Waverly% m6-demo
Welcome to Clozure Common Lisp Version 1.6-dev-r14316M-trunk (DarwinX8632)!
ACL2 Version 4.1 built October 1, 2010 14:31:52
then November 3, 2010 13:52:28.
Copyright (C) 2010 University of Texas at Austin
ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you
are welcome to redistribute it under certain conditions. For details,
see the GNU General Public License.
Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*).
See the documentation topic note-4-1 for recent changes.
Note: We have modified the prompt in some underlying Lisps to further
distinguish it from the ACL2 prompt.
MODIFICATION NOTICE:
Pre-load of M6 Demo
ACL2 Version 4.1. Level 1. Cbd "/Users/moore/work/typer/".
Distributed books directory
"/Users/moore/work/v4-1/acl2-sources/books/".
Type :help for help.
Type (good-bye) to quit completely out of ACL2.
ACL2 >(defun ap (x y)
(if (endp x)
y
(cons (car x)
(ap (cdr x) y))))
The admission of AP is trivial, using the relation O<
(which is known to be well-founded on the domain recognized
by O-P) and the measure (ACL2-COUNT X). We observe
that the type of AP is described by the theorem
(OR (CONSP (AP X Y)) (EQUAL (AP X Y) Y)). We used primitive
type reasoning.
Summary
Form: ( DEFUN AP ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Time: 0.04 seconds (prove: 0.00, print: 0.01, other: 0.03)
AP
ACL2 >(ap '(1 2 3) '(4 5 6))
(1 2 3 4 5 6)
ACL2 >(defthm ap-is-associative
(equal (ap (ap a b) c)
(ap a (ap b c))))
Name the formula above *1.
Perhaps we can prove *1 by induction. Three induction
schemes are suggested by this conjecture. Subsumption
reduces that number to two. However, one of these is
flawed and so we are left with one viable candidate.
We will induct according to a scheme suggested by (AP A B).
This suggestion was produced using the :induction rule
AP. If we let (:P A B C) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B C))
(:P A B C))
(IMPLIES (ENDP A) (:P A B C))).
This induction is justified by the same argument used
to admit AP. When applied to the goal at hand the above
induction scheme produces two nontautological subgoals.
Subgoal *1/2
(IMPLIES (AND (NOT (ENDP A))
(EQUAL (AP (AP (CDR A) B) C)
(AP (CDR A) (AP B C))))
(EQUAL (AP (AP A B) C)
(AP A (AP B C)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/2'
(IMPLIES (AND (CONSP A)
(EQUAL (AP (AP (CDR A) B) C)
(AP (CDR A) (AP B C))))
(EQUAL (AP (AP A B) C)
(AP A (AP B C)))).
But simplification reduces this to T, using the :definition
AP, primitive type reasoning and the :rewrite rules
CAR-CONS and CDR-CONS.
Subgoal *1/1
(IMPLIES (ENDP A)
(EQUAL (AP (AP A B) C)
(AP A (AP B C)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/1'
(IMPLIES (NOT (CONSP A))
(EQUAL (AP (AP A B) C)
(AP A (AP B C)))).
But simplification reduces this to T, using the :definition
AP and primitive type reasoning.
That completes the proof of *1.
Q.E.D.
Summary
Form: ( DEFTHM AP-IS-ASSOCIATIVE ...)
Rules: ((:DEFINITION AP)
(:DEFINITION ENDP)
(:DEFINITION NOT)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION AP)
(:REWRITE CAR-CONS)
(:REWRITE CDR-CONS))
Time: 0.03 seconds (prove: 0.02, print: 0.01, other: 0.00)
AP-IS-ASSOCIATIVE
ACL2 >(defun rev (x)
(if (endp x)
nil
(ap (rev (cdr x))
(list (car x)))))
The admission of REV is trivial, using the relation
O< (which is known to be well-founded on the domain
recognized by O-P) and the measure (ACL2-COUNT X).
We observe that the type of REV is described by the
theorem (OR (CONSP (REV X)) (EQUAL (REV X) NIL)). We
used primitive type reasoning and the :type-prescription
rule AP.
Summary
Form: ( DEFUN REV ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
(:TYPE-PRESCRIPTION AP))
Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
REV
ACL2 >(rev '(1 2 3 4 5 6))
(6 5 4 3 2 1)
ACL2 >(defthm main
(equal (rev (ap a b))
(ap (rev b) (rev a))))
Name the formula above *1.
Perhaps we can prove *1 by induction. Three induction
schemes are suggested by this conjecture. Subsumption
reduces that number to two. However, one of these is
flawed and so we are left with one viable candidate.
