; ACL2 Version 3.1  A Computational Logic for Applicative Common Lisp
; Copyright (C) 2006 University of Texas at Austin
; This version of ACL2 is a descendent of ACL2 Version 1.9, Copyright
; (C) 1997 Computational Logic, Inc. See the documentation topic NOTE20.
; This program is free software; you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation; either version 2 of the License, or
; (at your option) any later version.
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
; You should have received a copy of the GNU General Public License
; along with this program; if not, write to the Free Software
; Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
; Written by: Matt Kaufmann and J Strother Moore
; email: Kaufmann@cs.utexas.edu and Moore@cs.utexas.edu
; Department of Computer Sciences
; University of Texas at Austin
; Austin, TX 787121188 U.S.A.
(inpackage "ACL2")
; This file contains the functions that check the acceptable forms for
; the various classes of rules, the functions that generate the rules
; from the forms, and finally the functions that actually do the adding.
; It also contains various history management and command facilities whose
; implementation is intertwined with the storage of rules, e.g., :pr and
; some monitoring stuff.
; The structure of the file is that we first define the checkers and
; generators for each class of rule. Each such section has a header
; like that shown below. When we finish all the individual classes
; we enter the final sections, headed
; Section: Handling a List of Classes
; Section: More History Management and Command Stuff
; Section: The DEFAXIOM Event
; Section: The DEFTHM Event
; Section: Some Convenient Abbreviations for Defthm
;
; Section: :REWRITE Rules
; In this section we develop the function chkacceptable
; rewriterule, which checks that all the :REWRITE rules generated
; from a term are legal. We then develop addrewriterule which does
; the actual generation and addition of the rules to the world.
; We first tear up the user's term into a bunch of conjoined
; implications, with unprettyify.
(defun unprettyify/addhypstopairs (hyps lst)
; Each element of lst is a pair of the form (hypsi . concli), where hypsi
; is a list of terms. We append hyps to hypsi in each pair.
(cond ((null lst) nil)
(t (cons (cons (append hyps (caar lst)) (cdar lst))
(unprettyify/addhypstopairs hyps (cdr lst))))))
(defun unprettyify (term)
; This function returns a list of pairs (hyps . concl) such that the
; conjunction of all (implies (and . hyps) concl) is equivalent to
; term. Hyps is a list of hypotheses, implicitly conjoined. Concl
; does not begin with an AND (of course, its a macro, but concl
; doesn't begin with an IF that represents an AND) or IMPLIES.
; In addition concl doesn't begin with an open lambda.
; This function is used to extract the :REWRITE rules from a term.
; Lambdas are sort of expanded to expose the conclusion. They are not
; expanded in the hypotheses, or within an function symbol other than
; the toplevel IFs and IMPLIES. But toplevel lambdas (those enclosing
; the entire term) are blown away.
; Thus, if you have a proposed :REWRITE rule
; (implies (and p q) (let ((x a)) (equal (f x) b)))
; it will be converted to
; (implies (and p q) (equal (f a) b)).
; The rule
; (let ((x a)) (implies (and (p x) (q x)) (equal (f x) b))) [1]
; will become
; (implies (and (p a) (q a)) (equal (f a) b)). [2]
; But
; (implies (let ((x a)) (and (p x) (q x))) [3]
; (equal (let ((x a)) (f x)) b))
; stays untouched. In general, once you've moved the let into a
; hypothesis it is not seen or opened. Once you move it into the
; equivalence relation of the conclusion it is not seen or opened.
; Note that this processing of lambdas can cause terms to be duplicated
; and simplified more than once (see a in [2] compared to [3]).
(casematch term
(('if t1 t2 t3)
(cond ((equal t2 *nil*)
(append (unprettyify (dumbnegatelit t1))
(unprettyify t3)))
((equal t3 *nil*)
(append (unprettyify t1)
(unprettyify t2)))
(t (list (cons nil term)))))
(('implies t1 t2)
(unprettyify/addhypstopairs
(flattenandsinlit t1)
(unprettyify t2)))
((('lambda vars body) . args)
(unprettyify (subcorvar vars args body)))
(& (list (cons nil term)))))
(mutualrecursion
(defun removelambdas (term)
(if (or (variablep term)
(fquotep term))
term
(let ((args (removelambdaslst (fargs term)))
(fn (ffnsymb term)))
(if (flambdap fn)
(subcorvar (lambdaformals fn) args (removelambdas (lambdabody fn)))
(consterm fn args)))))
(defun removelambdaslst (termlist)
(if termlist
(cons (removelambdas (car termlist))
(removelambdaslst (cdr termlist)))
nil))
)
; We use the following function to determine the sense of the conclusion
; as a :REWRITE rule.
(defun interprettermasrewriterule (term ens wrld)
; This function returns four values. The first is an equivalence
; relation, eqv. The second two are terms, lhs and rhs, such that
; (eqv lhs rhs) is propositionally equivalent to term. The fourth is
; an 'assumptionfree ttree justifying the claim.
(let ((term (removelambdas term)))
(cond ((variablep term) (mv 'iff term *t* nil))
((fquotep term) (mv 'iff term *t* nil))
((membereq (ffnsymb term) *equalityaliases*)
(mv 'equal (fargn term 1) (fargn term 2) nil))
((equivalencerelationp (ffnsymb term) wrld)
(mvlet (equiv ttree)
(cond ((eq (ffnsymb term) 'iff)
(mvlet
(ts ttree)
(typeset (fargn term 1) nil nil nil nil ens wrld
nil
nil nil)
(cond ((tssubsetp ts *tsboolean*)
(mvlet
(ts ttree)
(typeset (fargn term 2) nil nil nil nil ens wrld
ttree
nil nil)
(cond ((tssubsetp ts *tsboolean*)
(mv 'equal ttree))
(t (mv 'iff nil)))))
(t (mv 'iff nil)))))
(t (mv (ffnsymb term) nil)))
(mv equiv (fargn term 1) (fargn term 2) ttree)))
((eq (ffnsymb term) 'not) (mv 'equal (fargn term 1) *nil* nil))
(t (mvlet (ts ttree)
(typeset term nil nil nil nil ens wrld nil
nil nil)
(cond ((tssubsetp ts *tsboolean*)
(mv 'equal term *t* ttree))
(t (mv 'iff term *t* nil))))))))
; We inspect the lhs and some hypotheses with the following function
; to determine if nonrecursive defuns will present a problem to the
; user.
(mutualrecursion
(defun nonrecursivefnnames (term ens wrld)
(cond ((variablep term) nil)
((fquotep term) nil)
((or (flambdaapplicationp term)
(let ((defbody (defbody (ffnsymb term) wrld)))
(and defbody
(enablednumep (access defbody defbody :nume)
ens)
(not (access defbody defbody :recursivep)))))
(addtoseteq (ffnsymb term)
(nonrecursivefnnameslst (fargs term) ens wrld)))
(t (nonrecursivefnnameslst (fargs term) ens wrld))))
(defun nonrecursivefnnameslst (lst ens wrld)
(cond ((null lst) nil)
(t (unioneq (nonrecursivefnnames (car lst) ens wrld)
(nonrecursivefnnameslst (cdr lst) ens wrld)))))
)
; The list just constructed is odd because it may contain some lambda
; expressions posing as function symbols. We use the following function
; to transform those into let's just for printing purposes...
(defun hidelambdas1 (formals)
; CLTL uses # as the "too deep to show" symbol. But if we use it, we
; print vertical bars around it. Until we modify the printer to support
; some kind of hiding, we'll use Interlisp's ampersand.
(cond ((null formals) nil)
(t (cons (list (car formals) '&)
(hidelambdas1 (cdr formals))))))
(defun hidelambdas (lst)
(cond ((null lst) nil)
(t (cons (if (flambdap (car lst))
(list 'let (hidelambdas1 (lambdaformals (car lst)))
(lambdabody (car lst)))
(car lst))
(hidelambdas (cdr lst))))))
; Now we develop the stuff to determine if we have a permutative :REWRITE rule.
(defun variantp (term1 term2)
; This function returns two values: A flag indicating whether the two
; terms are variants and the substitution which when applied to term1
; yields term2.
(mvlet (ans unifysubst)
(onewayunify term1 term2)
(cond
(ans
(let ((range (stripcdrs unifysubst)))
(mv (and (symbollistp range)
(noduplicatespequal range))
unifysubst)))
(t (mv nil nil)))))
(mutualrecursion
(defun surroundingfns1 (vars term fn acc)
; See surroundingfns for the definition of the notions used below.
; Vars is a list of variables. Term is a term that occurs as an argument in
; some (here unknown) application of the function fn. Acc is either a list of
; function symbols or the special token 'haslambda. Observe that if term is a
; var in vars, then fn surrounds some var in vars in whatever larger term
; contained the application of fn.
; If term is a var in vars, we collect fn into acc. If term is not a var, we
; collect into acc all the function symbols surrounding any element of vars.
; However, if we ever encounter a lambda application surrounding a var in vars
; (including fn), we set acc to the special token 'haslambda, and collections
; cease thereafter.
(cond
((variablep term)
(cond
((membereq term vars)
(if (or (eq acc 'haslambda)
(not (symbolp fn)))
'haslambda
(addtoseteq fn acc)))
(t acc)))
((fquotep term) acc)
(t (surroundingfnslst vars (fargs term) (ffnsymb term) acc))))
(defun surroundingfnslst (vars termlist fn acc)
(cond
((null termlist) acc)
(t (surroundingfnslst vars (cdr termlist) fn
(surroundingfns1 vars (car termlist) fn acc)))))
)
(defun surroundingfns (vars term)
; This function returns the list of all functions fn surrounding, in term, any
; var in vars, except that if that list includes a lambda expression we return
; nil.
; We make this precise as follows. Let us say a function symbol or lambda
; expression, fn, ``surrounds'' a variable v in term if there is a subterm of
; term that is an application of fn and v is among the actuals of that
; application. Thus, in the term (fn (g x) (h (d x)) y), g and d both surround
; x and fn surrounds y. Note that h surrounds no variable.
; Consider the set, s, of all functions fn such that fn surrounds a variable
; var in term, where var is a member of the list of variables var. If s
; contains a lambda expression, we return nil; otherwise we return s.
(cond
((or (variablep term)
(fquotep term))
nil)
(t
(let ((ans (surroundingfnslst vars (fargs term) (ffnsymb term) nil)))
(if (eq ans 'haslambda)
nil
ans)))))
(defun loopstopper1 (alist vars lhs)
(cond ((null alist) nil)
((membereq (car (car alist))
(cdr (membereq (cdr (car alist)) vars)))
(cons (list* (caar alist)
(cdar alist)
(surroundingfns (list (caar alist) (cdar alist)) lhs))
(loopstopper1 (cdr alist) vars lhs)))
(t (loopstopper1 (cdr alist) vars lhs))))
(defun loopstopper (lhs rhs)
; If lhs and rhs are variants, we return the "expansion" (see next
; paragraph) of the subset of the unifying substitution containing
; those pairs (x . y) in which a variable symbol (y) is being moved
; forward (to the position of x) in the print representation of the
; term. For example, suppose lhs is (foo x y z) and rhs is (foo y z
; x). Then both y and z are moved forward, so the loopstopper is the
; "expansion" of '((y . z) (x . y)). This function exploits the fact
; that allvars returns the set of variables listed in reverse
; printorder.
; In the paragraph above, the "expansion" of a substitution ((x1 .
; y1) ... (xn . yn)) is the list ((x1 y1 . fns1) ... (xn yn .
; fnsn)), where fnsi is the list of function symbols of subterms of
; lhs that contain xi or yi (or both) as a toplevel argument.
; Exception: If any such "function symbol" is a LAMBDA, then fnsi is
; nil.
; Note: John Cowles first suggested the idea that led to the idea of
; invisible function symbols as implemented here. Cowles observation
; was that it would be very useful if x and ( x) were moved into
; adjacency by permutative rules. His idea was to redefine termorder
; so that those two terms were of virtually equal weight. Our notion
; of invisible function symbols and the handling of loopstopper is
; meant to address Cowles original concern without complicating
; termorder, which is used in places besides permutative rewriting.
":DocSection Miscellaneous
limit application of permutative rewrite rules~/
~l[ruleclasses] for a discussion of the syntax of the
~c[:loopstopper] field of ~c[:]~ilc[rewrite] ruleclasses. Here we describe how
that field is used, and also how that field is created when the user
does not explicitly supply it.
For example, the builtin ~c[:]~ilc[rewrite] rule ~c[commutativityof+],
~bv[]
(implies (and (acl2numberp x)
(acl2numberp y))
(equal (+ x y) (+ y x))),
~ev[]
creates a rewrite rule with a loopstopper of ~c[((x y binary+))].
This means, very roughly, that the term corresponding to ~c[y] must be
``smaller'' than the term corresponding to ~c[x] in order for this rule
to apply. However, the presence of ~ilc[binary+] in the list means that
certain functions that are ``invisible'' with respect to ~ilc[binary+]
(by default, ~ilc[unary] is the only such function) are more or less
ignored when making this ``smaller'' test. We are much more precise
below.~/
Our explanation of loopstopping is in four parts. First we discuss
ACL2's notion of ``term order.'' Next, we bring in the notion of
``invisibility'', and use it together with term order to define
orderings on terms that are used in the loopstopping algorithm.
Third, we describe that algorithm. These topics all assume that we
have in hand the ~c[:loopstopper] field of a given rewrite rule; the
fourth and final topic describes how that field is calculated when
it is not supplied by the user.
ACL2 must sometimes decide which of two terms is syntactically
simpler. It uses a total ordering on terms, called the ``term
order.'' Under this ordering constants such as ~c['(a b c)] are simpler
than terms containing variables such as ~c[x] and ~c[(+ 1 x)]. Terms
containing variables are ordered according to how many occurrences
of variables there are. Thus ~c[x] and ~c[(+ 1 x)] are both simpler than
~c[(cons x x)] and ~c[(+ x y)]. If variable counts do not decide the order,
then the number of function applications are tried. Thus ~c[(cons x x)]
is simpler than ~c[(+ x (+ 1 y))] because the latter has one more
function application. Finally, if the number of function
applications do not decide the order, a lexicographic ordering on
Lisp objects is used. ~l[termorder] for details.
When the loopstopping algorithm is controlling the use of
permutative ~c[:]~ilc[rewrite] rules it allows ~c[term1] to be moved leftward over
~c[term2] only if ~c[term1] is smaller, in a suitable sense. Note: The
sense used in loopstopping is ~st[not] the above explained term order
but a more complicated ordering described below. The use of a total
ordering stops rules like commutativity from looping indefinitely
because it allows ~c[(+ b a)] to be permuted to ~c[(+ a b)] but not vice
versa, assuming ~c[a] is smaller than ~c[b] in the ordering. Given a set of
permutative rules that allows arbitrary permutations of the tips of
a tree of function calls, this will normalize the tree so that the
smallest argument is leftmost and the arguments ascend in the order
toward the right. Thus, for example, if the same argument appears
twice in the tree, as ~c[x] does in the ~ilc[binary+] tree denoted by the
term ~c[(+ a x b x)], then when the allowed permutations are done, all
occurrences of the duplicated argument in the tree will be adjacent,
e.g., the tree above will be normalized to ~c[(+ a b x x)].
Suppose the loopstopping algorithm used term order, as noted above,
and consider the ~ilc[binary+] tree denoted by ~c[(+ x y ( x))]. The
arguments here are in ascending term order already. Thus, no
permutative rules are applied. But because we are inside a
~c[+expression] it is very convenient if ~c[x] and ~c[( x)] could be given
virtually the same position in the ordering so that ~c[y] is not
allowed to separate them. This would allow such rules as
~c[(+ i ( i) j) = j] to be applied. In support of this, the
ordering used in the control of permutative rules allows certain
unary functions, e.g., the unary minus function above, to be
``invisible'' with respect to certain ``surrounding'' functions,
e.g., ~ilc[+] function above.
Briefly, a unary function symbol ~c[fn1] is invisible with respect to a
function symbol ~c[fn2] if ~c[fn2] belongs to the value of ~c[fn1] in
~ilc[invisiblefnstable]; also ~pl[setinvisiblefnstable], which
explains its format and how it can be set by the user. Roughly
speaking, ``invisible'' function symbols are ignored for the
purposes of the termorder test.
Consider the example above, ~c[(+ x y ( x))]. The translated version
of this term is ~c[(binary+ x (binary+ y (unary x)))]. The initial
~ilc[invisiblefnstable] makes ~ilc[unary] invisible with repect to ~ilc[binary+].
The commutativity rule for ~ilc[binary+] will attempt to swap ~c[y] and
~c[(unary x)] and the loopstopping algorithm is called to approve or
disapprove. If term order is used, the swap will be disapproved.
But term order is not used. While the loopstopping algorithm is
permuting arguments inside a ~ilc[binary+] expression, ~ilc[unary] is
invisible. Thus, insted of comparing ~c[y] with ~c[(unary x)], the
loopstopping algorithm compares ~c[y] with ~c[x], approving the swap
because ~c[x] comes before ~c[y].
Here is a more precise specification of the total order used for
loopstopping with respect to a list, ~c[fns], of functions that are to
be considered invisible. Let ~c[x] and ~c[y] be distinct terms; we specify
when ``~c[x] is smaller than ~c[y] with respect to ~c[fns].'' If ~c[x] is the
application of a unary function symbol that belongs to ~c[fns], replace
~c[x] by its argument. Repeat this process until the result is not the
application of such a function; let us call the result ~c[xguts].
Similarly obtain ~c[yguts] from ~c[y]. Now if ~c[xguts] is the same term as
~c[yguts], then ~c[x] is smaller than ~c[y] in this order iff ~c[x] is smaller than
~c[y] in the standard term order. On the other hand, if ~c[xguts] is
different than ~c[yguts], then ~c[x] is smaller than ~c[y] in this order iff
~c[xguts] is smaller than ~c[yguts] in the standard term order.
Now we may describe the loopstopping algorithm. Consider a rewrite
rule with conclusion ~c[(equiv lhs rhs)] that applies to a term ~c[x] in a
given context; ~pl[rewrite]. Suppose that this rewrite rule has
a loopstopper field (technically, the ~c[:heuristicinfo] field) of
~c[((x1 y1 . fns1) ... (xn yn . fnsn))]. (Note that this field can be
observed by using the command ~c[:]~ilc[pr] with the name of the rule;
~pl[pr].) We describe when rewriting is permitted. The
simplest case is when the loopstopper list is ~c[nil] (i.e., ~c[n] is ~c[0]);
in that case, rewriting is permitted. Otherwise, for each ~c[i] from 1
to ~c[n] let ~c[xi'] be the actual term corresponding to the variable ~c[xi]
when ~c[lhs] is matched against the term to be rewritten, and similarly
correspond ~c[yi'] with ~c[y]. If ~c[xi'] and ~c[yi'] are the same term for all ~c[i],
then rewriting is not permitted. Otherwise, let ~c[k] be the least ~c[i]
such that ~c[xi'] and ~c[yi'] are distinct. Let ~c[fns] be the list of all
functions that are invisible with respect to every function in
~c[fnsk], if ~c[fnsk] is nonempty; otherwise, let ~c[fns] be ~c[nil]. Then
rewriting is permitted if and only if ~c[yi'] is smaller than ~c[xi'] with
respect to ~c[fns], in the sense defined in the preceding paragraph.
It remains only to describe how the loopstopper field is calculated
for a rewrite rule when this field is not supplied by the user. (On
the other hand, to see how the user may specify the ~c[:loopstopper],
~pl[ruleclasses].) Suppose the conclusion of the rule is of
the form ~c[(equiv lhs rhs)]. First of all, if ~c[rhs] is not an instance
of the left hand side by a substitution whose range is a list of
distinct variables, then the loopstopper field is ~c[nil]. Otherwise,
consider all pairs ~c[(u . v)] from this substitution with the property
that the first occurrence of ~c[v] appears in front of the first
occurrence of ~c[u] in the print representation of ~c[rhs]. For each such ~c[u]
and ~c[v], form a list ~c[fns] of all functions ~c[fn] in ~c[lhs] with the property
that ~c[u] or ~c[v] (or both) appears as a toplevel argument of a subterm
of ~c[lhs] with function symbol ~c[fn]. Then the loopstopper for this
rewrite rule is a list of all lists ~c[(u v . fns)].~/"
(mvlet (ans unifysubst)
(variantp lhs rhs)
(cond (ans (loopstopper1 unifysubst (allvars lhs) lhs))
(t nil))))
(defun removeirrelevantloopstopperpairs (pairs vars)
(if pairs
(if (and (membereq (caar pairs) vars)
(membereq (cadar pairs) vars))
; Note that the use of loopstopper1 by loopstopper guarantees that
; machineconstructed loopstoppers only contain pairs (u v . fns) for
; which u and v both occur in the lhs of the rewrite rule. Hence, it
; is reasonable to include the test above.
(cons (car pairs)
(removeirrelevantloopstopperpairs (cdr pairs) vars))
(removeirrelevantloopstopperpairs (cdr pairs) vars))
nil))
(defun putmatchfreevalue (matchfreevalue rune wrld)
(cond
((eq matchfreevalue :all)
(globalset 'freevarrunesall
(cons rune (globalval 'freevarrunesall wrld))
wrld))
((eq matchfreevalue :once)
(globalset 'freevarrunesonce
(cons rune (globalval 'freevarrunesonce wrld))
wrld))
((null matchfreevalue)
wrld)
(t
(er hard 'putmatchfreevalue
"Internal ACL2 error (called putmatchfreevalue with ~
matchfreevalue equal to ~x0). Please contact the ACL2 implementors."
matchfreevalue))))
(defun freevarsinhyps (hyps boundvars wrld)
; Let hyps be a list of terms  the hypotheses to some :REWRITE rule.
; Let boundvars be a list of variables. We find all the variables that
; will be freevars in hyps when each variable in boundvars is bound.
; This would be just (setdifferenceeq (allvars1lst hyps) boundvars)
; were it not for the fact that relievehyps interprets the hypothesis
; (equal v term), where v is free and does not occur in term, as
; a "let v be term..." instead of as a genuine free variable to be found
; by search.
; Warning: Keep this function and freevarsinhypsconsideringbindfree
; in sync.
(cond ((null hyps) nil)
(t (mvlet
(forcep flg)
(bindinghypp (car hyps)
(pairlis$ boundvars boundvars)
wrld)
; The odd pairlis$ above just manufactures a substitution with boundvars as
; bound vars so we can use freevarsp to answer the question, "does
; the rhs of the equality contain any free variables?" The range of
; the subsitution is irrelevant. If the conjunction above is true, then
; the current hyp is of the form (equiv v term) and v will be chosen
; by rewriting term. V is not a "free variable".
(cond ((and flg (not forcep))
(freevarsinhyps (cdr hyps)
(cons (fargn (car hyps) 1)
boundvars)
wrld))
(t (let ((hypvars (allvars (car hyps))))
(unioneq
(setdifferenceeq hypvars boundvars)
(freevarsinhyps (cdr hyps)
(unioneq hypvars boundvars)
wrld)))))))))
(defun freevarsinhypssimple (hyps boundvars)
; This is a simpler variant of freevarsinhyps that does not give special
; treatment to terms (equal variable term).
(cond ((null hyps) nil)
(t (let ((hypvars (allvars (car hyps))))
(unioneq (setdifferenceeq hypvars boundvars)
(freevarsinhypssimple (cdr hyps)
(unioneq hypvars
boundvars)))))))
(defun freevarsinfchyps (triggers hyps concls)
; This function determines whether a rule has free variables, given the
; triggers, hyps and conclusions of the rule.
(if (endp triggers)
nil
(let ((vars (allvars (car triggers))))
(or (freevarsinhypssimple hyps vars)
(or (freevarsinhypssimple concls vars)
(freevarsinfchyps (cdr triggers) hyps concls))))))
(defun freevarsinhypsconsideringbindfree (hyps boundvars wrld)
; This function is similar to the above freevarsinhyps. It
; differs in that it takes into account the effects of bindfree.
; Note that a bindfree hypothesis expands to a call to synp in
; which the first arg denotes the vars that are potentially bound
; by the hyp. This first arg will be either a quoted list of vars
; or 't which we interpret to mean all the otherwise free vars.
; Vars that are potentially bound by a bindfree hyp are not considered
; to be free vars for the purposes of this function.
; Note that a syntaxp hypothesis also expands to a call of synp,
; but that in this case the first arg is 'nil.
; Warning: Keep this function and freevarsinhyps in sync.
(cond ((null hyps) nil)
(t (mvlet
(forcep flg)
(bindinghypp (car hyps)
(pairlis$ boundvars boundvars)
wrld)
; The odd pairlis$ above just manufactures a substitution with boundvars as
; bound vars so we can use freevarsp to answer the question, "does
; the rhs of the equality contain any free variables?" The range of
; the subsitution is irrelevant. If the conjunction above is true, then
; the current hyp is of the form (equiv v term) and v will be chosen
; by rewriting term. V is not a "free variable".
(cond
((and flg (not forcep))
(freevarsinhypsconsideringbindfree
(cdr hyps)
(cons (fargn (car hyps) 1) boundvars)
wrld))
((and (nvariablep (car hyps))
(not (fquotep (car hyps)))
(eq (ffnsymb (car hyps)) 'synp)
(not (equal (fargn (car hyps) 1) *nil*))) ; not syntaxp hyp
(cond
((equal (fargn (car hyps) 1) *t*)
; All free variables are potentially bound. The user will presumably not want
; to see a warning in this case.
nil)
((and (quotep (fargn (car hyps) 1))
(not (collectnonlegalvariableps
(cadr (fargn (car hyps) 1)))))
(freevarsinhypsconsideringbindfree
(cdr hyps)
(unioneq (cadr (fargn (car hyps) 1)) boundvars)
wrld))
(t (er hard 'freevarsinhypsconsideringbindfree
"We thought the first argument of synp in this context ~
was either 'NIL, 'T, or else a quoted true list of ~
variables, but ~x0 is not!"
(fargn (car hyps) 1)))))
(t (let ((hypvars (allvars (car hyps))))
(unioneq (setdifferenceeq hypvars boundvars)
(freevarsinhypsconsideringbindfree
(cdr hyps)
(unioneq hypvars boundvars)
wrld)))))))))
(defun allvarsinhyps (hyps)
; We return a list of all the vars mentioned in hyps or, if there is
; a synp hyp whose varlist is 't, we return t.
(cond ((null hyps)
nil)
((variablep (car hyps))
(addtoseteq (car hyps)
(allvarsinhyps (cdr hyps))))
((fquotep (car hyps))
(allvarsinhyps (cdr hyps)))
((eq (ffnsymb (car hyps)) 'synp)
(cond ((equal (fargn (car hyps) 1) *nil*)
(allvarsinhyps (cdr hyps)))
((equal (fargn (car hyps) 1) *t*)
t)
((and (quotep (fargn (car hyps) 1))
(not (collectnonlegalvariableps
(cadr (fargn (car hyps) 1)))))
(unioneq (cadr (fargn (car hyps) 1))
(allvarsinhyps (cdr hyps))))
(t (er hard 'freevarsinhypsconsideringbindfree
"We thought the first argument of synp in this context ~
was either 'NIL, 'T, or else a quoted true list of ~
variables, but ~x0 is not!"
(fargn (car hyps) 1)))))
(t
(unioneq (allvars (car hyps))
(allvarsinhyps (cdr hyps))))))
(defun matchfreevalue (matchfree hyps pat wrld)
(or matchfree
(and (freevarsinhyps hyps (allvars pat) wrld)
(or (matchfreedefault wrld)
; We presumably already caused an error if at this point we would find a value
; of t for state global matchfreeerror.
