		Search-engine friendly clone of the ACL2 documentation.

Events

Defattach

Execute constrained functions using corresponding attached functions

General Forms:
(defattach f g)   ; single attach or, if g is nil, unattach
(defattach (f1 g1 :kwd val ...)
           ...
           (fk gk :kwd' val' ...)
           :kwd'' val'' ...)

where each indicated keyword-value pair is optional and each keyword is in the list (:hints :instructions :otf-flg :attach :skip-checks :system-ok). More details are in the ``Syntax and Semantics'' section below.

A related utility can cause a function call to be evaluated using an alternate, provably equal function. See memoize, option :INVOKE.

This documentation topic is organized into the following sections:

Introductory Example.
Syntax and Semantics of Defattach.
Three Primary Uses of Defattach.
Miscellaneous Remarks, with discussion of possible user errors.

Please see encapsulate if you intend to use defattach but are not already familiar with the use of encapsulate to introduce constrained functions. It may also be helpful to see evaluation.

See community book books/misc/defattach-example.lisp for a small example. it illustrates how defattach may be used to build something like ``higher-order'' programs, in which constrained functions may be refined to different executable functions. More uses of defattach may be found in the ACL2 source code, specifically, file boot-strap-pass-2-a.lisp.

Introductory Example.

We begin with a short log illustrating the use of defattach. Notice that after evaluating the event (defattach f g), a call of the constrained function f is evaluated by instead calling g on the arguments.

ACL2 !>(encapsulate
        ((f (x) t :guard (true-listp x)))
        (local (defun f (x) x))
        (defthm f-property
          (implies (consp x) (consp (f x)))))
[... output omitted ...]
 T
ACL2 !>(defun g (x)
         (declare (xargs :guard (or (consp x) (null x))))
         (cons 17 (car x)))
[... output omitted ...]
 G
ACL2 !>(f '(3 4)) ; undefined function error

ACL2 Error in TOP-LEVEL:  ACL2 cannot ev the call of undefined function
F on argument list:

((3 4))

To debug see :DOC print-gv, see :DOC trace, and see :DOC wet.

ACL2 !>(defattach f g)
[... output omitted ...]
 :ATTACHMENTS-RECORDED
ACL2 !>(f '(3 4)) ; f is evaluated using g
(17 . 3)
ACL2 !>(trace$ f g)
 ((F) (G))
ACL2 !>(f '(3 4)) ; f is evaluated using g
1> (ACL2_*1*_ACL2::F (3 4))
  2> (ACL2_*1*_ACL2::G (3 4))
    3> (G (3 4))
    <3 (G (17 . 3))
  <2 (ACL2_*1*_ACL2::G (17 . 3))
<1 (ACL2_*1*_ACL2::F (17 . 3))
(17 . 3)
ACL2 !>(defattach f nil) ; unattach f (remove its attachment)
[... output omitted ...]
 :ATTACHMENTS-RECORDED
ACL2 !>(f '(3 4)) ; undefined function error once again
1> (ACL2_*1*_ACL2::F (3 4))

ACL2 Error in TOP-LEVEL:  ACL2 cannot ev the call of undefined function
F on argument list:

((3 4))

To debug see :DOC print-gv, see :DOC trace, and see :DOC wet.

ACL2 !>

Syntax and Semantics of Defattach.

The log above shows that the event (defattach f g) allows g to be used for evaluating calls of f. From a logical perspective, the evaluation takes place in the addition to the current session of an ``attachment equation'' axiom (universally quantified over all x) for each defattach event:

(equal (f x) (g x)) ;;; attachment equation axiom for (defattach f g)

Below we explain defattach in some detail. But it is important to keep in mind that evaluation with the attachment equations takes place in an extension of the logical theory of the session. ACL2 guarantees that this so-called ``evaluation theory'' remains consistent, assuming the absence of defaxiom events from the user. This guarantee is a consequence of a more general guarantee: an ACL2 logical world exists in which (loosely speaking) the attachment equation for (defattach f g), as (defun f (...) (g ...)), takes the place of the original defining event for f, for each defattach event. This more general guarantee holds even if there are defaxiom events, though as explained below, no function symbol that syntactically supports a defaxiom formula is allowed to get an attachment. A deeper discussion of the logical issues is available (but not intended to be read by most users) in a long comment in the ACL2 source code labeled ``Essay on Defattach.''