We will induct according to a scheme suggested by (AP A B).
This suggestion was produced using the :induction rules
AP and REV. If we let (:P A B) denote *1 above then
the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B))
(:P A B))
(IMPLIES (ENDP A) (:P A B))).
This induction is justified by the same argument used
to admit AP. When applied to the goal at hand the above
induction scheme produces two nontautological subgoals.
Subgoal *1/2
(IMPLIES (AND (NOT (ENDP A))
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/2'
(IMPLIES (AND (CONSP A)
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
This simplifies, using the :definitions AP and REV,
primitive type reasoning and the :rewrite rules CAR-CONS
and CDR-CONS, to
Subgoal *1/2''
(IMPLIES (AND (CONSP A)
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (AP (REV (AP (CDR A) B)) (LIST (CAR A)))
(AP (REV B)
(AP (REV (CDR A)) (LIST (CAR A)))))).
The destructor terms (CAR A) and (CDR A) can be eliminated
by using CAR-CDR-ELIM to replace A by (CONS A1 A2),
(CAR A) by A1 and (CDR A) by A2. This produces the
following goal.
Subgoal *1/2'''
(IMPLIES (AND (CONSP (CONS A1 A2))
(EQUAL (REV (AP A2 B))
(AP (REV B) (REV A2))))
(EQUAL (AP (REV (AP A2 B)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1))))).
This simplifies, using primitive type reasoning, to
Subgoal *1/2'4'
(IMPLIES (EQUAL (REV (AP A2 B))
(AP (REV B) (REV A2)))
(EQUAL (AP (REV (AP A2 B)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1))))).
We now use the hypothesis by substituting
(AP (REV B) (REV A2)) for (REV (AP A2 B)) and throwing
away the hypothesis. This produces
Subgoal *1/2'5'
(EQUAL (AP (AP (REV B) (REV A2)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1)))).
But we reduce the conjecture to T, by the simple :rewrite
rule AP-IS-ASSOCIATIVE.
Subgoal *1/1
(IMPLIES (ENDP A)
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/1'
(IMPLIES (NOT (CONSP A))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
This simplifies, using the :definitions AP and REV,
to
Subgoal *1/1''
(IMPLIES (NOT (CONSP A))
(EQUAL (REV B) (AP (REV B) NIL))).
We generalize this conjecture, replacing (REV B) by
RV. This produces
Subgoal *1/1'''
(IMPLIES (NOT (CONSP A))
(EQUAL RV (AP RV NIL))).
We suspect that the term (NOT (CONSP A)) is irrelevant
to the truth of this conjecture and throw it out. We
will thus try to prove
Subgoal *1/1'4'
(EQUAL RV (AP RV NIL)).
Name the formula above *1.1.
Perhaps we can prove *1.1 by induction. One induction
scheme is suggested by this conjecture.
We will induct according to a scheme suggested by
(AP RV 'NIL). This suggestion was produced using the
:induction rule AP. If we let (:P RV) denote *1.1 above
then the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP RV)) (:P (CDR RV)))
(:P RV))
(IMPLIES (ENDP RV) (:P RV))).
This induction is justified by the same argument used
to admit AP. When applied to the goal at hand the above
induction scheme produces two nontautological subgoals.
Subgoal *1.1/2
(IMPLIES (AND (NOT (ENDP RV))
(EQUAL (CDR RV) (AP (CDR RV) NIL)))
(EQUAL RV (AP RV NIL))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1.1/2'
(IMPLIES (AND (CONSP RV)
(EQUAL (CDR RV) (AP (CDR RV) NIL)))
(EQUAL RV (AP RV NIL))).
But simplification reduces this to T, using the :definition
AP, primitive type reasoning and the :rewrite rule
CONS-CAR-CDR.
Subgoal *1.1/1
(IMPLIES (ENDP RV)
(EQUAL RV (AP RV NIL))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1.1/1'
(IMPLIES (NOT (CONSP RV))
(EQUAL RV (AP RV NIL))).
This simplifies, using the :definition AP and primitive
type reasoning, to
Subgoal *1.1/1''
(IMPLIES (NOT (CONSP RV)) (NOT RV)).
Name the formula above *1.1.1.
No induction schemes are suggested by *1.1.1. Consequently,
the proof attempt has failed.
Summary
Form: ( DEFTHM MAIN ...)