:all))))
(defun matchfreefcvalue (matchfree hyps concls triggers wrld)
; This function, based on matchfreevalue, uses freevarsinfchyps to
; determine whether freevars are present in a forwardchaining rule (if so it
; returns nil). If freevars are not present then it uses the matchfree value
; of the rule (given by the matchfree arg) or the matchfree default value of
; the world to determine the correct matchfree value for this particular rule.
(or matchfree
(and (freevarsinfchyps triggers hyps concls)
(or (matchfreedefault wrld)
:all))))
(defun createrewriterule (rune nume hyps equiv lhs rhs loopstopperlst
backchainlimitlst matchfreevalue wrld)
; This function creates a :REWRITE rule of subclass 'backchain or
; 'abbreviation from the basic ingredients, preprocessing the hyps and
; computing the loopstopper. Equiv is an equivalence relation name.
(let ((hyps (preprocesshyps hyps))
(loopstopper (if loopstopperlst
(removeirrelevantloopstopperpairs
(cadr loopstopperlst)
(allvars lhs))
(loopstopper lhs rhs))))
(make rewriterule
:rune rune
:nume nume
:hyps hyps
:equiv equiv
:lhs lhs
:freevarsplhs (freevarsp lhs nil)
:rhs rhs
:subclass (cond ((and (null hyps)
(null loopstopper)
(abbreviationp nil
(allvarsbag lhs nil)
rhs))
'abbreviation)
(t 'backchain))
:heuristicinfo loopstopper
; If backchainlimitlst is given, then it is a keywordalist whose second
; element is a list of values of length (length hyps), and we use this value.
; Otherwise we use the default. This will be either nil  used directly  or
; an integer which we expand to a list of (length hyps) copies.
:backchainlimitlst
(cond (backchainlimitlst
(cadr backchainlimitlst))
(t (let ((limit (defaultbackchainlimit wrld)))
(and limit
(makelist (length hyps)
:initialelement
limit)))))
:matchfree matchfreevalue)))
; The next subsection of our code develops various checkers to help the
; user manage his collection of rules.
(defun hypsthatinstantiatefreevars (freevars hyps)
; We determine the hyps in hyps that will be used to instantiate
; the free variables, freevars, of some rule. Here, variables "bound" by
; calls of bindfree are not considered free in the case of rewrite and linear
; rules, so would not appear among freevars in those cases.
(cond ((null freevars) nil)
((intersectpeq freevars (allvars (car hyps)))
(cons (car hyps)
(hypsthatinstantiatefreevars
(setdifferenceeq freevars (allvars (car hyps)))
(cdr hyps))))
(t (hypsthatinstantiatefreevars freevars (cdr hyps)))))
(mutualrecursion
(defun maybeonewayunify (pat term alist)
; We return t if "it is possible" that pat matches term. More accurately, if
; we return nil, then (onewayunify1 pat term alist) definitely fails. Thus,
; the answer t below is always safe. The answer nil means there is no
; substitution, s extending alist such that pat/s is term.
(cond ((variablep pat)
(let ((pair (assoceq pat alist)))
(or (not pair)
(eq pat (cdr pair)))))
((fquotep pat) (equal pat term))
((variablep term) nil)
((fquotep term) t)
((equal (ffnsymb pat) (ffnsymb term))
(maybeonewayunifylst (fargs pat) (fargs term) alist))
(t nil)))
(defun maybeonewayunifylst (patlst termlst alist)
(cond ((endp patlst) t)
(t (and (maybeonewayunify (car patlst) (car termlst) alist)
(maybeonewayunifylst (cdr patlst) (cdr termlst)
alist)))))
)
(defun maybeonewayunifywithsome (pat termlst alist)
; If we return nil, then there is no term in termlst such that (onewayunify
; pat term alist). If we return t, then pat might unify with some member.
(cond ((endp termlst) nil)
((maybeonewayunify pat (car termlst) alist) t)
(t (maybeonewayunifywithsome pat (cdr termlst) alist))))
(defun maybesubsumes (cl1 cl2 alist)
; We return t if it is possible that the instance of cl1 via alist subsumes
; cl2. More accurately, if we return nil then cl1 does not subsume cl2.
; Recall what it means for (subsumes cl1 cl2 alist) to return t: cl1/alist' is
; a subset of cl2, where alist' is an extension of alist. Observe that the
; subset check would fail if cl1 contained a literal (P X) and there is no
; literal beginning with P in cl2. More generally, suppose there is a literal
; of cl1 (e.g., (P X)) that unifies with no literal of cl2. Then cl1 could not
; possibly subsume cl2.
; For a discussion of the origin of this function, see subsumesrewriterule.
; It was made more efficient after Version_3.0, by adding an alist argument to
; eliminate the possibility of subsumption in more cases.
(cond ((null cl1) t)
((maybeonewayunifywithsome (car cl1) cl2 alist)
(maybesubsumes (cdr cl1) cl2 alist))
(t nil)))
(defun subsumesrewriterule (rule1 rule2 wrld)
; We answer the question: does rule1 subsume rule2? I.e., can rule1
; (probably) be applied whenever rule2 can be? Since we don't check
; the loopstoppers, the "probably" is warranted. There may be other
; reasons it is warranted. But this is just a heuristic check performed
; as a service to the user.
; One might ask why we do the maybesubsumes. We do the subsumes
; check on the hyps of two rules with matching :lhs. In a hardware
; related file we were once confronted with a rule1 having :hyps
; ((BOOLEANP A0) (BOOLEANP B0) (BOOLEANP S0) (BOOLEANP C0_IN)
; (BOOLEANP A1) (BOOLEANP B1) (BOOLEANP S1) (BOOLEANP C1_IN)
; ...
; (S_REL A0 B0 C0_IN S0)
; ...)
; and a rule2 with :hyps
; ((BOOLEANP A0) (BOOLEANP B0) (BOOLEANP S0)
; (BOOLEANP A1) (BOOLEANP B1) (BOOLEANP S1)
; ...)
; The subsumes computation ran for over 30 minutes (and was eventually
; aborted). The problem is that the extra variables in rule1, e.g.,
; C0_IN, were matchable in many different ways, e.g., C0_IN < A0,
; C0_IN < B0, etc., all of which must be tried in a subsumption
; check. But no matter how you get rid of (BOOLEANP C0_IN) by
; choosing C0_IN, you will eventually run into the S_REL hypothesis in
; rule1 which has no counterpart in rule2. Thus we installed the
; relatively quick maybesubsumes check. The check scans the :hyps of
; the first rule and determines whether there is some hypothesis that
; cannot possibly be matched against the hyps of the other rule.
(and (refinementp (access rewriterule rule1 :equiv)
(access rewriterule rule2 :equiv)
wrld)
(mvlet (ans unifysubst)
(onewayunify (access rewriterule rule1 :lhs)
(access rewriterule rule2 :lhs))
(and ans
(maybesubsumes
(access rewriterule rule1 :hyps)
(access rewriterule rule2 :hyps)
unifysubst)
(eq (subsumes *initsubsumescount*
(access rewriterule rule1 :hyps)
(access rewriterule rule2 :hyps)
unifysubst)
t)))))
(defun findsubsumedrulenames (lst rule ens wrld)
; Lst is a list of rewriterules. Rule is a rewriterule. We return
; the names of those elements of lst that are subsumed by rule. We
; skip those rules in lst that are disabled in the global enabled structure
; and those that are META or DEFINITION rules.
(cond ((null lst) nil)
((and (enablednumep (access rewriterule (car lst) :nume)
ens)
(not (eq (access rewriterule (car lst) :subclass) 'meta))
(not (eq (access rewriterule (car lst) :subclass) 'definition))
(subsumesrewriterule rule (car lst) wrld))
(cons (basesymbol (access rewriterule (car lst) :rune))
(findsubsumedrulenames (cdr lst) rule ens wrld)))
(t (findsubsumedrulenames (cdr lst) rule ens wrld))))
(defun findsubsumingrulenames (lst rule ens wrld)
; Lst is a list of rewriterules. Rule is a rewriterule. We return
; the names of those elements of lst that subsume rule. We skip those
; rules in lst that are disabled and that are META or DEFINITION rules.
(cond ((null lst) nil)
((and (enablednumep (access rewriterule (car lst) :nume)
ens)
(not (eq (access rewriterule (car lst) :subclass) 'meta))
(not (eq (access rewriterule (car lst) :subclass) 'definition))
(subsumesrewriterule (car lst) rule wrld))
(cons (basesymbol (access rewriterule (car lst) :rune))
(findsubsumingrulenames (cdr lst) rule ens wrld)))
(t (findsubsumingrulenames (cdr lst) rule ens wrld))))
(defun forcedhyps (lst)
(cond ((null lst) nil)
((and (nvariablep (car lst))
(not (fquotep (car lst)))
(or (eq (ffnsymb (car lst)) 'force)
(eq (ffnsymb (car lst)) 'casesplit)))
(cons (car lst) (forcedhyps (cdr lst))))
(t (forcedhyps (cdr lst)))))
(defun striptoplevelnotsandforces (hyps)
(cond
((null hyps)
nil)
(t (mvlet (notflg atm)
(stripnot (if (and (nvariablep (car hyps))
(not (fquotep (car hyps)))
(or (eq (ffnsymb (car hyps)) 'force)
(eq (ffnsymb (car hyps)) 'casesplit)))
(fargn (car hyps) 1)
(car hyps)))
(declare (ignore notflg))
(cons atm (striptoplevelnotsandforces (cdr hyps)))))))
(defun freevariableerror? (token name ctx wrld state)
(if (and (null (matchfreedefault wrld))
(fgetglobal 'matchfreeerror state))
(er soft ctx
"The warning above has caused this error in order to make it clear ~
that there are free variables in ~s0 of a ~x1 rule generated from ~
~x2. This error can be suppressed for the rest of this ACL2 ~
session by submitting the following form:~~%~x3~~%However, you ~
are advised not to do so until you have read the documentation on ~
``free variables'' (see :DOC freevariables) in order to understand ~
the issues. In particular, you can supply a :matchfree value for ~
the :rewrite rule class (see :DOC ruleclasses) or a default for ~
the book under development (see :DOC setmatchfreedefault)."
(if (eq token :forwardchaining)
"some trigger term"
"the hypotheses")
token name '(setmatchfreeerror nil))
(value nil)))
(defun extendgeneqvalist (var geneqv alist wrld)
; For each pair (x . y) in alist, x is a variable and y is a geneqv. The
; result extends alist by assocating variable var with geneqv, thus extending
; the generated equivalence relation already associated with var in alist.
(putassoceq var
(uniongeneqv geneqv (cdr (assoceq var alist)) wrld)
alist))
(mutualrecursion
(defun coveredgeneqvalist (term geneqv alist wrld)
; Extends alist, an accumulator, as follows. The result associates, with each
; variable bound in term, a geneqv representing the list of all equivalence
; relations that are sufficient to preserve at one or more free occurrences of
; that variable in term, in order to preserve the given geneqv at term. This
; function creates the initial boundvarsalist for
; doublerewriteopportunities; see also the comment there.
; Alist is an accumulator with entries of the form (variable . geneqv).
(cond ((variablep term)
(extendgeneqvalist term geneqv alist wrld))
((fquotep term)
alist)
(t
(coveredgeneqvalistlst (fargs term)
(geneqvlst (ffnsymb term) geneqv nil wrld)
alist
wrld))))
(defun coveredgeneqvalistlst (termlist geneqvlst alist wrld)
(cond ((endp termlist)
alist)
(t (coveredgeneqvalistlst (cdr termlist)
(cdr geneqvlst)
(coveredgeneqvalist (car termlist) (car geneqvlst)
alist wrld)
wrld))))
)
(defun uncoveredequivs (geneqv coveredgeneqv wrld)
(cond ((endp geneqv) nil)
(t (let ((equiv (access congruencerule (car geneqv) :equiv))
(rst (uncoveredequivs (cdr geneqv) coveredgeneqv wrld)))
(cond ((geneqvrefinementp equiv coveredgeneqv wrld)
rst)
(t (cons equiv rst)))))))
(mutualrecursion
(defun uncoveredequivsalist (term geneqv vargeneqvalist vargeneqvalist0
objnot? accequivs acccounts wrld)
; Accumulator accequiv is an alist that associates variables with lists of
; equivalence relations, and accumulator acccounts associates variables with
; natural numbers. We are given a term whose value is to be maintained with
; respect to the given geneqv, along with vargeneqvalist, which associates
; variables with ilsts of equivalence relations. We return extensions of
; accequivs, acccounts, and vargeneqvalist as follows.
; Consider a bound (by vargeneqvalist) variable occurrence in term. Its
; context is known to preserve certain equivalence relations; but some of these
; may be "uncovered", i.e., not among the ones associated with this variable in
; vargeneqvalist. If that is the case, then add those "uncovered"
; equivalence relations to the list associated with this variable in
; accequivs, and increment the value of this variable in acccounts by 1.
; However, we skip the above analysis for the case that geneqv is *geneqviff*
; and we are at the top level of the IFstructure of the toplevel term (not
; including the tests). This function is used for creating warnings that
; suggest the use of doublerewrite, which however is generally not necessary
; in such situations; see rewritesolidifyplus.
; For a free variable occurrence in term, we leave accequivs and acccounts
; unchanged, and instead extend vargeneqvalist by associating this variable
; with the geneqv for its context. Vargeneqvalist0 is left unchanged by this
; process, for purposes of checking freeness.
(cond
((variablep term)
(let ((binding (assoceq term vargeneqvalist0)))
(cond ((null binding)
(mv accequivs
acccounts
(extendgeneqvalist term geneqv vargeneqvalist wrld)))
((and objnot?
(equal geneqv *geneqviff*))
; The call of rewritesolidifyplus in rewrite makes it unnecessary to warn
; when the objective is other than '? and the given geneqv is *geneqviff*.
(mv accequivs acccounts vargeneqvalist))
(t (let* ((coveredgeneqv (cdr binding))
(uncoveredequivs
(uncoveredequivs geneqv coveredgeneqv wrld)))
(cond (uncoveredequivs
(mv (putassoceq
term
(unioneq uncoveredequivs
(cdr (assoceq term accequivs)))
accequivs)
(putassoceq
term
(1+ (or (cdr (assoceq term acccounts))
0))
acccounts)
vargeneqvalist))
(t (mv accequivs acccounts vargeneqvalist))))))))
((or (fquotep term)
(eq (ffnsymb term) 'doublerewrite))
(mv accequivs acccounts vargeneqvalist))
((and objnot?
(eq (ffnsymb term) 'if))
(mvlet (accequivs acccounts vargeneqvalist)
(uncoveredequivsalist
(fargn term 3)
geneqv
vargeneqvalist
vargeneqvalist0
t
accequivs acccounts
wrld)
(mvlet (accequivs acccounts vargeneqvalist)
(uncoveredequivsalist
(fargn term 2)
geneqv
vargeneqvalist
vargeneqvalist0
t
accequivs acccounts
wrld)
(uncoveredequivsalist
(fargn term 1)
*geneqviff*
vargeneqvalist
vargeneqvalist0
nil
accequivs acccounts
wrld))))
(t (uncoveredequivsalistlst
(fargs term)
(geneqvlst (ffnsymb term) geneqv nil wrld)
vargeneqvalist vargeneqvalist0 accequivs acccounts wrld))))
(defun uncoveredequivsalistlst (termlist geneqvlst vargeneqvalist
vargeneqvalist0 accequivs
acccounts wrld)
(cond ((endp termlist)
(mv accequivs acccounts vargeneqvalist))
(t (mvlet (accequivs acccounts vargeneqvalist)
(uncoveredequivsalist (car termlist)
(car geneqvlst)
vargeneqvalist
vargeneqvalist0
nil
accequivs acccounts
wrld)
(uncoveredequivsalistlst (cdr termlist) (cdr geneqvlst)
vargeneqvalist
vargeneqvalist0
accequivs acccounts
wrld)))))
)
(defun doublerewriteopportunities (hypindex hyps vargeneqvalist
finalterm finallocation finalgeneqv
wrld)
; We return an alist having entries (location varequivalist
; . varcountalist), where location is a string identifying a term (either the
; hypindex_th member of the original hyps, or the finalterm), varequivalist
; associates variables of that term with their "uncovered equivs" as defined
; below, and varcountalist associates variables of that term with the number
; of occurrences of a given variable that have at least one "uncovered" equiv.
; This function is called only for the purpose of producing a warning when
; there is a missed opportunity for a potentially useful call of
; doublerewrite. Consider a variable occurrence in hyps, the hypotheses of a
; rule, in a context where it is sufficient to preserve equiv. If that
; variable occurs in the lefthand side of a rewrite rule (or the maxterm of a
; linear rule) in at least one context where it is sufficient to preserve
; equiv, that would give us confidence that the value associated with that
; occurrence (in the unifying substitution) had been fully rewritten with
; respect to equiv. But otherwise, we want to note this "uncovered" equiv for
; that variable in that hyp.
; We give similar treatment for the righthand side of a rewrite rule and
; conclusion of a linear rule, using the parameters finalxxx.
; Vargeneqvalist is an alist that binds variables to geneqvs. Initially, the
; keys are exactly the bound variables of the unifying substitution. Each key
; is associated with a geneqv that represents the equivalence relation
; generated by all equivalence relations known to be preserved for at least one
; variable occurrence in the pattern that was matched to give the unifying
; substitution (the left lefthand side of a rewrite rule or maxterm of a
; linear rule). As we move through hyps, we may encounter a hypothesis (equal
; var term) or (equiv var (doublerewrite term)) that binds a variable, var, in
; which case we will extend vargeneqvalist for var at that point. Note that
; we do not extend vargeneqvalist for other free variables in hypotheses,
; because we do not know the equivalence relations that were maintained when
; creating the rewritten terms to which the free variables are bound.
(cond ((endp hyps)
(mvlet (varequivsalist varcounts vargeneqvalist)
(uncoveredequivsalist finalterm finalgeneqv
vargeneqvalist vargeneqvalist
nil nil nil wrld)
(declare (ignore vargeneqvalist))
(if varequivsalist
(list (list* finallocation varequivsalist varcounts))
nil)))
(t
(mvlet
(forcep bindflg)
(bindinghypp (car hyps) vargeneqvalist wrld)
(let ((hyp (if forcep (fargn (car hyps) 1) (car hyps))))
(cond (bindflg
(let* ((equiv (ffnsymb hyp))
(var (fargn hyp 1))
(term0 (fargn hyp 2))
(term (if (and (nvariablep term0)
(not (fquotep term0))
(eq (ffnsymb term0)
'doublerewrite))
(fargn term0 1)
term0))
(newgeneqv (cadr (geneqvlst equiv
*geneqviff*
nil
wrld))))
(doublerewriteopportunities
(1+ hypindex)
(cdr hyps)
(coveredgeneqvalist term
newgeneqv
(assert$ (variablep var)
(extendgeneqvalist
var newgeneqv
vargeneqvalist wrld))
wrld)
finalterm finallocation finalgeneqv
wrld)))
(t (mvlet (varequivsalist varcounts vargeneqvalist)
(uncoveredequivsalist (car hyps)
*geneqviff*
vargeneqvalist
vargeneqvalist
t
nil nil
wrld)
(let ((cdrresult
(doublerewriteopportunities (1+ hypindex)
(cdr hyps)
vargeneqvalist
finalterm
finallocation
finalgeneqv
wrld)))
(if varequivsalist
(cons (list* (msg "the ~n0 hypothesis"
(list hypindex))
varequivsalist varcounts)
cdrresult)
cdrresult))))))))))
(defun showdoublerewriteopportunities1 (location varequivsalist
varcountalist token name
maxtermmsg ctx state)
; This should only be called in a context where we know that doublerewrite
; warnings are enabled. Otherwise we lose efficiency, and anyhow warning$ is
; called below with ("Doublerewrite").
(cond ((endp varequivsalist)
state)
(t (pprogn (let* ((var (caar varequivsalist))
(count (let ((pair (assoceq var varcountalist)))
(assert$ pair (cdr pair)))))
(warning$ ctx ("Doublerewrite")
"In a ~x0 rule generated from ~x1~@2, ~
equivalence relation~#3~[ ~&3~ is~/s ~&3 ~
are~] maintained at ~n4 problematic ~
occurrence~#5~[~/s~] of variable ~x6 in ~@7, ~
but not at any binding occurrence of ~x6. ~
Consider replacing ~#5~[that ~
occurrence~/those ~n4 occurrences~] of ~x6 in ~
~@7 with ~x8. See :doc doublerewrite for ~
more information on this issue."
token name
maxtermmsg
(cdar varequivsalist)
count
(if (eql count 1) 0 1)
var
location
(list 'doublerewrite var)))
(showdoublerewriteopportunities1
location (cdr varequivsalist) varcountalist
token name maxtermmsg ctx state)))))
(defun showdoublerewriteopportunities (hypvarequivscountsalistpairs
token name maxtermmsg ctx state)
; Hypvarequivscountsalistpairs is an alist as returned by
; doublerewriteopportunities; see the comment there. Finalterm,
; finallocation, finalvarequivsalist, and finalvarcountalist are the
; analog of one entry of that alist, but for the righthand side of a rewrite
; rule or the conclusion of a linear rule.
; For efficiency, check warningdisabledp before calling this function.
(cond ((endp hypvarequivscountsalistpairs)
state)
(t (pprogn (showdoublerewriteopportunities1
(caar hypvarequivscountsalistpairs)
(cadar hypvarequivscountsalistpairs)
(cddar hypvarequivscountsalistpairs)
token name maxtermmsg ctx state)
(showdoublerewriteopportunities
(cdr hypvarequivscountsalistpairs)
token name maxtermmsg ctx state)))))
(defun chkrewriterulewarnings (name matchfree rule ctx ens wrld state)
(let* ((token (if (eq (access rewriterule rule :subclass)
'definition)
:definition
:rewrite))
(hyps (access rewriterule rule :hyps))
(lhs (access rewriterule rule :lhs))
(nonrecfnslhs (nonrecursivefnnames lhs ens wrld))
(lhsvars (allvars lhs))
(rhsvars (allvars (access rewriterule rule :rhs)))
(freevars (freevarsinhypsconsideringbindfree
hyps
lhsvars
wrld))
(insthyps (hypsthatinstantiatefreevars freevars hyps))
(nonrecfnsinsthyps
(nonrecursivefnnameslst
(striptoplevelnotsandforces insthyps) ens wrld))
(subsumecheckenabled (not (warningdisabledp "Subsume")))
(subsumedrulenames
(and subsumecheckenabled
(findsubsumedrulenames (getprop (ffnsymb lhs) 'lemmas nil
'currentacl2world wrld)
rule ens wrld)))
(subsumingrulenames
(and subsumecheckenabled
(findsubsumingrulenames (getprop (ffnsymb lhs) 'lemmas nil
'currentacl2world wrld)
rule ens wrld)))
(equiv (access rewriterule rule :equiv))
(doublerewriteopportunities
(and (not (warningdisabledp "Doublerewrite"))
(doublerewriteopportunities
1
hyps
(coveredgeneqvalist
lhs
(cadr (geneqvlst equiv nil nil wrld)) ; geneqv
nil wrld)
(access rewriterule rule :rhs)
"the righthand side"
(cadr (geneqvlst (access rewriterule rule :equiv) nil nil wrld))
wrld))))
(pprogn
(cond (doublerewriteopportunities
(showdoublerewriteopportunities doublerewriteopportunities
token name "" ctx state))
(t state))
(cond
(nonrecfnslhs
(warning$ ctx "Nonrec"
"A ~x0 rule generated from ~x1 will be ~
triggered only by terms containing the nonrecursive ~
function symbol~#2~[ ~&2. Unless this function ~
is~/s ~&2. Unless these functions are~] disabled, ~
this rule is unlikely ever to be used."
token name (hidelambdas nonrecfnslhs)))
(t state))
(erprogn
(cond
((and freevars (null matchfree))
(pprogn
(warning$ ctx "Free"
"A ~x0 rule generated from ~x1 contains the free ~
variable~#2~[ ~&2. This variable~/s ~&2. These ~
variables~] will be chosen by searching for ~#3~[an ~
instance~/instances~] of ~*4 among the hypotheses of the ~
conjecture being rewritten. This is generally a severe ~
restriction on the applicability of a ~x0 rule. ~
See :DOC freevariables."
token name freevars
insthyps
(tilde*untranslatelstphrase insthyps t wrld))
(freevariableerror? token name ctx wrld state)))
(t (value nil)))
(pprogn
(cond
((and freevars
(forcedhyps insthyps))
(warning$ ctx "Free"
"For the forced ~#0~[hypothesis~/hypotheses~], ~*1, used to ~
instantiate free variables we will search for ~#0~[an ~
instance of the argument~/instances of the arguments~] ~
rather than ~#0~[an instance~/instances~] of the FORCE or ~
CASESPLIT ~#0~[term itself~/terms themselves~]. If a ~
search fails for such a hypothesis, we will cause a case ~
split on the partially instantiated hypothesis. Note that ~
this case split will introduce a ``free variable'' into ~
the conjecture. While sound, this will establish a goal ~
almost certain to fail since the restriction described by ~
this apparently necessary hypothesis constrains a variable ~
not involved in the problem. To highlight this oddity, we ~
will rename the free variables in such forced hypotheses ~
by prefixing them with ``???''. This is not guaranteed ~
to generate a new variable but at least it generates an ~
unusual one. If you see such a variable in a subsequent ~
proof (and did not introduce them yourself) you should ~
consider the possibility that the free variables of this ~
rewrite rule were forced into the conjecture."
(if (null (cdr (forcedhyps insthyps))) 0 1)
(tilde*untranslatelstphrase (forcedhyps insthyps) t
wrld)))
(t state))
(cond
((setdifferenceeq rhsvars lhsvars)
; Usually the above will be nil. If not, the recomputation below is no big
; deal.
(cond
((setdifferenceeq rhsvars
(allvars1lst hyps lhsvars))
(warning$ ctx "Free"
"A ~x0 rule generated from ~x1 contains the the free ~
variable~#2~[~/s~] ~&2 on the righthand side of the ~
rule, which ~#2~[is~/are~] not bound on the lefthand ~
side~#3~[~/ or in the hypothesis~/ or in any ~
hypothesis~]. This can cause new variables to be ~
introduced into the proof, which may surprise you."
token name
(setdifferenceeq rhsvars
(allvars1lst hyps lhsvars))
(zerooneormore hyps)))
(t state)))
(t state))
(cond
(nonrecfnsinsthyps
(warning$ ctx "Nonrec"
"As noted, we will instantiate the free ~
variable~#0~[~/s~], ~&0, of a ~x1 rule generated from ~
~x2, by searching for the ~#3~[hypothesis~/set of ~
hypotheses~] shown above. However, ~#3~[this hypothesis ~
mentions~/these hypotheses mention~] the function ~
symbol~#4~[ ~&4, which is~/s ~&4, which are~] defun'd ~
nonrecursively. Unless disabled, ~#4~[this function ~
symbol is~/these function symbols are~] unlikely to occur ~
in the conjecture being proved and hence the search for ~
the required ~#3~[hypothesis~/hypotheses~] will likely ~
fail."
freevars token name insthyps
(hidelambdas nonrecfnsinsthyps)))
(t state))
(cond
(subsumedrulenames
(warning$ ctx ("Subsume")
"A newly proposed ~x0 rule generated from ~x1 probably ~
subsumes the previously added :REWRITE rule~#2~[~/s~] ~
~&2, in the sense that the new rule will now probably be ~
applied whenever the old rule~#2~[~/s~] would have been."
token name subsumedrulenames))
(t state))
(cond
(subsumingrulenames
(warning$ ctx ("Subsume")
"The previously added rule~#1~[~/s~] ~&1 subsume~#1~[s~/~] ~
a newly proposed ~x0 rule generated from ~x2, in the ~
sense that the old rule~#1~[ rewrites a more general ~
target~/s rewrite more general targets~]. Because the ~
new rule will be tried first, it may nonetheless find ~
application."
token
subsumingrulenames
name))
(t state))
(value nil))))))
(defun chkacceptablerewriterule2 (name matchfree hyps concl ctx ens wrld
state)
; This is the basic function for checking that (IMPLIES (AND . hyps)
; concl) generates a useful :REWRITE rule. If it does not, we cause an
; error. If it does, we may print some warnings regarding the rule
; generated. The superior functions, chkacceptablerewriterule1
; and chkacceptablerewriterule just cycle down to this one after
; flattening the IMPLIES/AND structure of the user's input term. When
; successful, this function returns a ttree justifying the storage of
; the :REWRITE rule  it sometimes depends on typeset information.
