w-mob101-128-62-89-117:~/class/march-2007 kaufmann$ ls
101-ordinals-make-ord.lisp      notes.txt
101-ordinals.lisp               rev3.lisp
101.lisp                        simple-demo.lisp
w-mob101-128-62-89-117:~/class/march-2007 kaufmann$ acl2
Welcome to OpenMCL Version 1.0 (DarwinPPC32)!

ACL2 Version 3.1 built November 28, 2006 23:08:33.
Copyright (C) 2006 University of Texas at Austin
ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License.

Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*).
See the documentation topic note-3-1 for recent changes.
Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt.

NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE.

ACL2 Version 3.1. Level 1. Cbd "/Users/kaufmann/class/march-2007/".
Type :help for help.
Type (good-bye) to quit completely out of ACL2.

ACL2 !>3
3
ACL2 !>(+ 3 4)
7
ACL2 !>(thm (equal (car (cons x y)) x))

But we reduce the conjecture to T, by the simple :rewrite rule CAR-CONS.

Q.E.D.

Summary
Form: ( THM ...)
Rules: ((:REWRITE CAR-CONS))
Warnings: None
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00)

Proof succeeded.
ACL2 !>(defun app (x y) (if (consp x) (cons (car x) (app (cdr x) y)) y))

The admission of APP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning.

Summary
Form: ( DEFUN APP ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Warnings: None
Time: 0.03 seconds (prove: 0.00, print: 0.01, other: 0.03)
APP
ACL2 !>:pbt 1
L 1:x(DEFUN APP (X Y) ...)
ACL2 !>:pbt 0
0 (EXIT-BOOT-STRAP-MODE)
L 1:x(DEFUN APP (X Y) ...)
ACL2 !>:u
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>:pbt 0
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>:oops

Installing the requested world. Note that functions being re-defined during this procedure will not have compiled definitions, even if they had compiled definitions before the last :ubt or :u.

L 1:x(DEFUN APP (X Y) ...)
ACL2 !>:pbt 0
0 (EXIT-BOOT-STRAP-MODE)
L 1:x(DEFUN APP (X Y) ...)
ACL2 !>(app '(3 4 5) '(a b))
(3 4 5 A B)
ACL2 !>(defun rev (x) (if (consp x) (app (rev (cdr x)) (list (car x))) nil))

The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of REV is described by the theorem (OR (CONSP (REV X)) (EQUAL (REV X) NIL)). We used primitive type reasoning and the :type-prescription rule APP.

Summary
Form: ( DEFUN REV ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:TYPE-PRESCRIPTION APP))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.01)
REV
ACL2 !>(defthm rev-app (equal (rev (app x y)) (app (rev y) (rev x))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y))
     (IMPLIES (AND (CONSP X) (:P (CDR X) Y))
              (:P X Y))).
This induction is justified by the same argument used to admit APP.
When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, to

Subgoal *1/2'
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV Y) (APP (REV Y) NIL))).

We generalize this conjecture, replacing (REV Y) by RV. This produces

Subgoal *1/2''
(IMPLIES (NOT (CONSP X)) (EQUAL RV (APP RV NIL))).

We suspect that the term (NOT (CONSP X)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove

Subgoal *1/2'''
(EQUAL RV (APP RV NIL)).

Name the formula above *1.1.

Subgoal *1/1
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X)))
                (APP (REV Y)
                     (APP (REV (CDR X)) (LIST (CAR X)))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
              (EQUAL (REV (APP X2 Y))
                     (APP (REV Y) (REV X2))))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y))
                (APP (REV Y) (REV X2)))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1))
       (APP (REV Y)
            (APP (REV X2) (LIST X1)))).
We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1))
       (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.2.

Perhaps we can prove *1.2 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV). This suggestion was produced using the :induction rule APP. If we let (:P RV RV0 X1) denote *1.2 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1))
     (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1))
              (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.2/2
(IMPLIES (NOT (CONSP RV0))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.

Subgoal *1.2/1
(IMPLIES (AND (CONSP RV0)
              (EQUAL (APP (APP (CDR RV0) RV) (LIST X1))
                     (APP (CDR RV0) (APP RV (LIST X1)))))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proof of *1.2.

We therefore turn our attention to *1.1, which is

(EQUAL RV (APP RV NIL)).

Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (APP RV 'NIL). This suggestion was produced using the :induction rule APP. If we let (:P RV) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV))
     (IMPLIES (AND (CONSP RV) (:P (CDR RV)))
              (:P RV))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV)) (EQUAL RV (APP RV NIL))).

This simplifies, using the :definition APP and primitive type reasoning, to

Subgoal *1.1/2'
(IMPLIES (NOT (CONSP RV)) (NOT RV)).

Name the formula above *1.1.1.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV)
              (EQUAL (CDR RV) (APP (CDR RV) NIL)))
         (EQUAL RV (APP RV NIL))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

So we now return to *1.1.1, which is

(IMPLIES (NOT (CONSP RV)) (NOT RV)).

No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION REV)
        (:ELIM CAR-CDR-ELIM)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION REV)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.14 seconds (prove: 0.06, print: 0.07, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(defthm app-nil (implies (true-listp x) (equal (app x nil) x)))

Name the formula above *1.

Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP X 'NIL). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X))
     (IMPLIES (AND (CONSP X) (:P (CDR X)))
              (:P X))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1/3
(IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X))
         (EQUAL (APP X NIL) X)).
But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of APP, CONSP and EQUAL and primitive type reasoning.

Subgoal *1/2
(IMPLIES (AND (CONSP X)
              (EQUAL (APP (CDR X) NIL) (CDR X))
              (TRUE-LISTP X))
         (EQUAL (APP X NIL) X)).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

Subgoal *1/1
(IMPLIES (AND (CONSP X)
              (NOT (TRUE-LISTP (CDR X)))
              (TRUE-LISTP X))
         (EQUAL (APP X NIL) X)).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proof of *1.

Q.E.D.

Summary
Form: ( DEFTHM APP-NIL ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION TRUE-LISTP)
        (:EXECUTABLE-COUNTERPART APP)
        (:EXECUTABLE-COUNTERPART CONSP)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION TRUE-LISTP)
        (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.04 seconds (prove: 0.01, print: 0.03, other: 0.00)
APP-NIL
ACL2 !>(defthm rev-app (equal (rev (app x y)) (app (rev y) (rev x))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y))
     (IMPLIES (AND (CONSP X) (:P (CDR X) Y))
              (:P X Y))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, to

Subgoal *1/2'
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV Y) (APP (REV Y) NIL))).
We generalize this conjecture, replacing (REV Y) by RV. This produces

Subgoal *1/2''
(IMPLIES (NOT (CONSP X)) (EQUAL RV (APP RV NIL))).

We suspect that the term (NOT (CONSP X)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove

Subgoal *1/2'''
(EQUAL RV (APP RV NIL)).

Name the formula above *1.1.

Subgoal *1/1
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X)))
                (APP (REV Y)
                     (APP (REV (CDR X)) (LIST (CAR X)))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
              (EQUAL (REV (APP X2 Y))
                     (APP (REV Y) (REV X2))))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y))
                (APP (REV Y) (REV X2)))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1))
       (APP (REV Y)
            (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1))
       (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.2.

Perhaps we can prove *1.2 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV). This suggestion was produced using the :induction rule APP. If we let (:P RV RV0 X1) denote *1.2 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1))
     (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1))
              (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.2/2
(IMPLIES (NOT (CONSP RV0))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.

Subgoal *1.2/1
(IMPLIES (AND (CONSP RV0)
              (EQUAL (APP (APP (CDR RV0) RV) (LIST X1))
                     (APP (CDR RV0) (APP RV (LIST X1)))))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proof of *1.2.

We therefore turn our attention to *1.1, which is

(EQUAL RV (APP RV NIL)).

Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (APP RV 'NIL). This suggestion was produced using the :induction rule APP. If we let (:P RV) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV))
     (IMPLIES (AND (CONSP RV) (:P (CDR RV)))
              (:P RV))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV)) (EQUAL RV (APP RV NIL))).

This simplifies, using the :definition APP and primitive type reasoning, to

Subgoal *1.1/2'
(IMPLIES (NOT (CONSP RV)) (NOT RV)).
Name the formula above *1.1.1.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV)
              (EQUAL (CDR RV) (APP (CDR RV) NIL)))
         (EQUAL RV (APP RV NIL))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

So we now return to *1.1.1, which is

(IMPLIES (NOT (CONSP RV)) (NOT RV)).

No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION REV)
        (:ELIM CAR-CDR-ELIM)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION REV)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.19 seconds (prove: 0.05, print: 0.14, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(defthm true-listp-rev (true-listp (rev x)))

Name the formula above *1.

Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X))
     (IMPLIES (AND (CONSP X) (:P (CDR X)))
              (:P X))).
This induction is justified by the same argument used to admit REV. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X)) (TRUE-LISTP (REV X))).

But simplification reduces this to T, using the :definition REV and the :executable-counterpart of TRUE-LISTP.

Subgoal *1/1
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X))))
         (TRUE-LISTP (REV X))).

This simplifies, using the :definition REV, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X))))
         (TRUE-LISTP (APP (REV (CDR X)) (LIST (CAR X))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2.
This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
              (TRUE-LISTP (REV X2)))
         (TRUE-LISTP (APP (REV X2) (LIST X1)))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (TRUE-LISTP (REV X2))
         (TRUE-LISTP (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV. This produces

Subgoal *1/1'4'
(IMPLIES (TRUE-LISTP RV)
         (TRUE-LISTP (APP RV (LIST X1)))).

