stirling% v63 Welcome to Clozure Common Lisp Version 1.10-dev-r15960M-trunk (DarwinX8664)! ACL2 Version 6.3 built October 26, 2013 20:56:32. Copyright (C) 2013, Regents of the University of Texas ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the LICENSE file distributed with ACL2. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + WARNING: This is NOT an ACL2 release; it is svn revision 1144. + + The authors of ACL2 consider svn distributions to be experimental; + + they may be incomplete, fragile, and unable to pass our own + + regression. Bug reports should include the following line: + + ACL2 svn revision 1144; community books svn revision 2204 + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*). Experimental modification for HONS, memoization, and applicative hash tables. See the documentation topic note-6-3 for recent changes. Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt. ACL2 Version 6.3. Level 1. Cbd "/Users/moore/". System books directory "/Users/moore/work/v6-3-xdoc/acl2-devel/books/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(include-book "m1-with-stobj") ACL2 Observation in NON-LINEAR-ARITHMETIC: To turn on non-linear arithmetic, execute : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT STABLE-UNDER-SIMPLIFICATIONP HIST PSPV))) or : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT++ ID STABLE-UNDER-SIMPLIFICATIONP HIST NIL))) See the README for more about non-linear arithmetic and general information about using this library. Summary Form: ( INCLUDE-BOOK "m1-with-stobj" ...) Rules: NIL Time: 0.68 seconds (prove: 0.00, print: 0.00, other: 0.68) "/Users/moore/m1-with-stobj.lisp" ACL2 !>(in-package "M1") "M1" M1 !>(set-verify-guards-eagerness 0) 0 M1 !>(set-guard-checking :nowarn) Leaving guard checking on, but changing value to :NOWARN. M1 !>(pe 'execute-ILOAD) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ >L (DEFUN EXECUTE-ILOAD (INST S) (DECLARE (XARGS :STOBJS (S))) (LET* ((S (!STACK (PUSH (LOI (ARG1 INST) S) (STACK S)) S)) (S (!PC (+ 1 (PC S)) S))) S)) M1 !>(pe '!pc) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ >L (DEFUN !PC (V S) (DECLARE (XARGS :STOBJS (S))) (WR :PC V S)) M1 !>(pe 'wr) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ >L d (DEFUN WR (KEY V S) (DECLARE (XARGS :STOBJS (S))) (CASE KEY (:PC (UPDATE-UGLY-PC V S)) (:LOCALS (UPDATE-UGLY-LOCALS V S)) (:STACK (UPDATE-UGLY-STACK V S)) (:PROGRAM (UPDATE-UGLY-PROGRAM V S)) (OTHERWISE S))) M1 !>(pe 'wr-wr-diff) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ > (DEFTHM WR-WR-DIFF (IMPLIES (AND (KEYP KEY1) (KEYP KEY2) (NOT (EQUAL KEY1 KEY2))) (EQUAL (WR KEY1 V1 (WR KEY2 V2 S)) (WR KEY2 V2 (WR KEY1 V1 S)))) :HINTS (("Goal" :IN-THEORY (DISABLE NTH UPDATE-NTH))) :RULE-CLASSES ((:REWRITE :LOOP-STOPPER ((KEY1 KEY2 WR))))) M1 !>(pe 'execute-ISTORE) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ >L (DEFUN EXECUTE-ISTORE (INST S) (DECLARE (XARGS :STOBJS (S))) (LET ((U (TOP (STACK S))) (STACK1 (POP (STACK S)))) (LET* ((S (!STACK STACK1 S)) (S (!LOI (ARG1 INST) U S)) (S (!PC (+ 1 (PC S)) S))) S))) M1 !>(pe 'execute-IADD) d 1 (INCLUDE-BOOK "m1-with-stobj") \ [Included books, outermost to innermost: "/Users/moore/m1-with-stobj.lisp" ] \ >L (DEFUN EXECUTE-IADD (INST S) (DECLARE (XARGS :STOBJS (S)) (IGNORE INST)) (LET ((U (TOP (STACK S))) (V (TOP (POP (STACK S)))) (STACK1 (POP (POP (STACK S))))) (LET* ((S (!STACK (PUSH (+ V U) STACK1) S)) (S (!PC (+ 1 (PC S)) S))) S))) M1 !>(defconst *pi* '((ICONST 0) ; 0 (ISTORE 2) ; 1 a $=$ 0; (ILOAD 0) ; 2 [loop:] (IFEQ 10) ; 3 if x$=$0 then go to end; (ILOAD 0) ; 4 (ICONST 1) ; 5 (ISUB) ; 6 (ISTORE 0) ; 7 x $=$ x-1; (ILOAD 1) ; 8 (ILOAD 2) ; 9 (IADD) ;10 (ISTORE 2) ;11 a $=$ y+a; (GOTO -10) ;12 go to loop (ILOAD 2) ;13 [end:] (HALT) ;14 ``return'' a )) Summary Form: ( DEFCONST *PI* ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) *PI* M1 !>(defun g (x y a) (if (zp x) a (g (- x 1) y (+ y a)))) The admission of G is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of G is described by the theorem (OR (ACL2-NUMBERP (G X Y A)) (EQUAL (G X Y A) A)). We used primitive type reasoning. Summary Form: ( DEFUN G ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) G M1 !>(defun loop-clk (x) (if (zp x) 3 (clk+ 11 (loop-clk (- x 1))))) The admission of LOOP-CLK is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of LOOP-CLK is described by the theorem (AND (INTEGERP (LOOP-CLK X)) (<= 0 (LOOP-CLK X))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN LOOP-CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) LOOP-CLK M1 !>(defun clk (x) (clk+ 2 (loop-clk x))) Since CLK is non-recursive, its admission is trivial. We observe that the type of CLK is described by the theorem (AND (INTEGERP (CLK X)) (<= 0 (CLK X))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) CLK M1 !>(defun test-program (x y s) (declare (xargs :stobjs (s))) (let* ((s (!pc 0 s)) (s (!loi 0 x s)) (s (!loi 1 y s)) (s (!stack nil s)) (s (update-ugly-program *pi* s)) (k (clk x)) (s (m1 s k))) (mv `((:clk ,k) (:haltedp ,(haltedp s)) (:tos ,(top (stack s)))) s))) Since TEST-PROGRAM is non-recursive, its admission is trivial. We observe that the type of TEST-PROGRAM is described by the theorem (AND (CONSP (TEST-PROGRAM X Y S)) (TRUE-LISTP (TEST-PROGRAM X Y S))). We used primitive type reasoning. (TEST-PROGRAM * * S) => (MV * S). Summary Form: ( DEFUN TEST-PROGRAM ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) TEST-PROGRAM M1 !>(test-program 5 7 s) (((:CLK 60) (:HALTEDP T) (:TOS 35)) ) M1 !>(test-program 7 5 s) (((:CLK 82) (:HALTEDP T) (:TOS 35)) ) M1 !>(test-program 700 500 s) (((:CLK 7705) (:HALTEDP T) (:TOS 350000)) ) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defun natp-listp (x) (if (endp x) (equal x nil) (and (natp (car x)) (natp-listp (cdr x))))) The admission of NATP-LISTP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of NATP-LISTP is described by the theorem (OR (EQUAL (NATP-LISTP X) T) (EQUAL (NATP-LISTP X) NIL)). We used primitive type reasoning. Summary Form: ( DEFUN NATP-LISTP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NATP-LISTP M1 !>(defun good-statep (s) (declare (xargs :stobjs (s))) (and (sp s) (natp (rd :pc s)) (natp-listp (rd :locals s)) (<= 3 (len (rd :locals s))) (natp-listp (rd :stack s)) (equal (rd :program s) *pi*))) Since GOOD-STATEP is non-recursive, its admission is trivial. We observe that the type of GOOD-STATEP is described by the theorem (OR (EQUAL (GOOD-STATEP S) T) (EQUAL (GOOD-STATEP S) NIL)). We used primitive type reasoning. (GOOD-STATEP S) => *. Summary Form: ( DEFUN GOOD-STATEP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) GOOD-STATEP M1 !>(thm (implies (good-statep s) (good-statep (m1 s 11)))) Goal' Splitter note (see :DOC splitter) for Goal' (7 subgoals). if-intro: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP)) Subgoal 7 ([ A key checkpoint: Subgoal 7 (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (SP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP S))))))))))))) *1 (Subgoal 7) is pushed for proof by induction. ]) Subgoal 6 ([ A key checkpoint: Subgoal 6 (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (INTEGERP (RD :PC (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP S)))))))))))))) Normally we would attempt to prove Subgoal 6 by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION NATP) (:REWRITE M1-OPENER)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP)) Time: 0.03 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 2354 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoints before reverting to proof by induction: *** Subgoal 7 (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (SP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP S))))))))))))) Subgoal 6 (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (INTEGERP (RD :PC (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP (STEP S)))))))))))))) ACL2 Error in ( THM ...): See :DOC failure. ******** FAILED ******** M1 !>(thm (implies (and (good-statep s) (equal (pc s) 2)) (good-statep (m1 s 11)))) Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH)) Subgoal 2 Subgoal 2' Splitter note (see :DOC splitter) for Subgoal 2' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 2.2 Subgoal 2.2' ([ A key checkpoint: Subgoal 2.2' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (CONSP (RD :LOCALS S)) (EQUAL (CAR (RD :LOCALS S)) 0)) (NATP-LISTP (PUSH (NTH 2 (RD :LOCALS S)) (RD :STACK S)))) *1 (Subgoal 2.2') is pushed for proof by induction. ]) Subgoal 2.1 Splitter note (see :DOC splitter) for Subgoal 2.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:REWRITE ACL2::DEFAULT-PLUS-1)) Subgoal 2.1.2 Subgoal 2.1.2' Splitter note (see :DOC splitter) for Subgoal 2.1.2' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH)) Subgoal 2.1.2.2 Subgoal 2.1.2.2' Splitter note (see :DOC splitter) for Subgoal 2.1.2.2' (4 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2)) Subgoal 2.1.2.2.4 Subgoal 2.1.2.2.4' Subgoal 2.1.2.2.4'' ([ A key checkpoint: Subgoal 2.1.2.2.4'' (IMPLIES (AND (SP S) (INTEGERP (CAR (RD :LOCALS S))) (<= 0 (CAR (RD :LOCALS S))) (NATP-LISTP (CDR (RD :LOCALS S))) (<= 2 (LEN (CDR (RD :LOCALS S)))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (CONSP (RD :LOCALS S)) (NOT (EQUAL (CAR (RD :LOCALS S)) 0)) (ACL2-NUMBERP (CAR (RD :LOCALS S))) (CONSP (CDR (RD :LOCALS S))) (ACL2-NUMBERP (NTH 1 (CDR (RD :LOCALS S)))) (ACL2-NUMBERP (CADR (RD :LOCALS S)))) (NATP-LISTP (UPDATE-NTH 1 (+ (CADR (RD :LOCALS S)) (NTH 1 (CDR (RD :LOCALS S)))) (CDR (RD :LOCALS S))))) Normally we would attempt to prove Subgoal 2.1.2.2.4'' by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION LEN) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-OPENER) (:REWRITE NTH-ADD1) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NTH) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2)) Time: 0.06 seconds (prove: 0.06, print: 0.01, other: 0.00) Prover steps counted: 10691 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoints before reverting to proof by induction: *** Subgoal 2.2' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (CONSP (RD :LOCALS S)) (EQUAL (CAR (RD :LOCALS S)) 0)) (NATP-LISTP (PUSH (NTH 2 (RD :LOCALS S)) (RD :STACK S)))) Subgoal 2.1.2.2.4'' (IMPLIES (AND (SP S) (INTEGERP (CAR (RD :LOCALS S))) (<= 0 (CAR (RD :LOCALS S))) (NATP-LISTP (CDR (RD :LOCALS S))) (<= 2 (LEN (CDR (RD :LOCALS S)))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (CONSP (RD :LOCALS S)) (NOT (EQUAL (CAR (RD :LOCALS S)) 0)) (ACL2-NUMBERP (CAR (RD :LOCALS S))) (CONSP (CDR (RD :LOCALS S))) (ACL2-NUMBERP (NTH 1 (CDR (RD :LOCALS S)))) (ACL2-NUMBERP (CADR (RD :LOCALS S)))) (NATP-LISTP (UPDATE-NTH 1 (+ (CADR (RD :LOCALS S)) (NTH 1 (CDR (RD :LOCALS S)))) (CDR (RD :LOCALS S))))) ACL2 Error in ( THM ...): See :DOC failure. ******** FAILED ******** M1 !>(defthm natp-listp-nth (implies (and (natp-listp x) (natp i) (< i (len x))) (natp (nth i x))) :rule-classes (:rewrite :type-prescription)) ACL2 Observation in ( DEFTHM NATP-LISTP-NTH ...): Our heuristics choose (NTH I X) as the :TYPED-TERM. ACL2 Warning [Non-rec] in ( DEFTHM NATP-LISTP-NTH ...): A :REWRITE rule generated from NATP-LISTP-NTH will be triggered only by terms containing the non-recursive function symbol NATP. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION NATP)) Subgoal 2 ([ A key checkpoint: Subgoal 2 (IMPLIES (AND (NATP-LISTP X) (INTEGERP I) (<= 0 I) (< I (LEN X))) (INTEGERP (NTH I X))) *1 (Subgoal 2) is pushed for proof by induction. ]) Subgoal 1 Subgoal 1' ([ A key checkpoint: Subgoal 1' (IMPLIES (AND (NATP-LISTP X) (INTEGERP I) (<= 0 I) (< I (LEN X)) (ACL2-NUMBERP (NTH I X))) (<= 0 (NTH I X))) Normally we would attempt to prove Subgoal 1' by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (NTH I X). This suggestion was produced using the :induction rules LEN, NATP-LISTP and NTH. If we let (:P I X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (NOT (ZP I)) (:P (+ -1 I) (CDR X))) (:P I X)) (IMPLIES (AND (NOT (ENDP X)) (ZP I)) (:P I X)) (IMPLIES (ENDP X) (:P I X))). This induction is justified by the same argument used to admit NTH. Note, however, that the unmeasured variable X is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Splitter note (see :DOC splitter) for Subgoal *1/3' (2 subgoals). if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP)) Subgoal *1/3.2 Subgoal *1/3.1 Subgoal *1/2 Subgoal *1/2' Subgoal *1/2'' Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. The storage of NATP-LISTP-NTH depends upon the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER and the :type-prescription rule NATP. Summary Form: ( DEFTHM NATP-LISTP-NTH ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION ENDP) (:DEFINITION LEN) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION LEN) (:INDUCTION NATP-LISTP) (:INDUCTION NTH) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION NATP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP)) Warnings: Non-rec Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1514 NATP-LISTP-NTH M1 !>(defthm natp-listp-update-nth (implies (and (natp i) (< i (len x)) (natp (nth i x))) (equal (natp-listp (update-nth i v x)) (and (natp v) (natp-listp x))))) Goal' Splitter note (see :DOC splitter) for Goal' (3 subgoals). if-intro: ((:DEFINITION NATP) (:REWRITE ACL2::|(equal (if a b c) x)|)) Subgoal 3 ([ A key checkpoint: Subgoal 3 (IMPLIES (AND (INTEGERP I) (<= 0 I) (< I (LEN X)) (INTEGERP (NTH I X)) (<= 0 (NTH I X)) (NOT (INTEGERP V))) (NOT (NATP-LISTP (UPDATE-NTH I V X)))) *1 (Subgoal 3) is pushed for proof by induction. ]) Subgoal 2 ([ A key checkpoint: Subgoal 2 (IMPLIES (AND (INTEGERP I) (<= 0 I) (< I (LEN X)) (INTEGERP (NTH I X)) (<= 0 (NTH I X)) (INTEGERP V) (<= 0 V)) (EQUAL (NATP-LISTP X) (NATP-LISTP (UPDATE-NTH I V X)))) Normally we would attempt to prove Subgoal 2 by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) Perhaps we can prove *1 by induction. Four induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (NATP-LISTP X), but modified to accommodate (UPDATE-NTH I V X). These suggestions were produced using the :induction rules LEN, NATP-LISTP, NTH and UPDATE-NTH. If we let (:P I V X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (NOT (NATP (CAR X)))) (:P I V X)) (IMPLIES (AND (NOT (ENDP X)) (NATP (CAR X)) (:P (+ -1 I) V (CDR X))) (:P I V X)) (IMPLIES (ENDP X) (:P I V X))). This induction is justified by the same argument used to admit NATP-LISTP. Note, however, that the unmeasured variable I is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/2' Splitter note (see :DOC splitter) for Subgoal *1/2' (18 subgoals). if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NTH) (:DEFINITION UPDATE-NTH) (:REWRITE ACL2::|(equal (if a b c) x)|)) Subgoal *1/2.18 Subgoal *1/2.18' Subgoal *1/2.17 Subgoal *1/2.16 Subgoal *1/2.16' Subgoal *1/2.15 Subgoal *1/2.14 Subgoal *1/2.14' Subgoal *1/2.13 Subgoal *1/2.12 Subgoal *1/2.11 Subgoal *1/2.10 Subgoal *1/2.9 Subgoal *1/2.8 Subgoal *1/2.7 Subgoal *1/2.6 Subgoal *1/2.6' Subgoal *1/2.5 Subgoal *1/2.4 Subgoal *1/2.4' Subgoal *1/2.3 Subgoal *1/2.2 Subgoal *1/2.2' Subgoal *1/2.1 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM NATP-LISTP-UPDATE-NTH ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION ENDP) (:DEFINITION LEN) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION LEN) (:INDUCTION NATP-LISTP) (:INDUCTION NTH) (:INDUCTION UPDATE-NTH) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE ACL2::DEFAULT-LESS-THAN-1) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION LEN)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NTH) (:DEFINITION UPDATE-NTH) (:REWRITE ACL2::|(equal (if a b c) x)|)) Time: 0.09 seconds (prove: 0.09, print: 0.01, other: 0.00) Prover steps counted: 8627 NATP-LISTP-UPDATE-NTH M1 !>(defthm natp-listp-push (implies (natp-listp stk) (equal (natp-listp (push i stk)) (natp i))) :hints (("Goal" :in-theory (enable push)))) Goal' Q.E.D. Summary Form: ( DEFTHM NATP-LISTP-PUSH ...) Rules: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION PUSH) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:TYPE-PRESCRIPTION NATP-LISTP)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 100 NATP-LISTP-PUSH M1 !>(in-theory (disable natp-listp len nth update-nth)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4830) M1 !>(thm (implies (and (good-statep s) (equal (pc s) 2)) (good-statep (m1 s 11)))) Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 2 Subgoal 1 Q.E.D. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-PUSH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 5983 Proof succeeded. M1 !>(defun hint (s) (declare (xargs :stobjs (s) :measure (acl2-count (loi 0 s)))) (if (and (good-statep s) (equal (pc s) 2)) (if (zp (loi 0 s)) s (let ((s (m1 s 11))) (hint s))) s)) For the admission of HINT we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT (LOI 0 S)). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S)))) (O< (ACL2-COUNT (LOI 0 (M1 S 11))) (ACL2-COUNT (LOI 0 S)))). Goal' Q.E.D. That completes the proof of the measure theorem for HINT. Thus, we admit this function under the principle of definition. We observe that the type of HINT is described by the theorem (OR (CONSP (HINT S)) (EQUAL (HINT S) S)). (HINT S) => S. Summary Form: ( DEFUN HINT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION ACL2-COUNT) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION INTEGER-ABS) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE M1-OPENER) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 4244 HINT M1 !>(defthm loop-correct (implies (and (good-statep s) (equal (rd :pc s) 2)) (equal (m1 s (loop-clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s)))))) :hints (("Goal" :induct (hint s)))) ACL2 Warning [Non-rec] in ( DEFTHM LOOP-CORRECT ...): A :REWRITE rule generated from LOOP-CORRECT will be triggered only by terms containing the non-recursive function symbol LOI. Unless this function is disabled, this rule is unlikely ever to be used. *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT S). This suggestion was produced using the :induction rule HINT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (AND (GOOD-STATEP S) (EQUAL (PC S) 2))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S))) (:P (M1 S 11))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (ZP (LOI 0 S))) (:P S))). This induction is justified by the same argument used to admit HINT. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/2' Subgoal *1/2'' Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LOOP-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.20 seconds (prove: 0.20, print: 0.00, other: 0.00) Prover steps counted: 55122 LOOP-CORRECT M1 !>(in-theory (disable loop-clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4833) M1 !>(defthm entry-correct (implies (and (good-statep s) (equal (pc s) 0)) (equal (m1 s (clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) 0) (!stack (push (g (loi 0 s) (loi 1 s) 0) (stack s)) s))))))) ACL2 Warning [Non-rec] in ( DEFTHM ENTRY-CORRECT ...): A :REWRITE rule generated from ENTRY-CORRECT will be triggered only by terms containing the non-recursive function symbols CLK and LOI. Unless these functions are disabled, this rule is unlikely ever to be used. Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 0)) (EQUAL (M1 (WR :PC 2 (WR :LOCALS (UPDATE-NTH 2 0 (RD :LOCALS S)) S)) (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) 0) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) 0) (RD :LOCALS S))) S))))) *1 (Goal'') is pushed for proof by induction. ]) No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM ENTRY-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION CLK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1842 --- The key checkpoint goal, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Goal'' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 0)) (EQUAL (M1 (WR :PC 2 (WR :LOCALS (UPDATE-NTH 2 0 (RD :LOCALS S)) S)) (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) 0) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) 0) (RD :LOCALS S))) S))))) ACL2 Error in ( DEFTHM ENTRY-CORRECT ...): See :DOC failure. ******** FAILED ******** M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(ubt! 'loop-correct) L 14:x(DEFUN HINT (S) ...) M1 !>(defthm loop-correct (implies (and (good-statep s) (equal (rd :pc s) 2)) (equal (m1 s (loop-clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s)))))) :hints (("Goal" :induct (hint s))) :rule-classes ((:rewrite :corollary (implies (and (good-statep s) (equal (rd :pc s) 2) (equal x (loi 0 s))) (equal (m1 s (loop-clk x)) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s))))))))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT S). This suggestion was produced using the :induction rule HINT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (AND (GOOD-STATEP S) (EQUAL (PC S) 2))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S))) (:P (M1 S 11))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (ZP (LOI 0 S))) (:P S))). This induction is justified by the same argument used to admit HINT. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/2' Subgoal *1/2'' Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. We now consider the corollary claimed in the specified rule class. The goal is (IMPLIES (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S)))))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2) (EQUAL X (LOI 0 S))) (EQUAL (M1 S (LOOP-CLK X)) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S))))))). Goal' Q.E.D. Summary Form: ( DEFTHM LOOP-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.22 seconds (prove: 0.21, print: 0.00, other: 0.00) Prover steps counted: 56608 LOOP-CORRECT M1 !>(in-theory (disable loop-clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4833) M1 !>(defthm entry-correct (implies (and (good-statep s) (equal (pc s) 0)) (equal (m1 s (clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) 0) (!stack (push (g (loi 0 s) (loi 1 s) 0) (stack s)) s)))))) :rule-classes ((:rewrite :corollary (implies (and (good-statep s) (equal (pc s) 0) (equal x (loi 0 s))) (equal (m1 s (clk x)) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) 0) (!stack (push (g (loi 0 s) (loi 1 s) 0) (stack s)) s))))))))) ACL2 Warning [Non-rec] in ( DEFTHM ENTRY-CORRECT ...): A :REWRITE rule generated from ENTRY-CORRECT will be triggered only by terms containing the non-recursive function symbol CLK. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. We now consider the corollary claimed in the specified rule class. The goal is (IMPLIES (IMPLIES (AND (GOOD-STATEP S) (EQUAL (PC S) 0)) (EQUAL (M1 S (CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) 0) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) 0) (STACK S)) S)))))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (PC S) 0) (EQUAL X (LOI 0 S))) (EQUAL (M1 S (CLK X)) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) 0) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) 0) (STACK S)) S))))))). Goal' Q.E.D. Summary Form: ( DEFTHM ENTRY-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION CLK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE LEN-UPDATE-NTH) (:REWRITE LOOP-CORRECT) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.04 seconds (prove: 0.04, print: 0.00, other: 0.00) Prover steps counted: 7051 ENTRY-CORRECT M1 !>(in-theory (disable clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4833) M1 !>(defthm lemma (implies (and (natp x) (natp y) (natp a)) (equal (g x y a) (+ a (* x y))))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (G X Y A). This suggestion was produced using the :induction rule G. If we let (:P A X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP X)) (:P (+ Y A) (+ -1 X) Y)) (:P A X Y)) (IMPLIES (ZP X) (:P A X Y))). This induction is justified by the same argument used to admit G. Note, however, that the unmeasured variable A is being instantiated. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/4 Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LEMMA ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION G) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION G) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 660 LEMMA M1 !>(defthm algorithm-implements-spec (implies (and (natp x) (natp y)) (equal (g x y 0) (* x y)))) Goal' Q.E.D. Summary Form: ( DEFTHM ALGORITHM-IMPLEMENTS-SPEC ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION NATP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE LEMMA)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 101 ALGORITHM-IMPLEMENTS-SPEC M1 !>(defthm main-goal (implies (and (good-statep s) (equal (pc s) 0) (equal sf (m1 s (clk (loi 0 s))))) (and (haltedp sf) (equal (top (stack sf)) (* (loi 0 s) (loi 1 s))))) :rule-classes nil) Goal' Q.E.D. Summary Form: ( DEFTHM MAIN-GOAL ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION GOOD-STATEP) (:DEFINITION HALTEDP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ALGORITHM-IMPLEMENTS-SPEC) (:REWRITE ENTRY-CORRECT) (:REWRITE RD-WR) (:REWRITE TOP-PUSH) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1168 MAIN-GOAL M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(ubt! 'hint) 13:x(IN-THEORY (DISABLE NATP-LISTP LEN ...)) M1 !>(defun hint (s) (declare (xargs :stobjs (s) :measure (acl2-count (loi 0 s)))) (if (zp (loi 0 s)) s (let* ((s (!loi 0 (- (loi 0 s) 1) s)) (s (!loi 2 (+ (loi 1 s) (loi 2 s)) s))) (hint s)))) For the admission of HINT we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT (LOI 0 S)). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (ZP (LOI 0 S))) (O< (ACL2-COUNT (LOI 0 (!LOI 2 (+ (LOI 1 (!LOI 0 (+ -1 (LOI 0 S)) S)) (LOI 2 (!LOI 0 (+ -1 (LOI 0 S)) S))) (!LOI 0 (+ -1 (LOI 0 S)) S)))) (ACL2-COUNT (LOI 0 S)))). Goal' Q.E.D. That completes the proof of the measure theorem for HINT. Thus, we admit this function under the principle of definition. We observe that the type of HINT is described by the theorem (OR (CONSP (HINT S)) (EQUAL (HINT S) S)). (HINT S) => S. Summary Form: ( DEFUN HINT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS) (:DEFINITION LOI) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NFIX) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 573 HINT M1 !>(defthm loop-correct (implies (and (good-statep s) (equal (pc s) 2)) (equal (m1 s (loop-clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s)))))) :hints (("Goal" :induct (hint s))) ; :rule-classes ((:rewrite :corollary ...)) ) ACL2 Warning [Non-rec] in ( DEFTHM LOOP-CORRECT ...): A :REWRITE rule generated from LOOP-CORRECT will be triggered only by terms containing the non-recursive function symbol LOI. Unless this function is disabled, this rule is unlikely ever to be used. *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT S). This suggestion was produced using the :induction rule HINT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP (LOI 0 S))) (:P (!LOI 2 (+ (LOI 1 (!LOI 0 (+ -1 (LOI 0 S)) S)) (LOI 2 (!LOI 0 (+ -1 (LOI 0 S)) S))) (!LOI 0 (+ -1 (LOI 0 S)) S)))) (:P S)) (IMPLIES (ZP (LOI 0 S)) (:P S))). This induction is justified by the same argument used to admit HINT. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 Subgoal *1/2' Subgoal *1/2'' Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LOOP-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.13 seconds (prove: 0.13, print: 0.00, other: 0.00) Prover steps counted: 17289 LOOP-CORRECT M1 !>(ubt! 'hint) 13:x(IN-THEORY (DISABLE NATP-LISTP LEN ...)) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(encapsulate (((pre *) => *) ((post *) => *) ((test *) => *) ; recog base case ((k *) => *) ; steps to termination ((n *) => *) ; steps around loop ((m *) => *)) ; measure (local (defun pre (si) (declare (ignore si)) t)) (local (defun post (sf) (declare (ignore sf)) t)) (local (defun test (s) (declare (ignore s)) t)) (local (defun k (s) (declare (ignore s)) 0)) (local (defun n (s) (declare (ignore s)) 0)) (local (defun m (s) (declare (ignore s)) 0)) (defthm natp-k (natp (k s)) :rule-classes :type-prescription) (defthm natp-n (natp (n s)) :rule-classes :type-prescription) (defthm o-p-m (implies (pre s) (o-p (m s))) :rule-classes :rewrite) (defthm m-dec (implies (and (pre s) (not (test s))) (o< (m (m1 s (n s))) (m s))) :rule-classes :rewrite) (defthm pre-invariant (implies (and (pre s) (not (test s))) (pre (m1 s (n s)))) :rule-classes :rewrite) (defthm pre-implies-post (implies (and (pre s) (test s)) (post (m1 s (k s))))) ) To verify that the twelve encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(LOCAL (DEFUN PRE (SI) (DECLARE (IGNORE SI)) T)) Since PRE is non-recursive, its admission is trivial. We observe that the type of PRE is described by the theorem (EQUAL (PRE SI) T). Summary Form: ( DEFUN PRE ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) PRE M1 !>>(LOCAL (DEFUN POST (SF) (DECLARE (IGNORE SF)) T)) Since POST is non-recursive, its admission is trivial. We observe that the type of POST is described by the theorem (EQUAL (POST SF) T). Summary Form: ( DEFUN POST ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) POST M1 !>>(LOCAL (DEFUN TEST (S) (DECLARE (IGNORE S)) T)) Since TEST is non-recursive, its admission is trivial. We observe that the type of TEST is described by the theorem (EQUAL (TEST S) T). Summary Form: ( DEFUN TEST ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) TEST M1 !>>(LOCAL (DEFUN K (S) (DECLARE (IGNORE S)) 0)) Since K is non-recursive, its admission is trivial. We observe that the type of K is described by the theorem (EQUAL (K S) 0). Summary Form: ( DEFUN K ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) K M1 !>>(LOCAL (DEFUN N (S) (DECLARE (IGNORE S)) 0)) Since N is non-recursive, its admission is trivial. We observe that the type of N is described by the theorem (EQUAL (N S) 0). Summary Form: ( DEFUN N ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) N M1 !>>(LOCAL (DEFUN M (S) (DECLARE (IGNORE S)) 0)) Since M is non-recursive, its admission is trivial. We observe that the type of M is described by the theorem (EQUAL (M S) 0). Summary Form: ( DEFUN M ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) M M1 !>>(DEFTHM NATP-K (NATP (K S)) :RULE-CLASSES :TYPE-PRESCRIPTION) ACL2 Observation in ( DEFTHM NATP-K ...): Our heuristics choose (K S) as the :TYPED-TERM. Q.E.D. The storage of NATP-K depends upon the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER. Summary Form: ( DEFTHM NATP-K ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:TYPE-PRESCRIPTION K)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NATP-K M1 !>>(DEFTHM NATP-N (NATP (N S)) :RULE-CLASSES :TYPE-PRESCRIPTION) ACL2 Observation in ( DEFTHM NATP-N ...): Our heuristics choose (N S) as the :TYPED-TERM. Q.E.D. The storage of NATP-N depends upon the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER. Summary Form: ( DEFTHM NATP-N ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:TYPE-PRESCRIPTION N)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NATP-N M1 !>>(DEFTHM O-P-M (IMPLIES (PRE S) (O-P (M S))) :RULE-CLASSES :REWRITE) ACL2 Warning [Non-rec] in ( DEFTHM O-P-M ...): A :REWRITE rule generated from O-P-M will be triggered only by terms containing the non-recursive function symbol M. Unless this function is disabled, this rule is unlikely ever to be used. Q.E.D. The storage of O-P-M depends upon the :type-prescription rule O-P. Summary Form: ( DEFTHM O-P-M ...) Rules: ((:DEFINITION M) (:DEFINITION PRE) (:EXECUTABLE-COUNTERPART IF) (:EXECUTABLE-COUNTERPART O-P) (:TYPE-PRESCRIPTION O-P)) Warnings: Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 12 O-P-M M1 !>>(DEFTHM M-DEC (IMPLIES (AND (PRE S) (NOT (TEST S))) (O< (M (M1 S (N S))) (M S))) :RULE-CLASSES :REWRITE) ACL2 Warning [Non-rec] in ( DEFTHM M-DEC ...): A :REWRITE rule generated from M-DEC will be triggered only by terms containing the non-recursive function symbols N and M. Unless these functions are disabled, this rule is unlikely ever to be used. Q.E.D. The storage of M-DEC depends upon the :type-prescription rule O<. Summary Form: ( DEFTHM M-DEC ...) Rules: ((:TYPE-PRESCRIPTION O<) (:TYPE-PRESCRIPTION PRE) (:TYPE-PRESCRIPTION TEST)) Warnings: Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) M-DEC M1 !>>(DEFTHM PRE-INVARIANT (IMPLIES (AND (PRE S) (NOT (TEST S))) (PRE (M1 S (N S)))) :RULE-CLASSES :REWRITE) ACL2 Warning [Non-rec] in ( DEFTHM PRE-INVARIANT ...): A :REWRITE rule generated from PRE-INVARIANT will be triggered only by terms containing the non-recursive function symbols PRE and N. Unless these functions are disabled, this rule is unlikely ever to be used. ACL2 Warning [Subsume] in ( DEFTHM PRE-INVARIANT ...): The previously added rule PRE subsumes a newly proposed :REWRITE rule generated from PRE-INVARIANT, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Q.E.D. The storage of PRE-INVARIANT depends upon the :type-prescription rule PRE. Summary Form: ( DEFTHM PRE-INVARIANT ...) Rules: ((:TYPE-PRESCRIPTION PRE) (:TYPE-PRESCRIPTION TEST)) Warnings: Subsume and Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) PRE-INVARIANT M1 !>>(DEFTHM PRE-IMPLIES-POST (IMPLIES (AND (PRE S) (TEST S)) (POST (M1 S (K S))))) ACL2 Warning [Non-rec] in ( DEFTHM PRE-IMPLIES-POST ...): A :REWRITE rule generated from PRE-IMPLIES-POST will be triggered only by terms containing the non-recursive function symbols POST and K. Unless these functions are disabled, this rule is unlikely ever to be used. ACL2 Warning [Subsume] in ( DEFTHM PRE-IMPLIES-POST ...): The previously added rule POST subsumes a newly proposed :REWRITE rule generated from PRE-IMPLIES-POST, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Q.E.D. The storage of PRE-IMPLIES-POST depends upon the :type-prescription rule POST. Summary Form: ( DEFTHM PRE-IMPLIES-POST ...) Rules: ((:TYPE-PRESCRIPTION POST) (:TYPE-PRESCRIPTION PRE) (:TYPE-PRESCRIPTION TEST)) Warnings: Subsume and Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) PRE-IMPLIES-POST End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with every one of the functions PRE, POST, TEST, K, N and M: (AND (NATP (K S)) (NATP (N S)) (IMPLIES (PRE S) (O-P (M S))) (IMPLIES (AND (PRE S) (NOT (TEST S))) (O< (M (M1 S (N S))) (M S))) (IMPLIES (AND (PRE S) (NOT (TEST S))) (PRE (M1 S (N S)))) (IMPLIES (AND (PRE S) (TEST S)) (POST (M1 S (K S))))) Summary Form: ( ENCAPSULATE (((PRE * ...) ...) ...) ...) Rules: NIL Warnings: Subsume and Non-rec Time: 0.03 seconds (prove: 0.00, print: 0.00, other: 0.03) Prover steps counted: 12 T M1 !>(encapsulate nil (defun-nx iclk (s) (declare (xargs :measure (if (pre s) (m s) 0) :hints (("Goal" :in-theory (disable o-p o<))))) (if (pre s) (if (test s) (k s) (clk+ (n s) (iclk (m1 s (n s))))) 0)) (local (defun-nx iclk1 (s) (declare (xargs :measure (if (pre s) (m s) 0) :hints (("Goal" :in-theory (disable o-p o<))))) (if (pre s) (if (test s) 0 (clk+ (n s) (iclk1 (m1 s (n s))))) 0))) (local (defthm iclk-is-iclk1+k (implies (pre s) (equal (iclk s) (clk+ (iclk1 s) (k (m1 s (iclk1 s)))))) :hints (("Subgoal *1/1'" :in-theory (enable binary-clk+))) :rule-classes :rewrite)) (local (defthm irule1 (implies (pre s) (pre (m1 s (iclk1 s)))))) (local (defthm irule2 (implies (pre s) (test (m1 s (iclk1 s)))))) (defthm irule ; This is the special-purpose induction rule! (implies (pre s) (post (m1 s (iclk s)))))) To verify that the six encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(DEFUN-NX ICLK (S) (DECLARE (XARGS :MEASURE (IF (PRE S) (M S) 0) :HINTS (("Goal" :IN-THEORY (DISABLE O-P O<))))) (IF (PRE S) (IF (TEST S) (K S) (CLK+ (N S) (ICLK (M1 S (N S))))) 0)) For the admission of ICLK we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (PRE S) (M S) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (PRE S) (M S) 0)) (IMPLIES (AND (PRE S) (NOT (TEST S))) (O< (IF (PRE (M1 S (N S))) (M (M1 S (N S))) 0) (IF (PRE S) (M S) 0)))). Subgoal 2 Subgoal 2.2 Subgoal 2.1 Subgoal 1 Q.E.D. That completes the proof of the measure theorem for ICLK. Thus, we admit this function under the principle of definition. We observe that the type of ICLK is described by the theorem (AND (INTEGERP (ICLK S)) (<= 0 (ICLK S))). We used the :type-prescription rules BINARY-CLK+ and NATP-K. Summary Form: ( DEFUN ICLK ...) Rules: ((:DEFINITION NOT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:REWRITE M-DEC) (:REWRITE PRE-INVARIANT) (:TYPE-PRESCRIPTION BINARY-CLK+) (:TYPE-PRESCRIPTION NATP-K)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 131 ICLK M1 !>>(LOCAL (DEFUN-NX ICLK1 (S) (DECLARE (XARGS :MEASURE (IF (PRE S) (M S) 0) :HINTS (("Goal" :IN-THEORY (DISABLE O-P O<))))) (IF (PRE S) (IF (TEST S) 0 (CLK+ (N S) (ICLK1 (M1 S (N S))))) 0))) For the admission of ICLK1 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (PRE S) (M S) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (PRE S) (M S) 0)) (IMPLIES (AND (PRE S) (NOT (TEST S))) (O< (IF (PRE (M1 S (N S))) (M (M1 S (N S))) 0) (IF (PRE S) (M S) 0)))). Subgoal 2 Subgoal 2.2 Subgoal 2.1 Subgoal 1 Q.E.D. That completes the proof of the measure theorem for ICLK1. Thus, we admit this function under the principle of definition. We observe that the type of ICLK1 is described by the theorem (AND (INTEGERP (ICLK1 S)) (<= 0 (ICLK1 S))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN ICLK1 ...) Rules: ((:DEFINITION NOT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:REWRITE M-DEC) (:REWRITE PRE-INVARIANT) (:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 131 ICLK1 M1 !>>(LOCAL (DEFTHM ICLK-IS-ICLK1+K (IMPLIES (PRE S) (EQUAL (ICLK S) (CLK+ (ICLK1 S) (K (M1 S (ICLK1 S)))))) :HINTS (("Subgoal *1/1'" :IN-THEORY (ENABLE BINARY-CLK+))) :RULE-CLASSES :REWRITE)) Goal' ([ A key checkpoint: Goal' (IMPLIES (PRE S) (EQUAL (ICLK S) (BINARY-CLK+ (ICLK1 S) (K (M1 S (ICLK1 S)))))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (ICLK1 S). This suggestion was produced using the :induction rules ICLK and ICLK1. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (PRE S)) (:P S)) (IMPLIES (AND (PRE S) (NOT (TEST S)) (:P (M1 S (N S)))) (:P S)) (IMPLIES (AND (PRE S) (TEST S)) (:P S))). This induction is justified by the same argument used to admit ICLK1. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM ICLK-IS-ICLK1+K ...) Rules: ((:DEFINITION BINARY-CLK+) (:DEFINITION ICLK) (:DEFINITION ICLK1) (:DEFINITION NFIX) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART NFIX) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ICLK) (:INDUCTION ICLK1) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE CLK+-ASSOCIATIVE) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE PRE-INVARIANT) (:TYPE-PRESCRIPTION NATP-K)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 454 ICLK-IS-ICLK1+K M1 !>>(LOCAL (DEFTHM IRULE1 (IMPLIES (PRE S) (PRE (M1 S (ICLK1 S)))))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ICLK1 S). This suggestion was produced using the :induction rule ICLK1. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (PRE S)) (:P S)) (IMPLIES (AND (PRE S) (NOT (TEST S)) (:P (M1 S (N S)))) (:P S)) (IMPLIES (AND (PRE S) (TEST S)) (:P S))). This induction is justified by the same argument used to admit ICLK1. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM IRULE1 ...) Rules: ((:DEFINITION ICLK1) (:INDUCTION ICLK1) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE PRE-INVARIANT)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 220 IRULE1 M1 !>>(LOCAL (DEFTHM IRULE2 (IMPLIES (PRE S) (TEST (M1 S (ICLK1 S)))))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ICLK1 S). This suggestion was produced using the :induction rule ICLK1. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (PRE S)) (:P S)) (IMPLIES (AND (PRE S) (NOT (TEST S)) (:P (M1 S (N S)))) (:P S)) (IMPLIES (AND (PRE S) (TEST S)) (:P S))). This induction is justified by the same argument used to admit ICLK1. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM IRULE2 ...) Rules: ((:DEFINITION ICLK1) (:INDUCTION ICLK1) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE PRE-INVARIANT)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 220 IRULE2 M1 !>>(DEFTHM IRULE (IMPLIES (PRE S) (POST (M1 S (ICLK S))))) Q.E.D. Summary Form: ( DEFTHM IRULE ...) Rules: ((:REWRITE ICLK-IS-ICLK1+K) (:REWRITE IRULE1) (:REWRITE IRULE2) (:REWRITE M1-CLK+) (:REWRITE PRE-IMPLIES-POST)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 84 IRULE End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. We export ICLK. Summary Form: ( ENCAPSULATE NIL (DEFUN-NX ICLK ...) ...) Rules: NIL Time: 0.05 seconds (prove: 0.01, print: 0.01, other: 0.03) Prover steps counted: 1240 T M1 !>(defthm loop-correct (implies (and (good-statep s) (equal (rd :pc s) 2)) (equal (m1 s (loop-clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s)))))) :hints (("Goal" :use (:functional-instance irule (pre (lambda (s) (and (good-statep s) (equal (rd :pc s) 2)))) (post (lambda (sf) (equal sf (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s))))))) (m (lambda (s) (acl2-count (loi 0 s)))) (k (lambda (s) 3)) (n (lambda (s) 11)) (iclk (lambda (s) (if (and (good-statep s) (equal (rd :pc s) 2)) (loop-clk (loi 0 s)) 0))) (test (lambda (s) (zp (loi 0 s)))))))) ACL2 Warning [Non-rec] in ( DEFTHM LOOP-CORRECT ...): A :REWRITE rule generated from LOOP-CORRECT will be triggered only by terms containing the non-recursive function symbol LOI. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Use] in ( DEFTHM LOOP-CORRECT ...): It is unusual to :USE an enabled :REWRITE or :DEFINITION rule, so you may want to consider disabling (:REWRITE IRULE) in the hint provided for Goal. See :DOC using-enabled-rules. Subgoal 6 Subgoal 5 Splitter note (see :DOC splitter) for Subgoal 5 (2 subgoals). if-intro: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP) (:DEFINITION NOT) (:REWRITE ACL2::ZP-OPEN)) Subgoal 5.2 Subgoal 5.1 Subgoal 4 Subgoal 3 Subgoal 2 Subgoal 1 Q.E.D. Summary Form: ( DEFTHM LOOP-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION ACL2-COUNT) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION GOOD-STATEP) (:DEFINITION INTEGER-ABS) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION RETURN-LAST) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION ACL2::THROW-NONEXEC-ERROR) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART IF) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Hint-events: ((:USE IRULE)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP) (:DEFINITION NOT) (:REWRITE ACL2::ZP-OPEN)) Warnings: Use and Non-rec Time: 0.10 seconds (prove: 0.10, print: 0.00, other: 0.00) Prover steps counted: 26020 LOOP-CORRECT M1 !>(ubt! 'loop-correct) 15:x(ENCAPSULATE NIL ...) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(set-gag-mode :goals) M1 !>(thm (implies (and (good-statep s) (equal (pc s) 2) (> (loi 0 s) 40)) (equal (pc (m1 s 440)) 2))) Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 2 Subgoal 1 Splitter note (see :DOC splitter) for Subgoal 1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.2 Subgoal 1.1 Splitter note (see :DOC splitter) for Subgoal 1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.2 Subgoal 1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.2 Subgoal 1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.2 Subgoal 1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.2 Subgoal 1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 420,442,816 bytes freed in 0.351283 s ;;; 42271 soft faults, 0 faults, 0 pageins Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 Q.E.D. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (* c x))|) (:REWRITE ACL2::|(+ x x)|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-BUBBLE-DOWN) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE M1-OPENER) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-EQUAL) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Time: 5.12 seconds (prove: 5.10, print: 0.02, other: 0.00) Prover steps counted: 285114 Proof succeeded. M1 !