(mvlet
(eqv lhs rhs ttree)
(interprettermasrewriterule concl ens wrld)
(cond
((or (variablep lhs)
(fquotep lhs)
(flambdaapplicationp lhs)
(eq (ffnsymb lhs) 'if))
(er soft ctx
"A :REWRITE rule generated from ~x0 is illegal because it rewrites ~
the ~@1 ~X23. See :DOC rewrite."
name
(cond ((variablep lhs) "variable symbol")
((fquotep lhs) "quoted constant")
((flambdaapplicationp lhs) "LETexpression")
(t "IFexpression"))
lhs
(defaultevisctuple state)))
(t (let ((badsynphypmsg (badsynphypmsg
hyps (allvars lhs) nil wrld)))
(cond
(badsynphypmsg
(er soft ctx
"A rewrite rule generated from ~x0 is illegal because ~@1"
name
badsynphypmsg))
(t
(let ((rewriterule
(createrewriterule *fakeruneforanonymousenabledrule*
nil hyps eqv lhs rhs nil nil nil wrld)))
; The :REWRITE rule created above is used only for subsumption checking and
; then discarded. The rune, nume, loopstopperlst, and matchfree used are
; irrelevant. The warning messages, if any, concerning subsumption report the
; name of the rule as name.
(erprogn
(chkrewriterulewarnings name matchfree rewriterule ctx ens
wrld state)
(value ttree))))))))))
(defun chkacceptablerewriterule1 (name matchfree lst ctx ens wrld state)
; Each element of lst is a pair, (hyps . concl) and we check that each
; such pair, when interpreted as the term (implies (and . hyps)
; concl), generates a legal :REWRITE rule. We return the accumulated
; ttrees.
(cond
((null lst) (value nil))
(t (erlet* ((ttree1
(chkacceptablerewriterule2 name matchfree
(caar lst) (cdar lst)
ctx ens wrld state))
(ttree
(chkacceptablerewriterule1 name matchfree
(cdr lst) ctx ens wrld state)))
(value (constagtrees ttree1 ttree))))))
(defun chkacceptablerewriterule (name matchfree term ctx ens wrld state)
; We strip the conjuncts out of term and flatten those in the
; hypotheses of implications to obtain a list of implications, each of
; the form (IMPLIES (AND . hyps) concl), and each represented simply
; by a pair (hyps . concl). For each element of that list we then
; determine whether it generates a legal :REWRITE rule. See
; chkacceptablerewriterule2 for the guts of this test. We either
; cause an error or return successfully. We may print warning
; messages without causing an error. On successful returns the value
; is a ttree that justifies the storage of all the :REWRITE rules.
(chkacceptablerewriterule1 name matchfree (unprettyify term) ctx ens wrld
state))
; So now we work on actually generating and adding the rules.
(defun addrewriterule2 (rune nume hyps concl loopstopperlst
backchainlimitlst matchfree ens wrld)
; This is the basic function for generating and adding a rule named
; rune from the formula (IMPLIES (AND . hyps) concl).
(mvlet (eqv lhs rhs ttree)
(interprettermasrewriterule concl ens wrld)
(declare (ignore ttree))
(let* ((matchfreevalue (matchfreevalue matchfree hyps lhs wrld))
(rewriterule (createrewriterule rune nume hyps eqv
lhs rhs
loopstopperlst
backchainlimitlst
matchfreevalue
wrld))
(wrld1 (putprop (ffnsymb lhs)
'lemmas
(cons rewriterule
(getprop (ffnsymb lhs) 'lemmas nil
'currentacl2world wrld))
wrld)))
(putmatchfreevalue matchfreevalue rune wrld1))))
(defun addrewriterule1 (rune nume lst loopstopperlst
backchainlimitlst matchfree ens wrld)
; Each element of lst is a pair, (hyps . concl). We generate and
; add to wrld a :REWRITE for each.
(cond ((null lst) wrld)
(t (addrewriterule1 rune nume (cdr lst)
loopstopperlst
backchainlimitlst
matchfree
ens
(addrewriterule2 rune nume
(caar lst)
(cdar lst)
loopstopperlst
backchainlimitlst
matchfree
ens
wrld)))))
(defun addrewriterule (rune nume loopstopperlst term
backchainlimitlst matchfree ens wrld)
; This function might better be called "addrewriterules" because we
; may get many :REWRITE rules from term. But we are true to our naming
; convention. "Consistency is the hobgoblin of small minds." Emerson?
(addrewriterule1 rune nume (unprettyify term)
loopstopperlst backchainlimitlst matchfree ens wrld))
;
; Section: :LINEAR Rules
; We now move on to :LINEAR class rules.
(deflabel linear
:doc
":DocSection RuleClasses
make some arithmetic inequality rules~/
~l[ruleclasses] for a general discussion of rule classes and how they are
used to build rules from formulas. An example ~c[:]~ilc[corollary] formula
from which a ~c[:linear] rule might be built is:
~bv[]
Example:
(implies (and (eqlablep e) if inequality reasoning begins to
(truelistp x)) consider how (length (member a b))
(<= (length (member e x)) compares to any other term, add to
(length x))) set of known inequalities the fact
that it is no larger than (length b),
provided (eqlablep a) and (truelistp b)
rewrite to t
General Form:
(and ...
(implies (and ...hi...)
(implies (and ...hk...)
(and ...
(rel lhs rhs)
...)))
...)
~ev[]
Note: One ~c[:linear] rule class object might create many linear
arithmetic rules from the ~c[:]~ilc[corollary] formula. To create the rules,
we first flatten the ~ilc[and] and ~ilc[implies] structure of the formula,
transforming it into a conjunction of formulas, each of the form
~bv[]
(implies (and h1 ... hn) (rel lhs rhs))
~ev[]
where no hypothesis is a conjunction and ~c[rel] is one of the
inequality relations ~ilc[<], ~ilc[<=], ~ilc[=], ~ilc[>], or ~ilc[>=]. If
necessary, the hypothesis of such a conjunct may be vacuous.
We create a ~c[:linear] rule for each such conjunct, if possible, and
otherwise cause an error.~/
Each rule has one or more ``trigger
terms'' which may be specified by the user using the ~c[:triggerterms]
field of the rule class or which may be defaulted to values chosen
by the system. We discuss the determination of trigger terms after
discussing how linear rules are used.
~c[:linear] rules are used by an arithmetic decision procedure
during rewriting. ~l[lineararithmetic] and
~pl[nonlineararithmetic]. Here we assume that the reader is
familiar with the material described in ~ilc[lineararithmetic].
Recall that we eliminate the unknowns of an inequality in
termorder, largest unknowns first. (~l[termorder].) In order to
facilitate this strategy, we store the inequalities in ``linear pots''.
For purposes of the present discussion, let us say that an inequality is
``about'' its largest unknown. Then, all of the inequalities about
a particular unknown are stored in the same linear pot, and the pot
is said to be ``labeled'' with that unknown. This storage layout
groups all of the inequalities which are potential candidates for
cancellation with each other into one place. It is also key to the
efficient operation of ~c[:linear] rules.
If the arithmetic decision procedure has stabilized and not yielded a
contradiction, we scan through the list of linear pots examining
each label as we go. If the trigger term of some ~c[:linear] rule
can be instantiated to match the label, we so instantiate that rule
and attempt to relieve the hypotheses with generalpurpose rewriting.
If we are successful, we add the rule's instantiated conclusion to
our set of inequalities. This may let cancellation continue.
Note: Problems may arise if you explicitly store a linear lemma
under a trigger term that, when instantiated, is not the largest
unknown in the instantiated concluding inequality. Suppose for
example you store the linear rule ~c[(<= (fn i j) (/ i (* j j)))] under
the trigger term ~c[(fn i j)]. Then when the system ``needs'' an
inequality about ~c[(fn a b)], (i.e., because ~c[(fn a b)] is the
label of some linear pot, and hence the largest unknown in some
inequality), it
will appeal to the rule and deduce ~c[(<= (fn a b) (/ a (* b b)))].
However, the largest unknown in this inequality is ~c[(/ a (* b b))] and
hence it will be stored in a linear pot labeled with ~c[(/ a (* b b))].
The original, triggering inequality which is in a pot about ~c[(fn a b)]
will therefore not be cancelled against the new one. It is generally
best to specify as a trigger term one of the ``maximal'' terms of the
polynomial, as described below.
We now describe how the trigger terms are determined. Most of the
time, the trigger terms are not specified by the user and are
instead selected by the system. However, the user may specify the
terms by including an explicit ~c[:triggerterms] field in the rule
class, e.g.,
~bv[]
General Form of a Linear Rule Class:
(:LINEAR :COROLLARY formula
:TRIGGERTERMS (term1 ... termk))
~ev[]
Each ~c[termi] must be a term and must not be a variable, quoted
constant, lambda application, ~c[letexpression] or ~c[ifexpression]. In
addition, each ~c[termi] must be such that if all the variables in the
term are instantiated and then the hypotheses of the corollary
formula are relieved (possibly instantiating additional free
variables), then all the variables in the concluding inequality are
instantiated. We generate a linear rule for each conjuctive branch
through the corollary and store each rule under each of the
specified triggers. Thus, if the corollary formula contains several
conjuncts, the variable restrictions on the ~c[termi] must hold for each
conjunct.
If ~c[:triggerterms] is omitted the system computes a set of trigger
terms. Each conjunct of the corollary formula may be given a unique
set of triggers depending on the variables that occur in the
conjunct and the addends that occur in the concluding inequality.
In particular, the trigger terms for a conjunct is the list of all
``maximal addends'' in the concluding inequality.
The ``addends'' of ~c[(+ x y)] and ~c[( x y)] are the union of the
addends of ~c[x] and ~c[y]. The addends of ~c[( x)] and ~c[(* n x)],
where ~c[n] is a rational constant, is just ~c[{x}]. The
addends of an inequality are the union of the addends of the left
and righthand sides. The addends of any other term, ~c[x], is
~c[{x}].
A term is maximal for a conjunct ~c[(implies hyps concl)] of the
corollary if (a) the term is a nonvariable, nonquote, nonlambda
application, non~ilc[let] and non~ilc[if] expression, (b) the term
contains enough variables so that when they are instantiated and the
hypotheses are relieved (which may bind some free variables;
~pl[freevariables]) then all the variables in ~c[concl] are
instantiated, and (c) no other addend is always ``bigger'' than the
term, in the technical sense described below.
The technical notion below depends on the notion of ~em[fncount],
the number of function symbols in a term, and ~em[pseudofncount],
which is the number of function symbols implicit in a constant (see
the comment on pseduofncount in the definition of varfncount in
the sources for details). We say ~c[term1] is always bigger than
~c[term2] if all instances of ~c[term1] have a larger fncount
(actually lexicographic order of fncount and pseudofncount) than
the corresponding instances of ~c[term2]. This is equivalent to
saying that the fncount of ~c[term1] is larger than that of
~c[term2] (by ``fncount'' here we mean the lexicographic order of
fncount and pseudofncount) and the variable bag for ~c[term2] is
a subbag of that for ~c[term1]. For example, ~c[(/ a (* b b))] is
always bigger than ~c[(fn a b)] because the first has two function
applications and ~c[{a b}] is a subbag of ~c[a b b], but
~c[(/ a (* b b))] is not always bigger than ~c[(fn a x)].")
(defun expandinequalityfncall1 (term)
; Term is a nonvariable, nonquotep term. If it is a call of one of
; the primitive arithmetic relations, <, =, and /=, we return a
; nearlyequivalent term using not, equal, and < in place of that
; toplevel call. Otherwise, we return term. We ignore the guards of
; arithmetic relations expanded!
; Warning: See the warning in expandinequalityfncall below. It is
; crucial that if (fn a b) is expanded here then the guards necessary
; to justify that expansion are implied by the rationalp assumptions
; produced during the linearization of the expanded term. In
; particular, (rationalp a) and (rationalp b) ought to be sufficient
; to permit (fn a b) to expand to whatever we produce below.
(let ((fn (ffnsymb term)))
(case
fn
(< term)
(= (mconsterm* 'equal (fargn term 1) (fargn term 2)))
(/= (mconsterm* 'not (mconsterm* 'equal (fargn term 1) (fargn term 2))))
(otherwise term))))
(defun expandinequalityfncall (term)
; If term is a (possibly negated) call of a primitive arithmetic
; relation, <, = and /=, we reexpress it in terms of
; not, equal, and < so that it can be linearized successfully.
; Otherwise, we return term.
; Warning: This function expands the definitions of the primitives
; above without considering their guards. This is unsound if the
; expanded form is used in place of the term. For example, (= x y)
; is here expanded to (equal x y), and in the case that the
; guards are violated the two terms are not equivalent. Do not call
; this function casually!
; What is the intended use of this function? Suppose the user has
; proved a theorem, (implies hyps (= a b)) and wants it stored as a
; :LINEAR rule. We instead store a rule concluding with (equal a b)!
; Note that the rule we store is not equivalent to the rule proved!
; We've ignored the acl2numberp guards on =. Isn't that scary? Yes.
; But how do :LINEAR rules get used? Let max be one of the maximal
; terms of the rule we store and suppose we encounter a term, max',
; that is an instance of max. Then we will instantiate the stored
; conclusion (equal a b) with the substitution derived from max' to
; obtain (equal a' b') and then linearize that. The linearization of
; an equality insists that both arguments be known rational  i.e.
; that their typesets are a subset of *tsrational*. Thus, in
; essence we are acting as though we had the theorem (implies (and
; (rationalp a) (rationalp b) hyps) (equal a b)) and use typeset to
; relieve the first two hyps. But this imagined theorem is an easy
; consequence of (implies hyps (= a b)) given that (rationalp a) and
; (rationalp b) let us reduce (= a b) to (equal a b).
(mvlet (negativep atm)
(stripnot term)
(let ((atm (cond ((variablep atm) atm)
((fquotep atm) atm)
(t (expandinequalityfncall1 atm)))))
(cond
(negativep (dumbnegatelit atm))
(t atm)))))
; Once we linearize the conclusion of a :LINEAR lemma, we extract all the
; linear variables (i.e., terms in the alist of the polys) and identify
; those that are "maximal."
(defun allvarsinpolylst (lst)
; Lst is a list of polynomials. We return the list of all linear variables
; used.
(cond ((null lst) nil)
(t (unionequal (stripcars (access poly (car lst) :alist))
(allvarsinpolylst (cdr lst))))))
; Part of the notion of maximal is "always bigger", which we develop here.
(defun subbagpeq (bag1 bag2)
(cond ((null bag1) t)
((null bag2) nil)
((membereq (car bag1) bag2)
(subbagpeq (cdr bag1) (remove1eq (car bag1) bag2)))
(t nil)))
(defun alwaysbiggerpdata (term)
; See alwaysbiggerp.
(mvlet (fncnt pfncnt)
(fncount term)
(cons term (cons fncnt (cons pfncnt (allvarsbag term nil))))))
(defun alwaysbiggerpdatalst (lst)
; See alwaysbiggerp.
(cond ((null lst) nil)
(t (cons (alwaysbiggerpdata (car lst))
(alwaysbiggerpdatalst (cdr lst))))))
(defun alwaysbiggerp (abd1 abd2)
; We say term1 is always bigger than term2 if all instances of term1
; have a larger fncount (actually lexicographic order of fncount and
; pseudofncount) than the corresponding instances of term2. This is
; equivalent to saying that the fncount of term1 is larger than that
; of term2 (by "fncount" here we mean the lexicographic order of
; fncount and pseudofncount) and the variable bag for term2 is a
; subbag of that for term1.
; Because we will be doing this check repeatedly across a list of terms
; we have converted the terms into "abd" (always bigger data)
; triples of the form (term fncnt . vars). Our two arguments are
; abd triples for term1 and term2.
(and (or (> (cadr abd1) (cadr abd2))
(and (eql (cadr abd1) (cadr abd2))
(> (caddr abd1) (caddr abd2))))
(subbagpeq (cdddr abd2) (cdddr abd1))))
; That completes the notion of alwaysbiggerp. We now complete the
; notion of "maximal term". It is probably best to read backwards from
; that defun.
(defun noelementalwaysbiggerp (abdlst abd)
; abdlst is a list of alwaysbiggerpdata triples. Abd is one such
; triple. If there is an element of the lst that is always bigger than
; abd, we return nil; else t.
(cond ((null abdlst) t)
((alwaysbiggerp (car abdlst) abd) nil)
(t (noelementalwaysbiggerp (cdr abdlst) abd))))
(defun maximalterms1 (abdlst abdlst0 neededvars)
; See maximalterms.
(cond ((null abdlst) nil)
((and (nvariablep (car (car abdlst)))
(not (fquotep (car (car abdlst))))
(not (flambdaapplicationp (car (car abdlst))))
(not (eq (ffnsymb (car (car abdlst))) 'if))
(subsetpeq neededvars (cdddr (car abdlst)))
(noelementalwaysbiggerp abdlst0 (car abdlst)))
(cons (car (car abdlst))
(maximalterms1 (cdr abdlst) abdlst0 neededvars)))
(t (maximalterms1 (cdr abdlst) abdlst0 neededvars))))
(defun maximalterms (lst hypvars conclvars)
; Lst is a list of terms. Hypvars and conclvars are the variables
; occurring in the hypothesis and conclusion, respectively, of some
; lemma. We wish to return the subset of "maximal terms" in lst.
; These terms will be used as triggers to fire the :LINEAR rule built
; from (implies hyps concl). A term is maximal if it is not a
; variable, quote, lambdaapplication or IF, its variables plus those
; of the hyps include those of the conclusion (so there are no free
; vars in the conclusion after we match on the maximal term and
; relieve the hyps) and there is no other term in lst that is "always
; bigger." Intuitively, the idea behind "always bigger" is that the
; fncount of one term is larger than that of the other, under all
; instantiations.
; The subroutine maximalterms1 does most of the work. We convert the
; list of terms into an abd list, containing triples of the form (term
; fncnt . vars) for each term in lst. Then we pass maximalterms1
; two copies of this; the first it recurs down so as to visit one term
; at a time and the second it holds fixed to use to search for bigger
; terms. Finally, a condition equivalent to the variable restriction
; above is that each maximal term contain at least those variables in
; the conclusion which aren't in the hyps, and so we compute that set
; here to avoid more consing.
(let ((abdlst (alwaysbiggerpdatalst lst)))
(maximalterms1 abdlst abdlst
(if (eq hypvars t)
nil
(setdifferenceeq conclvars hypvars)))))
; That finishes maximalterms. Onward.
; We now develop the functions to support the friendly user interface.
(defun collectwhenffnnamesp (fns lst)
; Return the subset of lst consisting of those terms that mention any
; fn in fns.
(cond ((null lst) nil)
((ffnnamesp fns (car lst))
(cons (car lst) (collectwhenffnnamesp fns (cdr lst))))
(t (collectwhenffnnamesp fns (cdr lst)))))
(defun makefreemaxtermsmsg1 (maxterms vars hyps)
; This function is used by makefreemaxtermsmsg1 and is building a
; list of pairs of the form (str . alist'). Each such pair is
; suitable for giving to the ~@ fmt directive, which will print the
; string str under the alist obtained by appending alist' to the
; current alist. The idea here is simply to identify those maxterms
; that give rise to freevars in the hyps and to comment upon them.
(cond ((null maxterms) nil)
((subsetpeq vars (allvars (car maxterms)))
(makefreemaxtermsmsg1 (cdr maxterms) vars hyps))
(t (cons
(cons
"When ~xN is triggered by ~xT the variable~#V~[~/s~] ~&V ~
will be chosen by searching for ~#H~[an ~
instance~/instances~] of ~&H among the hypotheses of the ~
conjecture being rewritten. "
(list (cons #\T (car maxterms))
(cons #\V (setdifferenceeq vars
(allvars (car maxterms))))
(cons #\H (hypsthatinstantiatefreevars
(setdifferenceeq vars
(allvars (car maxterms)))
hyps))))
(makefreemaxtermsmsg1 (cdr maxterms) vars hyps)))))
(defun makefreemaxtermsmsg (name maxterms vars hyps)
; We make a message suitable for giving to the ~* fmt directive that
; will print out a sequence of sentences of the form "When name is
; triggered by foo the variables u and v will be chosen by searching
; for the hypotheses h1 and h2. When ..." Vars is a list of the
; variables occurring in the hypotheses of the lemma named name.
; Hyps is the list of hyps. We always end with two spaces.
(list* ""
"~@*"
"~@*"
"~@*"
(makefreemaxtermsmsg1 maxterms vars hyps)
(list (cons #\N name))))
(defun externallinearize (term ens wrld state)
(linearize term
t ;positivep
nil ;typealist
ens
(oktoforceens ens)
wrld ;wrld
nil ;ttree
state))
(defun badsynphypmsgforlinear (maxterms hyps wrld)
(if (null maxterms)
(mv nil nil)
(let ((badsynphypmsg (badsynphypmsg hyps (allvars (car maxterms))
nil wrld)))
(if badsynphypmsg
(mv badsynphypmsg (car maxterms))
(badsynphypmsgforlinear (cdr maxterms) hyps wrld)))))
(defun showdoublerewriteopportunitieslinear (hyps maxterms finalterm name
ctx wrld state)
(cond ((endp maxterms)
state)
(t (pprogn (showdoublerewriteopportunities
(doublerewriteopportunities
1
hyps
(coveredgeneqvalist (car maxterms) nil nil wrld)
finalterm
"the conclusion"
*geneqviff* ; finalgeneqv
wrld)
:linear name
(msg " for trigger term ~x0"
(untranslate (car maxterms) nil wrld))
ctx state)
(showdoublerewriteopportunitieslinear
hyps (cdr maxterms) finalterm name ctx wrld
state)))))
(defun chkacceptablelinearrule2
(name matchfree triggerterms hyps concl ctx ens wrld state)
; This is the basic function for checking that (implies (AND . hyps)
; concl) generates a useful :LINEAR rule. If it does not, we cause an
; error. If it does, we may print some warnings regarding the rule
; generated. The superior functions, chkacceptablelinearrule1
; and chkacceptablelinearrule just cycle down to this one after
; flattening the IMPLIES/AND structure of the user's input term.
; The triggerterms above are those supplied by the user in the rule class. If
; nil, we are to generate the trigger terms automatically, choosing all of the
; maximal terms. If provided, we know that each element of triggerterms is a
; term that is a legal (if possibly silly) trigger for each rule.
(let* ((xconcl (expandinequalityfncall concl))
(lst (externallinearize xconcl ens wrld state)))
(cond ((null lst)
(er soft ctx
"No :LINEAR rule can be generated from ~x0. See :DOC linear."
name))
((not (null (cdr lst)))
(er soft ctx
"No :LINEAR rule can be generated from ~x0 because the ~
linearization of its conclusion, which in normal form is ~p1, ~
produces a disjunction of polynomial inequalities. See :DOC ~
linear."
name
(untranslate xconcl t wrld)))
(t (let* ((allvarshyps (allvarsinhyps hyps))
(potentialfreevars
(freevarsinhypsconsideringbindfree hyps nil wrld))
(allvarsinpolylst
(allvarsinpolylst (car lst)))
(maxterms
(or triggerterms
(maximalterms allvarsinpolylst
allvarshyps
(allvars concl))))
(nonrecfns (nonrecursivefnnameslst
maxterms ens wrld))
(badmaxterms (collectwhenffnnamesp
nonrecfns
maxterms))
(freemaxtermsmsg
(makefreemaxtermsmsg name
maxterms
potentialfreevars
hyps)))
(cond
((null maxterms)
(cond
((null allvarsinpolylst)
(er soft ctx
"No :LINEAR rule can be generated from ~x0 because ~
there are no ``maximal terms'' in the inequality ~
produced from its conclusion. In fact, the inequality ~
has simplified to one that has no variables."
name))
(t
(er soft ctx
"No :LINEAR rule can be generated from ~x0 because ~
there are no ``maximal terms'' in the inequality ~
produced from its conclusion. The inequality produced ~
from its conclusion involves a linear polynomial in ~
the unknown~#1~[~/s~] ~&1. No unknown above has the ~
three properties of a maximal term (see :DOC linear). ~
What can you do? The most direct solution is to make ~
this a :REWRITE rule rather than a :LINEAR rule. Of ~
course, you then have to make sure your intended ~
application can suffer it being a :REWRITE rule! A ~
more challenging (and sometimes more rewarding) ~
alternative is to package up some of your functions ~
into a new nonrecursive function (either in the ~
unknowns or the hypotheses) so as to create a maximal ~
term. Of course, if you do that, you have to arrange ~
to use that nonrecursive function in the intended ~
applications of this rule."
name allvarsinpolylst))))
(t
(mvlet (badsynphypmsg badmaxterm)
(badsynphypmsgforlinear maxterms hyps wrld)
(cond
(badsynphypmsg
(er soft ctx
"While checking the hypotheses of ~x0 and using ~
the trigger term ~x1, the following error message ~
was generated: ~% ~%~
~@2"
name
badmaxterm
badsynphypmsg))
(t
(pprogn
(if (warningdisabledp "Doublerewrite")
state
(showdoublerewriteopportunitieslinear
hyps maxterms concl name ctx wrld state))
(cond
((equal maxterms badmaxterms)
(warning$ ctx "Nonrec"
"A :LINEAR rule generated from ~x0 will be ~
triggered only by terms containing the ~
nonrecursive function symbol~#1~[ ~&1. Unless ~
this function is~/s ~&1. Unless these functions ~
are~] disabled, such triggering terms are ~
unlikely to arise and so ~x0 is unlikely to ever ~
be used."
name (hidelambdas nonrecfns)))
(badmaxterms
(warning$ ctx "Nonrec"
"A :LINEAR rule generated from ~x0 will be ~
triggered by the terms ~&1. ~N2 of these terms, ~
namely ~&3, contain~#3~[s~/~] the nonrecursive ~
function symbol~#4~[ ~&4. Unless this function ~
is~/s ~&4. Unless these functions are~] ~
disabled, ~x0 is unlikely to be triggered via ~
~#3~[this term~/these terms~]."
name
maxterms
(length badmaxterms)
badmaxterms
(hidelambdas nonrecfns)))
(t state))
(cond
((and (car (cddddr freemaxtermsmsg))
(null matchfree))
(pprogn
(warning$ ctx "Free"
"A :LINEAR rule generated from ~x0 will be ~
triggered by the term~#1~[~/s~] ~&1. ~*2This is ~
generally a severe restriction on the ~
applicability of the :LINEAR rule."
name
maxterms
freemaxtermsmsg)
(freevariableerror? :linear name ctx wrld state)))
(t (value nil))))))))))))))
(defun chkacceptablelinearrule1 (name matchfree triggerterms lst ctx ens
wrld state)
; Each element of lst is a pair, (hyps . concl) and we check that each
; such pair, when interpreted as the term (implies (and . hyps)
; concl), generates a legal :LINEAR rule.
(cond
((null lst) (value nil))
(t (erprogn
(chkacceptablelinearrule2 name matchfree triggerterms (caar lst)
(cdar lst)
ctx ens wrld state)
(chkacceptablelinearrule1 name matchfree triggerterms (cdr lst)
ctx ens wrld state)))))
(defun chkacceptablelinearrule (name matchfree triggerterms term ctx ens
wrld state)
; We strip the conjuncts out of term and flatten those in the
; hypotheses of implications to obtain a list of implications, each of
; the form (IMPLIES (AND . hyps) concl), and each represented simply
; by a pair (hyps . concl). For each element of that list we then
; determine whether it generates a legal :LINEAR rule. See
; chkacceptablelinearrule2 for the guts of this test. We either
; cause an error or return successfully. We may print warning
; messages without causing an error.