Name the formula above *1.1.

Perhaps we can prove *1.1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP RV (CONS X1 'NIL)). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P RV X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV X1))
     (IMPLIES (AND (CONSP RV) (:P (CDR RV) X1))
              (:P RV X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1.1/3
(IMPLIES (AND (NOT (CONSP RV)) (TRUE-LISTP RV))
         (TRUE-LISTP (APP RV (LIST X1)))).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, the :executable-counterpart of CONSP and primitive type reasoning.

Subgoal *1.1/2
(IMPLIES (AND (CONSP RV)
              (TRUE-LISTP (APP (CDR RV) (LIST X1)))
              (TRUE-LISTP RV))
         (TRUE-LISTP (APP RV (LIST X1)))).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :type-prescription rule APP.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV)
              (NOT (TRUE-LISTP (CDR RV)))
              (TRUE-LISTP RV))
         (TRUE-LISTP (APP RV (LIST X1)))).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proofs of *1.1 and *1.

Q.E.D.

The storage of TRUE-LISTP-REV depends upon the :type-prescription rule TRUE-LISTP.

Summary
Form: ( DEFTHM TRUE-LISTP-REV ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION REV)
        (:DEFINITION TRUE-LISTP)
        (:ELIM CAR-CDR-ELIM)
        (:EXECUTABLE-COUNTERPART CONSP)
        (:EXECUTABLE-COUNTERPART TRUE-LISTP)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION REV)
        (:INDUCTION TRUE-LISTP)
        (:TYPE-PRESCRIPTION APP)
        (:TYPE-PRESCRIPTION TRUE-LISTP))
Warnings: None
Time: 0.10 seconds (prove: 0.02, print: 0.08, other: 0.00)
TRUE-LISTP-REV
ACL2 !>(defthm rev-app (equal (rev (app x y)) (app (rev y) (rev x))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y))
     (IMPLIES (AND (CONSP X) (:P (CDR X) Y))
              (:P X Y))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

But simplification reduces this to T, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules APP-NIL and TRUE-LISTP-REV.

Subgoal *1/1
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X)))
                (APP (REV Y)
                     (APP (REV (CDR X)) (LIST (CAR X)))))).
The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
              (EQUAL (REV (APP X2 Y))
                     (APP (REV Y) (REV X2))))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y))
                (APP (REV Y) (REV X2)))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1))
       (APP (REV Y)
            (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1))
       (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.1.

Perhaps we can prove *1.1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV). This suggestion was produced using the :induction rule APP. If we let (:P RV RV0 X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1))
     (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1))
              (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV0))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.
Subgoal *1.1/1
(IMPLIES (AND (CONSP RV0)
              (EQUAL (APP (APP (CDR RV0) RV) (LIST X1))
                     (APP (CDR RV0) (APP RV (LIST X1)))))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proofs of *1.1 and *1.

Q.E.D.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION REV)
        (:ELIM CAR-CDR-ELIM)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION REV)
        (:REWRITE APP-NIL)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE TRUE-LISTP-REV))
Warnings: None
Time: 0.13 seconds (prove: 0.04, print: 0.09, other: 0.00)
REV-APP
ACL2 !>:u
4:x(DEFTHM TRUE-LISTP-REV ...)
ACL2 !>:u
3:x(DEFTHM APP-NIL ...)
ACL2 !>(defthm rev-app (equal (rev (app x y)) (app (rev y) (rev x))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y))
     (IMPLIES (AND (CONSP X) (:P (CDR X) Y))
              (:P X Y))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, to

Subgoal *1/2'
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV Y) (APP (REV Y) NIL))).

We generalize this conjecture, replacing (REV Y) by RV. This produces

Subgoal *1/2''
(IMPLIES (NOT (CONSP X)) (EQUAL RV (APP RV NIL))).
We suspect that the term (NOT (CONSP X)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove

Subgoal *1/2'''
(EQUAL RV (APP RV NIL)).

Name the formula above *1.1.

Subgoal *1/1
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X)
              (EQUAL (REV (APP (CDR X) Y))
                     (APP (REV Y) (REV (CDR X)))))
         (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X)))
                (APP (REV Y)
                     (APP (REV (CDR X)) (LIST (CAR X)))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
              (EQUAL (REV (APP X2 Y))
                     (APP (REV Y) (REV X2))))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y))
                (APP (REV Y) (REV X2)))
         (EQUAL (APP (REV (APP X2 Y)) (LIST X1))
                (APP (REV Y)
                     (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1))
       (APP (REV Y)
            (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1))
       (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.2.

Perhaps we can prove *1.2 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV).
This suggestion was produced using the :induction rule APP. If we let (:P RV RV0 X1) denote *1.2 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1))
     (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1))
              (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.2/2
(IMPLIES (NOT (CONSP RV0))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.

Subgoal *1.2/1
(IMPLIES (AND (CONSP RV0)
              (EQUAL (APP (APP (CDR RV0) RV) (LIST X1))
                     (APP (CDR RV0) (APP RV (LIST X1)))))
         (EQUAL (APP (APP RV0 RV) (LIST X1))
                (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proof of *1.2.

We therefore turn our attention to *1.1, which is

(EQUAL RV (APP RV NIL)).

Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (APP RV 'NIL). This suggestion was produced using the :induction rule APP. If we let (:P RV) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV))
     (IMPLIES (AND (CONSP RV) (:P (CDR RV)))
              (:P RV))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV)) (EQUAL RV (APP RV NIL))).

This simplifies, using the :definition APP and primitive type reasoning, to

Subgoal *1.1/2'
(IMPLIES (NOT (CONSP RV)) (NOT RV)).

Name the formula above *1.1.1.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV)
              (EQUAL (CDR RV) (APP (CDR RV) NIL)))
         (EQUAL RV (APP RV NIL))).
But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

So we now return to *1.1.1, which is

(IMPLIES (NOT (CONSP RV)) (NOT RV)).

No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP)
        (:DEFINITION REV)
        (:ELIM CAR-CDR-ELIM)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION APP)
        (:INDUCTION REV)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.12 seconds (prove: 0.04, print: 0.08, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(verify (IMPLIES (NOT (CONSP X)) (EQUAL (REV Y) (APP (REV Y) NIL))))
->: p
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV Y) (APP (REV Y) NIL)))
->: th

*** Top-level hypotheses:
There are no top-level hypotheses.

The current subterm is:
(IMPLIES (NOT (CONSP X))
         (EQUAL (REV Y) (APP (REV Y) NIL)))
->: promote
->: th

*** Top-level hypotheses:
1. (NOT (CONSP X))

The current subterm is:
(EQUAL (REV Y) (APP (REV Y) NIL))
->: 2
->: p
(APP (REV Y) NIL)
->: undo

Undoing: (:DV 2)
->: p
(EQUAL (REV Y) (APP (REV Y) NIL))
->: (dv 2 0)
->: p
(APP (REV Y) NIL)
->: p-top
(EQUAL (REV Y) (*** (APP (REV Y) NIL) ***))
->: p
(APP (REV Y) NIL)
->: th

*** Top-level hypotheses:
1. (NOT (CONSP X))

The current subterm is:
(APP (REV Y) NIL)
->: show-rewrites

1. APP-NIL
  New term: (REV Y)
  Hypotheses: ((TRUE-LISTP (REV Y)))
  Equiv: EQUAL

2. APP
  New term: (AND (CONSP (REV Y)) (CONS (CAR (REV Y)) (APP (CDR (REV Y)) NIL)))
  Hypotheses:
  Equiv: EQUAL
->: sr

1. APP-NIL
  New term: (REV Y)
  Hypotheses: ((TRUE-LISTP (REV Y)))
  Equiv: EQUAL

2. APP
  New term: (AND (CONSP (REV Y)) (CONS (CAR (REV Y)) (APP (CDR (REV Y)) NIL)))
  Hypotheses:
  Equiv: EQUAL
->: (r 1)
Rewriting with APP-NIL.

Creating one new goal: (MAIN . 1).
->: goals

MAIN
(MAIN . 1)
->: p
(REV Y)
->: p-top
(EQUAL (REV Y) (*** (REV Y) ***))
->: top
->: p
(EQUAL (REV Y) (REV Y))
->: s

The proof of the current goal, MAIN, has been completed. However, the following subgoals remain to be proved:
(MAIN . 1).
Now proving (MAIN . 1).
->: goals

(MAIN . 1)
->: th

*** Top-level hypotheses:
1. (NOT (CONSP X))

The current subterm is:
(TRUE-LISTP (REV Y))
->: exit
Exiting....
NIL
ACL2 !>(good-bye)
Quitting ACL2 and lisp; this may take a moment. For faster response time, exit the ACL2 loop with :q and then: type (GOOD-BYE) or (CCL:QUIT), then .
ACL2 !>ACL2 !>w-mob101-128-62-89-117:~/class/march-2007 kaufmann$
w-mob101-128-62-89-117:~/class/march-2007 kaufmann$ acl2
Welcome to OpenMCL Version 1.0 (DarwinPPC32)!

ACL2 Version 3.1 built November 28, 2006 23:08:33.
Copyright (C) 2006 University of Texas at Austin
ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License.

Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*).
See the documentation topic note-3-1 for recent changes.
Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt.

NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE.

ACL2 Version 3.1. Level 1. Cbd "/Users/kaufmann/class/march-2007/".
Type :help for help.
Type (good-bye) to quit completely out of ACL2.

ACL2 !>(certify-book "simple-demo")

CERTIFICATION ATTEMPT FOR "/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 Version 3.1

* Step 1: Read "/Users/kaufmann/class/march-2007/simple-demo.lisp" and compute its check sum.

