This file is indexed.

/usr/share/acl2-7.2dfsg/books/system/termp.lisp is in acl2-books-source 7.2dfsg-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
; Verify Termination and Guards of Termp
; Copyright (C) 2015, ForrestHunt, Inc.
; Written by J Strother Moore, May, 2015
; License: A 3-clause BSD license.  See the LICENSE file distributed with ACL2.

(in-package "ACL2")

(include-book "legal-variablep")

(verify-termination plist-worldp-with-formals)

(verify-termination arity
  (declare (xargs :guard (and (or (and (consp fn)
                                       (consp (cdr fn))
                                       (true-listp (cadr fn)))
                                  (symbolp fn))
                              (plist-worldp-with-formals w)))))

; Before we can verify the guards of termp we must prove that termp implies
; pseudo-termp.  The reason is that termp calls all-vars1 on the body of lambda
; expressions, after checking that the body is recursively a termp.  But
; all-vars1 has a pseudo-termp guard.  So we first introduce termp, then prove
; that it implies pseudo-termp, and then verify its guards.

(verify-termination
 (termp
  (declare (xargs :guard (plist-worldp-with-formals w)
                  :guard-hints (("Goal" :in-theory (disable member-eq)))
                  :verify-guards nil)))
 (term-listp
  (declare (xargs :guard (plist-worldp-with-formals w)
                  :guard-hints (("Goal" :in-theory (disable member-eq)))
                  :verify-guards nil))))

; The function LEGAL-VARIABLE-OR-CONSTANT-NAMEP uses two very large constants
; that can cause stack overflow if member-eq is allowed to expand on them.  One
; could disable member-eq, but that would endanger many simple proofs having
; nothing to do with syntax checking.  So we will disable
; LEGAL-VARIABLE-OR-CONSTANT-NAMEP -- a strategy that also eliminates a lot of
; case splits in proofs about syntax.  But we sometimes need the fact that
; legal variables and constants are symbols, so we prove that first, as a
; :rewrite rule phrased in the contrapositive so that it fires only if
; legal-variable-or-constant-namep is in the problem.

(defthm legal-variable-or-constant-namep-implies-symbolp
  (implies (not (symbolp x))
           (not (legal-variable-or-constant-namep x)))
  :hints (("Goal" :in-theory (e/d (legal-variable-or-constant-namep)
                                  (member-eq)))))

(in-theory (disable legal-variable-or-constant-namep))

; Below we prove that termp implies pseudo-termp (and term-listp implies
; pseudo-term-listp).  The development is ugly because we introduce a flagged
; version of pseudo-termp and use it as a stepping stone.  But we don't
; configure things to reason always about the flagged version because we just
; export the two main theorems about the mutually recursive functions.  We need
; a few lemmas about subroutines too.

(encapsulate
 nil
 (local
  (defun pseudo-termp/pseudo-term-listp (flg x)
    (if (eq flg 'pseudo-termp)
        (cond ((atom x) (symbolp x))
              ((eq (car x) 'quote)
               (and (consp (cdr x))
                    (null (cdr (cdr x)))))
              ((not (true-listp x)) nil)
              ((not (pseudo-termp/pseudo-term-listp 'pseudo-term-listp (cdr x)))
               nil)
              (t (or (symbolp (car x))
                     (and (true-listp (car x))
                          (equal (length (car x)) 3)
                          (eq (car (car x)) 'lambda)
                          (symbol-listp (cadr (car x)))
                          (pseudo-termp/pseudo-term-listp 'pseudo-termp
                                                          (caddr (car x)))
                          (equal (length (cadr (car x)))
                                 (length (cdr x)))))))
        (cond ((atom x) (equal x nil))
              (t (and (pseudo-termp/pseudo-term-listp 'pseudo-termp (car x))
                      (pseudo-termp/pseudo-term-listp 'pseudo-term-listp
                                                      (cdr x))))))))

; Two simple lemmas...
 (local
  (defthm term-listp-implies-true-listp
    (implies (term-listp x w)
             (true-listp x))
    :rule-classes :forward-chaining))

 (local
  (defthm arglistp1-implies-symbol-listp
    (implies (arglistp1 x) (symbol-listp x))
    :hints (("Goal" :in-theory (enable arglistp1)))
    :rule-classes :forward-chaining))

 (local
  (defthm step-1-lemma
    (equal (pseudo-termp/pseudo-term-listp flg x)
           (if (eq flg 'pseudo-termp)
               (pseudo-termp x)
               (pseudo-term-listp x)))))
 (local
  (defthm step-2-lemma
    (implies (if (eq flg 'pseudo-termp) (termp x w) (term-listp x w))
             (pseudo-termp/pseudo-term-listp flg x))
    :hints (("Goal" :in-theory (enable arglistp))
            ("Subgoal *1/4''"
             :expand (termp x w)))))

 (defthm termp-implies-pseudo-termp
   (implies (termp x w)
            (pseudo-termp x))
   :hints (("Goal"
            :use ((:instance step-2-lemma (flg 'pseudo-termp)))))
   :rule-classes (:rewrite :forward-chaining))

 (defthm term-listp-implies-pseudo-term-listp
   (implies (term-listp x w)
            (pseudo-term-listp x))
   :hints (("Goal"
            :use ((:instance step-2-lemma (flg 'pseudo-term-listp)))))
   :rule-classes (:rewrite :forward-chaining)))

; To verify the guards of termp we need to know that (all-vars1 body nil) is a
; true-listp, to establish the guard of length which is used in the checking of
; lambda expressions.  To prove that we need the flagged version of all-vars1,
; which is introduced in a local ENCAPSULATE in axioms.lisp as
; ALL-VARS1/ALL-VARS1-LST.  In fact that same encapsulate proves that the
; output of all-vars1 is a symbol-list which implies true-listp.  So we just
; include that local encapsulate (again) below.

