Outline of the way the FGL interpreter works.
The FGL interpreter is called by the FGL clause processor in order to try
and turn the theorem term into an equivalent Boolean formula, which then can
perhaps be solved by SAT. In order to do this, it recursively interprets terms
turning them into symbolic objects (see fgl-object) containing Boolean formula
objects. In this doc topic we outline the operation of the interpreter.
The interpreter consists of a 31-way mutual recursion. We won't detail each
of the functions in the mutual recursion, but we will try to cover in general
terms all of the things that happen in them.
Interpreting Terms -- Overview
The highest-level entry point into the interpreter when trying to compute a
Boolean formula from a term is fgl-interp-test. This first interprets the
term using another possible high-level entry point, fgl-interp-term-equivs,
which calls fgl-interp-term to produce a symbolic object (we'll cover its
operation shortly), then checks a database of equivalences that have been
assumed in the current path condition and replaces that symbolic object with an
equivalent if there are any that have been assumed (and which some heuristics
say are a good replacement). Finally, it calls fgl-interp-simplify-if-test
which is the subroutine for coercing a symbolic object into a Boolean
fGl-interp-term is very similar to a classical interpreter or rewriter.
It examines the term and treats different kinds of terms differently:
- When it is a constant (quote), it returns the quoted value, coerced to a g-concrete symbolic object.
- When it is a variable, it looks up the variable in the current
bindings (alist). There are actually two sets of bindings for our interpreter:
"minor" bindings, which come from lambdas, and "major" bindings, which come
from outermost contexts not inside any lambdas; these are checked in that
- When it is a lambda application, it processes the term into an equivalent
pair (bindinglist body). The bindinglist is a list of pairs (formals
actuals) from the nest of lambdas, omitting formal/actual pairs that are the
same. This may include the bindings of more than one lambda: if the body of a
lambda is itself a lambda application, it recursively adds that to the
bindinglist, stopping when it finds a lambda body that is not itself a lambda.
The interpreter interprets the bindinglist by recurring through the list,
recursively interpreting each of the actuals of each pair with
fgl-interp-term-equivs. When a pair is done it adds the bindings formed by
pairing the formals with the symbolic object results from the actuals to the
minor bindings of the interpreter. When done with all the (formals
actuals) pairs, it then recursively interprets the body, then pops off the
bindings produced by the bindinglist, returning the symbolic object resulting
from interpreting the body.
- When it is a function call, it deals with a few special cases, described
next, and then the generic function call case. In the generic case, it first
recursively interprets the arguments of the function, then calls
fgl-interp-fncall, described below, on the function and symbolic objects
resulting from the arguments.
Interpreting Function Calls -- Special Cases
The special cases of function calls include if, return-last,
bind-var, abort-rewrite, fgl-sat-check, syntax-interp-fn,
assume, narrow-equiv, and fgl-interp-obj. Each of these requires
special treatment of the arguments, rather than just recursively interpreting
- For if terms, the test is recursively interpreted and coerced to a
Boolean function using fgl-interp-test. Then, unless a syntactic analysis
shows that the path condition implies the test's negation, we recursively
interpret the "then" branch with fgl-interp-term-equivs and with the test
conjoined to the path condition, and unless the syntactic analysis shows the
path condition implies the test, we recursively interpret the "else" branch
with the negated test conjoined to the path condition. If both branches were
interpreted, we then attempt to merge the results from the two branches into a
single symbolic object using fgl-interp-merge-branches, described
- For return-last, we provide special support for time$, allowing
it to time the symbolic interpretation of the enclosed term. Otherwise, we
simply interpret the last argument. Note this means that prog2$ might not
function as expected -- if you intend the first argument to prog2$ to be
interpreted in FGL for side effects, you should instead bind it to an ignored
variable or else use an equivalent two-argument function instead.
- For bind-var, we bind the first argument, which must be a variable
that is not yet bound in the current major or minor frame, to the result of
interpreting the second argument under the unequiv equivalence relation.