Rules: ((:DEFINITION AP)
(:DEFINITION ENDP)
(:DEFINITION NOT)
(:DEFINITION REV)
(:ELIM CAR-CDR-ELIM)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION AP)
(:INDUCTION REV)
(:REWRITE AP-IS-ASSOCIATIVE)
(:REWRITE CAR-CONS)
(:REWRITE CDR-CONS)
(:REWRITE CONS-CAR-CDR))
Time: 0.08 seconds (prove: 0.06, print: 0.02, other: 0.00)
---
The key checkpoint goals, below, may help you to debug
this failure. See :DOC failure and see :DOC set-checkpoint-
summary-limit.
---
*** Key checkpoint at the top level: ***
Goal
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))
*** Key checkpoint under a top-level induction: ***
Subgoal *1/1''
(IMPLIES (NOT (CONSP A))
(EQUAL (REV B) (AP (REV B) NIL)))
ACL2 Error in ( DEFTHM MAIN ...): See :DOC failure.
******** FAILED ********
ACL2 >(defthm lemma
(equal (ap (rev a) nil)
(rev a)))
Name the formula above *1.
Perhaps we can prove *1 by induction. Two induction
schemes are suggested by this conjecture. Subsumption
reduces that number to one.
We will induct according to a scheme suggested by (REV A).
This suggestion was produced using the :induction rule
REV. If we let (:P A) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A)))
(:P A))
(IMPLIES (ENDP A) (:P A))).
This induction is justified by the same argument used
to admit REV. When applied to the goal at hand the
above induction scheme produces two nontautological
subgoals.
Subgoal *1/2
(IMPLIES (AND (NOT (ENDP A))
(EQUAL (AP (REV (CDR A)) NIL)
(REV (CDR A))))
(EQUAL (AP (REV A) NIL) (REV A))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/2'
(IMPLIES (AND (CONSP A)
(EQUAL (AP (REV (CDR A)) NIL)
(REV (CDR A))))
(EQUAL (AP (REV A) NIL) (REV A))).
But simplification reduces this to T, using the :definitions
AP and REV, the :executable-counterpart of AP, primitive
type reasoning and the :rewrite rules AP-IS-ASSOCIATIVE,
CAR-CONS and CDR-CONS.
Subgoal *1/1
(IMPLIES (ENDP A)
(EQUAL (AP (REV A) NIL) (REV A))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/1'
(IMPLIES (NOT (CONSP A))
(EQUAL (AP (REV A) NIL) (REV A))).
But simplification reduces this to T, using the :definition
REV and the :executable-counterparts of AP and EQUAL.
That completes the proof of *1.
Q.E.D.
Summary
Form: ( DEFTHM LEMMA ...)
Rules: ((:DEFINITION AP)
(:DEFINITION ENDP)
(:DEFINITION NOT)
(:DEFINITION REV)
(:EXECUTABLE-COUNTERPART AP)
(:EXECUTABLE-COUNTERPART EQUAL)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION REV)
(:REWRITE AP-IS-ASSOCIATIVE)
(:REWRITE CAR-CONS)
(:REWRITE CDR-CONS))
Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00)
LEMMA
ACL2 >(defthm main
(equal (rev (ap a b))
(ap (rev b) (rev a))))
Name the formula above *1.
Perhaps we can prove *1 by induction. Three induction
schemes are suggested by this conjecture. Subsumption
reduces that number to two. However, one of these is
flawed and so we are left with one viable candidate.
We will induct according to a scheme suggested by (AP A B).
This suggestion was produced using the :induction rules
AP and REV. If we let (:P A B) denote *1 above then
the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B))
(:P A B))
(IMPLIES (ENDP A) (:P A B))).
This induction is justified by the same argument used
to admit AP. When applied to the goal at hand the above
induction scheme produces two nontautological subgoals.
Subgoal *1/2
(IMPLIES (AND (NOT (ENDP A))
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/2'
(IMPLIES (AND (CONSP A)
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
This simplifies, using the :definitions AP and REV,
primitive type reasoning and the :rewrite rules CAR-CONS
and CDR-CONS, to
Subgoal *1/2''
(IMPLIES (AND (CONSP A)
(EQUAL (REV (AP (CDR A) B))
(AP (REV B) (REV (CDR A)))))
(EQUAL (AP (REV (AP (CDR A) B)) (LIST (CAR A)))
(AP (REV B)
(AP (REV (CDR A)) (LIST (CAR A)))))).
The destructor terms (CAR A) and (CDR A) can be eliminated
by using CAR-CDR-ELIM to replace A by (CONS A1 A2),
(CAR A) by A1 and (CDR A) by A2. This produces the
following goal.
