[ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !> :pe zp V d -4918 (DEFUN ZP (X) (DECLARE (XARGS :MODE :LOGIC :GUARD (AND (INTEGERP X) (<= 0 X)))) "Documentation available via :doc" (IF (INTEGERP X) (<= X 0) T)) ACL2 !>(defun non-consp (x) (not (consp x))) Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NON-CONSP ACL2 !>(defun app (x y) (if (non-consp x) ;would normally use endp here y (cons (car x) (app (cdr x) y)))) For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.01) APP-ASSOCIATIVE ACL2 !>(defthm app-associative-again (equal (app (app x y) z) (app x (app y z)))) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN probably subsumes the previously added :REWRITE rule APP-ASSOCIATIVE, in the sense that APP-ASSOCIATIVE-AGAIN will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The previously added rule APP-ASSOCIATIVE subsumes the newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-AGAIN ...) Rules: ((:REWRITE APP-ASSOCIATIVE)) Warnings: Subsume Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP-ASSOCIATIVE-AGAIN ACL2 !>(defthm app-associative-bigger (equal (app (app x (app y w)) (app (app r (app (app jjj s) u)) '(hello 4000))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) )) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-BIGGER ...): The previously added rules APP-ASSOCIATIVE-AGAIN and APP-ASSOCIATIVE subsume the newly proposed :REWRITE rule APP-ASSOCIATIVE-BIGGER, in the sense that the old rules rewrite more general targets. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE-AGAIN. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-BIGGER ...) Rules: ((:REWRITE APP-ASSOCIATIVE-AGAIN)) Warnings: Subsume Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) APP-ASSOCIATIVE-BIGGER ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) This event is redundant. See :DOC redundant-events. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT ACL2 !>:u [SGC for 11 STRING pages..(8103 writable)..(T=2).GC finished] [SGC for 11 STRING pages..(8103 writable)..(T=2).GC finished] 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3 (DEFTHM APP-ASSOCIATIVE ...) 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>:ubt! 1 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(defun non-consp (x) (not (consp x))) Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NON-CONSP ACL2 !>(defun app (x y) (if (non-consp x) ;would normally use endp here y (cons (car x) (app (cdr x) y)))) For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) APP ACL2 !>Bye. Attempting to exit Lisp. If this fails to work, type :q and then try again. [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(defun non-consp (x) (not (consp x))) Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) NON-CONSP ACL2 !>(defun app (x y) (if (non-consp x) ;would normally use endp here y (cons (car x) (app (cdr x) y)))) For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00) APP ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2:x(DEFUN APP (X Y) ...) ACL2 !>:pbt -10 -10 (IN-THEORY (DISABLE ALPHORDER)) -9 (DEFTHM LEXORDER-REFLEXIVE ...) -8 (DEFTHM LEXORDER-ANTI-SYMMETRIC ...) -7 (DEFTHM LEXORDER-TRANSITIVE ...) -6 (DEFTHM LEXORDER-TOTAL ...) -5 (IN-THEORY (DISABLE LEXORDER)) V -4 (DEFUN RESIZE-LIST (LST N DEFAULT-VALUE) ...) V -3 (DEFUN E/D-FN (THEORY E/D-LIST ENABLE-P) ...) v -2 (ENCAPSULATE NIL ...) -1 (DEFTHEORY GROUND-ZERO (CURRENT-THEORY :HERE) ...) 0 (EXIT-BOOT-STRAP-MODE) L 1 (DEFUN NON-CONSP (X) ...) L 2:x(DEFUN APP (X Y) ...) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP-ASSOCIATIVE ACL2 !>:pe app L 2 (DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) ACL2 !>:pe car-cons -563 (DEFAXIOM CAR-CONS (EQUAL (CAR (CONS X Y)) X)) ACL2 !>:pe cdr-cons -562 (DEFAXIOM CDR-CONS (EQUAL (CDR (CONS X Y)) Y)) ACL2 !>(defthm app-associative-again (equal (app (app x y) z) (app x (app y z)))) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN probably subsumes the previously added :REWRITE rule APP-ASSOCIATIVE, in the sense that APP-ASSOCIATIVE-AGAIN will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The previously added rule APP-ASSOCIATIVE subsumes the newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-AGAIN ...) Rules: ((:REWRITE APP-ASSOCIATIVE)) Warnings: Subsume Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00) APP-ASSOCIATIVE-AGAIN ACL2 !>:pr APP-ASSOCIATIVE Rune: (:REWRITE APP-ASSOCIATIVE) Status: Enabled Lhs: (APP (APP X Y) Z) Rhs: (APP X (APP Y Z)) Hyps: T Equiv: EQUAL Backchain-limit-lst: NIL Subclass: ABBREVIATION ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3 (DEFTHM APP-ASSOCIATIVE ...) 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>:u [SGC for 11 STRING pages..(8102 writable)..(T=3).GC finished] [SGC for 11 STRING pages..(8102 writable)..(T=3).GC finished] 3:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>(in-theory (disable app-associative)) Summary Form: (IN-THEORY (DISABLE ...)) Rules: NIL Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) 1734 ACL2 !>(defthm app-associative-again (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-AGAIN ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.01, other: 0.01) APP-ASSOCIATIVE-AGAIN ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) D 3 (DEFTHM APP-ASSOCIATIVE ...) 4 (IN-THEORY (DISABLE APP-ASSOCIATIVE)) 5:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>:u 4:x(IN-THEORY (DISABLE APP-ASSOCIATIVE)) ACL2 !>:u 3:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>:u L 2:x(DEFUN APP (X Y) ...) ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2:x(DEFUN APP (X Y) ...) ACL2 !>:ubT! 1 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(certify-book "script") CERTIFICATION ATTEMPT FOR "/dryer/dill/ewsmith/script.lisp" ACL2 Version 2.9.2 * Step 1: Read "/dryer/dill/ewsmith/script.lisp" and compute its check sum. ACL2 Error in (CERTIFY-BOOK "script" ...): The first form in "/dryer/dill/ewsmith/script.lisp" was expected to be (IN-PACKAGE "pkg") where "pkg" is a known ACL2 package name. See :DOC book-contents. The first form was, in fact, (DEFUN NON-CONSP (X) (NOT (CONSP X))). Summary Form: (CERTIFY-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(certify-book "script") CERTIFICATION ATTEMPT FOR "/dryer/dill/ewsmith/script.lisp" ACL2 Version 2.9.2 * Step 1: Read "/dryer/dill/ewsmith/script.lisp" and compute its check sum. * Step 2: There were five forms in the file. The check sum is 264070911. We now attempt to establish that each form, whether local or non-local, is indeed an admissible embedded event form in the context of the previously admitted ones. Note that proof-tree output is inhibited during this check; see :DOC proof-tree. ACL2 >>(DEFUN NON-CONSP (X) (NOT (CONSP X))) Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NON-CONSP ACL2 >>(DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP ACL2 >>(DEFTHM APP-ASSOCIATIVE (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.01, other: 0.01) APP-ASSOCIATIVE ACL2 >>(DEFTHM APP-ASSOCIATIVE-AGAIN (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN probably subsumes the previously added :REWRITE rule APP-ASSOCIATIVE, in the sense that APP-ASSOCIATIVE-AGAIN will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The previously added rule APP-ASSOCIATIVE subsumes the newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-AGAIN ...) Rules: ((:REWRITE APP-ASSOCIATIVE)) Warnings: Subsume Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP-ASSOCIATIVE-AGAIN * Step 3: That completes the admissibility check. Each form read was an embedded event form and was admissible. We now retract back to the initial world and try to include the book. This may expose local incompatibilities. [SGC for 20 CFUN pages..(8174 writable)..(T=2).GC finished] Summary Form: ( INCLUDE-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.04 seconds (prove: 0.00, print: 0.00, other: 0.04) ACL2 Warning [Guards] in (CERTIFY-BOOK "script" ...): You have told certify-book to produce a compiled file for "/dryer/dill/ewsmith/script.lisp". However, the functions NON-CONSP and APP have not had their guards verified. A compiled file will be produced anyway, but all bets are off if you load it into raw Common Lisp and try to run the functions in it. See :DOC verify-guards. * Step 4: Write the certificate for "/dryer/dill/ewsmith/script.lisp" in "/dryer/dill/ewsmith/script.cert". The final check sum alist is (("/dryer/dill/ewsmith/script.lisp" "script" "script" ((:SKIPPED-PROOFSP) (:AXIOMSP)) . 264070911)). * Step 5: Compile the functions defined in "/dryer/dill/ewsmith/script.lisp". As noted above, two functions have not had their guards verified. A compiled file will be produced but you are advised not to use it in raw Common Lisp. See :DOC guard for a general discussion of the issues. Compiling /dryer/dill/ewsmith/script.lisp. End of Pass 1. End of Pass 2. OPTIMIZE levels: Safety=0 (No runtime error checking), Space=0, Speed=3 Finished compiling /dryer/dill/ewsmith/script.o. "/dryer/dill/ewsmith/script.o" Loading /dryer/dill/ewsmith/script.o start address -T 0x8976ed8 Finished loading /dryer/dill/ewsmith/script.o Summary Form: (CERTIFY-BOOK "script" ...) Rules: NIL Warnings: Guards and Subsume Time: 0.07 seconds (prove: 0.00, print: 0.01, other: 0.06) "/dryer/dill/ewsmith/script.lisp" ACL2 !>:u 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>:ubt 1 ACL2 Error in :UBT: The object 1 is not a legal command descriptor because it exceeds the current maximum command number, 0. ACL2 !>(include-book "script") Loading /dryer/dill/ewsmith/script.o start address -T 0x9243160 Finished loading /dryer/dill/ewsmith/script.o Summary Form: ( INCLUDE-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) "/dryer/dill/ewsmith/script.lisp" ACL2 !>:pe app 1:x(INCLUDE-BOOK "script") \ [Included books, outermost to innermost: "/dryer/dill/ewsmith/script.lisp" ] \ >L (DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) ACL2 !>:pbt 1 1:x(INCLUDE-BOOK "script") ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) This event is redundant. See :DOC redundant-events. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT ACL2 !>:u 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(ld "script.lisp") ACL2 Version 2.9.2. Level 2. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>> "ACL2" ACL2 !>> Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). [SGC for 20 CFUN pages..(8192 writable)..(T=2).GC finished] Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) NON-CONSP ACL2 !>> For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) APP ACL2 !>> Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) APP-ASSOCIATIVE ACL2 !>> ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN probably subsumes the previously added :REWRITE rule APP-ASSOCIATIVE, in the sense that APP-ASSOCIATIVE-AGAIN will now probably be applied whenever the old rule would have been. ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-AGAIN ...): The previously added rule APP-ASSOCIATIVE subsumes the newly proposed :REWRITE rule APP-ASSOCIATIVE-AGAIN, in the sense that the old rule rewrites a more general target. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-AGAIN ...) Rules: ((:REWRITE APP-ASSOCIATIVE)) Warnings: Subsume Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP-ASSOCIATIVE-AGAIN ACL2 !>>Bye. :EOF ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3 (DEFTHM APP-ASSOCIATIVE ...) 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>(defthm app-associative-bigger (equal (app (app x (app y w)) (app (app r (app (app jjj s) u)) '(hello 4000))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) )) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-BIGGER ...): The previously added rules APP-ASSOCIATIVE-AGAIN and APP-ASSOCIATIVE subsume the newly proposed :REWRITE rule APP-ASSOCIATIVE-BIGGER, in the sense that the old rules rewrite more general targets. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE-AGAIN. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-BIGGER ...) Rules: ((:REWRITE APP-ASSOCIATIVE-AGAIN)) Warnings: Subsume Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) APP-ASSOCIATIVE-BIGGER ACL2 !>:u 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>(defthm app-associative-bigger (equal (app (app x (app y w)) (app (app r (app (app jjj s) u)) '(hello 4000))) blah )) ACL2 Warning [Free] in ( DEFTHM APP-ASSOCIATIVE-BIGGER ...): The :REWRITE rule generated from APP-ASSOCIATIVE-BIGGER contains the the free variable BLAH on the right-hand side of the rule, which is not bound on the left-hand side. This can cause new variables to be introduced into the proof, which may surprise you. ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-BIGGER ...): The previously added rules APP-ASSOCIATIVE-AGAIN and APP-ASSOCIATIVE subsume the newly proposed :REWRITE rule APP-ASSOCIATIVE-BIGGER, in the sense that the old rules rewrite more general targets. Because the new rule will be tried first, it may nonetheless find application. By the simple :rewrite rule APP-ASSOCIATIVE-AGAIN we reduce the conjecture to Goal' (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) BLAH). Name the formula above *1. Perhaps we can prove *1 by induction. Seven induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP U '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH JJJ R S U W X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP U)) (:P BLAH JJJ R S (CDR U) W X Y)) (:P BLAH JJJ R S U W X Y)) (IMPLIES (NON-CONSP U) (:P BLAH JJJ R S U W X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT U) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP U)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP (CDR U) '(HELLO 4000)))))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP U) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP (CDR U) '(HELLO 4000)))))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1/2'' (IMPLIES (CONSP U) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (CONS (CAR U) (APP (CDR U) '(HELLO 4000))))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP (CDR U) '(HELLO 4000)))))))))). The destructor terms (CAR U) and (CDR U) can be eliminated by using CAR-CDR-ELIM to replace U by (CONS U1 U2), (CAR U) by U1 and (CDR U) by U2. This produces the following goal. Subgoal *1/2''' (IMPLIES (CONSP (CONS U1 U2)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (CONS U1 (APP U2 '(HELLO 4000))))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U2 '(HELLO 4000)))))))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (CONS U1 (APP U2 '(HELLO 4000))))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U2 '(HELLO 4000))))))))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (NON-CONSP U) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP U)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1/1'' (IMPLIES (NOT (CONSP U)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH)). We suspect that the term (NOT (CONSP U)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/1''' (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH). Name the formula above *1.2. Perhaps we can prove *1.2 by induction. Six induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP S '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH JJJ R S W X Y) denote *1.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP S)) (:P BLAH JJJ R (CDR S) W X Y)) (:P BLAH JJJ R S W X Y)) (IMPLIES (NON-CONSP S) (:P BLAH JJJ R S W X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT S) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2/2 (IMPLIES (AND (NOT (NON-CONSP S)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP (CDR S) '(HELLO 4000))))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2/2' (IMPLIES (AND (CONSP S) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP (CDR S) '(HELLO 4000))))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2/2'' (IMPLIES (CONSP S) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (CONS (CAR S) (APP (CDR S) '(HELLO 4000)))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP (CDR S) '(HELLO 4000))))))))). The destructor terms (CAR S) and (CDR S) can be eliminated by using CAR-CDR-ELIM to replace S by (CONS S1 S2), (CAR S) by S1 and (CDR S) by S2. This produces the following goal. Subgoal *1.2/2''' (IMPLIES (CONSP (CONS S1 S2)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (CONS S1 (APP S2 '(HELLO 4000)))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S2 '(HELLO 4000))))))))). This simplifies, using primitive type reasoning, to Subgoal *1.2/2'4' (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (CONS S1 (APP S2 '(HELLO 4000)))))))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S2 '(HELLO 4000)))))))). Name the formula above *1.2.1. Subgoal *1.2/1 (IMPLIES (NON-CONSP S) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2/1' (IMPLIES (NOT (CONSP S)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ (APP S '(HELLO 4000))))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2/1'' (IMPLIES (NOT (CONSP S)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH)). We suspect that the term (NOT (CONSP S)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1.2/1''' (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH). Name the formula above *1.2.2. Perhaps we can prove *1.2.2 by induction. Five induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP JJJ '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH JJJ R W X Y) denote *1.2.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP JJJ)) (:P BLAH (CDR JJJ) R W X Y)) (:P BLAH JJJ R W X Y)) (IMPLIES (NON-CONSP JJJ) (:P BLAH JJJ R W X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT JJJ) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2.2/2 (IMPLIES (AND (NOT (NON-CONSP JJJ)) (EQUAL (APP X (APP Y (APP W (APP R (APP (CDR JJJ) '(HELLO 4000)))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2/2' (IMPLIES (AND (CONSP JJJ) (EQUAL (APP X (APP Y (APP W (APP R (APP (CDR JJJ) '(HELLO 4000)))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH)). [SGC for 25 FIXNUM pages..(8195 writable)..(T=3).GC finished] This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2/2'' (IMPLIES (CONSP JJJ) (EQUAL (APP X (APP Y (APP W (APP R (CONS (CAR JJJ) (APP (CDR JJJ) '(HELLO 4000))))))) (APP X (APP Y (APP W (APP R (APP (CDR JJJ) '(HELLO 4000)))))))). The destructor terms (CAR JJJ) and (CDR JJJ) can be eliminated by using CAR-CDR-ELIM to replace JJJ by (CONS JJJ1 JJJ2), (CAR JJJ) by JJJ1 and (CDR JJJ) by JJJ2. This produces the following goal. Subgoal *1.2.2/2''' (IMPLIES (CONSP (CONS JJJ1 JJJ2)) (EQUAL (APP X (APP Y (APP W (APP R (CONS JJJ1 (APP JJJ2 '(HELLO 4000))))))) (APP X (APP Y (APP W (APP R (APP JJJ2 '(HELLO 4000)))))))). This simplifies, using primitive type reasoning, to Subgoal *1.2.2/2'4' (EQUAL (APP X (APP Y (APP W (APP R (CONS JJJ1 (APP JJJ2 '(HELLO 4000))))))) (APP X (APP Y (APP W (APP R (APP JJJ2 '(HELLO 4000))))))). Name the formula above *1.2.2.1. Subgoal *1.2.2/1 (IMPLIES (NON-CONSP JJJ) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2/1' (IMPLIES (NOT (CONSP JJJ)) (EQUAL (APP X (APP Y (APP W (APP R (APP JJJ '(HELLO 4000)))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2/1'' (IMPLIES (NOT (CONSP JJJ)) (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH)). We suspect that the term (NOT (CONSP JJJ)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1.2.2/1''' (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH). Name the formula above *1.2.2.2. Perhaps we can prove *1.2.2.2 by induction. Four induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP R '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH R W X Y) denote *1.2.2.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP R)) (:P BLAH (CDR R) W X Y)) (:P BLAH R W X Y)) (IMPLIES (NON-CONSP R) (:P BLAH R W X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT R) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2.2.2/2 (IMPLIES (AND (NOT (NON-CONSP R)) (EQUAL (APP X (APP Y (APP W (APP (CDR R) '(HELLO 4000))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2/2' (IMPLIES (AND (CONSP R) (EQUAL (APP X (APP Y (APP W (APP (CDR R) '(HELLO 4000))))) BLAH)) (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2/2'' (IMPLIES (CONSP R) (EQUAL (APP X (APP Y (APP W (CONS (CAR R) (APP (CDR R) '(HELLO 4000)))))) (APP X (APP Y (APP W (APP (CDR R) '(HELLO 4000))))))). The destructor terms (CAR R) and (CDR R) can be eliminated by using CAR-CDR-ELIM to replace R by (CONS R1 R2), (CAR R) by R1 and (CDR R) by R2. This produces the following goal. Subgoal *1.2.2.2/2''' (IMPLIES (CONSP (CONS R1 R2)) (EQUAL (APP X (APP Y (APP W (CONS R1 (APP R2 '(HELLO 4000)))))) (APP X (APP Y (APP W (APP R2 '(HELLO 4000))))))). This simplifies, using primitive type reasoning, to Subgoal *1.2.2.2/2'4' (EQUAL (APP X (APP Y (APP W (CONS R1 (APP R2 '(HELLO 4000)))))) (APP X (APP Y (APP W (APP R2 '(HELLO 4000)))))). Name the formula above *1.2.2.2.1. Subgoal *1.2.2.2/1 (IMPLIES (NON-CONSP R) (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2/1' (IMPLIES (NOT (CONSP R)) (EQUAL (APP X (APP Y (APP W (APP R '(HELLO 4000))))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2/1'' (IMPLIES (NOT (CONSP R)) (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH)). We suspect that the term (NOT (CONSP R)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1.2.2.2/1''' (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH). Name the formula above *1.2.2.2.2. Perhaps we can prove *1.2.2.2.2 by induction. Three induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP W '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH W X Y) denote *1.2.2.2.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP W)) (:P BLAH (CDR W) X Y)) (:P BLAH W X Y)) (IMPLIES (NON-CONSP W) (:P BLAH W X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT W) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2.2.2.2/2 (IMPLIES (AND (NOT (NON-CONSP W)) (EQUAL (APP X (APP Y (APP (CDR W) '(HELLO 4000)))) BLAH)) (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2.2/2' (IMPLIES (AND (CONSP W) (EQUAL (APP X (APP Y (APP (CDR W) '(HELLO 4000)))) BLAH)) (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2.2/2'' (IMPLIES (CONSP W) (EQUAL (APP X (APP Y (CONS (CAR W) (APP (CDR W) '(HELLO 4000))))) (APP X (APP Y (APP (CDR W) '(HELLO 4000)))))). The destructor terms (CAR W) and (CDR W) can be eliminated by using CAR-CDR-ELIM to replace W by (CONS W1 W2), (CAR W) by W1 and (CDR W) by W2. This produces the following goal. Subgoal *1.2.2.2.2/2''' (IMPLIES (CONSP (CONS W1 W2)) (EQUAL (APP X (APP Y (CONS W1 (APP W2 '(HELLO 4000))))) (APP X (APP Y (APP W2 '(HELLO 4000)))))). This simplifies, using primitive type reasoning, to Subgoal *1.2.2.2.2/2'4' (EQUAL (APP X (APP Y (CONS W1 (APP W2 '(HELLO 4000))))) (APP X (APP Y (APP W2 '(HELLO 4000))))). Name the formula above *1.2.2.2.2.1. Subgoal *1.2.2.2.2/1 (IMPLIES (NON-CONSP W) (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2.2/1' (IMPLIES (NOT (CONSP W)) (EQUAL (APP X (APP Y (APP W '(HELLO 4000)))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2.2/1'' (IMPLIES (NOT (CONSP W)) (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH)). We suspect that the term (NOT (CONSP W)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1.2.2.2.2/1''' (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH). Name the formula above *1.2.2.2.2.2. Perhaps we can prove *1.2.2.2.2.2 by induction. Two induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (APP Y '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH X Y) denote *1.2.2.2.2.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP Y)) (:P BLAH X (CDR Y))) (:P BLAH X Y)) (IMPLIES (NON-CONSP Y) (:P BLAH X Y))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT Y) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2.2.2.2.2/2 (IMPLIES (AND (NOT (NON-CONSP Y)) (EQUAL (APP X (APP (CDR Y) '(HELLO 4000))) BLAH)) (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2.2.2/2' (IMPLIES (AND (CONSP Y) (EQUAL (APP X (APP (CDR Y) '(HELLO 4000))) BLAH)) (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2.2.2/2'' (IMPLIES (CONSP Y) (EQUAL (APP X (CONS (CAR Y) (APP (CDR Y) '(HELLO 4000)))) (APP X (APP (CDR Y) '(HELLO 4000))))). The destructor terms (CAR Y) and (CDR Y) can be eliminated by using CAR-CDR-ELIM to replace Y by (CONS Y1 Y2), (CAR Y) by Y1 and (CDR Y) by Y2. This produces the following goal. Subgoal *1.2.2.2.2.2/2''' (IMPLIES (CONSP (CONS Y1 Y2)) (EQUAL (APP X (CONS Y1 (APP Y2 '(HELLO 4000)))) (APP X (APP Y2 '(HELLO 4000))))). This simplifies, using primitive type reasoning, to Subgoal *1.2.2.2.2.2/2'4' (EQUAL (APP X (CONS Y1 (APP Y2 '(HELLO 4000)))) (APP X (APP Y2 '(HELLO 4000)))). Name the formula above *1.2.2.2.2.2.1. Subgoal *1.2.2.2.2.2/1 (IMPLIES (NON-CONSP Y) (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2.2.2/1' (IMPLIES (NOT (CONSP Y)) (EQUAL (APP X (APP Y '(HELLO 4000))) BLAH)). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1.2.2.2.2.2/1'' (IMPLIES (NOT (CONSP Y)) (EQUAL (APP X '(HELLO 4000)) BLAH)). We suspect that the term (NOT (CONSP Y)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1.2.2.2.2.2/1''' (EQUAL (APP X '(HELLO 4000)) BLAH). Name the formula above *1.2.2.2.2.2.2. Perhaps we can prove *1.2.2.2.2.2.2 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP X '(HELLO 4000)). This suggestion was produced using the :induction rule APP. If we let (:P BLAH X) denote *1.2.2.2.2.2.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P BLAH (CDR X))) (:P BLAH X)) (IMPLIES (NON-CONSP X) (:P BLAH X))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2.2.2.2.2.2/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (CDR X) '(HELLO 4000)) BLAH)) (EQUAL (APP X '(HELLO 4000)) BLAH)). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2.2.2.2.2.2/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (CDR X) '(HELLO 4000)) BLAH)) (EQUAL (APP X '(HELLO 4000)) BLAH)). This simplifies, using the :definitions APP and NON-CONSP and primitive type reasoning, to Subgoal *1.2.2.2.2.2.2/2'' (NOT (CONSP X)). We suspect that this conjecture is not a theorem. We might as well be trying to prove Subgoal *1.2.2.2.2.2.2/2''' NIL. Obviously, the proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE-BIGGER ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE APP-ASSOCIATIVE-AGAIN)) Warnings: Subsume and Free Time: 0.18 seconds (prove: 0.12, print: 0.06, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm app-associative-bigger (equal (app (app x (app y w)) (app (app r (app (app jjj s) u)) '(hello 4000))) (APP X (APP Y (APP W (APP R (APP JJJ (APP S (APP U '(HELLO 4000)))))))) )) ACL2 Warning [Subsume] in ( DEFTHM APP-ASSOCIATIVE-BIGGER ...): The previously added rules APP-ASSOCIATIVE-AGAIN and APP-ASSOCIATIVE subsume the newly proposed :REWRITE rule APP-ASSOCIATIVE-BIGGER, in the sense that the old rules rewrite more general targets. Because the new rule will be tried first, it may nonetheless find application. But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE-AGAIN. