1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098 | ; array1.lisp -- a book about one-dimensional arrays
; Copyright (C) 1997 Computational Logic, Inc.
; This book is free software; you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation; either version 2 of the License, or
; (at your option) any later version.
; This book is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
; You should have received a copy of the GNU General Public License
; along with this book; if not, write to the Free Software
; Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
; Written by: Bishop Brock
; Computational Logic, Inc.
; 1717 West Sixth Street, Suite 290
; Austin, TX 78703-4776 U.S.A.
;;;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;;;
;;; array1.lisp
;;;
;;; Characterization of 1-dimensional arrays.
;;;
;;; This book requires nothing more than the ACL2 boot-strap theory for
;;; its certification.
;;;
;;;
;;;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;;;
;;; Note: This book was originally developed in a version of ACL2 where
;;; guards were part of the logic. It is technically possible to weaken
;;; the hypotheses of many of the lemmas, but time has not permitted us to
;;; do this.
(in-package "ACL2")
(include-book "doc-section")
(deflabel array1
:doc ":doc-section data-structures
A book of lemmas that characterize 1-dimensional arrays.
~/
Because many of the functions characterized by this book are non-recursive,
one should always DISABLE the theory ARRAY1-FUNCTIONS after including this
book, or the lemmas will not be applicable.
~/
The lemmas exported by this book should completely characterize
1-dimensional arrays for most purposes. Given the lemmas exported by this
book, it should not be necessary to ENABLE any of the 1-dimensional array
functions except under special circumstances.
This book defines a function RESET-ARRAY1 that clears an array, effectively
resetting each element of the array to the default value. This book also
includes a macro, DEFARRAY1TYPE, which defines recognizers and supporting
lemmas for 1-dimensional arrays whose elements are all of a fixed type.~/")
(defdoc array1-lemmas
":doc-section array1
A theory of all ENABLEd rules exported by the \"array1\" book.
~/
Note that in order for these rules to be applicable you will first need to
DISABLE the theory ARRAY1-FUNCTIONS. The following rules are found in this
theory:
~/~/ ")
�
;;;****************************************************************************
;;;
;;; These are general lemmas about ALISTs and ALIST functions. None of
;;; these lemmas are exported by this book. Perhaps someday they will
;;; appear in an ALIST book.
;;;
;;;****************************************************************************
;;; EQLABLE-ALISTP
(local
(defthm eqlable-alistp-implies-alistp
(implies
(eqlable-alistp l)
(alistp l))
:rule-classes (:rewrite :forward-chaining)))
;;; ASSOC
(local
(defthm assoc-properties
(implies
(and (eqlable-alistp l)
(assoc x l))
(and (consp (assoc x l))
(equal (car (assoc x l)) x)))))
(local
(defthm eqlablep-car-assoc
(implies
(and (eqlable-alistp l)
(assoc x l))
(eqlablep (car (assoc x l))))))
;;; ASSOC-EQ
(local
(defthm assoc-eq-properties
(implies
(and (alistp l)
(assoc-eq x l))
(and (consp (assoc-eq x l))
(equal (car (assoc-eq x l)) x)))))
;;; BOUNDED-INTEGER-ALISTP
(local
(defthm bounded-integer-alistp-eqlable-alistp
(implies
(bounded-integer-alistp l n)
(eqlable-alistp l))
:rule-classes (:rewrite :forward-chaining)))
(local
(defthm bounded-integer-alistp-car-assoc-properties
(implies
(and (bounded-integer-alistp l n)
(assoc i l)
(not (equal (car (assoc i l)) :header)))
(and (integerp (car (assoc i l)))
(>= (car (assoc i l)) 0)
(< (car (assoc i l)) n)))))
�
;;;****************************************************************************
;;;
;;; Local array1 events.
;;;
;;;****************************************************************************
;;; We prove a :FORWARD-CHAINING lemma for ARRAY1P and a couple of other
;;; LOCAL lemmas, then disable ARRAY1P. Note that for external consumption
;;; we provide a :FORWARD-CHAINING lemma written in terms of HEADER,
;;; DIMENSIONS, MAXIMUM-VALUE, etc. DON'T MESS WITH THIS ARRANGEMENT, or
;;; you'll be very frustrated and very sorry!