Subgoal *1/2'''
(IMPLIES (AND (CONSP (CONS A1 A2))
(EQUAL (REV (AP A2 B))
(AP (REV B) (REV A2))))
(EQUAL (AP (REV (AP A2 B)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1))))).
This simplifies, using primitive type reasoning, to
Subgoal *1/2'4'
(IMPLIES (EQUAL (REV (AP A2 B))
(AP (REV B) (REV A2)))
(EQUAL (AP (REV (AP A2 B)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1))))).
We now use the hypothesis by substituting
(AP (REV B) (REV A2)) for (REV (AP A2 B)) and throwing
away the hypothesis. This produces
Subgoal *1/2'5'
(EQUAL (AP (AP (REV B) (REV A2)) (LIST A1))
(AP (REV B) (AP (REV A2) (LIST A1)))).
But we reduce the conjecture to T, by the simple :rewrite
rule AP-IS-ASSOCIATIVE.
Subgoal *1/1
(IMPLIES (ENDP A)
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
By the simple :definition ENDP we reduce the conjecture
to
Subgoal *1/1'
(IMPLIES (NOT (CONSP A))
(EQUAL (REV (AP A B))
(AP (REV B) (REV A)))).
But simplification reduces this to T, using the :definitions
AP and REV, primitive type reasoning and the :rewrite
rule LEMMA.
That completes the proof of *1.
Q.E.D.
Summary
Form: ( DEFTHM MAIN ...)
Rules: ((:DEFINITION AP)
(:DEFINITION ENDP)
(:DEFINITION NOT)
(:DEFINITION REV)
(:ELIM CAR-CDR-ELIM)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION AP)
(:INDUCTION REV)
(:REWRITE AP-IS-ASSOCIATIVE)
(:REWRITE CAR-CONS)
(:REWRITE CDR-CONS)
(:REWRITE LEMMA))
Time: 0.06 seconds (prove: 0.05, print: 0.02, other: 0.00)
MAIN
ACL2 >(quote (end of Demo 1))
(END OF DEMO 1)
-----------------------------------------------------------------
Waverly% cat Fact.java
class Fact {
public static int fact(int n){
if (n>0)
{return n*fact(n-1);}
else return 1;
}
public static void main(String[] args){
int n = Integer.parseInt(args[0], 10);
System.out.println(fact(n));
return;
}
}
Waverly% javap -c Fact
Compiled from "Fact.java"
class Fact extends java.lang.Object{
Fact();
Code:
0: aload_0
1: invokespecial #1; //Method java/lang/Object."":()V
4: return
public static int fact(int);
Code:
0: iload_0
1: ifle 13
4: iload_0
5: iload_0
6: iconst_1
7: isub
8: invokestatic #2; //Method fact:(I)I
11: imul
12: ireturn
13: iconst_1
14: ireturn
public static void main(java.lang.String[]);
Code:
0: aload_0
1: iconst_0
2: aaload
3: bipush 10
5: invokestatic #3; //Method java/lang/Integer.parseInt:(Ljava/lang/String;I)I
8: istore_1
9: getstatic #4; //Field java/lang/System.out:Ljava/io/PrintStream;
12: iload_1
13: invokestatic #2; //Method fact:(I)I
16: invokevirtual #5; //Method java/io/PrintStream.println:(I)V
19: return
}
Waverly% java Fact 6
720
Waverly% java Fact 20
-2102132736
Waverly%
-----------------------------------------------------------------
ACL2 >(in-package "M6")
"M6"
M6 >(class-by-name "Demo" (external-class-table *empty-state*))
(CLASS
"Demo"
"java.lang.Object" (JVM::CONSTANT_POOL)
(FIELDS)
(METHODS
(METHOD
"fact" (PARAMETERS INT)
(RETURNTYPE INT)