* Step 2: There were six forms in the file.
We now attempt to establish that each form, whether local or non-local, is indeed an admissible embedded event form in the context of the previously admitted ones. Note that proof-tree output is inhibited during this check; see :DOC proof-tree.

ACL2 >>(DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))

The admission of APP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning.

Summary
Form: ( DEFUN APP ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02)
APP

ACL2 >>(DEFUN REV (X) (IF (CONSP X) (APP (REV (CDR X)) (LIST (CAR X))) NIL))

The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of REV is described by the theorem (OR (CONSP (REV X)) (EQUAL (REV X) NIL)). We used primitive type reasoning and the :type-prescription rule APP.

Summary
Form: ( DEFUN REV ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL) (:TYPE-PRESCRIPTION APP))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.01)
REV

ACL2 >>(DEFTHM APP-NIL (IMPLIES (TRUE-LISTP X) (EQUAL (APP X NIL) X)))

Name the formula above *1.

Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP X 'NIL). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X)) (IMPLIES (AND (CONSP X) (:P (CDR X))) (:P X))).
This induction is justified by the same argument used to admit APP.
When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1/3
(IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of APP, CONSP and EQUAL and primitive type reasoning.

Subgoal *1/2
(IMPLIES (AND (CONSP X) (EQUAL (APP (CDR X) NIL) (CDR X)) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

Subgoal *1/1
(IMPLIES (AND (CONSP X) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proof of *1.

Q.E.D.

Summary
Form: ( DEFTHM APP-NIL ...)
Rules: ((:DEFINITION APP) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART APP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION TRUE-LISTP) (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.02, other: 0.00)
APP-NIL

ACL2 >>(DEFTHM TRUE-LISTP-REV (TRUE-LISTP (REV X)))

Name the formula above *1.

Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X)) (IMPLIES (AND (CONSP X) (:P (CDR X))) (:P X))).
This induction is justified by the same argument used to admit REV. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X)) (TRUE-LISTP (REV X))).

But simplification reduces this to T, using the :definition REV and the :executable-counterpart of TRUE-LISTP.
Subgoal *1/1
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X)))) (TRUE-LISTP (REV X))).

This simplifies, using the :definition REV, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X)))) (TRUE-LISTP (APP (REV (CDR X)) (LIST (CAR X))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2)) (TRUE-LISTP (REV X2))) (TRUE-LISTP (APP (REV X2) (LIST X1)))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (TRUE-LISTP (REV X2)) (TRUE-LISTP (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV. This produces

Subgoal *1/1'4'
(IMPLIES (TRUE-LISTP RV) (TRUE-LISTP (APP RV (LIST X1)))).

Name the formula above *1.1.

Perhaps we can prove *1.1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP RV (CONS X1 'NIL)). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P RV X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV X1)) (IMPLIES (AND (CONSP RV) (:P (CDR RV) X1)) (:P RV X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1.1/3
(IMPLIES (AND (NOT (CONSP RV)) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, the :executable-counterpart of CONSP and primitive type reasoning.

Subgoal *1.1/2
(IMPLIES (AND (CONSP RV) (TRUE-LISTP (APP (CDR RV) (LIST X1))) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).
But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :type-prescription rule APP.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV) (NOT (TRUE-LISTP (CDR RV))) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proofs of *1.1 and *1.

Q.E.D.

The storage of TRUE-LISTP-REV depends upon the :type-prescription rule TRUE-LISTP.

Summary
Form: ( DEFTHM TRUE-LISTP-REV ...)
Rules: ((:DEFINITION APP) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:ELIM CAR-CDR-ELIM) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART TRUE-LISTP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:INDUCTION TRUE-LISTP) (:TYPE-PRESCRIPTION APP) (:TYPE-PRESCRIPTION TRUE-LISTP))
Warnings: None
Time: 0.05 seconds (prove: 0.01, print: 0.03, other: 0.00)
TRUE-LISTP-REV

ACL2 >>(DEFTHM REV-APP (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y)) (IMPLIES (AND (CONSP X) (:P (CDR X) Y)) (:P X Y))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

But simplification reduces this to T, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules APP-NIL and TRUE-LISTP-REV.
Subgoal *1/1
(IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.1.

Perhaps we can prove *1.1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV). This suggestion was produced using the :induction rule APP.
If we let (:P RV RV0 X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1)) (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1)) (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV0)) (EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV0) (EQUAL (APP (APP (CDR RV0) RV) (LIST X1)) (APP (CDR RV0) (APP RV (LIST X1))))) (EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proofs of *1.1 and *1.

Q.E.D.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE TRUE-LISTP-REV))
Warnings: None
Time: 0.09 seconds (prove: 0.03, print: 0.06, other: 0.00)
REV-APP

* Step 3: That completes the admissibility check. Each form read was an embedded event form and was admissible. We now retract back to the initial world and try to include the book. This may expose local incompatibilities.

Summary
Form: ( INCLUDE-BOOK "simple-demo" ...)
Rules: NIL
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02)

ACL2 Warning [Guards] in (CERTIFY-BOOK "simple-demo" ...): The book "/Users/kaufmann/class/march-2007/simple-demo.lisp" defines the functions APP and REV, which have not had their guards verified. See :DOC guards.
* Step 4: Write the certificate for "/Users/kaufmann/class/march-2007/simple-demo.lisp" in "/Users/kaufmann/class/march-2007/simple-demo.cert". The final check sum alist is
(("/Users/kaufmann/class/march-2007/simple-demo.lisp" "simple-demo" "simple-demo" ((:SKIPPED-PROOFSP) (:AXIOMSP) (:TTAGS)) . 112006708)).

* Step 5: Compile the functions defined in "/Users/kaufmann/class/march-2007/simple-demo.lisp".
"/Users/kaufmann/class/march-2007/simple-demo.dfsl"

Summary
Form: (CERTIFY-BOOK "simple-demo" ...)
Rules: NIL
Warnings: Guards
Time: 0.25 seconds (prove: 0.05, print: 0.12, other: 0.09)
"/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 !>:pbt 0
0 (EXIT-BOOT-STRAP-MODE)
1:x(CERTIFY-BOOK "simple-demo")
ACL2 !>:u
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>(include-book "simple-demo")

Summary
Form: ( INCLUDE-BOOK "simple-demo" ...)
Rules: NIL
Warnings: None
Time: 0.03 seconds (prove: 0.00, print: 0.00, other: 0.03)
"/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 !>:pbt 0
0 (EXIT-BOOT-STRAP-MODE)
1:x(INCLUDE-BOOK "simple-demo")
ACL2 !>:pcb! :x
1:x(INCLUDE-BOOK "simple-demo")
(INCLUDE-BOOK "/Users/kaufmann/class/march-2007/simple-demo.lisp")
L (DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))
L (DEFUN REV (X) (IF (CONSP X) (APP (REV (CDR X)) (LIST (CAR X))) NIL))
(DEFTHM APP-NIL (IMPLIES (TRUE-LISTP X) (EQUAL (APP X NIL) X)))
(DEFTHM TRUE-LISTP-REV (TRUE-LISTP (REV X)))
(DEFTHM REV-APP (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X))))
ACL2 !>(good-bye)
Quitting ACL2 and lisp; this may take a moment. For faster response time, exit the ACL2 loop with :q and then: type (GOOD-BYE) or (CCL:QUIT), then .
ACL2 !>ACL2 !>w-mob101-128-62-89-117:~/class/march-2007 kaufmann$ acl2
Welcome to OpenMCL Version 1.0 (DarwinPPC32)!

ACL2 Version 3.1 built November 28, 2006 23:08:33.
Copyright (C) 2006 University of Texas at Austin
ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions.
For details, see the GNU General Public License.

Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*).
See the documentation topic note-3-1 for recent changes.
Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt.

NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE.

ACL2 Version 3.1. Level 1. Cbd "/Users/kaufmann/class/march-2007/".
Type :help for help.
Type (good-bye) to quit completely out of ACL2.

ACL2 !>(certify-book "simple-demo")

CERTIFICATION ATTEMPT FOR "/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 Version 3.1

* Step 1: Read "/Users/kaufmann/class/march-2007/simple-demo.lisp" and compute its check sum.

* Step 2: There were six forms in the file. We now attempt to establish that each form, whether local or non-local, is indeed an admissible embedded event form in the context of the previously admitted ones. Note that proof-tree output is inhibited during this check; see :DOC proof-tree.

ACL2 >>(DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))

The admission of APP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning.

Summary
Form: ( DEFUN APP ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.01, other: 0.02)
APP

ACL2 >>(DEFUN REV (X) (IF (CONSP X) (APP (REV (CDR X)) (LIST (CAR X))) NIL))

The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X).
We observe that the type of REV is described by the theorem (OR (CONSP (REV X)) (EQUAL (REV X) NIL)). We used primitive type reasoning and the :type-prescription rule APP.

Summary
Form: ( DEFUN REV ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL) (:TYPE-PRESCRIPTION APP))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.01)
REV

ACL2 >>(LOCAL (DEFTHM APP-NIL (IMPLIES (TRUE-LISTP X) (EQUAL (APP X NIL) X))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP X 'NIL). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X)) (IMPLIES (AND (CONSP X) (:P (CDR X))) (:P X))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1/3
(IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of APP, CONSP and EQUAL and primitive type reasoning.

Subgoal *1/2
(IMPLIES (AND (CONSP X) (EQUAL (APP (CDR X) NIL) (CDR X)) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR.

Subgoal *1/1
(IMPLIES (AND (CONSP X) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (APP X NIL) X)).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proof of *1.

Q.E.D.

