Welcome to Clozure Common Lisp Version 1.10-dev-r15960M-trunk (DarwinX8664)! ACL2 Version 6.3 built October 26, 2013 20:56:32. Copyright (C) 2013, Regents of the University of Texas ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the LICENSE file distributed with ACL2. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + WARNING: This is NOT an ACL2 release; it is svn revision 1144. + + The authors of ACL2 consider svn distributions to be experimental; + + they may be incomplete, fragile, and unable to pass our own + + regression. Bug reports should include the following line: + + ACL2 svn revision 1144; community books svn revision 2204 + ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*). Experimental modification for HONS, memoization, and applicative hash tables. See the documentation topic note-6-3 for recent changes. Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt. ACL2 Version 6.3. Level 1. Cbd "/Users/moore/acl2-code-proofs/". System books directory "/Users/moore/work/v6-3-xdoc/acl2-devel/books/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(include-book "m1-with-stobj") ACL2 Observation in NON-LINEAR-ARITHMETIC: To turn on non-linear arithmetic, execute : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT STABLE-UNDER-SIMPLIFICATIONP HIST PSPV))) or : (SET-DEFAULT-HINTS '((NONLINEARP-DEFAULT-HINT++ ID STABLE-UNDER-SIMPLIFICATIONP HIST NIL))) See the README for more about non-linear arithmetic and general information about using this library. Summary Form: ( INCLUDE-BOOK "m1-with-stobj" ...) Rules: NIL Time: 0.69 seconds (prove: 0.00, print: 0.00, other: 0.69) "/Users/moore/acl2-code-proofs/m1-with-stobj.lisp" ACL2 !>"M1" "M1" M1 !>(set-verify-guards-eagerness 0) 0 M1 !>(defconst *pi* '((ICONST 0) ; 0 (ISTORE 2) ; 1 a $=$ 0; (ILOAD 0) ; 2 [loop:] (IFEQ 10) ; 3 if x$=$0 then go to end; (ILOAD 0) ; 4 (ICONST 1) ; 5 (ISUB) ; 6 (ISTORE 0) ; 7 x $=$ x-1; (ILOAD 1) ; 8 (ILOAD 2) ; 9 (IADD) ;10 (ISTORE 2) ;11 a $=$ y+a; (GOTO -10) ;12 go to loop (ILOAD 2) ;13 [end:] (HALT) ;14 ``return'' a )) Summary Form: ( DEFCONST *PI* ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) *PI* M1 !>(defun bad-statep (s) (declare (xargs :stobjs (s))) (and (sp s) (natp (rd :pc s)) (integerp (loi 0 s)) (integerp (loi 1 s)) (integerp (loi 2 s)) (<= 3 (len (rd :locals s))) (< (loi 0 s) 0) (equal (rd :program s) *pi*))) Since BAD-STATEP is non-recursive, its admission is trivial. We observe that the type of BAD-STATEP is described by the theorem (OR (EQUAL (BAD-STATEP S) T) (EQUAL (BAD-STATEP S) NIL)). We used primitive type reasoning. (BAD-STATEP S) => *. Summary Form: ( DEFUN BAD-STATEP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) BAD-STATEP M1 !>(defun loop-clk (n) (if (zp n) 0 (clk+ 11 (loop-clk (- n 1))))) The admission of LOOP-CLK is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT N). We observe that the type of LOOP-CLK is described by the theorem (AND (INTEGERP (LOOP-CLK N)) (<= 0 (LOOP-CLK N))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN LOOP-CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) LOOP-CLK M1 !>(defun clk (n) (if (zp n) 0 (if (equal n 1) 1 (clk+ 2 (loop-clk (floor (- n 2) 11)) (mod (- n 2) 11))))) Since CLK is non-recursive, its admission is trivial. We observe that the type of CLK is described by the theorem (AND (INTEGERP (CLK N)) (<= 0 (CLK N))). We used the :type-prescription rule BINARY-CLK+. Summary Form: ( DEFUN CLK ...) Rules: ((:TYPE-PRESCRIPTION BINARY-CLK+)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) CLK M1 !>(defun hint (n s) (declare (xargs :stobjs (s))) (if (zp n) s (let ((s (m1 s 11))) (hint (- n 1) s)))) The admission of HINT is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT N). We observe that the type of HINT is described by the theorem (OR (CONSP (HINT N S)) (EQUAL (HINT N S) S)). (HINT * S) => S. Summary Form: ( DEFUN HINT ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) HINT M1 !>(defthm lemma1 (implies (and (bad-statep s) (equal (rd :pc s) 2) (natp n)) (equal (m1 s (loop-clk n)) (!loi 0 (- (loi 0 s) n) (!loi 2 (+ (* n (loi 1 s)) (loi 2 s)) s)))) :hints (("Goal" :induct (hint n s)))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT N S). This suggestion was produced using the :induction rule HINT. If we let (:P N S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP N)) (:P (+ -1 N) (M1 S 11))) (:P N S)) (IMPLIES (ZP N) (:P N S))). This induction is justified by the same argument used to admit HINT. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 Subgoal *1/2' Splitter note (see :DOC splitter) for Subgoal *1/2' (28 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH) (:REWRITE ACL2::|(+ (if a b c) x)|) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-2)) Subgoal *1/2.28 Subgoal *1/2.28' Subgoal *1/2.28'' Subgoal *1/2.28''' Subgoal *1/2.27 Subgoal *1/2.27' Subgoal *1/2.26 Subgoal *1/2.26' Subgoal *1/2.26'' Subgoal *1/2.26''' Subgoal *1/2.25 Subgoal *1/2.25' Subgoal *1/2.24 Subgoal *1/2.24' Subgoal *1/2.23 Subgoal *1/2.23' Subgoal *1/2.22 Subgoal *1/2.22' Subgoal *1/2.21 Subgoal *1/2.21' Subgoal *1/2.20 Subgoal *1/2.20' Subgoal *1/2.20'' Subgoal *1/2.20''' Subgoal *1/2.19 Subgoal *1/2.19' Subgoal *1/2.18 Subgoal *1/2.18' Subgoal *1/2.17 Subgoal *1/2.17' Subgoal *1/2.16 Subgoal *1/2.16' Subgoal *1/2.15 Subgoal *1/2.15' Subgoal *1/2.14 Subgoal *1/2.14' Subgoal *1/2.14'' Subgoal *1/2.14''' Subgoal *1/2.13 Subgoal *1/2.13' Subgoal *1/2.12 Subgoal *1/2.12' Subgoal *1/2.11 Subgoal *1/2.11' Subgoal *1/2.10 Subgoal *1/2.10' Subgoal *1/2.9 Subgoal *1/2.9' Subgoal *1/2.8 Subgoal *1/2.8' Subgoal *1/2.7 Subgoal *1/2.7' Subgoal *1/2.6 Subgoal *1/2.6' Subgoal *1/2.5 Subgoal *1/2.5' Subgoal *1/2.4 Subgoal *1/2.4' Subgoal *1/2.4'' Subgoal *1/2.4''' Subgoal *1/2.3 Subgoal *1/2.3' Subgoal *1/2.2 Subgoal *1/2.2' Subgoal *1/2.1 Subgoal *1/2.1' Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' Subgoal *1/1''' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LEMMA1 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION BAD-STATEP) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION LEN) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONS) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UPDATE-NTH) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(* (+ x y) z)|) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ (if a b c) x)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-CAR) (:REWRITE DEFAULT-CDR) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-0-CONS) (:REWRITE NTH-ADD1) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH) (:REWRITE ACL2::|(+ (if a b c) x)|) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::DEFAULT-TIMES-2)) Time: 2.39 seconds (prove: 2.38, print: 0.01, other: 0.00) Prover steps counted: 778625 LEMMA1 M1 !>(in-theory (disable loop-clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 4826) M1 !>(include-book "enumerate") Summary Form: ( INCLUDE-BOOK "enumerate" ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) "/Users/moore/acl2-code-proofs/enumerate.lisp" M1 !>:pe clk L 6 (DEFUN CLK (N) (IF (ZP N) 0 (IF (EQUAL N 1) 1 (CLK+ 2 (LOOP-CLK (FLOOR (- N 2) 11)) (MOD (- N 2) 11))))) M1 !>(defthm lemma2 (implies (and (bad-statep s) (equal (rd :pc s) 0) (equal sf (m1 s (clk n)))) (not (haltedp sf))) :hints (("Goal" :use (:instance acl2::enumerate (acl2::term (mod n 11)) (acl2::i 0) (acl2::j 10))))) ACL2 Warning [Non-rec] in ( DEFTHM LEMMA2 ...): A :REWRITE rule generated from LEMMA2 will be triggered only by terms containing the non-recursive function symbol HALTEDP. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Free] in ( DEFTHM LEMMA2 ...): A :REWRITE rule generated from LEMMA2 contains the free variables S and N. These variables will be chosen by searching for instances of (BAD-STATEP S) and (EQUAL SF (M1 S (CLK N))) in the context of the term being rewritten. This is generally a severe restriction on the applicability of a :REWRITE rule. See :DOC free-variables. ACL2 Warning [Non-rec] in ( DEFTHM LEMMA2 ...): As noted, we will instantiate the free variables, S and N, of a :REWRITE rule generated from LEMMA2, by searching for the set of hypotheses shown above. However, these hypotheses mention the function symbols BAD-STATEP and CLK, which are defun'd non-recursively. Unless disabled, these function symbols are unlikely to occur in the conjecture being proved and hence the search for the required hypotheses will likely fail. ACL2 Warning [Subsume] in ( DEFTHM LEMMA2 ...): The previously added rule HALTEDP subsumes a newly proposed :REWRITE rule generated from LEMMA2, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Goal' Goal'' Splitter note (see :DOC splitter) for Goal'' (29 subgoals). if-intro: ((:DEFINITION CLK) (:DEFINITION NOT) (:DEFINITION NTH) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1) (:REWRITE ACL2::DEFAULT-MOD-1) (:REWRITE ACL2::DEFAULT-MOD-RATIO) (:REWRITE ACL2::ENUMERATE-EXPANDER)) Subgoal 29 Subgoal 29' Subgoal 28 Subgoal 28' Subgoal 27 Subgoal 27' Subgoal 26 Subgoal 26' Subgoal 25 Subgoal 25' Subgoal 24 Subgoal 24' Subgoal 24'' Subgoal 24.2 Subgoal 24.1 Subgoal 24.1' Subgoal 24.1'' Splitter note (see :DOC splitter) for Subgoal 24.1'' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH)) Subgoal 24.1.2 Subgoal 24.1.2' Splitter note (see :DOC splitter) for Subgoal 24.1.2' (4 subgoals). if-intro: ((:DEFINITION DO-INST) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2)) Subgoal 24.1.2.4 Subgoal 24.1.2.4' Subgoal 24.1.2.3 Subgoal 24.1.2.3' Subgoal 24.1.2.2 Subgoal 24.1.2.2' Subgoal 24.1.2.1 Subgoal 24.1.2.1' Subgoal 24.1.1 Subgoal 24.1.1' Subgoal 23 Subgoal 22 Subgoal 22' Subgoal 21 Subgoal 21' ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 421,713,568 bytes freed in 0.341082 s ;;; 42229 soft faults, 0 faults, 0 pageins Subgoal 20 Subgoal 20' Subgoal 19 Subgoal 19' Subgoal 18 Subgoal 18' Subgoal 17 Subgoal 17' Subgoal 16 Subgoal 16' Subgoal 15 Subgoal 15' Subgoal 14 Subgoal 14' Subgoal 13 Subgoal 13' Subgoal 12 Subgoal 12' Subgoal 11 Subgoal 11' Subgoal 10 Subgoal 10' Splitter note (see :DOC splitter) for Subgoal 10' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH)) Subgoal 10.2 Subgoal 10.2' Subgoal 10.1 Subgoal 10.1' Subgoal 9 Subgoal 9' Subgoal 8 Subgoal 8' Subgoal 7 Subgoal 7' Subgoal 6 Subgoal 6' Subgoal 5 Subgoal 5' Subgoal 4 Subgoal 4' Subgoal 3 Subgoal 3' Subgoal 3'' Subgoal 3.2 Subgoal 3.1 Subgoal 3.1' Subgoal 3.1'' Splitter note (see :DOC splitter) for Subgoal 3.1'' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH) (:REWRITE ACL2::|(< 0 (* x y)) rationalp (* x y)|)) Subgoal 3.1.2 Subgoal 3.1.2' Splitter note (see :DOC splitter) for Subgoal 3.1.2' (4 subgoals). if-intro: ((:DEFINITION DO-INST) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2)) Subgoal 3.1.2.4 Subgoal 3.1.2.4' Subgoal 3.1.2.3 Subgoal 3.1.2.3' Subgoal 3.1.2.2 Subgoal 3.1.2.2' Subgoal 3.1.2.1 Subgoal 3.1.2.1' Subgoal 3.1.1 Subgoal 3.1.1' Subgoal 2 Subgoal 2' Subgoal 1 Subgoal 1' Splitter note (see :DOC splitter) for Subgoal 1' (2 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH)) Subgoal 1.2 Subgoal 1.2' ;;; Starting full GC, 537,001,984 bytes allocated. ;;; Finished full GC. 421,399,312 bytes freed in 0.230546 s ;;; 0 soft faults, 0 faults, 0 pageins Subgoal 1.1 Subgoal 1.1' Q.E.D. Summary Form: ( DEFTHM LEMMA2 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION BAD-STATEP) (:DEFINITION CLK) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION HALTEDP) (:DEFINITION LOI) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:ELIM ACL2::FLOOR-MOD-ELIM) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-*) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CONS) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART FLOOR) (:EXECUTABLE-COUNTERPART IMPLIES) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART MOD) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART RATIONALP) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UNARY-/) (:EXECUTABLE-COUNTERPART UPDATE-NTH) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-1) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-2) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-3) (:GENERALIZE ACL2::MOD-BOUNDS-1) (:GENERALIZE ACL2::MOD-BOUNDS-2) (:GENERALIZE ACL2::MOD-BOUNDS-3) (:LINEAR ACL2::MOD-BOUNDS-1) (:REWRITE ACL2::|(* (* x y) z)|) (:REWRITE ACL2::|(* (+ x y) z)|) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* a (/ a) b)|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< 0 (* x y)) rationalp (* x y)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::|(equal (* x y) 0)|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-CAR) (:REWRITE DEFAULT-CDR) (:REWRITE ACL2::DEFAULT-MOD-1) (:REWRITE ACL2::DEFAULT-MOD-RATIO) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::ENUMERATE-EXPANDER) (:REWRITE LEMMA1) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE ACL2::MOD-NEGATIVE . 1) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-0-CONS) (:REWRITE NTH-ADD1) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-EQUAL) (:REWRITE ACL2::REDUCE-RATIONALP-*) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION ACL2::FLOOR-NONNEGATIVE . 2) (:TYPE-PRESCRIPTION ACL2::INTEGERP-MOD-1) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION MOD) (:TYPE-PRESCRIPTION ACL2::MOD-NONNEGATIVE) (:TYPE-PRESCRIPTION ACL2::MOD-ZERO . 1) (:TYPE-PRESCRIPTION SP)) Hint-events: ((:USE ACL2::ENUMERATE)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION CLK) (:DEFINITION DO-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< 0 (* x y)) rationalp (* x y)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1) (:REWRITE ACL2::DEFAULT-MOD-1) (:REWRITE ACL2::DEFAULT-MOD-RATIO) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE ACL2::ENUMERATE-EXPANDER)) Warnings: Subsume, Free and Non-rec Time: 5.74 seconds (prove: 5.72, print: 0.01, other: 0.00) Prover steps counted: 132501 LEMMA2 M1 !>(in-theory (disable clk)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 4829) M1 !>:pe lemma2 11 (DEFTHM LEMMA2 (IMPLIES (AND (BAD-STATEP S) (EQUAL (RD :PC S) 0) (EQUAL SF (M1 S (CLK N)))) (NOT (HALTEDP SF))) :HINTS (("Goal" :USE (:INSTANCE ACL2::ENUMERATE (ACL2::TERM (MOD N 11)) (ACL2::I 0) (ACL2::J 10))))) M1 !>(defthm lemma3 (implies (natp n) (equal (loop-clk n) (* 11 n))) :hints (("Goal" :in-theory (enable loop-clk binary-clk+)))) Goal' ([ A key checkpoint: Goal' (IMPLIES (AND (INTEGERP N) (<= 0 N)) (EQUAL (LOOP-CLK N) (* 11 N))) *1 (Goal') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (LOOP-CLK N). This suggestion was produced using the :induction rule LOOP-CLK. If we let (:P N) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP N)) (:P (+ -1 N))) (:P N)) (IMPLIES (ZP N) (:P N))). This induction is justified by the same argument used to admit LOOP-CLK. When applied to the goal at hand the above induction scheme produces four nontautological subgoals. Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 *1 is COMPLETED! Thus key checkpoint Goal' is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LEMMA3 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION BINARY-CLK+) (:DEFINITION LOOP-CLK) (:DEFINITION NATP) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-*) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION LOOP-CLK) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION LOOP-CLK)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 272 LEMMA3 M1 !>(defthm lemma4 (implies (natp n) (equal (clk n) n)) :hints (("Goal" :in-theory (enable clk binary-clk+)))) Goal' Splitter note (see :DOC splitter) for Goal' (9 subgoals). if-intro: ((:DEFINITION CLK) (:DEFINITION NFIX) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1)) Subgoal 9 Subgoal 8 Subgoal 7 Subgoal 6 Subgoal 5 Subgoal 4 Subgoal 4' Subgoal 4.2 Subgoal 4.1 Subgoal 4.1' Splitter note (see :DOC splitter) for Subgoal 4.1' (2 subgoals). if-intro: ((:DEFINITION NOT) (:REWRITE ACL2::ZP-OPEN)) Subgoal 4.1.2 Subgoal 4.1.2' Subgoal 4.1.2'' Subgoal 4.1.2''' Subgoal 4.1.1 Subgoal 3 Subgoal 2 Subgoal 1 Q.E.D. Summary Form: ( DEFTHM LEMMA4 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION BINARY-CLK+) (:DEFINITION CLK) (:DEFINITION NATP) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION SYNP) (:ELIM ACL2::FLOOR-MOD-ELIM) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-*) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART FLOOR) (:EXECUTABLE-COUNTERPART IMPLIES) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART MOD) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART RATIONALP) (:EXECUTABLE-COUNTERPART TAU-SYSTEM) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UNARY-/) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-1) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-2) (:GENERALIZE ACL2::LINEAR-FLOOR-BOUNDS-3) (:GENERALIZE ACL2::MOD-BOUNDS-1) (:GENERALIZE ACL2::MOD-BOUNDS-2) (:GENERALIZE ACL2::MOD-BOUNDS-3) (:REWRITE ACL2::|(* (* x y) z)|) (:REWRITE ACL2::|(* a (/ a) b)|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(< (* (/ x) y) 1) with (< 0 x)|) (:REWRITE ACL2::|(< (* x y) 0) rationalp (* x y)|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< 0 (* x y)) rationalp (* x y)|) (:REWRITE ACL2::|(equal (* x y) 0)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::FLOOR-MOD-ELIM) (:REWRITE LEMMA3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-EQUAL) (:REWRITE ACL2::REDUCE-INTEGERP-+) (:REWRITE ACL2::REMOVE-STRICT-INEQUALITIES) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:REWRITE ACL2::ZP-OPEN) (:TYPE-PRESCRIPTION ACL2::FLOOR-NONNEGATIVE . 