define a new abstract single-threaded object
Major Section:  EVENTS

We assume familiarity with single-threaded objects; see stobj and see defstobj. The event defabsstobj defines a so-called ``abstract stobj'', a notion we introduce briefly now and then explain in more depth below.

The evaluation of a defstobj event produces logical definitions for several functions: a recognizer, which characterizes the stobj in terms of lists; a creator, which produces an initial suitable list structure; and field accessors and updators, defined in terms of nth and update-nth. Defabsstobj provides a way to define alternate definitions for a recognizer, creator, and primitive read/write functions. In essence, defabsstobj establishes interface functions, or ``exports'', on a new stobj that is a copy of an indicated ``concrete'' stobj that already exists.

We begin below with an introduction to abstract stobjs. We then explain the defabsstobj event by way of an example. We conclude by giving summary documentation for the defabsstobj event.


We start with a brief review of stobjs and some potential problems with them, followed by an introduction to abstract stobjs and how they can avoid these problems. Prior experience with stobjs will probably help the reader to absorb the ideas below.

Recall that single-threaded objects, or stobjs, provide a way for ACL2 users to stay within the ACL2 logic, where every data object is an atom or a cons of data objects, while obtaining the benefits of fast evaluation through destructive updates. Consider for example this very simple event.

(defstobj st fld)
This event introduces a recognizer, stp, and a creator, create-st, for a data structure consisting of a single field accessed and updated by functions fld and update-fld, respectively. Each of these four primitive functions has both a logical definition, which is used when the prover reasons about the function, and an executable definition, which is used in raw Lisp. In the logic, stp recognizes objects that have the requisite fields. In raw Lisp, there is a ``live stobj'', which is an array object whose fields correspond to those specified by the defstobj event, implemented as Lisp arrays.

Here are the logical definition and the executable definition, respectively, that are introduced for the field accessor, fld, introduced above. Notice that since a stobj is represented in raw Lisp using an array, the raw Lisp accessor uses a raw Lisp array accessor, svref. (You can see all the logical and executable definitions by evaluating the form (trace$ defstobj-axiomatic-defs defstobj-raw-defs) before evaluating the defstobj form.)

; logical definition
(defun fld (st)
  (declare (xargs :guard (stp st)
                  :verify-guards t))
  (nth 0 st))

; executable (raw Lisp) definition
(defun fld (st)
  (svref st 0))

Sophisticated programming with stobjs can provide efficient implementations of algorithms, but may require the preservation of a complex invariant. One can, of course, define a function to implement such an invariant after introducing the stobj, as follows.

; Introduce a stobj.
(defstobj st fld1 ... fldk)

; Define an invariant on that stobj.
(defun good-stp (st)
  (declare (xargs :stobjs st))

; Define some basic functions that update the stobj and preserve the
; invariant.
(defun update-st (... st ...)
  (declare (xargs :stobjs st
                  :guard (and (good-stp st) ...)))

; Prove that the invariant is indeed preserved by those basic functions.
(defthm good-stp-update-st
  (implies (and (good-stp st)
           (good-stp (update-st ... st ...))))

; Implement algorithms built on the basic functions.
(defun foo (... st ...)
  (declare (xargs :stobjs st
                  :guard (and (good-stp st) ...)))
  ... (update-st ... st ...) ...)

; Prove invariance theorems about these algorithms.
(defthm good-stp-foo
  (implies (and (good-stp st)
           (good-stp (foo ... st ...))))

; Prove other properties of these algorithms.
(defthm foo-is-correct
  (implies (and (good-stp st)
           (some-property (foo ... st ...))))

But there are at least two potential difficulties in using stobjs as described above.

1. When foo is executed on concrete data in the ACL2 loop, the guard check may be expensive because (good-stp st) is expensive.

2. Reasoning about foo (using rules like foo-is-correct above) involves proving hypotheses of invariance theorems, which may be complicated for the user to manage or slow for the theorem prover.

The defabsstobj event offers an opportunity to address these issues. It introduces a new stobj, which we call an ``abstract stobj'', which is associated with a corresponding ``concrete stobj'' introduced by an earlier defstobj event. The defabsstobj event specifies a logical (:LOGIC) and an executable (:EXEC) definition for each primitive operation involving that stobj. As is the case for defstobj, the logical definition is what ACL2 reasons about, and is appropriate to apply to an ACL2 object satisfying the logical definition of the recognizer function for the stobj. The executable definition is applied in raw Lisp to a live stobj, which is an array object associated with the given stobj name.

