stirling% v63 Welcome to Clozure Common Lisp Version 1.10-dev-r15960M-trunk (DarwinX8664)! ACL2 Version 6.3 built October 26, 2013 20:56:32. Copyright (C) 2013, Regents of the University of Texas ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the LICENSE file distributed with ACL2. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + WARNING: This is NOT an ACL2 release; it is svn revision 1144. + + The authors of ACL2 consider svn distributions to be experimental; + + they may be incomplete, fragile, and unable to pass our own + + regression. Bug reports should include the following line: + + ACL2 svn revision 1144; community books svn revision 2204 + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*). Experimental modification for HONS, memoization, and applicative hash tables. See the documentation topic note-6-3 for recent changes. Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt. ACL2 Version 6.3. Level 1. Cbd "/Users/moore/acl2-code-proofs/". System books directory "/Users/moore/work/v6-3-xdoc/acl2-devel/books/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(include-book "models/jvm/m1/m1" :dir :system) ACL2 Observation in NON-LINEAR-ARITHMETIC: To turn on non-linear arithmetic, execute : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT STABLE-UNDER-SIMPLIFICATIONP HIST PSPV))) or : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT++ ID STABLE-UNDER-SIMPLIFICATIONP HIST NIL))) See the README for more about non-linear arithmetic and general information about using this library. Summary Form: ( INCLUDE-BOOK "models/jvm/m1/m1" ...) Rules: NIL Time: 0.70 seconds (prove: 0.00, print: 0.00, other: 0.70) "/Users/moore/work/v6-3-xdoc/acl2-devel/books/models/jvm/m1/m1.lisp" ACL2 !>(in-package "M1") "M1" M1 !>(defun execute-ILOAD (inst s) ; (ILOAD n) (make-state (+ 1 (pc s)) (locals s) (push (nth (arg1 inst) (locals s)) (stack s)) (program s))) The event ( DEFUN EXECUTE-ILOAD ...) is redundant. See :DOC redundant- events. Summary Form: ( DEFUN EXECUTE-ILOAD ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun execute-ISTORE (inst s) ; (ISTORE n) (make-state (+ 1 (pc s)) (update-nth (arg1 inst) (top (stack s)) (locals s)) (pop (stack s)) (program s))) The event ( DEFUN EXECUTE-ISTORE ...) is redundant. See :DOC redundant- events. Summary Form: ( DEFUN EXECUTE-ISTORE ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun execute-IADD (inst s) ; (IADD) (declare (ignore inst)) (make-state (+ 1 (pc s)) (locals s) (push (+ (top (pop (stack s))) (top (stack s))) (pop (pop (stack s)))) (program s))) The event ( DEFUN EXECUTE-IADD ...) is redundant. See :DOC redundant- events. Summary Form: ( DEFUN EXECUTE-IADD ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun execute-IFEQ (inst s) ; (IFEQ offset) (make-state (if (equal (top (stack s)) 0) (+ (arg1 inst) (pc s)) (+ 1 (pc s))) (locals s) (pop (stack s)) (program s))) The event ( DEFUN EXECUTE-IFEQ ...) is redundant. See :DOC redundant- events. Summary Form: ( DEFUN EXECUTE-IFEQ ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun do-inst (inst s) (if (equal (op-code inst) 'ILOAD) (execute-ILOAD inst s) (if (equal (op-code inst) 'ICONST) (execute-ICONST inst s) (if (equal (op-code inst) 'IADD) (execute-IADD inst s) (if (equal (op-code inst) 'ISUB) (execute-ISUB inst s) (if (equal (op-code inst) 'IMUL) (execute-IMUL inst s) (if (equal (op-code inst) 'ISTORE) (execute-ISTORE inst s) (if (equal (op-code inst) 'GOTO) (execute-GOTO inst s) (if (equal (op-code inst) 'IFEQ) (execute-IFEQ inst s) s))))))))) The event ( DEFUN DO-INST ...) is redundant. See :DOC redundant-events. Summary Form: ( DEFUN DO-INST ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun next-inst (s) (nth (pc s) (program s))) The event ( DEFUN NEXT-INST ...) is redundant. See :DOC redundant- events. Summary Form: ( DEFUN NEXT-INST ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun step (s) (do-inst (next-inst