>(thm (implies (and (good-statep s) (equal (pc s) 2) (> (loi 0 s) 80)) (equal (pc (m1 s 880)) 2))) Goal' HARD ACL2 ERROR in ACL2::REWRITE: The call depth limit of 1000 has been exceeded in the ACL2 rewriter. To see why the limit was exceeded, first execute :brr t and then try the proof again, and then execute the form (cw-gstack) or, for less verbose output, instead try (cw-gstack :frames 30). You will then probably notice a loop caused by some set of enabled rules, some of which you can then disable; see :DOC disable. Also see :DOC rewrite-stack-limit. ACL2 Error in TOP-LEVEL: Evaluation aborted. To debug see :DOC print- gv, see :DOC trace, and see :DOC wet. Here is the current pstack [see :DOC pstack]: (ACL2::REWRITE-ATM ACL2::SIMPLIFY-CLAUSE ACL2::WATERFALL) *** Note: No checkpoints to print. *** M1 !>(in-theory (disable (:executable-counterpart binary-clk+))) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4840) M1 !>(thm (implies (and (good-statep s) (equal (pc s) 2) (> (loi 0 s) 80)) (equal (pc (m1 s (clk+ 400 400 80))) 2))) Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 2 Subgoal 1 Splitter note (see :DOC splitter) for Subgoal 1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.2 Subgoal 1.1 Splitter note (see :DOC splitter) for Subgoal 1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.2 Subgoal 1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.2 Subgoal 1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.2 Subgoal 1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.2 Subgoal 1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1 ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 420,705,920 bytes freed in 0.225793 s ;;; 0 soft faults, 0 faults, 0 pageins Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 419,601,344 bytes freed in 0.179020 s ;;; 0 soft faults, 0 faults, 0 pageins Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 417,999,456 bytes freed in 0.180760 s ;;; 0 soft faults, 0 faults, 0 pageins Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1 Splitter note (see :DOC splitter) for Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1 (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.2 Subgoal 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1. 1.1.1.1.1.1.1 Q.E.D. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (* c x))|) (:REWRITE ACL2::|(+ x x)|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-BUBBLE-DOWN) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-EQUAL) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ)) Time: 62.37 seconds (prove: 62.31, print: 0.06, other: 0.00) Prover steps counted: 717238 Proof succeeded. M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(include-book "/u/moore/work/codewalkers/lift-subterm-from-clause") Summary Form: ( INCLUDE-BOOK "/u/moore/work/codewalkers/lift-subterm-from-clause" ...) Rules: NIL Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) "/Users/moore/work/codewalkers/lift-subterm-from-clause.lisp" M1 !>(set-gag-mode nil) M1 !>(defun hint (s) (declare (xargs :stobjs (s) :measure (acl2-count (loi 0 s)))) (if (and (good-statep s) (equal (pc s) 2)) (if (zp (loi 0 s)) s (let ((s (m1 s 11))) (hint s))) s)) For the admission of HINT we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT (LOI 0 S)). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S)))) (O< (ACL2-COUNT (LOI 0 (M1 S 11))) (ACL2-COUNT (LOI 0 S)))). By the simple :definitions GOOD-STATEP, LOI, NATP and PC we reduce the conjecture to Goal' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (NOT (ZP (NTH 0 (RD :LOCALS S))))) (O< (ACL2-COUNT (NTH 0 (RD :LOCALS (M1 S 11)))) (ACL2-COUNT (NTH 0 (RD :LOCALS S))))). But simplification reduces this to T, using the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER, the :definitions !LOI, !PC, !STACK, ACL2-COUNT, DO-INST, EXECUTE-GOTO, EXECUTE-IADD, EXECUTE-ICONST, EXECUTE-IFEQ, EXECUTE-ILOAD, EXECUTE-ISTORE, EXECUTE-ISUB, INTEGER-ABS, LOI, NEXT-INST, NOT, O-FINP, O<, PC, PROGRAM, STACK and SYNP, the :executable- counterparts of <, ARG1, BINARY-+, CONSP, EQUAL, INTEGERP, KEYP, NATP, NFIX, NOT, NTH, OP-CODE and UNARY--, primitive type reasoning, the :rewrite rules ACL2::|(+ x (- x))|, ACL2::|(+ y (+ x z))|, ACL2::|(+ y x)|, ACL2::BUBBLE-DOWN-+-MATCH-1, M1-OPENER, ACL2::NORMALIZE-ADDENDS, NTH-UPDATE-NTH, POP-PUSH, RD-WR, ACL2::SIMPLIFY-SUMS-<, SP-WR, STEP-OPENER, TOP-PUSH, UPDATE-NTH-UPDATE-NTH-DIFF, WR-REDUNDANT, WR-WR-DIFF, WR-WR-SAME and ACL2::ZP-OPEN and the :type-prescription rules NATP-LISTP, NATP-LISTP-NTH and SP. Q.E.D. That completes the proof of the measure theorem for HINT. Thus, we admit this function under the principle of definition. We observe that the type of HINT is described by the theorem (OR (CONSP (HINT S)) (EQUAL (HINT S) S)). (HINT S) => S. Summary Form: ( DEFUN HINT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION ACL2-COUNT) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION INTEGER-ABS) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE M1-OPENER) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 4244 HINT M1 !>(defthm loop-correct (implies (and (good-statep s) (equal (rd :pc s) 2)) (equal (m1 s (loop-clk (loi 0 s))) (!pc 14 (!loi 0 0 (!loi 2 (g (loi 0 s) (loi 1 s) (loi 2 s)) (!stack (push (g (loi 0 s) (loi 1 s) (loi 2 s)) (stack s)) s)))))) :hints (("Goal" :induct (hint s)) ("Subgoal *1/2" :clause-processor (acl2::lift-subterm-from-clause clause '(m1 s '11))) (acl2::stage HIDE 1))) ACL2 Warning [Non-rec] in ( DEFTHM LOOP-CORRECT ...): A :REWRITE rule generated from LOOP-CORRECT will be triggered only by terms containing the non-recursive function symbol LOI. Unless this function is disabled, this rule is unlikely ever to be used. [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT S). This suggestion was produced using the :induction rule HINT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (AND (GOOD-STATEP S) (EQUAL (PC S) 2))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S))) (:P (M1 S 11))) (:P S)) (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (ZP (LOI 0 S))) (:P S))). This induction is justified by the same argument used to admit HINT. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 (IMPLIES (NOT (AND (GOOD-STATEP S) (EQUAL (PC S) 2))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S))))))). By the simple :definitions !PC, !STACK, GOOD-STATEP, LOI, NATP, PC and STACK we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (NOT (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2))) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (!LOI 0 0 (!LOI 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :STACK S)) S)))))). But simplification reduces this to T, using the :definitions GOOD-STATEP and SYNP, the :executable-counterparts of <, EQUAL, INTEGERP, NATP and NOT, the :rewrite rule ACL2::REMOVE-WEAK-INEQUALITIES and the :type- prescription rules NATP-LISTP and SP. [Note: A hint was supplied for our processing of the goal below. Thanks!] Subgoal *1/2 (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S))) (IMPLIES (AND (GOOD-STATEP (M1 S 11)) (EQUAL (RD :PC (M1 S 11)) 2)) (EQUAL (M1 (M1 S 11) (LOOP-CLK (LOI 0 (M1 S 11)))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 (M1 S 11)) (LOI 1 (M1 S 11)) (LOI 2 (M1 S 11))) (!STACK (PUSH (G (LOI 0 (M1 S 11)) (LOI 1 (M1 S 11)) (LOI 2 (M1 S 11))) (STACK (M1 S 11))) (M1 S 11)))))))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S))))))). We now apply the verified :CLAUSE-PROCESSOR function ACL2::LIFT-SUBTERM-FROM-CLAUSE to produce one new subgoal. Subgoal *1/2' (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (NOT (ZP (LOI 0 S))) (EQUAL ACL2::STAR (M1 S 11)) (NOT (HIDE (NOT (IMPLIES (AND (GOOD-STATEP ACL2::STAR) (EQUAL (RD :PC ACL2::STAR) 2)) (EQUAL (M1 ACL2::STAR (LOOP-CLK (LOI 0 ACL2::STAR))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (!STACK (PUSH (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (STACK ACL2::STAR)) ACL2::STAR)))))))))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S))))))). By the simple :definitions !PC, !STACK, GOOD-STATEP, LOI, NATP, PC and STACK we reduce the conjecture to Subgoal *1/2'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (NOT (ZP (NTH 0 (RD :LOCALS S)))) (EQUAL ACL2::STAR (M1 S 11)) (NOT (HIDE (NOT (IMPLIES (AND (GOOD-STATEP ACL2::STAR) (EQUAL (RD :PC ACL2::STAR) 2)) (EQUAL (M1 ACL2::STAR (LOOP-CLK (LOI 0 ACL2::STAR))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (!STACK (PUSH (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (STACK ACL2::STAR)) ACL2::STAR)))))))))) (EQUAL (M1 S (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (!LOI 0 0 (!LOI 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :STACK S)) S)))))). This simplifies, using the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER, the :definitions !LOI, !PC, !STACK, DO-INST, EXECUTE-GOTO, EXECUTE-IADD, EXECUTE-ICONST, EXECUTE-IFEQ, EXECUTE-ILOAD, EXECUTE-ISTORE, EXECUTE-ISUB, LOI, NEXT-INST, NOT, PC, PROGRAM, STACK and SYNP, the :executable-counterparts of <, ARG1, BINARY-+, CONSP, EQUAL, INTEGERP, KEYP, NATP, NFIX, NOT, NTH, OP-CODE and UNARY--, primitive type reasoning, the :rewrite rules ACL2::|(+ y x)|, M1-OPENER, NTH-UPDATE-NTH, POP-PUSH, RD-WR, SP-WR, STEP-OPENER, TOP-PUSH, UPDATE-NTH-UPDATE-NTH-DIFF, WR-REDUNDANT, WR-WR-DIFF, WR-WR-SAME and ACL2::ZP-OPEN and the :type-prescription rules NATP-LISTP, NATP-LISTP-NTH and SP, to Subgoal *1/2''' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (HIDE (NOT (IMPLIES (AND (GOOD-STATEP ACL2::STAR) (EQUAL (RD :PC ACL2::STAR) 2)) (EQUAL (M1 ACL2::STAR (LOOP-CLK (LOI 0 ACL2::STAR))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (!STACK (PUSH (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (STACK ACL2::STAR)) ACL2::STAR)))))))))) (EQUAL (M1 S (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))))). This simplifies, using the :compound-recognizer rules ACL2::NATP-COMPOUND-RECOGNIZER and ACL2::ZP-COMPOUND-RECOGNIZER, the :definitions !LOI, !PC, !STACK, DO-INST, EXECUTE-IADD, EXECUTE-ICONST, EXECUTE-IFEQ, EXECUTE-ILOAD, EXECUTE-ISTORE, EXECUTE-ISUB, G, LOI, LOOP-CLK, NEXT-INST, PC, PROGRAM and STACK, the :executable-counterparts of ARG1, BINARY-+, CONSP, EQUAL, KEYP, NATP, NFIX, NTH, OP-CODE and UNARY--, primitive type reasoning, the :rewrite rules ACL2::|(+ y x)|, M1-CLK+, M1-OPENER, NTH-UPDATE-NTH, POP-PUSH, RD-WR, SP-WR, STEP-OPENER, TOP-PUSH, UPDATE-NTH-UPDATE-NTH-DIFF, WR-REDUNDANT, WR-WR-DIFF and WR-WR-SAME and the :type-prescription rules NATP-LISTP, NATP-LISTP-NTH and SP, to Subgoal *1/2'4' (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (HIDE (NOT (IMPLIES (AND (GOOD-STATEP ACL2::STAR) (EQUAL (RD :PC ACL2::STAR) 2)) (EQUAL (M1 ACL2::STAR (LOOP-CLK (LOI 0 ACL2::STAR))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (!STACK (PUSH (G (LOI 0 ACL2::STAR) (LOI 1 ACL2::STAR) (LOI 2 ACL2::STAR)) (STACK ACL2::STAR)) ACL2::STAR)))))))))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using the :definitions !LOI, !PC, !STACK, GOOD-STATEP (if-intro), HIDE, LOI, NATP (if-intro), NOT (if-intro) and STACK, the :executable-counterparts of EQUAL and KEYP and the :rewrite rules RD-WR, WR-WR-DIFF and WR-WR-SAME, to the following nine conjectures. Subgoal *1/2.9 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (SP ACL2::STAR))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :rewrite rule SP-WR and the :type-prescription rule SP. Subgoal *1/2.8 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (EQUAL (M1 ACL2::STAR (LOOP-CLK (NTH 0 (RD :LOCALS ACL2::STAR)))) (WR :PC 14 (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS ACL2::STAR)) (NTH 1 (RD :LOCALS ACL2::STAR)) (NTH 2 (RD :LOCALS ACL2::STAR))) (RD :STACK ACL2::STAR)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (NTH 0 (RD :LOCALS ACL2::STAR)) (NTH 1 (RD :LOCALS ACL2::STAR)) (NTH 2 (RD :LOCALS ACL2::STAR))) (RD :LOCALS ACL2::STAR))) ACL2::STAR))))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER, the :definitions !PC, DO-INST, EXECUTE-GOTO, NEXT-INST, PC and PROGRAM, the :executable-counterparts of ARG1, BINARY-+, CONSP, EQUAL, KEYP, NFIX, NTH and OP-CODE, primitive type reasoning, the :rewrite rules NTH-UPDATE-NTH, RD-WR, SP-WR, STEP-OPENER, UPDATE-NTH-UPDATE-NTH-DIFF, UPDATE-NTH-UPDATE-NTH-SAME, WR-REDUNDANT and WR-WR-SAME and the :type-prescription rule SP. Subgoal *1/2.7 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (< (RD :PC ACL2::STAR) 0)) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :executable-counterparts of < and EQUAL and the :rewrite rule RD-WR. Subgoal *1/2.6 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (NATP-LISTP (RD :STACK ACL2::STAR)))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :executable-counterpart of EQUAL, the :rewrite rule RD-WR and the :type-prescription rule NATP-LISTP. Subgoal *1/2.5 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (INTEGERP (RD :PC ACL2::STAR)))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :executable-counterparts of EQUAL and INTEGERP and the :rewrite rule RD-WR. Subgoal *1/2.4 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (EQUAL (RD :PC ACL2::STAR) 2))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :executable-counterpart of EQUAL and the :rewrite rule RD-WR. Subgoal *1/2.3 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (EQUAL (RD :PROGRAM ACL2::STAR) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :executable-counterpart of EQUAL and the :rewrite rule RD-WR. Subgoal *1/2.2 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (NOT (NATP-LISTP (RD :LOCALS ACL2::STAR)))) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER, the :definition MAX, the :executable- counterparts of BINARY-+, EQUAL, KEYP, NATP and NFIX, linear arithmetic, primitive type reasoning, the :rewrite rules LEN-UPDATE-NTH, NATP-LISTP-UPDATE-NTH, NTH-UPDATE-NTH and RD-WR and the :type-prescription rules LEN, NATP-LISTP and NATP-LISTP-NTH. Subgoal *1/2.1 (IMPLIES (AND (SP S) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (< 0 (NTH 0 (RD :LOCALS S))) (EQUAL ACL2::STAR (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)) (< (LEN (RD :LOCALS ACL2::STAR)) 3)) (EQUAL (M1 (STEP (WR :PC 12 ACL2::STAR)) (LOOP-CLK (+ -1 (NTH 0 (RD :LOCALS S))))) (WR :PC 14 (WR :STACK (PUSH (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :STACK S)) (WR :LOCALS (UPDATE-NTH 0 0 (UPDATE-NTH 2 (G (+ -1 (NTH 0 (RD :LOCALS S))) (NTH 1 (RD :LOCALS S)) (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)))) (RD :LOCALS S))) S))))). But simplification reduces this to T, using the :definitions MAX and SYNP, the :executable-counterparts of BINARY-+, EQUAL, KEYP and NFIX, primitive type reasoning, the :rewrite rules LEN-UPDATE-NTH, RD-WR and ACL2::REMOVE-WEAK-INEQUALITIES and the :type-prescription rule LEN. Subgoal *1/1 (IMPLIES (AND (AND (GOOD-STATEP S) (EQUAL (PC S) 2)) (ZP (LOI 0 S))) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (LOOP-CLK (LOI 0 S))) (!PC 14 (!LOI 0 0 (!LOI 2 (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (!STACK (PUSH (G (LOI 0 S) (LOI 1 S) (LOI 2 S)) (STACK S)) S))))))). By the simple :definitions !PC, !STACK, GOOD-STATEP, LOI, NATP, PC and STACK we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (NATP-LISTP (RD :LOCALS S)) (<= 3 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2) (ZP (NTH 0 (RD :LOCALS S)))) (EQUAL (M1 S (LOOP-CLK (NTH 0 (RD :LOCALS S)))) (WR :PC 14 (!LOI 0 0 (!LOI 2 (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (WR :STACK (PUSH (G (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :STACK S)) S)))))). But simplification reduces this to T, using the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER, the :definitions !LOI, !PC, !STACK, DO-INST, EXECUTE-IFEQ, EXECUTE-ILOAD, G, LOI, NEXT-INST, NOT, PC, PROGRAM, STACK and SYNP, the :executable-counterparts of <, ARG1, BINARY-+, CONSP, EQUAL, INTEGERP, KEYP, LOOP-CLK, NATP, NOT, NTH, OP-CODE and ZP, primitive type reasoning, the :rewrite rules M1-OPENER, POP-PUSH, RD-WR, SP-WR, STEP-OPENER, TOP-PUSH, UPDATE-NTH-REDUNDANT, WR-REDUNDANT, WR-WR-DIFF, WR-WR-SAME and ACL2::ZP-OPEN and the :type-prescription rules NATP-LISTP, NATP-LISTP-NTH and SP. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM LOOP-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION GOOD-STATEP) (:DEFINITION HIDE) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Hint-events: ((:CLAUSE-PROCESSOR ACL2::LIFT-SUBTERM-FROM-CLAUSE)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP) (:DEFINITION NOT)) Warnings: Non-rec Time: 0.20 seconds (prove: 0.16, print: 0.04, other: 0.00) Prover steps counted: 22033 LOOP-CORRECT M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(ubt! 1) 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(include-book "/u/moore/work/codewalkers/cw10") Summary Form: ( INCLUDE-BOOK "/u/moore/work/codewalkers/cw10" ...) Rules: NIL Time: 0.14 seconds (prove: 0.00, print: 0.00, other: 0.14) "/Users/moore/work/codewalkers/cw10.lisp" ACL2 !>(include-book "ordinals/lexicographic-ordering" :dir :system) Summary Form: ( INCLUDE-BOOK "ordinals/lexicographic-ordering" ...) Rules: NIL Time: 0.35 seconds (prove: 0.00, print: 0.00, other: 0.35) "/Users/moore/work/v6-3-xdoc/acl2-devel/books/ordinals/lexicographic-ordering.lisp" ACL2 !>(defunm foo (i j max) (if (and (natp i) (natp j) (natp max)) (if (< j max) (foo (- i 1) (+ j 2) (+ max 1)) i) 0)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((67 (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (ACL2-COUNT I)) :WELL-FOUNDED-RELATION O<)) ((TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED))) (34 (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (NFIX (- (IFIX MAX) (IFIX J)))) :WELL-FOUNDED-RELATION O<)) ((COUNTING-UP-WITH-<-TEST)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! For the admission of FOO we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (NATP I) (NATP J) (NATP MAX)) (< J MAX)) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). By case analysis we reduce the conjecture to Goal' (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX)) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). This simplifies, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT (if-intro) and INTEGER-ABS (if-intro), the :executable-counterparts of BINARY-+ and UNARY--, primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-1 and DISTRIBUTIVITY-OF-MINUS-OVER-+, to the following two conjectures. Subgoal 2 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (< I 1)) (O< 1 I)). This simplifies, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :executable-counterparts of <, NATP, NOT and O<, linear arithmetic and the :forward-chaining rule NATP-FC-1, to Subgoal 2' (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)). Name the formula above *1. Subgoal 1 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (<= 1 I)) (O< (+ -1 I) I)). But simplification reduces this to T, using the :compound-recognizer rules NATP-COMPOUND-RECOGNIZER and O-FINP-CR, linear arithmetic, primitive type reasoning and the :rewrite rule O-FINP-<. So we now return to *1, which is (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)). No induction schemes are suggested by *1. Consequently, the proof attempt has failed. ACL2 Error in ( DEFUN FOO ...): The proof of the measure conjecture for FOO has failed. Summary Form: ( DEFUN FOO ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:FORWARD-CHAINING NATP-FC-1) (:REWRITE <-+-NEGATIVE-0-1) (:REWRITE DISTRIBUTIVITY-OF-MINUS-OVER-+) (:REWRITE O-FINP-<)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 388 --- The key checkpoint goal, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Subgoal 2' (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)) ACL2 Error in ( DEFUN FOO ...): The proof of the measure conjecture for FOO has failed. See :DOC failure. ******** FAILED ******** For the admission of FOO we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (NATP I) (NATP J) (NATP MAX)) (< J MAX)) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). By case analysis we reduce the conjecture to Goal' (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX)) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). This simplifies, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT (if-intro) and INTEGER-ABS (if-intro), the :executable-counterparts of BINARY-+ and UNARY--, primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-1 and DISTRIBUTIVITY-OF-MINUS-OVER-+, to the following two conjectures. Subgoal 2 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (< I 1)) (O< 1 I)). This simplifies, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :executable-counterparts of <, NATP, NOT and O<, linear arithmetic and the :forward-chaining rule NATP-FC-1, to Subgoal 2' (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)). Name the formula above *1. Subgoal 1 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (<= 1 I)) (O< (+ -1 I) I)). But simplification reduces this to T, using the :compound-recognizer rules NATP-COMPOUND-RECOGNIZER and O-FINP-CR, linear arithmetic, primitive type reasoning and the :rewrite rule O-FINP-<. So we now return to *1, which is (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)). No induction schemes are suggested by *1. Consequently, the proof attempt has failed. ACL2 Error in ( DEFUN FOO ...): The proof of the measure conjecture for FOO has failed. Summary Form: ( DEFUN FOO ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:FORWARD-CHAINING NATP-FC-1) (:REWRITE <-+-NEGATIVE-0-1) (:REWRITE DISTRIBUTIVITY-OF-MINUS-OVER-+) (:REWRITE O-FINP-<)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 388 --- The key checkpoint goal, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Subgoal 2' (IMPLIES (AND (NATP J) (NATP MAX)) (<= MAX J)) ACL2 Error in ( DEFUN FOO ...): The proof of the measure conjecture for FOO has failed. See :DOC failure. ******** FAILED ******** For the admission of FOO we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (NFIX (+ (IFIX MAX) (- (IFIX J)))). The non-trivial part of the measure conjecture is Goal (AND (O-P (NFIX (+ (IFIX MAX) (- (IFIX J))))) (IMPLIES (AND (AND (NATP I) (NATP J) (NATP MAX)) (< J MAX)) (O< (NFIX (+ (IFIX (+ MAX 1)) (- (IFIX (+ J 2))))) (NFIX (+ (IFIX MAX) (- (IFIX J))))))). By case analysis we reduce the conjecture to the following two conjectures. Subgoal 2 (O-P (NFIX (+ (IFIX MAX) (- (IFIX J))))). This simplifies, using the :compound-recognizer rule O-FINP-CR, the :definitions IFIX (if-intro) and NFIX (if-intro), primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-1, COMMUTATIVITY-OF-+ and O-P-DEF-O-FINP-1, to the following seven conjectures. Subgoal 2.7 (IMPLIES (AND (NOT (INTEGERP J)) (< MAX 0)) (NATP 0)). But we reduce the conjecture to T, by the :executable-counterpart of NATP. Subgoal 2.6 (IMPLIES (AND (INTEGERP MAX) (NOT (INTEGERP J)) (<= 0 MAX)) (NATP (+ 0 MAX))). By the simple :rewrite rule UNICITY-OF-0 we reduce the conjecture to Subgoal 2.6' (IMPLIES (AND (INTEGERP MAX) (NOT (INTEGERP J)) (<= 0 MAX)) (NATP (FIX MAX))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER and the :definition FIX. Subgoal 2.5 (IMPLIES (AND (INTEGERP MAX) (INTEGERP J) (< MAX J)) (NATP 0)). But we reduce the conjecture to T, by the :executable-counterpart of NATP. Subgoal 2.4 (IMPLIES (AND (NOT (INTEGERP MAX)) (NOT (INTEGERP J))) (NATP 0)). But we reduce the conjecture to T, by the :executable-counterpart of NATP. Subgoal 2.3 (IMPLIES (AND (INTEGERP MAX) (INTEGERP J) (<= J MAX)) (NATP (+ (- J) MAX))). But simplification reduces this to T, using linear arithmetic, primitive type reasoning and the :rewrite rule NATP-RW. Subgoal 2.2 (IMPLIES (AND (NOT (INTEGERP MAX)) (INTEGERP J) (<= J 0)) (NATP (+ (- J) 0))). But we reduce the conjecture to T, by the :executable-counterpart of TAU-SYSTEM. Subgoal 2.1 (IMPLIES (AND (NOT (INTEGERP MAX)) (< 0 J)) (NATP 0)). But we reduce the conjecture to T, by the :executable-counterpart of NATP. Subgoal 1 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX)) (O< (NFIX (+ (IFIX (+ MAX 1)) (- (IFIX (+ J 2))))) (NFIX (+ (IFIX MAX) (- (IFIX J)))))). This simplifies, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definitions IFIX, NFIX (if-intro) and SYNP, the :executable-counterparts of BINARY-+ and UNARY--, primitive type reasoning, the :rewrite rules <-+-NEGATIVE-0-1, COMMUTATIVITY-2-OF-+, COMMUTATIVITY-OF-+, DISTRIBUTIVITY-OF-MINUS-OVER-+ and FOLD-CONSTS-IN-+ and the :type-prescription rule |x < y => 0 < -x+y|, to the following two conjectures. Subgoal 1.2 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (< MAX J)) (O< (+ -1 (- J) MAX) 0)). But we reduce the conjecture to T, by the :executable-counterpart of TAU-SYSTEM. Subgoal 1.1 (IMPLIES (AND (NATP I) (NATP J) (NATP MAX) (< J MAX) (<= J MAX)) (O< (+ -1 (- J) MAX) (+ (- J) MAX))). But simplification reduces this to T, using the :compound-recognizer rules NATP-COMPOUND-RECOGNIZER and O-FINP-CR, linear arithmetic, primitive type reasoning, the :rewrite rule O-FINP-< and the :type-prescription rule |x < y => 0 < -x+y|. Q.E.D. That completes the proof of the measure theorem for FOO. Thus, we admit this function under the principle of definition. We observe that the type of FOO is described by the theorem (AND (INTEGERP (FOO I J MAX)) (<= 0 (FOO I J MAX))). We used the :compound- recognizer rule NATP-COMPOUND-RECOGNIZER. Summary Form: ( DEFUN FOO ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER O-FINP-CR) (:DEFINITION FIX) (:DEFINITION IFIX) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE <-+-NEGATIVE-0-1) (:REWRITE COMMUTATIVITY-2-OF-+) (:REWRITE COMMUTATIVITY-OF-+) (:REWRITE DISTRIBUTIVITY-OF-MINUS-OVER-+) (:REWRITE FOLD-CONSTS-IN-+) (:REWRITE NATP-RW) (:REWRITE O-FINP-<) (:REWRITE O-P-DEF-O-FINP-1) (:REWRITE UNICITY-OF-0) (:TYPE-PRESCRIPTION |x < y => 0 < -x+y|)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION IFIX) (:DEFINITION NFIX)) Time: 0.02 seconds (prove: 0.01, print: 0.01, other: 0.00) Prover steps counted: 632 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.04 seconds (prove: 0.01, print: 0.01, other: 0.01) Prover steps counted: 1408 Summary Form: ( MAKE-EVENT (ER-LET* ...) ...) Rules: NIL Time: 0.05 seconds (prove: 0.01, print: 0.01, other: 0.02) Prover steps counted: 1408 FOO ACL2 !>(pe 'foo) L 3:x(DEFUNM FOO (I J MAX) ...) \ >L (DEFUN FOO (I J MAX) (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (NFIX (- (IFIX MAX) (IFIX J)))) :WELL-FOUNDED-RELATION O<)) (IF (AND (NATP I) (NATP J) (NATP MAX)) (IF (< J MAX) (FOO (- I 1) (+ J 2) (+ MAX 1)) I) 0)) ACL2 !>(defunm ack (k n m) (if (zp k) (+ 1 n) (if (zp m) (if (equal k 2) 0 (if (equal k 3) 1 n)) (ack (- k 1) (ack k n (- m 1)) n)))) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) We updated the measure patterns database by adding a pattern named FOO. To see the new database evaluate (TABLE MEASURE-PATTERNS :LIST). From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((34 (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (ACL2-COUNT M)) :WELL-FOUNDED-RELATION O<)) ((TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED) (TESTED-NON-ZP-AND-DECREMENTED))) (34 (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (LLIST (ACL2-COUNT M) (ACL2-COUNT K))) :WELL-FOUNDED-RELATION L<)) ((TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED) (TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED))) (1 (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (LLIST (ACL2-COUNT K) (ACL2-COUNT M))) :WELL-FOUNDED-RELATION L<)) ((TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED) (TESTED-POSITIVE-AND-DECREMENTED TESTED-NON-0-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! ACL2 !>>(TABLE MEASURE-PATTERNS :LIST '((MEASURE-PATTERN FOO (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX J)))) (J MAX) ((NATP J) (NATP MAX) (< J MAX)) ((:SLOT J (BINARY-+ J '2)) (:SLOT MAX (BINARY-+ MAX '1))) NIL < ((:MEASURE (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX J))))) (NATP J) (NATP MAX) (< J MAX) (:SLOT J (BINARY-+ J '2)) (:SLOT MAX (BINARY-+ MAX '1)))) (MEASURE-PATTERN TESTED-NON-ZP-AND-DECREMENTED (ACL2-COUNT I) (I) ((NOT (ZP I))) ((:SLOT I (BINARY-+ NEGINT I))) ((:CONSTANT ':NEGINT NEGINT)) < ((:MEASURE (ACL2-COUNT I)) (:CONSTANT ':NEGINT NEGINT) (NOT (ZP I)) (:SLOT I (BINARY-+ NEGINT I)))) (MEASURE-PATTERN TESTED-NON-0-AND-DECREMENTED (ACL2-COUNT I) (I) ((NOT (EQUAL I '0))) ((:SLOT I (BINARY-+ NEGINT I))) ((:CONSTANT ':NEGINT NEGINT)) < ((:MEASURE (ACL2-COUNT I)) (:CONSTANT ':NEGINT NEGINT) (NOT (EQUAL I '0)) (:SLOT I (BINARY-+ NEGINT I)))) (MEASURE-PATTERN TESTED-POSITIVE-AND-DECREMENTED (ACL2-COUNT I) (I) ((< '0 I)) ((:SLOT I (BINARY-+ NEGINT I))) ((:CONSTANT ':NEGINT NEGINT)) < ((:MEASURE (ACL2-COUNT I)) (:CONSTANT ':NEGINT NEGINT) (< '0 I) (:SLOT I (BINARY-+ NEGINT I)))) (MEASURE-PATTERN COUNTING-UP-WITH-ZP-TRICK (NFIX (- MAX I)) (I MAX) ((NOT (ZP (BINARY-+ MAX (UNARY-- I))))) ((:SLOT I (BINARY-+ POSINT I))) ((:CONSTANT ':POSINT NEGINT)) < ((:MEASURE (NFIX (- MAX I))) (:CONSTANT ':POSINT NEGINT) (NOT (ZP (BINARY-+ MAX (UNARY-- I)))) (:SLOT I (BINARY-+ POSINT I)))) (MEASURE-PATTERN COUNTING-UP-WITH-<-TEST (NFIX (- (IFIX MAX) (IFIX I))) (I MAX) ((< I MAX)) ((:SLOT I (BINARY-+ POSINT I))) ((:CONSTANT ':POSINT NEGINT)) < ((:MEASURE (NFIX (- (IFIX MAX) (IFIX I)))) (:CONSTANT ':POSINT NEGINT) (< I MAX) (:SLOT I (BINARY-+ POSINT I)))) (MEASURE-PATTERN RECURSION-BY-CDR-STRONG (ACL2-COUNT X) (X) ((CONSP X)) ((:SLOT X (CDR X))) NIL < ((:MEASURE (ACL2-COUNT X)) (CONSP X) (:SLOT X (CDR X)))) (MEASURE-PATTERN RECURSION-BY-CAR-STRONG (ACL2-COUNT X) (X) ((CONSP X)) ((:SLOT X (CAR X))) NIL < ((:MEASURE (ACL2-COUNT X)) (CONSP X) (:SLOT X (CAR X)))) (MEASURE-PATTERN RECURSION-BY-CDR-WEAK (ACL2-COUNT X) (X) NIL ((:SLOT X (CDR X))) NIL <= ((:MEASURE (ACL2-COUNT X)) (:SLOT X (CDR X)))) (MEASURE-PATTERN RECURSION-BY-CAR-STRONG (ACL2-COUNT X) (X) NIL ((:SLOT X (CAR X))) NIL <= ((:MEASURE (ACL2-COUNT X)) (:SLOT X (CAR X)))))) Summary Form: ( TABLE MEASURE-PATTERNS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) MEASURE-PATTERNS ACL2 !>>(MAKE-EVENT '(:OR (DEFUNM-WRAPPER (DEFUN ACK (K N M) (IF (ZP K) (+ 1 N) (IF (ZP M) (IF (EQUAL K 2) 0 (IF (EQUAL K 3) 1 N)) (ACK (- K 1) (ACK K N (- M 1)) N))))) (DEFUNM-WRAPPER (DEFUN ACK (K N M) (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (ACL2-COUNT M)) :WELL-FOUNDED-RELATION O<)) (IF (ZP K) (+ 1 N) (IF (ZP M) (IF (EQUAL K 2) 0 (IF (EQUAL K 3) 1 N)) (ACK (- K 1) (ACK K N (- M 1)) N))))) (DEFUNM-WRAPPER (DEFUN ACK (K N M) (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (LLIST (ACL2-COUNT M) (ACL2-COUNT K))) :WELL-FOUNDED-RELATION L<)) (IF (ZP K) (+ 1 N) (IF (ZP M) (IF (EQUAL K 2) 0 (IF (EQUAL K 3) 1 N)) (ACK (- K 1) (ACK K N (- M 1)) N))))) (DEFUNM-WRAPPER (DEFUN ACK (K N M) (DECLARE (XARGS :MEASURE (DEFUNM-MARKER (LLIST (ACL2-COUNT K) (ACL2-COUNT M))) :WELL-FOUNDED-RELATION L<)) (IF (ZP K) (+ 1 N) (IF (ZP M) (IF (EQUAL K 2) 0 (IF (EQUAL K 3) 1 N)) (ACK (- K 1) (ACK K N (- M 1)) N))))) (DEFUNM-ERROR (CONS 'DEFUNM 'ACK) "We guessed the following ~#0~[possible justification for ~x2 and ~ it could not be proved~/~x1 possible justifications for ~x2, listed ~ from those deemed most likely to those deemed least likely, and none ~ of them could be proved~]. It is possible your definition does not ~ terminate. But if it does, you have three options. One is to prove ~ enough lemmas to make ACL2 to prove that ~#0~[the measure~/one of ~ the measures~] shown below actually decreases. The second is to edit ~ the MEASURE-PATTERNS table so that some pattern suggests a provable ~ measure; execute (edit-measure-patterns-table) for instructions. ~ Then try your ~x5 again. The third option is to use DEFUN ~ instead of ~x5 and explicitly specify a provable measure.~%~%~ Measure Guesses (in order of deemed likelihood):~%~%~X34~%" (IF (NULL (CDR (@ RANKED-MEASURE-DCLS))) 0 1) (LEN (@ RANKED-MEASURE-DCLS)) 'ACK (@ RANKED-MEASURE-DCLS) NIL (IF (EQ DEFUN-FLAVOR 'DEFUN) 'DEFUNM 'DEFUNM-NX)))) ACL2 Error in ( DEFUN ACK ...): No :MEASURE was supplied with the definition of ACK. Our heuristics for guessing one have not made any suggestions. No argument of the function is tested along every branch of the relevant IF structure and occurs as a proper subterm at the same argument position in every recursive call. You must specify a :MEASURE. See :DOC defun. Also see :DOC ruler-extenders for how to affect how much of the IF structure is explored by our heuristics. Summary Form: ( DEFUN ACK ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ACL2 Error in ( DEFUN ACK ...): See :DOC failure. ******** FAILED ******** For the admission of ACK we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT M). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) (ACL2-COUNT M))). This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT and INTEGER-ABS and primitive type reasoning, to Goal' (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) M)). Name the formula above *1. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ACL2-COUNT N). This suggestion was produced using the :induction rule ACL2-COUNT. If we let (:P K M N) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N)) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (:P K M (REALPART N)) (:P K M (IMAGPART N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (NOT (INTEGERP N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (INTEGERP N)) (:P K M N)) (IMPLIES (AND (CONSP N) (:P K M (CAR N)) (:P K M (CDR N))) (:P K M N))). This induction is justified by the same argument used to admit ACL2-COUNT. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. Subgoal *1/6 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N)) (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) M)). But simplification reduces this to T, using the :compound-recognizer rules NATP-COMPOUND-RECOGNIZER and ZP-COMPOUND-RECOGNIZER, the :definition ACL2-COUNT, the :executable-counterpart of NOT, primitive type reasoning and the :rewrite rules |0 < a = ~(a = 0)| and O-P-DEF-O-FINP-1. Subgoal *1/5 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) M)). This simplifies, using the :definitions ACL2-COUNT and LENGTH, to Subgoal *1/5' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M))) (O< (LEN (COERCE N 'LIST)) M)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/5'' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP M))) (O< (LEN (COERCE N 'LIST)) M)). Name the formula above *1.1. Subgoal *1/4 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (O< (ACL2-COUNT (REALPART N)) M) (O< (ACL2-COUNT (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) M)). This simplifies, using the :definition ACL2-COUNT and the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (O< (ACL2-COUNT (REALPART N)) M) (O< (ACL2-COUNT (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (ACL2-COUNT (IMAGPART N)) (ACL2-COUNT (REALPART N))) M)). This simplifies, using the :definitions ACL2-COUNT (if-intro) and INTEGER-ABS (if-intro), primitive type reasoning and the :rewrite rules COMMUTATIVITY-2-OF-+ and COMMUTATIVITY-OF-+, to the following 16 conjectures. Subgoal *1/4.16 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (O< (- (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (IMAGPART N)) (- (REALPART N))) M)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J. This produces the following two goals. Subgoal *1/4.16.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (O< (- (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (IMAGPART N)) (- (REALPART N))) M)). But we reduce the conjecture to T, by case analysis. Subgoal *1/4.16.1 (IMPLIES (AND (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP I) (< I 0) (O< (- I) M) (INTEGERP J) (< J 0) (O< (- J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- J) (- I)) M)). This simplifies, using primitive type reasoning and the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4.16.1' (IMPLIES (AND (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP I) (< I 0) (O< (- I) M) (INTEGERP J) (< J 0) (O< (- J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (- J)) M)). We generalize this conjecture, replacing (- J) by L, (- I) by N and (COMPLEX I J) by Z and restricting the types of the new variables L and N to be those of the terms they replace, as established by primitive type reasoning. This produces Subgoal *1/4.16.1'' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (INTEGERP J) (< J 0) (O< L M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 N L) M)). This simplifies, using the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4.16.1''' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (INTEGERP J) (< J 0) (O< L M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 L N) M)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/4.16.1'4' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (INTEGERP J) (< J 0) (O< L M) (NOT (ZP M))) (O< (+ 1 L N) M)). Name the formula above *1.2. Subgoal *1/4.15 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (O< (IMAGPART N) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (IMAGPART N) (- (REALPART N))) M)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J and restrict the type of the new variable J to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/4.15.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (O< (IMAGPART N) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (IMAGPART N) (- (REALPART N))) M)). But we reduce the conjecture to T, by case analysis. Subgoal *1/4.15.1 (IMPLIES (AND (INTEGERP J) (< 0 J) (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP I) (< I 0) (O< (- I) M) (<= 0 J) (O< J M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 J (- I)) M)). This simplifies, using primitive type reasoning and the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4.15.1' (IMPLIES (AND (INTEGERP J) (< 0 J) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP I) (< I 0) (O< (- I) M) (<= 0 J) (O< J M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) J) M)). We generalize this conjecture, replacing (- I) by L and (COMPLEX I J) by Z and restricting the type of the new variable L to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/4.15.1'' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP J) (< 0 J) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< L M) (<= 0 J) (O< J M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 L J) M)). This simplifies, using the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4.15.1''' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP J) (< 0 J) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< L M) (<= 0 J) (O< J M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 J L) M)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/4.15.1'4' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP J) (< 0 J) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< L M) (<= 0 J) (O< J M) (NOT (ZP M))) (O< (+ 1 J L) M)). Name the formula above *1.3. Subgoal *1/4.14 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (NOT (INTEGERP (IMAGPART N))) (< (NUMERATOR (IMAGPART N)) 0) (O< (+ (DENOMINATOR (IMAGPART N)) (- (NUMERATOR (IMAGPART N)))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (REALPART N)) (DENOMINATOR (IMAGPART N)) (- (NUMERATOR (IMAGPART N)))) M)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I R), (REALPART N) by I and (IMAGPART N) by R and restrict the type of the new variable R to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/4.14.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (NOT (INTEGERP (IMAGPART N))) (< (NUMERATOR (IMAGPART N)) 0) (O< (+ (DENOMINATOR (IMAGPART N)) (- (NUMERATOR (IMAGPART N)))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (REALPART N)) (DENOMINATOR (IMAGPART N)) (- (NUMERATOR (IMAGPART N)))) M)). But we reduce the conjecture to T, by case analysis. Subgoal *1/4.14.1 (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX I R)) (NOT (CONSP (COMPLEX I R))) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (NOT (INTEGERP R)) (< (NUMERATOR R) 0) (O< (+ (DENOMINATOR R) (- (NUMERATOR R))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (- (NUMERATOR R))) M)). By case analysis we reduce the conjecture to Subgoal *1/4.14.1' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX I R)) (NOT (CONSP (COMPLEX I R))) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (< (NUMERATOR R) 0) (O< (+ (DENOMINATOR R) (- (NUMERATOR R))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (- (NUMERATOR R))) M)). This simplifies, using primitive type reasoning, to Subgoal *1/4.14.1'' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (< (NUMERATOR R) 0) (O< (+ (DENOMINATOR R) (- (NUMERATOR R))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (- (NUMERATOR R))) M)). We generalize this conjecture, replacing (DENOMINATOR R) by J, (NUMERATOR R) by L, (- I) by N and (COMPLEX I R) by Z and restricting the types of the new variables J, L and N to be those of the terms they replace, as established by primitive type reasoning. This produces Subgoal *1/4.14.1''' (IMPLIES (AND (INTEGERP J) (< 0 J) (INTEGERP L) (< L 0) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (O< (+ J (- L)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 N J (- L)) M)). This simplifies, using the :rewrite rules COMMUTATIVITY-2-OF-+ and COMMUTATIVITY-OF-+, to Subgoal *1/4.14.1'4' (IMPLIES (AND (INTEGERP J) (< 0 J) (INTEGERP L) (< L 0) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (O< (+ J (- L)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 J (- L) N) M)). We generalize this conjecture, replacing (- L) by I0 and restricting the type of the new variable I0 to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/4.14.1'5' (IMPLIES (AND (INTEGERP I0) (< 0 I0) (INTEGERP J) (< 0 J) (INTEGERP L) (< L 0) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (O< (+ J I0) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 J I0 N) M)). This simplifies, using the :rewrite rules COMMUTATIVITY-2-OF-+ and COMMUTATIVITY-OF-+, to Subgoal *1/4.14.1'6' (IMPLIES (AND (INTEGERP I0) (< 0 I0) (INTEGERP J) (< 0 J) (INTEGERP L) (< L 0) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (O< (+ I0 J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 I0 J N) M)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/4.14.1'7' (IMPLIES (AND (INTEGERP I0) (< 0 I0) (INTEGERP J) (< 0 J) (INTEGERP L) (< L 0) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (O< (+ I0 J) M) (NOT (ZP M))) (O< (+ 1 I0 J N) M)). Name the formula above *1.4. Subgoal *1/4.13 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (NOT (INTEGERP (IMAGPART N))) (<= 0 (NUMERATOR (IMAGPART N))) (O< (+ (DENOMINATOR (IMAGPART N)) (NUMERATOR (IMAGPART N))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (REALPART N)) (DENOMINATOR (IMAGPART N)) (NUMERATOR (IMAGPART N))) M)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I R), (REALPART N) by I and (IMAGPART N) by R and restrict the type of the new variable R to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/4.13.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (NOT (INTEGERP (IMAGPART N))) (<= 0 (NUMERATOR (IMAGPART N))) (O< (+ (DENOMINATOR (IMAGPART N)) (NUMERATOR (IMAGPART N))) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (REALPART N)) (DENOMINATOR (IMAGPART N)) (NUMERATOR (IMAGPART N))) M)). But we reduce the conjecture to T, by case analysis. Subgoal *1/4.13.1 (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX I R)) (NOT (CONSP (COMPLEX I R))) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (NOT (INTEGERP R)) (<= 0 (NUMERATOR R)) (O< (+ (DENOMINATOR R) (NUMERATOR R)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (NUMERATOR R)) M)). By case analysis we reduce the conjecture to Subgoal *1/4.13.1' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX I R)) (NOT (CONSP (COMPLEX I R))) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (<= 0 (NUMERATOR R)) (O< (+ (DENOMINATOR R) (NUMERATOR R)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (NUMERATOR R)) M)). This simplifies, using primitive type reasoning, to Subgoal *1/4.13.1'' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP (COMPLEX I R))) (COMPLEX-RATIONALP (COMPLEX I R)) (INTEGERP I) (< I 0) (O< (- I) M) (<= 0 (NUMERATOR R)) (O< (+ (DENOMINATOR R) (NUMERATOR R)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- I) (DENOMINATOR R) (NUMERATOR R)) M)). We generalize this conjecture, replacing (DENOMINATOR R) by J, (NUMERATOR R) by L, (- I) by N and (COMPLEX I R) by Z and restricting the types of the new variables J, L and N to be those of the terms they replace, as established by primitive type reasoning. This produces Subgoal *1/4.13.1''' (IMPLIES (AND (INTEGERP J) (< 0 J) (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (<= 0 L) (O< (+ J L) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 N J L) M)). This simplifies, using the :rewrite rules COMMUTATIVITY-2-OF-+ and COMMUTATIVITY-OF-+, to Subgoal *1/4.13.1'4' (IMPLIES (AND (INTEGERP J) (< 0 J) (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (<= 0 L) (O< (+ J L) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 J L N) M)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/4.13.1'5' (IMPLIES (AND (INTEGERP J) (< 0 J) (INTEGERP L) (< 0 L) (INTEGERP N) (< 0 N) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (O< N M) (<= 0 L) (O< (+ J L) M) (NOT (ZP M))) (O< (+ 1 J L N) M)). Name the formula above *1.5. Subgoal *1/4.12 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (O< (REALPART N) M) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (O< (- (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (IMAGPART N)) (REALPART N)) M)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J and restrict the type of the new variable I to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/4.12.