2) (:TYPE-PRESCRIPTION ACL2::INTEGERP-MOD-1) (:TYPE-PRESCRIPTION LOOP-CLK) (:TYPE-PRESCRIPTION ACL2::MOD-NONNEGATIVE) (:TYPE-PRESCRIPTION ACL2::NOT-INTEGERP-1A)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION CLK) (:DEFINITION NFIX) (:DEFINITION NOT) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(floor (+ x y) z) where (< 0 z)| . 1) (:REWRITE ACL2::|(mod (+ x y) z) where (<= 0 z)| . 1) (:REWRITE ACL2::ZP-OPEN)) Time: 0.59 seconds (prove: 0.59, print: 0.00, other: 0.00) Prover steps counted: 5640 LEMMA4 M1 !>:pe lemma4 14:x(DEFTHM LEMMA4 (IMPLIES (NATP N) (EQUAL (CLK N) N)) :HINTS (("Goal" :IN-THEORY (ENABLE CLK BINARY-CLK+)))) M1 !>(defthm main (implies (and (bad-statep s) (equal (rd :pc s) 0) (natp n) (equal sf (m1 s n))) (not (haltedp sf))) :hints (("Goal" :use (lemma2) ))) ACL2 Warning [Non-rec] in ( DEFTHM MAIN ...): A :REWRITE rule generated from MAIN will be triggered only by terms containing the non-recursive function symbol HALTEDP. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Free] in ( DEFTHM MAIN ...): A :REWRITE rule generated from MAIN contains the free variables S and N. These variables will be chosen by searching for instances of (BAD-STATEP S) and (NATP N) in the context of the term being rewritten. This is generally a severe restriction on the applicability of a :REWRITE rule. See :DOC free- variables. ACL2 Warning [Non-rec] in ( DEFTHM MAIN ...): As noted, we will instantiate the free variables, S and N, of a :REWRITE rule generated from MAIN, by searching for the set of hypotheses shown above. However, these hypotheses mention the function symbols BAD-STATEP and NATP, which are defun'd non-recursively. Unless disabled, these function symbols are unlikely to occur in the conjecture being proved and hence the search for the required hypotheses will likely fail. ACL2 Warning [Subsume] in ( DEFTHM MAIN ...): The previously added rule HALTEDP subsumes a newly proposed :REWRITE rule generated from MAIN, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. ACL2 Warning [Use] in ( DEFTHM MAIN ...): It is unusual to :USE an enabled :REWRITE or :DEFINITION rule, so you may want to consider disabling (:REWRITE LEMMA2) in the hint provided for Goal. See :DOC using-enabled- rules. Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM MAIN ...) Rules: ((:DEFINITION BAD-STATEP) (:DEFINITION HALTEDP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE LEMMA4) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:TYPE-PRESCRIPTION SP)) Hint-events: ((:USE LEMMA2)) Warnings: Use, Subsume, Free and Non-rec Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 670 MAIN M1 !>:pe lemma1 8 (DEFTHM LEMMA1 (IMPLIES (AND (BAD-STATEP S) (EQUAL (RD :PC S) 2) (NATP N)) (EQUAL (M1 S (LOOP-CLK N)) (!LOI 0 (- (LOI 0 S) N) (!LOI 2 (+ (* N (LOI 1 S)) (LOI 2 S)) S)))) :HINTS (("Goal" :INDUCT (HINT N S)))) M1 !>(ubt! 'lemma1) L 7:x(DEFUN HINT (N S) ...) M1 !>(defun-nx whatever-it-is (s n) ; value of local 2 after running (loi 2 (m1 s (loop-clk n)))) Since WHATEVER-IT-IS is non-recursive, its admission is trivial. We could deduce no constraints on the type of WHATEVER-IT-IS. Summary Form: ( DEFUN WHATEVER-IT-IS ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) WHATEVER-IT-IS M1 !>(defthm lemma1 (implies (and (bad-statep s) (equal (rd :pc s) 2) (natp n)) (equal (m1 s (loop-clk n)) (!loi 0 (- (loi 0 s) n) (!loi 2 (whatever-it-is s n) s)))) :hints (("Goal" :induct (hint n s)))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (HINT N S). This suggestion was produced using the :induction rule HINT. If we let (:P N S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP N)) (:P (+ -1 N) (M1 S 11))) (:P N S)) (IMPLIES (ZP N) (:P N S))). This induction is justified by the same argument used to admit HINT. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 Subgoal *1/2' Splitter note (see :DOC splitter) for Subgoal *1/2' (10 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH) (:REWRITE ACL2::DEFAULT-PLUS-1)) Subgoal *1/2.10 Subgoal *1/2.10' Subgoal *1/2.10'' Subgoal *1/2.10''' Subgoal *1/2.9 Subgoal *1/2.9' Subgoal *1/2.8 Subgoal *1/2.8' Subgoal *1/2.8'' Subgoal *1/2.8''' Subgoal *1/2.7 Subgoal *1/2.7' Subgoal *1/2.6 Subgoal *1/2.6' Subgoal *1/2.6'' Subgoal *1/2.6''' Subgoal *1/2.5 Subgoal *1/2.5' Subgoal *1/2.4 Subgoal *1/2.4' Subgoal *1/2.4'' Subgoal *1/2.4''' Subgoal *1/2.3 Subgoal *1/2.3' Subgoal *1/2.2 Subgoal *1/2.2' Subgoal *1/2.2'' Subgoal *1/2.2''' Subgoal *1/2.1 Subgoal *1/2.1' Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' Subgoal *1/1''' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM LEMMA1 ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION BAD-STATEP) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION LEN) (:DEFINITION LOI) (:DEFINITION LOOP-CLK) (:DEFINITION MAX) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION NTH) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION UPDATE-NTH) (:DEFINITION WHATEVER-IT-IS) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONS) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART LOOP-CLK) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UPDATE-NTH) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION HINT) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (if a b c))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-CAR) (:REWRITE DEFAULT-CDR) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-PLUS-2) (:REWRITE LEN-UPDATE-NTH) (:REWRITE M1-CLK+) (:REWRITE M1-OPENER) (:REWRITE NTH-0-CONS) (:REWRITE NTH-ADD1) (:REWRITE NTH-UPDATE-NTH) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::REDUCE-ADDITIVE-CONSTANT-<) (:REWRITE ACL2::REMOVE-WEAK-INEQUALITIES) (:REWRITE SP-WR) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-REDUNDANT) (:REWRITE UPDATE-NTH-UPDATE-NTH-SAME) (:REWRITE WR-REDUNDANT) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME) (:TYPE-PRESCRIPTION LEN) (:TYPE-PRESCRIPTION SP)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION DO-INST) (:DEFINITION NTH) (:REWRITE ACL2::DEFAULT-PLUS-1)) Time: 1.01 seconds (prove: 1.01, print: 0.00, other: 0.00) Prover steps counted: 300949 LEMMA1 M1 !>(in-theory (disable whatever-it-is)) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) (:NUMBER-OF-ENABLED-RUNES 4830) M1 !>:pe lemma1 9 (DEFTHM LEMMA1 (IMPLIES (AND (BAD-STATEP S) (EQUAL (RD :PC S) 2) (NATP N)) (EQUAL (M1 S (LOOP-CLK N)) (!LOI 0 (- (LOI 0 S) N) (!LOI 2 (WHATEVER-IT-IS S N) S)))) :HINTS (("Goal" :INDUCT (HINT N S)))) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>:pbt 1 d 1 (INCLUDE-BOOK "m1-with-stobj") 2 (SET-VERIFY-GUARDS-EAGERNESS 0) 3 (DEFCONST *PI* '#) L 4 (DEFUN BAD-STATEP (S) ...) L 5 (DEFUN LOOP-CLK (N) ...) L 6 (DEFUN CLK (N) ...) L 7 (DEFUN HINT (N S) ...) L d 8 (DEFUN-NX WHATEVER-IT-IS (S N) ...) 9 (DEFTHM LEMMA1 ...) 10:x(IN-THEORY (DISABLE WHATEVER-IT-IS)) M1 !>(ubt! '(*pi* 1)) 3:x(DEFCONST *PI* '#) M1 !>(defun x (s) (declare (xargs :stobjs (s))) (loi 0 s)) Since X is non-recursive, its admission is trivial. We could deduce no constraints on the type of X. (X S) => *. Summary Form: ( DEFUN X ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) X M1 !>(defun y (s) (declare (xargs :stobjs (s))) (loi 1 s)) Since Y is non-recursive, its admission is trivial. We could deduce no constraints on the type of Y. (Y S) => *. Summary Form: ( DEFUN Y ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Y M1 !>(defun a (s) (declare (xargs :stobjs (s))) (loi 2 s)) Since A is non-recursive, its admission is trivial. We could deduce no constraints on the type of A. (A S) => *. Summary Form: ( DEFUN A ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) A M1 !>(include-book "m1-with-stobj-defspec") Summary Form: ( INCLUDE-BOOK "m1-with-stobj-defspec" ...) Rules: NIL Time: 0.03 seconds (prove: 0.00, print: 0.00, other: 0.03) "/Users/moore/acl2-code-proofs/m1-with-stobj-defspec.lisp" M1 !>(trans1 '(defspec pi *pi* (x0 y0 a0) 0 14 ((0 ; Pre-condition (and (natp x0) (equal (x s) x0) (equal (y s) y0))) (2 ; Loop Invariant (and (natp x0) (natp (x s)) (<= (x s) x0) (equal (y s) y0) (equal (a s) (* y0 (- x0 (x s)))))) (14 ; Post-condition (equal (top (rd :stack s)) (* x0 y0)))) t)) (PROGN (DEFPUN PI-INV (X0 Y0 A0 S) (IF (MEMBER (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (NATP X0) (NATP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))) (PI-INV X0 Y0 A0 (STEP S)))) (DEFTHM PI-INV-OPENER (IMPLIES (AND (EQUAL PC (PC S)) (SYNTAXP (QUOTEP PC)) (NOT (MEMBER PC '(0 2 14)))) (EQUAL (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S))))) (DEFTHM PI-INV-STEP (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S)))) (DEFTHM PI-INV-RUN (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (M1 S CLK))) :RULE-CLASSES NIL :HINTS (("Goal" :IN-THEORY (E/D (M1) (PI-INV-DEF))))) (DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI (LET* ((SK (M1 S0 CLK))) (IMPLIES (AND (LET ((S S0)) (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (EQUAL (PC S0) 0) (EQUAL (PROGRAM S0) *PI*) (EQUAL (PC SK) 14)) (LET ((S SK)) (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))) :HINTS (("Goal" :USE (:INSTANCE PI-INV-RUN (X0 X0) (Y0 Y0) (A0 A0) (S S0) (CLK CLK)))) :RULE-CLASSES NIL) (DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED (IMPLIES (AND (AND (NATP X0) (EQUAL (X S0) X0) (EQUAL (Y S0) Y0)) (EQUAL (RD :PC S0) 0) (EQUAL (RD :PROGRAM S0) *PI*) (EQUAL SK (M1 S0 CLK)) (HALTEDP SK)) (EQUAL (TOP (RD :STACK SK)) (* X0 Y0))) :HINTS (("Goal" :USE ((:INSTANCE PARTIAL-CORRECTNESS-OF-PROGRAM-PI) (:INSTANCE HALTING-PC (PROGRAM *PI*) (I (RD :PC (M1 S0 CLK))))))))) M1 !