(local
(defthm array1p-forward-local
(implies
(array1p name l)
(and
(symbolp name)
(alistp l)
(keyword-value-listp (cdr (assoc-eq :header l)))
(true-listp
(cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l)))))
(equal
(length (cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l)))))
1)
(integerp
(car (cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l))))))
(integerp
(cadr (assoc-keyword :maximum-length (cdr (assoc-eq :header l)))))
(< 0
(car (cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l))))))
(<= (car (cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l)))))
(cadr (assoc-keyword :maximum-length (cdr (assoc-eq :header l)))))
(<= (cadr (assoc-keyword :maximum-length (cdr (assoc-eq :header l))))
*maximum-positive-32-bit-integer*)
(bounded-integer-alistp
l
(car (cadr (assoc-keyword :dimensions (cdr (assoc-eq :header l))))))))
:rule-classes :forward-chaining))
(local
(defthm array1p-header-exists
(implies
(array1p name l)
(assoc-eq :header l))))
; ARRAY1P-CONS (in a slightly different format) is part of the
; BOOT-STRAP-THEORY of ACL2.
(local
(defthm our-array1p-cons
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l))))
(array1p name (cons (cons n x) l)))))
(local (in-theory (disable array1p)))
;;; Now, we prove everthing we need to know about COMPRESS11, and then use
;;; these lemmas to characterize COMPRESS1.
(local
(defthm eqlable-alistp-compress11
(implies
(and (array1p name l)
(integerp i)
(integerp n)
(<= i n))
(eqlable-alistp (compress11 name l i n default)))))
(local
(defthm bounded-integer-alistp-compress11
(implies
(and (array1p name l)
(integerp i)
(integerp n)
(>= i 0)
(<= i n))
(bounded-integer-alistp (compress11 name l i n default) n))))
(local
(defthm compress11-assoc-property-0
(implies
(and (array1p name l)
(integerp i)
(integerp n)
(<= i n)
(integerp j)
(assoc j l)
(assoc j (compress11 name l i n default)))
(equal (assoc j (compress11 name l i n default))
(assoc j l)))))
(local
(defthm compress11-assoc-property-1
(implies
(and (array1p name l)
(not (assoc j (compress11 name l i n default))) ;Free vars!
(integerp i)
(integerp n)
(<= i n)
(integerp j)
(<= i j)
(< j n)
(assoc j l))
(equal (cdr (assoc j l))
default))))
(local
(defthm compress11-assoc-property-2
(implies
(and (array1p name l)
(integerp i)
(integerp n)
(<= i n)
(integerp j)
(not (assoc j l)))
(not (assoc j (compress11 name l i n default))))))
; Start events added by Matt K. for Version 3.1, 7/1/06, to support proof of
; compress1-assoc-property-0 in light of addition of reverse-sorted and
; unsorted ACL2 arrays.
(local
(defthm assoc-revappend-1
(implies (not (member key (strip-cars alist1)))
(equal (assoc key (revappend alist1 alist2))
(assoc key alist2)))))
(local
(defthm assoc-revappend
(implies (and (force (no-duplicatesp (strip-cars alist1)))
(force (alistp alist1)))
(equal (assoc key (revappend alist1 alist2))
(or (assoc key alist1)
(assoc key alist2))))))
(local
(defun ordered-alistp (x)
(cond
((atom x)
(null x))
((atom (cdr x))
(and (consp (car x))
(rationalp (caar x))
(null (cdr x))))
(t (and (consp (car x))
(rationalp (caar x))
(< (caar x) (caadr x))
(ordered-alistp (cdr x)))))))
(local
(defthm no-duplicatesp-strip-cars-ordered-alistp-1
(implies (and (< key (caar x))
(ordered-alistp x))
(not (member key
(strip-cars x))))))
(local
(defthm no-duplicatesp-strip-cars-ordered-alistp
(implies (ordered-alistp x)
(no-duplicatesp (strip-cars x)))))
(local
(defthm consp-assoc-rewrite
(implies (and key
(assoc key alist))
(consp (assoc key alist)))))
(local
(defthm car-assoc
(implies (assoc key alist)
(equal (car (assoc key alist))
key))))
(local
(defthm <-caar-compress11
(implies (and (< i j)
(consp (compress11 name l j n default)))
(< i (caar (compress11 name l j n default))))))
(local
(defthm ordered-alistp-compress11
(implies (and (integerp i)
(integerp n))
(ordered-alistp (compress11 name l i n default)))))
(local
(defthm not-member-strip-cars-compress11
(implies
(< i j)
(not (member i
(strip-cars (compress11 name l j n default)))))))
(local
(defthm no-duplicatesp-strip-cars-compress11
(no-duplicatesp (strip-cars (compress11 name l i n default)))))
; End events added by Matt K. for Version 3.1, 7/1/06, to support proof of
; compress1-assoc-property-0 in light of addition of reverse-sorted and
; unsorted ACL2 arrays.