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (O< (REALPART N) M) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (O< (- (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (IMAGPART N)) (REALPART N)) M)). But we reduce the conjecture to T, by case analysis. Subgoal *1/4.12.1 (IMPLIES (AND (INTEGERP I) (<= 0 I) (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (<= 0 I) (O< I M) (INTEGERP J) (< J 0) (O< (- J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- J) I) M)). By case analysis we reduce the conjecture to Subgoal *1/4.12.1' (IMPLIES (AND (INTEGERP I) (<= 0 I) (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (O< I M) (INTEGERP J) (< J 0) (O< (- J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- J) I) M)). This simplifies, using primitive type reasoning and the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/4.12.1'' (IMPLIES (AND (INTEGERP I) (<= 0 I) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (O< I M) (INTEGERP J) (< J 0) (O< (- J) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 I (- J)) M)). We generalize this conjecture, replacing (- J) by L and (COMPLEX I J) by Z and restricting the type of the new variable L to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/4.12.1''' (IMPLIES (AND (INTEGERP L) (< 0 L) (INTEGERP I) (<= 0 I) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (O< I M) (INTEGERP J) (< J 0) (O< L M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 I L) M)). ACL2 Error in STEP-LIMIT: The prover step-limit, which is 10000 in the current context, has been exceeded. See :DOC set-prover-step- limit. ACL2 Error in ( DEFUN ACK ...): The proof of the measure conjecture for ACK has failed. Summary Form: ( DEFUN ACK ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER) (:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS) (:DEFINITION LENGTH) (:DEFINITION NOT) (:ELIM REALPART-IMAGPART-ELIM) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ACL2-COUNT) (:REWRITE |0 < a = ~(a = 0)|) (:REWRITE COMMUTATIVITY-2-OF-+) (:REWRITE COMMUTATIVITY-OF-+) (:REWRITE O-P-DEF-O-FINP-1)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS)) Time: 0.18 seconds (prove: 0.14, print: 0.04, other: 0.00) Prover steps counted: More than 10000 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Goal' (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (O< (ACL2-COUNT N) M)) *** Key checkpoints under a top-level induction *** Subgoal *1/5' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M))) (O< (LEN (COERCE N 'LIST)) M)) Subgoal *1/4.16 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (O< (- (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (- (IMAGPART N)) (- (REALPART N))) M)) Subgoal *1/4.15 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (REALPART N)) (< (REALPART N) 0) (O< (- (REALPART N)) M) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (O< (IMAGPART N) M) (NOT (ZP K)) (NOT (ZP M))) (O< (+ 1 (IMAGPART N) (- (REALPART N))) M)) Note: There are three additional key checkpoints under a top-level induction. See :DOC set-checkpoint-summary-limit to change the number printed. ACL2 Error in ( DEFUN ACK ...): The proof of the measure conjecture for ACK has failed. See :DOC failure. ******** FAILED ******** For the admission of ACK we will use the relation L< (which, by WELL-FOUNDED-L<, is known to be well-founded on the domain recognized by LEXP) and the measure (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))). The non-trivial part of the measure conjecture is Goal (AND (LEXP (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (L< (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))) (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (L< (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K)))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))))). By the simple :definitions L< and LEXP we reduce the conjecture to the following three conjectures. Subgoal 3 (IMPLIES (NOT (NATP (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))) (AND (CONSP (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (NATP-LISTP (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definitions NATP-LISTP and NFIX, the :executable-counterpart of NATP-LISTP, primitive type reasoning, the :rewrite rules CAR-CONS and CDR-CONS and the :type-prescription rule ACL2-COUNT. Subgoal 2 (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= (LEN (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (LEN (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K)))))) (AND (EQUAL (LEN (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K)))) (LEN (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))) (IF (CONSP (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K)))) (D< (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (< (LIST (NFIX (ACL2-COUNT (+ -1 M))) (NFIX (ACL2-COUNT K))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))))). But simplification reduces this to T, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT, D<, INTEGER-ABS, LEN and NFIX, the :executable-counterparts of <, BINARY-+, EQUAL and LEN, primitive type reasoning, the :meta rule CANCEL_PLUS-LESSP-CORRECT and the :rewrite rules <-+-NEGATIVE-0-1, CAR-CONS and CDR-CONS. Subgoal 1 (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= (LEN (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (LEN (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K))))))) (AND (EQUAL (LEN (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K))))) (LEN (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))) (IF (CONSP (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K))))) (D< (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K)))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K)))) (< (LIST (NFIX (ACL2-COUNT N)) (NFIX (ACL2-COUNT (+ -1 K)))) (LIST (NFIX (ACL2-COUNT M)) (NFIX (ACL2-COUNT K))))))). This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT, D<, INTEGER-ABS, LEN and NFIX, the :executable- counterparts of <, BINARY-+, EQUAL and LEN, primitive type reasoning, the :meta rule CANCEL_PLUS-LESSP-CORRECT, the :rewrite rules <-+-NEGATIVE-0-1, CAR-CONS and CDR-CONS and the :type-prescription rule ACL2-COUNT, to Subgoal 1' (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= M (ACL2-COUNT N))) (EQUAL (ACL2-COUNT N) M)). Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (ACL2-COUNT N). This suggestion was produced using the :induction rule ACL2-COUNT. If we let (:P K M N) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N)) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (:P K M (REALPART N)) (:P K M (IMAGPART N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (NOT (INTEGERP N))) (:P K M N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (INTEGERP N)) (:P K M N)) (IMPLIES (AND (CONSP N) (:P K M (CAR N)) (:P K M (CDR N))) (:P K M N))). This induction is justified by the same argument used to admit ACL2-COUNT. When applied to the goal at hand the above induction scheme produces twelve nontautological subgoals. Subgoal *1/12 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N)) (NOT (ZP K)) (NOT (ZP M)) (<= M (ACL2-COUNT N))) (EQUAL (ACL2-COUNT N) M)). But simplification reduces this to T, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definition ACL2-COUNT and primitive type reasoning. Subgoal *1/11 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M)) (<= M (ACL2-COUNT N))) (EQUAL (ACL2-COUNT N) M)). This simplifies, using the :definitions ACL2-COUNT and LENGTH, to Subgoal *1/11' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M)) (<= M (LEN (COERCE N 'LIST)))) (EQUAL (LEN (COERCE N 'LIST)) M)). We generalize this conjecture, replacing (COERCE N 'LIST) by CE and restricting the type of the new variable CE to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/11'' (IMPLIES (AND (TRUE-LISTP CE) (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M)) (<= M (LEN CE))) (EQUAL (LEN CE) M)). We generalize this conjecture, replacing (LEN CE) by I and restricting the type of the new variable I to be that of the term it replaces, as established by LEN and ZP-COMPOUND-RECOGNIZER. This produces Subgoal *1/11''' (IMPLIES (AND (INTEGERP I) (< 0 I) (TRUE-LISTP CE) (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M)) (<= M I)) (EQUAL I M)). We suspect that the terms (NOT (ZP K)) and (TRUE-LISTP CE) are irrelevant to the truth of this conjecture and throw them out. We will thus try to prove Subgoal *1/11'4' (IMPLIES (AND (INTEGERP I) (< 0 I) (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP M)) (<= M I)) (EQUAL I M)). Name the formula above *1.1. Subgoal *1/10 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (EQUAL (ACL2-COUNT (REALPART N)) M) (EQUAL (ACL2-COUNT (IMAGPART N)) M) (NOT (ZP K)) (NOT (ZP M)) (<= M (ACL2-COUNT N))) (EQUAL (ACL2-COUNT N) M)). This simplifies, using the :definitions ACL2-COUNT, NOT and SYNP, primitive type reasoning, the :meta rules CANCEL_PLUS-EQUAL-CORRECT and CANCEL_PLUS-LESSP-CORRECT, the :rewrite rule ZP-OPEN and the :type- prescription rule ACL2-COUNT, to Subgoal *1/10' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (EQUAL (ACL2-COUNT (IMAGPART N)) (ACL2-COUNT (REALPART N))) (NOT (ZP K)) (< 0 (ACL2-COUNT (IMAGPART N)))) (< (+ 1 (ACL2-COUNT (IMAGPART N))) 0)). This simplifies, using the :definitions ACL2-COUNT (if-intro) and INTEGER-ABS (if-intro), primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-2, <-0-+-NEGATIVE-2, <-0-MINUS and COMMUTATIVITY-OF-+, to the following 16 conjectures. Subgoal *1/10.16 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (- (IMAGPART N)) (- (REALPART N))) (NOT (ZP K))) (< 1 (IMAGPART N))). By the simple :rewrite rule EQUAL-MINUS-MINUS we reduce the conjecture to Subgoal *1/10.16' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (FIX (IMAGPART N)) (FIX (REALPART N))) (NOT (ZP K))) (< 1 (IMAGPART N))). This simplifies, using the :definition FIX and primitive type reasoning, to Subgoal *1/10.16'' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (REALPART N)) (NOT (ZP K))) (< 1 (IMAGPART N))). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J. This produces the following two goals. Subgoal *1/10.16.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (REALPART N)) (NOT (ZP K))) (< 1 (IMAGPART N))). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.16.1 (IMPLIES (AND (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP J) (< J 0) (INTEGERP I) (< I 0) (EQUAL J I) (NOT (ZP K))) (< 1 J)). This simplifies, using primitive type reasoning, to Subgoal *1/10.16.1' (IMPLIES (AND (NOT (RATIONALP (COMPLEX I I))) (COMPLEX-RATIONALP (COMPLEX I I)) (INTEGERP I) (< I 0) (NOT (ZP K))) (< 1 I)). We generalize this conjecture, replacing (COMPLEX I I) by Z. This produces Subgoal *1/10.16.1'' (IMPLIES (AND (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (NOT (ZP K))) (< 1 I)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/10.16.1''' (IMPLIES (AND (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0)) (< 1 I)). Name the formula above *1.2. Subgoal *1/10.15 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (- (REALPART N))) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J. This produces the following two goals. Subgoal *1/10.15.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (- (REALPART N))) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.15.1 (IMPLIES (AND (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP J) (<= 0 J) (INTEGERP I) (< I 0) (EQUAL J (- I)) (NOT (ZP K)) (< 0 J)) (< (+ 1 J) 0)). This simplifies, using primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-2, <-0-MINUS and <-MINUS-ZERO, to Subgoal *1/10.15.1' (IMPLIES (AND (NOT (RATIONALP (COMPLEX I (- I)))) (COMPLEX-RATIONALP (COMPLEX I (- I))) (INTEGERP (- I)) (<= I 0) (INTEGERP I) (< I 0) (NOT (ZP K))) (< 1 I)). We generalize this conjecture, replacing (- I) by L and restricting the type of the new variable L to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/10.15.1'' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP (COMPLEX I L))) (COMPLEX-RATIONALP (COMPLEX I L)) (<= I 0) (INTEGERP I) (< I 0) (NOT (ZP K))) (< 1 I)). We generalize this conjecture, replacing (COMPLEX I L) by Z. This produces Subgoal *1/10.15.1''' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (<= I 0) (INTEGERP I) (< I 0) (NOT (ZP K))) (< 1 I)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/10.15.1'4' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (<= I 0) (INTEGERP I) (< I 0)) (< 1 I)). Name the formula above *1.3. Subgoal *1/10.14 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (EQUAL (- (IMAGPART N)) (REALPART N)) (NOT (ZP K)) (< 0 (REALPART N))) (< (+ 1 (REALPART N)) 0)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J. This produces the following two goals. Subgoal *1/10.14.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (EQUAL (- (IMAGPART N)) (REALPART N)) (NOT (ZP K)) (< 0 (REALPART N))) (< (+ 1 (REALPART N)) 0)). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.14.1 (IMPLIES (AND (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP J) (< J 0) (INTEGERP I) (<= 0 I) (EQUAL (- J) I) (NOT (ZP K)) (< 0 I)) (< (+ 1 I) 0)). This simplifies, using primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-2, <-0-MINUS and <-MINUS-ZERO, to Subgoal *1/10.14.1' (IMPLIES (AND (NOT (RATIONALP (COMPLEX (- J) J))) (COMPLEX-RATIONALP (COMPLEX (- J) J)) (INTEGERP J) (< J 0) (INTEGERP (- J)) (<= J 0) (NOT (ZP K))) (< 1 J)). We generalize this conjecture, replacing (- J) by L and restricting the type of the new variable L to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/10.14.1'' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP (COMPLEX L J))) (COMPLEX-RATIONALP (COMPLEX L J)) (INTEGERP J) (< J 0) (<= J 0) (NOT (ZP K))) (< 1 J)). We generalize this conjecture, replacing (COMPLEX L J) by Z. This produces Subgoal *1/10.14.1''' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP J) (< J 0) (<= J 0) (NOT (ZP K))) (< 1 J)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/10.14.1'4' (IMPLIES (AND (INTEGERP L) (< 0 L) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP J) (< J 0) (<= J 0)) (< 1 J)). Name the formula above *1.4. Subgoal *1/10.13 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (EQUAL (IMAGPART N) (REALPART N)) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX I J), (REALPART N) by I and (IMAGPART N) by J and restrict the type of the new variable I to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/10.13.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (INTEGERP (REALPART N)) (<= 0 (REALPART N)) (EQUAL (IMAGPART N) (REALPART N)) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.13.1 (IMPLIES (AND (INTEGERP I) (< 0 I) (ACL2-NUMBERP (COMPLEX I J)) (NOT (CONSP (COMPLEX I J))) (NOT (RATIONALP (COMPLEX I J))) (COMPLEX-RATIONALP (COMPLEX I J)) (INTEGERP J) (<= 0 J) (<= 0 I) (EQUAL J I) (NOT (ZP K)) (< 0 J)) (< (+ 1 J) 0)). This simplifies, using primitive type reasoning, to Subgoal *1/10.13.1' (IMPLIES (AND (NOT (RATIONALP (COMPLEX I I))) (COMPLEX-RATIONALP (COMPLEX I I)) (INTEGERP I) (<= 0 I) (NOT (ZP K)) (< 0 I)) (< (+ 1 I) 0)). We generalize this conjecture, replacing (COMPLEX I I) by Z. This produces Subgoal *1/10.13.1'' (IMPLIES (AND (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (<= 0 I) (NOT (ZP K)) (< 0 I)) (< (+ 1 I) 0)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/10.13.1''' (IMPLIES (AND (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (<= 0 I) (< 0 I)) (< (+ 1 I) 0)). Name the formula above *1.5. Subgoal *1/10.12 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (NOT (INTEGERP (REALPART N))) (< (NUMERATOR (REALPART N)) 0) (EQUAL (- (IMAGPART N)) (+ (DENOMINATOR (REALPART N)) (- (NUMERATOR (REALPART N))))) (NOT (ZP K))) (< 1 (IMAGPART N))). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX R I), (REALPART N) by R and (IMAGPART N) by I and restrict the type of the new variable R to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/10.12.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (NOT (INTEGERP (REALPART N))) (< (NUMERATOR (REALPART N)) 0) (EQUAL (- (IMAGPART N)) (+ (DENOMINATOR (REALPART N)) (- (NUMERATOR (REALPART N))))) (NOT (ZP K))) (< 1 (IMAGPART N))). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.12.1 (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX R I)) (NOT (CONSP (COMPLEX R I))) (NOT (RATIONALP (COMPLEX R I))) (COMPLEX-RATIONALP (COMPLEX R I)) (INTEGERP I) (< I 0) (NOT (INTEGERP R)) (< (NUMERATOR R) 0) (EQUAL (- I) (+ (DENOMINATOR R) (- (NUMERATOR R)))) (NOT (ZP K))) (< 1 I)). By case analysis we reduce the conjecture to Subgoal *1/10.12.1' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX R I)) (NOT (CONSP (COMPLEX R I))) (NOT (RATIONALP (COMPLEX R I))) (COMPLEX-RATIONALP (COMPLEX R I)) (INTEGERP I) (< I 0) (< (NUMERATOR R) 0) (EQUAL (- I) (+ (DENOMINATOR R) (- (NUMERATOR R)))) (NOT (ZP K))) (< 1 I)). This simplifies, using primitive type reasoning, to Subgoal *1/10.12.1'' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP (COMPLEX R I))) (COMPLEX-RATIONALP (COMPLEX R I)) (INTEGERP I) (< I 0) (< (NUMERATOR R) 0) (EQUAL (- I) (+ (DENOMINATOR R) (- (NUMERATOR R)))) (NOT (ZP K))) (< 1 I)). We generalize this conjecture, replacing (NUMERATOR R) by J and (COMPLEX R I) by Z and restricting the type of the new variable J to be that of the term it replaces, as established by primitive type reasoning. This produces Subgoal *1/10.12.1''' (IMPLIES (AND (INTEGERP J) (< J 0) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (EQUAL (- I) (+ (DENOMINATOR R) (- J))) (NOT (ZP K))) (< 1 I)). This simplifies, using the :rewrite rule COMMUTATIVITY-OF-+, to Subgoal *1/10.12.1'4' (IMPLIES (AND (INTEGERP J) (< J 0) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (EQUAL (- I) (+ (- J) (DENOMINATOR R))) (NOT (ZP K))) (< 1 I)). We suspect that the term (NOT (ZP K)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/10.12.1'5' (IMPLIES (AND (INTEGERP J) (< J 0) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP Z)) (COMPLEX-RATIONALP Z) (INTEGERP I) (< I 0) (EQUAL (- I) (+ (- J) (DENOMINATOR R)))) (< 1 I)). Name the formula above *1.6. Subgoal *1/10.11 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (NOT (INTEGERP (REALPART N))) (< (NUMERATOR (REALPART N)) 0) (EQUAL (IMAGPART N) (+ (DENOMINATOR (REALPART N)) (- (NUMERATOR (REALPART N))))) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). The destructor terms (REALPART N) and (IMAGPART N) can be eliminated by using REALPART-IMAGPART-ELIM to replace N by (COMPLEX R I), (REALPART N) by R and (IMAGPART N) by I and restrict the type of the new variable R to be that of the term it replaces, as established by primitive type reasoning. This produces the following two goals. Subgoal *1/10.11.2 (IMPLIES (AND (NOT (ACL2-NUMBERP N)) (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (NOT (INTEGERP (REALPART N))) (< (NUMERATOR (REALPART N)) 0) (EQUAL (IMAGPART N) (+ (DENOMINATOR (REALPART N)) (- (NUMERATOR (REALPART N))))) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)). But we reduce the conjecture to T, by case analysis. Subgoal *1/10.11.1 (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX R I)) (NOT (CONSP (COMPLEX R I))) (NOT (RATIONALP (COMPLEX R I))) (COMPLEX-RATIONALP (COMPLEX R I)) (INTEGERP I) (<= 0 I) (NOT (INTEGERP R)) (< (NUMERATOR R) 0) (EQUAL I (+ (DENOMINATOR R) (- (NUMERATOR R)))) (NOT (ZP K)) (< 0 I)) (< (+ 1 I) 0)). By case analysis we reduce the conjecture to Subgoal *1/10.11.1' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (ACL2-NUMBERP (COMPLEX R I)) (NOT (CONSP (COMPLEX R I))) (NOT (RATIONALP (COMPLEX R I))) (COMPLEX-RATIONALP (COMPLEX R I)) (INTEGERP I) (<= 0 I) (< (NUMERATOR R) 0) (EQUAL I (+ (DENOMINATOR R) (- (NUMERATOR R)))) (NOT (ZP K)) (< 0 I)) (< (+ 1 I) 0)). This simplifies, using primitive type reasoning and the :rewrite rules <-+-NEGATIVE-0-2 and <-0-+-NEGATIVE-2, to Subgoal *1/10.11.1'' (IMPLIES (AND (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP (COMPLEX R (+ (DENOMINATOR R) (- (NUMERATOR R)))))) (COMPLEX-RATIONALP (COMPLEX R (+ (DENOMINATOR R) (- (NUMERATOR R))))) (<= (NUMERATOR R) (DENOMINATOR R)) (< (NUMERATOR R) 0) (NOT (ZP K)) (< (NUMERATOR R) (DENOMINATOR R))) (< (+ 1 (DENOMINATOR R) (- (NUMERATOR R))) 0)). We generalize this conjecture, replacing (NUMERATOR R) by J and (DENOMINATOR R) by L and restricting the types of the new variables J and L to be those of the terms they replace, as established by primitive type reasoning. This produces Subgoal *1/10.11.1''' (IMPLIES (AND (INTEGERP J) (< J 0) (INTEGERP L) (< 0 L) (RATIONALP R) (NOT (INTEGERP R)) (NOT (RATIONALP (COMPLEX R (+ L (- J))))) (COMPLEX-RATIONALP (COMPLEX R (+ L (- J)))) (<= J L) (NOT (ZP K)) (< J L)) (< (+ 1 L (- J)) 0)). ACL2 Error in STEP-LIMIT: The prover step-limit, which is 10000 in the current context, has been exceeded. See :DOC set-prover-step- limit. ACL2 Error in ( DEFUN ACK ...): The proof of the measure conjecture for ACK has failed. Summary Form: ( DEFUN ACK ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER) (:DEFINITION