Waverly% m6-demo Welcome to Clozure Common Lisp Version 1.6-dev-r14316M-trunk (DarwinX8632)! ACL2 Version 4.1 built October 1, 2010 14:31:52 then November 3, 2010 13:52:28. Copyright (C) 2010 University of Texas at Austin ACL2 comes with ABSOLUTELY NO WARRANTY. This is free software and you are welcome to redistribute it under certain conditions. For details, see the GNU General Public License. Initialized with (INITIALIZE-ACL2 'INCLUDE-BOOK *ACL2-PASS-2-FILES*). See the documentation topic note-4-1 for recent changes. Note: We have modified the prompt in some underlying Lisps to further distinguish it from the ACL2 prompt. MODIFICATION NOTICE: Pre-load of M6 Demo ACL2 Version 4.1. Level 1. Cbd "/Users/moore/work/typer/". Distributed books directory "/Users/moore/work/v4-1/acl2-sources/books/". Type :help for help. Type (good-bye) to quit completely out of ACL2. ACL2 >(defun ap (x y) (if (endp x) y (cons (car x) (ap (cdr x) y)))) The admission of AP is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of AP is described by the theorem (OR (CONSP (AP X Y)) (EQUAL (AP X Y) Y)). We used primitive type reasoning. Summary Form: ( DEFUN AP ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)) Time: 0.04 seconds (prove: 0.00, print: 0.01, other: 0.03) AP ACL2 >(ap '(1 2 3) '(4 5 6)) (1 2 3 4 5 6) ACL2 >(defthm ap-is-associative (equal (ap (ap a b) c) (ap a (ap b c)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (AP A B). This suggestion was produced using the :induction rule AP. If we let (:P A B C) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B C)) (:P A B C)) (IMPLIES (ENDP A) (:P A B C))). This induction is justified by the same argument used to admit AP. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP A)) (EQUAL (AP (AP (CDR A) B) C) (AP (CDR A) (AP B C)))) (EQUAL (AP (AP A B) C) (AP A (AP B C)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP A) (EQUAL (AP (AP (CDR A) B) C) (AP (CDR A) (AP B C)))) (EQUAL (AP (AP A B) C) (AP A (AP B C)))). But simplification reduces this to T, using the :definition AP, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (ENDP A) (EQUAL (AP (AP A B) C) (AP A (AP B C)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP A)) (EQUAL (AP (AP A B) C) (AP A (AP B C)))). But simplification reduces this to T, using the :definition AP and primitive type reasoning. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM AP-IS-ASSOCIATIVE ...) Rules: ((:DEFINITION AP) (:DEFINITION ENDP) (:DEFINITION NOT) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION AP) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Time: 0.03 seconds (prove: 0.02, print: 0.01, other: 0.00) AP-IS-ASSOCIATIVE ACL2 >(defun rev (x) (if (endp x) nil (ap (rev (cdr x)) (list (car x))))) The admission of REV is trivial, using the relation O< (which is known to be well-founded on the domain recognized by O-P) and the measure (ACL2-COUNT X). We observe that the type of REV is described by the theorem (OR (CONSP (REV