ACL2 !>(defun g (x y a)
(if (zp x)
a
(g (- x 1) y (+ y a))))
The admission of G is trivial, using the relation O< (which is known
to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT X). We observe that the type of G is described by the
theorem (OR (ACL2-NUMBERP (G X Y A)) (EQUAL (G X Y A) A)). We used
primitive type reasoning.
Summary
Form: ( DEFUN G ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
G
ACL2 !>(defthm generalized-g-lemma
(implies (and (natp x)
(natp y)
(natp a))
(equal (g x y a)
(+ a (* x y)))))
By the simple :definition NATP we reduce the conjecture to
Goal'
(IMPLIES (AND (INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
Name the formula above *1.
Perhaps we can prove *1 by induction. One induction scheme is suggested
by this conjecture.
We will induct according to a scheme suggested by (G X Y A). This
suggestion was produced using the :induction rule G. If we let (:P A X Y)
denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ZP X))
(:P (+ Y A) (+ -1 X) Y))
(:P A X Y))
(IMPLIES (ZP X) (:P A X Y))).
This induction is justified by the same argument used to admit G.
Note, however, that the unmeasured variable A is being instantiated.
When applied to the goal at hand the above induction scheme produces
six nontautological subgoals.
Subgoal *1/6
(IMPLIES (AND (NOT (ZP X))
(EQUAL (G (+ -1 X) Y (+ Y A))
(+ (+ Y A) (* (+ -1 X) Y)))
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
By the simple :rewrite rule ASSOCIATIVITY-OF-+ we reduce the conjecture
to
Subgoal *1/6'
(IMPLIES (AND (NOT (ZP X))
(EQUAL (G (+ -1 X) Y (+ Y A))
(+ Y A (* (+ -1 X) Y)))
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER,
the :definition G and the :rewrite rules COMMUTATIVITY-OF-* and
DISTRIBUTIVITY, to
Subgoal *1/6''
(IMPLIES (AND (NOT (ZP X))
(EQUAL (G (+ -1 X) Y (+ Y A))
(+ Y A (* -1 Y) (* X Y)))
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G (+ -1 X) Y (+ Y A))
(+ A (* X Y)))).
But simplification reduces this to T, using the :compound-recognizer
rule ZP-COMPOUND-RECOGNIZER, linear arithmetic, primitive type reasoning
and the :type-prescription rule G.
Subgoal *1/5
(IMPLIES (AND (NOT (ZP X))
(< (+ Y A) 0)
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
But we reduce the conjecture to T, by primitive type reasoning.
Subgoal *1/4
(IMPLIES (AND (NOT (ZP X))
(NOT (INTEGERP (+ Y A)))
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
But we reduce the conjecture to T, by primitive type reasoning.
Subgoal *1/3
(IMPLIES (AND (NOT (ZP X))
(< (+ -1 X) 0)
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
But we reduce the conjecture to T, by the :compound-recognizer rule
ZP-COMPOUND-RECOGNIZER and primitive type reasoning.
Subgoal *1/2
(IMPLIES (AND (NOT (ZP X))
(NOT (INTEGERP (+ -1 X)))
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
But we reduce the conjecture to T, by the :compound-recognizer rule
ZP-COMPOUND-RECOGNIZER and primitive type reasoning.
Subgoal *1/1
(IMPLIES (AND (ZP X)
(INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G X Y A) (+ A (* X Y)))).
This simplifies, using the :compound-recognizer rule ZP-COMPOUND-RECOGNIZER,
the :executable-counterparts of <, INTEGERP, NOT and ZP and linear
arithmetic, to
Subgoal *1/1'
(IMPLIES (AND (INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL (G 0 Y A) (+ A (* 0 Y)))).
This simplifies, using the :definition G and the :executable-counterpart
of ZP, to
Subgoal *1/1''
(IMPLIES (AND (INTEGERP Y)
(<= 0 Y)
(INTEGERP A)
(<= 0 A))
(EQUAL A (+ A (* 0 Y)))).
But simplification reduces this to T, using linear arithmetic and primitive
type reasoning.
That completes the proof of *1.
Q.E.D.
Summary
Form: ( DEFTHM GENERALIZED-G-LEMMA ...)
Rules: ((:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER)
(:DEFINITION G)
(:DEFINITION NATP)
(:DEFINITION NOT)
(:EXECUTABLE-COUNTERPART <)
(:EXECUTABLE-COUNTERPART INTEGERP)
(:EXECUTABLE-COUNTERPART NOT)
(:EXECUTABLE-COUNTERPART ZP)
(:FAKE-RUNE-FOR-LINEAR NIL)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION G)
(:REWRITE ASSOCIATIVITY-OF-+)
(:REWRITE COMMUTATIVITY-OF-*)
(:REWRITE DISTRIBUTIVITY)
(:TYPE-PRESCRIPTION G))
Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00)
Prover steps counted: 735
GENERALIZED-G-LEMMA
ACL2 !>(defthm g-theorem
(implies (and (natp x)
(natp y))
(equal (g x y 0)
(* x y))))
By the simple :definition NATP we reduce the conjecture to
Goal'
(IMPLIES (AND (INTEGERP X)
(<= 0 X)
(INTEGERP Y)
(<= 0 Y))
(EQUAL (G X Y 0) (* X Y))).
But simplification reduces this to T, using the :compound-recognizer
rule NATP-COMPOUND-RECOGNIZER, the :definition FIX, primitive type
reasoning and the :rewrite rules GENERALIZED-G-LEMMA and UNICITY-OF-0.
Q.E.D.
Summary
Form: ( DEFTHM G-THEOREM ...)
Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER)
(:DEFINITION FIX)
(:DEFINITION NATP)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:REWRITE GENERALIZED-G-LEMMA)
(:REWRITE UNICITY-OF-0))
Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted: 106
G-THEOREM
ACL2 !>