# Measured-subset+

Enhanced variant of `measured-subset`.

- Signature
  `(measured-subset+ fn wrld) → measured-subset`

- Arguments
  - `fn` — Guard `(symbolp fn)`.
  - `wrld` — Guard `(plist-worldp wrld)`.
- Returns
  - `measured-subset` — Type `(symbol-listp measured-subset)`.

This returns the same result as `measured-subset`,
but it is guard-verified
and includes a run-time check (which should always succeed) on the result
that allows us to prove the return type theorem
without strengthening the guard on `wrld`.
This utility also includes a run-time check (which should always succeed)
on the form of the justification property of the function
that allows us to verify the guards
without strengthening the guard on `wrld`.
Furthermore, this utility causes an error if called on a symbol
that does not name a recursive logic-mode function;
the reason for ensuring logic-mode is that
recursive program-mode functions do not have a measured subset.
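
A short usage example, added here and not taken from the ACL2 books or their documentation. It assumes the utility is loaded from the community book `std/system/measured-subset-plus` (the book path is an assumption), and `count-down` and `twice` are hypothetical functions defined only for illustration.

```lisp
; Added example, not part of the original documentation.
; Assumption: measured-subset+ is provided by this community book.
(include-book "std/system/measured-subset-plus" :dir :system)

; Hypothetical recursive logic-mode function.  No :measure is given, so
; ACL2 uses its default measure (acl2-count n), which mentions N but
; not ACC.
(defun count-down (n acc)
  (if (zp n)
      acc
    (count-down (1- n) (cons n acc))))

; The measured subset is a proper subset of the formals (N ACC):
; only N takes part in the termination argument.
(assert-event
 (equal (measured-subset+ 'count-down (w state))
        '(n)))

; LEN is a built-in recursive logic-mode function with one formal, X.
(assert-event
 (equal (measured-subset+ 'len (w state))
        '(x)))

; Hypothetical non-recursive function.
(defun twice (x)
  (* 2 x))

; Not submitted as an event: this call does not return a list.  It stops
; with the hard error "The function ~x0 is not recursive." (with TWICE
; substituted for ~x0), so a tool that may be handed arbitrary function
; names should test for recursion before calling measured-subset+.
;
;   (measured-subset+ 'twice (w state))
```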

### Definitions and Theorems

**Function:** measured-subset+

```lisp
(defun measured-subset+ (fn wrld)
  (declare (xargs :guard (and (symbolp fn) (plist-worldp wrld))))
  (let ((__function__ 'measured-subset+))
    (declare (ignorable __function__))
    (if (not (irecursivep+ fn wrld))
        (raise "The function ~x0 is not recursive." fn)
      (b*
        ((justification (getpropc fn 'justification nil wrld))
         ((unless (weak-justification-p justification))
          (raise
           "Internal error: ~
            the JUSTIFICATION property ~x0 of ~x1 is not well-formed."
           justification fn))
         (measured-subset (access justification justification :subset))
         ((unless (symbol-listp measured-subset))
          (raise
           "Internal error: ~
            the measured subset ~x0 of ~x1 is not a true list of symbols."
           measured-subset fn)))
        measured-subset))))
```

**Theorem:** symbol-listp-of-measured-subset+

```lisp
(defthm symbol-listp-of-measured-subset+
  (b* ((measured-subset (measured-subset+ fn wrld)))
    (symbol-listp measured-subset))
  :rule-classes :rewrite)
```