X)) (EQUAL (REV X) NIL)). We used primitive type reasoning and the :type-prescription rule AP. Summary Form: ( DEFUN REV ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL) (:TYPE-PRESCRIPTION AP)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) REV ACL2 >(rev '(1 2 3 4 5 6)) (6 5 4 3 2 1) ACL2 >(defthm main (equal (rev (ap a b)) (ap (rev b) (rev a)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (AP A B). This suggestion was produced using the :induction rules AP and REV. If we let (:P A B) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B)) (:P A B)) (IMPLIES (ENDP A) (:P A B))). This induction is justified by the same argument used to admit AP. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP A)) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP A) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). This simplifies, using the :definitions AP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP A) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (AP (REV (AP (CDR A) B)) (LIST (CAR A))) (AP (REV B) (AP (REV (CDR A)) (LIST (CAR A)))))). The destructor terms (CAR A) and (CDR A) can be eliminated by using CAR-CDR-ELIM to replace A by (CONS A1 A2), (CAR A) by A1 and (CDR A) by A2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS A1 A2)) (EQUAL (REV (AP A2 B)) (AP (REV B) (REV A2)))) (EQUAL (AP (REV (AP A2 B)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (AP A2 B)) (AP (REV B) (REV A2))) (EQUAL (AP (REV (AP A2 B)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1))))). We now use the hypothesis by substituting (AP (REV B) (REV A2)) for (REV (AP A2 B)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (AP (AP (REV B) (REV A2)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1)))). But we reduce the conjecture to T, by the simple :rewrite rule AP-IS-ASSOCIATIVE. Subgoal *1/1 (IMPLIES (ENDP A) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP A)) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). This simplifies, using the :definitions AP and REV, to Subgoal *1/1'' (IMPLIES (NOT (CONSP A)) (EQUAL (REV B) (AP (REV B) NIL))). We generalize this conjecture, replacing (REV B) by RV. This produces Subgoal *1/1''' (IMPLIES (NOT (CONSP A)) (EQUAL RV (AP RV NIL))). We suspect that the term (NOT (CONSP A)) is irrelevant to the truth of this conjecture and throw it out. We will thus try to prove Subgoal *1/1'4' (EQUAL RV (AP RV NIL)). Name the formula above *1.1. Perhaps we can prove *1.1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (AP RV 'NIL). This suggestion was produced using the :induction rule AP. If we let (:P RV) denote *1.1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP RV)) (:P (CDR RV))) (:P RV)) (IMPLIES (ENDP RV) (:P RV))). This induction is justified by the same argument used to admit AP. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1.1/2 (IMPLIES (AND (NOT (ENDP RV)) (EQUAL (CDR RV) (AP (CDR RV) NIL))) (EQUAL RV (AP RV NIL))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/2' (IMPLIES (AND (CONSP RV) (EQUAL (CDR RV) (AP (CDR RV) NIL))) (EQUAL RV (AP RV NIL))). But simplification reduces this to T, using the :definition AP, primitive type reasoning and the :rewrite rule CONS-CAR-CDR. Subgoal *1.1/1 (IMPLIES (ENDP RV) (EQUAL RV (AP RV NIL))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1.1/1' (IMPLIES (NOT (CONSP RV)) (EQUAL RV (AP RV NIL))). This simplifies, using the :definition AP and primitive type reasoning, to Subgoal *1.1/1'' (IMPLIES (NOT (CONSP RV)) (NOT RV)). Name the formula above *1.1.1. No induction schemes are suggested by *1.1.1. Consequently, the proof attempt has failed. Summary Form: ( DEFTHM MAIN ...) Rules: ((:DEFINITION AP) (:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION AP) (:INDUCTION REV) (:REWRITE AP-IS-ASSOCIATIVE) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE CONS-CAR-CDR)) Time: 0.08 seconds (prove: 0.06, print: 0.02, other: 0.00) --- The key checkpoint goals, below, may help you to debug this failure. See :DOC failure and see :DOC set-checkpoint- summary-limit. --- *** Key checkpoint at the top level: *** Goal (EQUAL (REV (AP A B)) (AP (REV B) (REV A))) *** Key checkpoint under a top-level induction: *** Subgoal *1/1'' (IMPLIES (NOT (CONSP A)) (EQUAL (REV B) (AP (REV B) NIL))) ACL2 Error in ( DEFTHM MAIN ...): See :DOC failure. ******** FAILED ******** ACL2 >(defthm lemma (equal (ap (rev a) nil) (rev a))) Name the formula above *1. Perhaps we can prove *1 by induction. Two induction schemes are suggested by this conjecture. Subsumption reduces that number to one. We will induct according to a scheme suggested by (REV A). This suggestion was produced using the :induction rule REV. If we let (:P A) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A))) (:P A)) (IMPLIES (ENDP A) (:P A))). This induction is justified by the same argument used to admit REV. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP A)) (EQUAL (AP (REV (CDR A)) NIL) (REV (CDR A)))) (EQUAL (AP (REV A) NIL) (REV A))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP A) (EQUAL (AP (REV (CDR A)) NIL) (REV (CDR A)))) (EQUAL (AP (REV A) NIL) (REV A))). But simplification reduces this to T, using the :definitions AP and REV, the :executable-counterpart of AP, primitive type reasoning and the :rewrite rules AP-IS-ASSOCIATIVE, CAR-CONS and CDR-CONS. Subgoal *1/1 (IMPLIES (ENDP A) (EQUAL (AP (REV A) NIL) (REV A))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP A)) (EQUAL (AP (REV A) NIL) (REV A))). But simplification reduces this to T, using the :definition REV and the :executable-counterparts of AP and EQUAL. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM LEMMA ...) Rules: ((:DEFINITION AP) (:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:EXECUTABLE-COUNTERPART AP) (:EXECUTABLE-COUNTERPART EQUAL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION REV) (:REWRITE AP-IS-ASSOCIATIVE) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS)) Time: 0.01 seconds (prove: 0.00, print: 0.00, other: 0.00) LEMMA ACL2 >(defthm main (equal (rev (ap a b)) (ap (rev b) (rev a)))) Name the formula above *1. Perhaps we can prove *1 by induction. Three induction schemes are suggested by this conjecture. Subsumption reduces that number to two. However, one of these is flawed and so we are left with one viable candidate. We will induct according to a scheme suggested by (AP A B). This suggestion was produced using the :induction rules AP and REV. If we let (:P A B) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ENDP A)) (:P (CDR A) B)) (:P A B)) (IMPLIES (ENDP A) (:P A B))). This induction is justified by the same argument used to admit AP. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 (IMPLIES (AND (NOT (ENDP A)) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/2' (IMPLIES (AND (CONSP A) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). This simplifies, using the :definitions AP and REV, primitive type reasoning and the :rewrite rules CAR-CONS and CDR-CONS, to Subgoal *1/2'' (IMPLIES (AND (CONSP A) (EQUAL (REV (AP (CDR A) B)) (AP (REV B) (REV (CDR A))))) (EQUAL (AP (REV (AP (CDR A) B)) (LIST (CAR A))) (AP (REV B) (AP (REV (CDR A)) (LIST (CAR A)))))). The destructor terms (CAR A) and (CDR A) can be eliminated by using CAR-CDR-ELIM to replace A by (CONS A1 A2), (CAR A) by A1 and (CDR A) by A2. This produces the following goal. Subgoal *1/2''' (IMPLIES (AND (CONSP (CONS A1 A2)) (EQUAL (REV (AP A2 B)) (AP (REV B) (REV A2)))) (EQUAL (AP (REV (AP A2 B)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1))))). This simplifies, using primitive type reasoning, to Subgoal *1/2'4' (IMPLIES (EQUAL (REV (AP A2 B)) (AP (REV B) (REV A2))) (EQUAL (AP (REV (AP A2 B)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1))))). We now use the hypothesis by substituting (AP (REV B) (REV A2)) for (REV (AP A2 B)) and throwing away the hypothesis. This produces Subgoal *1/2'5' (EQUAL (AP (AP (REV B) (REV A2)) (LIST A1)) (AP (REV B) (AP (REV A2) (LIST A1)))). But we reduce the conjecture to T, by the simple :rewrite rule AP-IS-ASSOCIATIVE. Subgoal *1/1 (IMPLIES (ENDP A) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). By the simple :definition ENDP we reduce the conjecture to Subgoal *1/1' (IMPLIES (NOT (CONSP A)) (EQUAL (REV (AP A B)) (AP (REV B) (REV A)))). But simplification reduces this to T, using the :definitions AP and REV, primitive type reasoning and the :rewrite rule LEMMA. That completes the proof of *1. Q.E.D. Summary Form: ( DEFTHM MAIN ...) Rules: ((:DEFINITION AP) (:DEFINITION ENDP) (:DEFINITION NOT) (:DEFINITION REV) (:ELIM CAR-CDR-ELIM) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION AP) (:INDUCTION REV) (:REWRITE AP-IS-ASSOCIATIVE) (:REWRITE CAR-CONS) (:REWRITE CDR-CONS) (:REWRITE LEMMA)) Time: 0.06 seconds (prove: 0.05, print: 0.02, other: 0.00) MAIN ACL2 >(quote (end of Demo 1)) (END OF DEMO 1) ----------------------------------------------------------------- Waverly% cat