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE-BIGGER ...) Rules: ((:REWRITE APP-ASSOCIATIVE-AGAIN)) Warnings: Subsume Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) APP-ASSOCIATIVE-BIGGER ACL2 !>:u 4:x(DEFTHM APP-ASSOCIATIVE-AGAIN ...) ACL2 !>:u 3:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>:u L 2:x(DEFUN APP (X Y) ...) ACL2 !>(in-theory (disable non-consp)) [SGC for 25 FIXNUM pages..(8197 writable)..(T=2).GC finished] Summary Form: (IN-THEORY (DISABLE ...)) Rules: NIL Warnings: None Time: 0.04 seconds (prove: 0.00, print: 0.00, other: 0.04) 1733 ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). This simplifies, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2' (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z))) (NON-CONSP (CONS (CAR X) (APP (CDR X) Y)))) (EQUAL Z (CONS (CAR X) (APP (APP (CDR X) Y) Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following two goals. Subgoal *1/2.2 (IMPLIES (AND (NOT (CONSP X)) (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z))) (NON-CONSP (CONS (CAR X) (APP (CDR X) Y)))) (EQUAL Z (CONS (CAR X) (APP (APP (CDR X) Y) Z)))). This simplifies, using the :definition APP, the :executable-counterpart of NON-CONSP, primitive type reasoning and the :rewrite rules DEFAULT- CAR and DEFAULT-CDR, to Subgoal *1/2.2' (IMPLIES (AND (NOT (CONSP X)) (NOT (NON-CONSP X)) (NON-CONSP (CONS NIL Y))) (EQUAL Z (CONS NIL (APP Y Z)))). Name the formula above *1.1. Subgoal *1/2.1 (IMPLIES (AND (CONSP (CONS X1 X2)) (NOT (NON-CONSP (CONS X1 X2))) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (NON-CONSP (CONS X1 (APP X2 Y)))) (EQUAL Z (CONS X1 (APP (APP X2 Y) Z)))). This simplifies, using primitive type reasoning, to Subgoal *1/2.1' (IMPLIES (AND (NOT (NON-CONSP (CONS X1 X2))) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (NON-CONSP (CONS X1 (APP X2 Y)))) (EQUAL Z (CONS X1 (APP X2 (APP Y Z))))). We now use the second hypothesis by substituting (APP (APP X2 Y) Z) for (APP X2 (APP Y Z)) and throwing away the hypothesis. This produces Subgoal *1/2.1'' (IMPLIES (AND (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 (APP X2 Y)))) (EQUAL Z (CONS X1 (APP (APP X2 Y) Z)))). We generalize this conjecture, replacing (APP X2 Y) by AP. This produces Subgoal *1/2.1''' (IMPLIES (AND (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (CONS X1 (APP AP Z)))). Name the formula above *1.2. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :type-prescription rule NON-CONSP. So we now return to *1.2, which is (IMPLIES (AND (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (CONS X1 (APP AP Z)))). Perhaps we can prove *1.2 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP AP Z). This suggestion was produced using the :induction rule APP. If we let (:P AP X1 X2 Z) denote *1.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP AP)) (:P (CDR AP) X1 X2 Z)) (:P AP X1 X2 Z)) (IMPLIES (NON-CONSP AP) (:P AP X1 X2 Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT AP) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1.2/3 (IMPLIES (AND (NOT (NON-CONSP AP)) (EQUAL Z (CONS X1 (APP (CDR AP) Z))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (CONS X1 (APP AP Z)))). This simplifies, using the :definition APP, to Subgoal *1.2/3' (IMPLIES (AND (NOT (NON-CONSP AP)) (EQUAL Z (CONS X1 (APP (CDR AP) Z))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (LIST* X1 (CAR AP) (APP (CDR AP) Z)))). The destructor terms (CAR AP) and (CDR AP) can be eliminated by using CAR-CDR-ELIM to replace AP by (CONS AP1 AP2), (CAR AP) by AP1 and (CDR AP) by AP2. This produces the following two goals. Subgoal *1.2/3.2 (IMPLIES (AND (NOT (CONSP AP)) (NOT (NON-CONSP AP)) (EQUAL Z (CONS X1 (APP (CDR AP) Z))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (LIST* X1 (CAR AP) (APP (CDR AP) Z)))). But simplification reduces this to T, using the :definition APP, the :executable-counterpart of NON-CONSP, primitive type reasoning and the :rewrite rule DEFAULT-CDR. Subgoal *1.2/3.1 (IMPLIES (AND (CONSP (CONS AP1 AP2)) (NOT (NON-CONSP (CONS AP1 AP2))) (EQUAL Z (CONS X1 (APP AP2 Z))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (LIST* X1 AP1 AP2))) (EQUAL Z (LIST* X1 AP1 (APP AP2 Z)))). This simplifies, using primitive type reasoning, to Subgoal *1.2/3.1' (IMPLIES (AND (NOT (NON-CONSP (CONS AP1 AP2))) (EQUAL Z (CONS X1 (APP AP2 Z))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (LIST* X1 AP1 AP2))) (EQUAL Z (LIST* X1 AP1 (APP AP2 Z)))). We now use the second hypothesis by cross-fertilizing (CONS X1 (APP AP2 Z)) for Z and throwing away the hypothesis. This produces Subgoal *1.2/3.1'' (IMPLIES (AND (NOT (NON-CONSP (CONS AP1 AP2))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (LIST* X1 AP1 AP2))) (EQUAL (CONS X1 (APP AP2 Z)) (LIST* X1 AP1 (APP AP2 Z)))). This simplifies, using primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1.2/3.1''' (IMPLIES (AND (NOT (NON-CONSP (CONS AP1 AP2))) (NOT (NON-CONSP (CONS X1 X2)))) (NOT (NON-CONSP (LIST* X1 AP1 AP2)))). Name the formula above *1.2.1. Subgoal *1.2/2 (IMPLIES (AND (NOT (NON-CONSP AP)) (NOT (NON-CONSP (CONS X1 (CDR AP)))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (CONS X1 (APP AP Z)))). This simplifies, using the :definition APP, to Subgoal *1.2/2' (IMPLIES (AND (NOT (NON-CONSP AP)) (NOT (NON-CONSP (CONS X1 (CDR AP)))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (LIST* X1 (CAR AP) (APP (CDR AP) Z)))). The destructor terms (CAR AP) and (CDR AP) can be eliminated by using CAR-CDR-ELIM to replace AP by (CONS AP1 AP2), (CAR AP) by AP1 and (CDR AP) by AP2. This produces the following two goals. Subgoal *1.2/2.2 (IMPLIES (AND (NOT (CONSP AP)) (NOT (NON-CONSP AP)) (NOT (NON-CONSP (CONS X1 (CDR AP)))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (LIST* X1 (CAR AP) (APP (CDR AP) Z)))). This simplifies, using the :definition APP, the :executable-counterpart of NON-CONSP, primitive type reasoning and the :rewrite rules DEFAULT- CAR and DEFAULT-CDR, to Subgoal *1.2/2.2' (IMPLIES (AND (NOT (CONSP AP)) (NOT (NON-CONSP AP)) (NOT (NON-CONSP (LIST X1))) (NOT (NON-CONSP (CONS X1 X2)))) (NOT (NON-CONSP (CONS X1 AP)))). Name the formula above *1.2.2. Subgoal *1.2/2.1 (IMPLIES (AND (CONSP (CONS AP1 AP2)) (NOT (NON-CONSP (CONS AP1 AP2))) (NOT (NON-CONSP (CONS X1 AP2))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (LIST* X1 AP1 AP2))) (EQUAL Z (LIST* X1 AP1 (APP AP2 Z)))). This simplifies, using primitive type reasoning, to Subgoal *1.2/2.1' (IMPLIES (AND (NOT (NON-CONSP (CONS AP1 AP2))) (NOT (NON-CONSP (CONS X1 AP2))) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (LIST* X1 AP1 AP2))) (EQUAL Z (LIST* X1 AP1 (APP AP2 Z)))). Name the formula above *1.2.3. Subgoal *1.2/1 (IMPLIES (AND (NON-CONSP AP) (NOT (NON-CONSP (CONS X1 X2))) (NON-CONSP (CONS X1 AP))) (EQUAL Z (CONS X1 (APP AP Z)))). This simplifies, using the :definition APP, primitive type reasoning and the :type-prescription rule NON-CONSP, to Subgoal *1.2/1' (IMPLIES (AND (NON-CONSP AP) (NOT (NON-CONSP (CONS X1 X2)))) (NOT (NON-CONSP (CONS X1 AP)))). Name the formula above *1.2.4. No induction schemes are suggested by *1.2.4. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:ELIM CAR-CDR-ELIM) (:EXECUTABLE-COUNTERPART NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE DEFAULT-CAR) (:REWRITE DEFAULT-CDR) (:TYPE-PRESCRIPTION NON-CONSP)) Warnings: None Time: 0.04 seconds (prove: 0.02, print: 0.02, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm non-consp-of-cons (equal (NON-CONSP (CONS x y)) nil)) By case analysis we reduce the conjecture to Goal' (NOT (NON-CONSP (CONS X Y))). Name the formula above *1. No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM NON-CONSP-OF-CONS ...) Rules: ((:DEFINITION NOT)) Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm non-consp-of-cons (equal (NON-CONSP (CONS x y)) nil) :hints (("Goal" :in-theory (enable non-consp)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] By the simple :definition NON-CONSP we reduce the conjecture to Goal' (CONSP (CONS X Y)). But we reduce the conjecture to T, by primitive type reasoning. Q.E.D. Summary Form: ( DEFTHM NON-CONSP-OF-CONS ...) Rules: ((:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.01) NON-CONSP-OF-CONS ACL2 !>:pbt 1 L d 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3 (IN-THEORY (DISABLE NON-CONSP)) 4:x(DEFTHM NON-CONSP-OF-CONS ...) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :rewrite rules CAR-CONS, CDR-CONS and NON-CONSP- OF-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definition APP, primitive type reasoning and the :type-prescription rule NON-CONSP. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE NON-CONSP-OF-CONS) (:TYPE-PRESCRIPTION NON-CONSP)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00) APP-ASSOCIATIVE ACL2 !>:pbt 1 L d 1 (DEFUN NON-CONSP (X) ...) L 2 (DEFUN APP (X Y) ...) 3 (IN-THEORY (DISABLE NON-CONSP)) 4 (DEFTHM NON-CONSP-OF-CONS ...) 5:x(DEFTHM APP-ASSOCIATIVE ...) ACL2 !>:u 4:x(DEFTHM NON-CONSP-OF-CONS ...) ACL2 !>:u 3:x(IN-THEORY (DISABLE NON-CONSP)) ACL2 !>:u L 2:x(DEFUN APP (X Y) ...) ACL2 !>(in-theory (disable app)) [SGC for 452 CONS pages..(8197 writable)..(T=4).GC finished] Summary Form: (IN-THEORY (DISABLE ...)) Rules: NIL Warnings: None Time: 0.07 seconds (prove: 0.00, print: 0.00, other: 0.07) 1732 ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L d 2 (DEFUN APP (X Y) ...) 3:x(IN-THEORY (DISABLE APP)) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L d 2 (DEFUN APP (X Y) ...) 3:x(IN-THEORY (DISABLE APP)) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z)))) Name the formula above *1. No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Goal" :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2'' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z)))) (EQUAL (APP (APP (CONS X1 X2) Y) Z) (APP (CONS X1 X2) (APP Y Z)))). This simplifies, using primitive type reasoning, to Subgoal *1/2''' (IMPLIES (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (EQUAL (APP (APP (CONS X1 X2) Y) Z) (APP (CONS X1 X2) (APP Y Z)))). We generalize this conjecture, replacing (APP Y Z) by AP. This produces Subgoal *1/2'4' (IMPLIES (EQUAL (APP (APP X2 Y) Z) (APP X2 AP)) (EQUAL (APP (APP (CONS X1 X2) Y) Z) (APP (CONS X1 X2) AP))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). Name the formula above *1.2. This formula is subsumed by one of its parents, *1, which we're in the process of trying to prove by induction. When an inductive proof gives rise to a subgoal that is less general than the original goal it is a sign that either an inappropriate induction was chosen or that the original goal is insufficiently general. In any case, our proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION NON-CONSP) (:DEFINITION NOT) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP)) Warnings: None Time: 0.04 seconds (prove: 0.01, print: 0.01, other: 0.02) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Goal" :expand (APP X Y) :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using the :definitions APP and NON-CONSP, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (APP X (APP Y Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal 2' (IMPLIES (CONSP (CONS X1 X2)) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (APP (CONS X1 X2) (APP Y Z)))). This simplifies, using primitive type reasoning, to Subgoal 2'' (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (APP (CONS X1 X2) (APP Y Z))). Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) [Note: Thanks again for the hint.] Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (APP X (APP Y Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z)))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (APP (CONS X1 X2) (APP Y Z)))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (APP (CONS X1 X2) (APP Y Z)))). We generalize this conjecture, replacing (APP Y Z) by AP and (APP X2 Y) by AP0. This produces Subgoal *1/2'5' (IMPLIES (EQUAL (APP AP0 Z) (APP X2 AP)) (EQUAL (APP (CONS X1 AP0) Z) (APP (CONS X1 X2) AP))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). This simplifies, using the :definitions APP and NON-CONSP, to Subgoal *1/1'' (IMPLIES (NOT (CONSP X)) (EQUAL (APP Y Z) (APP X (APP Y Z)))). We generalize this conjecture, replacing (APP Y Z) by AP. This produces Subgoal *1/1''' (IMPLIES (NOT (CONSP X)) (EQUAL AP (APP X AP))). Name the formula above *1.2. Perhaps we can prove *1.2 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP X AP). This suggestion was produced using the :induction rule APP. If we let (:P AP X) denote *1.