)))))

Here are the three rewrite rules:

Replace instances of (NTH n (REV x))
by (NTH (- (LEN x) (+ 1 n)) x),
if you can establish that n is a natural number less than the length of x.

Replace instances of (NTH (- (LEN x) (+ 1 n)) x)
by (NTH n (REV x)),
if you can establish that n is a natural number less than the length of x.

Replace instances of (< n (LEN x))
by NIL
if you can establish that n is a natural number and that (NTH n (REV x)) is different from (NTH (- (LEN x) (+ 1 n)) x).

As the driver of ACL2, you have to decide which rule you want when you give the command to prove it.

If you tell the theorem prover to use both nth-rev-1 and nth-rev-2, ACL2 will enter an infinite loop when it sees any term matching either NTH expression.

Most users would choose form nth-rev-1 of the rule. It eliminates rev from the problem -- at the expense of introducing some arithmetic. But arithmetic is so fundamental it is rarely possible to avoid it and it is likely to be in the problem already since you're indexing into (rev x). The nth-rev-2 form of the rule is ``bad'' because it introduces rev into a problem where it might not have appeared. The nth-rev-3 version is ``bad'' because it makes the theorem prover shift its attention from a simple arithmetic inequality to a complicated property of nth and rev, which might not be in the problem.

Use your browser's Back Button now to return to introduction-to-rewrite-rules-part-1.