Summary
Form: ( DEFTHM APP-NIL ...)
Rules: ((:DEFINITION APP) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART APP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION TRUE-LISTP) (:REWRITE CONS-CAR-CDR))
Warnings: None
Time: 0.02 seconds (prove: 0.00, print: 0.02, other: 0.00)
APP-NIL

ACL2 >>(LOCAL (DEFTHM TRUE-LISTP-REV (TRUE-LISTP (REV X))))

Name the formula above *1.

Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X)) (IMPLIES (AND (CONSP X) (:P (CDR X))) (:P X))).
This induction is justified by the same argument used to admit REV. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X)) (TRUE-LISTP (REV X))).

But simplification reduces this to T, using the :definition REV and the :executable-counterpart of TRUE-LISTP.

Subgoal *1/1
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X)))) (TRUE-LISTP (REV X))).

This simplifies, using the :definition REV, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X) (TRUE-LISTP (REV (CDR X)))) (TRUE-LISTP (APP (REV (CDR X)) (LIST (CAR X))))).

The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2)) (TRUE-LISTP (REV X2))) (TRUE-LISTP (APP (REV X2) (LIST X1)))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (TRUE-LISTP (REV X2)) (TRUE-LISTP (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV. This produces

Subgoal *1/1'4'
(IMPLIES (TRUE-LISTP RV) (TRUE-LISTP (APP RV (LIST X1)))).

Name the formula above *1.1.
Perhaps we can prove *1.1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one.

We will induct according to a scheme suggested by (APP RV (CONS X1 'NIL)). This suggestion was produced using the :induction rules APP and TRUE-LISTP. If we let (:P RV X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV)) (:P RV X1)) (IMPLIES (AND (CONSP RV) (:P (CDR RV) X1)) (:P RV X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals.

Subgoal *1.1/3
(IMPLIES (AND (NOT (CONSP RV)) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, the :executable-counterpart of CONSP and primitive type reasoning.

Subgoal *1.1/2
(IMPLIES (AND (CONSP RV) (TRUE-LISTP (APP (CDR RV) (LIST X1))) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).

But simplification reduces this to T, using the :definitions APP and TRUE-LISTP, primitive type reasoning and the :type-prescription rule APP.

Subgoal *1.1/1
(IMPLIES (AND (CONSP RV) (NOT (TRUE-LISTP (CDR RV))) (TRUE-LISTP RV)) (TRUE-LISTP (APP RV (LIST X1)))).

But we reduce the conjecture to T, by primitive type reasoning.

That completes the proofs of *1.1 and *1.

Q.E.D.

The storage of TRUE-LISTP-REV depends upon the :type-prescription rule TRUE-LISTP.

Summary
Form: ( DEFTHM TRUE-LISTP-REV ...)
Rules: ((:DEFINITION APP) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:ELIM CAR-CDR-ELIM) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART TRUE-LISTP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:INDUCTION TRUE-LISTP) (:TYPE-PRESCRIPTION APP) (:TYPE-PRESCRIPTION TRUE-LISTP))
Warnings: None
Time: 0.07 seconds (prove: 0.01, print: 0.06, other: 0.00)
TRUE-LISTP-REV

ACL2 >>(DEFTHM REV-APP (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X))))

Name the formula above *1.

Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X Y)) (IMPLIES (AND (CONSP X) (:P (CDR X) Y)) (:P X Y))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1/2
(IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

But simplification reduces this to T, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules APP-NIL and TRUE-LISTP-REV.

Subgoal *1/1
(IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))).

This simplifies, using the :definitions APP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to

Subgoal *1/1'
(IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))).
The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal.

Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))).

This simplifies, using primitive type reasoning, to

Subgoal *1/1'''
(IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))).

We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces

Subgoal *1/1'4'
(EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))).

We generalize this conjecture, replacing (REV X2) by RV and (REV Y) by RV0. This produces

Subgoal *1/1'5'
(EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1)))).

Name the formula above *1.1.

Perhaps we can prove *1.1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate.

We will induct according to a scheme suggested by (APP RV0 RV). This suggestion was produced using the :induction rule APP. If we let (:P RV RV0 X1) denote *1.1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP RV0)) (:P RV RV0 X1)) (IMPLIES (AND (CONSP RV0) (:P RV (CDR RV0) X1)) (:P RV RV0 X1))).
This induction is justified by the same argument used to admit APP. When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals.

Subgoal *1.1/2
(IMPLIES (NOT (CONSP RV0)) (EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP and primitive type reasoning.
Subgoal *1.1/1
(IMPLIES (AND (CONSP RV0) (EQUAL (APP (APP (CDR RV0) RV) (LIST X1)) (APP (CDR RV0) (APP RV (LIST X1))))) (EQUAL (APP (APP RV0 RV) (LIST X1)) (APP RV0 (APP RV (LIST X1))))).

But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

That completes the proofs of *1.1 and *1.

Q.E.D.

Summary
Form: ( DEFTHM REV-APP ...)
Rules: ((:DEFINITION APP) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE TRUE-LISTP-REV))
Warnings: None
Time: 0.09 seconds (prove: 0.03, print: 0.06, other: 0.00)
REV-APP

* Step 3: That completes the admissibility check. Each form read was an embedded event form and was admissible. We now retract back to the initial world and try to include the book. This may expose local incompatibilities.

Summary
Form: ( INCLUDE-BOOK "simple-demo" ...)
Rules: NIL
Warnings: None
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)

ACL2 Warning [Guards] in (CERTIFY-BOOK "simple-demo" ...): The book "/Users/kaufmann/class/march-2007/simple-demo.lisp" defines the functions APP and REV, which have not had their guards verified. See :DOC guards.

* Step 4: Write the certificate for "/Users/kaufmann/class/march-2007/simple-demo.lisp" in "/Users/kaufmann/class/march-2007/simple-demo.cert". The final check sum alist is
(("/Users/kaufmann/class/march-2007/simple-demo.lisp" "simple-demo" "simple-demo" ((:SKIPPED-PROOFSP) (:AXIOMSP) (:TTAGS)) . 111692738)).

* Step 5: Compile the functions defined in "/Users/kaufmann/class/march-2007/simple-demo.lisp".
"/Users/kaufmann/class/march-2007/simple-demo.dfsl"

Summary
Form: (CERTIFY-BOOK "simple-demo" ...)
Rules: NIL
Warnings: Guards
Time: 0.28 seconds (prove: 0.05, print: 0.15, other: 0.08)
"/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 !>:pcb! :x
1:x(CERTIFY-BOOK "simple-demo")
(INCLUDE-BOOK "/Users/kaufmann/class/march-2007/simple-demo.lisp" :LOAD-COMPILED-FILE NIL :UNCERTIFIED-OKP NIL :DEFAXIOMS-OKP NIL :SKIP-PROOFS-OKP NIL)
L (DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))
L (DEFUN REV (X) (IF (CONSP X) (APP (REV (CDR X)) (LIST (CAR X))) NIL))
(DEFTHM REV-APP (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X))))
ACL2 !>:pe app
1:x(CERTIFY-BOOK "simple-demo")
\
[Included books, outermost to innermost:
"/Users/kaufmann/class/march-2007/simple-demo.lisp"
]
\
>L (DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))
ACL2 !>:pe app-nil

ACL2 Error in :PE: The object APP-NIL is not a logical name. See :DOC logical-name.

ACL2 !>:u
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>(include-book "simple-demo")

Summary
Form: ( INCLUDE-BOOK "simple-demo" ...)
Rules: NIL
Warnings: None
Time: 0.03 seconds (prove: 0.00, print: 0.00, other: 0.03)
"/Users/kaufmann/class/march-2007/simple-demo.lisp"
ACL2 !>:pe app-nil

ACL2 Error in :PE: The object APP-NIL is not a logical name. See :DOC logical-name.

ACL2 !>:pcb! :x
1:x(INCLUDE-BOOK "simple-demo")
(INCLUDE-BOOK "/Users/kaufmann/class/march-2007/simple-demo.lisp")
L (DEFUN APP (X Y) (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y))
L (DEFUN REV (X) (IF (CONSP X) (APP (REV (CDR X)) (LIST (CAR X))) NIL))
(DEFTHM REV-APP (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X))))
ACL2 !>:u
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>:pbt 0
0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>(defun f4 (x y q)
  (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (if (p y) (cons (m y) 2) 1)) 0) 0)))
  (if (p x)
      (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q)))
    4))

ACL2 Error in ( DEFUN F4 ...): The symbol P (in package "ACL2") has neither a function nor macro definition in ACL2. Please define it.

Summary
Form: ( DEFUN F4 ...)
Rules: NIL
Warnings: None
Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********

ACL2 !>(encapsulate
 ((p (x) t)
  (m (x) t)
  (up (x) t)
  (dn (x) t))
 (local (defun p (x) (posp x))) ; or, (not (zp x))
 (local (defun m (x) (nfix x))) ; or, (acl2-count x)
 (defthm o-p-m (o-p (m x)))
 (local (defun dn (x) (1- x))) ; or, (- x 1)
 (defthm dn-goes-down
   (implies (p x) (o< (m (dn x)) (m x))))
 (local (defun up (x) (1+ x))) ; or, x
 )

To verify that the six encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral.

Encapsulated Events:

ACL2 !>>(LOCAL (DEFUN P (X) (POSP X)))

Since P is non-recursive, its admission is trivial. We observe that the type of P is described by the theorem (OR (EQUAL (P X) T) (EQUAL (P X) NIL)). We used the :compound-recognizer rule POSP-COMPOUND-RECOGNIZER.