Consider an abstract stobj st with corresponding concrete stobj st$c. The live stobjs for st and st$c have the same structure, but are distinct arrays. Indeed, the raw Lisp creator function for st$c is called to create a new initial live stobj for st. As we will see below, reads and writes in raw Lisp to the live stobj for st are ultimately performed using the primitive acccessors and updaters defined for st$c. One might think of the live stobjs for st and st$c as being congruent stobjs (see defstobj), except that the stobjs themselves are not congruent: only exported functions (not arbitrary field updaters of st$c, for example) may be applied to st. As one might expect, the :EXEC function for an exported function is applied to the live stobj for st in raw Lisp. As of this writing, congruent stobjs are not supported for abstract stobjs. Users who see a need for this feature are welcome to explain that need to the ACL2 implementors.


We present examples, with detailed comments intended to explain abstract stobjs, in two distributed books: books/misc/defabsstobj-example-1.lisp and books/misc/defabsstobj-example-2.lisp. In this section we outline the first of these. We suggest that after you finish this documentation topic, you read through those two books.

Here is the first of two closely related defabsstobj events from the book defabsstobj-example-1.lisp, but in expanded form. We will show the abbreviated form later, which omits most of data in the form that is immediately below. Thus most of the information shown here is default information. We believe that the comments below explain most or all of what you need to know in order to start using defabsstobj, and that you will learn the remainder when you see error messages. For example, we do not say in the comments below that every :LOGIC and :EXEC function must be guard-verified, but that is indeed a requirement.

(defabsstobj st ; The new abstract stobj is named st.

; The concrete stobj corresponding to st is st$c:

  :concrete st$c

; The recognizer for the new abstract stobj is stp, which is defined to be
; st$ap in the logic, and is executed on the live stobj in raw Lisp using
; st$cp.

  :recognizer (stp :logic st$ap :exec st$cp)

; The initial stobj is defined as create-st (a function of no arguments),
; which is defined logically as create-st$a, though create-st$c is invoked to
; create the initial live stobj for st.  The :correspondence and :preserved
; keywords refer to proof obligations, discussed below.

  :creator (create-st :logic create-st$a :exec create-st$c
                      :correspondence create-st{correspondence}
                      :preserved create-st{preserved})

; Proof obligations are generated that involve a correspondence between the
; new abstract stobj and corresponding concrete stobj.  The function
; st$corr, which need not be executable (see :DOC defun-nx), takes two
; arguments, a concrete stobj and an abstract stobj.  This function symbol is
; used in the statements of the proof obligations.

  :corr-fn st$corr

; In this example we have four exports.  In each case a new function is
; introduced that has the same signature as its :EXEC function, except that
; st$c is replaced by st.  The :LOGIC and :EXEC functions are as specified,
; and the other keywords refer to proof obligations that we discuss below.

  :exports ((lookup :logic lookup$a
                    :exec mem$ci
                    :correspondence lookup{correspondence}
                    :guard-thm lookup{guard-thm})
            (update :logic update$a
                    :exec update-mem$ci
                    :correspondence update{correspondence}
                    :preserved update{preserved}
                    :guard-thm update{guard-thm})
            (misc :logic misc$a
                  :exec misc$c
                  :correspondence misc{correspondence})
            (update-misc :logic update-misc$a
                         :exec update-misc$c
                         :correspondence update-misc{correspondence}
                         :preserved update-misc{preserved}))
  :doc nil)

Note that the recognizer, creator, and all exported functions are defined in the logic in terms of their :LOGIC functions and in raw Lisp in terms of their :EXEC functions. In the former case, a defun form defines a function, while in the latter case, a defmacro form defines a macro (for efficiency). Here is how that works, for example, for the recognizer. (You can see all the logical and executable definitions by evaluating the form (trace$ defabsstobj-axiomatic-defs defabsstobj-raw-defs) before evaluating the defstobj form.)

; In the logic:
(defun stp (st)
  (declare (xargs :guard 't))
  (st$ap st))

; In raw Lisp:
(defmacro stp (&rest args) (cons 'st$cp args))

We turn now to the proof obligations, as promised above. There are three types: :CORRESPONDENCE, :PRESERVED, and :GUARD-THM. All required lemmas may be printed simply by defining the necessary :LOGIC and :EXEC functions and then submitting the defabsstobj event. (To advanced users: also see defabsstobj-missing-events for a utility that returns the required formulas in translated form.) Although the defabsstobj event will fail if the required lemmas have not been proved, first it will print the defthm forms that must be admitted in order to complete submission of the defabsstobj event.