Fact.java class Fact { public static int fact(int n){ if (n>0) {return n*fact(n-1);} else return 1; } public static void main(String[] args){ int n = Integer.parseInt(args[0], 10); System.out.println(fact(n)); return; } } Waverly% javap -c Fact Compiled from "Fact.java" class Fact extends java.lang.Object{ Fact(); Code: 0: aload_0 1: invokespecial #1; //Method java/lang/Object."":()V 4: return public static int fact(int); Code: 0: iload_0 1: ifle 13 4: iload_0 5: iload_0 6: iconst_1 7: isub 8: invokestatic #2; //Method fact:(I)I 11: imul 12: ireturn 13: iconst_1 14: ireturn public static void main(java.lang.String[]); Code: 0: aload_0 1: iconst_0 2: aaload 3: bipush 10 5: invokestatic #3; //Method java/lang/Integer.parseInt:(Ljava/lang/String;I)I 8: istore_1 9: getstatic #4; //Field java/lang/System.out:Ljava/io/PrintStream; 12: iload_1 13: invokestatic #2; //Method fact:(I)I 16: invokevirtual #5; //Method java/io/PrintStream.println:(I)V 19: return } Waverly% java Fact 6 720 Waverly% java Fact 20 -2102132736 Waverly% ----------------------------------------------------------------- ACL2 >(in-package "M6") "M6" M6 >(class-by-name "Demo" (external-class-table *empty-state*)) (CLASS "Demo" "java.lang.Object" (JVM::CONSTANT_POOL) (FIELDS) (METHODS (METHOD "fact" (PARAMETERS INT) (RETURNTYPE INT) (ACCESSFLAGS *CLASS* *PUBLIC* *STATIC*) (CODE (MAX_STACK 3) (JVM::MAX_LOCALS 1) (CODE_LENGTH 15) (PARSEDCODE (0 (ILOAD_0)) (1 (IFLE 13)) (4 (ILOAD_0)) (5 (ILOAD_0)) (6 (ICONST_1)) (7 (ISUB)) (8 (INVOKESTATIC (METHODCP "fact" "Demo" (INT) INT))) (11 (IMUL)) (12 (IRETURN)) (13 (ICONST_1)) (14 (IRETURN)) (ENDOFCODE 15)) (EXCEPTIONS) (STACKMAP))) (METHOD "main" (PARAMETERS (ARRAY (CLASS "java.lang.String"))) (RETURNTYPE VOID) (ACCESSFLAGS *CLASS* *PUBLIC* *STATIC*) (CODE (MAX_STACK 2) (JVM::MAX_LOCALS 2) (CODE_LENGTH 20) (PARSEDCODE (0 (ALOAD_0)) (1 (ICONST_0)) (2 (AALOAD)) (3 (BIPUSH 10)) (5 (INVOKESTATIC (METHODCP "parseInt" "java.lang.Integer" ((CLASS "java.lang.String") INT) INT))) (8 (ISTORE_1)) (9 (GETSTATIC (JVM::FIELDCP "out" "java.lang.System" (CLASS "java.io.PrintStream")))) (12 (ILOAD_1)) (13 (INVOKESTATIC (METHODCP "fact" "Demo" (INT) INT))) (16 (INVOKEVIRTUAL (METHODCP "println" "java.io.PrintStream" (INT) VOID))) (19 (RETURN)) (ENDOFCODE 20)) (EXCEPTIONS) (STACKMAP))) (METHOD "" (PARAMETERS) (RETURNTYPE VOID) (ACCESSFLAGS *CLASS*) (CODE (MAX_STACK 1) (JVM::MAX_LOCALS 1) (CODE_LENGTH 5) (PARSEDCODE (0 (ALOAD_0)) (1 (INVOKESPECIAL (METHODCP "" "java.lang.Object" NIL VOID))) (4 (RETURN)) (ENDOFCODE 5)) (EXCEPTIONS) (STACKMAP)))) (INTERFACES) (ACCESSFLAGS *CLASS* *SUPER* *SYNCHRONIZED*)) M6 >(jvm-DemoFact "6") output from the stream at heap ref 91 is "720" output from the stream at heap ref 91 is "newline" ((CLASSES-LOADED "com.sun.cldc.i18n.uclc.DefaultCaseConverter" "java.io.PrintStream" "java.io.OutputStream" "java.lang.Character" "java.lang.Integer") (OUTPUT-STREAM . "720 ")) M6 >(! 