>(defspec pi *pi* (x0 y0 a0) 0 14 ((0 ; Pre-condition (and (natp x0) (equal (x s) x0) (equal (y s) y0))) (2 ; Loop Invariant (and (natp x0) (natp (x s)) (<= (x s) x0) (equal (y s) y0) (equal (a s) (* y0 (- x0 (x s)))))) (14 ; Post-condition (equal (top (rd :stack s)) (* x0 y0)))) t) M1 !>>(DEFPUN PI-INV (X0 Y0 A0 S) (IF (MEMBER (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (NATP X0) (NATP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))) (PI-INV X0 Y0 A0 (STEP S)))) To verify that the eight encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(SET-IGNORE-OK T) T M1 !>>(SET-IRRELEVANT-FORMALS-OK T) T M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-test| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (MEMBER (PC S) '(0 2 14))))) Since |PI-INV-arity-1-defpun-test| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-defpun-test| is described by the theorem (OR (CONSP (|PI-INV-arity-1-defpun-test| ACL2::X)) (EQUAL (|PI-INV-arity-1-defpun-test| ACL2::X) NIL)). We used the :type-prescription rule MEMBER-EQUAL. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-test| ...) Rules: ((:TYPE-PRESCRIPTION MEMBER-EQUAL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-test| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-base| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (NATP X0) (NATP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (EQUAL (TOP (RD :STACK S)) (* X0 Y0)))))))) Since |PI-INV-arity-1-defpun-base| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-defpun-base| is described by the theorem (OR (EQUAL (|PI-INV-arity-1-defpun-base| ACL2::X) T) (EQUAL (|PI-INV-arity-1-defpun-base| ACL2::X) NIL)). We used primitive type reasoning. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-base| ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-base| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-step| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (LIST X0 Y0 A0 (STEP S))))) Since |PI-INV-arity-1-step| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-step| is described by the theorem (AND (CONSP (|PI-INV-arity-1-step| ACL2::X)) (TRUE-LISTP (|PI-INV-arity-1-step| ACL2::X))). We used primitive type reasoning. Summary Form: ( DEFUN |PI-INV-arity-1-step| ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-step| M1 !>>(LOCAL (ENCAPSULATE ((|PI-INV-arity-1| (ACL2::X) T)) (LOCAL (IN-THEORY (DISABLE |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step|))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-stn| (ACL2::X ACL2::N) (IF (ZP ACL2::N) ACL2::X (|PI-INV-arity-1-defpun-stn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) (LOCAL (DEFCHOOSE |PI-INV-arity-1-fch| (ACL2::N) (ACL2::X) (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-fn| (ACL2::X ACL2::N) (DECLARE (XARGS :MEASURE (NFIX ACL2::N))) (IF (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X)) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1-defpun-fn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1| (ACL2::X) (IF (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X))) (|PI-INV-arity-1-defpun-fn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X)) NIL))) (LOCAL (IN-THEORY '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)))) (DEFTHM |PI-INV-arity-1-DEF| (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) :HINTS (("Goal" :USE (:FUNCTIONAL-INSTANCE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F (ACL2::DEFPUN-F |PI-INV-arity-1|) (ACL2::DEFPUN-TEST |PI-INV-arity-1-defpun-test|) (ACL2::DEFPUN-BASE |PI-INV-arity-1-defpun-base|) (ACL2::DEFPUN-ST |PI-INV-arity-1-step|) (ACL2::DEFPUN-STN |PI-INV-arity-1-defpun-stn|) (ACL2::FCH |PI-INV-arity-1-fch|) (ACL2::DEFPUN-FN |PI-INV-arity-1-defpun-fn|))) ("Subgoal 2" :USE |PI-INV-arity-1-fch|)) :RULE-CLASSES NIL))) To verify that the seven encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(LOCAL (IN-THEORY (DISABLE |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step|))) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 4860) M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-stn| (ACL2::X ACL2::N) (IF (ZP ACL2::N) ACL2::X (|PI-INV-arity-1-defpun-stn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) The admission of |PI-INV-arity-1-defpun-stn| is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT ACL2::N). We observe that the type of |PI-INV-arity-1-defpun-stn| is described by the theorem (OR (AND (CONSP (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)) (TRUE-LISTP (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N))) (EQUAL (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N) ACL2::X)). We used the :type-prescription rule |PI-INV-arity-1-step|. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-stn| ...) Rules: ((:TYPE-PRESCRIPTION |PI-INV-arity-1-step|)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-stn| M1 !>>(LOCAL (DEFCHOOSE |PI-INV-arity-1-fch| (ACL2::N) (ACL2::X) (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)))) Summary Form: ( DEFCHOOSE |PI-INV-arity-1-fch| ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-fch| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-fn| (ACL2::X ACL2::N) (DECLARE (XARGS :MEASURE (NFIX ACL2::N))) (IF (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X)) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1-defpun-fn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) For the admission of |PI-INV-arity-1-defpun-fn| we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (NFIX ACL2::N). The non-trivial part of the measure conjecture is Goal (AND (O-P (NFIX ACL2::N)) (IMPLIES (NOT (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X))) (O< (NFIX (+ -1 ACL2::N)) (NFIX ACL2::N)))). Subgoal 2 Subgoal 1 Q.E.D. That completes the proof of the measure theorem for |PI-INV-arity-1-defpun-fn|. Thus, we admit this function under the principle of definition. We observe that the type of |PI-INV-arity-1-defpun-fn| is described by the theorem (OR (EQUAL (|PI-INV-arity-1-defpun-fn| ACL2::X ACL2::N) T) (EQUAL (|PI-INV-arity-1-defpun-fn| ACL2::X ACL2::N) NIL)). We used the :compound-recognizer rule ACL2::ZP-COMPOUND-RECOGNIZER and the :type-prescription rule |PI-INV-arity-1-defpun-base|. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-fn| ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION NFIX) (:DEFINITION O-FINP) (:DEFINITION O-P) (:DEFINITION O<) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-base|)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 143 |PI-INV-arity-1-defpun-fn| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1| (ACL2::X) (IF (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X))) (|PI-INV-arity-1-defpun-fn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X)) NIL))) Since |PI-INV-arity-1| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1| is described by the theorem (OR (EQUAL (|PI-INV-arity-1| ACL2::X) T) (EQUAL (|PI-INV-arity-1| ACL2::X) NIL)). We used the :type-prescription rule |PI-INV-arity-1-defpun-fn|. Summary Form: ( DEFUN |PI-INV-arity-1| ...) Rules: ((:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1| M1 !>>(LOCAL (IN-THEORY '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)))) ACL2 Warning [Theory] in ( IN-THEORY (QUOTE ...)): Although the theory expression '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) disables the :DEFINITION rules for DOUBLE-REWRITE, MV-NTH, THE-CHECK, IFF, WORMHOLE-EVAL, MV-LIST, MINUSP, PLUSP, ZEROP, LISTP, SYNP, CASE-SPLIT, FORCE, /=, =, RETURN-LAST, NULL, ENDP, ATOM, EQL, NOT, IMPLIES or EQ, some expansions involving these functions may still occur. See :DOC theories-and-primitives. ACL2 Warning [Theory] in ( IN-THEORY (QUOTE ...)): Although the theory expression '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) disables the :EXECUTABLE-COUNTERPART rules for NOT, SYMBOLP, SYMBOL-PACKAGE-NAME, SYMBOL-NAME, STRINGP, REALPART, RATIONALP, PKG-WITNESS, PKG-IMPORTS, NUMERATOR, INTERN-IN-PACKAGE-OF-SYMBOL, INTEGERP, IMAGPART, IF, EQUAL, DENOMINATOR, CONSP, CONS, COERCE, COMPLEX-RATIONALP, COMPLEX, CODE-CHAR, CHARACTERP, CHAR-CODE, CDR, CAR, <, UNARY-/, UNARY--, BINARY-+, BINARY-* or ACL2-NUMBERP, some calls involving these functions may still be made. See :DOC theories-and-primitives. ACL2 Warning [Disable] in ( IN-THEORY (QUOTE ...)): Forcing has transitioned from enabled to disabled. See :DOC force. Summary Form: ( IN-THEORY (QUOTE ...)) Rules: NIL Warnings: Disable and Theory Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 9) M1 !