Under this equivalence relation, every object is equivalent to every other
object; this is sort of an "anything goes" mode which allows certain behavior
that would normally be unsound. This is allowable in this context because
bind-var logically just returns its first argument (the variable), so the
second argument is irrelevant. It is allowable to bind anything to the
variable if it is not yet bound ****
- For binder, the argument must be a function call whose first argument
is a variable, and that variable must be free in the current stack frame. The
rest of that function's arguments are recursively interpreted, and then binder
rewrite/meta rules are applied to choose a binding for the free variable based
on the rest of the arguments.
- For abort-rewrite, the interpreter returns nil and inserts a
special error keyword in the interpreter state's errmsg field, which will
get caught when returning from the current major stack frame.
- For fgl-sat-check, we use fgl-interp-test to coerce the second
argument (the condition to be tested) to a Boolean function, and
fgl-interp-term-equivs to interpret the first argument (params). We then
call interp-st-sat-check, an attachable function which calls SAT and
returns NIL if the input Boolean formula is unsat.
- For syntax-interp-fn, we check that the second argument is a quoted
term (this is true for calls generated by the syntax-interp and
syntax-bind macros) and that we're in an unequiv equivalence
context. If so, we evaluate the first argument using fancy-ev, with the
current variable bindings from the symbolic interpreter passed in as the
evaluation environment. For example, if a variable x is bound to a
symbolic integer in our current interpreter frame, then x will be bound to
the fgl-object representation of that symbolic integer when evaluating
the syntax-interp term. This is similar to ACL2's syntaxp
behavior, but the syntaxp term operates on FGL object syntax rather than ACL2
- For assume, we first check that we're in an unequiv equivalence
context. Then we interpret the first and second arguments as if they were the
test and then branches of an if; in particular, the Boolean
formula resulting from the test is conjoined onto the path condition (that
is, assumed) when symbolically executing the then branch. We then simply
return the result from the then branch.
- For narrow-equiv, we interpret the first argument. If its result is a
concrete object whose value satisfies equiv-contexts-p and those
equivalence contexts are a refinement (narrowing) of the interpreter state's
current equiv-contexts, then we set the interpreter state's equiv-contexts
field to that object while interpreting the second argument. This can be used
to (conditionally) exit an unequiv context.
- For fgl-time-fn, we interpret the first argument and use that as a
time$ format specifier for timing the interpretation of the second
argument, returning the result from the second argument.
- For fgl-prog2, we interpret the first argument under the
unequiv equivalence context, discarding the result; then interpret the
second argument under the current equivalence context and return its result.
- For fgl-interp-obj, we first check that we're in an unequiv
equivalence context. Then we interpret the first argument. If its result is a
concrete object whose value satisfies pseudo-term-p, then we interpret
that term and return its result.
Interpreting Function Calls -- Generic Case
Generic function calls are run by fgl-interp-fncall after reducing the
arguments to a list of symbolic objects. This looks up the function mode of the function and, depending on the
restrictions encoded in that mode, may do some or all of the following:
- If all the arguments are explicit, i.e. symbolic objects of the g-concrete kind, then try to execute the function using magic-ev-fncall. If it runs successfuly, return the result as a
- Otherwise try applying each of the rules enabled for that function in the
fgl-rewrite-rules table using fgl-rewrite-try-rule. These may be
rewrite, meta, or primitive rules. If any of those rules succeeds, return the
symbolic object produced by recursively interpreting the RHS of the rule under
the unifying substitution.
- Otherwise try executing a primitive associated with that function; see
fgl-primitive-and-meta-rules. If successful, return the value from that primitive.
- Otherwise, if there exists a rule with rune (:definition fnname), or
if there are rewrite/definition rules for that function listed in the
fgl-definition-rules table, then try rewriting the call using those
- Finally, if none of the above were successful, produce the object
(g-apply fnname args).
This completes the overview of how a term is interpreted and turned into
either a symbolic object (fgl-object) or Boolean formula. Next we
describe three subroutines that we skipped describing above:
fgl-rewrite-try-rule, which attempts to apply a rewrite rule;
fgl-interp-simplify-if-test, which coerces a symbolic object into a Boolean
formula; and fgl-interp-merge-branches, which merges two branches of an IF
test. This will also lead us to discuss fgl-interp-add-constraints, which
adds Boolean constraints according to a set of rules activated when introducing
a new Boolean variable representing some term.