Summary
Form: ( DEFUN P ...)
Rules: ((:COMPOUND-RECOGNIZER POSP-COMPOUND-RECOGNIZER))
Warnings: None
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00)
P

ACL2 !>>(LOCAL (DEFUN M (X) (NFIX X)))

Since M is non-recursive, its admission is trivial. We observe that the type of M is described by the theorem (AND (INTEGERP (M X)) (<= 0 (M X))). We used the :type-prescription rule NFIX.

Summary
Form: ( DEFUN M ...)
Rules: ((:TYPE-PRESCRIPTION NFIX))
Warnings: None
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
M

ACL2 !>>(DEFTHM O-P-M (O-P (M X)))

ACL2 Warning [Non-rec] in ( DEFTHM O-P-M ...): A :REWRITE rule generated from O-P-M will be triggered only by terms containing the non-recursive function symbol M. Unless this function is disabled, this rule is unlikely ever to be used.

By the simple :definition M we reduce the conjecture to

Goal'
(O-P (NFIX X)).

But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER and the :definitions NFIX, O-FINP and O-P.

Q.E.D.
The storage of O-P-M depends upon the :type-prescription rule O-P.

Summary
Form: ( DEFTHM O-P-M ...)
Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:DEFINITION M) (:DEFINITION NFIX) (:DEFINITION O-FINP) (:DEFINITION O-P) (:TYPE-PRESCRIPTION O-P))
Warnings: Non-rec
Time: 0.06 seconds (prove: 0.00, print: 0.00, other: 0.05)
O-P-M

ACL2 !>>(LOCAL (DEFUN DN (X) (1- X)))

Since DN is non-recursive, its admission is trivial. We observe that the type of DN is described by the theorem (ACL2-NUMBERP (DN X)). We used primitive type reasoning.

Summary
Form: ( DEFUN DN ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Warnings: None
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
DN

ACL2 !>>(DEFTHM DN-GOES-DOWN (IMPLIES (P X) (O< (M (DN X)) (M X))))

ACL2 Warning [Non-rec] in ( DEFTHM DN-GOES-DOWN ...): A :REWRITE rule generated from DN-GOES-DOWN will be triggered only by terms containing the non-recursive function symbols DN and M. Unless these functions are disabled, this rule is unlikely ever to be used.

By the simple :definitions DN, M, P and POSP we reduce the conjecture to

Goal'
(IMPLIES (AND (INTEGERP X) (< 0 X)) (O< (NFIX (+ -1 X)) (NFIX X))).

This simplifies, using the :definitions NFIX, O-FINP and O< and primitive type reasoning, to

Goal''
(IMPLIES (AND (INTEGERP X) (< 0 X)) (< (+ -1 X) X)).

But simplification reduces this to T, using linear arithmetic and primitive type reasoning.

Q.E.D.

The storage of DN-GOES-DOWN depends upon the :type-prescription rule O<.

Summary
Form: ( DEFTHM DN-GOES-DOWN ...)
Rules: ((:DEFINITION DN) (:DEFINITION M) (:DEFINITION NFIX) (:DEFINITION O-FINP) (:DEFINITION O<) (:DEFINITION P) (:DEFINITION POSP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:TYPE-PRESCRIPTION O<))
Warnings: Non-rec
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00)
DN-GOES-DOWN

ACL2 !>>(LOCAL (DEFUN UP (X) (1+ X)))