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P AP (CDR X))) (:P AP X)) (IMPLIES (NON-CONSP X) (:P AP X))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1.2/3 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL AP (APP (CDR X) AP)) (NOT (CONSP X))) (EQUAL AP (APP X AP))). But we reduce the conjecture to T, by the simple :definition NON-CONSP. Subgoal *1.2/2 (IMPLIES (AND (NOT (NON-CONSP X)) (CONSP (CDR X)) (NOT (CONSP X))) (EQUAL AP (APP X AP))). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1.2/1 (IMPLIES (AND (NON-CONSP X) (NOT (CONSP X))) (EQUAL AP (APP X AP))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.2/1' (IMPLIES (NOT (CONSP X)) (EQUAL AP (APP X AP))). Name the formula above *1.2.1. This formula is subsumed by one of its parents, *1.2, which we're in the process of trying to prove by induction. When an inductive proof gives rise to a subgoal that is less general than the original goal it is a sign that either an inappropriate induction was chosen or that the original goal is insufficiently general. In any case, our proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP)) Warnings: None Time: 0.06 seconds (prove: 0.03, print: 0.02, other: 0.01) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(verify (equal (app (app x y) z) (app x (app y z)))) ->: p (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z))) ->: (dv 1 1) ->: p (APP X Y) ->: x #->: (EXPAND T) #->: (SUCCEED (S)) ##->: (S) ->: p (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y) ->: top ->: p (EQUAL (APP (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y) Z) (APP X (APP Y Z))) ->: (dv 1 1) ->: p (IF (CONSP X) (CONS (CAR X) (APP (CDR X) Y)) Y) ->: s *** NO CHANGE *** -- No simplification took place. ->: top ->: bash ***** Now entering the theorem prover ***** [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (APP X (APP Y Z)))). But we have been asked to pretend that this goal is subsumed by the as-yet-to-be-proved |PROOF-CHECKER Subgoal 2|. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (APP Y Z) (APP X (APP Y Z)))). But we have been asked to pretend that this goal is subsumed by the as-yet-to-be-proved |PROOF-CHECKER Subgoal 1|. Q.E.D. Creating two new goals: (MAIN . 1) and (MAIN . 2). The proof of the current goal, MAIN, has been completed. However, the following subgoals remain to be proved: (MAIN . 1) and (MAIN . 2). Now proving (MAIN . 1). ->: p (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (APP X (APP Y Z))) ->: exit Exiting.... NIL ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Goal" :expand ((APP X Y) (APP X (APP Y Z))) :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using the :definitions APP and NON-CONSP, to Goal' (IMPLIES (CONSP X) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (CONS (CAR X) (APP (CDR X) (APP Y Z))))). [SGC for 452 CONS pages..(8202 writable)..(T=2).GC finished] The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Goal'' (IMPLIES (CONSP (CONS X1 X2)) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z))))). This simplifies, using primitive type reasoning, to Goal''' (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z)))). Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) [Note: Thanks again for the hint.] Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). This simplifies, using the :definitions APP and NON-CONSP and primitive type reasoning, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (CONS (CAR X) (APP (APP (CDR X) Y) Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z)))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP (APP X2 Y) Z)))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z))))). We now use the hypothesis by substituting (APP (APP X2 Y) Z) for (APP X2 (APP Y Z)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP (APP X2 Y) Z))). We generalize this conjecture, replacing (APP X2 Y) by AP. This produces Subgoal *1/2'6' (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. So we now return to *1.1, which is (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z))). Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP AP Z). This suggestion was produced using the :induction rule APP. If we let (:P AP X1 Z) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP AP)) (:P (CDR AP) X1 Z)) (:P AP X1 Z)) (IMPLIES (NON-CONSP AP) (:P AP X1 Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT AP) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (NON-CONSP AP)) (EQUAL (APP (CONS X1 (CDR AP)) Z) (CONS X1 (APP (CDR AP) Z)))) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP AP) (EQUAL (APP (CONS X1 (CDR AP)) Z) (CONS X1 (APP (CDR AP) Z)))) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). The destructor terms (CAR AP) and (CDR AP) can be eliminated by using CAR-CDR-ELIM to replace AP by (CONS AP1 AP2), (CAR AP) by AP1 and (CDR AP) by AP2. This produces the following goal. Subgoal *1.1/2'' (IMPLIES (AND (CONSP (CONS AP1 AP2)) (EQUAL (APP (CONS X1 AP2) Z) (CONS X1 (APP AP2 Z)))) (EQUAL (APP (LIST* X1 AP1 AP2) Z) (CONS X1 (APP (CONS AP1 AP2) Z)))). This simplifies, using primitive type reasoning, to Subgoal *1.1/2''' (IMPLIES (EQUAL (APP (CONS X1 AP2) Z) (CONS X1 (APP AP2 Z))) (EQUAL (APP (LIST* X1 AP1 AP2) Z) (CONS X1 (APP (CONS AP1 AP2) Z)))). Name the formula above *1.1.1. Subgoal *1.1/1 (IMPLIES (NON-CONSP AP) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (NOT (CONSP AP)) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). Name the formula above *1.1.2. This formula is subsumed by one of its parents, *1.1, which we're in the process of trying to prove by induction. When an inductive proof gives rise to a subgoal that is less general than the original goal it is a sign that either an inappropriate induction was chosen or that the original goal is insufficiently general. In any case, our proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP)) Warnings: None Time: 0.09 seconds (prove: 0.06, print: 0.02, other: 0.01) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>:pbt 1 L 1 (DEFUN NON-CONSP (X) ...) L d 2 (DEFUN APP (X Y) ...) 3:x(IN-THEORY (DISABLE APP)) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Goal" :expand ((APP X Y) (APP X (APP Y Z))) :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using the :definitions APP and NON-CONSP, to Goal' (IMPLIES (CONSP X) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (CONS (CAR X) (APP (CDR X) (APP Y Z))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Goal'' (IMPLIES (CONSP (CONS X1 X2)) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z))))). This simplifies, using primitive type reasoning, to Goal''' (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z)))). Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) [Note: Thanks again for the hint.] Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). This simplifies, using the :definitions APP and NON-CONSP and primitive type reasoning, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (CONS (CAR X) (APP (APP (CDR X) Y) Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z)))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP (APP X2 Y) Z)))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))) (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP X2 (APP Y Z))))). We now use the hypothesis by substituting (APP (APP X2 Y) Z) for (APP X2 (APP Y Z)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (APP (CONS X1 (APP X2 Y)) Z) (CONS X1 (APP (APP X2 Y) Z))). We generalize this conjecture, replacing (APP X2 Y) by AP. This produces Subgoal *1/2'6' (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. So we now return to *1.1, which is (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z))). Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP AP Z). This suggestion was produced using the :induction rule APP. If we let (:P AP X1 Z) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP AP)) (:P (CDR AP) X1 Z)) (:P AP X1 Z)) (IMPLIES (NON-CONSP AP) (:P AP X1 Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT AP) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (NON-CONSP AP)) (EQUAL (APP (CONS X1 (CDR AP)) Z) (CONS X1 (APP (CDR AP) Z)))) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP AP) (EQUAL (APP (CONS X1 (CDR AP)) Z) (CONS X1 (APP (CDR AP) Z)))) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). The destructor terms (CAR AP) and (CDR AP) can be eliminated by using CAR-CDR-ELIM to replace AP by (CONS AP1 AP2), (CAR AP) by AP1 and (CDR AP) by AP2. This produces the following goal. Subgoal *1.1/2'' (IMPLIES (AND (CONSP (CONS AP1 AP2)) (EQUAL (APP (CONS X1 AP2) Z) (CONS X1 (APP AP2 Z)))) (EQUAL (APP (LIST* X1 AP1 AP2) Z) (CONS X1 (APP (CONS AP1 AP2) Z)))). This simplifies, using primitive type reasoning, to Subgoal *1.1/2''' (IMPLIES (EQUAL (APP (CONS X1 AP2) Z) (CONS X1 (APP AP2 Z))) (EQUAL (APP (LIST* X1 AP1 AP2) Z) (CONS X1 (APP (CONS AP1 AP2) Z)))). Name the formula above *1.1.1. Subgoal *1.1/1 (IMPLIES (NON-CONSP AP) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (NOT (CONSP AP)) (EQUAL (APP (CONS X1 AP) Z) (CONS X1 (APP AP Z)))). Name the formula above *1.1.2. This formula is subsumed by one of its parents, *1.1, which we're in the process of trying to prove by induction. When an inductive proof gives rise to a subgoal that is less general than the original goal it is a sign that either an inappropriate induction was chosen or that the original goal is insufficiently general. In any case, our proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP)) Warnings: None Time: 0.06 seconds (prove: 0.01, print: 0.03, other: 0.02) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(thm (equal (APP (CONS x y) Z) (cons x (APP y Z)))) Name the formula above *1. No induction schemes are suggested by *1. Consequently, the proof attempt has failed. Summary Form: ( THM ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(thm (equal (APP (CONS x y) Z) (cons x (APP y Z))) :hints (("Goal" :in-theory (enable app)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Q.E.D. Summary Form: ( THM ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.02 seconds (prove: 0.01, print: 0.00, other: 0.01) Proof succeeded. ACL2 !>(defthm app-of-cons (equal (APP (CONS x y) Z) (cons x (APP y Z))) :hints (("Goal" :in-theory (enable app)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] [SGC for 452 CONS pages..(8202 writable)..(T=3).GC finished] But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Q.E.D. Summary Form: ( DEFTHM APP-OF-CONS ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.05 seconds (prove: 0.03, print: 0.00, other: 0.02) APP-OF-CONS ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Goal" :expand ((APP X Y) (APP X (APP Y Z))) :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using the :definitions APP and NON-CONSP, to Goal' (IMPLIES (CONSP X) (EQUAL (APP (CONS (CAR X) (APP (CDR X) Y)) Z) (CONS (CAR X) (APP (CDR X) (APP Y Z))))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Goal'' (IMPLIES (CONSP X) (EQUAL (CONS (CAR X) (APP (APP (CDR X) Y) Z)) (CONS (CAR X) (APP (CDR X) (APP Y Z))))). This simplifies, using primitive type reasoning and the :rewrite rule CONS-EQUAL, to Goal''' (IMPLIES (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Goal'4' (IMPLIES (CONSP (CONS X1 X2)) (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z)))). This simplifies, using primitive type reasoning, to Goal'5' (EQUAL (APP (APP X2 Y) Z) (APP X2 (APP Y Z))). Normally we would attempt to prove this formula by induction. However, we prefer in this instance to focus on the original input conjecture rather than this simplified special case. We therefore abandon our previous work on this conjecture and reassign the name *1 to the original conjecture. (See :DOC otf-flg.) [Note: Thanks again for the hint.] Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule APP-OF-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE APP-OF-CONS)) Warnings: None Time: 0.04 seconds (prove: 0.03, print: 0.00, other: 0.01) APP-ASSOCIATIVE ACL2 !>:pl (APP (CONS x y) Z) 1. APP-OF-CONS New term: (CONS X (APP Y Z)) Hypotheses: ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Subgoal *1/2" :expand ((APP X Y) (APP X (APP Y Z)))) ("Goal" :in-theory (enable (:induction app))))) This event is redundant. See :DOC redundant-events. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) :REDUNDANT ACL2 !>:u 4:x(DEFTHM APP-OF-CONS ...) ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Subgoal *1/2" :expand ((APP X Y) (APP X (APP Y Z)))) ("Goal" :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. [Note: A hint was supplied for our processing of the goal below. Thanks!] Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule APP-OF-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). Name the formula above *1.1. This formula is subsumed by one of its parents, *1, which we're in the process of trying to prove by induction. When an inductive proof gives rise to a subgoal that is less general than the original goal it is a sign that either an inappropriate induction was chosen or that the original goal is insufficiently general. In any case, our proof attempt has failed. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE APP-OF-CONS)) Warnings: None Time: 0.03 seconds (prove: 0.02, print: 0.00, other: 0.01) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defthm app-of-non-consp (implies (not (consp x)) (equal (app x y) y)) :hints (("Goal" :in-theory (enable app non-consp)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. Q.E.D. Summary Form: ( DEFTHM APP-OF-NON-CONSP ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) APP-OF-NON-CONSP ACL2 !>(defthm app-associative (equal (app (app x y) z) (app x (app y z))) :hints (("Subgoal *1/2" :expand ((APP X Y) (APP X (APP Y Z)))) ("Goal" :in-theory (enable (:induction app))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. [Note: A hint was supplied for our processing of the goal below. Thanks!] Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule APP-OF-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP)) Warnings: None Time: 0.03 seconds (prove: 0.02, print: 0.00, other: 0.01) APP-ASSOCIATIVE ACL2 !>Bye. Attempting to exit Lisp. If this fails to work, type :q and then try again. [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(certify-book "script") CERTIFICATION ATTEMPT FOR "/dryer/dill/ewsmith/script.lisp" ACL2 Version 2.9.2 * Step 1: Read "/dryer/dill/ewsmith/script.lisp" and compute its check sum. * Step 2: There were seven forms in the file. The check sum is 86863004. We now attempt to establish that each form, whether local or non-local, is indeed an admissible embedded event form in the context of the previously admitted ones. Note that proof-tree output is inhibited during this check; see :DOC proof-tree. ACL2 >>(DEFUN NON-CONSP (X) (NOT (CONSP X))) Since NON-CONSP is non-recursive, its admission is trivial. We observe that the type of NON-CONSP is described by the theorem (OR (EQUAL (NON-CONSP X) T) (EQUAL (NON-CONSP X) NIL)). Summary Form: ( DEFUN NON-CONSP ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) NON-CONSP ACL2 >>(DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) For the admission of APP we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (NON-CONSP X)) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). By the simple :definition NON-CONSP we reduce the conjecture to Goal' (IMPLIES (CONSP X) (O< (ACL2-COUNT (CDR X)) (ACL2-COUNT X))). But we reduce the conjecture to T, by case analysis. Q.E.D. That completes the proof of the measure theorem for APP. Thus, we admit this function under the principle of definition. We observe that the type of APP is described by the theorem (OR (CONSP (APP X Y)) (EQUAL (APP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN APP ...) Rules: ((:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.01, other: 0.00) APP ACL2 >>(IN-THEORY (DISABLE APP)) Summary Form: (IN-THEORY (DISABLE ...)) Rules: NIL Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) 1732 ACL2 >>(DEFTHM APP-OF-CONS (EQUAL (APP (CONS X Y) Z) (CONS X (APP Y Z))) :HINTS (("Goal" :IN-THEORY (ENABLE APP)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Q.E.D. Summary Form: ( DEFTHM APP-OF-CONS ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.03 seconds (prove: 0.00, print: 0.01, other: 0.02) APP-OF-CONS ACL2 >>(DEFTHM APP-OF-NON-CONSP (IMPLIES (NOT (CONSP X)) (EQUAL (APP X Y) Y)) :HINTS (("Goal" :IN-THEORY (ENABLE APP NON-CONSP)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] But simplification reduces this to T, using the :definitions APP and NON-CONSP and primitive type reasoning. Q.E.D. Summary Form: ( DEFTHM APP-OF-NON-CONSP ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) APP-OF-NON-CONSP ACL2 >>(DEFTHM APP-ASSOCIATIVE (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z))) :HINTS (("Subgoal *1/2" :EXPAND ((APP X Y) (APP X (APP Y Z)))) ("Goal" :IN-THEORY (ENABLE (:INDUCTION APP))))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (APP X Y). This suggestion was produced using the :induction rule APP. If we let (:P X Y Z) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP X)) (:P (CDR X) Y Z)) (:P X Y Z)) (IMPLIES (NON-CONSP X) (:P X Y Z))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. [Note: A hint was supplied for our processing of the goal below. Thanks!] Subgoal *1/2 (IMPLIES (AND (NOT (NON-CONSP X)) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (APP (APP (CDR X) Y) Z) (APP (CDR X) (APP Y Z)))) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule APP-OF-CONS. Subgoal *1/1 (IMPLIES (NON-CONSP X) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (APP (APP X Y) Z) (APP X (APP Y Z)))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM APP-ASSOCIATIVE ...) Rules: ((:DEFINITION APP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP)) Warnings: None Time: 0.04 seconds (prove: 0.01, print: 0.01, other: 0.02) APP-ASSOCIATIVE [SGC for 11 STRING pages..(8109 writable)..(T=3).GC finished] * Step 3: That completes the admissibility check. Each form read was an embedded event form and was admissible. We now retract back to the initial world and try to include the book. This may expose local incompatibilities. Summary Form: ( INCLUDE-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.00, other: 0.02) ACL2 Warning [Guards] in (CERTIFY-BOOK "script" ...): You have told certify-book to produce a compiled file for "/dryer/dill/ewsmith/script.lisp". However, the functions NON-CONSP and APP have not had their guards verified. A compiled file will be produced anyway, but all bets are off if you load it into raw Common Lisp and try to run the functions in it. See :DOC verify-guards. * Step 4: Write the certificate for "/dryer/dill/ewsmith/script.lisp" in "/dryer/dill/ewsmith/script.cert". The final check sum alist is (("/dryer/dill/ewsmith/script.lisp" "script" "script" ((:SKIPPED-PROOFSP) (:AXIOMSP)) . 86863004)). * Step 5: Compile the functions defined in "/dryer/dill/ewsmith/script.lisp". As noted above, two functions have not had their guards verified. A compiled file will be produced but you are advised not to use it in raw Common Lisp. See :DOC guard for a general discussion of the issues. Compiling /dryer/dill/ewsmith/script.lisp. End of Pass 1. [SGC for 11 STRING pages..(8123 writable)..(T=3).GC finished] End of Pass 2. OPTIMIZE levels: Safety=0 (No runtime error checking), Space=0, Speed=3 Finished compiling /dryer/dill/ewsmith/script.o. "/dryer/dill/ewsmith/script.o" Loading /dryer/dill/ewsmith/script.o start address -T 0x8976ed8 Finished loading /dryer/dill/ewsmith/script.o Summary Form: (CERTIFY-BOOK "script" ...) Rules: NIL Warnings: Guards Time: 0.17 seconds (prove: 0.01, print: 0.03, other: 0.13) "/dryer/dill/ewsmith/script.lisp" ACL2 !>Bye. Attempting to exit Lisp. If this fails to work, type :q and then try again. [ewsmith@gourd ~]$ ls acl2-2.9.2 app.o notes~ script.cert stuff~ acl2-2.9.2.tar.gz gcl-2.6.6 rev.cert script.lisp test2.lisp app.cert gcl-2.6.6.tar.gz rev.lisp script.lisp~ test2.lisp~ app.lisp j.txt rev.lisp~ script.o #test.lisp# app.lisp~ notes rev.o stuff [ewsmith@gourd ~]$ ls -lrt total 13432 -rw-r--r-- 1 ewsmith async 8186053 May 16 11:00 gcl-2.6.6.tar.gz drwxr-x--- 28 ewsmith async 4096 May 16 14:38 gcl-2.6.6 -rw-r--r-- 1 ewsmith async 5352740 May 16 14:44 acl2-2.9.2.tar.gz drwxr-xr-x 7 ewsmith async 4096 May 16 15:45 acl2-2.9.2 -rw-r--r-- 1 ewsmith async 18 May 17 21:59 #test.lisp# -rw-r--r-- 1 ewsmith async 18 May 17 22:07 test2.lisp~ -rw-r--r-- 1 ewsmith async 99451 May 17 22:29 j.txt -rw-r--r-- 1 ewsmith async 230 May 18 07:45 notes~ -rw-r--r-- 1 ewsmith async 820 May 18 08:50 app.lisp~ -rw-r--r-- 1 ewsmith async 4186 May 18 08:51 test2.lisp -rw-r--r-- 1 ewsmith async 344 May 18 08:51 rev.lisp~ -rw-r--r-- 1 ewsmith async 394 May 18 08:53 rev.lisp -rw-r--r-- 1 ewsmith async 821 May 18 08:53 app.lisp -rw-r--r-- 1 ewsmith async 1561 May 18 08:53 app.o -rw-r--r-- 1 ewsmith async 196 May 18 08:53 app.cert -rw-r--r-- 1 ewsmith async 285 May 18 08:54 rev.cert -rw-r--r-- 1 ewsmith async 1943 May 18 08:54 rev.o -rw-r--r-- 1 ewsmith async 154 May 18 08:55 script.lisp~ -rw-r--r-- 1 ewsmith async 4186 May 18 08:55 stuff~ -rw-r--r-- 1 ewsmith async 249 May 18 09:31 notes -rw-r--r-- 1 ewsmith async 4188 May 18 09:53 stuff -rw-r--r-- 1 ewsmith async 702 May 18 10:18 script.lisp -rw-r--r-- 1 ewsmith async 1561 May 18 10:18 script.o -rw-r--r-- 1 ewsmith async 204 May 18 10:18 script.cert [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>Bye. Attempting to exit Lisp. If this fails to work, type :q and then try again. [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(include-book "script") [SGC for 11 STRING pages..(8108 writable)..(T=2).GC finished] Loading /dryer/dill/ewsmith/script.o start address -T 0x8976ec8 Finished loading /dryer/dill/ewsmith/script.o Summary Form: ( INCLUDE-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) "/dryer/dill/ewsmith/script.lisp" ACL2 !>:pbt 1 d 1:x(INCLUDE-BOOK "script") ACL2 !>:pe app d 1:x(INCLUDE-BOOK "script") \ [Included books, outermost to innermost: "/dryer/dill/ewsmith/script.lisp" ] \ >L d (DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) ACL2 !>(defun rev (x) (if (endp x) x (app (rev (cdr x)) (list (car x))))) The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We could deduce no constraints on the type of REV. Summary Form: ( DEFUN REV ...) Rules: NIL Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) REV ACL2 !>(rev '(1 2 3 4)) (4 3 2 1) ACL2 !>(rev nil) NIL ACL2 !>(rev '(1 2 . 3)) ACL2 Error in TOP-LEVEL: The guard for the function symbol ENDP, which is (OR (CONSP X) (EQUAL X NIL)), is violated by the arguments in the call (ENDP 3). The guard is being checked because this function is a primitive and a "safe" mode is being used, perhaps for macroexpansion. See :DOC wet for how you might be able to get an error backtrace. ACL2 !>:set-guard-checking nil [SGC for 11 STRING pages..(8112 writable)..(T=2).GC finished] Turning guard checking off. That is, results will be given in the ACL2 logic. This raises a question: how should :program functions be evaluated? They have no logical definitions. Our decision is that calls of :program functions at the top level will continue to be evaluable but will continue to check their guards and signal errors when their guards are not satisfied. As with :logic functions, when a guard has been satisfied no subsidiary guard checking will be done. A few :logic functions that take STATE, including for example PRINC$, will also be treated this way. ACL2 >(rev '(1 2 . 3)) (2 1) ACL2 >(thm (equal (rev (rev x)) x)) Name the formula above *1. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X))) (:P X)) (IMPLIES (ENDP X) (:P X))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (REV (CDR X))) (CDR X))) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X))) (EQUAL (REV (REV X)) X)). This simplifies, using the :definition REV, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X))) (EQUAL (REV (APP (REV (CDR X)) (LIST (CAR X)))) X)). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (REV X2)) X2)) (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 X2))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (REV X2)) X2) (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 X2))). We now use the hypothesis by cross-fertilizing (REV (REV X2)) for X2 and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 (REV (REV X2)))). We generalize this conjecture, replacing (REV X2) by RV. This produces Subgoal *1/2'6' (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (ENDP X) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (REV (REV X)) X)). But simplification reduces this to T, using the :definition REV and primitive type reasoning. So we now return to *1.1, which is (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV))). Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (REV RV). This suggestion was produced using the :induction rule REV. If we let (:P RV X1) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP RV)) (:P (CDR RV) X1)) (:P RV X1)) (IMPLIES (ENDP RV) (:P RV X1))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT RV) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (ENDP RV)) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP RV) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). This simplifies, using the :definition REV, to Subgoal *1.1/2'' (IMPLIES (AND (CONSP RV) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (APP (REV (CDR RV)) (LIST (CAR RV)))))). The destructor terms (CAR RV) and (CDR RV) can be eliminated by using CAR-CDR-ELIM to replace RV by (CONS RV1 RV2), (CAR RV) by RV1 and (CDR RV) by RV2. This produces the following goal. Subgoal *1.1/2''' (IMPLIES (AND (CONSP (CONS RV1 RV2)) (EQUAL (REV (APP RV2 (LIST X1))) (CONS X1 (REV RV2)))) (EQUAL (REV (APP (CONS RV1 RV2) (LIST X1))) (CONS X1 (APP (REV RV2) (LIST RV1))))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Subgoal *1.1/2'4' (IMPLIES (AND (CONSP (CONS RV1 RV2)) (EQUAL (REV (APP RV2 (LIST X1))) (CONS X1 (REV RV2)))) (EQUAL (REV (CONS RV1 (APP RV2 (LIST X1)))) (CONS X1 (APP (REV RV2) (LIST RV1))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rules APP-OF-CONS, CAR-CONS and CDR- CONS. Subgoal *1.1/1 (IMPLIES (ENDP RV) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (NOT (CONSP RV)) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). This simplifies, using the :definition REV, the :executable-counterpart of REV, primitive type reasoning and the :rewrite rules APP-OF-NON- CONSP, CAR-CONS, CDR-CONS and CONS-EQUAL, to Subgoal *1.1/1'' (IMPLIES (NOT (CONSP RV)) (NOT RV)). Name the formula above *1.1.1. No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed. Summary Form: ( THM ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:EXECUTABLE-COUNTERPART REV) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE CONS-EQUAL)) Warnings: None Time: 0.04 seconds (prove: 0.04, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >:pe true-listp -4242 (ENCAPSULATE NIL ...) \ >V (VERIFY-TERMINATION TRUE-LISTP) ACL2 >:props true-listp ACL2 Properties of TRUE-LISTP: ABSOLUTE-EVENT-NUMBER 779 BODY (IF (CONSP X) (TRUE-LISTP (CDR X)) (EQUAL X 'NIL)) COARSENINGS NIL CONGRUENCES NIL CONTROLLER-ALISTS (((TRUE-LISTP T))) FORMALS (X) INDUCTION-MACHINE ((TESTS-AND-CALLS ((CONSP X)) (TRUE-LISTP (CDR X))) (TESTS-AND-CALLS ((NOT (CONSP X))))) JUSTIFICATION (JUSTIFICATION (X) O-P O< (ACL2-COUNT X)) LEMMAS ((REWRITE-RULE (:DEFINITION TRUE-LISTP) 169 NIL EQUAL (TRUE-LISTP X) (IF (CONSP X) (TRUE-LISTP (CDR X)) (EQUAL X 'NIL)) DEFINITION ((TRUE-LISTP) ((TRUE-LISTP T))) NIL)) LEVEL-NO 1 PRIMITIVE-RECURSIVE-DEFUNP T QUICK-BLOCK-INFO (SELF-REFLEXIVE) RECURSIVEP (TRUE-LISTP) REDEFINED (:RECLASSIFYING-OVERWRITE TRUE-LISTP (X) (NIL) (NIL)) RUNIC-MAPPING-PAIRS ((169 :DEFINITION TRUE-LISTP) (170 :EXECUTABLE-COUNTERPART TRUE-LISTP) (171 :TYPE-PRESCRIPTION TRUE-LISTP) (172 :INDUCTION TRUE-LISTP)) STOBJS-IN (NIL) STOBJS-OUT (NIL) SYMBOL-CLASS :COMMON-LISP-COMPLIANT TYPE-PRESCRIPTIONS ((192 (171 TRUE-LISTP X) NIL (NIL :TYPE-PRESCRIPTION TRUE-LISTP) IF (EQUAL (TRUE-LISTP X) 'T) 'T (EQUAL (TRUE-LISTP X) 'NIL))) UNNORMALIZED-BODY (IF (CONSP X) (TRUE-LISTP (CDR X)) (EQ X 'NIL)) ACL2 >(true-listp 3) NIL ACL2 >(true-listp nil) T ACL2 >(true-listp '(1 2 3)) T ACL2 >(true-listp '(1 2 3 . 4)) NIL ACL2 >(true-listp '(1 (1 . 5) 3 )) T ACL2 >(rev '(1 (1 . 5) 3)) (3 (1 . 5) 1) ACL2 >(defthm rev-rev (implies (true-listp x) (equal (rev (rev x)) x))) Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rules REV and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X))) (:P X)) (IMPLIES (ENDP X) (:P X))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). This simplifies, using the :definitions REV and TRUE-LISTP, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP (CDR X))) (EQUAL (REV (APP (REV (CDR X)) (LIST (CAR X)))) X)). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (REV X2)) X2) (TRUE-LISTP X2)) (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 X2))). This simplifies, using primitive type reasoning, to Subgoal *1/3'4' (IMPLIES (AND (EQUAL (REV (REV X2)) X2) (TRUE-LISTP X2)) (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 X2))). We now use the first hypothesis by cross-fertilizing (REV (REV X2)) for X2 and throwing away the hypothesis. This produces Subgoal *1/3'5' (IMPLIES (TRUE-LISTP X2) (EQUAL (REV (APP (REV X2) (LIST X1))) (CONS X1 (REV (REV X2))))). We generalize this conjecture, replacing (REV X2) by RV. This produces Subgoal *1/3'6' (IMPLIES (TRUE-LISTP X2) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). We suspect that the term (TRUE-LISTP X2) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/3'7' (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV))). Name the formula above *1.1. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/1 (IMPLIES (AND (ENDP X) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV and primitive type reasoning. So we now return to *1.1, which is (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV))). Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (REV RV). This suggestion was produced using the :induction rule REV. If we let (:P RV X1) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP RV)) (:P (CDR RV) X1)) (:P RV X1)) (IMPLIES (ENDP RV) (:P RV X1))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT RV) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (ENDP RV)) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP RV) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). This simplifies, using the :definition REV, to Subgoal *1.1/2'' (IMPLIES (AND (CONSP RV) (EQUAL (REV (APP (CDR RV) (LIST X1))) (CONS X1 (REV (CDR RV))))) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (APP (REV (CDR RV)) (LIST (CAR RV)))))). The destructor terms (CAR RV) and (CDR RV) can be eliminated by using CAR-CDR-ELIM to replace RV by (CONS RV1 RV2), (CAR RV) by RV1 and (CDR RV) by RV2. This produces the following goal. Subgoal *1.1/2''' (IMPLIES (AND (CONSP (CONS RV1 RV2)) (EQUAL (REV (APP RV2 (LIST X1))) (CONS X1 (REV RV2)))) (EQUAL (REV (APP (CONS RV1 RV2) (LIST X1))) (CONS X1 (APP (REV RV2) (LIST RV1))))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Subgoal *1.1/2'4' (IMPLIES (AND (CONSP (CONS RV1 RV2)) (EQUAL (REV (APP RV2 (LIST X1))) (CONS X1 (REV RV2)))) (EQUAL (REV (CONS RV1 (APP RV2 (LIST X1)))) (CONS X1 (APP (REV RV2) (LIST RV1))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rules APP-OF-CONS, CAR-CONS and CDR- CONS. Subgoal *1.1/1 (IMPLIES (ENDP RV) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (NOT (CONSP RV)) (EQUAL (REV (APP RV (LIST X1))) (CONS X1 (REV RV)))). This simplifies, using the :definition REV, the :executable-counterpart of REV, primitive type reasoning and the :rewrite rules APP-OF-NON- CONSP, CAR-CONS, CDR-CONS and CONS-EQUAL, to Subgoal *1.1/1'' (IMPLIES (NOT (CONSP RV)) (NOT RV)). Name the formula above *1.1.1. No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM REV-REV ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:ELIM CAR-CDR-ELIM) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART REV) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:INDUCTION TRUE-LISTP) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE CONS-EQUAL)) Warnings: None Time: 0.05 seconds (prove: 0.03, print: 0.02, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-rev (implies (true-listp x) (equal (rev (rev x)) x)) :hints (("Goal" :do-not '(generalize eliminate-destructors)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rules REV and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X))) (:P X)) (IMPLIES (ENDP X) (:P X))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). This simplifies, using the :definitions REV and TRUE-LISTP, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP (CDR X))) (EQUAL (REV (APP (REV (CDR X)) (LIST (CAR X)))) X)). Name the formula above *1.1. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/1 (IMPLIES (AND (ENDP X) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV and primitive type reasoning. So we now return to *1.1, which is (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP (CDR X))) (EQUAL (REV (APP (REV (CDR X)) (LIST (CAR X)))) X)). No induction schemes are suggested by *1.1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM REV-REV ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART REV) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:INDUCTION TRUE-LISTP)) Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.02, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (app (rev y) (rev x))) ; :hints (("Goal" :in-theory (enable app))) ) Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (REV Y). This suggestion was produced using the :induction rule REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP Y)) (:P X (CDR Y))) (:P X Y)) (IMPLIES (ENDP Y) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT Y) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP Y)) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP Y) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rules APP- ASSOCIATIVE, APP-OF-CONS and APP-OF-NON-CONSP, to Subgoal *1/2'' (IMPLIES (AND (CONSP Y) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X)))) (EQUAL (REV (APP X Y)) (APP (REV (CDR Y)) (CONS (CAR Y) (REV X))))). The destructor terms (CAR Y) and (CDR Y) can be eliminated by using CAR-CDR-ELIM to replace Y by (CONS Y1 Y2), (CAR Y) by Y1 and (CDR Y) by Y2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS Y1 Y2)) (EQUAL (REV (APP X Y2)) (APP (REV Y2) (REV X)))) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP (REV Y2) (CONS Y1 (REV X))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (APP X Y2)) (APP (REV Y2) (REV X))) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP (REV Y2) (CONS Y1 (REV X))))). We generalize this conjecture, replacing (REV X) by RV and (REV Y2) by RV0. This produces Subgoal *1/2'5' (IMPLIES (EQUAL (REV (APP X Y2)) (APP RV0 RV)) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP RV0 (CONS Y1 RV)))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (ENDP Y) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP Y)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1/1'' (IMPLIES (NOT (CONSP Y)) (EQUAL (REV (APP X Y)) (REV X))). Name the formula above *1.2. Perhaps we can prove *1.2 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X Y) denote *1.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.2/2 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.2/2' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). This simplifies, using the :definition REV, to Subgoal *1.2/2'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (APP (REV (CDR X)) (LIST (CAR X))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1.2/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (REV X2)) (NOT (CONSP Y))) (EQUAL (REV (APP (CONS X1 X2) Y)) (APP (REV X2) (LIST X1)))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Subgoal *1.2/2'4' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (REV X2)) (NOT (CONSP Y))) (EQUAL (REV (CONS X1 (APP X2 Y))) (APP (REV X2) (LIST X1)))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1.2/1 (IMPLIES (AND (ENDP X) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.2/1' (IMPLIES (AND (NOT (CONSP X)) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1.2/1'' (IMPLIES (AND (NOT (CONSP X)) (NOT (CONSP Y))) (EQUAL Y X)). We suspect that this conjecture is not a theorem. We might as well be trying to prove Subgoal *1.2/1''' NIL. Obviously, the proof attempt has failed. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.03 seconds (prove: 0.02, print: 0.01, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (app (rev y) (rev x))) :hints (("Goal" :in-theory (enable app))) ) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). [SGC for 452 CONS pages..(8121 writable)..(T=5).GC finished] The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/1 (IMPLIES (ENDP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1/1'' (IMPLIES (NOT (CONSP X)) (EQUAL (REV Y) (APP (REV Y) X))). We generalize this conjecture, replacing (REV Y) by RV. This produces Subgoal *1/1''' (IMPLIES (NOT (CONSP X)) (EQUAL RV (APP RV X))). Name the formula above *1.1. Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP RV X). This suggestion was produced using the :induction rule APP. If we let (:P RV X) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP RV)) (:P (CDR RV) X)) (:P RV X)) (IMPLIES (NON-CONSP RV) (:P RV X))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT RV) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (NON-CONSP RV)) (EQUAL (CDR RV) (APP (CDR RV) X)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP RV) (EQUAL (CDR RV) (APP (CDR RV) X)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule CAR-CDR-ELIM. Subgoal *1.1/1 (IMPLIES (AND (NON-CONSP RV) (NOT (CONSP X))) (EQUAL RV (APP RV X))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (AND (NOT (CONSP RV)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). This simplifies, using the :rewrite rule APP-OF-NON-CONSP, to Subgoal *1.1/1'' (IMPLIES (AND (NOT (CONSP RV)) (NOT (CONSP X))) (EQUAL RV X)). We suspect that this conjecture is not a theorem. We might as well be trying to prove Subgoal *1.1/1''' NIL. Obviously, the proof attempt has failed. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CDR-ELIM) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.15 seconds (prove: 0.11, print: 0.02, other: 0.02) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (if (consp x) (app (rev y) (rev x)) (rev y))) ; :hints (("Goal" :in-theory (enable app))) ) This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Name the formula above *1. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (REV Y))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. So we now return to *1, which is (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. We will choose arbitrarily among these. We will induct according to a scheme suggested by (REV Y). This suggestion was produced using the :induction rule REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP Y)) (:P X (CDR Y))) (:P X Y)) (IMPLIES (ENDP Y) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT Y) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP Y)) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP Y) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rules APP- ASSOCIATIVE, APP-OF-CONS and APP-OF-NON-CONSP, to Subgoal *1/2'' (IMPLIES (AND (CONSP Y) (EQUAL (REV (APP X (CDR Y))) (APP (REV (CDR Y)) (REV X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV (CDR Y)) (CONS (CAR Y) (REV X))))). The destructor terms (CAR Y) and (CDR Y) can be eliminated by using CAR-CDR-ELIM to replace Y by (CONS Y1 Y2), (CAR Y) by Y1 and (CDR Y) by Y2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS Y1 Y2)) (EQUAL (REV (APP X Y2)) (APP (REV Y2) (REV X))) (CONSP X)) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP (REV Y2) (CONS Y1 (REV X))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (AND (EQUAL (REV (APP X Y2)) (APP (REV Y2) (REV X))) (CONSP X)) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP (REV Y2) (CONS Y1 (REV X))))). We generalize this conjecture, replacing (REV X) by RV and (REV Y2) by RV0. This produces Subgoal *1/2'5' (IMPLIES (AND (EQUAL (REV (APP X Y2)) (APP RV0 RV)) (CONSP X)) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP RV0 (CONS Y1 RV)))). Name the formula above *1.1. Subgoal *1/1 (IMPLIES (AND (ENDP Y) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (NOT (CONSP Y)) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1/1'' (IMPLIES (AND (NOT (CONSP Y)) (CONSP X)) (EQUAL (REV (APP X Y)) (REV X))). Name the formula above *1.2. Perhaps we can prove *1.2 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rule REV. If we let (:P X Y) denote *1.2 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1.2/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y)) (CONSP X)) (EQUAL (REV (APP X Y)) (REV X))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.2/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). This simplifies, using the :definition REV, to Subgoal *1.2/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (REV (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (APP (REV (CDR X)) (LIST (CAR X))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1.2/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (REV X2)) (NOT (CONSP Y))) (EQUAL (REV (APP (CONS X1 X2) Y)) (APP (REV X2) (LIST X1)))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Subgoal *1.2/3'4' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (REV X2)) (NOT (CONSP Y))) (EQUAL (REV (CONS X1 (APP X2 Y))) (APP (REV X2) (LIST X1)))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1.2/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (CONSP (CDR X))) (NOT (CONSP Y)) (CONSP X)) (EQUAL (REV (APP X Y)) (REV X))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.2/2' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (REV X))). This simplifies, using the :definition REV, to Subgoal *1.2/2'' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (APP (REV (CDR X)) (LIST (CAR X))))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1.2/2''' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X))) (NOT (CONSP Y))) (EQUAL (REV (APP X Y)) (LIST (CAR X)))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1.2/2'4' (IMPLIES (AND (CONSP (CONS X1 X2)) (NOT (CONSP X2)) (NOT (CONSP Y))) (EQUAL (REV (APP (CONS X1 X2) Y)) (LIST X1))). By the simple :rewrite rule APP-OF-CONS we reduce the conjecture to Subgoal *1.2/2'5' (IMPLIES (AND (CONSP (CONS X1 X2)) (NOT (CONSP X2)) (NOT (CONSP Y))) (EQUAL (REV (CONS X1 (APP X2 Y))) (LIST X1))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rules APP-OF-NON-CONSP, CAR-CONS and CDR-CONS. Subgoal *1.2/1 (IMPLIES (AND (ENDP X) (NOT (CONSP Y)) (CONSP X)) (EQUAL (REV (APP X Y)) (REV X))). But we reduce the conjecture to T, by case analysis. That completes the proof of *1.2. We therefore turn our attention to *1.1, which is (IMPLIES (AND (EQUAL (REV (APP X Y2)) (APP RV0 RV)) (CONSP X)) (EQUAL (REV (APP X (CONS Y1 Y2))) (APP RV0 (CONS Y1 RV)))). No induction schemes are suggested by *1.1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.06 seconds (prove: 0.04, print: 0.02, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (if (consp x) (app (rev y) (rev x)) (rev y))) :hints (("Goal" :in-theory (enable app))) ) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Name the formula above *1. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (REV Y))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. So we now return to *1, which is (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X)))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/3'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/3'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (CONSP (CDR X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. Subgoal *1/1 (IMPLIES (AND (ENDP X) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). But we reduce the conjecture to T, by case analysis. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.05 seconds (prove: 0.04, print: 0.00, other: 0.01) REV-OF-APP ACL2 >:u [SGC for 452 CONS pages..(8122 writable)..(T=3).GC finished] L 2:x(DEFUN REV (X) ...) ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (app (rev y) (rev x))) :hints (("Goal" :in-theory (enable app ))) ) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/1 (IMPLIES (ENDP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definition REV and the :rewrite rule APP- OF-NON-CONSP, to Subgoal *1/1'' (IMPLIES (NOT (CONSP X)) (EQUAL (REV Y) (APP (REV Y) X))). We generalize this conjecture, replacing (REV Y) by RV. This produces Subgoal *1/1''' (IMPLIES (NOT (CONSP X)) (EQUAL RV (APP RV X))). Name the formula above *1.1. Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (APP RV X). This suggestion was produced using the :induction rule APP. If we let (:P RV X) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (NON-CONSP RV)) (:P (CDR RV) X)) (:P RV X)) (IMPLIES (NON-CONSP RV) (:P RV X))). This induction is justified by the same argument used to admit APP, namely, the measure (ACL2-COUNT RV) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (NON-CONSP RV)) (EQUAL (CDR RV) (APP (CDR RV) X)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP RV) (EQUAL (CDR RV) (APP (CDR RV) X)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). But simplification reduces this to T, using the :definitions APP and NON-CONSP, primitive type reasoning and the :rewrite rule CAR-CDR-ELIM. Subgoal *1.1/1 (IMPLIES (AND (NON-CONSP RV) (NOT (CONSP X))) (EQUAL RV (APP RV X))). By the simple :definition NON-CONSP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (AND (NOT (CONSP RV)) (NOT (CONSP X))) (EQUAL RV (APP RV X))). This simplifies, using the :rewrite rule APP-OF-NON-CONSP, to Subgoal *1.1/1'' (IMPLIES (AND (NOT (CONSP RV)) (NOT (CONSP X))) (EQUAL RV X)). We suspect that this conjecture is not a theorem. We might as well be trying to prove Subgoal *1.1/1''' NIL. Obviously, the proof attempt has failed. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CDR-ELIM) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.07 seconds (prove: 0.04, print: 0.01, other: 0.02) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (if (consp x) (app (rev y) (rev x)) (rev y))) :hints (("Goal" :in-theory (enable app ))) ) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Name the formula above *1. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (REV Y))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. So we now return to *1, which is (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X)))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/3'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/3'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (CONSP (CDR X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. Subgoal *1/1 (IMPLIES (AND (ENDP X) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). But we reduce the conjecture to T, by case analysis. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.06 seconds (prove: 0.04, print: 0.01, other: 0.01) REV-OF-APP ACL2 >:u L 2:x(DEFUN REV (X) ...) ACL2 >(/ 5 0) 0 ACL2 >(defthm rev-of-app (equal (REV (APP x y)) (if (consp x) (app (rev y) (rev x)) (rev y))) :hints (("Goal" :in-theory (enable app ))) ) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Name the formula above *1. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (REV Y))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. So we now return to *1, which is (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X)))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/3'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/3'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (CONSP (CDR X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. Subgoal *1/1 (IMPLIES (AND (ENDP X) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). But we reduce the conjecture to T, by case analysis. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.08 seconds (prove: 0.05, print: 0.01, other: 0.02) REV-OF-APP ACL2 >(defthm rev-rev (implies (true-listp x) (equal (rev (rev x)) x)) :hints (("Goal" :do-not '(generalize eliminate-destructors)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rules REV and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X))) (:P X)) (IMPLIES (ENDP X) (:P X))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). This simplifies, using the :definitions REV and TRUE-LISTP, the :executable- counterpart of REV, primitive type reasoning and the :rewrite rules APP-OF-CONS, APP-OF-NON-CONSP, CAR-CDR-ELIM, CAR-CONS, CDR-CONS and REV-OF-APP, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP (CDR X)) (NOT (CONSP (REV (CDR X))))) (EQUAL (LIST (CAR X)) X)). But simplification reduces this to T, using the :definitions REV and TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/1 (IMPLIES (AND (ENDP X) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-REV ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART REV) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:INDUCTION TRUE-LISTP) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CDR-ELIM) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE REV-OF-APP)) Warnings: None Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) REV-REV ACL2 >Bye. Attempting to exit Lisp. If this fails to work, type :q and then try again. [ewsmith@gourd ~]$ ~ewsmith/acl2-2.9.2/saved_acl2 GCL (GNU Common Lisp) 2.6.6 CLtL1 May 16 2005 14:38:25 Source License: LGPL(gcl,gmp), GPL(unexec,bfd) Binary License: GPL due to GPL'ed components: (READLINE BFD UNEXEC) Modifications of this banner must retain notice of a compatible license Dedicated to the memory of W. Schelter Use (help) to get some basic information on how to use GCL. ACL2 Version 2.9.2 built May 16, 2005 14:53:35. Copyright (C) 2005 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES* NIL). See the documentation topic note-2-9-2 for recent changes. NOTE!! Proof trees are disabled in ACL2. To enable them in emacs, look under the ACL2 source directory in interface/emacs/README.doc; and, to turn on proof trees, execute :START-PROOF-TREE in the ACL2 command loop. Look in the ACL2 documentation under PROOF-TREE. ACL2 Version 2.9.2. Level 1. Cbd "/dryer/dill/ewsmith/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 !>(certify-book "rev") CERTIFICATION ATTEMPT FOR "/dryer/dill/ewsmith/rev.lisp" ACL2 Version 2.9.2 * Step 1: Read "/dryer/dill/ewsmith/rev.lisp" and compute its check sum. * Step 2: There were five forms in the file. The check sum is 152865359. We now attempt to establish that each form, whether local or non-local, is indeed an admissible embedded event form in the context of the previously admitted ones. Note that proof-tree output is inhibited during this check; see :DOC proof-tree. ACL2 >>(INCLUDE-BOOK "script") [SGC for 11 STRING pages..(8109 writable)..(T=1).GC finished] Loading /dryer/dill/ewsmith/script.o start address -T 0x8976ec8 Finished loading /dryer/dill/ewsmith/script.o Summary Form: ( INCLUDE-BOOK "script" ...) Rules: NIL Warnings: None Time: 0.03 seconds (prove: 0.00, print: 0.00, other: 0.03) "/dryer/dill/ewsmith/script.lisp" ACL2 >>(DEFUN REV (X) (IF (ENDP X) X (APP (REV (CDR X)) (LIST (CAR X))))) The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We could deduce no constraints on the type of REV. Summary Form: ( DEFUN REV ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) REV ACL2 >>(DEFTHM REV-OF-APP (EQUAL (REV (APP X Y)) (IF (CONSP X) (APP (REV Y) (REV X)) (REV Y))) :HINTS (("Goal" :IN-THEORY (ENABLE APP)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] This simplifies, using trivial observations, to the following two conjectures. Subgoal 2 (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Name the formula above *1. Subgoal 1 (IMPLIES (NOT (CONSP X)) (EQUAL (REV (APP X Y)) (REV Y))). But simplification reduces this to T, using primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. So we now return to *1, which is (IMPLIES (CONSP X) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. These merge into two derived induction schemes. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (REV X), but modified to accommodate (APP X Y). These suggestions were produced using the :induction rules APP and REV. If we let (:P X Y) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X) Y)) (:P X Y)) (IMPLIES (ENDP X) (:P X Y))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X)))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (APP (CDR X) Y)) (APP (REV Y) (REV (CDR X))))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). The destructor terms (CAR X) and (CDR X) can be eliminated by using CAR-CDR-ELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X) by X2. This produces the following goal. Subgoal *1/3''' (IMPLIES (AND (CONSP (CONS X1 X2)) (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2)))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). This simplifies, using primitive type reasoning, to Subgoal *1/3'4' (IMPLIES (EQUAL (REV (APP X2 Y)) (APP (REV Y) (REV X2))) (EQUAL (APP (REV (APP X2 Y)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1))))). We now use the hypothesis by substituting (APP (REV Y) (REV X2)) for (REV (APP X2 Y)) and throwing away the hypothesis. This produces Subgoal *1/3'5' (EQUAL (APP (APP (REV Y) (REV X2)) (LIST X1)) (APP (REV Y) (APP (REV X2) (LIST X1)))). But we reduce the conjecture to T, by the simple :rewrite rule APP- ASSOCIATIVE. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (CONSP (CDR X))) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). This simplifies, using the :definitions APP, NON-CONSP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP X) (NOT (CONSP (CDR X)))) (EQUAL (APP (REV (APP (CDR X) Y)) (LIST (CAR X))) (APP (REV Y) (APP (REV (CDR X)) (LIST (CAR X)))))). But simplification reduces this to T, using the :definition REV, primitive type reasoning and the :rewrite rule APP-OF-NON-CONSP. Subgoal *1/1 (IMPLIES (AND (ENDP X) (CONSP X)) (EQUAL (REV (APP X Y)) (APP (REV Y) (REV X)))). But we reduce the conjecture to T, by case analysis. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-OF-APP ...) Rules: ((:DEFINITION APP) (:DEFINITION ENDP) (:DEFINITION NON-CONSP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION APP) (:INDUCTION REV) (:REWRITE APP-ASSOCIATIVE) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Warnings: None Time: 0.06 seconds (prove: 0.02, print: 0.03, other: 0.01) REV-OF-APP ACL2 >>(DEFTHM REV-REV (IMPLIES (TRUE-LISTP X) (EQUAL (REV (REV X)) X)) :HINTS (("Goal" :DO-NOT '(GENERALIZE ELIMINATE-DESTRUCTORS)))) [Note: A hint was supplied for our processing of the goal above. Thanks!] Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. These merge into one derived induction scheme. We will induct according to a scheme suggested by (REV X). This suggestion was produced using the :induction rules REV and TRUE-LISTP. If we let (:P X) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X))) (:P X)) (IMPLIES (ENDP X) (:P X))). This induction is justified by the same argument used to admit REV, namely, the measure (ACL2-COUNT X) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O- P). When applied to the goal at hand the above induction scheme produces the following three nontautological subgoals. Subgoal *1/3 (IMPLIES (AND (NOT (ENDP X)) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/3' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). This simplifies, using the :definitions REV and TRUE-LISTP, the :executable- counterpart of REV, primitive type reasoning and the :rewrite rules APP-OF-CONS, APP-OF-NON-CONSP, CAR-CDR-ELIM, CAR-CONS, CDR-CONS and REV-OF-APP, to Subgoal *1/3'' (IMPLIES (AND (CONSP X) (EQUAL (REV (REV (CDR X))) (CDR X)) (TRUE-LISTP (CDR X)) (NOT (CONSP (REV (CDR X))))) (EQUAL (LIST (CAR X)) X)). But simplification reduces this to T, using the :definitions REV and TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP X)) (NOT (TRUE-LISTP (CDR X))) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But we reduce the conjecture to T, by primitive type reasoning. Subgoal *1/1 (IMPLIES (AND (ENDP X) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (AND (NOT (CONSP X)) (TRUE-LISTP X)) (EQUAL (REV (REV X)) X)). But simplification reduces this to T, using the :definition TRUE-LISTP, the :executable-counterparts of CONSP, EQUAL and REV and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM REV-REV ...) Rules: ((:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:DEFINITION TRUE-LISTP) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART REV) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:INDUCTION TRUE-LISTP) (:REWRITE APP-OF-CONS) (:REWRITE APP-OF-NON-CONSP) (:REWRITE CAR-CDR-ELIM) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE REV-OF-APP)) Warnings: None Time: 0.03 seconds (prove: 0.00, print: 0.03, other: 0.00) REV-REV * Step 3: That completes the admissibility check. Each form read was an embedded event form and was admissible. We now retract back to the initial world and try to include the book. This may expose local incompatibilities. [SGC for 11 STRING pages..(8116 writable)..(T=3).GC finished] Loading /dryer/dill/ewsmith/script.o start address -T 0x9cdd000 Finished loading /dryer/dill/ewsmith/script.o Summary Form: ( INCLUDE-BOOK "rev" ...) Rules: NIL Warnings: None Time: 0.05 seconds (prove: 0.00, print: 0.00, other: 0.05) ACL2 Warning [Guards] in (CERTIFY-BOOK "rev" ...): You have told certify- book to produce a compiled file for "/dryer/dill/ewsmith/rev.lisp". However, the functions NON-CONSP, APP and REV have not had their guards verified. A compiled file will be produced anyway, but all bets are off if you load it into raw Common Lisp and try to run the functions in it. See :DOC verify-guards. * Step 4: Write the certificate for "/dryer/dill/ewsmith/rev.lisp" in "/dryer/dill/ewsmith/rev.cert". The final check sum alist is (("/dryer/dill/ewsmith/rev.lisp" "rev" "rev" ((:SKIPPED-PROOFSP) (:AXIOMSP)) . 152865359) ("/dryer/dill/ewsmith/script.lisp" "script" "script" ((:SKIPPED-PROOFSP) (:AXIOMSP)) . 86863004)). * Step 5: Compile the functions defined in "/dryer/dill/ewsmith/rev.lisp". As noted above, three functions have not had their guards verified. A compiled file will be produced but you are advised not to use it in raw Common Lisp. See :DOC guard for a general discussion of the issues. Compiling /dryer/dill/ewsmith/rev.lisp. End of Pass 1. End of Pass 2. OPTIMIZE levels: Safety=0 (No runtime error checking), Space=0, Speed=3 Finished compiling /dryer/dill/ewsmith/rev.o. "/dryer/dill/ewsmith/rev.o" Loading /dryer/dill/ewsmith/rev.o start address -T 0x9cdd5c0 Finished loading /dryer/dill/ewsmith/rev.o Summary Form: (CERTIFY-BOOK "rev" ...) Rules: NIL Warnings: Guards Time: 0.17 seconds (prove: 0.02, print: 0.06, other: 0.09) "/dryer/dill/ewsmith/rev.lisp" ACL2 !>:u 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(include-book "rev") [SGC for 20 CFUN pages..(8159 writable)..(T=3).GC finished] Loading /dryer/dill/ewsmith/script.o start address -T 0x9cdd140 Finished loading /dryer/dill/ewsmith/script.o Loading /dryer/dill/ewsmith/rev.o start address -T 0x9cdd9b0 Finished loading /dryer/dill/ewsmith/rev.o Summary Form: ( INCLUDE-BOOK "rev" ...) Rules: NIL Warnings: None Time: 0.04 seconds (prove: 0.00, print: 0.00, other: 0.04) "/dryer/dill/ewsmith/rev.lisp" ACL2 !>:pe rev d 1:x(INCLUDE-BOOK "rev") \ [Included books, outermost to innermost: "/dryer/dill/ewsmith/rev.lisp" ] \ >L (DEFUN REV (X) (IF (ENDP X) X (APP (REV (CDR X)) (LIST (CAR X))))) ACL2 !>:pe app d 1:x(INCLUDE-BOOK "rev") \ [Included books, outermost to innermost: "/dryer/dill/ewsmith/rev.lisp" "/dryer/dill/ewsmith/script.lisp" ] \ >L d (DEFUN APP (X Y) (IF (NON-CONSP X) Y (CONS (CAR X) (APP (CDR X) Y)))) ACL2 !>(defun fact (n) (if (equal n 0) 1 (* n (fact (- n 1))))) For the admission of FACT we will use the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT N). The non-trivial part of the measure conjecture is Goal (IMPLIES (NOT (EQUAL N 0)) (O< (ACL2-COUNT (+ -1 N)) (ACL2-COUNT N))). This simplifies, using the :definitions O-FINP and O< and the :type- prescription rule ACL2-COUNT, to Goal' (IMPLIES (NOT (EQUAL N 0)) (< (ACL2-COUNT (+ -1 N)) (ACL2-COUNT N))). Name the formula above *1. Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (ACL2-COUNT N). This suggestion was produced using the :induction rule ACL2-COUNT. If we let (:P N) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N))) (:P N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (STRINGP N)) (:P N)) (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (COMPLEX-RATIONALP N) (:P (REALPART N)) (:P (IMAGPART N))) (:P N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (NOT (INTEGERP N))) (:P N)) (IMPLIES (AND (NOT (CONSP N)) (RATIONALP N) (INTEGERP N)) (:P N)) (IMPLIES (AND (CONSP N) (:P (CAR N)) (:P (CDR N))) (:P N))). This induction is justified by the same argument used to admit ACL2- COUNT, namely, the measure (ACL2-COUNT N) is decreasing according to the relation O< (which is known to be well-founded on the domain recognized by O-P). When applied to the goal at hand the above induction scheme produces the following twelve nontautological subgoals. Subgoal *1/12 (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N)) (NOT (STRINGP N)) (NOT (EQUAL N 0))) (< (ACL2-COUNT (+ -1 N)) (ACL2-COUNT N))). This simplifies, using the :definition ACL2-COUNT, the :executable- counterparts of <, ACL2-COUNT and FIX, primitive type reasoning and the :rewrite rule DEFAULT-+-2, to Subgoal *1/12' (IMPLIES (AND (NOT (CONSP N)) (NOT (RATIONALP N)) (NOT (COMPLEX-RATIONALP N))) (STRINGP N)). We suspect that this conjecture is not a theorem. We might as well be trying to prove Subgoal *1/12'' NIL. Obviously, the proof attempt has failed. Summary Form: ( DEFUN FACT ...) Rules: ((:DEFINITION ACL2-COUNT) (:DEFINITION O-FINP) (:DEFINITION O<) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART ACL2-COUNT) (:EXECUTABLE-COUNTERPART FIX) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION ACL2-COUNT) (:REWRITE DEFAULT-+-2) (:TYPE-PRESCRIPTION ACL2-COUNT)) Warnings: None Time: 0.01 seconds (prove: 0.01, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** [SGC for 20 CFUN pages..(8160 writable)..(T=3).GC finished] ACL2 !>(defun fact (n) (if (zp 0) 1 (* n (fact (- n 1))))) ACL2 Error in ( DEFUN FACT ...): No :MEASURE was supplied with the definition of FACT. Our heuristics for guessing one have not made any suggestions. No argument of the function is tested along every branch and occurs as a proper subterm at the same argument position in every recursive call. You must specify a :MEASURE. See :DOC defun. Summary Form: ( DEFUN FACT ...) Rules: NIL Warnings: None Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ******** FAILED ******** See :DOC failure ******** FAILED ******** ACL2 !>(defun fact (n) (if (zp n) 1 (* n (fact (- n 1))))) The admission of FACT is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT N). We observe that the type of FACT is described by the theorem (AND (INTEGERP (FACT N)) (< 0 (FACT N))). We used the :compound- recognizer rule ZP-COMPOUND-RECOGNIZER and primitive type reasoning. Summary Form: ( DEFUN FACT ...) Rules: ((:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER) (:FAKE-RUNE-FOR-TYPE-SET NIL)) Warnings: None Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.01) FACT ACL2 !>(fact 10) 3628800 ACL2 !>:pe zp V d -4918 (DEFUN ZP (X) (DECLARE (XARGS :MODE :LOGIC :GUARD (AND (INTEGERP X) (<= 0 X)))) "Documentation available via :doc" (IF (INTEGERP X) (<= X 0) T)) ACL2 !>(fact 4) 24 ACL2 !>(fact 1000) 402387260077093773543702433923003985719374864210714632543799910429938512398629020592044208486969404800479988610197196058631666872994808558901323829669944590997424504087073759918823627727188732519779505950995276120874975462497043601418278094646496291056393887437886487337119181045825783647849977012476632889835955735432513185323958463075557409114262417474349347553428646576611667797396668820291207379143853719588249808126867838374559731746136085379534524221586593201928090878297308431392844403281231558611036976801357304216168747609675871348312025478589320767169132448426236131412508780208000261683151027341827977704784635868170164365024153691398281264810213092761244896359928705114964975419909342221566832572080821333186116811553615836546984046708975602900950537616475847728421889679646244945160765353408198901385442487984959953319101723355556602139450399736280750137837615307127761926849034352625200015888535147331611702103968175921510907788019393178114194545257223865541461062892187960223838971476088506276862967146674697562911234082439208160153780889893964518263243671616762179168909779911903754031274622289988005195444414282012187361745992642956581746628302955570299024324153181617210465832036786906117260158783520751516284225540265170483304226143974286933061690897968482590125458327168226458066526769958652682272807075781391858178889652208164348344825993266043367660176999612831860788386150279465955131156552036093988180612138558600301435694527224206344631797460594682573103790084024432438465657245014402821885252470935190620929023136493273497565513958720559654228749774011413346962715422845862377387538230483865688976461927383814900140767310446640259899490222221765904339901886018566526485061799702356193897017860040811889729918311021171229845901641921068884387121855646124960798722908519296819372388642614839657382291123125024186649353143970137428531926649875337218940694281434118520158014123344828015051399694290153483077644569099073152433278288269864602789864321139083506217095002597389863554277196742822248757586765752344220207573630569498825087968928162753848863396909959826280956121450994871701244516461260379029309120889086942028510640182154399457156805941872748998094254742173582401063677404595741785160829230135358081840096996372524230560855903700624271243416909004153690105933983835777939410970027753472000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 ACL2 !>