Example Forms:
(defattach f g)   ; call g in place of calling constrained function f
(defattach (f g)) ; same as just above
(defattach (f g :hints (("Goal" :in-theory (enable foo)))))
                  ; equivalent to first form above, except with hints for the
                  ; proof that the guard of f implies the guard of g
(defattach (f g :hints (("Goal" :in-theory (enable foo)))
                :otf-flg t))
                  ; as above, except with an :otf-flg of t for the proof that
                  ; the guard of f implies the guard of g
(defattach (f g)
           :hints (("Goal" :use my-thm)))
                  ; equivalent to first form above, except with hints for the
                  ; proof that the constraints on f hold for g
(defattach (f g)
           :hints (("Goal" :use my-thm))
           :otf-flg t)
                  ; as above, except with an :otf-flg of t for the proof that
                  ; the constraints on f hold for g
(defattach (f g)
           (h j)) ; Attach g to f and attach j to h
(defattach (f g :attach nil)
           (h j)) ; Same as just above, including the same proof obligations,
                  ; except for one difference: because of :attach nil, calls
                  ; of f will not be evaluated, i.e., there will be no
                  ; executable attachment of g to f
(defattach (f nil)
           (h j)) ; Attach j to h and unattach f
(defattach (f g :hints (("Goal" :in-theory (enable foo))))
           (h j :hints (("Goal" :in-theory (enable bar))))
           :hints (("Goal" :use my-thm)))
                  ; Attach g to f and attach j to h, with hints:
                  ; - For proving that the guard of f implies the guard of g,
                  ;   enable foo;
                  ; - For proving that the guard of h implies the guard of j,
                  ;   enable bar; and
                  ; - For proving that the constraints on f and h hold for
                  ;   g and j (respectively), use theorem my-thm.

(defattach f nil)   ; remove the attachment of f, if any (e.g., g above)
(defattach (f nil)) ; same as just above

General Forms:
(defattach f g)   ; single attach or, if g is nil, unattach
(defattach (f1 g1 :kwd11 val11 ...)
           ...
           (fk gk :kwdk1 valk1 ...)
           :kwd1 val1 ...)

where each indicated keyword-value pair is optional and each keyword is in the list (:hints :instructions :otf-flg :attach :skip-checks :system-ok). We distinguish between keywords within the (fi gi :kwdi1 vali1 ...), which we call guard keywords, and keywords at the top level, shown above as :kwd1 val1 ..., which we call top-level keywords.

The guard keywords are in the list (:hints :instructions :otf-flg :attach). The :hints, :instructions, and :otf-flg keywords in (fi gi ...) are used in the proofs of the guard proof obligation for the attachment of gi to fi. They have their usual values and meanings, as when used (for example) in defthm events. The value of each :attach keyword is either t or nil. We discuss the :attach keyword later in this documentation topic.
The top-level keywords :hints, :instructions, and :otf-flg are used in the constraint proof obligations just as described above for the guard proof obligations. When :attach is used as a top-level keyword, its value serves as a default for entries (fi gi ...) that do not specify :attach. :Skip-checks and :system-ok are described below.

No keyword may occur twice in the same context: that is, neither twice as a guard keyword in the same (fi gi ...) entry, nor twice as a top-level keyword. Moreover, :instructions may not occur in the same context with :hints or :otf-flg.

The argument :skip-checks t enables easy experimentation with defattach, by permitting use of :program mode functions and the skipping of semantic checks. Also permitted is :skip-checks nil (the default) and :skip-checks :cycles, which turns off only the update of the extended ancestor relation (defined below) and hence the check for cycles in this relation (which is discussed below). We do not make any logical claims when the value of :skip-checks is non-nil; indeed, a trust tag is then required (see defttag). Note that the interaction of memoization and attachments is not tracked for attachments introduced with a non-nil value of :skip-checks. For more discussion of :skip-checks t, see defproxy; we do not discuss :skip-checks further, here.

The argument :system-ok t allows attachment to system functions. Without this argument, the defattach event will fail if any fi is a built-in ACL2 function. Rather than supplying this argument directly, it is recommended to use defattach-system, which has the same syntax as defattach with two exceptions: it adds :system-ok t automatically, that is, :system-ok is implicit; and it expands to a local call of defattach. The latter is important so that the attachment does not affect system behavior outside a book containing the defattach event. Of course, if it is truly intended to affect such behavior, the argument :system-ok t may be given directly to defattach, without a surrounding use of local.