(local
(defthm compress1-assoc-property-0
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l)))
(assoc n l)
(assoc n (compress1 name l)))
(equal (cdr (assoc n (compress1 name l)))
(cdr (assoc n l))))))
(local
(defthm compress1-assoc-property-1
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l)))
(assoc n l)
(not (assoc n (compress1 name l))))
(equal (cdr (assoc n l))
(cadr (assoc-keyword :default (cdr (assoc-eq :header l))))))))
(local
(defthm compress1-assoc-property-2
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l)))
(not (assoc n l)))
(not (assoc n (compress1 name l))))))
(local
(defthm header-compress1-crock
(implies
(array1p name l)
(equal (assoc-eq :header (compress1 name l))
(assoc-eq :header l)))))
�
;;;****************************************************************************
;;;
;;; Exported Events.
;;;
;;; When new lemmas are added their names must also be added to the theory
;;; ARRAY1-LEMMAS.
;;;
;;;****************************************************************************
; The following two events were added by Matt K. for Version 3.1, 7/1/06, to
; support proof of compress1-assoc-property-0 in light of addition of
; reverse-sorted and unsorted ACL2 arrays.
(local
(defthm alistp-revappend
(implies (alistp x)
(equal (alistp (revappend x y))
(alistp y)))))
(local
(defthm bounded-integer-alistp-revappend
(implies (bounded-integer-alistp x n)
(equal (bounded-integer-alistp (revappend x y) n)
(bounded-integer-alistp y n)))))
(defthm array1p-compress1
(implies
(array1p name l)
(array1p name (compress1 name l)))
:hints
(("Goal"
:in-theory (enable array1p)
:use array1p-header-exists))
:doc ":doc-section array1-lemmas
Rewrite: (ARRAY1P name (COMPRESS1 name l)).
~/~/~/")
(defthm array1p-compress1-properties
(implies
(array1p name l)
(and
(equal (header name (compress1 name l))
(header name l))
(equal (dimensions name (compress1 name l))
(dimensions name l))
(equal (maximum-length name (compress1 name l))
(maximum-length name l))
(equal (default name (compress1 name l))
(default name l))))
:doc ":doc-section array1-lemmas
Rewrite:
(HEADER name (COMPRESS1 name l)) = (HEADER name l).
(DIMENSIONS name (COMPRESS1 name l)) = (DIMENSIONS name l).
(MAXIMUM-LENGTH name (COMPRESS1 name l)) = (MAXIMUM-LENGTH name l).
(DEFAULT name (COMPRESS1 name l)) = (DEFAULT name l).
~/~/~/")
; COMPRESS1 is now fully characterized, so we DISABLE it and start proving
; the interesting theorems.
(local (in-theory (disable compress1)))
(defthm array1p-aset1
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l))))
(array1p name (aset1 name l n val)))
:doc ":doc-section array1-lemmas
Rewrite: (ARRAY1P name (ASET1 name l n val)).
~/~/~/")
(defthm array1p-aset1-properties
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l))))
(and
(equal (header name (aset1 name l n val))
(header name l))
(equal (dimensions name (aset1 name l n val))
(dimensions name l))
(equal (maximum-length name (aset1 name l n val))
(maximum-length name l))
(equal (default name (aset1 name l n val))
(default name l))))
:doc ":doc-section array1-lemmas
Rewrite:
(HEADER name (ASET1 name l n val)) = (HEADER name l).