(ACCESSFLAGS *CLASS* *PUBLIC* *STATIC*)
(CODE
(MAX_STACK 3)
(JVM::MAX_LOCALS 1)
(CODE_LENGTH 15)
(PARSEDCODE
(0 (ILOAD_0))
(1 (IFLE 13))
(4 (ILOAD_0))
(5 (ILOAD_0))
(6 (ICONST_1))
(7 (ISUB))
(8 (INVOKESTATIC (METHODCP "fact" "Demo" (INT) INT)))
(11 (IMUL))
(12 (IRETURN))
(13 (ICONST_1))
(14 (IRETURN))
(ENDOFCODE 15))
(EXCEPTIONS)
(STACKMAP)))
(METHOD
"main"
(PARAMETERS (ARRAY (CLASS "java.lang.String")))
(RETURNTYPE VOID)
(ACCESSFLAGS *CLASS* *PUBLIC* *STATIC*)
(CODE
(MAX_STACK 2)
(JVM::MAX_LOCALS 2)
(CODE_LENGTH 20)
(PARSEDCODE
(0 (ALOAD_0))
(1 (ICONST_0))
(2 (AALOAD))
(3 (BIPUSH 10))
(5 (INVOKESTATIC
(METHODCP "parseInt" "java.lang.Integer"
((CLASS "java.lang.String") INT)
INT)))
(8 (ISTORE_1))
(9 (GETSTATIC
(JVM::FIELDCP "out" "java.lang.System"
(CLASS "java.io.PrintStream"))))
(12 (ILOAD_1))
(13 (INVOKESTATIC (METHODCP "fact" "Demo" (INT) INT)))
(16
(INVOKEVIRTUAL
(METHODCP "println" "java.io.PrintStream" (INT)
VOID)))
(19 (RETURN))
(ENDOFCODE 20))
(EXCEPTIONS)
(STACKMAP)))
(METHOD
"" (PARAMETERS)
(RETURNTYPE VOID)
(ACCESSFLAGS *CLASS*)
(CODE
(MAX_STACK 1)
(JVM::MAX_LOCALS 1)
(CODE_LENGTH 5)
(PARSEDCODE
(0 (ALOAD_0))
(1
(INVOKESPECIAL
(METHODCP "" "java.lang.Object" NIL VOID)))
(4 (RETURN))
(ENDOFCODE 5))
(EXCEPTIONS)
(STACKMAP))))
(INTERFACES)
(ACCESSFLAGS *CLASS* *SUPER* *SYNCHRONIZED*))
M6 >(jvm-DemoFact "6")
output from the stream at heap ref 91 is "720"
output from the stream at heap ref 91 is "newline"
((CLASSES-LOADED
"com.sun.cldc.i18n.uclc.DefaultCaseConverter"
"java.io.PrintStream"
"java.io.OutputStream"
"java.lang.Character"
"java.lang.Integer")
(OUTPUT-STREAM . "720
"))
M6 >(! 6)
720
M6 >(jvm-DemoFact "20")
output from the stream at heap ref 91 is "-2102132736"
output from the stream at heap ref 91 is "newline"
((CLASSES-LOADED
"com.sun.cldc.i18n.uclc.DefaultCaseConverter"
"java.io.PrintStream"
"java.io.OutputStream"
"java.lang.Character"
"java.lang.Integer")
(OUTPUT-STREAM . "-2102132736
"))
M6 >(! 20)
2432902008176640000
M6 >(int-fix (! 20))
-2102132736
M6 >(set-gag-mode :goals)
M6 >(defthm fact-is-correct
(implies (poised-to-invoke-fact s n)
(equal
(simple-run s (fact-clock n))
(state-set-pc (+ 3 (pc s))
(pushStack (int-fix (! n))
(popStack s)))))
:hints (("Goal" :induct (fact-induct n s))))
*1 (the initial Goal, a key checkpoint) is pushed for
proof by induction.
We have been told to use induction. One induction scheme
is suggested by the induction hint.
We will induct according to a scheme suggested by
(FACT-INDUCT N S). This suggestion was produced using
the :induction rule FACT-INDUCT. If we let (:P N S)
denote *1 above then the induction scheme we'll use
is
(AND
(IMPLIES
(AND
(NOT (ZP N))
(:P
(+ -1 N)
(STATE-SET-PC
8
(PUSHSTACK
(+ -1 (TOPSTACK S))
(PUSHSTACK
(TOPSTACK S)
(PUSHFRAME0
(MAKE-FRAME (+ 3 (PC S))
NIL (LIST (TOPSTACK S))
'(METHOD-PTR "Demo" "fact" (INT) INT)
-1)
(STATE-SET-PC (+ 3 (PC S))
(POPSTACKN 1 S))))))))
(:P N S))
(IMPLIES (ZP N) (:P N S))).