The first General Form above is simply an abbreviation for the form (defattach (f g)), which is an instance of the second General Form above. For the second General Form we say that gi is ``attached to'' fi (by the defattach event) if gi is not nil, and otherwise we say that fi is ``unattached'' (by the defattach event). It is also convenient to refer to <fi,gi> as an ``attachment pair'' (of the event) if gi is not nil. We may refer to the set of fi as the ``attachment nest'' of each fi.

We start with a brief introduction to the first General Form in the case that g is not nil. This form arranges that during evaluation, with exceptions noted below, every call of the constrained function symbol f will in essence be replaced by a call of the function symbol g on the same arguments. We may then refer to g as the ``attachment of'' f, or say that ``g is attached to f.'' Notable exceptions, where we do not use attachments during evaluation, are for macroexpansion, evaluation of defconst and defpkg terms, evaluation during table events, some stobj operations including all updates, and especially evaluation of ground terms (terms without free variables) during proofs. However, even for these cases we allow the use of attachments in the first argument of prog2$ and, more generally, the next-to-last (i.e., second) argument of return-last when its first argument is not of the form 'm for some macro, m.

To see why attachments are disallowed during evaluation of ground terms during proofs (except for the prog2$ and return-last cases mentioned above), consider the following example.

(defstub f (x) t)
(defun g (x) (+ 3 x))
(defattach f g)

If the form (f 2) is submitted at the ACL2 prompt, the result will be 5 because the attachment g of f is called on the argument, 2. However, during a proof the term (f 2) will not be simplified to 5, since that would be unsound, as there are no axioms about f that would justify such a simplification.

For the case that g is nil in the first General Form above, the result is the removal of the existing attachment to f, if any. After this removal, calls of f will once again cause errors saying that ``ACL2 cannot ev the call of undefined function f ...''. In this case not only is the previous attachment to f removed; moreover, for every function symbol f' in the attachment nest of f in the defattach event that introduced the existing attachment to f, then f' is unattached. (An example near the end of this documentation topic shows why this unattachment needs to be done.) Such removal takes place before the current defattach is processed, but is restored if the new event fails to be admitted.

We focus henceforth on the second General Form. There must be at least one attachment, i.e., i must be at least 1. All keywords are optional; their role is described below. The fi must be distinct constrained function symbols, that is, function symbols all introduced in signatures of encapsulate events (or macros such as defstub that generate encapsulate events). Each non-nil gi is a :logic-mode function symbol that has had its guards verified, with the same signature as fi (though formal parameters for fi and gi may have different names). (Note: The macro defattach!, defined in community book books/misc/defattach-bang, avoids this restriction.) This event generates proof obligations and an ordering check, both described below. The effect of this event is first to remove any existing attachments for all the function symbols fi, as described above for the first General Form, and then to attach each gi to fi.

Proof obligations must be checked before making attachments. For this discussion we assume that each gi is non-nil (otherwise first remove all attachment pairs <fi,gi> for which gi is nil). Let s be the functional substitution mapping each fi to gi. For any term u, we write u\s for the result of applying s to u; that is, u\s is the ``functional instance'' obtained by replacing each fi by gi in u. Let G_fi and G_gi be the guards of fi and gi, respectively. Let G_fi' be the result of replacing each formal of fi by the corresponding formal of gi in G_fi. ACL2 first proves, for each i (in order), the formula (implies G_fi' G_gi)\s. If this sequence of proofs succeeds, then the remaining formula to prove is the functional instance C\s of the conjunction C of the constraints on the symbols fi; see constraint. This last proof obligation is thus similar to the one generated by functional instantiation (see constraint). As with functional instantiation, ACL2 stores the fact that such proofs have been done so that they are avoided in future events (see lemma-instance). Thus, you will likely avoid some proofs with the sequence

(defattach f g)
(defattach f nil)
(defattach f g)
(defattach f nil)
...

rather than the sequence:

(defattach f g)
:u
(defattach f g)
:u
...

It remains to describe an ordering check. We begin with the following motivating example.

(defstub f (x) t) ; constrained function with no constraints
(defun g (x) (declare (xargs :guard t)) (not (f x)))
(defattach f g) ; ILLEGAL!

Were the above defattach event to succeed, the evaluation theory (discussed above) would be inconsistent: (f x) equals (g x) by the new attachment equation, which in turn equals (not (f x)) by definition of g. The evaluation would therefore be meaningless. Also, from a practical perspective, there would be an infinite loop resulting from any call of f.