(DIMENSIONS name (ASET1 name l n val)) = (DIMENSIONS name l).
(MAXIMUM-LENGTH name (ASET1 name l n val)) = (MAXIMUM-LENGTH name l).
(DEFAULT name (ASET1 name l n val)) = (DEFAULT name l).
~/~/~/")
(defthm aref1-compress1
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l))))
(equal (aref1 name (compress1 name l) n)
(aref1 name l n)))
:doc ":doc-section array1-lemmas
Rewrite: (AREF1 name (COMPRESS1 name l) n) = (AREF name l n).
~/~/~/")
(defthm array1p-acons-properties
(implies
(integerp n)
(and
(equal (header name (cons (cons n val) l))
(header name l))
(equal (dimensions name (cons (cons n val) l))
(dimensions name l))
(equal (maximum-length name (cons (cons n val) l))
(maximum-length name l))
(equal (default name (cons (cons n val) l))
(default name l))))
:doc ":doc-section array1-lemmas
Rewrite:
(HEADER name (CONS n val) l) = (HEADER l) , for integers n.
(DIMENSIONS name (CONS n val) l) = (DIMENSIONS l) , for integers n.
(MAXIMUM-LENGTH name (CONS n val) l) = (MAXIMUM-LENGTH l), for integers n.
(DEFAULT name (CONS n val) l) = (DEFAULT l) , for integers n.
~/~/~/")
(defthm array1p-consp-header
(implies
(array1p name l)
(consp (header name l)))
:rule-classes :type-prescription
:doc ":doc-section array1-lemmas
Type-Prescription: (CONSP (HEADER name l)).
~/~/~/")
(defthm array1p-car-header
(implies
(array1p name l)
(equal (car (header name l))
:header))
:doc ":doc-section array1-lemmas
Rewrite: (CAR (HEADER name l)) = :HEADER.
~/~/~/")
; These two theorems for the AREF1-ASET1 cases are used to prove a
; combined result, and then exported DISABLEd.
(defthm aref1-aset1-equal
(implies
(and (array1p name l)
(integerp n)
(>= n 0)
(< n (car (dimensions name l))))
(equal (aref1 name (aset1 name l n val) n)
val))
:doc ":doc-section array1-lemmas
Rewrite: (AREF1 name (ASET1 name l n val) n) = val.~/
Note that this rule is exported DISABLEd by default in favor of
AREF1-ASET1.
~/~/")
(defthm aref1-aset1-not-equal
(implies
(and (array1p name l)
(integerp n1)
(>= n1 0)
(< n1 (car (dimensions name l)))
(integerp n2)
(>= n2 0)
(< n2 (car (dimensions name l)))
(not (equal n1 n2)))
(equal (aref1 name (aset1 name l n1 val) n2)
(aref1 name l n2)))
:doc ":doc-section array1-lemmas
Rewrite: (AREF1 name (ASET1 name l n1 val) n2) = (AREF1 name l n2),
when n1 /= n2.~/
Note that this rule is exported DISABLEd by default in favor of
AREF1-ASET1.
~/~/")
(defthm aref1-aset1
(implies
(and (array1p name l)
(integerp n1)
(>= n1 0)
(< n1 (car (dimensions name l)))
(integerp n2)
(>= n2 0)
(< n2 (car (dimensions name l))))
(equal (aref1 name (aset1 name l n1 val) n2)
(if (equal n1 n2)
val
(aref1 name l n2))))
:hints
(("Goal"
:in-theory (disable aref1 aset1)))
:doc ":doc-section array1-lemmas
Rewrite: (AREF1 name (ASET1 name l n1 val) n2) =
(IF (EQUAL n1 n2) val (AREF1 name l n2)).
~/
Note that this lemma forces the decision of the equality of n1 and n2. If
this causes problems, then DISABLE this lemma and
(ENABLE AREF1-ASET1-EQUAL AREF1-ASET1-NOT-EQUAL).~/~/")
(in-theory (disable aref1-aset1-equal aref1-aset1-not-equal))
;;; The final form of the :FORWARD-CHAINING lemma for ARRAY1P.