ACL2-COUNT) (:DEFINITION D<) (:DEFINITION FIX) (:DEFINITION INTEGER-ABS) (:DEFINITION L<) (:DEFINITION LEN) (:DEFINITION LENGTH) (:DEFINITION LEXP) (:DEFINITION NATP-LISTP) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION SYNP) (:ELIM REALPART-IMAGPART-ELIM) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP-LISTP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ACL2-COUNT) (:META CANCEL_PLUS-EQUAL-CORRECT) (:META CANCEL_PLUS-LESSP-CORRECT) (:REWRITE <-+-NEGATIVE-0-1) (:REWRITE <-+-NEGATIVE-0-2) (:REWRITE <-0-+-NEGATIVE-2) (:REWRITE <-0-MINUS) (:REWRITE <-MINUS-ZERO) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE COMMUTATIVITY-OF-+) (:REWRITE EQUAL-MINUS-MINUS) (:REWRITE ZP-OPEN) (:TYPE-PRESCRIPTION ACL2-COUNT) (:TYPE-PRESCRIPTION LEN)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION ACL2-COUNT) (:DEFINITION INTEGER-ABS)) Time: 0.10 seconds (prove: 0.06, print: 0.04, other: 0.00) Prover steps counted: More than 10000 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Subgoal 1' (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= M (ACL2-COUNT N))) (EQUAL (ACL2-COUNT N) M)) *** Key checkpoints under a top-level induction *** Subgoal *1/11' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N) (NOT (ZP K)) (NOT (ZP M)) (<= M (LEN (COERCE N 'LIST)))) (EQUAL (LEN (COERCE N 'LIST)) M)) Subgoal *1/10.16'' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (< (IMAGPART N) 0) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (REALPART N)) (NOT (ZP K))) (< 1 (IMAGPART N))) Subgoal *1/10.15 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (INTEGERP (IMAGPART N)) (<= 0 (IMAGPART N)) (INTEGERP (REALPART N)) (< (REALPART N) 0) (EQUAL (IMAGPART N) (- (REALPART N))) (NOT (ZP K)) (< 0 (IMAGPART N))) (< (+ 1 (IMAGPART N)) 0)) Note: There are four additional key checkpoints under a top-level induction. See :DOC set-checkpoint-summary-limit to change the number printed. ACL2 Error in ( DEFUN ACK ...): The proof of the measure conjecture for ACK has failed. See :DOC failure. ******** FAILED ******** For the admission of ACK we will use the relation L< (which, by WELL-FOUNDED-L<, is known to be well-founded on the domain recognized by LEXP) and the measure (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))). The non-trivial part of the measure conjecture is Goal (AND (LEXP (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (L< (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M)))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))) (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M))) (L< (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))))). By the simple :definitions L< and LEXP we reduce the conjecture to the following three conjectures. Subgoal 3 (IMPLIES (NOT (NATP (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))) (AND (CONSP (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (NATP-LISTP (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definitions NATP-LISTP and NFIX, the :executable-counterpart of NATP-LISTP, primitive type reasoning, the :rewrite rules CAR-CONS and CDR-CONS and the :type-prescription rule ACL2-COUNT. Subgoal 2 (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M))))))) (AND (EQUAL (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M))))) (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))) (IF (CONSP (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M))))) (D< (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M)))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (< (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT (+ -1 M)))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))))). But simplification reduces this to T, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT, D<, INTEGER-ABS, LEN and NFIX, the :executable-counterparts of <, BINARY-+, EQUAL and LEN, primitive type reasoning, the :meta rule CANCEL_PLUS-LESSP-CORRECT and the :rewrite rules <-+-NEGATIVE-0-1, CAR-CONS and CDR-CONS. Subgoal 1 (IMPLIES (AND (NOT (ZP K)) (NOT (ZP M)) (<= (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (LEN (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N)))))) (AND (EQUAL (LEN (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N)))) (LEN (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))) (IF (CONSP (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N)))) (D< (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M)))) (< (LIST (NFIX (ACL2-COUNT (+ -1 K))) (NFIX (ACL2-COUNT N))) (LIST (NFIX (ACL2-COUNT K)) (NFIX (ACL2-COUNT M))))))). But simplification reduces this to T, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definitions ACL2-COUNT, D<, INTEGER-ABS, LEN and NFIX, the :executable-counterparts of <, BINARY-+, EQUAL and LEN, primitive type reasoning, the :meta rule CANCEL_PLUS-LESSP-CORRECT, the :rewrite rules <-+-NEGATIVE-0-1, CAR-CONS and CDR-CONS and the :type-prescription rule ACL2-COUNT. Q.E.D. That completes the proof of the measure theorem for ACK. Thus, we admit this function under the principle of definition. We could deduce no constraints on the type of ACK. However, in normalizing the definition we used primitive type reasoning. Summary Form: ( DEFUN ACK ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER) (:DEFINITION ACL2-COUNT) (:DEFINITION D<) (:DEFINITION INTEGER-ABS) (:DEFINITION L<) (:DEFINITION LEN) (:DEFINITION LEXP) (:DEFINITION NATP-LISTP) (:DEFINITION NFIX) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP-LISTP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:META CANCEL_PLUS-LESSP-CORRECT) (:REWRITE <-+-NEGATIVE-0-1) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:TYPE-PRESCRIPTION ACL2-COUNT) (:WELL-FOUNDED-RELATION WELL-FOUNDED-L<)) Time: 0.02 seconds (prove: 0.01, print: 0.01, other: 0.00) Prover steps counted: 2974 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.31 seconds (prove: 0.21, print: 0.09, other: 0.02) Prover steps counted: 22976 ACK Summary Form: ( PROGN (TABLE MEASURE-PATTERNS ...) ...) Rules: NIL Time: 0.32 seconds (prove: 0.21, print: 0.09, other: 0.02) Prover steps counted: 22976 Summary Form: ( MAKE-EVENT (ER-LET* ...) ...) Rules: NIL Time: 0.34 seconds (prove: 0.23, print: 0.09, other: 0.03) Prover steps counted: 25739 ACK ACL2 !>(quote (back to talk)) (BACK TO TALK) ACL2 !>(include-book "m1-with-stobj") ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 414,283,632 bytes freed in 0.234207 s ;;; 53 soft faults, 0 faults, 0 pageins ACL2 Observation in NON-LINEAR-ARITHMETIC: To turn on non-linear arithmetic, execute : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT STABLE-UNDER-SIMPLIFICATIONP HIST PSPV))) or : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT++ ID STABLE-UNDER-SIMPLIFICATIONP HIST NIL))) See the README for more about non-linear arithmetic and general information about using this library. Summary Form: ( INCLUDE-BOOK "m1-with-stobj" ...) Rules: NIL Time: 0.87 seconds (prove: 0.00, print: 0.00, other: 0.87) "/Users/moore/m1-with-stobj.lisp" ACL2 !>(set-gag-mode :goals) ACL2 !>(in-package "M1") "M1" M1 !>(encapsulate nil (set-verify-guards-eagerness 0) (defmacro codewalker (&rest x) `(acl2::codewalker ,@x)) (defmacro defprojection (&rest x) `(acl2::defprojection ,@x)) (table acl2::generalized-updater-drivers :list '(((UPDATE-NTH I :VALUE :BASE) (NTH I :BASE)) ((wr loc :value :base) (rd loc :base)))) (table acl2::constructor-drivers :list '(((cons a b) (car :base) (cdr :base)))) (defun natp-listp (x) (if (endp x) (equal x nil) (and (natp (car x)) (natp-listp (cdr x))))) (defconst *pi* '((ICONST 0) ; 0 (ISTORE 2) ; 1 a $=$ 0; (ILOAD 0) ; 2 [loop:] (IFEQ 10) ; 3 if x$=$0 then go to end; (ILOAD 0) ; 4 (ICONST 1) ; 5 (ISUB) ; 6 (ISTORE 0) ; 7 x $=$ x-1; (ILOAD 1) ; 8 (ILOAD 2) ; 9 (IADD) ;10 (ISTORE 2) ;11 a $=$ y+a; (GOTO -10) ;12 go to loop (ILOAD 2) ;13 [end:] (HALT) ;14 ``return'' a )) (defun good-statep (s) (declare (xargs :stobjs (s))) (and (sp s) (natp (rd :pc s)) (< (rd :pc s) (len (rd :program s))) (< 16 (len (rd :locals s))) (natp-listp (rd :locals s)) (natp-listp (rd :stack s)) (equal (rd :program s) *pi*))) (defthm natp-listp-nth (implies (and (natp-listp x) (natp i) (< i (len x))) (natp (nth i x))) :rule-classes (:rewrite :type-prescription)) (defthm resolve-next-inst (implies (and (good-statep s) (natp i) (< i 15)) (equal (nth i (program s)) (nth i *pi*)))) (defthm natp-listp-update-nth (implies (and (natp i) (< i (len x)) (natp (nth i x))) (equal (natp-listp (update-nth i v x)) (and (natp v) (natp-listp x))))) (in-theory (disable natp-listp len nth update-nth)) ) To verify that the twelve encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(SET-VERIFY-GUARDS-EAGERNESS 0) 0 M1 !>>(DEFMACRO CODEWALKER (&REST X) (CONS 'ACL2::CODEWALKER X)) Summary Form: ( DEFMACRO CODEWALKER ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) CODEWALKER M1 !>>(DEFMACRO DEFPROJECTION (&REST X) (CONS 'ACL2::DEFPROJECTION X)) Summary Form: ( DEFMACRO DEFPROJECTION ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) DEFPROJECTION M1 !>>(TABLE ACL2::GENERALIZED-UPDATER-DRIVERS :LIST '(((UPDATE-NTH I :VALUE :BASE) (NTH I :BASE)) ((WR LOC :VALUE :BASE) (RD LOC :BASE)))) Summary Form: ( TABLE ACL2::GENERALIZED-UPDATER-DRIVERS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ACL2::GENERALIZED-UPDATER-DRIVERS M1 !>>(TABLE ACL2::CONSTRUCTOR-DRIVERS :LIST '(((CONS A B) (CAR :BASE) (CDR :BASE)))) Summary Form: ( TABLE ACL2::CONSTRUCTOR-DRIVERS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ACL2::CONSTRUCTOR-DRIVERS M1 !>>(DEFUN NATP-LISTP (X) (IF (ENDP X) (EQUAL X NIL) (AND (NATP (CAR X)) (NATP-LISTP (CDR X))))) The admission of NATP-LISTP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of NATP-LISTP is described by the theorem (OR (EQUAL (NATP-LISTP X) T) (EQUAL (NATP-LISTP X) NIL)). We used primitive type reasoning. Summary Form: ( DEFUN NATP-LISTP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NATP-LISTP M1 !>>(DEFCONST *PI* '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) Summary Form: ( DEFCONST *PI* ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) *PI* M1 !>>(DEFUN GOOD-STATEP (S) (DECLARE (XARGS :STOBJS (S))) (AND (SP S) (NATP (RD :PC S)) (< (RD :PC S) (LEN (RD :PROGRAM S))) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) *PI*))) Since GOOD-STATEP is non-recursive, its admission is trivial. We observe that the type of GOOD-STATEP is described by the theorem (OR (EQUAL (GOOD-STATEP S) T) (EQUAL (GOOD-STATEP S) NIL)). We used primitive type reasoning. (GOOD-STATEP S) => *. Summary Form: ( DEFUN GOOD-STATEP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) GOOD-STATEP M1 !>>(DEFTHM NATP-LISTP-NTH (IMPLIES (AND (NATP-LISTP X) (NATP I) (< I (LEN X))) (NATP (NTH I X))) :RULE-CLASSES (:REWRITE :TYPE-PRESCRIPTION)) ACL2 Observation in ( DEFTHM NATP-LISTP-NTH ...): Our heuristics choose (NTH I X) as the :TYPED-TERM. ACL2 Warning [Non-rec] in ( DEFTHM NATP-LISTP-NTH ...): A :REWRITE rule generated from NATP-LISTP-NTH will be triggered only by terms containing the non-recursive function symbol NATP. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Splitter note (see :DOC splitter) for Goal' (2 subgoals). if-intro: ((:DEFINITION NATP)) Subgoal 2 ([ A key checkpoint: Subgoal 2 (IMPLIES (AND (NATP-LISTP X) (INTEGERP I) (<= 0 I) (< I (LEN X))) (INTEGERP (NTH I X))) *1 (Subgoal 2) is pushed for proof by induction. ]) Subgoal 1 Subgoal 1' ([ A key checkpoint: Subgoal 1' (IMPLIES (AND (NATP-LISTP X) (INTEGERP I) (<= 0 I) (< I (LEN X)) (ACL2-NUMBERP (NTH I X))) (<= 0 (NTH I X))) Normally we would attempt to prove Subgoal 1' by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (NTH I X). This suggestion was produced using the :induction rules LEN, NATP-LISTP and NTH. If we let (:P I X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (NOT (ZP I)) (:P (+ -1 I) (CDR X))) (:P I X)) (IMPLIES (AND (NOT (ENDP X)) (ZP I)) (:P I X)) (IMPLIES (ENDP X) (:P I X))). This induction is justified by the same argument used to admit NTH. Note, however, that the unmeasured variable X is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Splitter note (see :DOC splitter) for Subgoal *1/3' (2 subgoals). if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP)) Subgoal *1/3.2 Subgoal *1/3.1 Subgoal *1/2 Subgoal *1/2' Subgoal *1/2'' Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. The storage of NATP-LISTP-NTH depends upon the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER and the :type-prescription rule NATP. Summary Form: ( DEFTHM NATP-LISTP-NTH ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::POSP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION ENDP) (:DEFINITION LEN) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION LEN) (:INDUCTION NATP-LISTP) (:INDUCTION NTH) (:REWRITE ACL2::NATP-POSP--1) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION NATP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP)) Warnings: Non-rec Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1532 NATP-LISTP-NTH M1 !>>(DEFTHM RESOLVE-NEXT-INST (IMPLIES (AND (GOOD-STATEP S) (NATP I) (< I 15)) (EQUAL (NTH I (PROGRAM S)) (NTH I *PI*)))) ACL2 Warning [Non-rec] in ( DEFTHM RESOLVE-NEXT-INST ...): A :REWRITE rule generated from RESOLVE-NEXT-INST will be triggered only by terms containing the non-recursive function symbol PROGRAM. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. Summary Form: ( DEFTHM RESOLVE-NEXT-INST ...) Rules: ((:DEFINITION GOOD-STATEP) (:DEFINITION NATP) (:DEFINITION PROGRAM) (:EXECUTABLE-COUNTERPART LEN)) Warnings: Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 247 RESOLVE-NEXT-INST M1 !>>(DEFTHM NATP-LISTP-UPDATE-NTH (IMPLIES (AND (NATP I) (< I (LEN X)) (NATP (NTH I X))) (EQUAL (NATP-LISTP (UPDATE-NTH I V X)) (AND (NATP V) (NATP-LISTP X))))) Goal' Splitter note (see :DOC splitter) for Goal' (3 subgoals). if-intro: ((:DEFINITION NATP) (:REWRITE ACL2::|(equal (if a b c) x)|)) Subgoal 3 ([ A key checkpoint: Subgoal 3 (IMPLIES (AND (INTEGERP I) (<= 0 I) (< I (LEN X)) (INTEGERP (NTH I X)) (<= 0 (NTH I X)) (NOT (INTEGERP V))) (NOT (NATP-LISTP (UPDATE-NTH I V X)))) *1 (Subgoal 3) is pushed for proof by induction. ]) Subgoal 2 ([ A key checkpoint: Subgoal 2 (IMPLIES (AND (INTEGERP I) (<= 0 I) (< I (LEN X)) (INTEGERP (NTH I X)) (<= 0 (NTH I X)) (INTEGERP V) (<= 0 V)) (EQUAL (NATP-LISTP X) (NATP-LISTP (UPDATE-NTH I V X)))) Normally we would attempt to prove Subgoal 2 by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) ]) Perhaps we can prove *1 by induction. Four induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (NATP-LISTP X), but modified to accommodate (UPDATE-NTH I V X). These suggestions were produced using the :induction rules LEN, NATP-LISTP, NTH and UPDATE-NTH. If we let (:P I V X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (NOT (NATP (CAR X)))) (:P I V X)) (IMPLIES (AND (NOT (ENDP X)) (NATP (CAR X)) (:P (+ -1 I) V (CDR X))) (:P I V X)) (IMPLIES (ENDP X) (:P I V X))). This induction is justified by the same argument used to admit NATP-LISTP. Note, however, that the unmeasured variable I is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/2' Splitter note (see :DOC splitter) for Subgoal *1/2' (12 subgoals). if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NTH) (:DEFINITION UPDATE-NTH) (:REWRITE ACL2::|(equal (if a b c) x)|)) Subgoal *1/2.12 Subgoal *1/2.11 Subgoal *1/2.10 Subgoal *1/2.9 Subgoal *1/2.8 Subgoal *1/2.7 Subgoal *1/2.6 Subgoal *1/2.6' Subgoal *1/2.5 Subgoal *1/2.4 Subgoal *1/2.4' Subgoal *1/2.3 Subgoal *1/2.2 Subgoal *1/2.2' Subgoal *1/2.1 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM NATP-LISTP-UPDATE-NTH ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION ENDP) (:DEFINITION LEN) (:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION POSP) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION LEN) (:INDUCTION NATP-LISTP) (:INDUCTION NTH) (:INDUCTION UPDATE-NTH) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE ACL2::DEFAULT-LESS-THAN-1) (:REWRITE ACL2::NATP-POSP--1) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION LEN)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION NATP) (:DEFINITION NATP-LISTP) (:DEFINITION NTH) (:DEFINITION UPDATE-NTH) (:REWRITE ACL2::|(equal (if a b c) x)|)) Time: 0.09 seconds (prove: 0.08, print: 0.01, other: 0.00) Prover steps counted: 7048 NATP-LISTP-UPDATE-NTH M1 !>>(IN-THEORY (DISABLE NATP-LISTP LEN NTH UPDATE-NTH)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 5519) End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. We export GOOD-STATEP and NATP-LISTP. Summary Form: ( ENCAPSULATE NIL (SET-VERIFY-GUARDS-EAGERNESS 0 ...) ...) Rules: NIL Warnings: Non-rec Time: 0.15 seconds (prove: 0.10, print: 0.01, other: 0.04) Prover steps counted: 8827 T M1 !>(acl2::simplify-under-hyps '((good-statep s) (equal (pc s) '2)) '(m1 s '11) acl2::state) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) (WR ':PC '14 (WR ':STACK (PUSH (NTH '2 (RD ':LOCALS S)) (RD ':STACK S)) S)) (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S)) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(codewalker :run M1 :svar s :stobjp t :hyps ((good-statep s)) :step STEP :init-pc 0 :get-pc (lambda (s) (rd ':pc s)) :put-pc (lambda (v s) (wr ':pc v s)) :clk+ binary-clk+) For the admission of ACL2::CODEWALKER-WRAPPER we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (NFIX (+ 100 (- (NFIX ACL2::CNT)))). The non-trivial part of the measure conjecture is Goal (AND (O-P (NFIX (+ 100 (- (NFIX ACL2::CNT))))) (IMPLIES (NOT (OR (NOT (NATP ACL2::CNT)) (<= 100 ACL2::CNT) (MEMBER-EQUAL (LET NIL (RD :PC S)) ACL2::RPATH) (AND ACL2::RPATH (MEMBER-EQUAL (LET NIL (RD :PC S)) ACL2::KNOWN-CUTPOINTS)))) (O< (NFIX (+ 100 (- (NFIX (+ 1 ACL2::CNT))))) (NFIX (+ 100 (- (NFIX ACL2::CNT))))))). Subgoal 2 Subgoal 1 Q.E.D. That completes the proof of the measure theorem for ACL2::CODEWALKER-WRAPPER. Thus, we admit this function under the principle of definition. We could deduce no constraints on the type of ACL2::CODEWALKER-WRAPPER. However, in normalizing the definition we used the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER and the :type-prescription rule MEMBER-EQUAL. Summary Form: ( DEFUN ACL2::CODEWALKER-WRAPPER ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::O-FINP-CR) (:DEFINITION NATP) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(- (- x))|) (:REWRITE ACL2::|(- (if a b c))|) (:REWRITE ACL2::|(< (- x) c)|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< c (- x))|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::NATP-RW) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::O-FINP-<) (:REWRITE ACL2::O-P-DEF-O-FINP-1) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-<) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:TYPE-PRESCRIPTION MEMBER-EQUAL) (:TYPE-PRESCRIPTION ACL2::|x < y => 0 < y-x|)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 859 Goal' Q.E.D. Summary Form: ( DEFTHM ACL2::CODEWALKER-WRAPPER-RULE-1 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION ACL2::CODEWALKER-WRAPPER) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART SYNP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1001 Goal' Q.E.D. Summary Form: ( DEFTHM ACL2::CODEWALKER-WRAPPER-RULE-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION ACL2::CODEWALKER-WRAPPER) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART SYNP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1271 M1 !>>(SET-VERIFY-GUARDS-EAGERNESS 0) 0 M1 !>>(ACL2::DEFUNM-NX CLK-FROM-2 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) '3 (BINARY-CLK+ '11 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) '0)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) We updated the measure patterns database by adding two patterns named ACL2::PRIME-FACTORS-2. To see the new database evaluate (TABLE ACL2::MEASURE-PATTERNS :LIST). From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED))) (67 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '2 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! M1 !>>(TABLE ACL2::MEASURE-PATTERNS :LIST '((ACL2::MEASURE-PATTERN ACL2::PRIME-FACTORS-2 (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N)) (ACL2::N ACL2::I) ((INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME)))) ((:SLOT ACL2::I (BINARY-+ '1 ACL2::I))) NIL < ((:MEASURE (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N))) (INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME))) (:SLOT ACL2::I (BINARY-+ '1 ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::PRIME-FACTORS-2 (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N)) (ACL2::N ACL2::I) ((INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME)))) ((:SLOT ACL2::N (BINARY-* ACL2::N (UNARY-/ ACL2::ITH-PRIME)))) NIL < ((:MEASURE (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N))) (INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME))) (:SLOT ACL2::N (BINARY-* ACL2::N (UNARY-/ ACL2::ITH-PRIME))))) (ACL2::MEASURE-PATTERN ACL2::FOO (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX ACL2::J)))) (ACL2::J MAX) ((NATP ACL2::J) (NATP MAX) (< ACL2::J MAX)) ((:SLOT ACL2::J (BINARY-+ ACL2::J '2)) (:SLOT MAX (BINARY-+ MAX '1))) NIL < ((:MEASURE (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX ACL2::J))))) (NATP ACL2::J) (NATP MAX) (< ACL2::J MAX) (:SLOT ACL2::J (BINARY-+ ACL2::J '2)) (:SLOT MAX (BINARY-+ MAX '1)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-NON-ZP-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((NOT (ZP ACL2::I))) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (NOT (ZP ACL2::I)) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-NON-0-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((NOT (EQUAL ACL2::I '0))) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (NOT (EQUAL ACL2::I '0)) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-POSITIVE-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((< '0 ACL2::I)) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (< '0 ACL2::I) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::COUNTING-UP-WITH-ZP-TRICK (NFIX (- MAX ACL2::I)) (ACL2::I MAX) ((NOT (ZP (BINARY-+ MAX (UNARY-- ACL2::I))))) ((:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I))) ((:CONSTANT ':POSINT ACL2::NEGINT)) < ((:MEASURE (NFIX (- MAX ACL2::I))) (:CONSTANT ':POSINT ACL2::NEGINT) (NOT (ZP (BINARY-+ MAX (UNARY-- ACL2::I)))) (:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::COUNTING-UP-WITH-<-TEST (NFIX (- (IFIX MAX) (IFIX ACL2::I))) (ACL2::I MAX) ((< ACL2::I MAX)) ((:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I))) ((:CONSTANT ':POSINT ACL2::NEGINT)) < ((:MEASURE (NFIX (- (IFIX MAX) (IFIX ACL2::I)))) (:CONSTANT ':POSINT ACL2::NEGINT) (< ACL2::I MAX) (:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CDR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) ((CONSP ACL2::X)) ((:SLOT ACL2::X (CDR ACL2::X))) NIL < ((:MEASURE (ACL2-COUNT ACL2::X)) (CONSP ACL2::X) (:SLOT ACL2::X (CDR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CAR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) ((CONSP ACL2::X)) ((:SLOT ACL2::X (CAR ACL2::X))) NIL < ((:MEASURE (ACL2-COUNT ACL2::X)) (CONSP ACL2::X) (:SLOT ACL2::X (CAR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CDR-WEAK (ACL2-COUNT ACL2::X) (ACL2::X) NIL ((:SLOT ACL2::X (CDR ACL2::X))) NIL <= ((:MEASURE (ACL2-COUNT ACL2::X)) (:SLOT ACL2::X (CDR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CAR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) NIL ((:SLOT ACL2::X (CAR ACL2::X))) NIL <= ((:MEASURE (ACL2-COUNT ACL2::X)) (:SLOT ACL2::X (CAR ACL2::X)))))) Summary Form: ( TABLE ACL2::MEASURE-PATTERNS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ACL2::MEASURE-PATTERNS M1 !