The detailed theory explaining the need for these lemmas may be found in a comment in ACL2 source file other-events.lisp, in a comment entitled ``Essay on the Correctness of Abstract Stobjs''. Here, we give an informal sense of the importance of these lemmas as we present examples of them. Fundamental is the notion of evaluation in the logic versus evaluation using live stobjs, where one imagines tracking the current value of each abstract stobj during each of these two evaluations.

We start with the :CORRESPONDENCE lemmas. These guarantee that evaluation in the logic agrees with evaluation using live stobjs, in the sense that the only difference is between a logical stobj and a live stobj, where the two correspond in the sense of the function specified by :CORR-FN. We start with the :CREATOR function where the statement is quite simple, stating that the :CORR-FN holds initially.

(defthm create-st{correspondence}
  (st$corr (create-st$c) (create-st$a)))
For the exported functions, there are essentially two cases. If an exported function returns other than the new abstract stobj, then the theorem asserts the equality of the results of applying the :LOGIC and :EXEC functions for the exported function. Hypotheses include the :CORR-FN correspondence followed by the guard for the :LOGIC function, which is stated in terms of the formal parameters of the :EXEC function except using the abstract stobj (here, st) in place of the concrete stobj (here, st$c). The conclusion uses the :EXEC formals, modified in the call of the :LOGIC function (here, lookup$a) to use the abstract stobj, as in the hypotheses.
(defthm lookup{correspondence}
  (implies (and (st$corr st$c st)
                (integerp i) (<= 0 i) (<= i 49)
                (st$ap st))
           (equal (mem$ci i st$c)
                  (lookup$a i st)))
  :rule-classes nil)
By contrast, if the exported function returns the new abstract stobj, then the conclusion uses the correspondence function insted of EQUAL, as in the following.
(defthm update{correspondence}
  (implies (and (st$corr st$c st)
                (integerp i) (<= 0 i) (<= i 49)
                (integerp v) (<= 0 v)
                (st$ap st)
                (mem$c-entryp v))
           (st$corr (update-mem$ci i v st$c)
                    (update$a i v st)))
  :rule-classes nil)
For exported functions that return multiple values, such conclusions are conjoined together over the returned values.

The :PRESERVED lemmas guarantee that updates to the abstract stobj preserve its recognizer. The fact that every exported function has this property provides justification for an optimization performed by ACL2 during generation of proof obligations for guard verification, by assuming that the recognizer always holds. The :PRESERVED lemma for the :CREATOR shows that the recognizer holds initially.

(defthm create-st{preserved}
  (st$ap (create-st$a)))
Here is a typical such lemma, for the exported function update. Note that there is no such lemma for lookup, since lookup does not return st.
(defthm update{preserved}
  (implies (and (integerp i) (<= 0 i) (<= i 49)
                (integerp v) (<= 0 v)
                (st$ap st)
                (mem$c-entryp v))
           (st$ap (update$a i v st))))

Finally, we consider the :GUARD-THM lemmas. These serve to guarantee that the guard holds for each :EXEC function. During guard verification, logical definitions are used; in particular, since each exported function is defined in the logic as the corresponding call of its :LOGIC function, guard verification shows that each call of the :LOGIC function for an exported function satisfies that function's guard. But why is this true for raw Lisp evaluation using live stobjs, where the :EXEC function is called for an exported function? The :GUARD-THM lemmas provide the answer, as they state that if the :LOGIC function's guard holds, then the :EXEC function's guard holds. Here is an example. Note that the hypotheses come from the correspondence of the concrete and abstract function as guaranteed by the :CORR function, together with the guard of the :LOGIC function; and the conclusion comes from the guard of the :EXEC function.

(defthm lookup{guard-thm}
  (implies (and (st$corr st$c c)
                (integerp i)
                (<= 0 i)
                (<= i 49)
                (st$ap st))
           (and (integerp i)
                (<= 0 i)
                (< i (mem$c-length st$c))))
  :rule-classes nil)

We conclude this EXAMPLE section by showing a short form for the defabsstobj form displayed above.

(defabsstobj st
  :exports ((lookup :exec mem$ci)
            (update :exec update-mem$ci)
            misc update-misc))


The General Form is as shown below, where the order of keywords is unimportant. Duplicate keywords are discouraged; while permitted, only the first (leftmost) occurrence of a given keyword is used. Only the :exports keyword is required.