(chkacceptablelinearrule1 name matchfree triggerterms
(unprettyify term)
ctx ens wrld state))
; And now, to adding :LINEAR rules...
(defun addlinearrule3 (rune nume hyps concl maxterms
backchainlimitlst matchfree putmatchfreedone
wrld)
(cond
((null maxterms) wrld)
(t (let* ((matchfreevalue
(matchfreevalue matchfree hyps (car maxterms) wrld))
(linearrule
(make linearlemma
:rune rune
:nume nume
:hyps hyps
:concl concl
:maxterm (car maxterms)
:backchainlimitlst
(cond (backchainlimitlst
(cadr backchainlimitlst))
(t (let ((limit (defaultbackchainlimit wrld)))
(and limit
(makelist (length hyps)
:initialelement
limit)))))
:matchfree matchfreevalue))
(wrld1 (putprop (ffnsymb (access linearlemma linearrule :maxterm))
'linearlemmas
(cons linearrule
(getprop (ffnsymb
(access linearlemma linearrule :maxterm))
'linearlemmas nil
'currentacl2world
wrld))
wrld)))
(addlinearrule3 rune nume hyps concl (cdr maxterms)
backchainlimitlst
matchfree
(or putmatchfreedone matchfreevalue)
(if putmatchfreedone
; In this case we have already added this rune to the appropriate world global,
; so we do not want to do so again.
wrld1
(putmatchfreevalue matchfreevalue rune wrld1)))))))
(defun addlinearrule2 (rune nume triggerterms hyps concl
backchainlimitlst matchfree ens wrld state)
(let* ((xconcl (expandinequalityfncall concl))
(lst (externallinearize xconcl ens wrld state))
(hyps (preprocesshyps hyps))
(allvarshyps (allvarsinhyps hyps))
(maxterms
(or triggerterms
(maximalterms (allvarsinpolylst (car lst))
allvarshyps
(allvars concl)))))
(addlinearrule3 rune nume hyps xconcl maxterms backchainlimitlst
matchfree nil wrld)))
(defun addlinearrule1 (rune nume triggerterms lst
backchainlimitlst matchfree ens wrld state)
(cond ((null lst) wrld)
(t (addlinearrule1 rune nume triggerterms (cdr lst)
backchainlimitlst
matchfree
ens
(addlinearrule2 rune nume
triggerterms
(caar lst)
(cdar lst)
backchainlimitlst
matchfree
ens wrld state)
state))))
(defun addlinearrule (rune nume triggerterms term
backchainlimitlst matchfree ens wrld state)
(addlinearrule1 rune nume triggerterms (unprettyify term)
backchainlimitlst matchfree ens wrld state))
;
; Section: :WELLFOUNDEDRELATION Rules
(deflabel wellfoundedrelation
:doc
":DocSection RuleClasses
show that a relation is wellfounded on a set~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. An example
~c[:]~ilc[corollary] formula from which a ~c[:wellfoundedrelation] rule might be
built is as follows. (Of course, the functions ~c[pairp], ~c[lex2p], and
~c[ordinate] would have to be defined first.)
~bv[]
Example:
(and (implies (pairp x) (op (ordinate x)))
(implies (and (pairp x)
(pairp y)
(lex2p x y))
(o< (ordinate x) (ordinate y))))
~ev[]
The above example establishes that ~c[lex2p] is a wellfounded
relation on ~c[pairp]s. We explain and give details below.~/
Exactly two general forms are recognized:
~bv[]
General Forms
(AND (IMPLIES (mp x) (OP (fn x))) ; Property 1
(IMPLIES (AND (mp x) ; Property 2
(mp y)
(rel x y))
(O< (fn x) (fn y)))),
~ev[]
or
~bv[]
(AND (OP (fn x)) ; Property 1
(IMPLIES (rel x y) ; Property 2
(O< (fn x) (fn y))))
~ev[]
where ~c[mp], ~c[fn], and ~c[rel] are function symbols, ~c[x] and ~c[y] are distinct
variable symbols, and no other ~c[:wellfoundedrelation] theorem about
~c[fn] has been proved. When the second general form is used, we act as
though the first form were used with ~c[mp] being the function that
ignores its argument and returns ~c[t]. The discussion below therefore
considers only the first general form.
Note: We are very rigid when checking that the submitted formula is
of one of these forms. For example, in the first form, we insist
that all the conjuncts appear in the order shown above. Thus,
interchanging the two properties in the toplevel conjunct or
rearranging the hyptheses in the second conjunct both produce
unrecognized forms. The requirement that each ~c[fn] be proved
wellfounded at most once ensures that for each wellfounded
relation, ~c[fn], there is a unique ~c[mp] that recognizes the domain on
which ~c[rel] is wellfounded. We impose this requirement simply so
that ~c[rel] can be used as a shorthand when specifying the
wellfounded relations to be used in definitions; otherwise the
specification would have to indicate which ~c[mp] was to be used.
~c[Mp] is a predicate that recognizes the objects that are supposedly
ordered in a wellfounded way by ~c[rel]. We call such an object an
``~c[mp]measure'' or simply a ``measure'' when ~c[mp] is understood.
Property 1 tells us that every measure can be mapped into an ACL2
ordinal. (~l[op].) This mapping is performed by ~c[fn].
Property 2 tells us that if the measure ~c[x] is smaller than the
measure ~c[y] according to ~c[rel] then the image of ~c[x] under ~c[fn] is a smaller
than that of ~c[y], according to the wellfounded relation ~ilc[o<].
(~l[o<].) Thus, the general form of a
~c[:wellfoundedrelation] formula establishes that there exists a
~c[rel]order preserving embedding (namely via ~c[fn]) of the ~c[mp]measures
into the ordinals. We can thus conclude that ~c[rel] is wellfounded on
~c[mp]measures.
Such wellfounded relations are used in the admissibility test for
recursive functions, in particular, to show that the recursion
terminates. To illustrate how such information may be used,
consider a generic function definition
~bv[]
(defun g (x) (if (test x) (g (step x)) (base x))).
~ev[]
If ~c[rel] has been shown to be wellfounded on ~c[mp]measures, then ~c[g]'s
termination can be ensured by finding a measure, ~c[(m x)], with the
property that ~c[m] produces a measure:
~bv[]
(mp (m x)), ; Defungoal1
~ev[]
and that the argument to ~c[g] gets smaller (when measured by ~c[m] and
compared by ~c[rel]) in the recursion,
~bv[]
(implies (test x) (rel (m (step x)) (m x))). ; Defungoal2
~ev[]
If ~c[rel] is selected as the ~c[:wellfoundedrelation] to be used in the
definition of ~c[g], the definitional principal will generate and
attempt to prove ~c[defungoal1] and ~c[defungoal2] to justify ~c[g]. We
show later why these two goals are sufficient to establish the
termination of ~c[g]. Observe that neither the ordinals nor the
embedding, ~c[fn], of the ~c[mp]measures into the ordinals is involved in
the goals generated by the definitional principal.
Suppose now that a ~c[:wellfoundedrelation] theorem has been proved
for ~c[mp] and ~c[rel]. How can ~c[rel] be ``selected as the
~c[:wellfoundedrelation]'' by ~ilc[defun]? There are two ways.
First, an ~ilc[xargs] keyword to the ~ilc[defun] event allows the
specification of a ~c[:wellfoundedrelation]. Thus, the definition
of ~c[g] above might be written
~bv[]
(defun g (x)
(declare (xargs :wellfoundedrelation (mp . rel)))
(if (test x) (g (step x)) (base x)))
~ev[]
Alternatively, ~c[rel] may be specified as the
~c[:defaultwellfoundedrelation] in ~ilc[acl2defaultstable] by
executing the event
~bv[]
(setdefaultwellfoundedrelation rel).
~ev[]
When a ~ilc[defun] event does not explicitly specify the relation in its
~ilc[xargs] the default relation is used. When ACL2 is initialized, the
default relation is ~ilc[o<].
Finally, though it is probably obvious, we now show that
~c[defungoal1] and ~c[defungoal2] are sufficient to ensure the
termination of ~c[g] provided ~c[property1] and ~c[property2] of ~c[mp] and ~c[rel]
have been proved. To this end, assume we have proved ~c[defungoal1]
and ~c[defungoal2] as well as ~c[property1] and ~c[property2] and we show
how to admit ~c[g] under the primitive ACL2 definitional principal
(i.e., using only the ordinals). In particular, consider the
definition event
~bv[]
(defun g (x)
(declare (xargs :wellfoundedrelation o<
:measure (fn (m x))))
(if (test x) (g (step x)) (base x)))
~ev[]
Proof that ~c[g] is admissible: To admit the definition of ~c[g] above we
must prove
~bv[]
(op (fn (m x))) ; *1
~ev[]
and
~bv[]
(implies (test x) ; *2
(o< (fn (m (step x))) (fn (m x)))).
~ev[]
But *1 can be proved by instantiating ~c[property1] to get
~bv[]
(implies (mp (m x)) (op (fn (m x)))),
~ev[]
and then relieving the hypothesis with ~c[defungoal1], ~c[(mp (m x))].
Similarly, *2 can be proved by instantiating ~c[property2] to get
~bv[]
(implies (and (mp (m (step x)))
(mp (m x))
(rel (m (step x)) (m x)))
(o< (fn (m (step x))) (fn (m x))))
~ev[]
and relieving the first two hypotheses by appealing to two
instances of ~c[defungoal1], thus obtaining
~bv[]
(implies (rel (m (step x)) (m x))
(o< (fn (m (step x))) (fn (m x)))).
~ev[]
By chaining this together with ~c[defungoal2],
~bv[]
(implies (test x)
(rel (m (step x)) (m x)))
~ev[]
we obtain *2. Q.E.D.")
(defun destructurewellfoundedrelationrule (term)
; We check that term is the translation of one of the two forms
; described in :DOC wellfoundedrelation. We return two results, (mv
; mp rel). If mp is nil in the result, then term is not of the
; required form. If mp is t, then term is of the second general form
; (i.e., we act as though t were the function symbol for (lambda (x)
; t)). With that caveat, if the mp is nonnil then term establishes
; that rel is a wellfounded relation on mpmeasures.
(casematch
term
(('IF ('IMPLIES (mp x) ('OP (fn x)))
('IMPLIES ('IF (mp x)
('IF (mp y) (rel x y) ''NIL)
''NIL)
('O< (fn x) (fn y)))
''NIL)
(cond ((and (symbolp mp)
(variablep x)
(symbolp fn)
(variablep y)
(not (eq x y))
(symbolp rel))
(mv mp rel))
(t (mv nil nil))))
(('IF ('OP (fn x))
('IMPLIES (rel x y)
('O< (fn x) (fn y)))
''NIL)
(cond ((and (variablep x)
(symbolp fn)
(variablep y)
(not (eq x y))
(symbolp rel))
(mv t rel))
(t (mv nil nil))))
(& (mv nil nil))))
(defun chkacceptablewellfoundedrelationrule (name term ctx wrld state)
(mvlet
(mp rel)
(destructurewellfoundedrelationrule term)
(cond
((null mp)
(er soft ctx
"No :WELLFOUNDEDRELATION rule can be generated for ~x0 ~
because it does not have either of the two general forms ~
described in :DOC wellfoundedrelation."
name))
((and (assoceq rel (globalval 'wellfoundedrelationalist wrld))
(not (eq (cadr (assoceq rel
(globalval 'wellfoundedrelationalist
wrld)))
mp)))
(er soft ctx
"~x0 was shown in ~x1 to be wellfounded~@2 We do not permit more ~
than one domain to be associated with a wellfounded relation. To ~
proceed in this direction, you should define some new function ~
symbol to be ~x0 and state your wellfoundedness in terms of the ~
new function."
rel
(cadr (cddr (assoceq rel
(globalval 'wellfoundedrelationalist
wrld))))
(if (eq (cadr (assoceq rel
(globalval 'wellfoundedrelationalist
wrld)))
t)
"."
(msg " on objects satisfying ~x0."
(cadr (assoceq rel
(globalval 'wellfoundedrelationalist
wrld)))))))
(t (value nil)))))
(defun addwellfoundedrelationrule (rune nume term wrld)
(declare (ignore nume))
(mvlet (mp rel)
(destructurewellfoundedrelationrule term)
(globalset 'wellfoundedrelationalist
(cons (cons rel (cons mp rune))
(globalval 'wellfoundedrelationalist wrld))
wrld)))
;
; Section: :BUILTINCLAUSE Rules
(deflabel builtinclauses
:doc
":DocSection RuleClasses
to build a clause into the simplifier~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. A ~c[:builtinclause]
rule can be built from any formula other than propositional
tautologies. Roughly speaking, the system uses the list of builtin
clauses as the first method of proof when attacking a new goal. Any
goal that is subsumed by a built in clause is proved ``silently.''~/
ACL2 maintains a set of ``builtin'' clauses that are used to
shortcircuit certain theorem proving tasks. We discuss this at
length below. When a theorem is given the rule class
~c[:builtinclause] ACL2 flattens the ~ilc[implies] and ~ilc[and] structure of the
~c[:]~ilc[corollary] formula so as to obtain a set of formulas whose
conjunction is equivalent to the given corollary. It then converts
each of these to clausal form and adds each clause to the set of
builtin clauses.
For example, the following ~c[:]~ilc[corollary] (regardless of the definition
of ~c[abl])
~bv[]
(and (implies (and (truelistp x)
(not (equal x nil)))
(< (acl2count (abl x))
(acl2count x)))
(implies (and (truelistp x)
(not (equal nil x)))
(< (acl2count (abl x))
(acl2count x))))
~ev[]
will build in two clauses,
~bv[]
{(not (truelistp x))
(equal x nil)
(< (acl2count (abl x)) (acl2count x))}
~ev[]
and
~bv[]
{(not (truelistp x))
(equal nil x)
(< (acl2count (abl x)) (acl2count x))}.
~ev[]
We now give more background.
Recall that a clause is a set of terms, implicitly representing the
disjunction of the terms. Clause ~c[c1] is ``subsumed'' by clause ~c[c2] if
some instance of ~c[c2] is a subset ~c[c1].
For example, let ~c[c1] be
~bv[]
{(not (consp l))
(equal a (car l))
(< (acl2count (cdr l)) (acl2count l))}.
~ev[]
Then ~c[c1] is subsumed by ~c[c2], shown below,
~bv[]
{(not (consp x))
; second term omitted here
(< (acl2count (cdr x)) (acl2count x))}
~ev[]
because we can instantiate ~c[x] in ~c[c2] with ~c[l] to obtain a subset of
~c[c1].
Observe that ~c[c1] is the clausal form of
~bv[]
(implies (and (consp l)
(not (equal a (car l))))
(< (acl2count (cdr l)) (acl2count l))),
~ev[]
~c[c2] is the clausal form of
~bv[]
(implies (consp l)
(< (acl2count (cdr l)) (acl2count l)))
~ev[]
and the subsumption property just means that ~c[c1] follows trivially
from ~c[c2] by instantiation.
The set of builtin clauses is just a set of known theorems in
clausal form. Any formula that is subsumed by a builtin clause is
thus a theorem. If the set of builtin theorems is reasonably
small, this little theorem prover is fast. ACL2 uses the ``builtin
clause check'' in four places: (1) at the top of the iteration in
the prover  thus if a builtin clause is generated as a subgoal it
will be recognized when that goal is considered, (2) within the
simplifier so that no builtin clause is ever generated by
simplification, (3) as a filter on the clauses generated to prove
the termination of recursively ~ilc[defun]'d functions and (4) as a
filter on the clauses generated to verify the guards of a function.
The latter two uses are the ones that most often motivate an
extension to the set of builtin clauses. Frequently a given
formalization problem requires the definition of many functions
which require virtually identical termination and/or guard proofs.
These proofs can be shortcircuited by extending the set of builtin
clauses to contain the most general forms of the clauses generated
by the definitional schemes in use.
The attentive user might have noticed that there are some recursive
schemes, e.g., recursion by ~ilc[cdr] after testing ~ilc[consp], that ACL2 just
seems to ``know'' are ok, while for others it generates measure
clauses to prove. Actually, it always generates measure clauses but
then filters out any that pass the builtin clause check. When ACL2
is initialized, the clause justifying ~ilc[cdr] recursion after a ~ilc[consp]
test is added to the set of builtin clauses. (That clause is ~c[c2]
above.)
Note that only a subsumption check is made; no rewriting or
simplification is done. Thus, if we want the system to ``know''
that ~ilc[cdr] recursion is ok after a negative ~ilc[atom] test (which, by the
definition of ~ilc[atom], is the same as a ~ilc[consp] test), we have to build
in a second clause. The subsumption algorithm does not ``know''
about commutative functions. Thus, for predictability, we have
built in commuted versions of each clause involving commutative
functions. For example, we build in both
~bv[]
{(not (integerp x))
(< 0 x)
(= x 0)
(< (acl2count (+ 1 x)) (acl2count x))}
~ev[]
and the commuted version
~bv[]
{(not (integerp x))
(< 0 x)
(= 0 x)
(< (acl2count (+ 1 x)) (acl2count x))}
~ev[]
so that the user need not worry whether to write ~c[(= x 0)] or ~c[(= 0 x)]
in definitions.
~c[:builtinclause] rules added by the user can be enabled and
disabled.")
(defun chkacceptablebuiltinclauserule2 (name hyps concl ctx wrld state)
; This is the basic function for checking that (IMPLIES (AND . hyps) concl)
; generates a useful builtin clause rule. If it does not, we cause an error.
; The superior functions, chkacceptablebuiltinclauserule1 and
; chkacceptablebuiltinclauserule just cycle down to this one after
; flattening the IMPLIES/AND structure of the user's input term.
(let* ((term (if (null hyps)
concl
(mconsterm* 'if (conjoin hyps) concl *t*)))
(clauses (clausify term nil t wrld)))
(cond ((null clauses)
(er soft ctx
"~x0 is an illegal :builtinclause rule because ~p1 clausifies ~
to nil, indicating that it is a propositional tautology. See ~
:DOC builtinclauses."
name
(untranslate
(cond ((null hyps) concl)
(t (mconsterm* 'implies (conjoin hyps) concl)))
t
wrld)))
(t (value nil)))))
(defun chkacceptablebuiltinclauserule1 (name lst ctx wrld state)
; Each element of lst is a pair, (hyps . concl) and we check that each such
; pair, when interpreted as the term (implies (and . hyps) concl), generates
; one or more clauses to be builtin.
(cond
((null lst) (value nil))
(t
(erprogn
(chkacceptablebuiltinclauserule2 name (caar lst) (cdar lst) ctx
wrld state)
(chkacceptablebuiltinclauserule1 name (cdr lst) ctx wrld state)))))
(defun chkacceptablebuiltinclauserule (name term ctx wrld state)
; We strip the conjuncts out of term and flatten those in the hypotheses of
; implications to obtain a list of implications, each of the form (IMPLIES (AND
; . hyps) concl), and each represented simply by a pair (hyps . concl). For
; each element of that list we then determine whether it generates one or more
; clauses. See chkacceptablebuiltinclauserule2 for the guts of this test.
; We either cause an error or return successfully.
(chkacceptablebuiltinclauserule1 name (unprettyify term) ctx
wrld state))
; So now we work on actually generating and adding :BUILTINCLAUSE rules.
(mutualrecursion
(defun fnandmaximallevelno (term wrld fn max)
; We explore term and return (mv fn max), where fn is an "explicit" function
; symbol of term, max is its getlevelno, and that level number is maximal in
; term. By an "explicit" function symbol of term we mean one not on
; *onewayunify1implicitfns*. We return the initial fn and max unless some
; explicit symbol of term actually betters it. If you call this with fn=nil
; and max=1 you will get back a legitimate function symbol if term contains at
; least one explicit symbol. Furthermore, it is always the maximal symbol
; occurring first in printorder.
(cond
((variablep term) (mv fn max))
((fquotep term) (mv fn max))
((flambdap (ffnsymb term))
(mvlet (fn max)
(fnandmaximallevelno (lambdabody (ffnsymb term)) wrld fn max)
(fnandmaximallevelnolst (fargs term) wrld fn max)))
((membereq (ffnsymb term) *onewayunify1implicitfns*)
(fnandmaximallevelnolst (fargs term) wrld fn max))
(t (let ((n (getlevelno (ffnsymb term) wrld)))
(cond
((> n max)
(fnandmaximallevelnolst (fargs term) wrld (ffnsymb term) n))
(t (fnandmaximallevelnolst (fargs term) wrld fn max)))))))
(defun fnandmaximallevelnolst (lst wrld fn max)
(cond
((null lst) (mv fn max))
(t (mvlet (fn max)
(fnandmaximallevelno (car lst) wrld fn max)
(fnandmaximallevelnolst (cdr lst) wrld fn max)))))
)
(defun builtinclausediscriminatorfn (cl wrld)
(mvlet (fn max)
(fnandmaximallevelnolst cl wrld nil 1)
(declare (ignore max))
fn))
(defun allfnnamessubsumer (cl wrld)
; Let cl be a clause which is about to be built in. Cl subsumes another
; clause, cla, if under some instantiation of cl, cl', the literals of cl' are
; a subset of those of cla. Thus, a necessary condition for cl to subsume cla
; is that the function symbols of cl be a subset of those of cla. However,
; onewayunify1 knows that (binary+ '1 x) can be instantiated to be '7, by
; letting x be '6. Thus, if by "the function symbols" of a clause we mean
; those that explicitly occur, i.e., allfnnameslst, then, contrary to what
; was just said, it is possible for cl to subsume cla without the function
; symbols of cl being a subset of those of cla: let cl contain (binary+ '1 x)
; where cla contains '7 and no mention of binary+. So we here compute the
; list of function symbols of cl which must necessarily occur in cla. It is
; always sound to throw out symbols from the list returned here. In addition,
; we make sure that the "discriminator function symbol" of cl occur first in
; the list. That symbol will be used to classify this subsumer into a bucket
; in the builtinclause list.
(let ((syms (setdifferenceeq (allfnnameslst cl)
*onewayunify1implicitfns*))
(discrimfn (builtinclausediscriminatorfn cl wrld)))
(cond ((null discrimfn) syms)
(t (cons discrimfn (remove1eq discrimfn syms))))))
(defun makebuiltinclauserules1 (rune nume clauses wrld)
; We build a builtinclause record for every element of clauses. We put the
; last literal of each clause first on the heuristic grounds that the last
; literal of a usersupplied clause is generally the most interesting and thus
; the one the subsumption check should look at first.
; Note: The :allfnnames computed here has the property that the discriminator
; function symbol is the car and the remaining functions are in the cdr. When
; a builtinclause record is stored into the builtinclauses alist, the
; record is changed; the discriminator is stripped out, leaving the remaining
; fns as the :allfnnames.
(cond ((null clauses) nil)
(t (let ((cl (cons (car (last (car clauses)))
(butlast (car clauses) 1))))
(cons (make builtinclause
:rune rune
:nume nume
:clause cl
:allfnnames (allfnnamessubsumer cl wrld))
(makebuiltinclauserules1 rune nume
(cdr clauses) wrld))))))
(defun chkinitialbuiltinclauses (lst wrld goodlst somebadp)
; This function sweeps down the list of initial builtin clause records and
; checks that the :allfnnames of each is set properly given the current wrld.
; The standard toplevel call of this function is (chkinitialbuiltinclauses
; *initialbuiltinclauses* wrld nil nil) where wrld is the world in which you
; wish to check the appropriateness of the initial setting. This function
; returns either nil, meaning that everything was ok, or a new copy of lst
; which is correct for the current wrld.
(cond
((null lst)
(cond
(somebadp (reverse goodlst))
(t nil)))
(t (let* ((clause (access builtinclause (car lst) :clause))
(fnnames1 (access builtinclause (car lst) :allfnnames))
(fnnames2 (allfnnamessubsumer clause wrld)))
(chkinitialbuiltinclauses
(cdr lst) wrld
(cons `(make builtinclause
:nume nil
:rune *fakeruneforanonymousenabledrule*
:clause ',clause
:allfnnames ',fnnames2)
goodlst)
(or somebadp
(not (equal fnnames1 fnnames2))))))))
(defun makebuiltinclauserules (rune nume lst wrld)
; Each element of lst is a pair, (hyps . concl). We generate and collect the
; clauses for each such pair.
(cond ((null lst) nil)
(t (let* ((hyps (caar lst))
(concl (cdar lst))
(clauses (clausify
(if (null hyps)
concl
(mconsterm* 'if (conjoin hyps) concl *t*))
nil t wrld)))
(append (makebuiltinclauserules1 rune nume clauses wrld)
(makebuiltinclauserules rune nume (cdr lst) wrld))))))
(defun classifyandstorebuiltinclauserules (lst pots wrld)
; Lst is a list of builtinclause records. Each record contains an
; :allfnnames field, which contains a (possibly empty) list of function
; symbols. The first symbol in the :allfnnames list is the "discriminator
; function symbol" of the clause, the heaviest function symbol in the clause.
; Pots is an alist in which each entry pairs a symbol, fn, to a list of
; builtinclause records; the list has the property that every clause in it
; has fn as its discriminator function symbol. We add each record in lst to
; the appropriate pot in pots.
; If a record has :allfnnames nil then it is most likely a primitive builtin
; clause, i.e., a member of *initialbuiltinclauses*. The nil is a signal to
; this function to compute the appropriate :allfnnames using the function
; allfnnamessubsumer which is what we use when we build a builtin clause
; record for the user with makebuiltinclauserules1. This is just a rugged
; way to let the list of implicit function symbols known to onewayunify1 vary
; without invalidating our *initialbuiltinclauses* setting.
; But it is possible, perhaps, for a usersupplied builtin clause to contain
; no function symbols of the kind returned by allfnnamessubsumer. For
; example, the user might prove 7 as a builtin clause. Perhaps a
; nonpathological example arises, but I haven't bothered to think of one.
; Instead, this is handled soundly, as follows. If the :allfnnames is nil we
; act like it hasn't been computed yet (as above) and compute it. Then we
; consider the discriminator function symbol to the car of the resulting list,
; which might be nil. There is a special pot for the nil "discriminator
; function symbol".
(cond ((null lst) pots)
(t (let* ((bic (car lst))
(fns (or (access builtinclause bic :allfnnames)
(allfnnamessubsumer
(access builtinclause bic :clause)
wrld)))
(fn (car fns))
(pot (cdr (assoceq fn pots))))
(classifyandstorebuiltinclauserules
(cdr lst)
(putassoceq fn
(cons (change builtinclause bic
:allfnnames (cdr fns))
pot)
pots)
wrld)))))
(defun addbuiltinclauserule (rune nume term wrld)
; We strip the conjuncts out of term and flatten those in the hypotheses of
; implications to obtain a list of implications and then clausify each and
; store each clause as a :BUILTINCLAUSE rule. We maintain the invariant
; that 'halflengthbuiltinclauses is equal to the (floor n 2), where n
; is the length of 'builtinclauses.
(let ((rules (makebuiltinclauserules rune nume (unprettyify term)
wrld)))
; Every rule in rules is stored (somewhere) into builtinclauses, so the
; number of clauses goes up by (length rules). Once we had a bug here: we
; incremented 'halflengthbuiltinclauses by half the length of rules. That
; was pointless since we're dealing with integers here: rules is most often of
; length 1 and so we would increment by 0 and never accumulate all those 1/2's!