>>(DEFTHM |PI-INV-arity-1-DEF| (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) :HINTS (("Goal" :USE (:FUNCTIONAL-INSTANCE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F (ACL2::DEFPUN-F |PI-INV-arity-1|) (ACL2::DEFPUN-TEST |PI-INV-arity-1-defpun-test|) (ACL2::DEFPUN-BASE |PI-INV-arity-1-defpun-base|) (ACL2::DEFPUN-ST |PI-INV-arity-1-step|) (ACL2::DEFPUN-STN |PI-INV-arity-1-defpun-stn|) (ACL2::FCH |PI-INV-arity-1-fch|) (ACL2::DEFPUN-FN |PI-INV-arity-1-defpun-fn|))) ("Subgoal 2" :USE |PI-INV-arity-1-fch|)) :RULE-CLASSES NIL) Subgoal 4 Subgoal 3 Splitter note (see :DOC splitter) for Subgoal 3 (23 subgoals). if-intro: ((:DEFINITION |PI-INV-arity-1-defpun-base|)) Subgoal 3.23 Subgoal 3.22 Subgoal 3.21 Subgoal 3.20 Subgoal 3.19 Subgoal 3.18 Subgoal 3.17 Subgoal 3.16 Subgoal 3.15 Subgoal 3.14 Subgoal 3.13 Subgoal 3.12 Subgoal 3.11 Subgoal 3.10 Subgoal 3.9 Subgoal 3.8 Subgoal 3.7 Subgoal 3.6 Subgoal 3.5 Subgoal 3.4 Subgoal 3.3 Subgoal 3.2 Subgoal 3.1 Subgoal 2 Subgoal 2' Subgoal 2'' Subgoal 1 Subgoal 1.2 Subgoal 1.1 Q.E.D. Summary Form: ( DEFTHM |PI-INV-arity-1-DEF| ...) Rules: ((:DEFINITION |PI-INV-arity-1|) (:DEFINITION |PI-INV-arity-1-defpun-base|) (:DEFINITION |PI-INV-arity-1-defpun-fn|) (:DEFINITION |PI-INV-arity-1-defpun-stn|) (:DEFINITION |PI-INV-arity-1-defpun-test|) (:DEFINITION |PI-INV-arity-1-step|) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Hint-events: ((:USE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F) (:USE |PI-INV-arity-1-fch|)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION |PI-INV-arity-1-defpun-base|)) Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 5766 |PI-INV-arity-1-DEF| End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with the function |PI-INV-arity-1|: (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) Summary Form: ( ENCAPSULATE ((|PI-INV-arity-1| ...) ...) ...) Rules: NIL Warnings: Disable and Theory Time: 0.05 seconds (prove: 0.02, print: 0.01, other: 0.03) Prover steps counted: 5909 T M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC PI-INV (X0 Y0 A0 S) (|PI-INV-arity-1| (LIST X0 Y0 A0 S)))) Since PI-INV is non-recursive, its admission is trivial. We could deduce no constraints on the type of PI-INV. Summary Form: ( DEFUN PI-INV ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) PI-INV M1 !>>(DEFTHM PI-INV-DEF (EQUAL (PI-INV X0 Y0 A0 S) (IF (MEMBER (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (NATP X0) (NATP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))) (PI-INV X0 Y0 A0 (STEP S)))) :HINTS (("Goal" :USE (:INSTANCE |PI-INV-arity-1-DEF| (ACL2::X (LIST X0 Y0 A0 S))))) :RULE-CLASSES :DEFINITION) ACL2 Warning [Non-rec] in ( DEFTHM PI-INV-DEF ...): A :DEFINITION rule generated from PI-INV-DEF will be triggered only by terms containing the non-recursive function symbol PI-INV. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Subsume] in ( DEFTHM PI-INV-DEF ...): A newly proposed :DEFINITION rule generated from PI-INV-DEF probably subsumes the previously added :REWRITE rule PI-INV, in the sense that the new rule will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM PI-INV-DEF ...): The previously added rule PI-INV subsumes a newly proposed :DEFINITION rule generated from PI-INV-DEF, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM PI-INV-DEF ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION A) (:DEFINITION EQL) (:DEFINITION LOI) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV) (:DEFINITION |PI-INV-arity-1-defpun-base|) (:DEFINITION |PI-INV-arity-1-defpun-test|) (:DEFINITION |PI-INV-arity-1-step|) (:DEFINITION PROGRAM) (:DEFINITION RETURN-LAST) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Hint-events: ((:USE |PI-INV-arity-1-DEF|)) Warnings: Subsume and Non-rec Time: 0.03 seconds (prove: 0.03, print: 0.00, other: 0.00) Prover steps counted: 2922 PI-INV-DEF End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with the function PI-INV: (EQUAL (PI-INV X0 Y0 A0 S) (IF (MEMBER-EQUAL (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (LET ((ACL2::CASE-DO-NOT-USE-ELSEWHERE (PC S))) (CASE ACL2::CASE-DO-NOT-USE-ELSEWHERE (0 (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (NATP X0) (NATP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (+ X0 (- (X S))))))) (14 (EQUAL (TOP (RD :STACK S)) (* X0 Y0))) (OTHERWISE NIL)))) (PI-INV X0 Y0 A0 (STEP S)))) Summary Form: ( ENCAPSULATE ((PI-INV ...) ...) ...) Rules: NIL Warnings: Subsume, Non-rec, Disable and Theory Time: 0.11 seconds (prove: 0.05, print: 0.01, other: 0.06) Prover steps counted: 8831 T M1 !>>(DEFTHM PI-INV-OPENER (IMPLIES (AND (EQUAL PC (PC S)) (SYNTAXP (QUOTEP PC)) (NOT (MEMBER PC '(0 2 14)))) (EQUAL (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S))))) Goal' Q.E.D. Summary Form: ( DEFTHM PI-INV-OPENER ...) Rules: ((:DEFINITION MEMBER-EQUAL) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION RETURN-LAST) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART SYNP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.03 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1879 PI-INV-OPENER M1 !>>(DEFTHM PI-INV-STEP (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S)))) Splitter note (see :DOC splitter) for Goal (5 subgoals). case-split: ((:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<)) if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION PI-INV-DEF) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Subgoal 5 Subgoal 4 Subgoal 3 Subgoal 3' Subgoal 2 Subgoal 1 Subgoal 1' Q.E.D. Summary Form: ( DEFTHM PI-INV-STEP ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION A) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION LOI) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UNARY-/) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(/ (/ x))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::|(equal (/ x) c)|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE PI-INV-OPENER) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME)) Splitter rules (see :DOC splitter): case-split: ((:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<)) if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION PI-INV-DEF) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Time: 0.08 seconds (prove: 0.08, print: 0.00, other: 0.00) Prover steps counted: 15095 PI-INV-STEP M1 !>>(DEFTHM PI-INV-RUN (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (M1 S CLK))) :RULE-CLASSES NIL :HINTS (("Goal" :IN-THEORY (E/D (M1) (PI-INV-DEF))))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (M1 S CLK). This suggestion was produced using the :induction rule M1. If we let (:P A0 CLK S X0 Y0) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP CLK)) (:P A0 (+ -1 CLK) (STEP S) X0 Y0)) (:P A0 CLK S X0 Y0)) (IMPLIES (ZP CLK) (:P A0 CLK S X0 Y0))). This induction is justified by the same argument used to admit M1. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM PI-INV-RUN ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION M1) (:INDUCTION M1) (:REWRITE PI-INV-STEP)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 340 PI-INV-RUN M1 !>>(DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI (LET* ((SK (M1 S0 CLK))) (IMPLIES (AND (LET ((S S0)) (AND (NATP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (EQUAL (PC S0) 0) (EQUAL (PROGRAM S0) *PI*) (EQUAL (PC SK) 14)) (LET ((S SK)) (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))) :HINTS (("Goal" :USE (:INSTANCE PI-INV-RUN (X0 X0) (Y0 Y0) (A0 A0) (S S0) (CLK CLK)))) :RULE-CLASSES NIL) Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION PROGRAM) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE PROGRAM-NEVER-CHANGES)) Hint-events: ((:USE PI-INV-RUN)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 532 PARTIAL-CORRECTNESS-OF-PROGRAM-PI M1 !