6) 720 M6 >(jvm-DemoFact "20") output from the stream at heap ref 91 is "-2102132736" output from the stream at heap ref 91 is "newline" ((CLASSES-LOADED "com.sun.cldc.i18n.uclc.DefaultCaseConverter" "java.io.PrintStream" "java.io.OutputStream" "java.lang.Character" "java.lang.Integer") (OUTPUT-STREAM . "-2102132736 ")) M6 >(! 20) 2432902008176640000 M6 >(int-fix (! 20)) -2102132736 M6 >(set-gag-mode :goals) M6 >(defthm fact-is-correct (implies (poised-to-invoke-fact s n) (equal (simple-run s (fact-clock n)) (state-set-pc (+ 3 (pc s)) (pushStack (int-fix (! n)) (popStack s))))) :hints (("Goal" :induct (fact-induct n s)))) *1 (the initial Goal, a key checkpoint) is pushed for proof by induction. We have been told to use induction. One induction scheme is suggested by the induction hint. We will induct according to a scheme suggested by (FACT-INDUCT N S). This suggestion was produced using the :induction rule FACT-INDUCT. If we let (:P N S) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (AND (NOT (ZP N)) (:P (+ -1 N) (STATE-SET-PC 8 (PUSHSTACK (+ -1 (TOPSTACK S)) (PUSHSTACK (TOPSTACK S) (PUSHFRAME0 (MAKE-FRAME (+ 3 (PC S)) NIL (LIST (TOPSTACK S)) '(METHOD-PTR "Demo" "fact" (INT) INT) -1) (STATE-SET-PC (+ 3 (PC S)) (POPSTACKN 1 S)))))))) (:P N S)) (IMPLIES (ZP N) (:P N S))). This induction is justified by the same argument used to admit FACT-INDUCT. Note, however, that the unmeasured variable S is being instantiated. When applied to the goal at hand the above induction scheme produces two nontautological subgoals. Subgoal *1/2 Subgoal *1/2' Subgoal *1/2.11 Subgoal *1/2.10 Subgoal *1/2.10' Subgoal *1/2.9 Subgoal *1/2.9' Subgoal *1/2.8 Subgoal *1/2.8' Subgoal *1/2.8'' Subgoal *1/2.7 Subgoal *1/2.7' Subgoal *1/2.7'' Subgoal *1/2.6 Subgoal *1/2.6' Subgoal *1/2.6'' Subgoal *1/2.5 Subgoal *1/2.5' Subgoal *1/2.5'' Subgoal *1/2.4 Subgoal *1/2.4' Subgoal *1/2.4'' Subgoal *1/2.3 Subgoal *1/2.3' Subgoal *1/2.3'' Subgoal *1/2.2 Subgoal *1/2.2' Subgoal *1/2.2'' Subgoal *1/2.1 Subgoal *1/2.1' Subgoal *1/2.1'' Subgoal *1/1 Subgoal *1/1' Subgoal *1/1'' Subgoal *1/1.10 Subgoal *1/1.10' Subgoal *1/1.9 Subgoal *1/1.9' Subgoal *1/1.8 Subgoal *1/1.8' Subgoal *1/1.8'' Subgoal *1/1.7 Subgoal *1/1.7' Subgoal *1/1.7'' Subgoal *1/1.6 Subgoal *1/1.6' Subgoal *1/1.6'' Subgoal *1/1.5 Subgoal *1/1.5' Subgoal *1/1.5'' Subgoal *1/1.4 Subgoal *1/1.4' Subgoal *1/1.4'' Subgoal *1/1.3 Subgoal *1/1.3' Subgoal *1/1.3'' Subgoal *1/1.2 Subgoal *1/1.2' Subgoal *1/1.2'' Subgoal *1/1.1 Subgoal *1/1.1' Subgoal *1/1.1'' *1 is COMPLETED! Thus key checkpoint Goal is COMPLETED! Q.E.D. Summary Form: ( DEFTHM FACT-IS-CORRECT ...) Rules: ((:COMPOUND-RECOGNIZER INTP-IMPLIES-INTEGERP) (:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-RECOGNIZER) (:COMPOUND-RECOGNIZER ACL2::ZP-COMPOUND-RECOGNIZER) (:CONGRUENCE EQUIV-STATE-IMPLIES-EQUAL-CURRENT-THREAD-1) (:CONGRUENCE EQUIV-STATE-IMPLIES-EQUIV-FRAME-CURRENT-FRAME-1) (:CONGRUENCE EQUIV-STATE-IMPLIES-EQUIV-THREAD-TABLE-THREAD-TABLE-1) (:CONGRUENCE STATE-EQUIV-CLASS-TABLE-EQUAL-IMPLIES-EQUAL-INSTANCE-CLASS-TABLE-1) (:CONGRUENCE STATE-EQUIV-CLASS-TABLE-EQUAL-IMPLIES-EQUAL-NO-FATAL-ERROR?