(globalset 'halflengthbuiltinclauses
(floor (+ (length rules)
(length (globalval 'builtinclauses wrld)))
2)
(globalset 'builtinclauses
(classifyandstorebuiltinclauserules
rules
(globalval 'builtinclauses wrld)
wrld)
wrld))))
;
; Section: :COMPOUNDRECOGNIZER Rules
(deflabel compoundrecognizer
:doc
":DocSection RuleClasses
make a rule used by the typing mechanism~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. An example
~c[:]~ilc[corollary] formula from which a ~c[:compoundrecognizer] rule might be
built is:
~bv[]
Example:
(implies (alistp x) When (alistp x) is assumed true,
(truelistp x)) add the additional hypothesis that x
is of primitive type truelistp.~/
General Forms:
(implies (fn x) concl) ; (1)
(implies (not (fn x)) concl) ; (2)
(and (implies (fn x) concl1) ; (3)
(implies (not (fn x)) concl2))
(if (fn x) concl1 concl2) ; (4)
(iff (fn x) concl) ; (5)
(equal (fn x) concl) ; (6)
~ev[]
where ~c[fn] is a Boolean valued function of one argument, ~c[x] is a
variable symbol, and the system can deduce some restriction on the
primitive type of ~c[x] from the assumption that ~c[concl] holds. The third
restriction is vague but one way to understand it is to weaken it a
little to ``and ~c[concl] is a nontautological conjunction or
disjunction of the primitive type recognizers listed below.''
The primitive ACL2 types and a suitable primitive recognizing
expression for each are listed below.
~bv[]
type suitable primitive recognizer
zero (equal x 0)
negative integers (and (integerp x) (< x 0))
positive integers (and (integerp x) (> x 0))
negative ratio (and (rationalp x)
(not (integerp x))
(< x 0))
positive ratio (and (rationalp x)
(not (integerp x))
(> x 0))
complex rational (complexrationalp x)
nil (equal x nil)
t (equal x t)
other symbols (and (symbolp x)
(not (equal x nil))
(not (equal x t)))
proper conses (and (consp x)
(truelistp x))
improper conses (and (consp x)
(not (truelistp x)))
strings (stringp x)
characters (characterp x)
~ev[]
Thus, a suitable ~c[concl] to recognize the naturals would be
~c[(or (equal x 0) (and (integerp x) (> x 0)))] but it turns out that we
also permit ~c[(and (integerp x) (>= x 0))]. Similarly, the truelists
could be specified by
~bv[]
(or (equal x nil) (and (consp x) (truelistp x)))
~ev[]
but we in fact allow ~c[(truelistp x)]. When time permits we will
document more fully what is allowed or implement a macro that
permits direct specification of the desired type in terms of the
primitives.
There are essentially four forms of ~c[:compoundrecognizer] rules, as the
third and fourth forms are equivalent, as are the fifth and sixth. We
explain how such rules are used by considering the individual forms.
Consider a rule of the first form, ~c[(implies (fn x) concl)]. The
effect of such a rule is that when the rewriter assumes ~c[(fn x)] true,
as it would while diving through ~c[(if (fn x) xxx ...)] to rewrite ~c[xxx],
it restricts the type of ~c[x] as specified by ~c[concl]. However, when
assuming ~c[(fn x)] false, as necessary in ~c[(if (fn x) ... xxx)], the rule
permits no additional assumptions about the type of ~c[x]. For example,
if ~c[fn] is ~c[primep], i.e., the predicate that recognizes prime numbers,
then ~c[(implies (primep x) (and (integerp x) (>= x 0)))] is a compound
recognizer rule of the first form. When ~c[(primep x)] is assumed true,
the rewriter gains the additional information that ~c[x] is a natural
number. When ~c[(primep x)] is assumed false, no additional information
is gained ~[] since ~c[x] may be a nonprime natural or may not even be a
natural.
The second general form addresses itself to the symmetric case, when
assuming ~c[(fn x)] false permits type restrictions on ~c[x] but assuming
~c[(fn x)] true permits no such restrictions. For example, if we
defined ~c[exprp] to be the recognizer for wellformed expressions for
some language in which all symbols, numbers, character objects and
strings were wellformed ~[] e.g., the wellformedness rules only put
restrictions on expressions represented by ~ilc[consp]s ~[] then the
theorem ~c[(implies (not (exprp x)) (consp x))] is a rule of the second
form. Assuming ~c[(exprp x)] true tells us nothing about the type of ~c[x];
assuming it false tells us ~c[x] is a ~ilc[consp].
The third and fourth general forms, which are really equivalent, address
themselves to the case where one type may be deduced from ~c[(fn x)] and a
generally unrelated type may be deduced from its negation. If we modified
the expression recognizer above so that character objects are illegal, then
rules of the third and fourth forms are
~bv[]
(and (implies (exprp x) (not (characterp x)))
(implies (not (exprp x)) (or (consp x) (characterp x)))).
(if (exprp x)
(not (characterp x))
(or (consp x) (characterp x)))
~ev[]
Finally, rules of the fifth and sixth classes address the case where ~c[fn]
recognizes all and only the objects whose type is described. In
these cases, ~c[fn] is really just a new name for some ``compound
recognizers.'' The classic example is ~c[(booleanp x)], which is just a
handy combination of two primitive types:
~bv[]
(iff (booleanp x) (or (equal x t) (equal x nil))).
~ev[]
Often it is best to disable ~c[fn] after proving that it is a compound
recognizer, since ~c[(fn x)] will not be recognized as a compound
recognizer once it has been expanded.
Every time you prove a new compound recognizer rule about ~c[fn] it overrides
all previously proved compound recognizer rules about ~c[fn]. Thus, if you
want to establish the type implied by ~c[(fn x)] and you want to establish
the type implied by ~c[(not (fn x))], you must prove a compound recognizer
rule of the third, fourth, fifth, or sixth forms. Proving a rule of the
first form followed by one of the second only leaves the second fact in the
data base.
Compound recognizer rules can be disabled with the effect that older
rules about ~c[fn], if any, are exposed.
If you prove more than one compound recognizer rule for a function, you
may see a ~st[warning] message to the effect that the new rule is not as
``restrictive'' as the old. That is, the new rules do not give the
rewriter strictly more type information than it already had. The
new rule is stored anyway, overriding the old, if enabled. You may
be playing subtle games with enabling or rewriting. But two other
interpretions are more likely, we think. One is that you have
forgotten about an earlier rule and should merely print it out to
make sure it says what you know and then forget your new rule. The
other is that you meant to give the system more information and the
system has simply been unable to extract the intended type
information from the term you placed in the conclusion of the new
rule. Given our lack of specificity in saying how type information
is extracted from rules, you can hardly blame yourself for this
problem. Sorry. If you suspect you've been burned this way, you
should rephrase the new rule in terms of the primitive recognizing
expressions above and see if the warning is still given. It would
also be helpful to let us see your example so we can consider it as
we redesign this stuff.
Compound recognizer rules are similar to ~c[:]~ilc[forwardchaining] rules in
that the system deduces new information from the act of assuming
something true or false. If a compound recognizer rule were stored
as a forward chaining rule it would have essentially the same effect
as described, when it has any effect at all. The important point is
that ~c[:]~ilc[forwardchaining] rules, because of their more general and
expensive form, are used ``at the top level'' of the simplification
process: we forward chain from assumptions in the goal being proved.
But compound recognizer rules are built in at the bottommost level
of the simplifier, where type reasoning is done.
All that said, compound recognizer rules are a rather fancy,
specialized mechanism. It may be more appropriate to create
~c[:]~ilc[forwardchaining] rules instead of ~c[:compoundrecognizer]
rules.")
(defun destructurecompoundrecognizer (term)
; If term is one of the forms of a compound recognizer lemma we return
; its parity (TRUE, FALSE, WEAKBOTH or STRONGBOTH), the recognizer
; fn, its variablep argument in this term, and the type description
; term. In the case of WEAKBOTH the type description term is a pair
;  not a term  consisting of the true term and the false term.
; Otherwise we return four nils.
(casematch term
(('implies ('not (fn x)) concl)
(cond ((and (variablep x)
(symbolp fn))
(mv 'false fn x concl))
(t (mv nil nil nil nil))))
(('implies (fn x) concl)
(cond ((and (variablep x)
(symbolp fn))
(mv 'true fn x concl))
(t (mv nil nil nil nil))))
(('if ('implies (fn x) concl1)
('implies ('not (fn x)) concl2)
''nil)
(cond ((and (variablep x)
(symbolp fn))
(mv 'weakboth fn x (cons concl1 concl2)))
(t (mv nil nil nil nil))))
(('if (fn x) concl1 concl2)
(cond ((and (variablep x)
(symbolp fn))
(mv 'weakboth fn x (cons concl1 concl2)))
(t (mv nil nil nil nil))))
(('if ('implies ('not (fn x)) concl2)
('implies (fn x) concl1)
''nil)
(cond ((and (variablep x)
(symbolp fn))
(mv 'weakboth fn x (cons concl1 concl2)))
(t (mv nil nil nil nil))))
(('if ('implies ('not (fn x)) concl2)
('implies (fn x) concl1)
''nil)
(cond ((and (variablep x)
(symbolp fn))
(mv 'weakboth fn x (cons concl1 concl2)))
(t (mv nil nil nil nil))))
(('iff (fn x) concl)
(cond ((and (variablep x)
(symbolp fn))
(mv 'strongboth fn x concl))
(t (mv nil nil nil nil))))
(('equal (fn x) concl)
(cond ((and (variablep x)
(symbolp fn))
(mv 'strongboth fn x concl))
(t (mv nil nil nil nil))))
(& (mv nil nil nil nil))))
(defun makerecognizertuple (rune nume parity fn var term ens wrld)
; If parity is 'WEAKBOTH then term is really (tterm . fterm). We
; create a recognizertuple from our arguments. Nume is stored in
; the :nume and may be nil. We return two results, the
; recognizertuple and the ttree justifying the typeset(s) in it.
(case parity
(true
(mvlet (ts ttree)
(typesetimpliedbyterm var nil term ens wrld nil)
(mv (make recognizertuple
:rune rune
:nume nume
:fn fn
:truets ts
:falsets *tsunknown*
:strongp nil)
ttree)))
(false
(mvlet (ts ttree)
(typesetimpliedbyterm var nil term ens wrld nil)
(mv (make recognizertuple
:rune rune
:nume nume
:fn fn
:truets *tsunknown*
:falsets ts
:strongp nil)
ttree)))
(weakboth
(mvlet (tts ttree)
(typesetimpliedbyterm var nil (car term) ens wrld nil)
(mvlet (fts ttree)
(typesetimpliedbyterm var nil (cdr term) ens wrld ttree)
(mv (make recognizertuple
:rune rune
:nume nume
:fn fn
:truets tts
:falsets fts
:strongp (ts= tts (tscomplement fts)))
ttree))))
(otherwise
; Warning: We proved that (fn x) = term and one is tempted to build a
; :strongp = t rule. But since we do not guarantee that term is
; equivalent to the typeset we deduce from it, we cannot just get the
; typeset for term and complement it for the false branch. And we
; cannot guarantee to build a strong rule. Instead, we act more or
; less like we do for weakboth: we compute independent type sets from
; term and (not term) and just in the case that they are complementary
; do we build a strong rule.
(mvlet (tts ttree)
(typesetimpliedbyterm var nil term ens wrld nil)
(mvlet (fts ttree)
(typesetimpliedbyterm var t term ens wrld ttree)
(mv (make recognizertuple
:rune rune
:nume nume
:fn fn
:truets tts
:falsets fts
:strongp (ts= tts (tscomplement fts)))
ttree))))))
(defun commentonnewrecogtuple1 (newrecogtuple recognizeralist
ctx state)
; This function compares a newly proposed recognizer tuple to each of
; the tuples on the recognizeralist, expecting that it will be more
; restrictive than each of the existing tuples with the same :fn. Let
; tts', fts', and strongp' be the obvious fields from the new tuple,
; and let tts, fts, and strongp be from an existing tuple. Let ts' <=
; ts here mean (tssubsetp ts' ts) and let strongp' <= strongp be true
; if either strongp is nil or strongp' is t. Then we say the new
; tuple is ``more restrictive'' than the existing tuple iff
; (a) tts' <= tts & fts' <= fts & strongp' <= strongp, and
; (b) at least one of the three primed fields is different from its
; unprimed counterpart.
; For each old tuple that is at least as restrictive as the new tuple
; we print a warning. We never cause an error. However, we have
; coded the function and its caller so that if we someday choose to
; cause an error it will be properly handled. (Without more experience
; with compound recognizers we do not know what sort of checks would be
; most helpful.)
(cond
((null recognizeralist) (value nil))
((eq (access recognizertuple newrecogtuple :fn)
(access recognizertuple (car recognizeralist) :fn))
(cond
((and
(tssubsetp (access recognizertuple newrecogtuple :truets)
(access recognizertuple (car recognizeralist) :truets))
(tssubsetp (access recognizertuple newrecogtuple :falsets)
(access recognizertuple (car recognizeralist) :falsets))
(or (access recognizertuple newrecogtuple :strongp)
(null (access recognizertuple (car recognizeralist) :strongp)))
(or
(not (ts= (access recognizertuple newrecogtuple :falsets)
(access recognizertuple (car recognizeralist) :falsets)))
(not (ts= (access recognizertuple newrecogtuple :truets)
(access recognizertuple (car recognizeralist) :truets)))
(not (eq (access recognizertuple newrecogtuple :strongp)
(access recognizertuple (car recognizeralist) :strongp)))))
(commentonnewrecogtuple1 newrecogtuple (cdr recognizeralist)
ctx state))
(t (pprogn
(warning$ ctx ("Compoundrec")
"The newly proposed compound recognizer rule ~x0 is not as ~
restrictive as the old rule ~x1. See :DOC ~
compoundrecognizer."
(basesymbol (access recognizertuple newrecogtuple :rune))
(basesymbol (access recognizertuple (car recognizeralist)
:rune)))
(commentonnewrecogtuple1 newrecogtuple (cdr recognizeralist)
ctx state)))))
(t (commentonnewrecogtuple1 newrecogtuple (cdr recognizeralist)
ctx state))))
(defun commentonnewrecogtuple (newrecogtuple ctx ens wrld state)
; This function prints out a warning advising the user of the type
; information to be extracted from a newly proposed compound
; recognizer. We also print out a description of the lemmas used to
; derive this information. We also compare the new recognizer tuple
; to any old tuples we have for the same function and print a suitable
; message should it be less ``restrictive.''
; We never cause an error, but this function and its caller are coded
; so that if we someday choose to cause an error it will be properly
; handled. (Without more experience with compound recognizers we do
; not know what sort of checks would be most helpful.)
(let ((pred (fconsterm* (access recognizertuple newrecogtuple :fn) 'x)))
(mvlet
(ttsterm ttree)
(converttypesettoterm
'x (access recognizertuple newrecogtuple :truets) ens wrld nil)
(mvlet
(ftsterm ttree)
(converttypesettoterm
'x (access recognizertuple newrecogtuple :falsets) ens wrld ttree)
(let ((ttsterm (untranslate ttsterm t wrld))
(ftsterm (untranslate ftsterm t wrld)))
(erprogn
(if (and (ts= (access recognizertuple newrecogtuple :truets)
*tsunknown*)
(ts= (access recognizertuple newrecogtuple :falsets)
*tsunknown*))
(er soft ctx
"When ~x0 is assumed true, ~x1 will allow us to deduce ~
nothing about the type of X. Also, when ~x0 is assumed ~
false, ~x1 will allow us to deduce nothing about the type of ~
X. Thus this is not a legal compound recognizer rule. See ~
doc :compoundrecognizer if these observations surprise you."
pred
(basesymbol (access recognizertuple newrecogtuple :rune)))
(value nil))
(pprogn
(observation
ctx
"When ~x0 is assumed true, ~x1 will allow us to deduce ~#2~[nothing ~
about the type of X.~/~p3.~] When ~x0 is assumed false, ~x1 will ~
allow us to deduce ~#4~[nothing about the type of X.~/~p5.~] Note ~
that ~x0 is~#6~[ not~/~] a strong compound recognizer, according ~
to this rule. See doc :compoundrecognizer if these observations ~
surprise you. These particular expressions of the type ~
information are based on ~*7."
pred
(basesymbol (access recognizertuple newrecogtuple :rune))
(if (eq ttsterm t) 0 1)
ttsterm
(if (eq ftsterm t) 0 1)
ftsterm
(if (access recognizertuple newrecogtuple :strongp) 1 0)
(tilde*simpphrase ttree))
(if (warningdisabledp "Compoundrec")
(value nil)
(commentonnewrecogtuple1 newrecogtuple
(globalval 'recognizeralist wrld)
ctx state)))))))))
(defun chkacceptablecompoundrecognizerrule (name term ctx ens wrld state)
; If we don't cause an error, we return an 'assumptionfree ttree that
; justifies the type information extracted from term.
(mvlet
(parity fn var term1)
(destructurecompoundrecognizer term)
(cond
((null parity)
(er soft ctx
"No :COMPOUNDRECOGNIZER rule can be generated from ~x0 ~
because it does not have the form described in :DOC ~
compoundrecognizer."
name))
(t (mvlet
(ts ttree1)
(typeset (mconsterm* fn var) nil nil nil nil ens wrld nil nil nil)
(cond ((not (tssubsetp ts *tsboolean*))
; To loosen the Boolean restriction, we must change assumetruefalse
; so that when a compound recognizer is assumed true its typeset is
; not just set to *tst*. A comment at the defrec for
; recognizertuple also says that fn must be Boolean. It would be a
; good idea, before changing this, to inspect all code involved with
; recognizertuples.
(er soft ctx
"A function can be treated as a :COMPOUNDRECOGNIZER only ~
if it is Boolean valued. ~x0 is not known to be Boolean. ~
See :DOC compoundrecognizer."
fn))
(t
; Historical Note: We used to combine the new type information with
; the old. We do not do that anymore: we store exactly what the new
; rule tells us. The reason is so that we can maintain a 1:1
; relationship between what we store and rule names, so that it is
; meaningful to disable a compound recognizer rule.
(mvlet (recogtuple ttree2)
; Note: Below we counterfeit a rune based on name, simply so that the
; recogtuple we get back really looks like one. The actual rule
; created for term1 will have a different name (x will be specified).
; This tuple is only used for error reporting and we dig name out of
; its rune then.
(makerecognizertuple `(:COMPOUNDRECOGNIZER ,name . x)
nil parity fn var term1 ens wrld)
(erprogn
(commentonnewrecogtuple recogtuple ctx ens wrld
state)
(value (constagtrees ttree1 ttree2)))))))))))
; And to add :COMPOUNDRECOGNIZER rules...
(defun addcompoundrecognizerrule (rune nume term ens wrld)
; We construct the recongizertuple corresponding to term and just add
; it onto the front of the current recognizeralist. We used to merge
; it into the existing tuple for the same :fn, if one existed, but
; that makes disabling these rules complicated. When we retrieve
; tuples from the alist we look for the first enabled tuple about the
; :fn in question. So it is necessary to leave old tuples for :fn in
; place.
(mvlet (parity fn var term1)
(destructurecompoundrecognizer term)
(mvlet (recogtuple ttree)
(makerecognizertuple rune nume parity fn var term1 ens
wrld)
(declare (ignore ttree))
(globalset 'recognizeralist
(cons recogtuple (globalval 'recognizeralist wrld))
wrld))))
;
; Section: :FORWARDCHAINING Rules
(deflabel forwardchaining
:doc
":DocSection RuleClasses
make a rule to forward chain when a certain trigger arises~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. An example
~c[:]~ilc[corollary] formula from which a ~c[:forwardchaining] rule might be
built is:
~bv[]
Example:
(implies (and (p x) (r x)) when (p a) appears in a formula to be
(q (f x))) simplified, try to establish (r a) and
if successful, add (q (f a)) to the
known assumptions
~ev[]
To specify the triggering terms provide a nonempty list of terms
as the value of the ~c[:triggerterms] field of the rule class object.~/
~bv[]
General Form:
Any theorem, provided an acceptable triggering term exists.
~ev[]
Forward chaining rules are generated from the corollary term as
follows. If that term has the form ~c[(implies hyp concl)], then the
~ilc[let] expressions in ~c[concl] (formally, lambda expressions) are expanded
away, and the result is treated as a conjunction, with one forward
chaining rule with hypothesis ~c[hyp] created for each conjunct. In the
other case, where the corollary term is not an ~ilc[implies], we process
it as we process the conclusion in the first case.
The ~c[:triggerterms] field of a ~c[:forwardchaining] rule class object
should be a nonempty list of terms, if provided, and should have
certain properties described below. If the ~c[:triggerterms] field is
not provided, it defaults to the singleton list containing the
``atom'' of the first hypothesis of the formula. (The atom of
~c[(not x)] is ~c[x]; the atom of any other term is the term itself.) If
there are no hypotheses and no ~c[:triggerterms] were provided, an
error is caused.
A triggering term is acceptable if it is not a variable, a quoted
constant, a lambda application, a ~ilc[let]expression, or a
~ilc[not]expression, and every variable symbol in the conclusion of the
theorem either occurs in the hypotheses or occurs in the trigger.
~c[:Forwardchaining] rules are used by the simplifier before it begins
to rewrite the literals of the goal. (Forward chaining is thus carried
out from scratch for each goal.) If any term in the goal is an
instance of a trigger of some forward chaining rule, we try to
establish the hypotheses of that forward chaining theorem (from the
negation of the goal). To relieve a hypothesis we only use type
reasoning, evaluation of ground terms, and presence among our known
assumptions. We do not use rewriting. Socalled free variables in
hypotheses are treated specially; ~pl[freevariables]. If all hypotheses
are relieved, we add the instantiated conclusion to our known assumptions.
~em[Caution]. Forward chaining does not actually add terms to the goals
displayed during proof attempts. Instead, it extends an associated
~em[context], called ``assumptions'' in the preceding paragraph, that
ACL2 builds from the goal currently being proved. The context
starts out with ``obvious'' consequences of the negation of the
goal. For example, if the goal is
~bv[]
(implies (and (p x) (q (f x)))
(c x))
~ev[]
then the context notes that ~c[(p x)] and ~c[(q (f x))] are non~c[nil] and
~c[(c x)] is ~c[nil]. Forward chaining is then used to expand the context.
For example, if a forward chaining rule has ~c[(f x)] as a trigger term
and has body ~c[(implies (p x) (r (f x)))], then the context is extended
by binding ~c[(r (f x))] to non~c[nil]. Note however that since ~c[(r (f x))]
is put into the context, not the goal, it is ~em[not] further simplified.
If ~c[f] is an enabled nonrecursive function symbol then this forward
chaining rule may well be useless, since calls of ~c[f] may be expanded
away.
Another common misconception is this: Suppose that you forward
chain and put ~c[(< (f x) (g x))] into the context. Then does it go
into the linear arithmetic data base? Answer: no. Alternative
question: do we go looking for linear lemmas about ~c[(g x)]? Answer:
no. The linear arithmetic data base is built up by a process very
similar to but independent of forward chaining.")
(defun chktriggers (name matchfree hyps terms hypsvars conclsvars ctx ens
wrld state)
; Name is the name of a proposed forward chaining rule with hyps hyps
; and triggers terms. We verify that every trigger is a nonvariable,
; nonquote, nonlambda, nonNOT application. We also print the
; freevariable warning messages.
(cond ((null terms) (value nil))
((or (variablep (car terms))
(fquotep (car terms))
(flambdaapplicationp (car terms))
(eq (ffnsymb (car terms)) 'not))
(er soft ctx
"It is illegal to use a variable, a quoted constant, the ~
application of a lambdaexpression, a LETexpression, ~
or a NOTexpression as the trigger of a forward ~
chaining rule. Your proposed trigger, ~x0, violates ~
these restrictions. See :DOC forwardchaining."
(car terms)))
((not (subsetpeq conclsvars
(allvars1 (car terms) hypsvars)))
(er soft ctx
"We cannot use ~x0 as a forward chaining rule triggered ~
by ~x1 because the variable~#2~[ ~&2 is~/s ~&2 are~] ~
used in the conclusion but not in the ~#3~[~/hypothesis ~
or the ~/hypotheses or the ~]trigger. See :DOC ~
forwardchaining."
name
(car terms)
(setdifferenceeq conclsvars
(allvars1 (car terms) hypsvars))
(zerooneormore hyps)))
(t
(let* ((warnnonrec (not (warningdisabledp "Nonrec")))
(freevars (freevarsinhyps hyps (allvars (car terms)) wrld))
(insthyps (hypsthatinstantiatefreevars freevars hyps))
(nonrecfns (and warnnonrec
(nonrecursivefnnames (car terms) ens wrld)))
(nonrecfnsinsthyps
(and warnnonrec
(nonrecursivefnnameslst
(striptoplevelnotsandforces insthyps) ens wrld))))
(erprogn
(cond
((and freevars (null matchfree))
(pprogn
(warning$ ctx "Free"
"When the :FORWARDCHAINING rule generated from ~x0 ~
is triggered by ~x1 it contains the free ~
variable~#2~[ ~&2. This variable~/s ~&2. These ~
variables~] will be chosen by searching for ~#3~[an ~
instance~/instances~] of ~&3 among the hypotheses of ~
the conjecture being rewritten. This is generally a ~
severe restriction on the applicability of the ~
forward chaining rule."
name (car terms) freevars insthyps)
(freevariableerror? :forwardchaining name ctx wrld state)))
(t (value nil)))
(pprogn
(cond
(nonrecfns
(warning$ ctx ("Nonrec")
"The term ~x0 contains the nonrecursive function ~
symbol~#1~[ ~&1. Unless this function is~/s ~&1. ~
Unless these functions are~] disabled, ~x0 is ~
unlikely ever to occur as a trigger for ~x2."
(car terms)
(hidelambdas nonrecfns)
name))
(t state))
(cond
(nonrecfnsinsthyps
(warning$ ctx ("Nonrec")
"As noted, when triggered by ~x0, we will instantiate ~
the free variable~#1~[~/s~], ~&1, of the rule ~x2, ~
by searching for the ~#3~[hypothesis~/set of ~
hypotheses~] shown above. However, ~#3~[this ~
hypothesis mentions~/these hypotheses mention~] the ~
function symbol~#4~[ ~&4, which is~/s ~&4, which ~
are~] defun'd nonrecursively. Unless disabled, ~
~#4~[this function symbol is~/these function symbols ~
are~] unlikely to occur in the conjecture being ~
proved and hence the search for the required ~
~#3~[hypothesis~/hypotheses~] will likely fail."
(car terms) freevars name insthyps
(hidelambdas nonrecfnsinsthyps)))
(t state))
(chktriggers matchfree name hyps (cdr terms)
hypsvars conclsvars ctx ens wrld state)))))))
(defun destructureforwardchainingterm (term)
; We return two lists, hyps and concls, such that term is equivalent to
; (implies (and . hyps) (and . concls)).
(cond ((or (variablep term)
(fquotep term)
(not (eq (ffnsymb term) 'implies)))
(mv nil (flattenandsinlit (removelambdas term))))
(t (mv (flattenandsinlit (fargn term 1))
(flattenandsinlit (removelambdas (fargn term 2)))))))
(defun chkacceptableforwardchainingrule (name matchfree triggerterms term
ctx ens wrld state)
; Acceptable forward chaining rules are of the form
; (IMPLIES (AND . hyps)
; (AND . concls))
; We used to split term up with unprettyify as is done for REWRITE
; class rules. But that meant that we had to establish hyps
; once for each concl whenever the rule was triggered.