Since UP is non-recursive, its admission is trivial.
We observe that the type of UP is described by the theorem (ACL2-NUMBERP (UP X)). We used primitive type reasoning. Summary Form: ( DEFUN UP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) UP End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with every one of the functions P, M, UP and DN: (AND (O-P (M X)) (IMPLIES (P X) (O< (M (DN X)) (M X)))) Summary Form: ( ENCAPSULATE ((P ...) ...) ...) Rules: NIL Warnings: Non-rec Time: 0.11 seconds (prove: 0.00, print: 0.02, other: 0.09) T ACL2 !>(defun f4 (x y q) (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (if (p y) (cons (m y) 2) 1)) 0) 0))) (if (p x) (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q))) 4)) For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)) (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))) (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)))). By case analysis we reduce the conjecture to the following three conjectures. Subgoal 3 (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)). This simplifies, using trivial observations, to the following four conjectures. 
Subgoal 3.4 (IMPLIES (NOT (P X)) (O-P 0)). But we reduce the conjecture to T, by the :executable-counterpart of O-P. Subgoal 3.3 (IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and O-P-M, to the following two conjectures. Subgoal 3.3.2 (IMPLIES (P X) (NOT (EQUAL 0 (M X)))). Name the formula above *1. Subgoal 3.3.1 (IMPLIES (AND (P X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *2. Subgoal 3.2 (IMPLIES (AND (P X) (NOT Q) (NOT (P Y))) (O-P '(1 . 0))). By the :executable-counterpart of O-P we reduce the conjecture to Subgoal 3.2' (IMPLIES (AND (P X) (NOT Q)) (P Y)). This simplifies, using trivial observations, to Subgoal 3.2'' (IMPLIES (P X) (P Y)). Name the formula above *3. Subgoal 3.1 (IMPLIES (AND (P X) (NOT Q) (P Y)) (O-P (CONS (CONS (M Y) 2) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and O-P-M, to the following two conjectures. Subgoal 3.1.2 (IMPLIES (AND (P X) (P Y)) (NOT (EQUAL 0 (M Y)))). Name the formula above *4. Subgoal 3.1.1 (IMPLIES (AND (P X) (P Y) (NOT (CONSP (M Y)))) (< 0 (M Y))). Name the formula above *5. Subgoal 2 (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :executable-counterpart of NOT, to the following two conjectures. Subgoal 2.2 (IMPLIES (AND (P X) (P Y)) (O< (CONS (CONS (M Y) 1) 0) (CONS (CONS (M Y) 2) 0))).
But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal 2.1 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 '(1 . 0))). But we reduce the conjecture to T, by the :executable-counterpart of O<. Subgoal 1 (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following three conjectures. Subgoal 1.3 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning. Subgoal 1.2 (IMPLIES (AND (P X) (P Y) (P (DN X))) (O< (CONS (CONS (M (DN X)) 2) 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to Subgoal 1.2' (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). Name the formula above *6. Subgoal 1.1 (IMPLIES (AND (P X) (P Y) (NOT (P (DN X)))) (O< '(1 . 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of <, EQUAL, O-FINP, O-FIRST-COEFF and O-FIRST-EXPT, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DEFAULT-<-1, to Subgoal 1.1' (IMPLIES (AND (P X) (P Y) (NOT (P (DN X))) (M X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *7. But this formula is subsumed by *5, which we'll try to prove later. We therefore regard *7 as proved (pending the proof of the more general *5).
We next consider *6, which is (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). No induction schemes are suggested by *6. Consequently, the proof attempt has failed. ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed. Summary Form: ( DEFUN F4 ...) Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O-FIRST-COEFF) (:DEFINITION O-FIRST-EXPT) (:DEFINITION O-P) (:DEFINITION O-RST) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O-FINP) (:EXECUTABLE-COUNTERPART O-FIRST-COEFF) (:EXECUTABLE-COUNTERPART O-FIRST-EXPT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART POSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-<-1) (:REWRITE DN-GOES-DOWN) (:REWRITE O-P-M)) Warnings: None Time: 0.12 seconds (prove: 0.03, print: 0.08, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>:start-proof-tree Proof tree output is now enabled. Note that :START-PROOF-TREE works by removing 'proof-tree from the inhibit-output-lst; see :DOC set-inhibit-output-lst. ACL2 !>(defun f4 (x y q) (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (if (p y) (cons (m y) 2) 1)) 0) 0))) (if (p x) (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q))) 4)) For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0).
The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)) (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))) (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)))). << Starting proof tree logging >> By case analysis we reduce the conjecture to the following three conjectures. Subgoal 3 (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)). This simplifies, using trivial observations, to the following four conjectures. Subgoal 3.4 (IMPLIES (NOT (P X)) (O-P 0)). But we reduce the conjecture to T, by the :executable-counterpart of O-P. Subgoal 3.3 (IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and O-P-M, to the following two conjectures. Subgoal 3.3.2 (IMPLIES (P X) (NOT (EQUAL 0 (M X)))). Name the formula above *1. Subgoal 3.3.1 (IMPLIES (AND (P X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *2. Subgoal 3.2 (IMPLIES (AND (P X) (NOT Q) (NOT (P Y))) (O-P '(1 . 0))). By the :executable-counterpart of O-P we reduce the conjecture to Subgoal 3.2' (IMPLIES (AND (P X) (NOT Q)) (P Y)). This simplifies, using trivial observations, to Subgoal 3.2'' (IMPLIES (P X) (P Y)). Name the formula above *3. Subgoal 3.1 (IMPLIES (AND (P X) (NOT Q) (P Y)) (O-P (CONS (CONS (M Y) 2) 0))).
This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and O-P-M, to the following two conjectures. Subgoal 3.1.2 (IMPLIES (AND (P X) (P Y)) (NOT (EQUAL 0 (M Y)))). Name the formula above *4. Subgoal 3.1.1 (IMPLIES (AND (P X) (P Y) (NOT (CONSP (M Y)))) (< 0 (M Y))). Name the formula above *5. Subgoal 2 (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :executable-counterpart of NOT, to the following two conjectures. Subgoal 2.2 (IMPLIES (AND (P X) (P Y)) (O< (CONS (CONS (M Y) 1) 0) (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal 2.1 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 '(1 . 0))). But we reduce the conjecture to T, by the :executable-counterpart of O<. Subgoal 1 (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following three conjectures. Subgoal 1.3 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning. Subgoal 1.2 (IMPLIES (AND (P X) (P Y) (P (DN X))) (O< (CONS (CONS (M (DN X)) 2) 0) (CONS (CONS (M X) 1) 0))).
This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to Subgoal 1.2' (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). Name the formula above *6. Subgoal 1.1 (IMPLIES (AND (P X) (P Y) (NOT (P (DN X)))) (O< '(1 . 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of <, EQUAL, O-FINP, O-FIRST-COEFF and O-FIRST-EXPT, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DEFAULT-<-1, to Subgoal 1.1' (IMPLIES (AND (P X) (P Y) (NOT (P (DN X))) (M X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *7. But this formula is subsumed by *5, which we'll try to prove later. We therefore regard *7 as proved (pending the proof of the more general *5). We next consider *6, which is (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). No induction schemes are suggested by *6. Consequently, the proof attempt has failed. ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed. Summary Form: ( DEFUN F4 ...)
Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O-FIRST-COEFF) (:DEFINITION O-FIRST-EXPT) (:DEFINITION O-P) (:DEFINITION O-RST) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O-FINP) (:EXECUTABLE-COUNTERPART O-FIRST-COEFF) (:EXECUTABLE-COUNTERPART O-FIRST-EXPT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART POSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-<-1) (:REWRITE DN-GOES-DOWN) (:REWRITE O-P-M)) Warnings: None Time: 0.26 seconds (prove: 0.04, print: 0.08, proof tree: 0.14, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm lemma-1 (implies (p x) (not (equal 0 (m x)))) ; (equal (equal 0 (m x)) nil) :hints (("Goal" :in-theory (disable dn-goes-down) :use dn-goes-down))) << Starting proof tree logging >> [Note: A hint was supplied for our processing of the goal above. Thanks!] We augment the goal with the hypothesis provided by the :USE hint. The hypothesis can be obtained from DN-GOES-DOWN. We are left with the following subgoal. Goal' (IMPLIES (IMPLIES (P X) (O< (M (DN X)) (M X))) (IMPLIES (P X) (NOT (EQUAL 0 (M X))))). By case analysis we reduce the conjecture to Goal'' (IMPLIES (AND (IMPLIES (P X) (O< (M (DN X)) (M X))) (P X)) (NOT (EQUAL 0 (M X)))). This simplifies, using the :definitions O-FINP and O< and the :executable-counterpart of O-FINP, to Goal''' (IMPLIES (AND (NOT (CONSP (M (DN X)))) (< (M (DN X)) 0) (P X)) (NOT (EQUAL 0 (M X)))). This simplifies, using trivial observations, to Goal'4' (IMPLIES (AND (< (M (DN X)) 0) (P X)) (NOT (EQUAL 0 (M X)))). Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case.
We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) [Note: Thanks again for the hint.] No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM LEMMA-1 ...) Rules: ((:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART O-FINP)) Warnings: None Time: 0.07 seconds (prove: 0.02, print: 0.02, proof tree: 0.01, other: 0.01) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm lemma-1-1 (not (< (m x) 0))) << Starting proof tree logging >> Name the formula above *1. No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM LEMMA-1-1 ...) Rules: NIL Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, proof tree: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm lemma-1-1 (not (< (m x) 0)) :hints (("Goal" :use o-p-m :in-theory (disable o-p-m)))) << Starting proof tree logging >> [Note: A hint was supplied for our processing of the goal above. Thanks!] We augment the goal with the hypothesis provided by the :USE hint. The hypothesis can be obtained from O-P-M. We are left with the following subgoal. Goal' (IMPLIES (O-P (M X)) (<= 0 (M X))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER and the :definitions O-FINP and O-P. Q.E.D. Summary Form: ( DEFTHM LEMMA-1-1 ...) Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:DEFINITION O-FINP) (:DEFINITION O-P)) Warnings: None Time: 0.03 seconds (prove: 0.01, print: 0.01, proof tree: 0.00, other: 0.01) LEMMA-1-1 ACL2 !>(defthm lemma-1 (implies (p x) (not (equal 0 (m x)))) :hints (("Goal" :in-theory (disable dn-goes-down) :use dn-goes-down))) << Starting proof tree logging >> [Note: A hint was supplied for our processing of the goal above. Thanks!] 
We augment the goal with the hypothesis provided by the :USE hint. The hypothesis can be obtained from DN-GOES-DOWN. We are left with the following subgoal. Goal' (IMPLIES (IMPLIES (P X) (O< (M (DN X)) (M X))) (IMPLIES (P X) (NOT (EQUAL 0 (M X))))). By case analysis we reduce the conjecture to Goal'' (IMPLIES (AND (IMPLIES (P X) (O< (M (DN X)) (M X))) (P X)) (NOT (EQUAL 0 (M X)))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and the :rewrite rule LEMMA-1-1. Q.E.D. Summary Form: ( DEFTHM LEMMA-1 ...) Rules: ((:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART O-FINP) (:REWRITE LEMMA-1-1)) Warnings: None Time: 0.04 seconds (prove: 0.01, print: 0.01, proof tree: 0.00, other: 0.02) LEMMA-1 ACL2 !>(defun f4 (x y q) (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (if (p y) (cons (m y) 2) 1)) 0) 0))) (if (p x) (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q))) 4)) For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)) (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))) (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)))). << Starting proof tree logging >> By case analysis we reduce the conjecture to the following three conjectures. Subgoal 3 (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)). 
This simplifies, using trivial observations, to the following four conjectures. Subgoal 3.4 (IMPLIES (NOT (P X)) (O-P 0)). But we reduce the conjecture to T, by the :executable-counterpart of O-P. Subgoal 3.3 (IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1 and O-P-M, to Subgoal 3.3' (IMPLIES (AND (P X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *1. Subgoal 3.2 (IMPLIES (AND (P X) (NOT Q) (NOT (P Y))) (O-P '(1 . 0))). By the :executable-counterpart of O-P we reduce the conjecture to Subgoal 3.2' (IMPLIES (AND (P X) (NOT Q)) (P Y)). This simplifies, using trivial observations, to Subgoal 3.2'' (IMPLIES (P X) (P Y)). Name the formula above *2. Subgoal 3.1 (IMPLIES (AND (P X) (NOT Q) (P Y)) (O-P (CONS (CONS (M Y) 2) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1 and O-P-M, to Subgoal 3.1' (IMPLIES (AND (P X) (P Y) (NOT (CONSP (M Y)))) (< 0 (M Y))). Name the formula above *3. Subgoal 2 (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :executable-counterpart of NOT, to the following two conjectures. Subgoal 2.2 (IMPLIES (AND (P X) (P Y)) (O< (CONS (CONS (M Y) 1) 0) (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.
Subgoal 2.1 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 '(1 . 0))). But we reduce the conjecture to T, by the :executable-counterpart of O<. Subgoal 1 (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following three conjectures. Subgoal 1.3 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning. Subgoal 1.2 (IMPLIES (AND (P X) (P Y) (P (DN X))) (O< (CONS (CONS (M (DN X)) 2) 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to Subgoal 1.2' (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). Name the formula above *4. Subgoal 1.1 (IMPLIES (AND (P X) (P Y) (NOT (P (DN X)))) (O< '(1 . 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of <, EQUAL, O-FINP, O-FIRST-COEFF and O-FIRST-EXPT, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DEFAULT-<-1, to Subgoal 1.1' (IMPLIES (AND (P X) (P Y) (NOT (P (DN X))) (M X) (NOT (CONSP (M X)))) (< 0 (M X))). Name the formula above *5. But this formula is subsumed by *3, which we'll try to prove later. We therefore regard *5 as proved (pending the proof of the more general *3). We next consider *4, which is (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). No induction schemes are suggested by *4. Consequently, the proof attempt has failed.
ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed. Summary Form: ( DEFUN F4 ...) Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O-FIRST-COEFF) (:DEFINITION O-FIRST-EXPT) (:DEFINITION O-P) (:DEFINITION O-RST) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O-FINP) (:EXECUTABLE-COUNTERPART O-FIRST-COEFF) (:EXECUTABLE-COUNTERPART O-FIRST-EXPT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART POSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-<-1) (:REWRITE DN-GOES-DOWN) (:REWRITE LEMMA-1) (:REWRITE O-P-M)) Warnings: None Time: 0.17 seconds (prove: 0.04, print: 0.07, proof tree: 0.06, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm lemma-2 (implies (and (p x) (not (consp (m x)))) (< 0 (m x))) :hints (("Goal" :use (lemma-1 o-p-m) :in-theory (disable lemma-1 o-p-m)))) << Starting proof tree logging >> [Note: A hint was supplied for our processing of the goal above. Thanks!] We augment the goal with the hypotheses provided by the :USE hint. These hypotheses can be obtained from LEMMA-1 and O-P-M. We are left with the following subgoal. Goal' (IMPLIES (AND (IMPLIES (P X) (NOT (EQUAL 0 (M X)))) (O-P (M X))) (IMPLIES (AND (P X) (NOT (CONSP (M X)))) (< 0 (M X)))). By case analysis we reduce the conjecture to Goal'' (IMPLIES (AND (IMPLIES (P X) (NOT (EQUAL 0 (M X)))) (O-P (M X)) (P X) (NOT (CONSP (M X)))) (< 0 (M X))). But simplification reduces this to T, using the :compound-recognizer rule NATP-COMPOUND-RECOGNIZER and the :definitions NOT, O-FINP and O-P. Q.E.D. Summary Form: ( DEFTHM LEMMA-2 ...) 
Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O-P)) Warnings: None Time: 0.04 seconds (prove: 0.01, print: 0.01, proof tree: 0.00, other: 0.01) LEMMA-2 ACL2 !>(defun f4 (x y q) (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (if (p y) (cons (m y) 2) 1)) 0) 0))) (if (p x) (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q))) 4)) For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)) (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))) (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)))). << Starting proof tree logging >> By case analysis we reduce the conjecture to the following three conjectures. Subgoal 3 (O-P (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0)). This simplifies, using trivial observations, to the following four conjectures. Subgoal 3.4 (IMPLIES (NOT (P X)) (O-P 0)). But we reduce the conjecture to T, by the :executable-counterpart of O-P. Subgoal 3.3 (IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1, LEMMA-2 and O-P-M. Subgoal 3.2 (IMPLIES (AND (P X) (NOT Q) (NOT (P Y))) (O-P '(1 . 0))). 
By the :executable-counterpart of O-P we reduce the conjecture to Subgoal 3.2' (IMPLIES (AND (P X) (NOT Q)) (P Y)). This simplifies, using trivial observations, to Subgoal 3.2'' (IMPLIES (P X) (P Y)). Name the formula above *1. Subgoal 3.1 (IMPLIES (AND (P X) (NOT Q) (P Y)) (O-P (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1, LEMMA-2 and O-P-M. Subgoal 2 (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (UP X)) (CONS (M (UP X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :executable-counterpart of NOT, to the following two conjectures. Subgoal 2.2 (IMPLIES (AND (P X) (P Y)) (O< (CONS (CONS (M Y) 1) 0) (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal 2.1 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 '(1 . 0))). But we reduce the conjecture to T, by the :executable-counterpart of O<. Subgoal 1 (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (COND ((NOT Q) (CONS (M Y) 1)) ((P (DN X)) (CONS (M (DN X)) 2)) (T 1)) 0) 0) (IF (P X) (CONS (COND (Q (CONS (M X) 1)) ((P Y) (CONS (M Y) 2)) (T 1)) 0) 0))). This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following three conjectures. Subgoal 1.3 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning. 
Subgoal 1.2 (IMPLIES (AND (P X) (P Y) (P (DN X))) (O< (CONS (CONS (M (DN X)) 2) 0) (CONS (CONS (M X) 1) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to Subgoal 1.2' (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). Name the formula above *2. Subgoal 1.1 (IMPLIES (AND (P X) (P Y) (NOT (P (DN X)))) (O< '(1 . 0) (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of <, EQUAL, O-FINP, O-FIRST-COEFF and O-FIRST-EXPT, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, DEFAULT-<-1 and LEMMA-2. So we now return to *2, which is (IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))). No induction schemes are suggested by *2. Consequently, the proof attempt has failed. ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed. Summary Form: ( DEFUN F4 ...)
Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT) (:DEFINITION NOT) (:DEFINITION O-FINP) (:DEFINITION O-FIRST-COEFF) (:DEFINITION O-FIRST-EXPT) (:DEFINITION O-P) (:DEFINITION O-RST) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART O-FINP) (:EXECUTABLE-COUNTERPART O-FIRST-COEFF) (:EXECUTABLE-COUNTERPART O-FIRST-EXPT) (:EXECUTABLE-COUNTERPART O-P) (:EXECUTABLE-COUNTERPART O<) (:EXECUTABLE-COUNTERPART POSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-<-1) (:REWRITE DN-GOES-DOWN) (:REWRITE LEMMA-1) (:REWRITE LEMMA-2) (:REWRITE O-P-M)) Warnings: None Time: 0.13 seconds (prove: 0.02, print: 0.07, proof tree: 0.04, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defun f4 (x y q) (declare (xargs :measure (if (p x) (cons (if q (cons (m x) 1) (cons (m y) 2)) 0) 0))) (if (p x) (if q (f4 y (dn x) (not q)) (f4 y (up x) (not q))) 4)) For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0). The non-trivial part of the measure conjecture is Goal (AND (O-P (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0)) (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (IF (NOT Q) (CONS (M Y) 1) (CONS (M (UP X)) 2)) 0) 0) (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0))) (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (IF (NOT Q) (CONS (M Y) 1) (CONS (M (DN X)) 2)) 0) 0) (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0)))). << Starting proof tree logging >> By case analysis we reduce the conjecture to the following three conjectures. Subgoal 3 (O-P (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0)). This simplifies, using trivial observations, to the following three conjectures. Subgoal 3.3 (IMPLIES (NOT (P X)) (O-P 0)).
But we reduce the conjecture to T, by the :executable-counterpart of O-P. Subgoal 3.2 (IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1, LEMMA-2 and O-P-M. Subgoal 3.1 (IMPLIES (AND (P X) (NOT Q)) (O-P (CONS (CONS (M Y) 2) 0))). This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and O-P-M, to the following two conjectures. Subgoal 3.1.2 (IMPLIES (P X) (NOT (EQUAL 0 (M Y)))). Name the formula above *1. Subgoal 3.1.1 (IMPLIES (AND (P X) (NOT (CONSP (M Y)))) (< 0 (M Y))). Name the formula above *2. Subgoal 2 (IMPLIES (AND (P X) (NOT Q)) (O< (IF (P Y) (CONS (IF (NOT Q) (CONS (M Y) 1) (CONS (M (UP X)) 2)) 0) 0) (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0))). This simplifies, using the :executable-counterpart of NOT, to the following two conjectures. Subgoal 2.2 (IMPLIES (AND (P X) (P Y)) (O< (CONS (CONS (M Y) 1) 0) (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal 2.1 (IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M Y) 2) 0))). But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning. Subgoal 1 (IMPLIES (AND (P X) Q) (O< (IF (P Y) (CONS (IF (NOT Q) (CONS (M Y) 1) (CONS (M (DN X)) 2)) 0) 0) (IF (P X) (CONS (IF Q (CONS (M X) 1) (CONS (M Y) 2)) 0) 0))).
This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following two conjectures.