>>(DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED (IMPLIES (AND (AND (NATP X0) (EQUAL (X S0) X0) (EQUAL (Y S0) Y0)) (EQUAL (RD :PC S0) 0) (EQUAL (RD :PROGRAM S0) *PI*) (EQUAL SK (M1 S0 CLK)) (HALTEDP SK)) (EQUAL (TOP (RD :STACK SK)) (* X0 Y0))) :HINTS (("Goal" :USE ((:INSTANCE PARTIAL-CORRECTNESS-OF-PROGRAM-PI) (:INSTANCE HALTING-PC (PROGRAM *PI*) (I (RD :PC (M1 S0 CLK)))))))) ACL2 Warning [Free] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): A :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED contains the free variables X0, S0, Y0 and CLK. These variables will be chosen by searching for instances of (NATP X0), (EQUAL (X S0) X0), (EQUAL (Y S0) Y0) and (EQUAL SK (M1 S0 CLK)) in the context of the term being rewritten. This is generally a severe restriction on the applicability of a :REWRITE rule. See :DOC free-variables. ACL2 Warning [Non-rec] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): As noted, we will instantiate the free variables, X0, S0, Y0 and CLK, of a :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED, by searching for the set of hypotheses shown above. However, these hypotheses mention the function symbols NATP, X and Y, which are defun'd non-recursively. Unless disabled, these function symbols are unlikely to occur in the conjecture being proved and hence the search for the required hypotheses will likely fail. Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION HALTEDP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART FIND-PC) (:EXECUTABLE-COUNTERPART HOW-MANY) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE PROGRAM-NEVER-CHANGES)) Hint-events: ((:USE HALTING-PC) (:USE PARTIAL-CORRECTNESS-OF-PROGRAM-PI)) Warnings: Non-rec and Free Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 791 PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED Summary Form: ( PROGN (DEFPUN PI-INV ...) ...) Rules: NIL Warnings: Free, Subsume, Non-rec, Disable and Theory Time: 0.26 seconds (prove: 0.17, print: 0.01, other: 0.08) Prover steps counted: 27468 PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED M1 !>(pe 'PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED) 8:x(DEFSPEC PI *PI* ...) \ > (DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED (IMPLIES (AND (AND (NATP X0) (EQUAL (X S0) X0) (EQUAL (Y S0) Y0)) (EQUAL (RD :PC S0) 0) (EQUAL (RD :PROGRAM S0) *PI*) (EQUAL SK (M1 S0 CLK)) (HALTEDP SK)) (EQUAL (TOP (RD :STACK SK)) (* X0 Y0))) :HINTS (("Goal" :USE ((:INSTANCE PARTIAL-CORRECTNESS-OF-PROGRAM-PI) (:INSTANCE HALTING-PC (PROGRAM *PI*) (I (RD :PC (M1 S0 CLK)))))))) M1 !>(quote (back to talk)) (BACK TO TALK) M1 !>(u) 7:x(INCLUDE-BOOK "m1-with-stobj-defspec") M1 !>(defspec pi *pi* (x0 y0 a0) 0 14 ((0 ; Pre-condition (and (integerp x0) (equal (x s) x0) (equal (y s) y0))) (2 ; Loop Invariant (and (integerp x0) (integerp (x s)) (<= (x s) x0) (equal (y s) y0) (equal (a s) (* y0 (- x0 (x s)))))) (14 ; Post-condition (and (natp x0) (equal (top (rd :stack s)) (* x0 y0))))) t) M1 !>>(DEFPUN PI-INV (X0 Y0 A0 S) (IF (MEMBER (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (INTEGERP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (INTEGERP X0) (INTEGERP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (AND (NATP X0) (EQUAL (TOP (RD :STACK S)) (* X0 Y0)))))) (PI-INV X0 Y0 A0 (STEP S)))) To verify that the eight encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(SET-IGNORE-OK T) T M1 !>>(SET-IRRELEVANT-FORMALS-OK T) T M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-test| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (MEMBER (PC S) '(0 2 14))))) Since |PI-INV-arity-1-defpun-test| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-defpun-test| is described by the theorem (OR (CONSP (|PI-INV-arity-1-defpun-test| ACL2::X)) (EQUAL (|PI-INV-arity-1-defpun-test| ACL2::X) NIL)). We used the :type-prescription rule MEMBER-EQUAL. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-test| ...) Rules: ((:TYPE-PRESCRIPTION MEMBER-EQUAL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-test| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-base| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (INTEGERP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (INTEGERP X0) (INTEGERP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (AND (NATP X0) (EQUAL (TOP (RD :STACK S)) (* X0 Y0))))))))) Since |PI-INV-arity-1-defpun-base| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-defpun-base| is described by the theorem (OR (EQUAL (|PI-INV-arity-1-defpun-base| ACL2::X) T) (EQUAL (|PI-INV-arity-1-defpun-base| ACL2::X) NIL)). We used primitive type reasoning. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-base| ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-base| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-step| (ACL2::X) (LET ((X0 (CAR ACL2::X)) (Y0 (CAR (CDR ACL2::X))) (A0 (CAR (CDR (CDR ACL2::X)))) (S (CAR (CDR (CDR (CDR ACL2::X)))))) (LIST X0 Y0 A0 (STEP S))))) Since |PI-INV-arity-1-step| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1-step| is described by the theorem (AND (CONSP (|PI-INV-arity-1-step| ACL2::X)) (TRUE-LISTP (|PI-INV-arity-1-step| ACL2::X))). We used primitive type reasoning. Summary Form: ( DEFUN |PI-INV-arity-1-step| ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-step| M1 !>>(LOCAL (ENCAPSULATE ((|PI-INV-arity-1| (ACL2::X) T)) (LOCAL (IN-THEORY (DISABLE |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step|))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-stn| (ACL2::X ACL2::N) (IF (ZP ACL2::N) ACL2::X (|PI-INV-arity-1-defpun-stn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) (LOCAL (DEFCHOOSE |PI-INV-arity-1-fch| (ACL2::N) (ACL2::X) (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-fn| (ACL2::X ACL2::N) (DECLARE (XARGS :MEASURE (NFIX ACL2::N))) (IF (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X)) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1-defpun-fn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) (LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1| (ACL2::X) (IF (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X))) (|PI-INV-arity-1-defpun-fn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X)) NIL))) (LOCAL (IN-THEORY '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)))) (DEFTHM |PI-INV-arity-1-DEF| (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) :HINTS (("Goal" :USE (:FUNCTIONAL-INSTANCE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F (ACL2::DEFPUN-F |PI-INV-arity-1|) (ACL2::DEFPUN-TEST |PI-INV-arity-1-defpun-test|) (ACL2::DEFPUN-BASE |PI-INV-arity-1-defpun-base|) (ACL2::DEFPUN-ST |PI-INV-arity-1-step|) (ACL2::DEFPUN-STN |PI-INV-arity-1-defpun-stn|) (ACL2::FCH |PI-INV-arity-1-fch|) (ACL2::DEFPUN-FN |PI-INV-arity-1-defpun-fn|))) ("Subgoal 2" :USE |PI-INV-arity-1-fch|)) :RULE-CLASSES NIL))) To verify that the seven encapsulated events correctly extend the current theory we will evaluate them. The theory thus constructed is only ephemeral. Encapsulated Events: M1 !>>(LOCAL (IN-THEORY (DISABLE |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step|))) Summary Form: ( IN-THEORY (DISABLE ...)) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 4860) M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-stn| (ACL2::X ACL2::N) (IF (ZP ACL2::N) ACL2::X (|PI-INV-arity-1-defpun-stn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) The admission of |PI-INV-arity-1-defpun-stn| is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT ACL2::N). We observe that the type of |PI-INV-arity-1-defpun-stn| is described by the theorem (OR (AND (CONSP (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)) (TRUE-LISTP (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N))) (EQUAL (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N) ACL2::X)). We used the :type-prescription rule |PI-INV-arity-1-step|. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-stn| ...) Rules: ((:TYPE-PRESCRIPTION |PI-INV-arity-1-step|)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-defpun-stn| M1 !>>(LOCAL (DEFCHOOSE |PI-INV-arity-1-fch| (ACL2::N) (ACL2::X) (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X ACL2::N)))) Summary Form: ( DEFCHOOSE |PI-INV-arity-1-fch| ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1-fch| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1-defpun-fn| (ACL2::X ACL2::N) (DECLARE (XARGS :MEASURE (NFIX ACL2::N))) (IF (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X)) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1-defpun-fn| (|PI-INV-arity-1-step| ACL2::X) (1- ACL2::N))))) For the admission of |PI-INV-arity-1-defpun-fn| we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (NFIX ACL2::N). The non-trivial part of the measure conjecture is Goal (AND (O-P (NFIX ACL2::N)) (IMPLIES (NOT (OR (ZP ACL2::N) (|PI-INV-arity-1-defpun-test| ACL2::X))) (O< (NFIX (+ -1 ACL2::N)) (NFIX ACL2::N)))). Subgoal 2 Subgoal 1 Q.E.D. That completes the proof of the measure theorem for |PI-INV-arity-1-defpun-fn|. Thus, we admit this function under the principle of definition. We observe that the type of |PI-INV-arity-1-defpun-fn| is described by the theorem (OR (EQUAL (|PI-INV-arity-1-defpun-fn| ACL2::X ACL2::N) T) (EQUAL (|PI-INV-arity-1-defpun-fn| ACL2::X ACL2::N) NIL)). We used the :compound-recognizer rule ACL2::ZP-COMPOUND-RECOGNIZER and the :type-prescription rule |PI-INV-arity-1-defpun-base|. Summary Form: ( DEFUN |PI-INV-arity-1-defpun-fn| ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION NFIX) (:DEFINITION O-FINP) (:DEFINITION O-P) (:DEFINITION O<) (:DEFINITION SYNP) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART BINARY-+) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::SIMPLIFY-SUMS-<) (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-base|)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) Prover steps counted: 143 |PI-INV-arity-1-defpun-fn| M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC |PI-INV-arity-1| (ACL2::X) (IF (|PI-INV-arity-1-defpun-test| (|PI-INV-arity-1-defpun-stn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X))) (|PI-INV-arity-1-defpun-fn| ACL2::X (|PI-INV-arity-1-fch| ACL2::X)) NIL))) Since |PI-INV-arity-1| is non-recursive, its admission is trivial. We observe that the type of |PI-INV-arity-1| is described by the theorem (OR (EQUAL (|PI-INV-arity-1| ACL2::X) T) (EQUAL (|PI-INV-arity-1| ACL2::X) NIL)). We used the :type-prescription rule |PI-INV-arity-1-defpun-fn|. Summary Form: ( DEFUN |PI-INV-arity-1| ...) Rules: ((:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) |PI-INV-arity-1| M1 !