(mvlet
(hyps concls)
(destructureforwardchainingterm term)
(let ((hypsvars (allvars1lst hyps nil))
(conclsvars (allvars1lst concls nil)))
(chktriggers name matchfree hyps triggerterms
hypsvars conclsvars
ctx ens wrld state))))
(defun putpropforwardchainingruleslst
(rune nume triggers hyps concls matchfree wrld)
(cond ((null triggers)
(putmatchfreevalue matchfree rune wrld))
(t (putpropforwardchainingruleslst
rune nume
(cdr triggers)
hyps concls matchfree
(putprop (ffnsymb (car triggers))
'forwardchainingrules
(cons (make forwardchainingrule
:rune rune
:nume nume
:trigger (car triggers)
:hyps hyps
:concls concls
:matchfree matchfree)
(getprop (ffnsymb (car triggers))
'forwardchainingrules nil
'currentacl2world wrld))
wrld)))))
(defun addforwardchainingrule (rune nume triggerterms term matchfree wrld)
(mvlet
(hyps concls)
(destructureforwardchainingterm term)
(putpropforwardchainingruleslst rune nume
triggerterms
hyps concls
(matchfreefcvalue matchfree
hyps concls
triggerterms
wrld)
wrld)))
;
; Section: :META Rules
(deflabel meta
:doc
":DocSection RuleClasses
make a ~c[:meta] rule (a handwritten simplifier)~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. Meta rules extend
the ACL2 simplifier with handwritten code to transform certain
terms to equivalent ones. To add a meta rule, the ~c[:]~ilc[corollary]
formula must establish that the handwritten ``metafunction''
preserves the meaning of the transformed term.
Example ~c[:]~ilc[corollary] formulas from which ~c[:meta] rules might be
built are:
~bv[]
Examples:
(equal (evl x a) ; Modify the rewriter to use fn to
(evl (fn x) a)) ; transform terms. The :triggerfns
; of the :meta ruleclass specify
; the topmost function symbols of
; those x that are candidates for
; this transformation.
(implies (and (pseudotermp x) ; As above, but this illustrates
(alistp a)) ; that without loss of generality we
(equal (evl x a) ; may restrict x to be shaped like a
(evl (fn x) a))) ; term and a to be an alist.
(implies (and (pseudotermp x) ; As above (with or without the
(alistp a) ; hypotheses on x and a) with the
(evl (hypfn x) a)) ; additional restriction that the
(equal (evl x a) ; meaning of (hypfn x) is true in
(evl (fn x) a))) ; the current context. That is, the
; applicability of the transforma
; tion may be dependent upon some
; computed hypotheses.
~ev[]
A non~c[nil] list of function symbols must be supplied as the value
of the ~c[:triggerfns] field in a ~c[:meta] rule class object.~/
~bv[]
General Forms:
(implies (and (pseudotermp x) ; this hyp is optional
(alistp a) ; this hyp is optional
(ev (hypfn x ...) a)) ; this hyp is optional
(equiv (ev x a)
(ev (fn x ...) a)))
~ev[]
where ~c[equiv] is a known ~il[equivalence] relation, ~c[x] and
~c[a] are distinct variable names, and ~c[ev] is an evaluator
function (see below), and ~c[fn] is a function symbol, as is
~c[hypfn] when provided. The arguments to ~c[fn] and ~c[hypfn]
should be identical. In the most common case, both take a single
argument, ~c[x], which denotes the term to be simplified. If ~c[fn]
and/or ~c[hypfn] are ~il[guard]ed, their ~il[guard]s should be
(implied by) ~ilc[pseudotermp]. ~l[pseudotermp]. We say the
theorem above is a ``metatheorem'' or ``metalemma'' and ~c[fn] is a
``metafunction'', and ~c[hypfn] is a ``hypothesis metafunction''.
If ``~c[...]'' is empty, i.e., the metafunctions take just one argument,
we say they are ``vanilla flavored.'' If ``~c[...]'' is nonempty,
we say the metafunctions are ``extended.'' Extended
metafunctions can access ~ilc[state] and context sensitive information
to compute their results, within certain limits. We discuss vanilla
metafunctions here and recommend a thorough understanding of them
before proceeding (at which time
~pl[extendedmetafunctions]).
We defer discussion of the case in which there is a hypothesis
metafunction and for now address the case in which the other two
hypotheses are present.
In the discussion below, we refer to the argument, ~c[x], of ~c[fn]
and ~c[hypfn] as a ``term.'' When these metafunctions are executed
by the simplifier, they will be applied to (the quotations of)
terms. But during the proof of the metatheorem itself, ~c[x] may not
be the quotation of a term. If the ~ilc[pseudotermp] hypothesis is
omitted, ~c[x] may be any object. Even with the ~ilc[pseudotermp]
hypothesis, ~c[x] may merely ``look like a term'' but use
nonfunction symbols or function symbols of incorrect arity. In any
case, the metatheorem is stronger than necessary to allow us to
apply the metafunctions to terms, as we do in the discussion below.
We return later to the question of proving the metatheorem.
Suppose the general form of the metatheorem above is proved with the
~ilc[pseudotermp] and ~ilc[alistp] hypotheses. Then when the simplifier
encounters a term, ~c[(h t1 ... tn)], that begins with a function
symbol, ~c[h], listed in ~c[:triggerfns], it applies the
metafunction, ~c[fn], to the quotation of the term, i.e., it
evaluates ~c[(fn '(h t1 ... tn))] to obtain some result, which can be
written as ~c['val]. If ~c['val] is different from ~c['(h t1 ... tn)]
and ~c[val] is a term, then ~c[(h t1 ... tn)] is replaced by ~c[val],
which is then passed along for further rewriting. Because the
metatheorem establishes the correctness of ~c[fn] for all terms (even
nonterms!), there is no restriction on which function symbols are
listed in the ~c[:triggerfns]. Generally, of course, they should be
the symbols that head up the terms simplified by the metafunction
~c[fn]. ~l[termtable] for how one obtains some assistance
towards guaranteeing that ~c[val] is indeed a term.
The ``evaluator'' function, ~c[ev], is a function that can evaluate a
certain class of expressions, namely, all of those composed of
variables, constants, and applications of a fixed, finite set of
function symbols, ~c[g1], ..., ~c[gk]. Generally speaking, the set of
function symbols handled by ~c[ev] is chosen to be exactly the
function symbols recognized and manipulated by the metafunctions
being introduced. For example, if ~c[fn] manipulates expressions in
which ~c[']~ilc[equal] and ~c[']~ilc[binaryappend] occur as function
symbols, then ~c[ev] is generally specified to handle ~ilc[equal] and
~ilc[binaryappend]. The actual requirements on ~c[ev] become clear
when the metatheorem is proved. The standard way to introduce an
evaluator is to use the ACL2 macro ~ilc[defevaluator], though this is
not strictly necessary. ~l[defevaluator] for details.
Why are we justified in using metafunctions this way? Suppose
~c[(fn 'term1)] is ~c['term2]. What justifies replacing ~c[term1] by
~c[term2]? The first step is to assert that ~c[term1] is
~c[(ev 'term1 a)], where ~c[a] is an alist that maps ~c['var] to
~c[var], for each variable ~c[var] in ~c[term1]. This step is
incorrect, because ~c['term1] may contain function symbols other than
the ones, ~c[g1], ..., ~c[gk], that ~c[ev] knows how to handle. But we
can grow ~c[ev] to a ``larger'' evaluator, ~c[ev*], an evaluator for
all of the symbols that occur in ~c[term1] or ~c[term2]. We can prove
that ~c[ev*] satisfies the ~il[constraint]s on ~c[ev]. Hence, the
metatheorem holds for ~c[ev*] in place of ~c[ev], by functional
instantiation. We can then carry out the proof of the
~il[equivalence] of ~c[term1] and ~c[term2] as follows: Fix ~c[a] to be
an alist that maps the quotations of the variables of ~c[term1] and
~c[term2] to themselves. Then,
~bv[]
term1 = (ev* 'term1 a) ; (1) by construction of ev* and a
= (ev* (fn 'term1) a) ; (2) by the metatheorem for ev*
= (ev* 'term2 a) ; (3) by evaluation of fn
= term2 ; (4) by construction of ev* and a
~ev[]
Note that in line (2) above, where we appeal to the (functional
instantiation of the) metatheorem, we can relieve its (optional)
~ilc[pseudotermp] and ~ilc[alistp] hypotheses by appealing to the facts
that ~c[term1] is a term and ~c[a] is an alist by construction.
Finally, we turn to the second case, in which there is a hypothesis
metafunction. In that case, consider as before what happens when
the simplifier encounters a term, ~c[(h t1 ... tn)], where ~c[h] is
listed in ~c[:triggerfns]. This time, after it applies ~c[fn] to
~c['(h t1 ... tn)] to obtain the quotation of some new term, ~c['val],
it then applies the hypothesis metafunction, ~c[hypfn]. That is, it
evaluates ~c[(hypfn '(h t1 ... tn))] to obtain some result, which
can be written as ~c['hypval]. If ~c[hypval] is not in fact a term,
the metafunction is not used. Provided ~c[hypval] is a term, the
simplifier attempts to establish (by conventional backchaining) that
this term is non~c[nil] in the current context. If this attempt
fails, then the meta rule is not applied. Otherwise, ~c[(h t1...tn)]
is replaced by ~c[val] as in the previous case (where there was no
hypothesis metafunction).
Why is it justified to make this extension to the case of hypothesis
metafunctions? First, note that the rule
~bv[]
(implies (and (pseudotermp x)
(alistp a)
(ev (hypfn x) a))
(equal (ev x a)
(ev (fn x) a)))
~ev[]
is logically equivalent to the rule
~bv[]
(implies (and (pseudotermp x)
(alistp a))
(equal (ev x a)
(ev (newfn x) a)))
~ev[]
where ~c[(newfn x)] is defined to be
~c[(list 'if (hypfn x) (fn x) x)]. (If we're careful, we realize
that this argument depends on making an extension of ~c[ev] to an
evaluator ~c[ev*] that handles ~ilc[if] and the functions manipulated by
~c[hypfn].) If we write ~c['term] for the quotation of the present
term, and if ~c[(hypfn 'term)] and ~c[(fn 'term)] are both terms, say
~c[hyp1] and ~c[term1], then by the previous argument we know it is
sound to rewrite term to ~c[(if hyp1 term1 term)]. But since we have
established in the current context that ~c[hyp1] is non~c[nil], we
may simplify ~c[(if hyp1 term1 term)] to ~c[term1], as desired.
We now discuss the role of the ~ilc[pseudotermp] hypothesis.
~c[(Pseudotermp x)] checks that ~c[x] has the shape of a term.
Roughly speaking, it ensures that ~c[x] is a symbol, a quoted
constant, or a true list consisting of a ~c[lambda] expression or
symbol followed by some pseudoterms. Among the properties of terms
not checked by ~ilc[pseudotermp] are that variable symbols never begin
with ampersand, ~c[lambda] expressions are closed, and function
symbols are applied to the correct number of arguments.
~l[pseudotermp].
There are two possible roles for ~ilc[pseudotermp] in the development
of a metatheorem: it may be used as the ~il[guard] of the
metafunction and/or hypothesis metafunction and it may be used as a
hypothesis of the metatheorem. Generally speaking, the
~ilc[pseudotermp] hypothesis is included in a metatheorem only if it
makes it easier to prove. The choice is yours. (An extreme example
of this is when the metatheorem is invalid without the hypothesis!)
We therefore address ourselves the question: should a metafunction
have a ~ilc[pseudotermp] ~il[guard]? A ~ilc[pseudotermp] ~il[guard] for
a metafunction, in connection with other considerations described
below, improves the efficiency with which the metafunction is used
by the simplifier.
To make a metafunction maximally efficient you should (a) provide it
with a ~ilc[pseudotermp] ~il[guard] and exploit the ~il[guard] when
possible in coding the body of the function
(~pl[guardsandevaluation], especially the section on
efficiency issues), (b) verify the ~il[guard]s of the metafunction
(~pl[verifyguards]), and (c) compile the metafunction
(~pl[comp]). When these three steps have been taken the simplifier
can evaluate ~c[(fn 'term1)] by running the compiled ``primary code''
(~pl[guardsandevaluation]) for ~c[fn] directly in Common Lisp.
Before discussing efficiency issues further, let us review for a
moment the general case in which we wish to evaluate ~c[(fn `obj)]
for some ~c[:]~ilc[logic] function. We must first ask whether the
~il[guard]s of ~c[fn] have been verified. If not, we must evaluate
~c[fn] by executing its logic definition. This effectively checks
the ~il[guard]s of every subroutine and so can be slow. If, on the
other hand, the ~il[guard]s of ~c[fn] have been verified, then we can
run the primary code for ~c[fn], provided ~c['obj] satisfies the
~il[guard] of ~c[fn]. So we must next evaluate the ~il[guard] of
~c[fn] on ~c['obj]. If the ~il[guard] is met, then we run the primary
code for ~c[fn], otherwise we run the logic code.
Now in the case of a metafunction for which the three steps above
have been followed, we know the ~il[guard] is (implied by)
~ilc[pseudotermp] and that it has been verified. Furthermore, we know
without checking that the ~il[guard] is met (because ~c[term1] is a
term and hence ~c['term1] is a ~ilc[pseudotermp]). Hence, we can use
the compiled primary code directly.
We strongly recommend that you compile your metafunctions, as well
as all their subroutines. Guard verification is also recommended.
Finally, we present a very simple example of the use of ~c[:meta]
rules, based on one provided by Robert Krug. This example
illustrates a trick for avoiding undesired rewriting after applying
a metafunction or any other form of rewriting. To elaborate: in
general, the term ~c[t2] obtained by applying a metafunction to a
term ~c[t1] is then handed immediately to the rewriter, which
descends recursively through the arguments of function calls to
rewrite ~c[t2] completely. But if ~c[t2] shares a lot of structure
with ~c[t1], then it might not be worthwhile to rewrite ~c[t2]
immediately. (A rewrite of ~c[t2] will occur anyhow the next time a
goal is generated.) The trick involves avoiding this rewrite by
wrapping ~c[t2] inside a call of ~ilc[hide], which in turn is inside
a call of a userdefined ``unhiding'' function, ~c[unhide].
~bv[]
(defun unhide (x)
(declare (xargs :guard t))
x)
(defthm unhidehide
(equal (unhide (hide x))
x)
:hints ((\"Goal\" :expand ((hide x)))))
(intheory (disable unhide))
(defun myplus (x y)
(+ x y))
(intheory (disable myplus))
(defevaluator evl evllist
((myplus x y)
(binary+ x y)
(unhide x)
(hide x)))
(defun metafn (term)
(declare (xargs :guard (pseudotermp term)))
(if (and (consp term)
(equal (length term) 3)
(equal (car term) 'myplus))
`(UNHIDE (HIDE (BINARY+ ,(cadr term) ,(caddr term))))
term))
(defthm mymetalemma
(equal (evl term a)
(evl (metafn term) a))
:hints ((\"Goal\" :intheory (enable myplus)))
:ruleclasses ((:meta :triggerfns (myplus))))
~ev[]
Notice that in the following (silly) conjectre, ACL2 initially does
only does the simplification directed by the metafunction; a second
goal is generated before the commuativity of addition can be
applied. If the above calls of ~c[UNHIDE] and ~c[HIDE] had been
stripped off, then ~c[Goal'] would have been the term printed in
~c[Goal''] below.
~bv[]
ACL2 !>(thm
(equal (myplus b a)
ccc))
This simplifies, using the :meta rule MYMETALEMMA and the :rewrite
rule UNHIDEHIDE, to
Goal'
(EQUAL (+ B A) CCC).
This simplifies, using the :rewrite rule COMMUTATIVITYOF+, to
Goal''
(EQUAL (+ A B) CCC).
~ev[]
The discussion above probably suffices to make good use of this
~c[(UNHIDE (HIDE ...))] trick. However, we invite the reader who
wishes to understand the trick in depth to evaluate the following
form before submitting the ~ilc[thm] form above.
~bv[]
(trace$ (rewrite :entry (list (take 2 arglist))
:exit (list (car values)))
(rewritewithlemma :entry (list (take 2 arglist))
:exit (take 2 values)))
~ev[]
The following annotated subset of the trace output (which may appear
a bit different depending on the underlying Common Lisp
implementation) explains how the trick works.
~bv[]
2> (REWRITE ((MYPLUS B A) NIL))>
3> (REWRITEWITHLEMMA
((MYPLUS B A)
(REWRITERULE (:META MYMETALEMMA)
1822
NIL EQUAL METAFN NIL META NIL NIL)))>
We apply the meta rule, then recursively rewrite the result, which is the
(UNHIDE (HIDE ...)) term shown just below.
4> (REWRITE ((UNHIDE (HIDE (BINARY+ B A)))
((A . A) (B . B))))>
5> (REWRITE ((HIDE (BINARY+ B A))
((A . A) (B . B))))>
The HIDE protects its argument from being touched by the rewriter.
<5 (REWRITE (HIDE (BINARY+ B A)))>
5> (REWRITEWITHLEMMA
((UNHIDE (HIDE (BINARY+ B A)))
(REWRITERULE (:REWRITE UNHIDEHIDE)
1806 NIL EQUAL (UNHIDE (HIDE X))
X ABBREVIATION NIL NIL)))>
Now we apply UNHIDEHIDE, then recursively rewrite its righthand
side in an environment where X is bound to (BINARY+ B A).
6> (REWRITE (X ((X BINARY+ B A))))>
Notice that at this point X is cached, so REWRITE just returns
(BINARY+ B A).
<6 (REWRITE (BINARY+ B A))>
<5 (REWRITEWITHLEMMA T (BINARY+ B A))>
<4 (REWRITE (BINARY+ B A))>
<3 (REWRITEWITHLEMMA T (BINARY+ B A))>
<2 (REWRITE (BINARY+ B A))>
~ev[]")
(deflabel extendedmetafunctions
:doc
":DocSection Miscellaneous
state and context sensitive metafunctions~/
~bv[]
General Form of an Extended :Meta theorem:
(implies (and (pseudotermp x) ; this hyp is optional
(alistp a) ; this hyp is optional
(ev (hypfn x mfc state) a)) ; this hyp is optional
(equiv (ev x a)
(ev (fn x mfc state) a)))
~ev[]
where the restrictions are as described in the ~il[documentation] for
~ilc[meta] and, in addition, ~c[mfc] and ~c[state] are distinct variable
symbols (different also from ~c[x] and ~c[a]) and ~c[state] is literally the
symbol ~c[STATE]. A ~c[:meta] theorem of the above form installs ~c[fn] as a
metatheoretic simplifier with hypothesis function ~c[hypfn], exactly as for
vanilla metafunctions. The only difference is that when the metafunctions
are applied, some contextual information is passed in via the ~c[mfc]
argument and the ACL2 ~ilc[state] is made available.
~l[meta] for a discussion of vanilla flavored metafunctions. This
documentation assumes you are familiar with the simpler situation, in
particular, how to define a vanilla flavored metafunction, ~c[fn], and its
associated hypothesis metafunction, ~c[hypfn], and how to state and prove
metatheorems installing such functions. Defining extended metafunctions
requires that you also be familiar with many ACL2 implementation details.
This documentation is sketchy on these details; see the ACL2 source code or
email the ~il[acl2help] list if you need more help.~/
The metafunction context, ~c[mfc], is a list containing many different data
structures used by various internal ACL2 functions. We do not document the
form of ~c[mfc]. Your extended metafunction should just take ~c[mfc] as its
second formal and pass it into the functions mentioned below. The ACL2
~c[state] is welldocumented (~pl[state]). The following expressions may be
useful in defining extended metafunctions.
~c[(mfcclause mfc)]: returns the current goal, in clausal form. A clause is
a list of ACL2 terms, implicitly denoting the disjunction of the listed
terms. The clause returned by ~c[mfcclause] is the clausal form of the
translation (~pl[trans]) of the goal or subgoal on which the rewriter is
working. When a metafunction calls ~c[mfcclause], the term being rewritten
by the metafunction either occurs somewhere in this clause or, perhaps more
commonly, is being rewritten on behalf of some lemma to which the rewriter
has backchained while trying to rewrite a term in the clause.
~c[(mfcancestors mfc)]: returns the current list of the negations of the
backchaining hypotheses being pursued. In particular,
~c[(null (mfcancestors mfc))] will be true if and only if the term being
rewritten is part of the current goal; otherwise, that term is part of a
hypothesis from a rule currently being considered for use. Exception: An
ancestor of the form ~c[(:bindinghyp hyp unifysubst)] indicates that
~c[hyp] has been encountered as a hypothesis of the form ~c[(equal var term)]
or ~c[(equiv var (doublerewriteterm))] that binds variable ~c[var] to the
result of rewriting ~c[term] under ~c[unifysubst].
~c[(mfctypealist mfc)]: returns the typealist governing the occurrence of
the term, ~c[x], being rewritten by the metafunction. A typealist is an
association list, each element of which is of the form ~c[(term ts . ttree)].
Such an element means that the term ~c[term] has the ~il[typeset] ~c[ts].
The ~c[ttree] component is probably irrelevant here. All the terms in the
typealist are in translated form (~pl[trans]). The ~c[ts] are numbers
denoting finite Boolean combinations of ACL2's primitive types
(~pl[typeset]). The typealist includes not only information gleaned from the
conditions governing the term being rewritten but also that gleaned from
forward chaining from the (negations of the) other literals in the clause
returned by ~c[mfcclause].
~c[(w state)]: returns the ACL2 logical ~ilc[world].
~c[(mfcts term mfc state)]: returns the ~c[typeset] of ~c[term] in
the current context; ~pl[typeset].
~c[(mfcrw term obj equivinfo mfc state)]: returns the result of rewriting
~c[term] in the current context, ~c[mfc], with objective ~c[obj] and the
equivalence relation described by ~c[equivinfo]. ~c[Obj] should be ~c[t],
~c[nil], or ~c[?], and describes your objective: try to show that ~c[term] is
true, false, or anything. ~c[Equivinfo] is either ~c[nil], ~c[t], a
function symbol ~c[fn] naming a known equivalence relation, or a list of
congruence rules. ~c[Nil] means return a term that is ~c[equal] to ~c[term].
~c[T] means return a term that is propositionally equivalent (i.e., in the
~c[iff] sense) to ~c[term], while ~c[fn] means return a term
~c[fn]equivalent to ~c[term]. The final case, which is intended only for
advanced users, allows the specification of generated equivalence relations,
as supplied to the ~c[geneqv] argument of ~c[rewrite]. Generally, if you
wish to establish that ~c[term] is true in the current context, use the idiom
~bv[]
(equal (mfcrw term t t mfc state) *t*)
~ev[]
The constant ~c[*t*] is set to the internal form of the constant term ~c[t],
i.e., ~c['t].
~c[(mfcrw+ term alist obj equivinfo mfc state)]: if ~c[alist] is ~c[nil]
then this is equivalent to ~c[(mfcrw term obj equivinfo mfc state)].
However, the former takes an argument, ~c[alist], that binds variables to
terms, and returns the result of rewriting ~c[term] under that ~c[alist],
where this rewriting is as described for ~c[mfcrw] above. The function
~c[mfcrw+] can be more efficient than ~c[mfcrw], because the terms in the
binding alist have generally already been rewritten, and it can be
inefficient to rewrite them again. For example, consider a rewrite rule of
the following form.
~bv[]
(implies (and ...
(syntaxp (... (mfcrw `(bar ,x) ...) ...))
...)
(equal (... x ...) ...))
~ev[]
Here, ~c[x] is bound in the conclusion to the result of rewriting some term,
say, ~c[tm]. Then the above call of ~c[mfcrw] will rewrite ~c[tm], which is
probably unnecessary. So a preferable form of the rule above may be as
follows, so that ~c[tm] is not further rewritten by ~c[mfcrw+].
~bv[]
(implies (and ...
(syntaxp (... (mfcrw+ '(bar v) `((v . ,x)) ...) ...))
...)
(equal (... x ...) ...))
~ev[]
However, you may find that the additional rewriting done by ~c[mfcrw] is
useful in some cases.
~c[(mfcap term mfc state)]: returns ~c[t] or ~c[nil] according to whether
linear arithmetic can determine that ~c[term] is false. To the cognoscenti:
returns the contradiction flag produced by linearizing ~c[term] and adding it
to the ~c[linearpotlst].
During the execution of a metafunction by the theorem prover, the expressions
above compute the results specified. However, there are no axioms about the
~c[mfc] function symbols: they are uninterpreted function symbols. Thus, in
the proof of the correctness of a metafunction, no information is available
about the results of these functions. Thus,
~em[these functions can be used for heuristic purposes only.]
For example, your metafunction may use these functions to decide whether to
perform a given transformation, but the transformation must be sound
regardless of the value that your metafunction returns. We illustrate this
below. It is sometimes possible to use the hypothesis metafunction,
~c[hypfn], to generate a sufficient hypothesis to justify the
transformation. The generated hypothesis might have already been ``proved''
internally by your use of ~c[mfcts] or ~c[mfcrw], but the system will have
to prove it ``officially'' by relieving it. We illustrate this below also.
We conclude with a script that defines, verifies, and uses several extended
metafunctions. This script is based on one provided by Robert Krug, who was
instrumental in the development of this style of metafunction and whose help
we gratefully acknowledge.
~bv[]
; Here is an example. I will define (foo i j) simply to be (+ i j).
; But I will keep its definition disabled so the theorem prover
; doesn't know that. Then I will define an extended metafunction
; that reduces (foo i ( i)) to 0 provided i has integer type and the
; expression (< 10 i) occurs as a hypothesis in the clause.
; Note that (foo i ( i)) is 0 in any case.
(defun foo (i j) (+ i j))
(defevaluator eva evalst ((foo i j)
(unary i)
; I won't need these two cases until the last example below, but I
; include them now.
(if x y z)
(integerp x)))
(setstateok t)
(defun metafn (x mfc state)
(cond
((and (consp x)
(equal (car x) 'foo)
(equal (caddr x) (list 'unary (cadr x))))
; So x is of the form (foo i ( i)). Now I want to check some other
; conditions.
(cond ((and (tssubsetp (mfcts (cadr x) mfc state)
*tsinteger*)
(memberequal `(NOT (< '10 ,(cadr x)))
(mfcclause mfc)))
(quote (quote 0)))
(t x)))
(t x)))
(defthm metafncorrect
(equal (eva x a) (eva (metafn x mfc state) a))
:ruleclasses ((:meta :triggerfns (foo))))
(intheory (disable foo))
; The following will fail because the metafunction won't fire.
; We don't know enough about i.
(thm (equal (foo i ( i)) 0))
; Same here.
(thm (implies (and (integerp i) (< 0 i)) (equal (foo i ( i)) 0)))
; But this will work.
(thm (implies (and (integerp i) (< 10 i))
(equal (foo i ( i)) 0)))
; This won't, because the metafunction looks for (< 10 i) literally,
; not just something that implies it.
(thm (implies (and (integerp i) (< 11 i))
(equal (foo i ( i)) 0)))
; Now I will undo the defun of metafn and repeat the exercise, but
; this time check the weaker condition that (< 10 i) is provable
; (by rewriting it) rather than explicitly present.
(ubt 'metafn)
(defun metafn (x mfc state)
(cond
((and (consp x)
(equal (car x) 'foo)
(equal (caddr x) (list 'unary (cadr x))))
(cond ((and (tssubsetp (mfcts (cadr x) mfc state)
*tsinteger*)
(equal (mfcrw `(< '10 ,(cadr x)) t t mfc state)
*t*))
; The mfcrw above rewrites (< 10 i) with objective t and iffp t. The
; objective means the theorem prover will try to establish it. The
; iffp means the theorem prover can rewrite maintaining propositional
; equivalence instead of strict equality.
(quote (quote 0)))
(t x)))
(t x)))
(defthm metafncorrect
(equal (eva x a) (eva (metafn x mfc state) a))
:ruleclasses ((:meta :triggerfns (foo))))
(intheory (disable foo))
; Now it will prove both:
(thm (implies (and (integerp i) (< 10 i))
(equal (foo i ( i)) 0)))
(thm (implies (and (integerp i) (< 11 i))
(equal (foo i ( i)) 0)))
; Now I undo the defun of metafn and change the problem entirely.
