Open Collections

UBC Theses and Dissertations

UBC Theses Logo

UBC Theses and Dissertations

Combining SMT with theorem proving for AMS verification : analytically verifying global convergence of… Peng, Yan 2015

Your browser doesn't seem to have a PDF viewer, please download the PDF to view this item.

Item Metadata


24-ubc_2015_september_peng_yan.pdf [ 3.08MB ]
JSON: 24-1.0166267.json
JSON-LD: 24-1.0166267-ld.json
RDF/XML (Pretty): 24-1.0166267-rdf.xml
RDF/JSON: 24-1.0166267-rdf.json
Turtle: 24-1.0166267-turtle.txt
N-Triples: 24-1.0166267-rdf-ntriples.txt
Original Record: 24-1.0166267-source.json
Full Text

Full Text

Combining SMT with TheoremProving for AMS VerificationAnalytically Verifying Global Convergenceof a Digital PLLbyYan PengB.Eng., Zhejiang University, 2012A THESIS SUBMITTED IN PARTIAL FULFILLMENT OFTHE REQUIREMENTS FOR THE DEGREE OFMASTER OF SCIENCEinThe Faculty of Graduate and Postdoctoral Studies(Computer Science)THE UNIVERSITY OF BRITISH COLUMBIA(Vancouver)April 2015© Yan Peng 2015AbstractUbiquitous computer technology is driving increasing integration of digitalcomputing with continuous, physical systems. Examples range from thewireless technology, cameras, motion sensors, and audio IO of mobile de-vices to sensors and actuators for robots to the analog circuits that regulatethe clocks, power supplies, and temperature of CPU chips. While combin-ing analog and digital brings ever increasing functionality, it also creates adesign verification challenge: the modeling frameworks for analog and digi-tal design are often quite different, and comprehensive simulations are oftenimpractical. This motivates the use of formal verification: constructingmathematically rigorous proofs that the design has critical properties.To support such verification, I integrated the Z3 ”satisfiability modulotheories” (SMT) solver into the ACL2 theorem prover. The capabilities ofthese two tools are largely complementary – Z3 provides fully automatedreasoning about boolean formulas, linear and non-linear systems of equal-ities, and simple data structures such as arrays. ACL2 provides a veryflexible framework for induction along with proof structuring facilities tocombine simpler results into larger theorems. While both ACL2 and Z3have been successfully used for large projects, my work is the first to bringthem together.I demonstrate this approach by verifying properties of a clock-generationcircuit (called a Phase-Locked Loop or PLL) that is commonly used in CPUsand wireless communication.iiPrefaceThe work presented in this thesis has been published as Yan Peng and MarkGreenstreet (2015). Integrating SMT with Theorem Proving for Analog/Mixed-Signal Circuit Verification. 7th NASA Formal Methods Symposium. April27-29, 2015, Pasadena, California, USA.Portions of the text in this thesis are modified with permission from Y.Peng and M. Greenstreet (2015) of which I am one of the authors. I amresponsible for designing and constructing all programs and proofs, carryingout performance and result analysis of the research data.Chapter 2, Program 2.1, Program 2.2, and Program 2.3 are adapted from theonline documentation of the open-source theorem prover ACL2. The pro-grams in chapter 2.2.5 are my authentic work and have not been publishedelsewhere.I am the lead researcher for the projects located in Chapters 3 and Chap-ter 4 where I am responsible for all program development, proof construc-tion, data collection and analysis, as well as the majority of manuscriptcomposition. Chapter 4, Figure 4.2 is provided by Yu Ge with permission.Equation 4.1 is modeled and derived by professor Greenstreet. The digitalPhase-Locked Loop example originated from my joint work with J. Wei, G.Yu and M. Greenstreet [110].iiiTable of ContentsAbstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iiPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iiiTable of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . ivList of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiList of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiiList of Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . ixAcknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . x1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Related Work and Background . . . . . . . . . . . . . . . . . 62.1 AMS Design and Verification . . . . . . . . . . . . . . . . . . 72.1.1 Circuit Verification . . . . . . . . . . . . . . . . . . . 92.1.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . 162.2 Introduction to ACL2 and Z3 . . . . . . . . . . . . . . . . . 172.2.1 Theorem Proving Overview . . . . . . . . . . . . . . . 172.2.2 SMT Solver Overview . . . . . . . . . . . . . . . . . . 212.2.3 Integrating External Procedures to Theorem Provers 252.2.4 ACL2 and The Method . . . . . . . . . . . . . . . . . 262.2.5 Examples Using ACL2 and Z3 . . . . . . . . . . . . . 312.3 PLLs and Verification . . . . . . . . . . . . . . . . . . . . . . 35ivTable of Contents3 Combining SMT with Theorem Proving . . . . . . . . . . . 373.1 Clause Processor Architecture . . . . . . . . . . . . . . . . . 393.1.1 The Top-level Architecture . . . . . . . . . . . . . . . 393.1.2 Ensuring Soundness in Smtlink . . . . . . . . . . . . 413.2 Smtlink Architecture . . . . . . . . . . . . . . . . . . . . . . 423.2.1 Type Assertion . . . . . . . . . . . . . . . . . . . . . 453.2.2 Supported Logic . . . . . . . . . . . . . . . . . . . . . 