s) s)) The event ( DEFUN STEP ...) is redundant. See :DOC redundant-events. Summary Form: ( DEFUN STEP ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(defun m1 (s n) (if (zp n) s (m1 (step s) (- n 1)))) The event ( DEFUN M1 ...) is redundant. See :DOC redundant-events. Summary Form: ( DEFUN M1 ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defconst *pi* '((ICONST 0) ; 0 (ISTORE 2) ; 1 a $=$ 0; (ILOAD 0) ; 2 [loop:] (IFEQ 10) ; 3 if x$=$0 then go to end; (ILOAD 0) ; 4 (ICONST 1) ; 5 (ISUB) ; 6 (ISTORE 0) ; 7 x $=$ x-1; (ILOAD 1) ; 8 (ILOAD 2) ; 9 (IADD) ;10 (ISTORE 2) ;11 a $=$ y+a; (GOTO -10) ;12 go to loop (ILOAD 2) ;13 [end:] (HALT) ;14 ``return'' a )) Summary Form: ( DEFCONST *PI* ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) *PI* M1 !>(defconst *si* (make-state 0 ; initial pc '(5 7 17 19 23) ; initial locals nil ; initial stack *pi* ; program )) Summary Form: ( DEFCONST *SI* ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) *SI* M1 !>(m1 *si* 100) (14 (0 7 35 19 23) (35) ((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defun loop-clk (x) (if (zp x) 3 (clk+ 11 (loop-clk (- x 1))))) The admission of LOOP-CLK is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of LOOP-CLK is described by the theorem (AND (INTEGERP (LOOP-CLK X)) (<= 0 (LOOP-CLK X))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN LOOP-CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) LOOP-CLK M1 !>(defun clk (x) (clk+ 2 (loop-clk x))) Since CLK is non-recursive, its admission is trivial. We observe that the type of CLK is described by the theorem (AND (INTEGERP (CLK X)) (<= 0 (CLK X))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) CLK M1 !>(defun test-program (x y) (let* ((si (make-state 0 (list x y 0) nil *pi*)) (k (clk x)) (sf-prev (m1 si (- k 1))) (sf (step sf-prev))) `((:clk ,k) (:just-enough? ,(and (not (haltedp sf-prev)) (haltedp sf))) (:tos ,(top (stack sf)))))) Since TEST-PROGRAM is non-recursive, its admission is trivial. We observe that the type of TEST-PROGRAM is described by the theorem (AND (CONSP (TEST-PROGRAM X Y)) (TRUE-LISTP (TEST-PROGRAM X Y))). We used primitive type reasoning. Summary Form: ( DEFUN TEST-PROGRAM ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) TEST-PROGRAM M1 !>(test-program 5 7) ((:CLK 60) (:JUST-ENOUGH? T) (:TOS 35)) M1 !>(test-program 7 5) ((:CLK 82) (:JUST-ENOUGH? T) (:TOS 35)) M1 !>(test-program 700 500) ((:CLK 7705) (:JUST-ENOUGH? T) (:TOS 350000)) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(thm (implies (and (natp x) (natp y) (natp a) (not (zp x))) (equal (m1 (make-state 2 (list x y a) nil *pi*) 11) xxx))) Goal' Goal'' ([ A key checkpoint: Goal'' (IMPLIES (AND (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A) (NOT (ZP X))) (EQUAL (MAKE-STATE 2 (LIST (+ -1 X) Y (+ A Y)) NIL '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) XXX)) *1 (Goal'') is pushed for proof by induction. ]) No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ y x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE M1-OPENER) (:REWRITE NTH-ADD1!) (:REWRITE STACKS) (:REWRITE STATES) (:REWRITE STEP-OPENER)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1198 --- The key checkpoint goal, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint-summary-limit. --- *** Key checkpoint at the top level: *** Goal'' (IMPLIES (AND (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A) (NOT (ZP X))) (EQUAL (MAKE-STATE 2 (LIST (+ -1 X) Y (+ A Y)) NIL '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) XXX)) ACL2 Error in ( THM ...): See :DOC failure. ******** FAILED ******** M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(thm (implies (and (natp i) (natp j)) (equal (m1 s (+ i j)) (m1 (m1 s i) j))) :hints (("Goal" :in-theory (ENABLE M1 STEP)))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP I) (<= 0 I) (INTEGERP J) (<= 0 J)) (EQUAL (M1 S (+ I J)) (M1 (M1 S I) J))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. One of these has a score higher than the other. We will induct according to a scheme suggested by (M1 S I). This suggestion was produced using the :induction rule M1. If we let (:P I J S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP I)) (:P (+ -1 I) J (STEP S))) (:P I J S)) (IMPLIES (ZP I) (:P I J S))). This induction is justified by the same argument used to admit M1. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces four nontautological subgoals. Subgoal *1/4 Subgoal *1/4' Splitter note (see :DOC splitter) for Subgoal *1/4' (19 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::DEFAULT-MINUS) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Subgoal *1/4.19 Subgoal *1/4.19' Subgoal *1/4.18 Subgoal *1/4.18' Subgoal *1/4.17 Subgoal *1/4.17' Subgoal *1/4.16 Subgoal *1/4.15 Subgoal *1/4.15' Subgoal *1/4.14 Subgoal *1/4.13 Subgoal *1/4.12 Subgoal *1/4.12' Subgoal *1/4.11 Subgoal *1/4.10 Subgoal *1/4.9 Subgoal *1/4.8 Subgoal *1/4.7 Subgoal *1/4.6 Subgoal *1/4.5 Subgoal *1/4.4 Subgoal *1/4.3 Subgoal *1/4.2 Subgoal *1/4.1 Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION ARG1) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-IMUL) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION M1) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION OP-CODE) (:DEFINITION STEP) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION M1) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::DEFAULT-MINUS) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE M1-OPENER) (:REWRITE NTH-ADD1!) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::DEFAULT-MINUS) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Time: 1.86 seconds (prove: 1.85, print: 0.00, other: 0.00) Prover steps counted: 219466 Proof succeeded. M1 !>(thm (implies (and (natp i) (natp j)) (equal (m1 s (+ i j)) (m1 (m1 s i) j))) :hints (("Goal" :in-theory (ENABLE M1)))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP I) (<= 0 I) (INTEGERP J) (<= 0 J)) (EQUAL (M1 S (+ I J)) (M1 (M1 S I) J))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. One of these has a score higher than the other. We will induct according to a scheme suggested by (M1 S I). This suggestion was produced using the :induction rule M1. If we let (:P I J S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP I)) (:P (+ -1 I) J (STEP S))) (:P I J S)) (IMPLIES (ZP I) (:P I J S))). This induction is justified by the same argument used to admit M1. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces four nontautological subgoals. Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( THM ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION M1) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION M1) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE M1-OPENER) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.01) Prover steps counted: 1011 Proof succeeded. M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defun g (x y a) (if (zp x) a (g (- x 1) y (+ y a)))) The admission of G is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of G is described by the theorem (OR (ACL2-NUMBERP (G X Y A)) (EQUAL (G X Y A) A)). We used primitive type reasoning. Summary Form: ( DEFUN G ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) G M1 !>(defthm loop-code-correct (implies (and (natp x) (natp y) (natp a)) (equal (m1 (make-state 2 (list x y a) nil *pi*) (loop-clk x)) (make-state 14 (list 0 y (g x y a)) (push (g x y a) nil) *pi*)))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (M1 (MAKE-STATE 2 (LIST X Y A) NIL '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (LOOP-CLK X)) (MAKE-STATE 14 (LIST 0 Y (G X Y A)) (PUSH (G X Y A) NIL) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (G X Y A). This suggestion was produced using the :induction rules G and LOOP-CLK. If we let (:P A X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP X)) (:P (+ Y A) (+ -1 X) Y)) (:P A X Y)) (IMPLIES (ZP X) (:P A X Y))). This induction is justified by the same argument used to admit G. Note, however, that the unmeasured variable A is being instantiated. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. Subgoal *1/6 Subgoal *1/5 Subgoal *1/4 Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LOOP-CODE-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION G) (:DEFINITION LOOP-CLK) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NTH) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION G) (:INDUCTION LOOP-CLK) (:REWRITE ACL2::|(+ y x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NTH-ADD1!) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE STACKS) (:REWRITE STATES) (:REWRITE STEP-OPENER)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 1954 LOOP-CODE-CORRECT M1 !>(in-theory (disable loop-clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4774) M1 !>(defthm entry-code-correct (implies (and (natp x) (natp y)) (equal (m1 (make-state 0 (list x y) nil *pi*) (clk x)) (make-state 14 (list 0 y (g x y 0)) (push (g x y 0) nil) *pi*)))) ACL2 Warning [Non-rec] in ( DEFTHM ENTRY-CODE-CORRECT ...): A :REWRITE rule generated from ENTRY-CODE-CORRECT will be triggered only by terms containing the non-recursive function symbol CLK. Unless this function is disabled, this rule is unlikely ever to be used. Goal' Q.E.D. Summary Form: ( DEFTHM ENTRY-CODE-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION CLK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UPDATE-NTH) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE LOOP-CODE-CORRECT) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE STACKS) (:REWRITE STATES) (:REWRITE STEP-OPENER)) Warnings: Non-rec Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 441 ENTRY-CODE-CORRECT M1 !>(in-theory (disable clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4774) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(defthm lemma (implies (and (natp x) (natp y) (natp a)) (equal (g x y a) (+ a (* x y))))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP X) (<= 0 X) (INTEGERP Y) (<= 0 Y) (INTEGERP A) (<= 0 A)) (EQUAL (G X Y A) (+ A (* X Y)))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (G X Y A). This suggestion was produced using the :induction rule G. If we let (:P A X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP X)) (:P (+ Y A) (+ -1 X) Y)) (:P A X Y)) (IMPLIES (ZP X) (:P A X Y))). This induction is justified by the same argument used to admit G. Note, however, that the unmeasured variable A is being instantiated. When applied to the goal at hand the above induction scheme produces six nontautological subgoals. Subgoal *1/6 Subgoal *1/6' Subgoal *1/5 Subgoal *1/4 Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LEMMA ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION G) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION G) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 660 LEMMA M1 !>(defthm algorithm-implements-spec (implies (and (natp x) (natp y)) (equal (g x y 0) (* x y)))) Goal' Q.E.D. Summary Form: ( DEFTHM ALGORITHM-IMPLEMENTS-SPEC ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION NATP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE LEMMA)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 101 ALGORITHM-IMPLEMENTS-SPEC M1 !>(defthm main-goal (implies (and (natp x) (natp y) (equal si (make-state 0 (list x y) nil *pi*)) (equal sf (m1 si (clk x)))) (and (haltedp sf) (equal (top (stack sf)) (* x y)))) :rule-classes nil) Goal' Q.E.D. Summary Form: ( DEFTHM MAIN-GOAL ...) Rules: ((:DEFINITION HALTEDP) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART NTH) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ALGORITHM-IMPLEMENTS-SPEC) (:REWRITE ENTRY-CODE-CORRECT) (:REWRITE STACKS) (:REWRITE STATES)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 259 MAIN-GOAL M1 !>(quote (the end)) (THE END) M1 !>