; This time I will rewrite (integerp (foo i j)) to t. Note that
; this is true if i and j are integers. I can check this
; internally, but have to generate a hypfn to make it official.
(ubt 'metafn)
(defun metafn (x mfc state)
(cond
((and (consp x)
(equal (car x) 'integerp)
(consp (cadr x))
(equal (car (cadr x)) 'foo))
; So x is (integerp (foo i j)). Now check that i and j are
; ``probably'' integers.
(cond ((and (tssubsetp (mfcts (cadr (cadr x)) mfc state)
*tsinteger*)
(tssubsetp (mfcts (caddr (cadr x)) mfc state)
*tsinteger*))
*t*)
(t x)))
(t x)))
; To justify this transformation, I generate the appropriate hyps.
(defun hypfn (x mfc state)
(declare (ignore mfc state))
; The hypfn is run only if the metafn produces an answer different
; from its input. Thus, we know at execution time that x is of the
; form (integerp (foo i j)) and we know that metafn rewrote
; (integerp i) and (integerp j) both to t. So we just produce their
; conjunction. Note that we must produce a translated term; we
; cannot use the macro AND and must quote constants! Sometimes you
; must do tests in the hypfn to figure out which case the metafn
; produced, but not in this example.
`(if (integerp ,(cadr (cadr x)))
(integerp ,(caddr (cadr x)))
'nil))
(defthm metafncorrect
(implies (eva (hypfn x mfc state) a)
(equal (eva x a) (eva (metafn x mfc state) a)))
:ruleclasses ((:meta :triggerfns (integerp))))
(intheory (disable foo))
; This will not be proved.
(thm (implies (and (rationalp x) (integerp i)) (integerp (foo i j))))
; But this will be.
(thm (implies (and (rationalp x)
(integerp i)
(integerp j))
(integerp (foo i j))))
~ev[]
")
(defun evaluatorclause/arglist (evfn formals x)
; See evaluatorclause. We return a list of the form
; '((evfn (cadr x) a) (evfn (caddr x) a) ...) containing
; as many elements as there are in formals. The evfn and
; x we use are as provided in our arguments, but the variable
; symbol A in our answer is builtin below.
(cond ((null formals) nil)
(t (cons (mconsterm* evfn (mconsterm* 'car x) 'a)
(evaluatorclause/arglist evfn
(cdr formals)
(mconsterm* 'cdr x))))))
(defun evaluatorclause (evfn fnargs)
; Fnargs is of the form (fn v1 ... vn), a wellformed application of the
; function fn. We return a clause that expresses the theorem
; (implies (and (consp x)
; (equal (car x) 'fn))
; (equal (evfn x a)
; (fn (evfn (cadr x) a)
; ...
; (evfn (cad...dr x) a))))
; where evfn and fn are the function symbols provided. Note that the
; clause we return uses the variable symbols X and A. These symbols
; are built into this definition and that of evaluatorclause/arglist.
(list '(not (consp x))
(fconsterm*
'not
(fconsterm* 'equal '(car x) (kwote (car fnargs))))
(fconsterm*
'equal
(fconsterm* evfn 'x 'a)
(fconsterm (car fnargs)
(evaluatorclause/arglist evfn
(cdr fnargs)
'(cdr x))))))
(defun evaluatorclauses1 (evfn fnargslst)
(cond ((null fnargslst) nil)
(t (cons (evaluatorclause evfn (car fnargslst))
(evaluatorclauses1 evfn (cdr fnargslst))))))
(defun evaluatorclauses (evfn evfnlst fnargslst)
; We return the set of clauses that describe an evaluator, evfn, that
; knows about the function symbols listed in fnargslst. The
; mutually recursive function that evaluates a list of such terms is
; named evfnlst.
; The clauses that describe an evaluator include an evaluatorclause
; (q.v.) for each fn in fnargslst plus clauses describing evfn when
; x is a variable symbol, a quoted object, and a lambda application,
; plus clauses describing evfnlst on nil and on conses.
; Note: The function chkevaluator exploits the fact that if evfn is
; an evaluator, then the constraint on it will contain at least 4
; clauses. (One of the five fixed clauses below is about only
; evfnlst and not about evfn and hence wouldn't be among the
; constraints of evfn.) If this changes, change chkevaluatorp.
; The functions guessfnargslstforevfn and guessevfnlstforevfn take the
; known constraints on an evfn and guess the evfnlst and list of fns for which
; evfn might be an evaluator. These functions knows the structure of the
; clauses generated here, in particular, the structure of the clause describing
; evfnlst on a cons and the structure of the evaluatorclause for a given fn.
; If these structures change, change these two functions.
; WARNING: Don't change the clauses below without reading the Notes
; above!
(append (sublis (list (cons 'evfn evfn)
(cons 'evfnlst evfnlst))
'(((not (symbolp x))
(equal (evfn x a) (cdr (assoceq x a))))
((not (consp x))
(not (equal (car x) 'quote))
(equal (evfn x a) (car (cdr x))))
((not (consp x))
(not (consp (car x)))
(equal (evfn x a)
(evfn (car (cdr (cdr (car x))))
(pairlis$ (car (cdr (car x)))
(evfnlst (cdr x) a)))))
((consp xlst)
(equal (evfnlst xlst a) 'nil))
((not (consp xlst))
(equal (evfnlst xlst a)
(cons (evfn (car xlst) a)
(evfnlst (cdr xlst) a))))))
(evaluatorclauses1 evfn fnargslst)))
; The function above describes the constraints on an evaluator
; function. The user will define his own evfn and evfnlst and prove
; the constraint formulas. Later, when evfn is used in an alleged
; :META theorem, we will verify that it is an evaluator by getting its
; constraint, digging the clauses out of it, and comparing them to the
; list above. But in our statement of the constraints we use car/cdr
; nests freely. The user is liable to use cadr nests (or first,
; second, third, etc., which expand to cadr nests). We therefore take
; time out from our development of evaluators and define the functions
; for normalizing the user's cadr nests to car/cdr nests. The
; following code feels really clunky.
(defun cdrp (x term)
; We determine whether term is of the form (cdr (cdr ... (cdr x))),
; where there are 0 or more cdrs.
(cond ((equal x term) t)
((variablep term) nil)
((fquotep term) nil)
((eq (ffnsymb term) 'cdr) (cdrp x (fargn term 1)))
(t nil)))
; A source of confusion the user faces is that he may write
; (eq & 'fn) or (eq 'fn &) where we expect (equal & 'fn). So we
; normalize those too, at the toplevel of a clause. We call it
; a termlst rather than a clause for symmetry with the foregoing.
(defun expandeqandatomtermlst (lst)
; This function scans the clause lst and replaces literals of the
; form (not (eq x 'sym)), (not (eq 'sym x)), and (not (equal 'sym x))
; by (not (equal x 'sym)). It also replaces literals of the form
; (atom x) by (not (consp x)).
(cond ((null lst) nil)
(t (let ((rst (expandeqandatomtermlst (cdr lst)))
(lit (car lst)))
(casematch
lit
(('not ('eq x ('quote s)))
(cond ((symbolp s)
(cons (mconsterm* 'not
(mconsterm* 'equal
x
(list 'quote s)))
rst))
((and (quotep x)
(symbolp (cadr x)))
(cons (mconsterm* 'not
(mconsterm* 'equal
(list 'quote s)
x))
rst))
(t (cons lit rst))))
(('not ('eq ('quote s) x))
(cond ((symbolp s)
(cons (mconsterm* 'not
(mconsterm* 'equal
x
(list 'quote s)))
rst))
(t (cons lit rst))))
(('not ('equal ('quote s) x))
(cond ((and (symbolp s)
(not (and (quotep x)
(symbolp (cadr x)))))
(cons (mconsterm* 'not
(mconsterm* 'equal
x
(list 'quote s)))
rst))
(t (cons lit rst))))
(('atom x)
(cons (mconsterm* 'not (mconsterm* 'consp x))
rst))
(& (cons lit rst)))))))
; And here, at long last, is the function that massages a user's
; alleged evaluator constraint clause so as to unfold all the cadrs
; and cadars of the pseudoterm in question.
(defun normalizeallegedevaluatorclause (clause)
; Supposing clause is an evaluator clause, we make the likely
; transformations to remove minor syntactic variants introduced by the
; user. In particular, we eliminate the uses of atom and eq.
(expandeqandatomtermlst clause))
; And here is how we massage the list of user clauses.
(defun normalizeallegedevaluatorclauseset (lst)
(cond ((null lst) nil)
(t (cons (normalizeallegedevaluatorclause (car lst))
(normalizeallegedevaluatorclauseset (cdr lst))))))
(defun shallowclausify1 (lst)
; Lst is a list of pairs, each of the form (hyps . concl) as returned
; by unprettyify. We convert it to a list of clauses.
(cond ((null lst) nil)
(t (conjoinclausetoclauseset
(addliteral
(cdar lst)
(dumbnegatelitlst (caar lst))
t)
(shallowclausify1 (cdr lst))))))
(defun shallowclausify (term)
; We extract a set of clauses from term whose conjunction is is
; propositionally equivalent to term. This is like clausify except
; that we are very shallow and stupid.
; Note: Why on earth do we have this function? The intended use for
; this function is to clausify the constraint on an alleged evaluator
; function evfn. The idea is to convert the user's constraint to a
; set of clauses and compare that set to the cannonical evaluator
; clauses. Why not just use clausify? If one of the functions
; interpretted by evfn is 'if then our fullblown clausify will break
; that clause apart into two unrecognizable pieces.
(shallowclausify1 (unprettyify term)))
; We next turn to guessing the evfnlst and list of fns for which evfn
; is an evaluator. Our guesses key on the structure of the clauses
; that constrain evfn.
(defun findevfnlstinclause (evfn cl)
; We are looking for the clause that specifies how evfn evaluates
; a lambda application. That clause will mention evfnlst, the
; function that evaluates a list of terms. In particular, we scan
; cl looking for the literal
; (equal (evfn x a)
; (evfn (caddar x)
; (pairlis$ (cadar x)
; (evfnlst (cdr x) a))))
; except we know that the cadr nests are in car/cdr form if this is a
; good clause. If we find such a literal we use evfnlst as our
; guess. Otherwise we return nil
(cond
((null cl) nil)
(t (let ((lit (car cl)))
(casematch
lit
(('equal (!evfn x a)
(!evfn ('car ('cdr ('cdr ('car x))))
('pairlis$ ('car ('cdr ('car x)))
(evfnlst ('cdr x) a))))
(cond ((and (variablep x)
(variablep a))
evfnlst)
(t (findevfnlstinclause evfn (cdr cl)))))
(& (findevfnlstinclause evfn (cdr cl))))))))
(defun guessevfnlstforevfn (evfn clset)
; We look through clset for the clause that specifies how evfn
; evaluates lambda applications. That clause mentions evfnlst and if
; we find it we return the evfnlst mentioned. Otherwise nil.
; We insist that the clause be of length 3.
(cond ((null clset) nil)
((and (int= (length (car clset)) 3)
(findevfnlstinclause evfn (car clset))))
(t (guessevfnlstforevfn evfn (cdr clset)))))
(defun findfninclause (cl wrld)
(cond ((null cl) nil)
(t (let ((lit (car cl)))
(casematch
lit
(('not ('equal ('car x) ('quote fn)))
(cond ((and (variablep x)
(symbolp fn)
(not (eq fn 'quote))
(functionsymbolp fn wrld))
fn)
(t (findfninclause (cdr cl) wrld))))
(& (findfninclause (cdr cl) wrld)))))))
(defun guessfnargslstforevfn (clset wrld)
; We return a list of ``fnargs'', terms of the form (fn v1 ... vn) where the
; vi are the formals of fn. The list contains a fnarg for each function
; symbol fn such that some 3 literal clause in clset contains a literal of the
; form (not (equal (car x) 'fn)).
(cond ((null clset) nil)
(t (let ((fn (and (int= (length (car clset)) 3)
(findfninclause (car clset) wrld))))
(cond (fn (cons (mconsterm fn (formals fn wrld))
(guessfnargslstforevfn (cdr clset) wrld)))
(t (guessfnargslstforevfn (cdr clset) wrld)))))))
(defun chkevaluator (evfn wrld ctx state)
; Evfn must be a function symbol. We check that evfn is an evaluator
; function in wrld, or else we cause an error. To be an evaluator
; function evfn must be a function symbol and there must exist another
; symbol, evfnlst, and a list of function symbols, fns, such that the
; constraints on evfn and evfnlst are equivalent to the evaluator
; clauses for evfn, evfnlst and fns.
; What do we mean by the constraints being "equivalent" to the evaluator
; clauses? We convert the two constraint formulas to sets of clauses
; with shallowclausify. Then we expand the cadrs in the user's set.
; Then we do a bidirectional subsumption check on the evaluator clauses.
; By doing a subsumption check we permit the user to use any variable
; names he wishes and to order his clauses and the literals within his
; clauses any way he wishes.
; However, before we can do that we have to decide what evfnlst and
; fns we will use. We guess, by inspecting the constraints of evfn.
; If our guess is wrong we'll just end up saying that evfn is not an
; evaluator fn. If our guess is right, we'll confirm it by the subsumption
; check. So the guessing method is technically unimportant. However, we
; believe it is complete: if there exist suitable evfnlst and fns,
; we find them.
(let ((clset0 (normalizeallegedevaluatorclauseset
(shallowclausify (constraint evfn wrld))))
(str
"The symbol ~x0, playing the role of an evaluator in your ~
alleged metatheorem, does not pass the test for an ~
evaluator. See :DOC meta and :DOC defevaluator. The ~
constraint on ~x0 is in fact ~P12. ~@3"))
(cond
((< (length clset0) 4)
(er soft ctx str
evfn
(prettyifyclauseset clset0 nil wrld)
nil
"This constraint has fewer than four conjuncts."))
(t (let ((evfnlst (guessevfnlstforevfn evfn clset0)))
(cond
((null evfnlst)
(er soft ctx str
evfn
(prettyifyclauseset clset0 nil wrld)
nil
"We cannot find the formula describing how to ~
evaluate lambda applications."))
(t (let* ((fnargslst (guessfnargslstforevfn clset0 wrld))
(clset1
(conjoinclausesets
clset0
(normalizeallegedevaluatorclauseset
(shallowclausify (constraint evfnlst wrld)))))
(clset2
(evaluatorclauses evfn evfnlst fnargslst)))
(cond
((not (and (clausesetsubsumes nil clset1 clset2)
(clausesetsubsumes nil clset2 clset1)))
(er soft ctx
"If ~x0 is an evaluator then it recognizes ~
~#1~[no function symbols~/only the function ~
symbol ~&2~/the function symbols ~&2~] and its ~
mutually recursive counterpart for lists of ~
terms must be ~x3. The constraints on ~x0 and ~
~x3 must therefore be ~P45.~~%We would ~
recognize ~x0 and ~x3 as evaluators if the ~
constraints on them subsumed and were subsumed ~
by the constraints above. But, in fact, the ~
constraints on ~x0 and ~x3 are ~P65 and the ~
bidirectional subsumption check fails. See ~
:DOC defevaluator."
evfn
(zerooneormore fnargslst)
(stripcars fnargslst)
evfnlst
(prettyifyclauseset clset2 nil wrld)
nil
(prettyifyclauseset clset1 nil wrld)))
(t (value nil)))))))))))
; To make it easier to introduce an evaluator, we define the following
; macro.
(defun defevaluatorform/defthms (pkgwitness prefix i clauses)
(cond ((null clauses) nil)
(t (cons (list 'defthm
(genvar pkgwitness prefix i nil)
(prettyifyclause (car clauses) nil nil))
(defevaluatorform/defthms pkgwitness prefix (1+ i) (cdr clauses))))))
(defun defevaluatorform/fnsclauses (evfn fnargslst)
; We return a list of cond clauses,
; (
; ((equal (car x) 'fn1)
; (fn1 (evfn (cadr x) a) ... (evfn (cad...dr x) a)))
; ((equal (car x) 'fn2)
; (fn2 (evfn (cadr x) a) ... (evfn (cad...dr x) a)))
; ...
; (t nil))
; containing a clause for each fni in fns plus a final t clause.
(cond ((null fnargslst) '((t nil)))
(t (cons
(list (list 'equal '(car x) (kwote (caar fnargslst)))
(cons (caar fnargslst)
(evaluatorclause/arglist evfn
(cdar fnargslst)
'(cdr x))))
(defevaluatorform/fnsclauses evfn (cdr fnargslst))))))
(defconst *defevaluatorformbasetheory*
(append *definitionminimaltheory*
'(carcdrelim
carcons cdrcons
o< ofinp ofirstexpt ofirstcoeff orst natp posp
acl2count alistp
(:typeprescription acl2count))))
(defun defevaluatorform (evfn evfnlst fnargslst)
(let* ((clauses (evaluatorclauses evfn evfnlst fnargslst))
(fnsclauses (defevaluatorform/fnsclauses evfn fnargslst))
(defthms (defevaluatorform/defthms
evfn
(symbolname (pack2 evfn 'constraint))
1
clauses)))
`(encapsulate
(((,evfn * *) => *)
((,evfnlst * *) => *))
(setinhibitwarnings "theory")
(local (intheory *defevaluatorformbasetheory*))
,@(sublis
(list (cons 'evfn evfn)
(cons 'evfnlst evfnlst)
(cons 'fnsclauses fnsclauses)
(cons 'defthms defthms))
'((local
(mutualrecursion
(defun evfn (x a)
(declare (xargs :verifyguards nil
:measure (acl2count x)
:wellfoundedrelation o<
:mode :logic))
(cond
((symbolp x) (cdr (assoceq x a)))
((atom x) nil) ; added in v28
((eq (car x) 'quote) (car (cdr x)))
((consp (car x))
(evfn (car (cdr (cdr (car x))))
(pairlis$ (car (cdr (car x)))
(evfnlst (cdr x) a))))
.
fnsclauses))
(defun evfnlst (xlst a)
(declare (xargs :measure (acl2count xlst)
:wellfoundedrelation o<))
(cond ((endp xlst) nil)
(t (cons (evfn (car xlst) a)
(evfnlst (cdr xlst) a)))))))
. defthms)))))
(defmacro defevaluator (&whole x evfn evfnlst fnargslst)
; Note: It might be nice to allow defevaluator a :DOC string, but that would
; require allowing encapsulate such a string!
":DocSection Events
introduce an evaluator function~/
~bv[]
Example:
(defevaluator evl evllist
((length x) (member x y)))
~ev[]
~l[meta].~/
~bv[]
General Form:
(defevaluator ev evlist
((g1 x1 ... xn_1)
...
(gk x1 ... xn_k))
~ev[]
where ~c[ev] and ~c[ev]list are new function symbols and ~c[g1], ..., ~c[gk] are
old function symbols with the indicated number of formals, i.e.,
each ~c[gi] has ~c[n_i] formals.
This function provides a convenient way to constrain ~c[ev] and ~c[evlist]
to be mutuallyrecursive evaluator functions for the symbols ~c[g1],
..., ~c[gk]. Roughly speaking, an evaluator function for a fixed,
finite set of function symbols is a restriction of the universal
evaluator to terms composed of variables, constants, lambda
expressions, and applications of the given functions. However,
evaluator functions are constrained rather than defined, so that the
proof that a given metafunction is correct visavis a particular
evaluator function can be lifted (by functional instantiation) to a
proof that it is correct for any larger evaluator function.
~l[meta] for a discussion of metafunctions.
~c[Defevaluator] executes an ~ilc[encapsulate] after generating the
appropriate ~ilc[defun] and ~ilc[defthm] events. Perhaps the easiest way to
understand what ~c[defevaluator] does is to execute the keyword command
~bv[]
:trans1 (defevaluator evl evllist ((length x) (member x y)))
~ev[]
and inspect the output. This trick is also useful in the rare case
that the event fails because a hint is needed. In that case, the
output of ~c[:]~ilc[trans1] can be edited by adding hints, then
submitted directly.
Formally, ~c[ev] is said to be an ``evaluator function for ~c[g1],
..., ~c[gk], with mutuallyrecursive counterpart ~c[evlist]'' iff
~c[ev] and ~c[evlist] are constrained functions satisfying just the
~il[constraint]s discussed below.
~c[Ev] and ~c[evlist] must satisfy ~il[constraint]s (1)(4) and (k):
~bv[]
(1) How to ev a variable symbol:
(implies (symbolp x)
(equal (ev x a) (cdr (assoceq x a))))
(2) How to ev a constant:
(implies (and (consp x)
(equal (car x) 'quote))
(equal (ev x a) (cadr x)))
(3) How to ev a lambda application:
(implies (and (consp x)
(consp (car x)))
(equal (ev x a)
(ev (caddar x)
(pairlis$ (cadar x)
(evlist (cdr x) a)))))
(4) How to ev an argument list:
(implies (consp xlst)
(equal (evlist xlst a)
(cons (ev (car xlst) a)
(evlist (cdr xlst) a))))
(implies (not (consp xlst))
(equal (evlist xlst a)
nil))
(k) For each i from 1 to k, how to ev an application of gi,
where gi is a function symbol of n arguments:
(implies (and (consp x)
(equal (car x) 'gi))
(equal (ev x a)
(gi (ev x1 a)
...
(ev xn a)))),
where xi is the (cad...dr x) expression equivalent to (nth i x).
~ev[]
~c[Defevaluator] defines suitable witnesses for ~c[ev] and ~c[evlist], proves
the theorems about them, and constrains ~c[ev] and ~c[evlist]
appropriately. We expect ~c[defevaluator] to work without assistance
from you, though the proofs do take some time and generate a lot of
output. The proofs are done in the context of a fixed theory,
namely the value of the constant ~c[*defevaluatorformbasetheory*].
(Aside: (3) above may seem surprising, since the bindings of ~c[a] are not
included in the environment that is used to evaluate the lambda body,
~c[(caddar x)]. However, ACL2 lambda expressions are all ~em[closed]:
in ~c[(lambda (v1 ... vn) body)], the only free variables in ~c[body] are
among the ~c[vi]. ~l[term].)"
; This function executes an encapsulate that defines an evaluator
; evfn (with mutually recursive counterpart evfnlst for lists of
; terms) that recognizes the functions in fns.
(cond
((not (and (symbolp evfn)
(symbolp evfnlst)
(symbollistlistp fnargslst)))
`(er soft '(defevaluator . ,evfn)
"The form of a defevaluator event is (defevaluator evfn ~
evfnlst fnargslst), where evfn and evfnlst are symbols ~
and fnargslst is a true list of lists of symbols. ~
However, ~x0 does not have this form."
',x))
(t
(defevaluatorform evfn evfnlst fnargslst))))
(deflabel termtable
:doc
":DocSection Events
a table used to validate meta rules~/
~bv[]
Example:
(table termtable t '((binary+ x y) '3 'nil (car x)))
~ev[]~/
~l[table] for a general discussion of tables and the ~c[table]
event used to manipulate tables.
The ``~c[termtable]'' is used at the time a meta rule is checked for
syntactic correctness. Each proposed metafunction is run on each
term in this table, and the result in each case is checked to make
sure that it is a ~c[termp] in the current world. In each case where
this test fails, a warning is printed.
Whenever a metafunction is run in support of the application of a
meta rule, the result must be a term in the current world. When the
result is not a term, a hard error arises. The ~c[termtable] is simply
a means for providing feedback to the user at the time a meta rule
is submitted, warning of the definite possibility that such a hard
error will occur at some point in the future.
The key used in ~c[termtable] is arbitrary. The topmost value is
always the one that is used; it is the entire list of terms to be
considered. Each must be a ~c[termp] in the current ACL2 world.~/")
(table termtable nil nil
:guard
(termlistp val world))
(table termtable t '((binary+ x y) (binary* '0 y) (car x)))
(defun metarulehypothesisfunction (hyp ev x a mfcsymbol)
; Here hyp is the hypothesis of the proposed meta rule (or, *t* if
; there is none). We want to identify the hypothesis metafunction
; (see :DOC meta) of that rule. We return nil if the hyp is
; unacceptable, t if there is no extra hypothesis, and otherwise the
; hypothesis function. Note that we allow, but do not require, the
; hypotheses (pseudotermp x) and (alistp a) to be among the
; hypotheses, in which case we delete them before returning the
; result.
; If mfcsymbol is nonnil, this is an extended metafunction and we
; insist that the hyp function be extended also. All extended
; functions take three arguments, the term, the context, and STATE, in
; that order. The value of mfcsymbol is the variable symbol used to
; denote the context.
(let ((hyps (flattenandsinlit hyp)))
(let* ((resthyps (remove1equal
(fconsterm* 'pseudotermp x)
(remove1equal (fconsterm* 'alistp a) hyps)))
(hyp3 (car resthyps))
(extendedargs
(if mfcsymbol (cons mfcsymbol '(STATE)) nil)))
(cond
((null resthyps)
t)
(t
(and (null (cdr resthyps))
(casematch
hyp3
((!ev (fn !x . !extendedargs) !a)
fn)
(t nil))))))))
(defun metafnargs (term extendedp ens state)
(cond
(extendedp
(list term
(make metafunctioncontext
:typealist nil
:obj '?
:geneqv nil
:wrld (w state)
:fnstack nil
:ancestors nil
:simplifyclausepotlst nil
:rcnst
(makercnst ens
(w state)
:forceinfo t
:topclause (list term)
:currentclause (list term))
:gstack nil
:ttree nil)
(coercestatetoobject state)))
(t (list term))))
(defun chkmetafunction (metafn name triggerfns extendedp
termlist ctx ens state)
; If extendedp is nil we call metafn on only one term arg. Otherwise, we call
; it on args of the type: (term context state). We manufacture a trivial
; context. We don't care what nonnil value extendedp is.
(cond
((null termlist)
(value nil))
((or (variablep (car termlist))
(fquotep (car termlist))
(flambdaapplicationp (car termlist))
(not (membereq (ffnsymb (car termlist)) triggerfns)))
(chkmetafunction metafn name triggerfns extendedp
(cdr termlist) ctx ens state))
(t
(let ((args (metafnargs (car termlist) extendedp ens state)))
(pprogn
(cond
((warningdisabledp "Meta")
state)
(t
(mvlet (erp val latches)
(evfncallmeta metafn args state)
(declare (ignore latches))
(cond
(erp
; We use warnings rather than errors when the checks fail, partly so
; that we can feel free to change the checks without changing what the
; prover will accept. Put differently, we don't want usermanaged
; tables to affect what the prover is able to prove.
(warning$ ctx ("Meta")
"An error occurred upon running the metafunction ~
~x0 on the term ~x1. This does not bode well ~
for the utility of this metafunction for the ~
meta rule ~x2. See :DOC termtable."
metafn (car termlist) name))
((termp val (w state))
state)
(t
(warning$ ctx ("Meta")
"The value obtained upon running the ~
metafunction ~x0 on the term ~x1 is ~x2, which ~
is NOT a termp in the current ACL2 world. This ~
does not bode well for the utility of this ~
metafunction for the meta rule ~x3. See :DOC ~
termtable."
metafn (car termlist) val name))))))
(chkmetafunction
metafn name triggerfns extendedp (cdr termlist) ctx ens state))))))
(defun chkacceptablemetarule (name triggerfns term ctx ens wrld state)
(if (membereq 'IF triggerfns)
(er soft ctx
"The function symbol IF is not an acceptable member of ~
:triggerfns, because the ACL2 simplifier is not set up to apply ~
:meta rules to calls of IF.")
(let ((str "No :META rule can be generated from ~x0 because ~p1 does not ~
have the form of a metatheorem. See :DOC meta.")
(guardstr
"The ~s0 of a :META rule must have a guard that obviously holds ~
whenever its argument is known to be a pseudotermp. However, ~
the guard for ~x1 is ~p2. See :DOC meta."))
