Major Section: EVENTS

Examples: (encapsulate (((an-element *) => *))where each signature is as described in the documentation for signature, each signature describes a different function symbol, and each; The list of signatures above could also be written ; ((an-element (lst) t))

(local (defun an-element (lst) (if (consp lst) (car lst) nil))) (local (defthm member-equal-car (implies (and lst (true-listp lst)) (member-equal (car lst) lst)))) (defthm thm1 (implies (null lst) (null (an-element lst)))) (defthm thm2 (implies (and (true-listp lst) (not (null lst))) (member-equal (an-element lst) lst))))

(encapsulate ()

(local (defthm hack (implies (and (syntaxp (quotep x)) (syntaxp (quotep y))) (equal (+ x y z) (+ (+ x y) z)))))

(defthm nthcdr-add1-conditional (implies (not (zp (1+ n))) (equal (nthcdr (1+ n) x) (nthcdr n (cdr x))))))

General Form: (encapsulate (signature ... signature) ev1 ... evn)

`evi`

is an embedded event form as described in
the documentation for embedded-event-form. There must be at
least one `evi`

. The `evi`

inside `local`

special forms are
called ``local'' events below. Events that are not
`local`

are sometimes said to be ``exported'' by the encapsulation.
We make the further restriction that no `defaxiom`

event may be
introduced in the scope of an `encapsulate`

(not even by
`encapsulate`

or `include-book`

events that are among the `evi`

).
Furthermore, no non-`local`

`include-book`

event is permitted in the
scope of any `encapsulate`

with a non-empty list of signatures.
To be well-formed, an `encapsulate`

event must have the properties
that each event in the body (including the `local`

ones) can be
successfully executed in sequence and that in the resulting theory,
each function mentioned among the signatures was introduced via a
`local`

event and has the signature listed. In addition, the body may
contain no ``local incompatibilities'' which, roughly stated, means
that the events that are not `local`

must not syntactically require
symbols defined by `local`

events, except for the functions listed in
the signatures. See local-incompatibility. Finally, no
non-`local`

recursive definition in the body may involve in its
suggested induction scheme any function symbol listed among the
signatures. See subversive-recursions.

The result of an `encapsulate`

event is an extension of the logic
in which, roughly speaking, the functions listed in the
signatures are constrained to have the signatures listed
and to satisfy the non-`local`

theorems proved about them. In
fact, other functions introduced in the `encapsulate`

event may be
considered to have ``constraints'' as well. (See constraint
for details, which are only relevant to functional instantiation.)
Since the constraints were all theorems in the ``ephemeral'' or
``local'' theory, we are assured that the extension produced by
`encapsulate`

is sound. In essence, the `local`

definitions of
the constrained functions are just ``witness functions'' that
establish the consistency of the constraints. Because those
definitions are `local`

, they are not present in the theory
produced by encapsulation. `Encapsulate`

also exports all rules
generated by its non-`local`

events, but rules generated by
`local`

events are not exported.

The default-defun-mode for the first event in an encapsulation is
the default defun-mode ``outside'' the encapsulation. But since
events changing the defun-mode are permitted within the body of an
`encapsulate`

, the default defun-mode may be changed. However,
defun-mode changes occurring within the body of the `encapsulate`

are not exported. In particular, the `acl2-defaults-table`

after
an `encapsulate`

is always the same as it was before the
`encapsulate`

, even though the `encapsulate`

body might contain
defun-mode changing events, `:`

`program`

and `:`

`logic`

.
See defun-mode. More generally, after execution of an
`encapsulate`

event, the value of `acl2-defaults-table`

is
restored to what it was immediately before that event was executed.
See acl2-defaults-table.

Theorems about the constrained function symbols may then be proved
-- theorems whose proofs necessarily employ only the constraints.
Thus, those theorems may be later functionally instantiated, as with
the `:functional-instance`

lemma instance
(see lemma-instance), to derive analogous theorems about
different functions, provided the constraints (see constraint)
can be proved about the new functions.

Observe that if the signatures list is empty, `encapsulate`

may still
be useful for deriving theorems to be exported whose proofs require
lemmas you prefer to hide (i.e., made `local`

).

The order of the events in the vicinity of an `encapsulate`

is
confusing. We discuss it in some detail here because when logical
names are being used with theory functions to compute sets of rules,
it is sometimes important to know the order in which events were
executed. (See logical-name and see theory-functions.)
What, for example, is the set of function names extant in the middle
of an encapsulation?

If the most recent event is `previous`

and then you execute an
`encapsulate`

constraining `an-element`

with two non-`local`

events in its
body, `thm1`

and `thm2`

, then the order of the events after the
encapsulation is (reading chronologically forward): `previous`

, `thm1`

,
`thm2`

, `an-element`

(the `encapsulate`

itself). Actually, between
`previous`

and `thm1`

certain extensions were made to the world by the
superior `encapsulate`

, to permit `an-element`

to be used as a function
symbol in `thm1`

.

Finally, we note that an `encapsulate`

event is redundant if and
only if a syntactically identical `encapsulate`

has already been
executed under the same `default-defun-mode`

.
See redundant-events.