(defthm array1p-forward-modular
(implies
(array1p name l)
(and (symbolp name)
(alistp l)
(keyword-value-listp (cdr (header name l)))
(true-listp (dimensions name l))
(equal (length (dimensions name l)) 1)
(integerp (car (dimensions name l)))
(integerp (maximum-length name l))
(< 0 (car (dimensions name l)))
(<= (car (dimensions name l)) (maximum-length name l))
(<= (maximum-length name l) *maximum-positive-32-bit-integer*)
(bounded-integer-alistp l (car (dimensions name l)))))
:rule-classes :forward-chaining
:hints
(("Goal"
:in-theory (disable length)))
:doc ":doc-section array1-lemmas
Forward Chaining: A forward definition of (ARRAY1P name l), in terms of
HEADER, DIMENSIONS, and MAXIMUM-LENGTH.
~/
Note that ACL2 also defines a lemma ARRAY1P-FORWARD, but that lemma
is in terms of the expansions of HEADER, DIMENSIONS, and MAXIMUM-LENGTH.
~/
One should normaly DISABLE ARRAY1P in favor of this :FORWARD-CHAINING rule.
If allowed to open, ARRAY1P can cause severe performance degradation due to
its large size and many recursive functions. This lemma is designed to be
used with the ARRAY1-FUNCTIONS theory DISABLEd.~/")
�
;;;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
;;;
;;; RESET-ARRAY1 name l
;;;
;;;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
; The proofs for RESET-ARRAY1 require a few LOCAL facts.
(local
(defthm car-header
(implies
(array1p name l)
(equal (car (header name l))
:header))))
(local
(defthm array1p-list-header
(implies
(array1p name l)
(array1p name (list (header name l))))
:hints
(("Goal"
:in-theory (enable array1p)))))
(local
(defthm header-list-header
(implies
(array1p name l)
(equal (header name (list (header name l)))
(header name l)))))
(local
(defthm dimensions-list-header
(implies
(array1p name l)
(equal (dimensions name (list (header name l)))
(dimensions name l)))))
(local
(defthm default-cons-header
(implies
(array1p name l)
(equal (default name (cons (header name l) x))
(default name l)))))
(local
(defthm symbol-alistp-list-header
(implies
(array1p name l)
(symbol-alistp (list (header name l))))))
(local
(defthm symbol-alistp-not-assoc-integer
(implies
(and (symbol-alistp l)
(integerp i))
(not (assoc i l)))))
(local
(defthm symbol-alistp-not-compress11
(implies
(and (symbol-alistp l)
(integerp i)
(integerp n))
(not (compress11 name l i n default)))))
; HEADER, DEFAULT, and DIMENSIONS are characterized, so we DISABLE them.
(local (in-theory (disable header default dimensions)))
(defun reset-array1 (name l)
":doc-section array1
Clear an 1-dimensional array.
~/~/
The function (RESET-ARRAY1 name l) returns a 1-dimensional array whose
alist is simply the HEADER of l. This has the effect of resetting the
array, i.e., reading the new array at any address will return the default
value. The implementation is simply to redefine the array as the HEADER of
the old array. Thus all of the HEADER information is carried over to the
new array.
Note that an alternate definition is available as the lemma RESET-ARRAY1*.
~/"
(declare (xargs :guard (array1p name l)))
(compress1 name (list (header name l))))
(defthm reset-array1*
(implies
(array1p name l)
(equal (reset-array1 name l)
(list (header name l))))
:hints
(("Goal"
:in-theory (enable compress1 compress11)))
:doc ":doc-section reset-array1
Rewrite: (RESET-ARRAY1 name l) = (LIST (HEADER name l)).
~/~/
This definition of RESET-ARRAY1 is logically equivalent to the actual
definition. The actual definition, which includes a COMPRESS1 call, has the
run-time side-effect of re-installing the new array. The COMPRESS1 is
logically redundant, however.
This lemma is exported DISABLED, however this is the preferred definition
to use to reason about RESET-ARRAY1. ~/ ")
; We can now reason with the simple definition RESET-ARRAY1*.