-1) (:DEFINITION !) (:DEFINITION ADD-NO-DUP) (:DEFINITION APP) (:DEFINITION AREALIVETHREADS) (:DEFINITION BUILD-INITIAL-LOCAL) (:DEFINITION BUILD-INITIAL-LOCAL1) (:DEFINITION CALL_METHOD_GENERAL) (:DEFINITION CALL_STATIC_METHOD) (:DEFINITION DEMO-CLASS-LOADEDP) (:DEFINITION DISMANTLETHREAD) (:DEFINITION EXECUTE-ICONST_1) (:DEFINITION EXECUTE-IFLE) (:DEFINITION EXECUTE-ILOAD_0) (:DEFINITION EXECUTE-IMUL) (:DEFINITION EXECUTE-ISUB) (:DEFINITION EXECUTE-RETURN) (:DEFINITION EXECUTE-RETURN1) (:DEFINITION FACT-CLOCK) (:DEFINITION FIX) (:DEFINITION INST-BY-OFFSET) (:DEFINITION INST-EQUIV) (:DEFINITION INST-INST) (:DEFINITION INVOKESTATIC-FACTP) (:DEFINITION LEN) (:DEFINITION LOCAL-AT) (:DEFINITION MONO-THREADED-STATEP) (:DEFINITION MV-NTH) (:DEFINITION NEXT-INST) (:DEFINITION NOT) (:DEFINITION POISED-TO-INVOKE-FACT) (:DEFINITION POP) (:DEFINITION POPSTACKN) (:DEFINITION PUSHFRAME) (:DEFINITION PUSHFRAMEWITHPOP) (:DEFINITION RAISE-EXCEPTION) (:DEFINITION RESCHEDULE) (:DEFINITION REVAPPEND) (:DEFINITION REVERSE) (:DEFINITION SECONDSTACK) (:DEFINITION SET-THREAD-STATE-FLAG) (:DEFINITION SIGNALTIMETORESCHEDULE) (:DEFINITION STOPTHREAD) (:DEFINITION SUSPENDTHREAD) (:DEFINITION SUSPENDTHREAD1) (:DEFINITION TERMINATE) (:DEFINITION THREAD-SET-STATE) (:DEFINITION TOP) (:DEFINITION ZP) (:EQUIVALENCE STATE-EQUIV-CLASS-TABLE-EQUAL-IS-AN-EQUIVALENCE) (:EXECUTABLE-COUNTERPART !) (:EXECUTABLE-COUNTERPART <) (:EXECUTABLE-COUNTERPART APP) (:EXECUTABLE-COUNTERPART ARG) (:EXECUTABLE-COUNTERPART BINARY-+) (:EXECUTABLE-COUNTERPART CAR) (:EXECUTABLE-COUNTERPART CDR) (:EXECUTABLE-COUNTERPART CONS) (:EXECUTABLE-COUNTERPART CONSP) (:EXECUTABLE-COUNTERPART EQL) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART FACT-CLOCK) (:EXECUTABLE-COUNTERPART FILL-TOP) (:EXECUTABLE-COUNTERPART INST-BY-OFFSET) (:EXECUTABLE-COUNTERPART INST-EQUIV) (:EXECUTABLE-COUNTERPART INST-INST) (:EXECUTABLE-COUNTERPART INST-OPCODE) (:EXECUTABLE-COUNTERPART INST-SIZE) (:EXECUTABLE-COUNTERPART INT-FIX) (:EXECUTABLE-COUNTERPART INTP) (:EXECUTABLE-COUNTERPART LEN) (:EXECUTABLE-COUNTERPART MEM) (:EXECUTABLE-COUNTERPART METHOD-ACCESSFLAGS) (:EXECUTABLE-COUNTERPART METHOD-ARGS) (:EXECUTABLE-COUNTERPART METHOD-MAXLOCALS) (:EXECUTABLE-COUNTERPART METHOD-REP-TO-METHOD-PTR) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART NTH) (:EXECUTABLE-COUNTERPART REVERSE) (:EXECUTABLE-COUNTERPART SIZE-OF-PARAM) (:EXECUTABLE-COUNTERPART TYPE-SIZE) (:EXECUTABLE-COUNTERPART UNARY--) (:EXECUTABLE-COUNTERPART WFF-METHOD-PTR) (:EXECUTABLE-COUNTERPART ZP) (:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:FORWARD-CHAINING INT-LEMMA0) (:INDUCTION FACT-INDUCT) (:META ACL2::PREFER-POSITIVE-ADDENDS-<-THM) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(equal (if x y z) w)|) (:REWRITE CALL-OPENER-EXECUTE-INVOKE) (:REWRITE CAR-CONS) (:REWRITE CAR-OPERAND-STACK-CURRENT-FRAME-IS-TOPSTACK) (:REWRITE CDR-CONS) (:REWRITE ACL2::COLLECT-PLUS-1B) (:REWRITE CURRENT-FRAME-STATE-SET) (:REWRITE CURRENT-METHOD-PTR-PUSHFRAME0) (:REWRITE CURRENT-METHOD-PTR-PUSHSTACK) (:REWRITE CURRENT-METHOD-PTR-STATE-SET-PC) (:REWRITE CURRENT-THREAD-EXISTS-PREVSERVED-BY-PUSHSTACK) (:REWRITE CURRENT-THREAD-EXISTS?