Applying Rewrite Rules
fgl-rewrite-try-rule takes a rule, a function name, and a list of
arguments which are FGL symbolic objects. The rule may be a rewrite, meta, or
primitive rule. For a primitive rule, the primitive function indicated by the
rule is run on the function and arguments, and we return the object it produces
if successful. For a meta rule, the metafunction indicated is run, and if
successful we recursively interpret the term returned under the bindings
returned. For a rewrite rule, we first try to unify the LHS of the rule with
the input function/arguments. If successful, we then try to relieve the hyps
of the rule by calling fgl-interp-test on each one and checking that the
result is (syntactically) constant-true. We also check syntaxp and
bind-free hyps, the latter of which might extend the unifying substitution
with some free variable bindings.
If the hypotheses are all relieved, then we recurs on the conclusion using
fgl-interp-term and return the result unless there were errors recorded in
the interpreter state. Errors are passed up to the caller except for the
special error produced by abort-rewrite, which only causes the current
rule application to fail.
During this process, various helper functions are also called to support
tracing (see fgl-rewrite-tracing) and accumulated-persistence-style
profiling, but none of these are logically relevant.
Application of binder rules is similar, but with slightly different logical
contracts for the rules and very slightly different behavior. For binder
rules, we unify the argument list with the argument list of the LHS of the
rule, omitting the initial argument of the LHS which must be the variable to be
bound. Binder rules also specify the equivalence context under which the RHS
must be rewritten.
Simplifying IF Tests
fgl-interp-simplify-if-test takes a symbolic object and attempts to
reduce it to an IFF-equivalent Boolean formula. For some varieties of symbolic
object, this is trivial: :g-concrete objects' truth value is just the
truth value of the quoted value, g-integer and g-cons objects are
always nonnil, g-map objects are nonnil unless their alist field is
exactly NIL, and g-boolean objects' truth values are given by their
Boolean formulas. This leaves g-var, g-ite, and g-apply objects.
For g-ite objects, we coerce the test sub-object into a Boolean
formula using fgl-interp-simplify-if-test recursively. Then, similar to
symbolic interpretation of IF, we recur on the then object unless the test
formula is syntactically falsified by the path condition, we recur on the
else branch unless the test formula is syntactically true under the path
condition, and we then merge the branches by creating the if-then-else of the
Boolean formulas if both branches were run.
For g-var objects, we assign a fresh Boolean variable to the object,
storing the association in the Boolean variable database (bvar-db) of the
interpreter state, unless the object already has an associated Boolean
variable, in which case we return it.
For g-apply objects, we first rewrite the function call under an IFF
context. In many cases this is redundant, but in some cases it may produce
reductions. If rewriting is successful, we recursively apply
fgl-simplify-if-test to the result. Otherwise, we look up the function
call object in the bvar-db and return the associated Boolean variable, if
any, or else introduce a fresh one and record that association. Finally, if a
new Boolean variable was introduced, we process the object with
fgl-interp-add-constraints (see below) to record any constraints on the new
Merging IF Branches
fgl-interp-merge-branches takes a Boolean formula for an IF test and
symbolic objects for the then and else branch values, and returns a new
symbolic object encapsulating the if-then-else.
It first checks for trivial cases -- test constant true, test constant false,
or branches equal -- and returns the obvious results in those cases.
Otherwise, if either branch is a function call (g-apply) object, then it
tries applying branch merge rules for those functions using
fgl-rewrite-try-rule applied to the IF. If any of these are successful, it
returns the result.
Otherwise, if both branches are calls of the same function, it recursively
merges the argument lists and returns the function applied to the merged
arguments. Otherwise, it calls helper function
interp-st-fgl-object-basic-merge, which merges basic symbolic objects
together when their types match, otherwise either producing an
if-then-else (g-ite) object or an error, depending on the configuration
setting of make-ites. (See also fgl-handling-if-then-elses.)
Introducing Boolean Constraints