ACL2 !>(certify-book "rotate-proof")

Note: Writing .port file, /v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-
intro-2015-04/demos/rotate-proof.port.

CERTIFICATION ATTEMPT FOR 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"

ACL2 Version 7.0

* Step 1:  Read 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"
and compute its check sum.

* Step 2:  There were six forms in the file.  We now attempt to establish
that each form, whether local or non-local, is indeed an admissible
embedded event form in the context of the previously admitted ones.


ACL2 >>(DEFUN ROTATE (N X)
              (IF (ZP N)
                  X
                  (ROTATE (1- N)
                          (APPEND (CDR X) (LIST (CAR X))))))

The admission of ROTATE is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT N).  We observe that the type of ROTATE is described by
the theorem 
(OR (AND (CONSP (ROTATE N X))
         (TRUE-LISTP (ROTATE N X)))
    (EQUAL (ROTATE N X) X)).
We used primitive type reasoning and the :type-prescription rules 
BINARY-APPEND and TRUE-LISTP-APPEND.

Summary
Form:  ( DEFUN ROTATE ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:TYPE-PRESCRIPTION BINARY-APPEND)
        (:TYPE-PRESCRIPTION TRUE-LISTP-APPEND))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
ROTATE


ACL2 >>(DEFUN ROTATE-APPEND-INDUCTION (X Y)
              (IF (ATOM X)
                  Y
                  (ROTATE-APPEND-INDUCTION (CDR X)
                                           (APPEND Y (LIST (CAR X))))))

The admission of ROTATE-APPEND-INDUCTION is trivial, using the relation
O< (which is known to be well-founded on the domain recognized by O-P)
and the measure (ACL2-COUNT X).  We observe that the type of 
ROTATE-APPEND-INDUCTION is described by the theorem 
(OR (AND (CONSP (ROTATE-APPEND-INDUCTION X Y))
         (TRUE-LISTP (ROTATE-APPEND-INDUCTION X Y)))
    (EQUAL (ROTATE-APPEND-INDUCTION X Y)
           Y)).
We used primitive type reasoning and the :type-prescription rules 
BINARY-APPEND and TRUE-LISTP-APPEND.

Summary
Form:  ( DEFUN ROTATE-APPEND-INDUCTION ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:TYPE-PRESCRIPTION BINARY-APPEND)
        (:TYPE-PRESCRIPTION TRUE-LISTP-APPEND))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
ROTATE-APPEND-INDUCTION


ACL2 >>(DEFTHM APPEND-ASSOC
               (EQUAL (APPEND (APPEND X Y) Z)
                      (APPEND X Y Z)))

*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (BINARY-APPEND X Y).
This suggestion was produced using the :induction rule BINARY-APPEND.
If we let (:P X Y Z) denote *1 above then the induction scheme we'll
use is
(AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y Z))
              (:P X Y Z))
     (IMPLIES (ENDP X) (:P X Y Z))).
This induction is justified by the same argument used to admit BINARY-APPEND.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM APPEND-ASSOC ...)
Rules: ((:DEFINITION BINARY-APPEND)
        (:DEFINITION ENDP)
        (:DEFINITION NOT)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION BINARY-APPEND)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS))
Time:  0.01 seconds (prove: 0.01, print: 0.00, other: 0.00)
Prover steps counted:  435
APPEND-ASSOC


ACL2 >>(DEFTHM ROTATE-APPEND
               (IMPLIES (AND (TRUE-LISTP X) (TRUE-LISTP Y))
                        (EQUAL (ROTATE (LEN X) (APPEND X Y))
                               (APPEND Y X)))
               :HINTS (("Goal" :INDUCT (ROTATE-APPEND-INDUCTION X Y)))
               :RULE-CLASSES NIL)

*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

We have been told to use induction.  One induction scheme is suggested
by the induction hint.  

We will induct according to a scheme suggested by 
(ROTATE-APPEND-INDUCTION X Y).  This suggestion was produced using
the :induction rule ROTATE-APPEND-INDUCTION.  If we let (:P X Y) denote
*1 above then the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ATOM X))
                   (:P (CDR X) (APPEND Y (LIST (CAR X)))))
              (:P X Y))
     (IMPLIES (ATOM X) (:P X Y))).
This induction is justified by the same argument used to admit 
ROTATE-APPEND-INDUCTION.  Note, however, that the unmeasured variable
Y is being instantiated.  When applied to the goal at hand the above
induction scheme produces two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM ROTATE-APPEND ...)
Rules: ((:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER)
        (:DEFINITION ATOM)
        (:DEFINITION BINARY-APPEND)
        (:DEFINITION FIX)
        (:DEFINITION LEN)
        (:DEFINITION NOT)
        (:DEFINITION ROTATE)
        (:DEFINITION SYNP)
        (:DEFINITION TRUE-LISTP)
        (:EXECUTABLE-COUNTERPART BINARY-+)
        (:EXECUTABLE-COUNTERPART CONSP)
        (:EXECUTABLE-COUNTERPART LEN)
        (:EXECUTABLE-COUNTERPART ZP)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION ROTATE-APPEND-INDUCTION)
        (:REWRITE APPEND-ASSOC)
        (:REWRITE APPEND-TO-NIL)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE CONS-CAR-CDR)
        (:REWRITE FOLD-CONSTS-IN-+)
        (:REWRITE UNICITY-OF-0)
        (:TYPE-PRESCRIPTION BINARY-APPEND)
        (:TYPE-PRESCRIPTION LEN)
        (:TYPE-PRESCRIPTION TRUE-LISTP-APPEND))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  658
ROTATE-APPEND


ACL2 >>(DEFTHM ROTATE-LEN
               (IMPLIES (TRUE-LISTP X)
                        (EQUAL (ROTATE (LEN X) X) X))
               :HINTS (("Goal" :USE ((:INSTANCE ROTATE-APPEND (Y NIL))))))
Goal'
Goal''

Q.E.D.