We consider a function symbol g to be an extended immediate ancestor of a function symbol f if either of the following two criteria is met: (a) g occurs in the formula that introduces f (i.e., definition body or constraint) and g is introduced by an event different from (earlier than) the event introducing f; or (b) g is attached to f. We also consider g to be an extended immediate ancestor of f if there are function symbols f' and g' that are introduced in the same events as f and g, respectively (such as the same mutual-recursion or the same encapsulate with non-empty signatures), such that g' is an extended immediate ancestor of f' in the sense above. For a proposed defattach event, we check that the graph defined by this relation has no cycles, where for condition (b) we include all attachment pairs that would result, including those remaining from earlier defattach events.

Of course, a special case is that no function symbol may be attached to itself. Similarly, no function symbol may be attached to any of its ``siblings'' — function symbols introduced by the same event — as siblings are considered equivalent for purposes of the acyclicity check.

Three Primary Uses of Defattach.

We anticipate three uses of defattach:

Constrained function execution
Sound modification of the ACL2 system
Program refinement

We discuss these in turn.

The example at the beginning of this documentation illustrates constrained function execution.
ACL2 is written essentially in itself. Thus, there is an opportunity to attach to system functions. For example, encapsulated function too-many-ifs-post-rewrite, in the ACL2 source code, receives an attachment of too-many-ifs-post-rewrite-builtin, which implements a heuristic used in the rewriter. See system-attachments. To find all such examples, search the source code for the string `-builtin'.
Over time, we expect to continue replacing ACL2 source code in a similar manner. We invite the ACL2 community to assist in this ``open architecture'' enterprise; feel free to email the ACL2 implementors if you are interested in such activity.
Recall that for an attachment pair <f,g>, a proof obligation is (speaking informally) that g satisfies the constraint on f. Yet more informally speaking, g is ``more defined'' than f; we can think of g as ``refining'' f. With these informal notions as motivation, we can view defattach as providing refinement through the following formal observation: the evaluation theory extends the theory of the ACL2 session, specifically by the addition of all attachment equations. For the logic-inclined, it may be useful to think model-theoretically: The class of models of the evaluation theory is non-empty but is a subset of the class of models of the current session theory.

Miscellaneous Remarks, with discussion of possible user errors.

We conclude with remarks on some details.

A defattach event is never redundant (see redundant-events); in that sense it is analogous to in-theory.

As mentioned above, the use of attachments is disabled for evaluation of ground terms during proofs. However, attachments can be used on code during the proof process, essentially when the ``program refinement'' is on theorem prover code rather than on functions we are reasoning about. The attachment to too-many-ifs-post-rewrite described above provides one example of such attachments. Another example is that a meta function or clause-processor function can call functions that have attachments, with a restriction that those attached functions must not also be ancestral in a corresponding evaluator. See evaluator-restrictions for a discussion of that restriction, and see transparent-functions for a device that can relax the restriction (while imposing additional requirements on attachments).

For an attachment pair <f,g>, evaluation of f never consults the guard of f. Rather, control passes to g, whose guard is checked if necessary. The proof obligation related to guards, as described above, guarantees that any legal call of f is also a legal call of g. Thus for guard-verified code that results in calls of f in raw Lisp, it is sound to replace these calls with corresponding calls of g.

Defattach events are illegal inside any encapsulate event with a non-empty signature unless they are local to the encapsulate.

(Of interest only to users of apply$.) Special handling is applied when attempting to attach to a so-called warrant, which is produced by an application of defwarrant (or defun$). In that case it is legal to attach the function true-apply$-warrant to the warrant, without any proof obligation. This attachment is actually performed automatically by defwarrant, so users (even users of apply$) need not deal explicitly with such attachments. However, these attachments make warrants executable in the loop; for example, after (defwarrant foo), (warrant foo) will evaluate to t in the loop.

We next discuss a restriction based on a notion of a function symbol syntactically supporting an event. Function symbol f is ancestral in event E if either f occurs in E, or (recursively) f occurs in an event E' that introduces some function symbol g that is ancestral in E. We require that no function symbol ancestral in the formula of a defaxiom event may have an attachment. Theoretical reasons are discussed in comments in the ACL2 source code, but here we give a little example showing the need for some such restriction: without it, we show how to prove nil!