This induction is justified by the same argument used
to admit FACT-INDUCT. Note, however, that the unmeasured
variable S is being instantiated. When applied to the
goal at hand the above induction scheme produces two
nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/2.11
Subgoal *1/2.10
Subgoal *1/2.10'
Subgoal *1/2.9
Subgoal *1/2.9'
Subgoal *1/2.8
Subgoal *1/2.8'
Subgoal *1/2.8''
Subgoal *1/2.7
Subgoal *1/2.7'
Subgoal *1/2.7''
Subgoal *1/2.6
Subgoal *1/2.6'
Subgoal *1/2.6''
Subgoal *1/2.5
Subgoal *1/2.5'
Subgoal *1/2.5''
Subgoal *1/2.4
Subgoal *1/2.4'
Subgoal *1/2.4''
Subgoal *1/2.3
Subgoal *1/2.3'
Subgoal *1/2.3''
Subgoal *1/2.2
Subgoal *1/2.2'
Subgoal *1/2.2''
Subgoal *1/2.1
Subgoal *1/2.1'
Subgoal *1/2.1''
Subgoal *1/1
Subgoal *1/1'
Subgoal *1/1''
Subgoal *1/1.10
Subgoal *1/1.10'
Subgoal *1/1.9
Subgoal *1/1.9'
Subgoal *1/1.8
Subgoal *1/1.8'
Subgoal *1/1.8''
Subgoal *1/1.7
Subgoal *1/1.7'
Subgoal *1/1.7''
Subgoal *1/1.6
Subgoal *1/1.6'
Subgoal *1/1.6''
Subgoal *1/1.5
Subgoal *1/1.5'
Subgoal *1/1.5''
Subgoal *1/1.4
Subgoal *1/1.4'
Subgoal *1/1.4''
Subgoal *1/1.3
Subgoal *1/1.3'
Subgoal *1/1.3''
Subgoal *1/1.2
Subgoal *1/1.2'
Subgoal *1/1.2''
Subgoal *1/1.1
Subgoal *1/1.1'
Subgoal *1/1.1''
*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!
Q.E.D.
Summary
Form: ( DEFTHM FACT-IS-CORRECT ...)
Rules: ((:COMPOUND-RECOGNIZER INTP-IMPLIES-INTEGERP)
(:COMPOUND-RECOGNIZER
ACL2::NATP-COMPOUND-RECOGNIZER)
(:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER)
(:CONGRUENCE
EQUIV-STATE-IMPLIES-EQUAL-CURRENT-THREAD-1)
(:CONGRUENCE
EQUIV-STATE-IMPLIES-EQUIV-FRAME-CURRENT-FRAME-1)
(:CONGRUENCE
EQUIV-STATE-IMPLIES-EQUIV-THREAD-TABLE-THREAD-TABLE-1)
(:CONGRUENCE
STATE-EQUIV-CLASS-TABLE-EQUAL-IMPLIES-EQUAL-INSTANCE-CLASS-TABLE-1)
(:CONGRUENCE
STATE-EQUIV-CLASS-TABLE-EQUAL-IMPLIES-EQUAL-NO-FATAL-ERROR?-1)
(:DEFINITION !)
(:DEFINITION ADD-NO-DUP)
(:DEFINITION APP)
(:DEFINITION AREALIVETHREADS)
(:DEFINITION BUILD-INITIAL-LOCAL)
(:DEFINITION BUILD-INITIAL-LOCAL1)
(:DEFINITION CALL_METHOD_GENERAL)
(:DEFINITION CALL_STATIC_METHOD)
(:DEFINITION DEMO-CLASS-LOADEDP)
(:DEFINITION DISMANTLETHREAD)
(:DEFINITION EXECUTE-ICONST_1)
(:DEFINITION EXECUTE-IFLE)
(:DEFINITION EXECUTE-ILOAD_0)
(:DEFINITION EXECUTE-IMUL)
(:DEFINITION EXECUTE-ISUB)
(:DEFINITION EXECUTE-RETURN)
(:DEFINITION EXECUTE-RETURN1)
(:DEFINITION FACT-CLOCK)
(:DEFINITION FIX)
(:DEFINITION INST-BY-OFFSET)
(:DEFINITION INST-EQUIV)
(:DEFINITION INST-INST)
(:DEFINITION INVOKESTATIC-FACTP)
(:DEFINITION LEN)
(:DEFINITION LOCAL-AT)
(:DEFINITION MONO-THREADED-STATEP)
(:DEFINITION MV-NTH)
(:DEFINITION NEXT-INST)
(:DEFINITION NOT)
(:DEFINITION POISED-TO-INVOKE-FACT)
(:DEFINITION POP)
(:DEFINITION POPSTACKN)
(:DEFINITION PUSHFRAME)
(:DEFINITION PUSHFRAMEWITHPOP)
(:DEFINITION RAISE-EXCEPTION)
(:DEFINITION RESCHEDULE)
(:DEFINITION REVAPPEND)
(:DEFINITION REVERSE)
(:DEFINITION SECONDSTACK)
(:DEFINITION SET-THREAD-STATE-FLAG)
(:DEFINITION SIGNALTIMETORESCHEDULE)
(:DEFINITION STOPTHREAD)
(:DEFINITION SUSPENDTHREAD)
(:DEFINITION SUSPENDTHREAD1)
(:DEFINITION TERMINATE)
(:DEFINITION THREAD-SET-STATE)
(:DEFINITION TOP)
(:DEFINITION ZP)
(:EQUIVALENCE
STATE-EQUIV-CLASS-TABLE-EQUAL-IS-AN-EQUIVALENCE)
(:EXECUTABLE-COUNTERPART !)