-POPSTACK) (:REWRITE CURRENT-THREAD-EXISTS?-PUSHFRAME) (:REWRITE CURRENT-THREAD-EXISTS?-STATE-SET-PC) (:REWRITE CURRENT-THREAD-PUSHFRAME) (:REWRITE DEREF-METHOD-FACT-PTR) (:REWRITE DO-INST-OPENER) (:REWRITE JVM::FRAME-ACCESSOR) (:REWRITE INSTANCE-CLASS-TABLE-POPSTACK) (:REWRITE INSTANCE-CLASS-TABLE-PUSHFRAME0) (:REWRITE INT-LEMMA3) (:REWRITE INT-LEMMA4A) (:REWRITE INT-LEMMA6) (:REWRITE LOCAL-AT-ACCESSOR-1) (:REWRITE JVM::MONITOREXIT-PRESERVE-WFF-THREAD-TABLE-THREAD-EXIST-CURRENT-TH) (:REWRITE NO-FATAL-ERROR-POPSTACK) (:REWRITE NO-FATAL-ERROR-PUSHFRAME0) (:REWRITE NO-FATAL-ERROR-STATE-SET-PC) (:REWRITE NO-FATAL-ERROR?-DEMO-STATE) (:REWRITE NO-FATAL-ERROR?-STATE-SET) (:REWRITE NTH-0-CONS) (:REWRITE OPSTACK-LOCAL-PRIMITIVES-PRESERVE-EQUIV-STATE-2) (:REWRITE PC-PUSHFRAME0) (:REWRITE PC-PUSHSTACK) (:REWRITE PC-STATE-SET-PC) (:REWRITE POPFRAME-OPSTACK-PRIMITVES) (:REWRITE POPFRAME-PUSHFRAME0-IS) (:REWRITE POPSTACK-PUSHSTACK-IS) (:REWRITE POPSTACKN-STATE-SET-PC-NORMALIZE) (:REWRITE PUSHFRAME0-CURRENT-FRAME) (:REWRITE PUSHSTACK-NO-CHANGE-INSTANCE-CLASS-TABLE) (:REWRITE SIMPLE-RUN-C+) (:REWRITE SIMPLE-RUN-OPENER-J) (:REWRITE JVM::STATE-ACCESSOR-SET-CURRENT-THREAD) (:REWRITE JVM::STATE-ACCESSOR-SET-PC) (:REWRITE JVM::STATE-ACCESSOR-SET-THREAD-TABLE) (:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-POPSTACK) (:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-PUSHFRAME0) (:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-PUSHSTACK-2) (:REWRITE STATE-EQUIV-CLASS-TABLE-EQUAL-SET-PC) (:REWRITE STATE-SET-PC-STATE-SET-PC) (:REWRITE STATE-SET-PC-STATE-SET-THREAD-TABLE-NORMALIZE) (:REWRITE THREAD-PRIMITIVES-STATE-SET-PC) (:REWRITE TOPSTACK-OF-PUSHSTACK) (:REWRITE TOPSTACK-STATE-SET-PC) (:REWRITE ACL2::UN-HIDE-PLUS) (:REWRITE UNIQUE-ID-THREAD-TABLE-POPSTACK) (:REWRITE UNIQUE-ID-THREAD-TABLE-PUSHFRAME0) (:REWRITE UNIQUE-ID-THREAD-TABLE-PUSHSTACK) (:REWRITE WFF-CALL-FRAME-CURRENT-FRAME-PREVSERVED-BY-PUSHSTACK) (:REWRITE WFF-CALL-FRAME-REGULAR-MAKE-FRAME) (:REWRITE WFF-STATE-REGULAR-POPSTACK) (:REWRITE WFF-STATE-REGULAR-PUSHFRAME) (:REWRITE WFF-STATE-REGULAR-PUSHSTACK) (:REWRITE WFF-STATE-REGULAR-STATE-SET-PC) (:REWRITE WFF-THREAD-TABLE-REGULAR-IMPLIES-WFF-THREAD-TABLE) (:REWRITE WFF-THREAD-TABLE-REGULAR-POPSTACK) (:REWRITE WFF-THREAD-TABLE-REGULAR-PUSHFRAME0) (:REWRITE WFF-THREAD-TABLE-REGULAR-PUSHSTACK) (:TYPE-PRESCRIPTION !) (:TYPE-PRESCRIPTION C+) (:TYPE-PRESCRIPTION FACT-CLOCK) (:TYPE-PRESCRIPTION MONITOREXIT) (:TYPE-PRESCRIPTION STATE-EQUIV-CLASS-TABLE-EQUAL) (:TYPE-PRESCRIPTION UNIQUE-ID-THREAD-TABLE) (:TYPE-PRESCRIPTION WFF-STATE-REGULAR) (:TYPE-PRESCRIPTION WFF-THREAD-TABLE-REGULAR)) Time: 1.89 seconds (prove: 1.88, print: 0.01, other: 0.00) FACT-IS-CORRECT M6 >