>>(MAKE-EVENT '(:OR (ACL2::DEFUNM-WRAPPER (DEFUN-NX CLK-FROM-2 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) '3 (BINARY-CLK+ '11 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) '0))) (ACL2::DEFUNM-WRAPPER (DEFUN-NX CLK-FROM-2 (S) (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) '3 (BINARY-CLK+ '11 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) '0))) (ACL2::DEFUNM-WRAPPER (DEFUN-NX CLK-FROM-2 (S) (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '2 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) '3 (BINARY-CLK+ '11 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) '0))) (ACL2::DEFUNM-ERROR (CONS 'ACL2::DEFUNM-NX 'CLK-FROM-2) "We guessed the following ~#0~[possible justification for ~x2 and ~ it could not be proved~/~x1 possible justifications for ~x2, listed ~ from those deemed most likely to those deemed least likely, and none ~ of them could be proved~]. It is possible your definition does not ~ terminate. But if it does, you have three options. One is to prove ~ enough lemmas to make ACL2 to prove that ~#0~[the measure~/one of ~ the measures~] shown below actually decreases. The second is to edit ~ the MEASURE-PATTERNS table so that some pattern suggests a provable ~ measure; execute (edit-measure-patterns-table) for instructions. ~ Then try your ~x5 again. The third option is to use DEFUN ~ instead of ~x5 and explicitly specify a provable measure.~%~%~ Measure Guesses (in order of deemed likelihood):~%~%~X34~%" (IF (NULL (CDR (@ ACL2::RANKED-MEASURE-DCLS))) 0 1) (LEN (@ ACL2::RANKED-MEASURE-DCLS)) 'CLK-FROM-2 (@ ACL2::RANKED-MEASURE-DCLS) NIL (IF (EQ ACL2::DEFUN-FLAVOR 'DEFUN) 'ACL2::DEFUNM 'ACL2::DEFUNM-NX)))) For the admission of CLK-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT S). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))). Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ACL2-COUNT S). This suggestion was produced using the :induction rule ACL2-COUNT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S)) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (COMPLEX-RATIONALP S) (:P (REALPART S)) (:P (IMAGPART S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (RATIONALP S) (NOT (INTEGERP S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (RATIONALP S) (INTEGERP S)) (:P S)) (IMPLIES (AND (CONSP S) (:P (CAR S)) (:P (CDR S))) (:P S))). This induction is justified by the same argument used to admit ACL2-COUNT. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. However, to achieve this relatively small number of cases we had to fold *1 into a single IF-expression. Had we left it as a set of clauses this induction would have produced approximately 204 cases! Chances are that this proof attempt is about to blow up in your face (and all over our memory boards). Subgoal *1/6 Subgoal *1/6' Subgoal *1/6'' Subgoal *1/6''' Subgoal *1/6'4' ([ A key checkpoint while proving *1 (descended from Goal''): Subgoal *1/6'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S)) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) *1.1 (Subgoal *1/6'4') is pushed for proof by induction. ]) Subgoal *1/5 Subgoal *1/5' Subgoal *1/5'' Subgoal *1/5''' Subgoal *1/5'4' Subgoal *1/5'5' Subgoal *1/5'6' ([ A key checkpoint while proving *1 (descended from Goal''): Subgoal *1/5'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (LEN (COERCE S 'LIST)))) *1.2 (Subgoal *1/5'6') is pushed for proof by induction. ]) Subgoal *1/4 Subgoal *1/4' ACL2 Error in STEP-LIMIT: The prover step-limit, which is 10000 in the current context, has been exceeded. See :DOC set-prover-step- limit. ACL2 Error in ( DEFUN CLK-FROM-2 ...): The proof of the measure conjecture for CLK-FROM-2 has failed. Summary Form: ( DEFUN CLK-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION GOOD-STATEP) (:DEFINITION LENGTH) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ACL2-COUNT) (:REWRITE ACL2::O-P-DEF-O-FINP-1) (:REWRITE ACL2::|~(a<0)|) (:TYPE-PRESCRIPTION ACL2-COUNT) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH)) Time: 0.15 seconds (prove: 0.14, print: 0.01, other: 0.00) Prover steps counted: More than 10000 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))) *** Key checkpoints under a top-level induction *** Subgoal *1/6'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S)) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) Subgoal *1/5'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (LEN (COERCE S 'LIST)))) ACL2 Error in ( DEFUN CLK-FROM-2 ...): The proof of the measure conjecture for CLK-FROM-2 has failed. See :DOC failure. ******** FAILED ******** For the admission of CLK-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT (NTH 0 (RD :LOCALS S))). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (NTH 0 (RD :LOCALS (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))))) (ACL2-COUNT (NTH 0 (RD :LOCALS S))))). Goal' Q.E.D. That completes the proof of the measure theorem for CLK-FROM-2. Thus, we admit this function under the principle of definition. We observe that the type of CLK-FROM-2 is described by the theorem (AND (INTEGERP (CLK-FROM-2 S)) (<= 0 (CLK-FROM-2 S))). We used the :type-prescription rule BINARY-CLK+. (CLK-FROM-2 S) => *. Summary Form: ( DEFUN CLK-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION GOOD-STATEP) (:DEFINITION INTEGER-ABS) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::<-+-NEGATIVE-0-1) (:REWRITE NTH-UPDATE-NTH) (:REWRITE ACL2::O-FINP-<) (:REWRITE RD-WR) (:TYPE-PRESCRIPTION BINARY-CLK+) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 644 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.17 seconds (prove: 0.15, print: 0.01, other: 0.01) Prover steps counted: 10645 CLK-FROM-2 Summary Form: ( PROGN (TABLE ACL2::MEASURE-PATTERNS ...) ...) Rules: NIL Time: 0.19 seconds (prove: 0.15, print: 0.01, other: 0.03) Prover steps counted: 10645 Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.87 seconds (prove: 0.82, print: 0.01, other: 0.04) Prover steps counted: 37623 CLK-FROM-2 M1 !>>(ACL2::DEFUNM-NX CLK-FROM-0 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (BINARY-CLK+ '2 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '2 '0 (RD ':LOCALS S)) S)))) '0)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) We updated the measure patterns database by adding a pattern named CLK-FROM-2. To see the new database evaluate (TABLE ACL2::MEASURE-PATTERNS :LIST). From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. NIL However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! M1 !>>(TABLE ACL2::MEASURE-PATTERNS :LIST '((ACL2::MEASURE-PATTERN CLK-FROM-2 (ACL2-COUNT (NTH '0 (RD ':LOCALS S))) (S) ((GOOD-STATEP S) (NOT (EQUAL (NTH '0 (RD ':LOCALS S)) '0))) ((:SLOT S (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S)))) NIL < ((:MEASURE (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) (GOOD-STATEP S) (NOT (EQUAL (NTH '0 (RD ':LOCALS S)) '0)) (:SLOT S (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) (ACL2::MEASURE-PATTERN ACL2::PRIME-FACTORS-2 (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N)) (ACL2::N ACL2::I) ((INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME)))) ((:SLOT ACL2::I (BINARY-+ '1 ACL2::I))) NIL < ((:MEASURE (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N))) (INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME))) (:SLOT ACL2::I (BINARY-+ '1 ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::PRIME-FACTORS-2 (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N)) (ACL2::N ACL2::I) ((INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME)))) ((:SLOT ACL2::N (BINARY-* ACL2::N (UNARY-/ ACL2::ITH-PRIME)))) NIL < ((:MEASURE (NFIX (BINARY-+ (BINARY-+ '1001 (UNARY-- ACL2::I)) ACL2::N))) (INTEGERP ACL2::ITH-PRIME) (INTEGERP ACL2::N) (< ACL2::I '1000) (NOT (ZP ACL2::I)) (NOT (< ACL2::ITH-PRIME '2)) (NOT (< ACL2::N (BINARY-* ACL2::ITH-PRIME ACL2::ITH-PRIME))) (:SLOT ACL2::N (BINARY-* ACL2::N (UNARY-/ ACL2::ITH-PRIME))))) (ACL2::MEASURE-PATTERN ACL2::FOO (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX ACL2::J)))) (ACL2::J MAX) ((NATP ACL2::J) (NATP MAX) (< ACL2::J MAX)) ((:SLOT ACL2::J (BINARY-+ ACL2::J '2)) (:SLOT MAX (BINARY-+ MAX '1))) NIL < ((:MEASURE (NFIX (BINARY-+ (IFIX MAX) (UNARY-- (IFIX ACL2::J))))) (NATP ACL2::J) (NATP MAX) (< ACL2::J MAX) (:SLOT ACL2::J (BINARY-+ ACL2::J '2)) (:SLOT MAX (BINARY-+ MAX '1)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-NON-ZP-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((NOT (ZP ACL2::I))) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (NOT (ZP ACL2::I)) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-NON-0-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((NOT (EQUAL ACL2::I '0))) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (NOT (EQUAL ACL2::I '0)) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::TESTED-POSITIVE-AND-DECREMENTED (ACL2-COUNT ACL2::I) (ACL2::I) ((< '0 ACL2::I)) ((:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I))) ((:CONSTANT ':NEGINT ACL2::NEGINT)) < ((:MEASURE (ACL2-COUNT ACL2::I)) (:CONSTANT ':NEGINT ACL2::NEGINT) (< '0 ACL2::I) (:SLOT ACL2::I (BINARY-+ ACL2::NEGINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::COUNTING-UP-WITH-ZP-TRICK (NFIX (- MAX ACL2::I)) (ACL2::I MAX) ((NOT (ZP (BINARY-+ MAX (UNARY-- ACL2::I))))) ((:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I))) ((:CONSTANT ':POSINT ACL2::NEGINT)) < ((:MEASURE (NFIX (- MAX ACL2::I))) (:CONSTANT ':POSINT ACL2::NEGINT) (NOT (ZP (BINARY-+ MAX (UNARY-- ACL2::I)))) (:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::COUNTING-UP-WITH-<-TEST (NFIX (- (IFIX MAX) (IFIX ACL2::I))) (ACL2::I MAX) ((< ACL2::I MAX)) ((:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I))) ((:CONSTANT ':POSINT ACL2::NEGINT)) < ((:MEASURE (NFIX (- (IFIX MAX) (IFIX ACL2::I)))) (:CONSTANT ':POSINT ACL2::NEGINT) (< ACL2::I MAX) (:SLOT ACL2::I (BINARY-+ ACL2::POSINT ACL2::I)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CDR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) ((CONSP ACL2::X)) ((:SLOT ACL2::X (CDR ACL2::X))) NIL < ((:MEASURE (ACL2-COUNT ACL2::X)) (CONSP ACL2::X) (:SLOT ACL2::X (CDR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CAR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) ((CONSP ACL2::X)) ((:SLOT ACL2::X (CAR ACL2::X))) NIL < ((:MEASURE (ACL2-COUNT ACL2::X)) (CONSP ACL2::X) (:SLOT ACL2::X (CAR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CDR-WEAK (ACL2-COUNT ACL2::X) (ACL2::X) NIL ((:SLOT ACL2::X (CDR ACL2::X))) NIL <= ((:MEASURE (ACL2-COUNT ACL2::X)) (:SLOT ACL2::X (CDR ACL2::X)))) (ACL2::MEASURE-PATTERN ACL2::RECURSION-BY-CAR-STRONG (ACL2-COUNT ACL2::X) (ACL2::X) NIL ((:SLOT ACL2::X (CAR ACL2::X))) NIL <= ((:MEASURE (ACL2-COUNT ACL2::X)) (:SLOT ACL2::X (CAR ACL2::X)))))) Summary Form: ( TABLE ACL2::MEASURE-PATTERNS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ACL2::MEASURE-PATTERNS M1 !>>(MAKE-EVENT '(:OR (ACL2::DEFUNM-WRAPPER (DEFUN-NX CLK-FROM-0 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (BINARY-CLK+ '2 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '2 '0 (RD ':LOCALS S)) S)))) '0))) (ACL2::DEFUNM-ERROR (CONS 'ACL2::DEFUNM-NX 'CLK-FROM-0) "We found no suggested measures for ~x0. It is possible that ~ your definition does not terminate. But if it does, the current ~ measure patterns table is inadequate for justifying it. You have ~ two options. One is to edit the MEASURE-PATTERNS table so that ~ it suggests a provable measure. The current table is shown ~ below, embedded in a form that sets the table to its current ~ value. To change the table, edit and then evaluate the form. ~ Then try your ~x3 again. The other option is to use DEFUN ~ instead of ~x3 and explicitly specify a provable ~ measure.~%~%Measure Table (from which measure guesses are ~ generated):~%~X12~%" 'CLK-FROM-0 (CONS 'TABLE (CONS 'ACL2::MEASURE-PATTERNS (CONS ':LIST (CONS (CONS 'LIST (ACL2::PRETTYIFY-MEASURE-PATTERN-LST (CDR (ASSOC-EQ :LIST (TABLE-ALIST 'ACL2::MEASURE-PATTERNS (W STATE)))))) 'NIL)))) NIL (IF (EQ ACL2::DEFUN-FLAVOR 'DEFUN) 'ACL2::DEFUNM 'ACL2::DEFUNM-NX)))) Since CLK-FROM-0 is non-recursive, its admission is trivial. We observe that the type of CLK-FROM-0 is described by the theorem (AND (INTEGERP (CLK-FROM-0 S)) (<= 0 (CLK-FROM-0 S))). We used the :type-prescription rule BINARY-CLK+. (CLK-FROM-0 S) => *. Summary Form: ( DEFUN CLK-FROM-0 ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) CLK-FROM-0 Summary Form: ( PROGN (TABLE ACL2::MEASURE-PATTERNS ...) ...) Rules: NIL Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.06 seconds (prove: 0.03, print: 0.00, other: 0.03) Prover steps counted: 2641 CLK-FROM-0 M1 !>>(ACL2::DEFUNM-NX SEM-FROM-2 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) (WR ':PC '14 (WR ':STACK (PUSH (NTH '2 (RD ':LOCALS S)) (RD ':STACK S)) S)) (SEM-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S)))) S)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED CLK-FROM-2))) (67 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '2 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! For the admission of SEM-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT S). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))). Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ACL2-COUNT S). This suggestion was produced using the :induction rule ACL2-COUNT. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S)) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (COMPLEX-RATIONALP S) (:P (REALPART S)) (:P (IMAGPART S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (RATIONALP S) (NOT (INTEGERP S))) (:P S)) (IMPLIES (AND (NOT (CONSP S)) (RATIONALP S) (INTEGERP S)) (:P S)) (IMPLIES (AND (CONSP S) (:P (CAR S)) (:P (CDR S))) (:P S))). This induction is justified by the same argument used to admit ACL2-COUNT. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. However, to achieve this relatively small number of cases we had to fold *1 into a single IF-expression. Had we left it as a set of clauses this induction would have produced approximately 204 cases! Chances are that this proof attempt is about to blow up in your face (and all over our memory boards). Subgoal *1/6 Subgoal *1/6' Subgoal *1/6'' Subgoal *1/6''' Subgoal *1/6'4' ([ A key checkpoint while proving *1 (descended from Goal''): Subgoal *1/6'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S)) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) *1.1 (Subgoal *1/6'4') is pushed for proof by induction. ]) Subgoal *1/5 Subgoal *1/5' Subgoal *1/5'' Subgoal *1/5''' Subgoal *1/5'4' Subgoal *1/5'5' Subgoal *1/5'6' ([ A key checkpoint while proving *1 (descended from Goal''): Subgoal *1/5'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (LEN (COERCE S 'LIST)))) *1.2 (Subgoal *1/5'6') is pushed for proof by induction. ]) Subgoal *1/4 Subgoal *1/4' ACL2 Error in STEP-LIMIT: The prover step-limit, which is 10000 in the current context, has been exceeded. See :DOC set-prover-step- limit. ACL2 Error in ( DEFUN SEM-FROM-2 ...): The proof of the measure conjecture for SEM-FROM-2 has failed. Summary Form: ( DEFUN SEM-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION GOOD-STATEP) (:DEFINITION LENGTH) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ACL2-COUNT) (:REWRITE ACL2::O-P-DEF-O-FINP-1) (:REWRITE ACL2::|~(a<0)|) (:TYPE-PRESCRIPTION ACL2-COUNT) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH)) Time: 0.16 seconds (prove: 0.15, print: 0.01, other: 0.00) Prover steps counted: More than 10000 --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (ACL2-COUNT S))) *** Key checkpoints under a top-level induction *** Subgoal *1/6'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (NOT (STRINGP S)) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) Subgoal *1/5'' (IMPLIES (AND (NOT (CONSP S)) (NOT (RATIONALP S)) (NOT (COMPLEX-RATIONALP S)) (STRINGP S) (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))) (LEN (COERCE S 'LIST)))) ACL2 Error in ( DEFUN SEM-FROM-2 ...): The proof of the measure conjecture for SEM-FROM-2 has failed. See :DOC failure. ******** FAILED ******** For the admission of SEM-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT (NTH 0 (RD :LOCALS S))). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0))) (O< (ACL2-COUNT (NTH 0 (RD :LOCALS (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S))))) (ACL2-COUNT (NTH 0 (RD :LOCALS S))))). Goal' Q.E.D. That completes the proof of the measure theorem for SEM-FROM-2. Thus, we admit this function under the principle of definition. We could deduce no constraints on the type of SEM-FROM-2. (SEM-FROM-2 S) => *. Summary Form: ( DEFUN SEM-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::O-FINP-CR) (:DEFINITION ACL2-COUNT) (:DEFINITION GOOD-STATEP) (:DEFINITION INTEGER-ABS) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::<-+-NEGATIVE-0-1) (:REWRITE NTH-UPDATE-NTH) (:REWRITE ACL2::O-FINP-<) (:REWRITE RD-WR) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 644 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.18 seconds (prove: 0.16, print: 0.01, other: 0.01) Prover steps counted: 10645 Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.20 seconds (prove: 0.16, print: 0.01, other: 0.03) Prover steps counted: 10645 SEM-FROM-2 M1 !>>(ACL2::DEFUNM-NX SEM-FROM-0 (S) (DECLARE (XARGS :STOBJS (S))) (IF (GOOD-STATEP S) (SEM-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '2 '0 (RD ':LOCALS S)) S))) S)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. NIL However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! Since SEM-FROM-0 is non-recursive, its admission is trivial. We could deduce no constraints on the type of SEM-FROM-0. (SEM-FROM-0 S) => *. Summary Form: ( DEFUN SEM-FROM-0 ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.04 seconds (prove: 0.03, print: 0.00, other: 0.01) Prover steps counted: 2641 SEM-FROM-0 M1 !>>(DEFTHM SEM-FROM-2-CORRECT (IMPLIES (AND (GOOD-STATEP S) (EQUAL ((LAMBDA (S) (RD ':PC S)) S) '2)) (EQUAL (M1 S (CLK-FROM-2 S)) (SEM-FROM-2 S)))) Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2)) (EQUAL (M1 S (CLK-FROM-2 S)) (SEM-FROM-2 S))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (SEM-FROM-2 S). This suggestion was produced using the :induction rules CLK-FROM-2 and SEM-FROM-2. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (GOOD-STATEP S)) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)))) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P S))). This induction is justified by the same argument used to admit SEM-FROM-2. When applied to the goal at hand the above induction scheme produces nine nontautological subgoals. Subgoal *1/9 Subgoal *1/8 Subgoal *1/8' Subgoal *1/7 Subgoal *1/7' Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/5' Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM SEM-FROM-2-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION CLK-FROM-2) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION SEM-FROM-2) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART UNARY--) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION CLK-FROM-2) (:INDUCTION SEM-FROM-2) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.09 seconds (prove: 0.08, print: 0.01, other: 0.00) Prover steps counted: 11213 SEM-FROM-2-CORRECT M1 !>>(IN-THEORY (DISABLE CLK-FROM-2)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 5532) M1 !>>(DEFTHM SEM-FROM-0-CORRECT (IMPLIES (AND (GOOD-STATEP S) (EQUAL ((LAMBDA (S) (RD ':PC S)) S) '0)) (EQUAL (M1 S (CLK-FROM-0 S)) (SEM-FROM-0 S)))) ACL2 Warning [Non-rec] in ( DEFTHM SEM-FROM-0-CORRECT ...): A :REWRITE rule generated from SEM-FROM-0-CORRECT will be triggered only by terms containing the non-recursive function symbol CLK-FROM-0. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. Summary Form: ( DEFTHM SEM-FROM-0-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION CLK-FROM-0) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION GOOD-STATEP) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION SEM-FROM-0) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SEM-FROM-2-CORRECT) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 2723 SEM-FROM-0-CORRECT M1 !>>(IN-THEORY (DISABLE CLK-FROM-0)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 5532) Summary Form: ( PROGN (SET-VERIFY-GUARDS-EAGERNESS 0 ...) ...) Rules: NIL Warnings: Non-rec Time: 1.31 seconds (prove: 1.14, print: 0.03, other: 0.13) Prover steps counted: 67486 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Warnings: Non-rec Time: 1.45 seconds (prove: 1.17, print: 0.04, other: 0.25) Prover steps counted: 70617 (:NUMBER-OF-ENABLED-RUNES 5532) M1 !