(mvlet
(hyp eqv ev x a fn mfcsymbol)
(casematch term
(('implies hyp
(eqv (ev x a) (ev (fn x) a)))
(mv hyp eqv ev x a fn nil))
((eqv (ev x a) (ev (fn x) a))
(mv *t* eqv ev x a fn nil))
(('implies hyp
(eqv (ev x a)
(ev (fn x mfcsymbol 'STATE)
a)))
(mv hyp eqv ev x a fn mfcsymbol))
((eqv (ev x a)
(ev (fn x mfcsymbol 'STATE)
a))
(mv *t* eqv ev x a fn mfcsymbol))
(& (mv *t* nil nil nil nil nil nil)))
(cond ((null eqv)
(er soft ctx str name (untranslate term t wrld)))
((not (and (not (flambdap eqv))
(equivalencerelationp eqv wrld)
(variablep x)
(variablep a)
(not (eq x a))
(not (eq fn 'quote))
(not (flambdap fn))
(or (null mfcsymbol)
(and (variablep mfcsymbol)
(noduplicatesp (list x a mfcsymbol 'STATE))))))
; Note: Fn must be a symbol, not a lambda expression. That is because
; in rewritewithlemma, when we apply the metafunction, we use evfncallmeta.
(er soft ctx str name (untranslate term t wrld)))
((not (memberequal (stobjsin fn wrld)
'((nil)
(nil nil state))))
(er soft ctx
"Metafunctions cannot take singlethreaded object names ~
other than STATE as formal parameters. The function ~x0 ~
may therefore not be used as a metafunction."
fn))
((let ((guard (guard fn nil wrld)))
(not (or (equal guard *t*)
(tautologyp
(fconsterm*
'implies
(fconsterm 'pseudotermp
(list (car (formals fn wrld))))
guard)
wrld))))
(er soft ctx guardstr "metafunction" fn
(untranslate (guard fn nil wrld) t wrld)))
(t (let ((hypfn (metarulehypothesisfunction hyp ev x a mfcsymbol)))
(cond
((null hypfn)
(er soft ctx str name (untranslate term t wrld)))
((and (not (eq hypfn t))
(let ((guard (guard hypfn nil wrld)))
(not (or (equal guard *t*)
(tautologyp
(fconsterm*
'implies
(fconsterm 'pseudotermp
(list
(car (formals hypfn wrld))))
guard)
wrld)))))
(er soft ctx guardstr
"hypothesis function" hypfn
(untranslate (guard hypfn nil wrld) t wrld)))
((and (not (eq hypfn t))
(not (memberequal (stobjsin hypfn wrld)
'((nil)
(nil nil state)))))
; It is tempting to avoid the check here that hypfn does not take
; stobjs in. After all, we have already checked this for fn, and fn
; and hypfn have the same actuals. But our defun warts allow certain
; functions to traffic in stobjs even though they do not use STATE (or
; another stobj name) as a formal. So, we play it safe and check.
(er soft ctx
"Hypothesis metafunctions cannot take single threaded ~
object names as formal parameters. The function ~x0 ~
may therefore not be used as a hypothesis ~
metafunction."
hypfn))
(t (let ((termlist
(cdar (tablealist 'termtable (w state)))))
(erprogn (chkevaluator ev wrld ctx state)
; In the code below, mfcsymbol is used merely as a Boolean indicating
; that this is an extended metafunction.
(chkmetafunction
fn name triggerfns mfcsymbol
termlist ctx ens state)
(if (eq hypfn t)
(value nil)
(chkmetafunction
hypfn name triggerfns mfcsymbol
termlist ctx ens state)))))))))))))
; And to add a :META rule:
(defun addmetarule1 (lst rule wrld)
; Fn is a function symbol, not a lambda expression.
(cond ((null lst) wrld)
(t (addmetarule1 (cdr lst) rule
(putprop (car lst)
'lemmas
(cons rule
(getprop (car lst)
'lemmas nil
'currentacl2world wrld))
wrld)))))
(defun addmetarule (rune nume triggerfns term backchainlimit wrld)
(mvlet
(hyp eqv ev x a fn mfcsymbol)
(casematch term
(('implies hyp
(eqv (ev x a) (ev (fn x) a)))
(mv hyp eqv ev x a fn nil))
((eqv (ev x a) (ev (fn x) a))
(mv *t* eqv ev x a fn nil))
(('implies hyp
(eqv (ev x a)
(ev (fn x mfcsymbol 'STATE)
a)))
(mv hyp eqv ev x a fn mfcsymbol))
((eqv (ev x a)
(ev (fn x mfcsymbol 'STATE)
a))
(mv *t* eqv ev x a fn mfcsymbol))
(& (mv *t* nil nil nil nil nil nil)))
(let ((hypfn (metarulehypothesisfunction hyp ev x a mfcsymbol)))
(cond
((or (null hypfn) (null eqv))
(er hard 'addmetarule
"Addmetarule broke on args ~x0! It seems to be out of sync with ~
chkacceptablemetarule."
(list rune nume triggerfns term)))
(t
(addmetarule1 triggerfns
(make rewriterule
:rune rune
:nume nume
:hyps (if (eq hypfn t) nil hypfn)
:equiv eqv
:lhs fn
:freevarsplhs nil ; unused
:rhs (if mfcsymbol 'extended nil)
:subclass 'meta
:heuristicinfo nil
:backchainlimitlst backchainlimit)
wrld))))))
;
; Section: Destructor :ELIM Rules
(deflabel elim
:doc
":DocSection RuleClasses
make a destructor elimination rule~/
~l[ruleclasses] for a general discussion of rule classes and how they are
used to build rules from formulas. Here we describe the class of ~c[:elim]
rules, which is fundamentally quite different from the more common class of
~c[:]~ilc[rewrite] rules. Briefly put, a ~c[:rewrite] rule replaces
instances of its lefthand side with corresponding instances of its
righthand side. But an ~c[:elim] rule, on the other hand, has the effect of
generalizing socalled ``destructor'' function applications to variables. In
essence, applicability of a ~c[:rewrite] rule is based on matching its
lefthand side, while applicability of an ~c[:elim] rule is based on the
presence of at least one destructor term.
For example, a conjecture about ~c[(car x)] and ~c[(cdr x)] can be replaced
by a conjecture about new variables ~c[x1] and ~c[x2], as shown in the
following example. (Run the command ~c[:miniproveall] and search for
~c[CARCDRELIM] to see the full proof containing this excerpt.)
~bv[]
Subgoal *1/1'
(IMPLIES (AND (CONSP X)
(TRUELISTP (REV (CDR X))))
(TRUELISTP (APP (REV (CDR X)) (LIST (CAR X))))).
The destructor terms (CAR X) and (CDR X) can be eliminated by using
CARCDRELIM to replace X by (CONS X1 X2), (CAR X) by X1 and (CDR X)
by X2. This produces the following goal.
Subgoal *1/1''
(IMPLIES (AND (CONSP (CONS X1 X2))
(TRUELISTP (REV X2)))
(TRUELISTP (APP (REV X2) (LIST X1)))).
This simplifies, using primitive type reasoning, to
Subgoal *1/1'''
(IMPLIES (TRUELISTP (REV X2))
(TRUELISTP (APP (REV X2) (LIST X1)))).
~ev[]
The resulting conjecture is often simpler and hence more amenable to proof.
The application of an ~c[:elim] rule thus replaces a variable by a term that
contains applications of socalled ``destructor'' functions to that variable.
The example above is typical: the variable ~c[x] is replaced by the term
~c[(cons (car x) (cdr x))], which applies a socalled ``constructor''
function, ~ilc[cons], to applications ~c[(car x)] and ~c[(cdr x)] of
destructor functions ~ilc[car] and ~ilc[cdr] to that same variable, ~c[x].
But that is only part of the story. ACL2 then generalizes the destructor
applications ~c[(car x)] and ~c[(cdr x)] to new variables ~c[x1] and ~c[x2],
respectively, and ultimately the result is a simpler conjecture.
More generally, the application of an ~c[:elim] rule replaces a variable by a
term containing applications of destructors; there need not be a clearcut
notion of ``constructor.'' But the situation described above is typical, and
we will focus on it, giving full details when we introduce the ``General
Form'' below.
The example above employs the following builtin ~c[:elim] rule named
~c[carcdrelim].
~bv[]
Example:
(implies (consp x) when (car v) or (cdr v) appears
(equal (cons (car x) (cdr x)) in a conjecture, and v is a
x)) variable, consider replacing v by
(cons a b), for two new variables
a and b.
Notice that the situation is complicated a bit by the fact that this
replacement is only valid if the variable being replaced a cons structure.
Thus, when ACL2 applies ~c[carcdrelim] to replace a variable ~c[v], it will
split into two cases: one case in which ~c[(consp v)] is true, in which ~c[v]
is replaced by ~c[(cons (car v) (cdr v))] and then ~c[(car v)] and
~c[(cdr v)] are generalized to new variables; and one case in which
~c[(consp v)] is false. In practice, ~c[(consp v)] is often provable,
perhaps even literally present as a hypotheses; then of course there is no
need to introduce the second case. That is why there is no such second case
in the example above.
You might find ~c[:elim] rules to be useful whenever you have in mind a data
type that can be built up from its fields with a ``constructor'' function and
whose fields can be accessed by corresponding ``destructor'' functions. So
for example, if you have a ``house'' data structure that represents a house
in terms of its address, price, and color, you might have a rule like the
following.
~bv[]
Example:
(implies (housep x)
(equal (makehouse (address x)
(price x)
(color x))
x))
~ev[]
The application of such a rule is entirely analogous to the application of
the rule ~c[carcdrelim] discussed above. We discuss such rules and their
application more carefully below.~/
General Form:
(implies hyp (equiv lhs x))
~ev[]
where ~c[equiv] is a known equivalence relation (~pl[defequiv]); ~c[x]
is a variable symbol; and ~c[lhs] contains one or more terms (called
``destructor terms'') of the form ~c[(fn v1 ... vn)], where ~c[fn] is
a function symbol and the ~c[vi] are distinct variable symbols,
~c[v1], ..., ~c[vn] include all the variable symbols in the formula,
no ~c[fn] occurs in ~c[lhs] in more than one destructor term, and all
occurrences of ~c[x] in ~c[lhs] are inside destructor terms.
To use an ~c[:elim] rule, the theorem prover waits until a conjecture has
been maximally simplified. It then searches for an instance of some
destructor term ~c[(fn v1 ... vn)] in the conjecture, where the instance for
~c[x] is some variable symbol, ~c[vi], and every occurrence of ~c[vi] outside
the destructor terms is in an ~c[equiv]hittable position. If such an
instance is found, then the theorem prover instantiates the ~c[:elim] formula
as indicated by the destructor term matched; splits the conjecture into two
goals, according to whether the instantiated hypothesis, ~c[hyp], holds; and
in the case that it does hold, generalizes all the instantiated destructor
terms in the conjecture to new variables and then replaces ~c[vi] in the
conjecture by the generalized instantiated ~c[lhs]. An occurrence of ~c[vi]
is ``~c[equiv]hittable'' if sufficient congruence rules (~pl[defcong]) have
been proved to establish that the propositional value of the clause is not
altered by replacing that occurrence of ~c[vi] by some ~c[equiv]equivalent
term.
If an ~c[:elim] rule is not applied when you think it should have been,
and the rule uses an equivalence relation, ~c[equiv], other than ~c[equal],
it is most likely that there is an occurrence of the variable that is not
~c[equiv]hittable. Easy occurrences to overlook are those in
the governing hypotheses. If you see an unjustified occurrence of the
variable, you must prove the appropriate congruence rule to allow the
~c[:elim] to fire.
Further examples of how ACL2 ~c[:elim] rules are used may be found in the
corresponding discussion of ``Elimation of Destructors'' for Nqthm, in
Section 10.4 of A Computational Logic Handbook.")
(mutualrecursion
(defun destructors (term ans)
; Unionequal into ans all of the subterms of term of the form (fn v1
; ... vn) where fn is a symbol and the vi are distinct variables.
(cond ((or (variablep term)
(fquotep term)
(flambdaapplicationp term))
ans)
(t (destructorslst (fargs term)
(cond ((and (fargs term)
(allvariablep (fargs term))
(noduplicatespequal (fargs term)))
(addtosetequal term ans))
(t ans))))))
(defun destructorslst (lst ans)
(cond ((null lst) ans)
(t (destructorslst (cdr lst)
(destructors (car lst) ans)))))
)
(defun stripffnsymbs (lst)
(cond ((null lst) nil)
(t (cons (ffnsymb (car lst))
(stripffnsymbs (cdr lst))))))
(defun chkacceptableelimrule1 (name vars dests ctx wrld state)
(cond
((null dests) (value nil))
((not (subsetpeq vars (fargs (car dests))))
(er soft ctx
"~x0 is an unacceptable destructor elimination rule because ~
the destructor term ~x1 does not mention ~&2. See :DOC elim."
name
(car dests)
(setdifferenceeq vars (fargs (car dests)))))
((getprop (ffnsymb (car dests)) 'eliminatedestructorsrule nil
'currentacl2world wrld)
(er soft ctx
"~x0 is an unacceptable destructor elimination rule because ~
we already have a destructor elimination rule for ~x1, ~
namely ~x2, and we do not support more than one elimination rule ~
for the same function symbol."
name
(ffnsymb (car dests))
(getprop (ffnsymb (car dests)) 'eliminatedestructorsrule nil
'currentacl2world wrld)))
(t (chkacceptableelimrule1 name vars (cdr dests) ctx wrld state))))
(defun chkacceptableelimrule (name term ctx wrld state)
(let ((lst (unprettyify term)))
(casematch
lst
(((& . (equiv lhs rhs)))
(cond
((not (equivalencerelationp equiv wrld))
(er soft ctx
"~x0 is an unacceptable destructor elimination rule ~
because ~x1 is not a known equivalence relation. See ~
:DOC elim."
name equiv))
((nvariablep rhs)
(er soft ctx
"~x0 is an unacceptable destructor elimination rule ~
because the righthand side of its conclusion, ~x1, is ~
not a variable symbol. See :DOC elim."
name rhs))
(t
(let ((dests (destructors lhs nil)))
(cond
((null dests)
(er soft ctx
"~x0 is an unacceptable destructor elimination rule ~
because the lefthand side of its conclusion, ~x1, ~
does not contain any terms of the form (fn v1 ... ~
vn), where fn is a function symbol and the vi are ~
all distinct variables. See :DOC elim."
name lhs))
((not (noduplicatespequal (stripffnsymbs dests)))
(er soft ctx
"~x0 is an unacceptable destructor elimination rule ~
because the destructor terms, ~&1, include more than ~
one occurrence of the same function symbol. See :DOC ~
elim."
name dests))
((occur rhs (sublisexpr (pairlisx2 dests *t*) lhs))
(er soft ctx
"~x0 is an unacceptable destructor elimination rule ~
because the righthand side of the conclusion, ~x1, ~
occurs in the lefthand side, ~x2, in places other ~
than the destructor term~#3~[~/s~] ~&3. See :DOC ~
elim."
name rhs lhs dests))
(t (chkacceptableelimrule1 name (allvars term)
dests ctx wrld state)))))))
(&
(er soft ctx
"~x0 is an unacceptable destructor elimination rule because ~
its conclusion is not of the form (equiv lhs rhs). See ~
:DOC elim."
name)))))
; and to add an :ELIM rule:
(defun addelimrule1 (rune nume hyps equiv lhs rhs lst dests wrld)
; Lst is a tail of dests and contains the destructor terms for which we
; have not yet added a rule. For each destructor in lst we add an elim
; rule to wrld.
(cond ((null lst) wrld)
(t (let* ((dest (car lst))
(rule (make elimrule
:rune rune
:nume nume
:hyps hyps
:equiv equiv
:lhs lhs
:rhs rhs
:crucialposition
( (length (fargs dest))
(length (membereq rhs (fargs dest))))
:destructorterm dest
:destructorterms dests)))
(addelimrule1 rune nume hyps equiv lhs rhs (cdr lst) dests
(putprop (ffnsymb dest)
'eliminatedestructorsrule
rule wrld))))))
(defun addelimrule (rune nume term wrld)
(let* ((lst (unprettyify term))
(hyps (caar lst))
(equiv (ffnsymb (cdar lst)))
(lhs (fargn (cdar lst) 1))
(rhs (fargn (cdar lst) 2))
(dests (reverse (destructors lhs nil))))
(addelimrule1 rune nume hyps equiv lhs rhs dests dests wrld)))
;
; Section: :GENERALIZE Rules
(deflabel generalize
:doc
":DocSection RuleClasses
make a rule to restrict generalizations~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. An example
~c[:]~ilc[corollary] formula from which a ~c[:generalize] rule might be built is:
~bv[]
Example:
any theorem~/
General Form:
any theorem
~ev[]
To use such a ~c[:generalize] rule, the system waits until it has
decided to generalize some term, ~c[term], by replacing it with some new
variable ~c[v]. If any ~c[:generalize] formula can be instantiated so that
some nonvariable subterm becomes ~c[term], then that instance of the
formula is added as a hypothesis.
At the moment, the best description of how ACL2 ~c[:generalize] rules
are used may be found in the discussion of ``Generalize Rules,'' page
248 of A Computational Logic Handbook, or ``Generalization,'' page
132 of ``ComputerAided Reasoning: An Approach.''")
(defun chkacceptablegeneralizerule (name term ctx wrld state)
; This function is really a noop. It exists simply for regularity.
(declare (ignore name term ctx wrld))
(value nil))
(defun addgeneralizerule (rune nume term wrld)
(globalset 'generalizerules
(cons (make generalizerule
:rune rune
:nume nume
:formula term)
(globalval 'generalizerules wrld))
wrld))
;
; Section: :TYPEPRESCRIPTION Rules
(deflabel typeprescription
:doc
":DocSection RuleClasses
make a rule that specifies the type of a term~/
~l[ruleclasses] for a general discussion of rule classes and
how they are used to build rules from formulas. Some example
~c[:]~ilc[corollary] formulas from which ~c[:typeprescription] rules might be
built are:
~bv[]
Examples:
(implies (nth n lst) is of type characterp
(and (characterlistp lst) provided the two hypotheses can
(< n (length lst))) be established by type reasoning
(characterp (nth n lst))).
(implies (demodulize a lst 'value ans) is
(and (atom a) either a nonnegative integer or
(truelistp lst) of the same type as ans, provided
(memberequal a lst)) the hyps can be established by type
(or (and reasoning
(integerp
(demodulize a lst 'value ans))
(>= (demodulize a lst 'value ans) 0))
(equal (demodulize a lst 'value ans) ans))).
~ev[]
To specify the term whose type (~pl[typeset]) is described by
the rule, provide that term as the value of the ~c[:typedterm] field
of the rule class object.~/
~bv[]
General Form:
(implies hyps
(or typerestriction1onpat
...
typerestrictionkonpat
(equal pat var1)
...
(equal pat varj)))
~ev[]
where ~c[pat] is the application of some function symbol to some
arguments, each ~c[typerestrictionionpat] is a term involving ~c[pat] and
containing no variables outside of the occurrences of ~c[pat], and each
~c[vari] is one of the variables of ~c[pat]. Generally speaking, the
~c[typerestriction] terms ought to be terms that inform us as to the
type of ~c[pat]. Ideally, they should be ``primitive recognizing
expressions'' about ~c[pat]; ~pl[compoundrecognizer].
If the ~c[:typedterm] is not provided in the rule class object, it is
computed heuristically by looking for a term in the conclusion whose
type is being restricted. An error is caused if no such term is
found.
Roughly speaking, the effect of adding such a rule is to inform the
ACL2 typing mechanism that ~c[pat] has the type described by the
conclusion, when the hypotheses are true. In particular, the type
of ~c[pat] is within the union of the types described by the several
disjuncts. The ``type described by'' ~c[(equal pat vari)] is the type
of ~c[vari].
More operationally, when asked to determine the type of a term that
is an instance of ~c[pat], ACL2 will first attempt to establish the
hypotheses. ~st[This is done by type reasoning alone, not rewriting!]
Of course, if some hypothesis is to be forced, it is so
treated; ~pl[force] and ~pl[casesplit]. Socalled free variables in
hypotheses are treated specially; ~pl[freevariables]. Provided the
hypotheses are established by type reasoning, ACL2 then unions the
types described by the ~c[typerestrictionionpat] terms together
with the types of those subexpressions of ~c[pat] identified by the
~c[vari]. The final type computed for a term is the intersection of
the types implied by each applicable rule. Type prescription rules
may be disabled.
Because only type reasoning is used to establish the hypotheses of
~c[:typeprescription] rules, some care must be taken with the
hypotheses. Suppose, for example, that the nonrecursive function
~c[mystatep] is defined as
~bv[]
(defun mystatep (x)
(and (truelistp x)
(equal (length x) 2)))
~ev[]
and suppose ~c[(mystatep s)] occurs as a hypothesis of a
~c[:typeprescription] rule that is being considered for use in the
proof attempt for a conjecture with the hypothesis ~c[(mystatep s)].
Since the hypothesis in the conjecture is rewritten, it will become
the conjunction of ~c[(truelistp s)] and ~c[(equal (length s) 2)].
Those two terms will be assumed to have type ~c[t] in the context in
which the ~c[:typeprescription] rule is tried. But type reasoning will
be unable to deduce that ~c[(mystatep s)] has type ~c[t] in this
context. Thus, either ~c[mystatep] should be disabled
(~pl[disable]) during the proof attempt or else the occurrence
of ~c[(mystatep s)] in the ~c[:typeprescription] rule should be
replaced by the conjunction into which it rewrites.
While this example makes it clear how nonrecursive predicates can
cause problems, nonrecursive functions in general can cause
problems. For example, if ~c[(mitigate x)] is defined to be
~c[(if (rationalp x) (1 x) x)] then the hypothesis
~c[(pred (mitigate s))] in the conjecture will rewrite, opening
~c[mitigate] and splitting the conjecture into two subgoals, one in
which ~c[(rationalp s)] and ~c[(pred (1 x))] are assumed and the
other in which ~c[(not (rationalp s))] and ~c[(pred x)] are assumed.
But ~c[(pred (mitigate s))] will not be typed as ~c[t] in either of
these contexts. The moral is: beware of nonrecursive functions
occuring in the hypotheses of ~c[:typeprescription] rules.
Because of the freedom one has in forming the conclusion of a
typeprescription, we have to use heuristics to recover the pattern,
~c[pat], whose type is being specified. In some cases our heuristics
may not identify the intended term and the ~c[:typeprescription]
rule will be rejected as illegal because the conclusion is not of
the correct form. When this happens you may wish to specify the ~c[pat]
directly. This may be done by using a suitable rule class token.
In particular, when the token ~c[:typeprescription] is used it means
ACL2 is to compute pat with its heuristics; otherwise the token
should be of the form ~c[(:typeprescription :typedterm pat)], where
~c[pat] is the term whose type is being specified.
The defun event may generate a ~c[:typeprescription] rule. Suppose
~c[fn] is the name of the function concerned. Then
~c[(:typeprescription fn)] is the rune given to the
typeprescription, if any, generated for ~c[fn] by ~ilc[defun]. (The
trivial rule, saying ~c[fn] has unknown type, is not stored, but
~ilc[defun] still allocates the rune and the corollary of this rune is
known to be ~c[t].)~/")
(defun findtypeprescriptionpat (term ens wrld)
; Suppose term is the translation of a legal typeprescription lemma
; conclusion, e.g.,
; (or (rationalp (fn x x y))
; (and (symbolp (fn x x y))
; (not (equal (fn x x y) nil)))
; (consp (fn x x y))
; (equal (fn x x y) y)).
; In general, term will be some IF expression giving type or equality
; information about some function application, e.g., (fn x x y) in the
; example above. This function attempts to identify the term whose
; type is described. The function is merely heuristic in that if it
; fails (returns nil) the user will have to tell us what term to use.
(cond ((variablep term) nil)
((fquotep term) nil)
((flambdaapplicationp term) nil)
((eq (ffnsymb term) 'if)
(or (findtypeprescriptionpat (fargn term 1) ens wrld)
(findtypeprescriptionpat (fargn term 2) ens wrld)
(findtypeprescriptionpat (fargn term 3) ens wrld)))
((eq (ffnsymb term) 'not)
(findtypeprescriptionpat (fargn term 1) ens wrld))
((eq (ffnsymb term) '<)
(if (quotep (fargn term 1))
(fargn term 2)
(fargn term 1)))
((eq (ffnsymb term) 'equal)
(cond ((or (variablep (fargn term 1))
(fquotep (fargn term 1)))
(fargn term 2))
((or (variablep (fargn term 2))
(fquotep (fargn term 2)))
(fargn term 1))
(t nil)))
((mostrecentenabledrecogtuple (ffnsymb term)
(globalval 'recognizeralist wrld)
ens)
(fargn term 1))
(t term)))
(defun typeprescriptiondisjunctp (var term)
; Warning: Keep this function in sync with
; substnilintotypeprescriptiondisjunct.
; Var is a variable and term is a term. Essentially we are answering
; the question, ``is term a legal disjunct in the conclusion of a
; typeprescription about pat'' for some term pat. However, by this
; time all occurrences of the candidate pat in the conclusion have
; been replaced by some new variable symbol and that symbol is var.
; Furthermore, we will have already checked that the resulting
; generalized concl contains no variables other than var and the
; variables occurring in pat. So what this function actually checks
; is that term is either (equal var othervar), (equal othervar var),
; or else is some arbitrary term whose allvars is identically the
; singleton list containing var.
; If term is one of the two equality forms above, then we know
; othervar is a variable in pat and that term is one of the disjuncts
; that says ``pat sometimes returns this part of its input.'' If term
; is of the third form, then it might have come from a
; typerestriction on pat, e.g., (and (rationalp pat) (<= pat 0)) or
; (compoundrecognizerp pat), or it might be some pretty arbitrary
; term. However, we at least know that it contains no variables at
; all outside the occurrences of pat and that means that we can trust
; typesetimpliedbyterm to tell us what this term implies about
; pat.
(cond ((variablep term)
; This could be a typeprescription disjunct in the generalized concl
; only if term is var, i.e., the original disjunct was equivalent to
; (not (equal pat 'nil)).
(eq term var))
((fquotep term) nil)
((flambdaapplicationp term) nil)
(t (or (and (eq (ffnsymb term) 'equal)
(or (and (eq var (fargn term 1))
(variablep (fargn term 2))
(not (eq (fargn term 1) (fargn term 2))))
(and (eq var (fargn term 2))
(variablep (fargn term 1))
(not (eq (fargn term 2) (fargn term 1))))))
(equal (allvars term) (list var))))))
(defun typeprescriptionconclp (var concl)
; Warning: Keep this function in sync with
; substnilintotypeprescriptionconcl.
; Var is a variable and concl is a term. We recognize those concl
; that are the macroexpansion of (or t1 ... tk) where every ti is a
; typeprescriptiondisjunctp about var.
; In the grand scheme of things, concl was obtained from the
; conclusion of an alleged :TYPEPRESCRIPTION lemma about some term,
; pat, by replacing all occurrences of pat with some new variable,
; var. We also know that concl involves no variables other than var
; and those that occurred in pat.
(cond ((variablep concl) (typeprescriptiondisjunctp var concl))
((fquotep concl) nil)
((flambdaapplicationp concl) nil)
((eq (ffnsymb concl) 'if)
(cond ((equal (fargn concl 1) (fargn concl 2))
(and (typeprescriptiondisjunctp var (fargn concl 1))
(typeprescriptionconclp var (fargn concl 3))))
(t (typeprescriptiondisjunctp var concl))))
(t (typeprescriptiondisjunctp var concl))))
(defun substnilintotypeprescriptiondisjunct (var term)
; Warning: Keep this function in sync with typeprescriptiondisjunctp.
; We assume var and term are ok'd by typeprescriptiondisjunctp.
; If term is of the form (equal var othervar) or (equal othervar var)
; we replace it by nil, otherwise we leave it alone.
(cond ((variablep term) t