(:EXECUTABLE-COUNTERPART <)
(:EXECUTABLE-COUNTERPART APP)
(:EXECUTABLE-COUNTERPART ARG)
(:EXECUTABLE-COUNTERPART BINARY-+)
(:EXECUTABLE-COUNTERPART CAR)
(:EXECUTABLE-COUNTERPART CDR)
(:EXECUTABLE-COUNTERPART CONS)
(:EXECUTABLE-COUNTERPART CONSP)
(:EXECUTABLE-COUNTERPART EQL)
(:EXECUTABLE-COUNTERPART EQUAL)
(:EXECUTABLE-COUNTERPART FACT-CLOCK)
(:EXECUTABLE-COUNTERPART FILL-TOP)
(:EXECUTABLE-COUNTERPART INST-BY-OFFSET)
(:EXECUTABLE-COUNTERPART INST-EQUIV)
(:EXECUTABLE-COUNTERPART INST-INST)
(:EXECUTABLE-COUNTERPART INST-OPCODE)
(:EXECUTABLE-COUNTERPART INST-SIZE)
(:EXECUTABLE-COUNTERPART INT-FIX)
(:EXECUTABLE-COUNTERPART INTP)
(:EXECUTABLE-COUNTERPART LEN)
(:EXECUTABLE-COUNTERPART MEM)
(:EXECUTABLE-COUNTERPART METHOD-ACCESSFLAGS)
(:EXECUTABLE-COUNTERPART METHOD-ARGS)
(:EXECUTABLE-COUNTERPART METHOD-MAXLOCALS)
(:EXECUTABLE-COUNTERPART METHOD-REP-TO-METHOD-PTR)
(:EXECUTABLE-COUNTERPART NOT)
(:EXECUTABLE-COUNTERPART NTH)
(:EXECUTABLE-COUNTERPART REVERSE)
(:EXECUTABLE-COUNTERPART SIZE-OF-PARAM)
(:EXECUTABLE-COUNTERPART TYPE-SIZE)
(:EXECUTABLE-COUNTERPART UNARY--)
(:EXECUTABLE-COUNTERPART WFF-METHOD-PTR)
(:EXECUTABLE-COUNTERPART ZP)
(:FAKE-RUNE-FOR-LINEAR NIL)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:FORWARD-CHAINING INT-LEMMA0)
(:INDUCTION FACT-INDUCT)
(:META ACL2::PREFER-POSITIVE-ADDENDS-<-THM)
(:REWRITE ACL2::|(* y x)|)
(:REWRITE ACL2::|(+ 0 x)|)
(:REWRITE ACL2::|(+ y x)|)
(:REWRITE ACL2::|(equal (if x y z) w)|)
(:REWRITE CALL-OPENER-EXECUTE-INVOKE)
(:REWRITE CAR-CONS)
(:REWRITE
CAR-OPERAND-STACK-CURRENT-FRAME-IS-TOPSTACK)
(:REWRITE CDR-CONS)
(:REWRITE ACL2::COLLECT-PLUS-1B)
(:REWRITE CURRENT-FRAME-STATE-SET)
(:REWRITE CURRENT-METHOD-PTR-PUSHFRAME0)
(:REWRITE CURRENT-METHOD-PTR-PUSHSTACK)
(:REWRITE CURRENT-METHOD-PTR-STATE-SET-PC)
(:REWRITE
CURRENT-THREAD-EXISTS-PREVSERVED-BY-PUSHSTACK)
(:REWRITE CURRENT-THREAD-EXISTS?-POPSTACK)
(:REWRITE CURRENT-THREAD-EXISTS?-PUSHFRAME)
(:REWRITE CURRENT-THREAD-EXISTS?-STATE-SET-PC)
(:REWRITE CURRENT-THREAD-PUSHFRAME)
(:REWRITE DEREF-METHOD-FACT-PTR)
(:REWRITE DO-INST-OPENER)
(:REWRITE JVM::FRAME-ACCESSOR)
(:REWRITE INSTANCE-CLASS-TABLE-POPSTACK)
(:REWRITE INSTANCE-CLASS-TABLE-PUSHFRAME0)
(:REWRITE INT-LEMMA3)
(:REWRITE INT-LEMMA4A)
(:REWRITE INT-LEMMA6)
(:REWRITE LOCAL-AT-ACCESSOR-1)
(:REWRITE