>>(LOCAL (IN-THEORY '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)))) ACL2 Warning [Theory] in ( IN-THEORY (QUOTE ...)): Although the theory expression '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) disables the :DEFINITION rules for DOUBLE-REWRITE, MV-NTH, THE-CHECK, IFF, WORMHOLE-EVAL, MV-LIST, MINUSP, PLUSP, ZEROP, LISTP, SYNP, CASE-SPLIT, FORCE, /=, =, RETURN-LAST, NULL, ENDP, ATOM, EQL, NOT, IMPLIES or EQ, some expansions involving these functions may still occur. See :DOC theories-and-primitives. ACL2 Warning [Theory] in ( IN-THEORY (QUOTE ...)): Although the theory expression '(|PI-INV-arity-1| |PI-INV-arity-1-defpun-test| |PI-INV-arity-1-defpun-base| |PI-INV-arity-1-step| |PI-INV-arity-1-defpun-stn| |PI-INV-arity-1-defpun-fn| (:TYPE-PRESCRIPTION |PI-INV-arity-1-defpun-fn|)) disables the :EXECUTABLE-COUNTERPART rules for NOT, SYMBOLP, SYMBOL-PACKAGE-NAME, SYMBOL-NAME, STRINGP, REALPART, RATIONALP, PKG-WITNESS, PKG-IMPORTS, NUMERATOR, INTERN-IN-PACKAGE-OF-SYMBOL, INTEGERP, IMAGPART, IF, EQUAL, DENOMINATOR, CONSP, CONS, COERCE, COMPLEX-RATIONALP, COMPLEX, CODE-CHAR, CHARACTERP, CHAR-CODE, CDR, CAR, <, UNARY-/, UNARY--, BINARY-+, BINARY-* or ACL2-NUMBERP, some calls involving these functions may still be made. See :DOC theories-and-primitives. ACL2 Warning [Disable] in ( IN-THEORY (QUOTE ...)): Forcing has transitioned from enabled to disabled. See :DOC force. Summary Form: ( IN-THEORY (QUOTE ...)) Rules: NIL Warnings: Disable and Theory Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (:NUMBER-OF-ENABLED-RUNES 9) M1 !>>(DEFTHM |PI-INV-arity-1-DEF| (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) :HINTS (("Goal" :USE (:FUNCTIONAL-INSTANCE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F (ACL2::DEFPUN-F |PI-INV-arity-1|) (ACL2::DEFPUN-TEST |PI-INV-arity-1-defpun-test|) (ACL2::DEFPUN-BASE |PI-INV-arity-1-defpun-base|) (ACL2::DEFPUN-ST |PI-INV-arity-1-step|) (ACL2::DEFPUN-STN |PI-INV-arity-1-defpun-stn|) (ACL2::FCH |PI-INV-arity-1-fch|) (ACL2::DEFPUN-FN |PI-INV-arity-1-defpun-fn|))) ("Subgoal 2" :USE |PI-INV-arity-1-fch|)) :RULE-CLASSES NIL) Subgoal 4 Subgoal 3 Splitter note (see :DOC splitter) for Subgoal 3 (25 subgoals). if-intro: ((:DEFINITION |PI-INV-arity-1-defpun-base|)) Subgoal 3.25 Subgoal 3.24 Subgoal 3.23 Subgoal 3.22 Subgoal 3.21 Subgoal 3.20 Subgoal 3.19 Subgoal 3.18 Subgoal 3.17 Subgoal 3.16 Subgoal 3.15 Subgoal 3.14 Subgoal 3.13 Subgoal 3.12 Subgoal 3.11 Subgoal 3.10 Subgoal 3.9 Subgoal 3.8 Subgoal 3.7 Subgoal 3.6 Subgoal 3.5 Subgoal 3.4 Subgoal 3.3 Subgoal 3.2 Subgoal 3.1 Subgoal 2 Subgoal 2' Subgoal 2'' Subgoal 1 Subgoal 1.2 Subgoal 1.1 Q.E.D. Summary Form: ( DEFTHM |PI-INV-arity-1-DEF| ...) Rules: ((:DEFINITION |PI-INV-arity-1|) (:DEFINITION |PI-INV-arity-1-defpun-base|) (:DEFINITION |PI-INV-arity-1-defpun-fn|) (:DEFINITION |PI-INV-arity-1-defpun-stn|) (:DEFINITION |PI-INV-arity-1-defpun-test|) (:DEFINITION |PI-INV-arity-1-step|) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Hint-events: ((:USE ACL2::GENERIC-TAIL-RECURSIVE-DEFPUN-F) (:USE |PI-INV-arity-1-fch|)) Splitter rules (see :DOC splitter): if-intro: ((:DEFINITION |PI-INV-arity-1-defpun-base|)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 6098 |PI-INV-arity-1-DEF| End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with the function |PI-INV-arity-1|: (EQUAL (|PI-INV-arity-1| ACL2::X) (IF (|PI-INV-arity-1-defpun-test| ACL2::X) (|PI-INV-arity-1-defpun-base| ACL2::X) (|PI-INV-arity-1| (|PI-INV-arity-1-step| ACL2::X)))) Summary Form: ( ENCAPSULATE ((|PI-INV-arity-1| ...) ...) ...) Rules: NIL Warnings: Disable and Theory Time: 0.05 seconds (prove: 0.02, print: 0.01, other: 0.03) Prover steps counted: 6241 T M1 !>>(LOCAL (ACL2::DEFUN-NONEXEC PI-INV (X0 Y0 A0 S) (|PI-INV-arity-1| (LIST X0 Y0 A0 S)))) Since PI-INV is non-recursive, its admission is trivial. We could deduce no constraints on the type of PI-INV. Summary Form: ( DEFUN PI-INV ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) PI-INV M1 !>>(DEFTHM PI-INV-DEF (EQUAL (PI-INV X0 Y0 A0 S) (IF (MEMBER (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) *PI*) (CASE (PC S) (0 (AND (INTEGERP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (INTEGERP X0) (INTEGERP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (- X0 (X S)))))) (14 (AND (NATP X0) (EQUAL (TOP (RD :STACK S)) (* X0 Y0)))))) (PI-INV X0 Y0 A0 (STEP S)))) :HINTS (("Goal" :USE (:INSTANCE |PI-INV-arity-1-DEF| (ACL2::X (LIST X0 Y0 A0 S))))) :RULE-CLASSES :DEFINITION) ACL2 Warning [Non-rec] in ( DEFTHM PI-INV-DEF ...): A :DEFINITION rule generated from PI-INV-DEF will be triggered only by terms containing the non-recursive function symbol PI-INV. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Subsume] in ( DEFTHM PI-INV-DEF ...): A newly proposed :DEFINITION rule generated from PI-INV-DEF probably subsumes the previously added :REWRITE rule PI-INV, in the sense that the new rule will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM PI-INV-DEF ...): The previously added rule PI-INV subsumes a newly proposed :DEFINITION rule generated from PI-INV-DEF, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM PI-INV-DEF ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION A) (:DEFINITION EQL) (:DEFINITION LOI) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV) (:DEFINITION |PI-INV-arity-1-defpun-base|) (:DEFINITION |PI-INV-arity-1-defpun-test|) (:DEFINITION |PI-INV-arity-1-step|) (:DEFINITION PROGRAM) (:DEFINITION RETURN-LAST) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:EXECUTABLE-COUNTERPART NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Hint-events: ((:USE |PI-INV-arity-1-DEF|)) Warnings: Subsume and Non-rec Time: 0.03 seconds (prove: 0.03, print: 0.00, other: 0.00) Prover steps counted: 2593 PI-INV-DEF End of Encapsulated Events. Having verified that the encapsulated events validate the signatures of the ENCAPSULATE event, we discard the ephemeral theory and extend the original theory as directed by the signatures and the non-LOCAL events. The following constraint is associated with the function PI-INV: (EQUAL (PI-INV X0 Y0 A0 S) (IF (MEMBER-EQUAL (PC S) '(0 2 14)) (AND (EQUAL (PROGRAM S) '((ICONST 0) (ISTORE 2) (ILOAD 0) (IFEQ 10) (ILOAD 0) (ICONST 1) (ISUB) (ISTORE 0) (ILOAD 1) (ILOAD 2) (IADD) (ISTORE 2) (GOTO -10) (ILOAD 2) (HALT))) (LET ((ACL2::CASE-DO-NOT-USE-ELSEWHERE (PC S))) (CASE ACL2::CASE-DO-NOT-USE-ELSEWHERE (0 (AND (INTEGERP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (2 (AND (INTEGERP X0) (INTEGERP (X S)) (<= (X S) X0) (EQUAL (Y S) Y0) (EQUAL (A S) (* Y0 (+ X0 (- (X S))))))) (14 (AND (NATP X0) (EQUAL (TOP (RD :STACK S)) (* X0 Y0)))) (OTHERWISE NIL)))) (PI-INV X0 Y0 A0 (STEP S)))) Summary Form: ( ENCAPSULATE ((PI-INV ...) ...) ...) Rules: NIL Warnings: Subsume, Non-rec, Disable and Theory Time: 0.11 seconds (prove: 0.05, print: 0.01, other: 0.06) Prover steps counted: 8834 T M1 !>>(DEFTHM PI-INV-OPENER (IMPLIES (AND (EQUAL PC (PC S)) (SYNTAXP (QUOTEP PC)) (NOT (MEMBER PC '(0 2 14)))) (EQUAL (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S))))) Goal' Q.E.D. Summary Form: ( DEFTHM PI-INV-OPENER ...) Rules: ((:DEFINITION MEMBER-EQUAL) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION RETURN-LAST) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART SYNP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.02 seconds (prove: 0.02, print: 0.00, other: 0.00) Prover steps counted: 1793 PI-INV-OPENER M1 !