(local (in-theory (disable reset-array1)))
(defthm array1p-reset-array1
(implies
(array1p name l)
(array1p name (reset-array1 name l)))
:doc ":doc-section array1-lemmas
Rewrite: (ARRAY1P name (RESET-ARRAY1 name l)).
~/~/~/")
(defthm array1p-reset-array1-properties
(implies
(array1p name l)
(and
(equal (header name (reset-array1 name l))
(header name l))
(equal (dimensions name (reset-array1 name l))
(dimensions name l))
(equal (maximum-length name (reset-array1 name l))
(maximum-length name l))
(equal (default name (reset-array1 name l))
(default name l))))
:doc ":doc-section array1-lemmas
Rewrite:
(HEADER name (RESET-ARRAY1 name l)) = (HEADER name l).
(DIMENSIONS name (RESET-ARRAY1 name l)) = (DIMENSIONS name l).
(MAXIMUM-LENGTH name (RESET-ARRAY1 name l)) = (MAXIMUM-LENGTH name l).
(DEFAULT name (RESET-ARRAY1 name l)) = (DEFAULT name l).
~/~/~/")
(defthm aref1-reset-array1
(implies
(and (array1p name l)
(integerp index))
(equal (aref1 name (reset-array1 name l) index)
(default name l))))
(in-theory (disable reset-array1*))
�
;;;****************************************************************************
;;;
;;; Theories
;;;
;;;****************************************************************************
(deftheory array1-functions
'(array1p aset1 aref1 compress1 header dimensions maximum-length
default reset-array1)
:doc ":doc-section array1
A theory of all functions specific to 1-dimensional arrays.
~/
This theory must be DISABLEd in order for the lemmas exported by the
\"array1\" book to be applicable.~/~/")
(deftheory array1-lemmas
'(array1p-compress1
array1p-compress1-properties
array1p-aset1 array1p-aset1-properties
aref1-compress1 array1p-acons-properties
array1p-consp-header array1p-car-header
aref1-aset1 array1p-forward-modular
array1p-reset-array1 array1p-reset-array1-properties
aref1-reset-array1))
(deftheory array1-disabled-lemmas
'(aref1-aset1-equal aref1-aset1-not-equal reset-array1*)
:doc ":doc-section array1
A theory of all rules exported DISABLEd by the \"array1\" book.
~/
Note that in order for these rules to be applicable you will first need to
(DISABLE ARRAY1-FUNCTIONS). Look at the :DOC for each lemma for an
explanation of why the lemma is exported DISABLEd. The following rules are
found in this theory:~/~/
:cite aref1-aset1-equal
:cite aref1-aset1-not-equal
:cite reset-array1*")
�
;;;****************************************************************************
;;;
;;; DEFARRAY1TYPE
;;;
;;;****************************************************************************
(defmacro defarray1type
(recognizer predicate &key
size doc
(aref1-lemma-rule-classes ':REWRITE)
(aset1-lemma-rule-classes ':REWRITE))
":doc-section array1
Characterize 1-dimensional arrays with a fixed element type.
~/
Example form:
(DEFARRAY1TYPE INTEGERP-ARRAY1P INTEGERP)
The above example defines a recognizer, INTEGERP-ARRAYP, for 1-dimensional
arrays whose elements are all INTEGERP.~/
General form:
(DEF1ARRAYTYPE recognizer predicate
&key size doc
(aref1-lemma-rule-classes ':REWRITE)
(aset1-lemma-rule-classes ':REWRITE))
DEFARRAY1TYPE defines a recognizer for 1-dimensional arrays whose elements
are all of a single type. The recognizer argument is a symbol that is used
as the name of the recognizer. The predicate argument should be a
1-argument, unguarded Boolean function that recognizes objects of the
desired type. The predicate may either be a symbol (the name of the
predicate), or a LAMBDA expression.
If :SIZE is specified it should be a variable-free term that will evaluate
to a positive integer. If specified, then the recognizer will only
recognize 1-dimensional arrays of the given type and of a fixed size.
If :DOC is specified it should be a string, and it will be inserted as the
documentation string in the recognizer.