JVM::MONITOREXIT-PRESERVE-WFF-THREAD-TABLE-THREAD-EXIST-CURRENT-TH)
(:REWRITE NO-FATAL-ERROR-POPSTACK)
(:REWRITE NO-FATAL-ERROR-PUSHFRAME0)
(:REWRITE NO-FATAL-ERROR-STATE-SET-PC)
(:REWRITE NO-FATAL-ERROR?-DEMO-STATE)
(:REWRITE NO-FATAL-ERROR?-STATE-SET)
(:REWRITE NTH-0-CONS)
(:REWRITE
OPSTACK-LOCAL-PRIMITIVES-PRESERVE-EQUIV-STATE-2)
(:REWRITE PC-PUSHFRAME0)
(:REWRITE PC-PUSHSTACK)
(:REWRITE PC-STATE-SET-PC)
(:REWRITE POPFRAME-OPSTACK-PRIMITVES)
(:REWRITE POPFRAME-PUSHFRAME0-IS)
(:REWRITE POPSTACK-PUSHSTACK-IS)
(:REWRITE POPSTACKN-STATE-SET-PC-NORMALIZE)
(:REWRITE PUSHFRAME0-CURRENT-FRAME)
(:REWRITE PUSHSTACK-NO-CHANGE-INSTANCE-CLASS-TABLE)
(:REWRITE SIMPLE-RUN-C+)
(:REWRITE SIMPLE-RUN-OPENER-J)
(:REWRITE JVM::STATE-ACCESSOR-SET-CURRENT-THREAD)
(:REWRITE JVM::STATE-ACCESSOR-SET-PC)
(:REWRITE JVM::STATE-ACCESSOR-SET-THREAD-TABLE)
(:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-POPSTACK)
(:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-PUSHFRAME0)
(:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-PUSHSTACK-2)
(:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-SET-PC)
(:REWRITE STATE-SET-PC-STATE-SET-PC)
(:REWRITE
STATE-SET-PC-STATE-SET-THREAD-TABLE-NORMALIZE)
(:REWRITE THREAD-PRIMITIVES-STATE-SET-PC)
(:REWRITE TOPSTACK-OF-PUSHSTACK)
(:REWRITE TOPSTACK-STATE-SET-PC)
(:REWRITE ACL2::UN-HIDE-PLUS)
(:REWRITE UNIQUE-ID-THREAD-TABLE-POPSTACK)
(:REWRITE UNIQUE-ID-THREAD-TABLE-PUSHFRAME0)
(:REWRITE UNIQUE-ID-THREAD-TABLE-PUSHSTACK)
(:REWRITE
WFF-CALL-FRAME-CURRENT-FRAME-PREVSERVED-BY-PUSHSTACK)
(:REWRITE WFF-CALL-FRAME-REGULAR-MAKE-FRAME)
(:REWRITE WFF-STATE-REGULAR-POPSTACK)
(:REWRITE WFF-STATE-REGULAR-PUSHFRAME)
(:REWRITE WFF-STATE-REGULAR-PUSHSTACK)
(:REWRITE WFF-STATE-REGULAR-STATE-SET-PC)
(:REWRITE
WFF-THREAD-TABLE-REGULAR-IMPLIES-WFF-THREAD-TABLE)
(:REWRITE WFF-THREAD-TABLE-REGULAR-POPSTACK)
(:REWRITE WFF-THREAD-TABLE-REGULAR-PUSHFRAME0)
(:REWRITE WFF-THREAD-TABLE-REGULAR-PUSHSTACK)
(:TYPE-PRESCRIPTION !)
(:TYPE-PRESCRIPTION C+)
(:TYPE-PRESCRIPTION FACT-CLOCK)
(:TYPE-PRESCRIPTION MONITOREXIT)
(:TYPE-PRESCRIPTION STATE-EQUIV-CLASS-TABLE-EQUAL)
(:TYPE-PRESCRIPTION UNIQUE-ID-THREAD-TABLE)
(:TYPE-PRESCRIPTION WFF-STATE-REGULAR)
(:TYPE-PRESCRIPTION WFF-THREAD-TABLE-REGULAR))
Time: 1.89 seconds (prove: 1.88, print: 0.01, other: 0.00)
FACT-IS-CORRECT
M6 >