(local
 (encapsulate
  ()

; We wish to prove symbol-listp-all-vars1, below, so that we can verify the
; guards on all-vars1.  But it is in a mutually recursive clique.  Our strategy
; is simple: (1) define the flagged version of the clique, (2) prove that it is
; equal to the given pair of official functions, (3) prove that it has the
; desired property and (4) then obtain the desired property of the official
; function by instantiation of the theorem proved in step 3, using the theorem
; proved in step 2 to rewrite the flagged flagged calls in that instance to the
; official ones.

; Note: It would probably be better to make all-vars1/all-vars1-lst local,
; since it's really not of any interest outside the guard verification of
; all-vars1.  However, since we are passing through this file more than once,
; that does not seem to be an option.

  (local
   (defun all-vars1/all-vars1-lst (flg lst ans)
     (if (eq flg 'all-vars1)
         (cond ((variablep lst) (add-to-set-eq lst ans))
               ((fquotep lst) ans)
               (t (all-vars1/all-vars1-lst 'all-vars-lst1 (cdr lst) ans)))
         (cond ((endp lst) ans)
               (t (all-vars1/all-vars1-lst
                   'all-vars-lst1 (cdr lst)
                   (all-vars1/all-vars1-lst 'all-vars1 (car lst) ans)))))))

  (local
   (defthm step-1-lemma
     (equal (all-vars1/all-vars1-lst flg lst ans)
            (if (equal flg 'all-vars1)
                (all-vars1 lst ans)
              (all-vars1-lst lst ans)))))

  (local
   (defthm step-2-lemma
     (implies (and (symbol-listp ans)
                   (if (equal flg 'all-vars1)
                       (pseudo-termp lst)
                       (pseudo-term-listp lst)))
              (symbol-listp (all-vars1/all-vars1-lst flg lst ans)))))

  (defthm symbol-listp-all-vars1
    (implies (and (symbol-listp ans)
                  (pseudo-termp lst))
             (symbol-listp (all-vars1 lst ans)))
    :hints (("Goal" :use (:instance step-2-lemma (flg 'all-vars1)))))))

; Essay On Why we Sometimes Must Reclassify :Forward-Chaining and :Rewrite
; Rules

; We sometimes have :forward-chaining rules that must be reclassified as
; :rewrite rules.  This problem arises often enough that I wanted to
; understand it.  So here I describe what is going on, in very generic
; terms.  Let a, b, and c be three successively weaker predicates on x,
; e.g., (keyword-listp x), (symbol-listp x), and (true-listp x).  So we have
; (a --> b) and (b --> c).  Suppose that you want to prove (a --> c).  But
; suppose (a --> b) is stored (only) as a :rewrite rule while (b --> c) is
; stored (only) as a :forward-chaining rule.  Then when the prover is trying
; to prove (a --> c), nothing suggests the consideration of b: we don't
; forward chain from a to b because (a --> b) is a :rewrite rule, and we
; don't backchain from c to b because (b --> c) is a :forward-chaining rule.
; To make the proof work, both have to be either :forward-chaining rules or
; :rewrite rules.  Now the situation is complicated by Tau.  Tau can chain
; together both rules, regardless of which :rule-classes they are.  But Tau
; only fires in preprocessing.  So if the inference that (a --> c) is needed
; outside preprocessing, the Tau proof is not found.  To make it even worse,
; if one of the predicates is not monadic then Tau doesn't treat it as a Tau
; predicate and so Tau doesn't catch these kinds of chains even though
; they're obvious.  For example, (term-listp x w) --> (pseudo-term-listp x)
; --> (true-listp x) but Tau can't prove the first implies the last.

; The following is proved in axioms under the name
; symbol-listp-forward-to-true-listp but stored only as a :forward-chaining
; lemma.  We need it as a :rewrite rule so we prove it again, locally.  It
; is an inefficient :rewrite rule.

(local
 (defthm symbol-listp-implies-true-listp
   (implies (symbol-listp x)
            (true-listp x))))

(local
 (defthm arglistp1-implies-true-listp
   (implies (arglistp1 x)
            (true-listp x))
   :hints (("Goal" :in-theory (enable arglistp1)))))

(verify-guards termp)

(verify-termination term-list-listp)

(verify-termination arities-okp)

(defthm arities-okp-implies-arity
  (implies (and (arities-okp user-table w)
                (assoc fn user-table))
           (equal (arity fn w) (cdr (assoc fn user-table)))))

(in-theory (disable arity arities-okp))