DEFARRAY1TYPE defines a recognizer:
(recognizer NAME L),
and proves 4 useful theorems about it. If the :SIZE is not specified then
the three theorems will be:
1. (IMPLIES
(recognizer NAME L)
(ARRAY1P NAME L))
2. (IMPLIES
(AND (recognizer NAME L)
(INTEGERP N))
(predicate (AREF1 NAME L N)))
3. (IMPLIES
(AND (recognizer NAME L)
(< N (CAR (DIMENSIONS NAME L)))
(INTEGERP N)
(>= N 0)
(predicate VAL))
(recognizer NAME (ASET1 NAME L N VAL)))
4. (IMPLIES
(recognizer NAME l)
(recognizer NAME (RESET-ARRAY1 name l)))
If :SIZE is specified then the first and third theorems become:
1. (IMPLIES
(recognizer NAME L)
(AND (ARRAY1P NAME L)
(EQUAL (CAR (DIMENSIONS name l))
size)))
3. (IMPLIES
(AND (recognizer NAME L)
(< N size)
(INTEGERP N)
(>= N 0)
(predicate VAL))
(recognizer NAME (ASET1 NAME L N VAL)))
The first theorem is stored as both :REWRITE and :FORWARD-CHAINING rules.
The :RULE-CLASSES of the second and third lemmas default to :REWRITE, but
are selectable by the user by means of the :AREF1-LEMMA-RULE-CLASSES and
:ASET1-LEMMA-RULE-CLASSSES arguments to DEFARRAY1TYPE (respectively). If
using :RULE-CLASSES other than :REWRITE the user should bear in mind the
documented restrictions on the applicability of :TYPE-PRESCRIPTION and
:FORWARD-CHAINING rules. The fourth rule is always a :REWRITE rule.
Note the the recognizer is a very strong recognizer that specifies that the
array alist is a BOUNDED-INTEGER-ALISTP whose elements all satisfy the type
predicate. The recognizer also specifies that the default element of the
array satisfies the predicate as well.
WARNING: The recognizer is defined in terms of a recursive recoignizer,
named <recognizer>-FN. THE RECURSIVE RECOGNIZER SHOULD BE COMPILED BEFORE
YOU TRY TO EXECUTE IT, OR IT MAY CAUSE A STACK OVERFLOW. Also note that
the recognizer will be DISABLEd after execution of this macro. The user
must insure that the recognizer remains DISABLEd, otherwise the above
lemmas will never be applied.
DEFARRAY1TYPE proves the generated lemmas in a minimal, ENCAPSULATEd theory
that should guarantee that the proofs always succeed. If one should
encounter a case where a proof fails (as opposed to a translation or other
syntax failure), please notify the author.~/"
(declare (xargs :guard (and (symbolp recognizer)
(pseudo-termp predicate)
(implies doc (stringp doc)))))
;; A form for the size, and function and lemma names.
(let
((size-form (if size size '(CAR (DIMENSIONS NAME L))))
(recognizer-fn
(intern-in-package-of-symbol
(coerce (packn1 (list recognizer '-fn)) 'string)
recognizer))
(recognizer-lemma
(intern-in-package-of-symbol
(coerce (packn1 (list recognizer '-array1p)) 'string)
recognizer))
(aref1-lemma
(intern-in-package-of-symbol
(coerce (packn1 (list recognizer '-aref1)) 'string)
recognizer))
(aset1-lemma
(intern-in-package-of-symbol
(coerce (packn1 (list recognizer '-aset1)) 'string)
recognizer))
(reset-array1-lemma
(intern-in-package-of-symbol
(coerce (packn1 (list recognizer '-reset-array1)) 'string)
recognizer)))
`(ENCAPSULATE ()
;; Set up a theory guaranteed to admit the functions and prove the
;; lemmas. We assume that the "array1" book has been loaded!
(LOCAL (IN-THEORY (THEORY 'GROUND-ZERO)))
(LOCAL (IN-THEORY (DISABLE ARRAY1-FUNCTIONS)))
(LOCAL (IN-THEORY (ENABLE ARRAY1-LEMMAS)))
;; The recursive recognizer.
