ACL2 !>(defun g (x y a) (if (zp x) a (g (- x 1) y (+ y a)))) The admission of G is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of G is described by the theorem (OR (ACL2-NUMBERP (G X Y A)) (EQUAL (G X Y A) A)). We used primitive type reasoning. Summary Form: ( DEFUN G ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) G ACL2 !>(defthm generalized-g-lemma (implies (and (natp x) (natp y) (natp a)) (equal (g x y a) (+ a (* x y))))) By the simple :definition NATP we reduce the conjecture to Goal' (IMPLIES (AND (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). Name the formula above *1. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (G X Y A). This suggestion was produced using the :induction rule G. If we let (:P A X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP X)) (:P (+ Y A) (+ -1 X) Y)) (:P A X Y)) (IMPLIES (ZP X) (:P A X Y))). This induction is justified by the same argument used to admit G. Note, however, that the unmeasured variable A is being instantiated. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. Subgoal *1/6 (IMPLIES (AND (NOT (ZP X)) (EQUAL (G (+ -1 X) Y (+ Y A)) (+ (+ Y A) (* (+ -1 X) Y))) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). By the simple :rewrite rule ASSOCIATIVITY-OF-+ we reduce the conjecture to Subgoal *1/6' (IMPLIES (AND (NOT (ZP X)) (EQUAL (G (+ -1 X) Y (+ Y A)) (+ Y A (* (+ -1 X) Y))) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :definition G and the :rewrite rules COMMUTATIVITY-OF-* and DISTRIBUTIVITY, to Subgoal *1/6'' (IMPLIES (AND (NOT (ZP X)) (EQUAL (G (+ -1 X) Y (+ Y A)) (+ Y A (* -1 Y) (* X Y))) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G (+ -1 X) Y (+ Y A)) (+ A (* X Y)))). But simplification reduces this to T, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, linear arithmetic, primitive type reasoning and the :type-prescription rule G. Subgoal *1/5 (IMPLIES (AND (NOT (ZP X)) (< (+ Y A) 0) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/4 (IMPLIES (AND (NOT (ZP X)) (NOT (INTEGERP (+ Y A))) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/3 (IMPLIES (AND (NOT (ZP X)) (< (+ -1 X) 0) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). But we reduce the conjecture to T, by the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER and primitive type reasoning. Subgoal *1/2 (IMPLIES (AND (NOT (ZP X)) (NOT (INTEGERP (+ -1 X))) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). But we reduce the conjecture to T, by the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER and primitive type reasoning. Subgoal *1/1 (IMPLIES (AND (ZP X) (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))). This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER, the :executable-counterparts of <, INTEGERP, NOT and ZP and linear arithmetic, to Subgoal *1/1' (IMPLIES (AND (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G 0 Y A) (+ A (* 0 Y)))). This simplifies, using the :definition G and the :executable-counterpart of ZP, to Subgoal *1/1'' (IMPLIES (AND (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL A (+ A (* 0 Y)))). But simplification reduces this to T, using linear arithmetic and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM GENERALIZED-G-LEMMA ...) Rules: ((:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER) (:DEFINITION G) (:DEFINITION NATP) (:DEFINITION NOT) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION G) (:REWRITE ASSOCIATIVITY-OF-+) (:REWRITE COMMUTATIVITY-OF-*) (:REWRITE DISTRIBUTIVITY) (:TYPE-PRESCRIPTION G)) Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00) Prover steps counted: 735 GENERALIZED-G-LEMMA ACL2 !>(defthm g-theorem (implies (and (natp x) (natp y)) (equal (g x y 0) (* x y)))) By the simple :definition NATP we reduce the conjecture to Goal' (IMPLIES (AND (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y)) (EQUAL (G X Y 0) (* X Y))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER, the :definition FIX, primitive type reasoning and the :rewrite rules GENERALIZED-G-LEMMA and UNICITY-OF-0. Q.E.D. Summary Form: ( DEFTHM G-THEOREM ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:DEFINITION FIX) (:DEFINITION NATP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE GENERALIZED-G-LEMMA) (:REWRITE UNICITY-OF-0)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 106 G-THEOREM ACL2 !>