Subgoal 1.2
(IMPLIES (AND (P X) (P Y))
         (O< (CONS (CONS (M (DN X)) 2) 0)
             (CONS (CONS (M X) 1) 0))).

This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to

Subgoal 1.2'
(IMPLIES (AND (P X) (P Y)) (NOT (EQUAL (M (DN X)) (M X)))).

Name the formula above *3.

Subgoal 1.1
(IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))).

But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning.

So we now return to *3, which is

(IMPLIES (AND (P X) (P Y)) (NOT (EQUAL (M (DN X)) (M X)))).

No induction schemes are suggested by *3. Consequently, the proof attempt has failed.

ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed.

Summary
Form: ( DEFUN F4 ...)
Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT)
        (:DEFINITION NOT)
        (:DEFINITION O-FINP)
        (:DEFINITION O-FIRST-COEFF)
        (:DEFINITION O-FIRST-EXPT)
        (:DEFINITION O-P)
        (:DEFINITION O-RST)
        (:DEFINITION O<)
        (:EXECUTABLE-COUNTERPART <)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:EXECUTABLE-COUNTERPART NOT)
        (:EXECUTABLE-COUNTERPART O-FINP)
        (:EXECUTABLE-COUNTERPART O-FIRST-EXPT)
        (:EXECUTABLE-COUNTERPART O-P)
        (:EXECUTABLE-COUNTERPART POSP)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE DN-GOES-DOWN)
        (:REWRITE LEMMA-1)
        (:REWRITE LEMMA-2)
        (:REWRITE O-P-M))
Warnings: None
Time: 0.27 seconds (prove: 0.02, print: 0.09, proof tree: 0.15, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(defun f4 (x y q)
  (declare (xargs :measure
                  (if (p x)
                      (if q
                          (cons (cons (m x) 1) 0) ; (make-ord (m x) 1 0)
                        (if (p y)
                            (cons (cons (m y) 2) 0) ; (make-ord (m y) 2 0)
                          1))
                    0)))
  (if (p x)
      (if q
          (f4 y (dn x) (not q))
        (f4 y (up x) (not q)))
    4))

For the admission of F4 we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0). The non-trivial part of the measure conjecture is

Goal
(AND (O-P (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0))
     (IMPLIES (AND (P X) (NOT Q))
              (O< (IF (P Y) (COND ((NOT Q) (CONS (CONS (M Y) 1) 0)) ((P (UP X)) (CONS (CONS (M (UP X)) 2) 0)) (T 1)) 0)
                  (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0)))
     (IMPLIES (AND (P X) Q)
              (O< (IF (P Y) (COND ((NOT Q) (CONS (CONS (M Y) 1) 0)) ((P (DN X)) (CONS (CONS (M (DN X)) 2) 0)) (T 1)) 0)
                  (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0)))).

<< Starting proof tree logging >>

By case analysis we reduce the conjecture to the following three conjectures.
Subgoal 3
(O-P (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0)).

This simplifies, using trivial observations, to the following four conjectures.

Subgoal 3.4
(IMPLIES (NOT (P X)) (O-P 0)).

But we reduce the conjecture to T, by the :executable-counterpart of O-P.

Subgoal 3.3
(IMPLIES (AND (P X) Q) (O-P (CONS (CONS (M X) 1) 0))).

But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1, LEMMA-2 and O-P-M.

Subgoal 3.2
(IMPLIES (AND (P X) (NOT Q) (NOT (P Y))) (O-P 1)).

But we reduce the conjecture to T, by the :executable-counterpart of O-P.

Subgoal 3.1
(IMPLIES (AND (P X) (NOT Q) (P Y)) (O-P (CONS (CONS (M Y) 2) 0))).