(defn g1 () 1)
(defn g2 () 2)
(defstub f1 () t)
(defstub f2 () t)
(defund p (x)
  (declare (ignore x))
  t)
(defevaluator evl evl-list
  ((p x)))
(defaxiom f1-is-f2
  (equal (f1) (f2)))
(defun meta-fn (x)
  (cond ((equal (f1) (f2))
         x)
        (t *nil*)))
(defthm bad-meta-rule
  (equal (evl x a)
         (evl (meta-fn x) a))
  :rule-classes ((:meta :trigger-fns (p))))
(defattach f1 g1)
(defattach f2 g2)
(defthm contradiction
  nil
  :hints (("Goal" :use ((:instance (:theorem (not (p x)))
                                   (x t)))))
  :rule-classes nil)

The form (all-attachments (w state)) evaluates to the list of all attachments except in two cases: warrants, and attachments introduced with a non-nil value of :skip-checks. To obtain the attachment to a function symbol FN, without the above restrictions and with value nil if there is no attachment to FN: (cdr (attachment-pair 'FN (w state))).

Next we discuss the :ATTACH keyword. There is rarely if ever a reason to specify :ATTACH T, but the following (admittedly contrived) example shows why it may be necessary to specify :ATTACH NIL. First we introduce three new function symbols.

(defstub f (x) t)

(defun g (x)
  (f x))

(encapsulate ((h (x) t))
  (local (defun h (x) (g x)))
  (defthm h-prop
    (equal (h x) (g x))))

Now suppose we want to attach the function ACL2-numberp to both f and h.

(defattach (f acl2-numberp) (h acl2-numberp))

Such an attempt fails, because the following constraint is generated but is not a theorem: (EQUAL (ACL2-NUMBERP X) (G X)). Clearly we also need to attach to g as well.

(defattach (f acl2-numberp) (h acl2-numberp) (g acl2-numberp))

But this fails for a different reason, as explained by the error message:

ACL2 Error in ( DEFATTACH (F ACL2-NUMBERP) ...):  It is illegal to
attach to function symbol G, because it was introduced with DEFUN.
See :DOC defattach.

That is: logically, we need to attach acl2-numberp to g, but we cannot actually attach to g because it was not introduced with encapsulate (it was introduced with defun). So we specify :ATTACH NIL for the attachment to g, saying that no actual attachment should be made to the code for g, even though for logical purposes we should consider that g has been given the indicated attachment.

(defattach (f acl2-numberp) (h acl2-numberp) (g acl2-numberp :attach nil))

Finally, we can check that f, g, and h execute as expected.

ACL2 !>(assert-event (and (f 3)
                   (not (f t))
                   (g 3)
                   (not (g t))
                   (h 3)
                   (not (h t))))
 :PASSED
ACL2 !>

The advanced feature, with-global-stobj, imposes certain restrictions on a defattach event. You can probably ignore this point unless you get an error pertaining to with-global-stobj. For relevant documentation see with-global-stobj, specifically the section on ``Constrained Functions and Defattach''.

We conclude with an example promised above, showing why it is necessary in general to unattach all function symbols in an existing attachment nest when unattaching any one of those function symbols. Consider the following example.

(defstub f1 () t)
(encapsulate ((f2 () t))
  (local (defun f2 () (f1)))
  (defthm f2=f1 (equal (f2) (f1))))
(encapsulate ((f3 () t))
  (local (defun f3 () (f1)))
  (defthm f3=f1 (equal (f3) (f1))))
(defun four () (declare (xargs :guard t)) 4)
(defun five () (declare (xargs :guard t)) 5)
(defattach (f1 four) (f2 four))
(defattach (f1 five) (f3 five))

The second defattach erases the existing attachment pair <f1,four> before installing the new attachment pairs <f1,five> and <f3,five>. After the second defattach, both (f1) and (f3) evaluate to 5. Now suppose that the attachment pair <f2,four> were not erased. Then we would have (f1) evaluating to 5 and (f2) evaluating to 4, contradicting the constraint f2=f1. The evaluation theory would thus be inconsistent, and at a more concrete level, the user might well be surprised by evaluation results if the code were written with the assumption specified in the constraint f2=f1.

Subtopics

System-attachments: System-level algorithms that users can modify with attachments
Ignored-attachment: Why attachments are sometimes not used
Defattach-system: Attach to built-in, system-level, constrained functions