(DEFUN ,recognizer-fn (L N)
(DECLARE (XARGS :GUARD T))
(COND
((ATOM L) (NULL L))
(T (AND (CONSP (CAR L))
(LET ((KEY (CAAR L))
(VAL (CDAR L)))
(AND (OR (EQ KEY :HEADER)
(AND (INTEGERP KEY)
(INTEGERP N)
(>= KEY 0)
(< KEY N)
(,predicate VAL)))
(,recognizer-fn (CDR L) N)))))))
;; The recognizer.
(DEFUN ,recognizer (NAME L)
,@(if doc (list doc) nil)
(DECLARE (XARGS :GUARD T))
(AND (ARRAY1P NAME L)
(,recognizer-fn L (CAR (DIMENSIONS NAME L)))
(,predicate (DEFAULT NAME L))
,@(if size (list `(EQUAL (CAR (DIMENSIONS NAME L)) ,size))
NIL)))
;; Lots of crocks.
(LOCAL
(DEFTHM DEFARRAY1TYPE-ASSOC-PROPERTIES
(IMPLIES
(AND (,recognizer-fn L N)
(ASSOC I L)
(INTEGERP I))
(AND (CONSP (ASSOC I L))
(INTEGERP (CAR (ASSOC I L)))
(>= (CAR (ASSOC I L)) 0)
(< (CAR (ASSOC I L)) N)
(,predicate (CDR (ASSOC I L)))))))
(LOCAL
(DEFTHM DEFARRAY1TYPE-CONS-HEADER
(IMPLIES
(ARRAY1P NAME L)
(EQUAL (,recognizer-fn (CONS (HEADER NAME L) X) MAX)
(,recognizer-fn X MAX)))))
(LOCAL
(DEFTHM DEFARRAY1TYPE-COMPRESS11
(IMPLIES
(AND (,recognizer-fn L N)
(INTEGERP I)
(INTEGERP N))
(,recognizer-fn (COMPRESS11 NAME L I N DEFAULT)
N))))
(LOCAL
(DEFTHM DEFARRAY1TYPE-ASET1
(IMPLIES
(AND (ARRAY1P NAME L)
(EQUAL SIZE (CAR (DIMENSIONS NAME L)))
(,recognizer-fn L SIZE)
(,predicate (DEFAULT NAME L))
(INTEGERP N)
(,predicate VAL)
(NOT (< N 0))
(< N SIZE))
(,recognizer-fn (ASET1 NAME L N VAL) SIZE))
:HINTS
(("GOAL"
:IN-THEORY (ENABLE COMPRESS1 ASET1)))))
(LOCAL
(DEFTHM DEFARRAY1TYPE-RESET-ARRAY1
(IMPLIES
(ARRAY1P NAME L)
(,recognizer-fn (RESET-ARRAY1 NAME L) N))
:HINTS
(("Goal"
:IN-THEORY (ENABLE RESET-ARRAY1*)))))
;; The recognizer lemma.
(DEFTHM ,recognizer-lemma
(IMPLIES
(,recognizer NAME L)
(AND (ARRAY1P NAME L)
,@(if size (list `(EQUAL (CAR (DIMENSIONS NAME L)) ,size))
NIL)))
:RULE-CLASSES (:REWRITE :FORWARD-CHAINING))
;; AREF1 returns objects of the proper type.
(DEFTHM ,aref1-lemma
(IMPLIES
(AND (,recognizer NAME L)
(INTEGERP N))
(,predicate (AREF1 NAME L N)))
:RULE-CLASSES ,aref1-lemma-rule-classes
:HINTS
(("Goal"
:IN-THEORY (ENABLE AREF1))))
;; ASET1 returns arrays of the proper type.
(DEFTHM ,aset1-lemma
(IMPLIES
(AND (,recognizer NAME L)
(< N ,size-form)
(INTEGERP N)
(>= N 0)
(,predicate VAL))
(,recognizer NAME (ASET1 NAME L N VAL)))
:RULE-CLASSES ,aset1-lemma-rule-classes)
;; RESET-ARRAY1 returns arrays of the proper type.
(defthm ,reset-array1-lemma
(implies
(,recognizer name l)
(,recognizer name (reset-array1 name l))))
;; DISABLE the recognizer.
(IN-THEORY (DISABLE ,recognizer)))))
|