But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT, O-P, O-RST and O<, the :executable-counterparts of O-FINP, O-FIRST-EXPT, O-P and POSP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS, LEMMA-1, LEMMA-2 and O-P-M.

Subgoal 2
(IMPLIES (AND (P X) (NOT Q))
         (O< (IF (P Y) (COND ((NOT Q) (CONS (CONS (M Y) 1) 0)) ((P (UP X)) (CONS (CONS (M (UP X)) 2) 0)) (T 1)) 0)
             (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0))).

This simplifies, using the :executable-counterpart of NOT, to the following two conjectures.

Subgoal 2.2
(IMPLIES (AND (P X) (P Y))
         (O< (CONS (CONS (M Y) 1) 0)
             (CONS (CONS (M Y) 2) 0))).

But simplification reduces this to T, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS.

Subgoal 2.1
(IMPLIES (AND (P X) (NOT (P Y))) (O< 0 1)).

But we reduce the conjecture to T, by the :executable-counterpart of O<.
Subgoal 1
(IMPLIES (AND (P X) Q)
         (O< (IF (P Y) (COND ((NOT Q) (CONS (CONS (M Y) 1) 0)) ((P (DN X)) (CONS (CONS (M (DN X)) 2) 0)) (T 1)) 0)
             (IF (P X) (COND (Q (CONS (CONS (M X) 1) 0)) ((P Y) (CONS (CONS (M Y) 2) 0)) (T 1)) 0))).

This simplifies, using the :congruence rule IFF-IMPLIES-EQUAL-NOT and the :executable-counterpart of NOT, to the following three conjectures.

Subgoal 1.3
(IMPLIES (AND (P X) (NOT (P Y))) (O< 0 (CONS (CONS (M X) 1) 0))).

But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning.

Subgoal 1.2
(IMPLIES (AND (P X) (P Y) (P (DN X)))
         (O< (CONS (CONS (M (DN X)) 2) 0)
             (CONS (CONS (M X) 1) 0))).

This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O<, the :executable-counterparts of < and EQUAL, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and DN-GOES-DOWN, to

Subgoal 1.2'
(IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))).

Name the formula above *1.

Subgoal 1.1
(IMPLIES (AND (P X) (P Y) (NOT (P (DN X)))) (O< 1 (CONS (CONS (M X) 1) 0))).

But simplification reduces this to T, using the :definitions O-FINP and O<, the :executable-counterpart of O-FINP and primitive type reasoning.

So we now return to *1, which is

(IMPLIES (AND (P X) (P Y) (P (DN X))) (NOT (EQUAL (M (DN X)) (M X)))).

No induction schemes are suggested by *1. Consequently, the proof attempt has failed.

ACL2 Error in ( DEFUN F4 ...): The proof of the measure conjecture for F4 has failed.

Summary
Form: ( DEFUN F4 ...)
Rules: ((:CONGRUENCE IFF-IMPLIES-EQUAL-NOT)
        (:DEFINITION NOT)
        (:DEFINITION O-FINP)
        (:DEFINITION O-FIRST-COEFF)
        (:DEFINITION O-FIRST-EXPT)
        (:DEFINITION O-P)
        (:DEFINITION O-RST)
        (:DEFINITION O<)
        (:EXECUTABLE-COUNTERPART <)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:EXECUTABLE-COUNTERPART NOT)
        (:EXECUTABLE-COUNTERPART O-FINP)
        (:EXECUTABLE-COUNTERPART O-FIRST-EXPT)
        (:EXECUTABLE-COUNTERPART O-P)
        (:EXECUTABLE-COUNTERPART O<)
        (:EXECUTABLE-COUNTERPART POSP)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE DN-GOES-DOWN)
        (:REWRITE LEMMA-1)
        (:REWRITE LEMMA-2)
        (:REWRITE O-P-M))
Warnings: None
Time: 0.14 seconds (prove: 0.02, print: 0.10, proof tree: 0.02, other: 0.00)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(defthm lemma-3
  (implies (p x)
           (not (equal (m (dn x)) (m x))))
  :hints (("Goal" :in-theory (disable dn-goes-down)
           :use dn-goes-down)))

<< Starting proof tree logging >>

[Note: A hint was supplied for our processing of the goal above. Thanks!]

We augment the goal with the hypothesis provided by the :USE hint. The hypothesis can be obtained from DN-GOES-DOWN. We are left with the following subgoal.

Goal'
(IMPLIES (IMPLIES (P X) (O< (M (DN X)) (M X)))
         (IMPLIES (P X) (NOT (EQUAL (M (DN X)) (M X))))).

By case analysis we reduce the conjecture to

Goal''
(IMPLIES (AND (IMPLIES (P X) (O< (M (DN X)) (M X))) (P X))
         (NOT (EQUAL (M (DN X)) (M X)))).

This simplifies, using trivial observations, to

Goal'''
(IMPLIES (AND (O< (M X) (M X)) (P X))
         (NOT (EQUAL (M (DN X)) (M X)))).

We now use the conclusion by substituting (M (DN X)) for (M X) and hiding the conclusion. This produces

Goal'4'
(IMPLIES (AND (O< (M (DN X)) (M (DN X))) (P X))
         (NOT (HIDE (EQUAL (M (DN X)) (M X))))).

We remove HIDE from the conclusion, which was used heuristically to transform Goal''' by substituting into the rest of that goal. This produces

Goal'5'
(IMPLIES (AND (O< (M (DN X)) (M (DN X))) (P X))
         (NOT (EQUAL (M (DN X)) (M X)))).
This simplifies, using trivial observations, to

Goal'6'
(IMPLIES (AND (O< (M X) (M X)) (P X))
         (NOT (EQUAL (M (DN X)) (M X)))).

Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.)

[Note: Thanks again for the hint.]

No induction schemes are suggested by *1. Consequently, the proof attempt has failed.

Summary
Form: ( DEFTHM LEMMA-3 ...)
Rules: ((:DEFINITION HIDE)
        (:DEFINITION NOT))
Warnings: None
Time: 0.09 seconds (prove: 0.03, print: 0.03, proof tree: 0.02, other: 0.02)

******** FAILED ******** See :DOC failure ******** FAILED ********
ACL2 !>(defthm lemma-3-1
  (not (o< x x)))

<< Starting proof tree logging >>

Name the formula above *1.

Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture.

We will induct according to a scheme suggested by (O< X X). This suggestion was produced using the :induction rule O<. If we let (:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (O-FINP X))
                   (NOT (O-FINP X))
                   (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X))
                   (= (O-FIRST-COEFF X) (O-FIRST-COEFF X))
                   (:P (O-RST X)))
              (:P X))
     (IMPLIES (AND (NOT (O-FINP X))
                   (NOT (O-FINP X))
                   (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X))
                   (NOT (= (O-FIRST-COEFF X) (O-FIRST-COEFF X))))
              (:P X))
     (IMPLIES (AND (NOT (O-FINP X))
                   (NOT (O-FINP X))
                   (NOT (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X)))
                   (:P (O-FIRST-EXPT X)))
              (:P X))
     (IMPLIES (AND (O-FINP X) (O-FINP X))
              (:P X))).
This induction is justified by the same argument used to admit O<. When applied to the goal at hand the above induction scheme produces the following four nontautological subgoals.
Subgoal *1/4
(IMPLIES (AND (NOT (O-FINP X))
              (NOT (O-FINP X))
              (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X))
              (= (O-FIRST-COEFF X) (O-FIRST-COEFF X))
              (O<= (O-RST X) (O-RST X)))
         (O<= X X)).

By the simple :definitions =, O-FINP and O-RST we reduce the conjecture to

Subgoal *1/4'
(IMPLIES (AND (CONSP X) (O<= (CDR X) (CDR X))) (O<= X X)).

This simplifies, using the :definitions O-FINP, O-FIRST-COEFF, O-FIRST-EXPT and O< and primitive type reasoning, to

Subgoal *1/4''
(IMPLIES (AND (CONSP X) (O<= (CDR X) (CDR X))) (O<= (O-RST X) (O-RST X))).

But we reduce the conjecture to T, by the simple :definition O-RST.

Subgoal *1/3
(IMPLIES (AND (NOT (O-FINP X))
              (NOT (O-FINP X))
              (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X))
              (NOT (= (O-FIRST-COEFF X) (O-FIRST-COEFF X))))
         (O<= X X)).

But we reduce the conjecture to T, by primitive type reasoning.

Subgoal *1/2
(IMPLIES (AND (NOT (O-FINP X))
              (NOT (O-FINP X))
              (NOT (EQUAL (O-FIRST-EXPT X) (O-FIRST-EXPT X)))
              (O<= (O-FIRST-EXPT X) (O-FIRST-EXPT X)))
         (O<= X X)).

But we reduce the conjecture to T, by primitive type reasoning.

Subgoal *1/1
(IMPLIES (AND (O-FINP X) (O-FINP X)) (O<= X X)).

By the simple :definition O-FINP we reduce the conjecture to

Subgoal *1/1'
(IMPLIES (NOT (CONSP X)) (O<= X X)).

This simplifies, using the :definitions O-FINP and O<, to

Subgoal *1/1''
(IMPLIES (NOT (CONSP X)) (<= X X)).

But simplification reduces this to T, using linear arithmetic.

That completes the proof of *1.

Q.E.D.

Summary
Form: ( DEFTHM LEMMA-3-1 ...)
Rules: ((:DEFINITION =)
        (:DEFINITION NOT)
        (:DEFINITION O-FINP)
        (:DEFINITION O-FIRST-COEFF)
        (:DEFINITION O-FIRST-EXPT)
        (:DEFINITION O-RST)
        (:DEFINITI