>>(DEFTHM PI-INV-STEP (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (STEP S)))) Splitter note (see :DOC splitter) for Goal (5 subgoals). case-split: ((:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<)) if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION PI-INV-DEF) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Subgoal 5 Splitter note (see :DOC splitter) for Subgoal 5 (4 subgoals). if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION MEMBER-EQUAL) (:DEFINITION PI-INV-DEF) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-1)) Subgoal 5.4 Subgoal 5.3 Subgoal 5.2 Subgoal 5.1 Subgoal 4 Subgoal 3 Subgoal 3' Subgoal 2 Subgoal 1 Subgoal 1' Q.E.D. Summary Form: ( DEFTHM PI-INV-STEP ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION !LOI) (:DEFINITION !PC) (:DEFINITION !STACK) (:DEFINITION A) (:DEFINITION DO-INST) (:DEFINITION EXECUTE-GOTO) (:DEFINITION EXECUTE-IADD) (:DEFINITION EXECUTE-ICONST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION EXECUTE-ILOAD) (:DEFINITION EXECUTE-ISTORE) (:DEFINITION EXECUTE-ISUB) (:DEFINITION LOI) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION PROGRAM) (:DEFINITION STACK) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-NUMBERP) (:EXECUTABLE-COUNTERPART ARG1) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART KEYP) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:EXECUTABLE-COUNTERPART NATP) (:EXECUTABLE-COUNTERPART NFIX) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART OP-CODE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART UNARY-/) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (+ x y))|) (:REWRITE ACL2::|(/ (/ x))|) (:REWRITE ACL2::|(< (if a b c) x)|) (:REWRITE ACL2::|(< x (if a b c))|) (:REWRITE ACL2::|(equal (/ x) c)|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-1) (:REWRITE ACL2::DEFAULT-PLUS-1) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE NTH-UPDATE-NTH) (:REWRITE PI-INV-OPENER) (:REWRITE POP-PUSH) (:REWRITE RD-WR) (:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<) (:REWRITE STEP-OPENER) (:REWRITE TOP-PUSH) (:REWRITE UPDATE-NTH-UPDATE-NTH-DIFF) (:REWRITE WR-WR-DIFF) (:REWRITE WR-WR-SAME)) Splitter rules (see :DOC splitter): case-split: ((:REWRITE ACL2::SIMPLIFY-PRODUCTS-GATHER-EXPONENTS-<)) if-intro: ((:DEFINITION DO-INST) (:DEFINITION EXECUTE-IFEQ) (:DEFINITION MEMBER-EQUAL) (:DEFINITION NATP) (:DEFINITION PI-INV-DEF) (:REWRITE ACL2::|(* a (/ a))|) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-1) (:REWRITE ACL2::DEFAULT-TIMES-2)) Time: 0.12 seconds (prove: 0.12, print: 0.00, other: 0.00) Prover steps counted: 24529 PI-INV-STEP M1 !>>(DEFTHM PI-INV-RUN (IMPLIES (PI-INV X0 Y0 A0 S) (PI-INV X0 Y0 A0 (M1 S CLK))) :RULE-CLASSES NIL :HINTS (("Goal" :IN-THEORY (E/D (M1) (PI-INV-DEF))))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (M1 S CLK). This suggestion was produced using the :induction rule M1. If we let (:P A0 CLK S X0 Y0) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP CLK)) (:P A0 (+ -1 CLK) (STEP S) X0 Y0)) (:P A0 CLK S X0 Y0)) (IMPLIES (ZP CLK) (:P A0 CLK S X0 Y0))). This induction is justified by the same argument used to admit M1. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces three nontautological subgoals. Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM PI-INV-RUN ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:DEFINITION M1) (:INDUCTION M1) (:REWRITE PI-INV-STEP)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) Prover steps counted: 340 PI-INV-RUN M1 !>>(DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI (LET* ((SK (M1 S0 CLK))) (IMPLIES (AND (LET ((S S0)) (AND (INTEGERP X0) (EQUAL (X S) X0) (EQUAL (Y S) Y0))) (EQUAL (PC S0) 0) (EQUAL (PROGRAM S0) *PI*) (EQUAL (PC SK) 14)) (LET ((S SK)) (AND (NATP X0) (EQUAL (TOP (RD :STACK S)) (* X0 Y0)))))) :HINTS (("Goal" :USE (:INSTANCE PI-INV-RUN (X0 X0) (Y0 Y0) (A0 A0) (S S0) (CLK CLK)))) :RULE-CLASSES NIL) Goal' Goal'' Q.E.D. Summary Form: ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PI-INV-DEF) (:DEFINITION PROGRAM) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART MEMBER-EQUAL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE PROGRAM-NEVER-CHANGES)) Hint-events: ((:USE PI-INV-RUN)) Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) Prover steps counted: 708 PARTIAL-CORRECTNESS-OF-PROGRAM-PI M1 !>>(DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED (IMPLIES (AND (AND (INTEGERP X0) (EQUAL (X S0) X0) (EQUAL (Y S0) Y0)) (EQUAL (RD :PC S0) 0) (EQUAL (RD :PROGRAM S0) *PI*) (EQUAL SK (M1 S0 CLK)) (HALTEDP SK)) (AND (NATP X0) (EQUAL (TOP (RD :STACK SK)) (* X0 Y0)))) :HINTS (("Goal" :USE ((:INSTANCE PARTIAL-CORRECTNESS-OF-PROGRAM-PI) (:INSTANCE HALTING-PC (PROGRAM *PI*) (I (RD :PC (M1 S0 CLK)))))))) ACL2 Warning [Non-rec] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): A :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED will be triggered only by terms containing the non-recursive function symbol NATP. Unless this function is disabled, this rule is unlikely ever to be used. ACL2 Warning [Free] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): A :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED contains the free variables S0, Y0, CLK and SK. These variables will be chosen by searching for instances of (EQUAL (X S0) X0), (EQUAL (Y S0) Y0) and (EQUAL SK (M1 S0 CLK)) in the context of the term being rewritten. This is generally a severe restriction on the applicability of a :REWRITE rule. See :DOC free- variables. ACL2 Warning [Non-rec] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): As noted, we will instantiate the free variables, S0, Y0, CLK and SK, of a :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED, by searching for the set of hypotheses shown above. However, these hypotheses mention the function symbols X and Y, which are defun'd non-recursively. Unless disabled, these function symbols are unlikely to occur in the conjecture being proved and hence the search for the required hypotheses will likely fail. ACL2 Warning [Free] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): A :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED contains the free variables X0, S0, Y0 and CLK. These variables will be chosen by searching for instances of (INTEGERP X0), (EQUAL (X S0) X0), (EQUAL (Y S0) Y0) and (EQUAL SK (M1 S0 CLK)) in the context of the term being rewritten. This is generally a severe restriction on the applicability of a :REWRITE rule. See :DOC free-variables. ACL2 Warning [Non-rec] in ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...): As noted, we will instantiate the free variables, X0, S0, Y0 and CLK, of a :REWRITE rule generated from PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED, by searching for the set of hypotheses shown above. However, these hypotheses mention the function symbols X and Y, which are defun'd non-recursively. Unless disabled, these function symbols are unlikely to occur in the conjecture being proved and hence the search for the required hypotheses will likely fail. Goal' Goal'' Q.E.D. The storage of PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED depends upon the :compound-recognizer rule ACL2::NATP-COMPOUND-RECOGNIZER and the :type-prescription rule NATP. Summary Form: ( DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED ...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:DEFINITION HALTEDP) (:DEFINITION LOI) (:DEFINITION NATP) (:DEFINITION NEXT-INST) (:DEFINITION NFIX) (:DEFINITION NOT) (:DEFINITION PC) (:DEFINITION PROGRAM) (:DEFINITION SYNP) (:DEFINITION X) (:DEFINITION Y) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART FIND-PC) (:EXECUTABLE-COUNTERPART HOW-MANY) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE ACL2::|(equal (if a b c) x)|) (:REWRITE ACL2::DEFAULT-TIMES-2) (:REWRITE PROGRAM-NEVER-CHANGES) (:TYPE-PRESCRIPTION NATP)) Hint-events: ((:USE HALTING-PC) (:USE PARTIAL-CORRECTNESS-OF-PROGRAM-PI)) Warnings: Free and Non-rec Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.01) Prover steps counted: 832 PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED Summary Form: ( PROGN (DEFPUN PI-INV ...) ...) Rules: NIL Warnings: Free, Subsume, Non-rec, Disable and Theory Time: 0.30 seconds (prove: 0.20, print: 0.01, other: 0.08) Prover steps counted: 37036 PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED M1 !>(pe 'PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED) 8:x(DEFSPEC PI *PI* ...) \ > (DEFTHM PARTIAL-CORRECTNESS-OF-PROGRAM-PI-RESTATED (IMPLIES (AND (AND (INTEGERP X0) (EQUAL (X S0) X0) (EQUAL (Y S0) Y0)) (EQUAL (RD :PC S0) 0) (EQUAL (RD :PROGRAM S0) *PI*) (EQUAL SK (M1 S0 CLK)) (HALTEDP SK)) (AND (NATP X0) (EQUAL (TOP (RD :STACK SK)) (* X0 Y0)))) :HINTS (("Goal" :USE ((:INSTANCE PARTIAL-CORRECTNESS-OF-PROGRAM-PI) (:INSTANCE HALTING-PC (PROGRAM *PI*) (I (RD :PC (M1 S0 CLK)))))))) M1 !>(quote (the end)) (THE END) M1 !>Bye.