(defabsstobj st
  :concrete concrete
  :recognizer recognizer
  :creator creator
  :corr-fn corr-fn
  :exports (e1 ... ek)
  :doc doc)
The keyword argument :EXPORTS must be supplied, and missing or nil keyword arguments have defaults as indicated below. All arguments must satisfy the conditions below.

Before we describe the arguments, we define a notion of a ``function spec'' and its ``completion''. A function spec is either a symbol or else a list of the form

(fn :kwd1 val1 ... :kwdn valn),
that is, a symbol followed by a keyword-value-listp. We view the case of a symbol, s, as the function spec (s), with no keywords. There must be no duplicate keywords. In each case that we expect a function spec, the context provides a set of valid keywords for that function spec; it is an error to provide any other keyword in the function spec. Each function spec is interpreted as its ``completion'', obtained by extending the function spec with a default value for each valid keyword as indicated below. With that interpretation, the ``exported function'' of a function spec is its car, and that function symbol and each keyword value must be a guard-verified function symbols; and moreover, the :EXEC function must not include the new abstract stobj name, st, among its formals.

We are ready to describe the arguments of defabsstobj.

St is a symbol, which names the new abstract stobj.

Concrete is the name of an existing stobj that is not an abstract stobj, i.e., was introduced with defstobj (not defabsstobj).

Recognizer is a function spec (for the recognizer function). The valid keywords are :LOGIC and :EXEC. The default for recognizer is obtained by adding the suffix "P" to name. The default value for :LOGIC is formed by adding the suffix "$AP" to recognizer; for :EXEC, by adding the suffix "$CP".

Creator is a function spec (for the creator function). The valid keywords are :LOGIC and :EXEC. The default for creator is obtained by adding the prefix "CREATE-" to name. The default value for :LOGIC is formed by adding the suffix "$A" to creator; for :EXEC, by adding the suffix "$C".

Corr-fn is a known function symbol that takes two arguments (for the correspondence theorems).

The value of :EXPORTS is a non-empty true list. Each ei is a function spec (for an exported function). The valid keywords are :LOGIC, :EXEC, :CORRESPONDENCE, and :GUARD-THM, and also :PRESERVED if and only if the specified :EXEC function returns the :CONCRETE stobj. The default values for these keywords are obtained by respectively adding the suffix "$A" "$C", "{CORRESPONDENCE}", "{GUARD-THM}", or "{PRESERVED}".

Doc, if non-nil, is a documentation string (see doc-string).

Not shown is the keyword, :MISSING; the effect of :missing t is to turn the call of defabsstobj into a corresponding call of defabsstobj-missing-events.

Note that a defabsstobj event will fail if the required lemmas -- that is, those for valid keywords :CORRESPONDENCE, :GUARD-THM, and :PRESERVED -- have not been proved, unless proofs are being skipped. Note that the exemption when skipping proofs allows the supporting lemmas to be local to books and encapsulate events. If the ld special ld-skip-proofsp is t, then the missing events are printed with a warning before the defabsstobj event is admitted; but if ld-skip-proofsp is the symbol INCLUDE-BOOK, then that warning is omitted. (Also see skip-proofs and see ld-skip-proofsp.) If however proofs are not being skipped, then the defabsstobj event will fail after printing the missing events. Advanced users may wish to see defabsstobj-missing-events for a utility that returns a data structure containing the missing lemmas. There are a few additional restrictions, as follows.

All exported function names must be new (unless redefinition is on; see ld-redefinition-action), and there must be no duplicates among them.

The :CONCRETE stobj name must be a formal parameter of the :EXEC fn of every function spec, except for the :CREATOR function spec. Also the input signatures of the :LOGIC and :EXEC function for a function spec must agree, except perhaps at the position of that :CONCRETE formal.

For function specs other than the :CREATOR function spec, the output signatures of the :LOGIC and :EXEC functions must have the same length and must agree, except perhaps at position p_out of the :CONCRETE stobj in the :EXEC function's output. If p_in is the position of the :CONCRETE stobj in the :EXEC function's formals, then the :LOGIC function's output at position p_out should match the :LOGIC function's formal at position p_in.

We conclude with some remarks.

Unlike defstobj, there is no :renaming argument. Instead, the scheme described above provides a flexible way to assign names.

Those who use the experimental extension ACL2(h), which includes function memoization (see memoize), may be aware that the memo table for a function is flushed whenever it is the case that one of its stobj inputs is updated. In fact, such flushing happens even when a stobj that is congruent to one of its stobj inputs is updated. For that purpose, an abstract stobj is considered to be congruent to its corresponding concrete stobj.