Summary
Form:  ( DEFTHM ROTATE-LEN ...)
Rules: ((:DEFINITION BINARY-APPEND)
        (:DEFINITION NOT)
        (:EXECUTABLE-COUNTERPART CONSP)
        (:EXECUTABLE-COUNTERPART TRUE-LISTP)
        (:REWRITE APPEND-TO-NIL))
Hint-events: ((:USE ROTATE-APPEND))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  176
ROTATE-LEN

* Step 3:  That completes the admissibility check.  Each form read
was an embedded event form and was admissible.  No LOCAL forms make
it necessary to check for local incompatibilities, so we skip that
check.

ACL2 Warning [Guards] in (CERTIFY-BOOK "rotate-proof" ...):  The book
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"
defines the functions ROTATE and ROTATE-APPEND-INDUCTION, which have
not had their guards verified.  See :DOC guards.


* Step 4:  Write the certificate for 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"
in 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.cert"
, and compile the expansion file, /v/filer4b/v41q001/kaufmann/talks/acl2-
intro/acl2-intro-2015-04/demos/rotate-proof@expansion.lsp.

* Step 5:  Compile the functions defined in 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp".


Writing book expansion file, /v/filer4b/v41q001/kaufmann/talks/acl2-
intro/acl2-intro-2015-04/demos/rotate-proof@expansion.lsp.


Note: Deleting book expansion file,
/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-
proof@expansion.lsp.

Summary
Form:  (CERTIFY-BOOK "rotate-proof" ...)
Rules: NIL
Warnings:  Guards
Time:  0.04 seconds (prove: 0.01, print: 0.00, other: 0.03)
Prover steps counted:  1269
 "/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"
ACL2 !>:pbt 0
           0  (EXIT-BOOT-STRAP-MODE)
           1:x(CERTIFY-BOOK "rotate-proof")
ACL2 !>:u
           0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>(certify-book "rotate")

Note: Writing .port file, /v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-
intro-2015-04/demos/rotate.port.

CERTIFICATION ATTEMPT FOR 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"

ACL2 Version 7.0

* Step 1:  Read 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"
and compute its check sum.

* Step 2:  There were four forms in the file.  We now attempt to establish
that each form, whether local or non-local, is indeed an admissible
embedded event form in the context of the previously admitted ones.


ACL2 >>(DEFUN ROTATE (N X)
              (IF (ZP N)
                  X
                  (ROTATE (1- N)
                          (APPEND (CDR X) (LIST (CAR X))))))

The admission of ROTATE is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT N).  We observe that the type of ROTATE is described by
the theorem 
(OR (AND (CONSP (ROTATE N X))
         (TRUE-LISTP (ROTATE N X)))
    (EQUAL (ROTATE N X) X)).
We used primitive type reasoning and the :type-prescription rules 
BINARY-APPEND and TRUE-LISTP-APPEND.

Summary
Form:  ( DEFUN ROTATE ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:TYPE-PRESCRIPTION BINARY-APPEND)
        (:TYPE-PRESCRIPTION TRUE-LISTP-APPEND))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
ROTATE


ACL2 >>(LOCAL (INCLUDE-BOOK "rotate-proof"))

Summary
Form:  ( INCLUDE-BOOK "rotate-proof" ...)
Rules: NIL
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate-proof.lisp"


ACL2 >>(DEFTHM ROTATE-LEN
               (IMPLIES (TRUE-LISTP X)
                        (EQUAL (ROTATE (LEN X) X) X)))

The event ( DEFTHM ROTATE-LEN ...) is redundant.  See :DOC redundant-
events.

Summary
Form:  ( DEFTHM ROTATE-LEN ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
:REDUNDANT

* Step 3:  That completes the admissibility check.  Each form read
was an embedded event form and was admissible.  We now retract back
to the world created by admitting the first event after the initial
IN-PACKAGE form and try to include the remainder of the book.  This
may expose local incompatibilities.

Summary
Form:  ( INCLUDE-BOOK "rotate" ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)

ACL2 Warning [Guards] in (CERTIFY-BOOK "rotate" ...):  The book 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"
defines the function ROTATE, which has not had its guards verified.
See :DOC guards.


* Step 4:  Write the certificate for 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"
in 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.cert"
, and compile the expansion file, /v/filer4b/v41q001/kaufmann/talks/acl2-
intro/acl2-intro-2015-04/demos/rotate@expansion.lsp.

* Step 5:  Compile the functions defined in 
"/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp".


Writing book expansion file, /v/filer4b/v41q001/kaufmann/talks/acl2-
intro/acl2-intro-2015-04/demos/rotate@expansion.lsp.


Note: Deleting book expansion file,
/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate@e\
xpansion.lsp.

Summary
Form:  (CERTIFY-BOOK "rotate" ...)
Rules: NIL
Warnings:  Guards
Time:  0.04 seconds (prove: 0.00, print: 0.00, other: 0.04)
 "/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"
ACL2 !>:u
           0:x(EXIT-BOOT-STRAP-MODE)
ACL2 !>(include-book "rotate")

Summary
Form:  ( INCLUDE-BOOK "rotate" ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 "/v/filer4b/v41q001/kaufmann/talks/acl2-intro/acl2-intro-2015-04/demos/rotate.lisp"
ACL2 !>