>(pe 'sem-from-2) d 7:x(CODEWALKER :RUN M1 ...) \ >L (DEFUN SEM-FROM-2 (S) (DECLARE (XARGS :NON-EXECUTABLE T :MODE :LOGIC)) (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) (DECLARE (XARGS :STOBJS (S))) (PROG2$ (ACL2::THROW-NONEXEC-ERROR 'SEM-FROM-2 (LIST S)) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) (WR ':PC '14 (WR ':STACK (PUSH (NTH '2 (RD ':LOCALS S)) (RD ':STACK S)) S)) (SEM-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S)))) S))) M1 !>(pe 'clk-from-2) d 7:x(CODEWALKER :RUN M1 ...) \ >L d (DEFUN CLK-FROM-2 (S) (DECLARE (XARGS :NON-EXECUTABLE T :MODE :LOGIC)) (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT (NTH '0 (RD ':LOCALS S)))) :WELL-FOUNDED-RELATION O<)) (DECLARE (XARGS :STOBJS (S))) (PROG2$ (ACL2::THROW-NONEXEC-ERROR 'CLK-FROM-2 (LIST S)) (IF (GOOD-STATEP S) (IF (EQUAL (NTH '0 (RD ':LOCALS S)) '0) '3 (BINARY-CLK+ '11 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '0 (BINARY-+ '-1 (NTH '0 (RD ':LOCALS S))) (UPDATE-NTH '2 (BINARY-+ (NTH '1 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S))) (RD ':LOCALS S))) S))))) '0))) M1 !>(pe 'sem-from-2-correct) d 7:x(CODEWALKER :RUN M1 ...) \ > (DEFTHM SEM-FROM-2-CORRECT (IMPLIES (AND (GOOD-STATEP S) (EQUAL ((LAMBDA (S) (RD ':PC S)) S) '2)) (EQUAL (M1 S (CLK-FROM-2 S)) (SEM-FROM-2 S)))) M1 !>(pe 'sem-from-0) d 7:x(CODEWALKER :RUN M1 ...) \ >L (DEFUN SEM-FROM-0 (S) (DECLARE (XARGS :NON-EXECUTABLE T :MODE :LOGIC)) (DECLARE (XARGS :STOBJS (S))) (PROG2$ (ACL2::THROW-NONEXEC-ERROR 'SEM-FROM-0 (LIST S)) (IF (GOOD-STATEP S) (SEM-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '2 '0 (RD ':LOCALS S)) S))) S))) M1 !>(pe 'clk-from-0) d 7:x(CODEWALKER :RUN M1 ...) \ >L d (DEFUN CLK-FROM-0 (S) (DECLARE (XARGS :NON-EXECUTABLE T :MODE :LOGIC)) (DECLARE (XARGS :STOBJS (S))) (PROG2$ (ACL2::THROW-NONEXEC-ERROR 'CLK-FROM-0 (LIST S)) (IF (GOOD-STATEP S) (BINARY-CLK+ '2 (CLK-FROM-2 (WR ':PC '2 (WR ':LOCALS (UPDATE-NTH '2 '0 (RD ':LOCALS S)) S)))) '0))) M1 !>(pe 'sem-from-0-correct) d 7:x(CODEWALKER :RUN M1 ...) \ > (DEFTHM SEM-FROM-0-CORRECT (IMPLIES (AND (GOOD-STATEP S) (EQUAL ((LAMBDA (S) (RD ':PC S)) S) '0)) (EQUAL (M1 S (CLK-FROM-0 S)) (SEM-FROM-0 S)))) M1 !>(defthm haltedp-sem-from-2 (implies (and (good-statep s) (equal (rd :pc s) 2)) (haltedp (sem-from-2 s)))) ACL2 Warning [Non-rec] in ( DEFTHM HALTEDP-SEM-FROM-2 ...): A :REWRITE rule generated from HALTEDP-SEM-FROM-2 will be triggered only by terms containing the non-recursive function symbol HALTEDP. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Subsume] in ( DEFTHM HALTEDP-SEM-FROM-2 ...): The previously added rule HALTEDP subsumes a newly proposed :REWRITE rule generated from HALTEDP-SEM-FROM-2, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2)) (EQUAL (NTH (RD :PC (SEM-FROM-2 S)) (RD :PROGRAM (SEM-FROM-2 S))) '(HALT))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (SEM-FROM-2 S). This suggestion was produced using the :induction rule SEM-FROM-2. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (GOOD-STATEP S)) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)))) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P S))). This induction is justified by the same argument used to admit SEM-FROM-2. When applied to the goal at hand the above induction scheme produces nine nontautological subgoals. Subgoal *1/9 Subgoal *1/8 Subgoal *1/8' Subgoal *1/7 Subgoal *1/7' Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/5' Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D. The storage of HALTEDP-SEM-FROM-2 depends upon the :type-prescription rule HALTEDP. Summary Form: ( DEFTHM HALTEDP-SEM-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION HALTEDP) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION SEM-FROM-2) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SEM-FROM-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE WR-REDUNDANT) (:TYPE-PRESCRIPTION HALTEDP) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Subsume and Non-rec Time: 0.07 seconds (prove: 0.06, print: 0.00, other: 0.00) Prover steps counted: 6393 HALTEDP-SEM-FROM-2 M1 !>(in-theory (disable haltedp)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 5532) M1 !>(defthm haltedp-sem-from-0 (implies (and (good-statep s) (equal (rd :pc s) 0)) (haltedp (sem-from-0 s)))) ACL2 Warning [Non-rec] in ( DEFTHM HALTEDP-SEM-FROM-0 ...): A :REWRITE rule generated from HALTEDP-SEM-FROM-0 will be triggered only by terms containing the non-recursive function symbol SEM-FROM-0. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. The storage of HALTEDP-SEM-FROM-0 depends upon the :type-prescription rule HALTEDP. Summary Form: ( DEFTHM HALTEDP-SEM-FROM-0 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION SEM-FROM-0) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE HALTEDP-SEM-FROM-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:TYPE-PRESCRIPTION HALTEDP) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1314 HALTEDP-SEM-FROM-0 M1 !>(defthm top-stack-sem-from-2 (implies (and (good-statep s) (equal (rd :pc s) 2)) (equal (top (rd :stack (sem-from-2 s))) (+ (loi 2 s) (* (loi 0 s) (loi 1 s)))))) Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (EQUAL (RD :PC S) 2)) (EQUAL (TOP (RD :STACK (SEM-FROM-2 S))) (+ (NTH 2 (RD :LOCALS S)) (* (NTH 0 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S)))))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (SEM-FROM-2 S). This suggestion was produced using the :induction rule SEM-FROM-2. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (GOOD-STATEP S)) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)))) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P S))). This induction is justified by the same argument used to admit SEM-FROM-2. When applied to the goal at hand the above induction scheme produces nine nontautological subgoals. Subgoal *1/9 Subgoal *1/8 Subgoal *1/8' Subgoal *1/7 Subgoal *1/7' Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/5' Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM TOP-STACK-SEM-FROM-2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SEM-FROM-2) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SEM-FROM-2) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE TOP-PUSH) (:REWRITE WR-REDUNDANT) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.10 seconds (prove: 0.10, print: 0.00, other: 0.00) Prover steps counted: 7052 TOP-STACK-SEM-FROM-2 M1 !>(defthm top-stack-sem-from-0 (implies (and (good-statep s) (equal (rd :pc s) 0)) (equal (top (rd :stack (sem-from-0 s))) (* (loi 0 s) (loi 1 s))))) ACL2 Warning [Non-rec] in ( DEFTHM TOP-STACK-SEM-FROM-0 ...): A :REWRITE rule generated from TOP-STACK-SEM-FROM-0 will be triggered only by terms containing the non-recursive function symbol SEM-FROM-0. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. Summary Form: ( DEFTHM TOP-STACK-SEM-FROM-0 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION SEM-FROM-0) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE TOP-STACK-SEM-FROM-2) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1470 TOP-STACK-SEM-FROM-0 M1 !>(defthm main-goal (implies (and (good-statep s) (equal (rd :pc s) 0) (equal sf (m1 s (clk-from-0 s)))) (and (haltedp sf) (equal (top (stack sf)) (* (loi 0 s) (loi 1 s))))) :rule-classes nil) Goal' Q.E.D. Summary Form: ( DEFTHM MAIN-GOAL ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION SEM-FROM-0) (:DEFINITION STACK) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE HALTEDP-SEM-FROM-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SEM-FROM-0-CORRECT) (:REWRITE SP-WR) (:REWRITE TOP-STACK-SEM-FROM-2) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 2658 MAIN-GOAL M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defprojection loc2-from-2 (nth '2 (rd ':locals s)) sem-from-2 s ((good-statep s)) (((nth i (rd ':locals s)) 't) ((rd ':stack s) 't) ((rd ':pc s) 't))) ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 406,306,736 bytes freed in 0.250454 s ;;; 5 soft faults, 0 faults, 0 pageins Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 1.74 seconds (prove: 0.00, print: 0.00, other: 1.74) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT I)) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED))) (67 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT J)) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! For the admission of LOC2-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (<= 0 J) (INTEGERP J) (<= 0 K) (INTEGERP K) (<= 0 I) (INTEGERP I)) (NOT (EQUAL I 0))) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). Goal' Q.E.D. That completes the proof of the measure theorem for LOC2-FROM-2. Thus, we admit this function under the principle of definition. We observe that the type of LOC2-FROM-2 is described by the theorem (AND (INTEGERP (LOC2-FROM-2 I J K)) (<= 0 (LOC2-FROM-2 I J K))). Summary Form: ( DEFUN LOC2-FROM-2 ...) Rules: ((:DEFINITION NOT)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 92 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 92 Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 1.79 seconds (prove: 0.03, print: 0.00, other: 1.75) Prover steps counted: 2733 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 1.82 seconds (prove: 0.03, print: 0.00, other: 1.79) Prover steps counted: 2733 M1 !>>(ACL2::DEFUNM LOC2-FROM-2 (I J K) (IF (ACL2-NUMBERP J) (COND ((< J 0) 0) ((INTEGERP J) (IF (ACL2-NUMBERP K) (COND ((< K 0) 0) ((INTEGERP K) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (IF (EQUAL I 0) J (LOC2-FROM-2 (+ -1 I) (+ J K) K))) (T 0)) 0)) (T 0)) 0)) (T 0)) 0)) ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 406,316,240 bytes freed in 0.198683 s ;;; 0 soft faults, 0 faults, 0 pageins ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 406,317,696 bytes freed in 0.193627 s ;;; 0 soft faults, 0 faults, 0 pageins Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 9.17 seconds (prove: 0.00, print: 0.00, other: 9.17) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT I)) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! The admission of LOC2-FROM-2 is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). We observe that the type of LOC2-FROM-2 is described by the theorem (AND (INTEGERP (LOC2-FROM-2 I J K)) (<= 0 (LOC2-FROM-2 I J K))). Summary Form: ( DEFUN LOC2-FROM-2 ...) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 9.21 seconds (prove: 0.03, print: 0.00, other: 9.18) Prover steps counted: 2641 LOC2-FROM-2 M1 !>>(DEFTHM LOC2-FROM-2-CORRECT (IMPLIES (GOOD-STATEP S) (EQUAL (NTH '2 (RD ':LOCALS (SEM-FROM-2 S))) (LOC2-FROM-2 (NTH '0 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S)) (NTH '1 (RD ':LOCALS S)))))) Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (NTH 2 (RD :LOCALS (SEM-FROM-2 S))) (LOC2-FROM-2 (NTH 0 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S)) (NTH 1 (RD :LOCALS S))))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (SEM-FROM-2 S). This suggestion was produced using the :induction rule SEM-FROM-2. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (GOOD-STATEP S)) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)))) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P S))). This induction is justified by the same argument used to admit SEM-FROM-2. When applied to the goal at hand the above induction scheme produces eleven nontautological subgoals. Subgoal *1/11 Subgoal *1/10 Subgoal *1/10' Subgoal *1/9 Subgoal *1/9' Subgoal *1/8 Subgoal *1/8' Subgoal *1/7 Subgoal *1/7' Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/5' Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LOC2-FROM-2-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION LOC2-FROM-2) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SEM-FROM-2) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SEM-FROM-2) (:REWRITE ACL2::|(+ y x)|) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.10 seconds (prove: 0.09, print: 0.01, other: 0.00) Prover steps counted: 8980 LOC2-FROM-2-CORRECT Summary Form: ( PROGN (ACL2::DEFUNM LOC2-FROM-2 ...) ...) Rules: NIL Time: 9.31 seconds (prove: 0.12, print: 0.01, other: 9.18) Prover steps counted: 11621 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 11.14 seconds (prove: 0.16, print: 0.01, other: 10.97) Prover steps counted: 14354 Summary Form: ( MAKE-EVENT (ACL2::PROJECT-FN-TO-FN ...)) Rules: NIL Time: 11.25 seconds (prove: 0.16, print: 0.01, other: 11.08) Prover steps counted: 14354 LOC2-FROM-2-CORRECT M1 !>(pe 'loc2-from-2) 14:x(DEFPROJECTION LOC2-FROM-2 (NTH # #) ...) \ >L (DEFUN LOC2-FROM-2 (I J K) (IF (ACL2-NUMBERP J) (COND ((< J 0) 0) ((INTEGERP J) (IF (ACL2-NUMBERP K) (COND ((< K 0) 0) ((INTEGERP K) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (IF (EQUAL I 0) J (LOC2-FROM-2 (+ -1 I) (+ J K) K))) (T 0)) 0)) (T 0)) 0)) (T 0)) 0)) M1 !>(pe 'loc2-from-2-correct) 14:x(DEFPROJECTION LOC2-FROM-2 (NTH # #) ...) \ > (DEFTHM LOC2-FROM-2-CORRECT (IMPLIES (GOOD-STATEP S) (EQUAL (NTH '2 (RD ':LOCALS (SEM-FROM-2 S))) (LOC2-FROM-2 (NTH '0 (RD ':LOCALS S)) (NTH '2 (RD ':LOCALS S)) (NTH '1 (RD ':LOCALS S)))))) M1 !>(defprojection loc2-from-0 (nth '2 (rd ':locals s)) sem-from-0 s ((good-statep s)) (((nth i (rd ':locals s)) 't) ((rd ':stack s) 't) ((rd ':pc s) 't))) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. NIL However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! Since LOC2-FROM-0 is non-recursive, its admission is trivial. We observe that the type of LOC2-FROM-0 is described by the theorem (AND (INTEGERP (LOC2-FROM-0 I J)) (<= 0 (LOC2-FROM-0 I J))). We used the :type-prescription rule LOC2-FROM-2. Summary Form: ( DEFUN LOC2-FROM-0 ...) Rules: ((:TYPE-PRESCRIPTION LOC2-FROM-2)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.04 seconds (prove: 0.03, print: 0.00, other: 0.01) Prover steps counted: 2641 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.05 seconds (prove: 0.03, print: 0.00, other: 0.02) Prover steps counted: 2641 M1 !>>(ACL2::DEFUNM LOC2-FROM-0 (I J) (IF (ACL2-NUMBERP J) (COND ((< J 0) 0) ((INTEGERP J) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (LOC2-FROM-2 I 0 J)) (T 0)) 0)) (T 0)) 0)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. NIL However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! Since LOC2-FROM-0 is non-recursive, its admission is trivial. We observe that the type of LOC2-FROM-0 is described by the theorem (AND (INTEGERP (LOC2-FROM-0 I J)) (<= 0 (LOC2-FROM-0 I J))). We used the :type-prescription rule LOC2-FROM-2. Summary Form: ( DEFUN LOC2-FROM-0 ...) Rules: ((:TYPE-PRESCRIPTION LOC2-FROM-2)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.04 seconds (prove: 0.03, print: 0.00, other: 0.01) Prover steps counted: 2641 LOC2-FROM-0 M1 !>>(DEFTHM LOC2-FROM-0-CORRECT (IMPLIES (GOOD-STATEP S) (EQUAL (NTH '2 (RD ':LOCALS (SEM-FROM-0 S))) (LOC2-FROM-0 (NTH '0 (RD ':LOCALS S)) (NTH '1 (RD ':LOCALS S)))))) ACL2 Warning [Non-rec] in ( DEFTHM LOC2-FROM-0-CORRECT ...): A :REWRITE rule generated from LOC2-FROM-0-CORRECT will be triggered only by terms containing the non-recursive function symbol SEM-FROM-0. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. Summary Form: ( DEFTHM LOC2-FROM-0-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION LOC2-FROM-0) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION SEM-FROM-0) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE LEN-UPDATE-NTH) (:REWRITE LOC2-FROM-2-CORRECT) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE SP-WR) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Warnings: Non-rec Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1520 LOC2-FROM-0-CORRECT Summary Form: ( PROGN (ACL2::DEFUNM LOC2-FROM-0 ...) ...) Rules: NIL Warnings: Non-rec Time: 0.06 seconds (prove: 0.05, print: 0.00, other: 0.01) Prover steps counted: 4161 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Warnings: Non-rec Time: 0.11 seconds (prove: 0.08, print: 0.00, other: 0.03) Prover steps counted: 6802 Summary Form: ( MAKE-EVENT (ACL2::PROJECT-FN-TO-FN ...)) Rules: NIL Warnings: Non-rec Time: 0.15 seconds (prove: 0.08, print: 0.00, other: 0.07) Prover steps counted: 6802 LOC2-FROM-0-CORRECT M1 !>(pe 'loc2-from-0) 15:x(DEFPROJECTION LOC2-FROM-0 (NTH # #) ...) \ >L (DEFUN LOC2-FROM-0 (I J) (IF (ACL2-NUMBERP J) (COND ((< J 0) 0) ((INTEGERP J) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (LOC2-FROM-2 I 0 J)) (T 0)) 0)) (T 0)) 0)) M1 !>(pe 'loc2-from-0-correct) 15:x(DEFPROJECTION LOC2-FROM-0 (NTH # #) ...) \ > (DEFTHM LOC2-FROM-0-CORRECT (IMPLIES (GOOD-STATEP S) (EQUAL (NTH '2 (RD ':LOCALS (SEM-FROM-0 S))) (LOC2-FROM-0 (NTH '0 (RD ':LOCALS S)) (NTH '1 (RD ':LOCALS S)))))) M1 !>(defprojection pc-from-2 (rd ':pc s) sem-from-2 s ((good-statep s)) (((nth i (rd ':locals s)) 't) ((rd ':stack s) 't) ((rd ':pc s) 't))) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT I)) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! For the admission of PC-FROM-2 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). The non-trivial part of the measure conjecture is Goal (IMPLIES (AND (AND (<= 0 I) (INTEGERP I)) (NOT (EQUAL I 0))) (O< (ACL2-COUNT (+ -1 I)) (ACL2-COUNT I))). Goal' Q.E.D. That completes the proof of the measure theorem for PC-FROM-2. Thus, we admit this function under the principle of definition. We observe that the type of PC-FROM-2 is described by the theorem (AND (INTEGERP (PC-FROM-2 I)) (<= 0 (PC-FROM-2 I))). Summary Form: ( DEFUN PC-FROM-2 ...) Rules: ((:DEFINITION NOT)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 40 Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 40 Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.05 seconds (prove: 0.04, print: 0.00, other: 0.02) Prover steps counted: 2681 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.06 seconds (prove: 0.04, print: 0.00, other: 0.03) Prover steps counted: 2681 M1 !>>(ACL2::DEFUNM PC-FROM-2 (I) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (IF (EQUAL I 0) 14 (PC-FROM-2 (+ -1 I)))) (T 0)) 0)) Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) From the measure-patterns database we generated the following suggested measures, with those presumed most likely listed first. Each suggestion is a triple, (rank dcl names), where rank is the estimated plausibility of the suggestion, dcl is the DECLARE form to be tried, and names lists the names of the measure-patterns responsible for the suggestion. ((100 (DECLARE (XARGS :MEASURE (ACL2::DEFUNM-MARKER (ACL2-COUNT I)) :WELL-FOUNDED-RELATION O<)) ((ACL2::TESTED-POSITIVE-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-0-AND-DECREMENTED ACL2::TESTED-NON-ZP-AND-DECREMENTED)))) However, we will first try ACL2's native DEFUN event to see whether it guesses the right measure. Otherwise, we'll try each of the above measures in turn. You will therefore see a sequence of failed proof attempts and finally, perhaps, a successful one! The admission of PC-FROM-2 is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT I). We observe that the type of PC-FROM-2 is described by the theorem (AND (INTEGERP (PC-FROM-2 I)) (<= 0 (PC-FROM-2 I))). Summary Form: ( DEFUN PC-FROM-2 ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (QUOTE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Summary Form: ( MAKE-EVENT (ACL2::ER-LET* ...) ...) Rules: NIL Time: 0.06 seconds (prove: 0.03, print: 0.00, other: 0.03) Prover steps counted: 2641 PC-FROM-2 M1 !>>(DEFTHM PC-FROM-2-CORRECT (IMPLIES (GOOD-STATEP S) (EQUAL (RD ':PC (SEM-FROM-2 S)) (PC-FROM-2 (NTH '0 (RD ':LOCALS S)))))) Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (SP S) (INTEGERP (RD :PC S)) (<= 0 (RD :PC S)) (< (RD :PC S) 15) (< 16 (LEN (RD :LOCALS S))) (NATP-LISTP (RD :LOCALS S)) (NATP-LISTP (RD :STACK S)) (EQUAL (RD :PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT)))) (EQUAL (RD :PC (SEM-FROM-2 S)) (PC-FROM-2 (NTH 0 (RD :LOCALS S))))) *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (SEM-FROM-2 S). This suggestion was produced using the :induction rule SEM-FROM-2. If we let (:P S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (GOOD-STATEP S)) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (NOT (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P (WR :PC 2 (WR :LOCALS (UPDATE-NTH 0 (+ -1 (NTH 0 (RD :LOCALS S))) (UPDATE-NTH 2 (+ (NTH 1 (RD :LOCALS S)) (NTH 2 (RD :LOCALS S))) (RD :LOCALS S))) S)))) (:P S)) (IMPLIES (AND (GOOD-STATEP S) (EQUAL (NTH 0 (RD :LOCALS S)) 0)) (:P S))). This induction is justified by the same argument used to admit SEM-FROM-2. When applied to the goal at hand the above induction scheme produces eleven nontautological subgoals. Subgoal *1/11 Subgoal *1/10 Subgoal *1/10' Subgoal *1/9 Subgoal *1/9' Subgoal *1/8 Subgoal *1/8' Subgoal *1/7 Subgoal *1/7' Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/5' Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/3' Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM PC-FROM-2-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION GOOD-STATEP) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION PC-FROM-2) (:DEFINITION SEM-FROM-2) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART PC-FROM-2) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SEM-FROM-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE NATP-LISTP-UPDATE-NTH) (:REWRITE NTH-UPDATE-NTH) (:REWRITE RD-WR) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION NATP-LISTP) (:TYPE-PRESCRIPTION NATP-LISTP-NTH) (:TYPE-PRESCRIPTION SP)) Time: 0.08 seconds (prove: 0.08, print: 0.00, other: 0.00) Prover steps counted: 7977 PC-FROM-2-CORRECT Summary Form: ( PROGN (ACL2::DEFUNM PC-FROM-2 ...) ...) Rules: NIL Time: 0.14 seconds (prove: 0.11, print: 0.00, other: 0.03) Prover steps counted: 10618 Summary Form: ( MAKE-EVENT (ER-PROGN ...)) Rules: NIL Time: 0.21 seconds (prove: 0.14, print: 0.01, other: 0.06) Prover steps counted: 13299 Summary Form: ( MAKE-EVENT (ACL2::PROJECT-FN-TO-FN ...)) Rules: NIL Time: 0.29 seconds (prove: 0.14, print: 0.01, other: 0.14) Prover steps counted: 13299 PC-FROM-2-CORRECT M1 !>(pe 'pc-from-2) 16:x(DEFPROJECTION PC-FROM-2 (RD # S) ...) \ >L (DEFUN PC-FROM-2 (I) (IF (ACL2-NUMBERP I) (COND ((< I 0) 0) ((INTEGERP I) (IF (EQUAL I 0) 14 (PC-FROM-2 (+ -1 I)))) (T 0)) 0)) M1 !>(quote (the end)) (THE END) M1 !>