503.2.3 Advanced Issues . . . . . . . . . . . . . . . . . . . . . 533.3 The Low-level Interface . . . . . . . . . . . . . . . . . . . . . 553.3.1 Z3 Interface . . . . . . . . . . . . . . . . . . . . . . . 553.3.2 Interpret the Result . . . . . . . . . . . . . . . . . . . 563.4 Conclusion: What’s Trusted? . . . . . . . . . . . . . . . . . . 573.5 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 583.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594 Verifying Global Convergence of a Digital PLL . . . . . . . 614.1 The Digital PLL . . . . . . . . . . . . . . . . . . . . . . . . . 614.2 Modeling the Digital PLL . . . . . . . . . . . . . . . . . . . . 644.3 Proving Global Convergence . . . . . . . . . . . . . . . . . . 664.3.1 Proof in Parts . . . . . . . . . . . . . . . . . . . . . . 664.3.2 Detailed Proof for Fine Convergence . . . . . . . . . . 704.4 Summary and Future Work . . . . . . . . . . . . . . . . . . . 725 Conclusion and Future Work . . . . . . . . . . . . . . . . . . 745.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 745.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 755.2.1 Complete the Convergence Proof for the Digital PLL 755.2.2 Build a Better Tool . . . . . . . . . . . . . . . . . . . 765.2.3 Other Applications . . . . . . . . . . . . . . . . . . . 76Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78vTable of ContentsAppendicesA Example Proofs with ACL2 and Z3 . . . . . . . . . . . . . . 92A.1 Geometric Sum Proof with Raw ACL2 . . . . . . . . . . . . 92A.2 Geometric Sum Proof with Arithmetic Book . . . . . . . . . 97A.3 Geometric Sum Proof with Smtlink . . . . . . . . . . . . . . 98A.4 Polynomial Inequality Proof with Z3 . . . . . . . . . . . . . . 100A.5 Polynomial Inequality Proof with ACL2 . . . . . . . . . . . . 101A.6 Polynomial Inequality Proof with Smtlink . . . . . . . . . . 103B Smtlink Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105B.1 ACL2 Expansion, Translation and Interpretation . . . . . . . 105B.2 Z3 Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . 155C Convergence Proof Code . . . . . . . . . . . . . . . . . . . . . 160C.1 Z3 Proof for Coarse Convergence . . . . . . . . . . . . . . . . 160C.2 ACL2 Proof for Fine Convergence . . . . . . . . . . . . . . . 167C.2.1 ACL2 Code . . . . . . . . . . . . . . . . . . . . . . . 167viList of Tables2.1 Geometric sum equation proof comparison using different setups 322.2 Polynomial inequality proof comparison using different setups 333.1 Type assertion translation . . . . . . . . . . . . . . . . . . . . 503.2 ACL2’s macro expansions . . . . . . . . . . . . . . . . . . . . 513.3 Z3 interface for each ACL2 primitives . . . . . . . . . . . . . 52viiList of Figures2.1 The Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272.2 The proof tree . . . . . . . . . . . . . . . . . . . . . . . . . . 282.3 Three polynomials . . . . . . . . . . . . . . . . . . . . . . . . 342.4 Zoom in the crossing part . . . . . . . . . . . . . . . . . . . . 353.1 Basic framework for the combination . . . . . . . . . . . . . . 383.2 Clause processor top architecture . . . . . . . . . . . . . . . . 403.3 Clause processor framework with another SMT . . . . . . . . 564.1 A Digital Phase-Locked Loop . . . . . . . . . . . . . . . . . . 634.2 Ring-oscillator response . . . . . . . . . . . . . . . . . . . . . 654.3 Global convergence big picture . . . . . . . . . . . . . . . . . 684.4 Fine convergence . . . . . . . . . . . . . . . . . . . . . . . . . 69viiiList of Programs2.1 Function definitions for rev and dupsp . . . . . . . . . . . . . 282.2 Example theorem statement . . . . . . . . . . . . . . . . . . . 282.3 Lemmas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303.1 trusted tag theorem . . . . . . . . . . . . . . . . . . . . . . . 393.2 A SMT eligible theorem in ACL2 . . . . . . . . . . . . . . . . 423.3 A SMT theorem in Z3 . . . . . . . . . . . . . . . . . . . . . . 433.4 SMT-eligible ACL2 theorem format . . . . . . . . . . . . . . . 433.5 An example showing ACL2’s type recognizer . . . . . . . . . 453.6 Rewrite the theorem . . . . . . . . . . . . . . . . . . . . . . . 463.7 An example showing rational vs. reals problem in ACL2 . . . 493.8 An example showing rational vs. reals problem in Z3 . . . . . 493.9 Why need user provided substitution . . . . . . . . . . . . . . 54ixAcknowledgementsFirst of all, I wish to express my sincere thanks to Dr. Mark Greenstreet forhis delightful guidance in my Master’s study. It was Mark who introducedthe amazing world of formal verification and analog circuits to me. Dr. MarkGreenstreet’s great passion and enthusiasm in research keeps inspiring andstimulating me. Now that I’ve been prepared with motivation and skill, Ithink I am ready for continuing my Ph.D. study with Dr. Mark Greenstreetnow.Second, I would like to thank my second reader, professor Ronald Garciafor his insightful comments and valuable suggestions. Discussions with himabout programming language theories have given me a new perspective onmy thesis work.Third, I would like to thank professor Shahriar Mirabbasi and his studentYu Ge for instructions on how a Phase-Locked Loop works. Thanks to YuGe for helping with the Spectre® simulation.Fourth, I would like to thank my fellow lab mates: Jijie Wei, BradBingham, Shabab Hossain, Sam Bayless, Celina Val, Mike Enescu, JinzhuoLiu and Long Zhang for the fun time we spent together. Jijie has alwaysbeen a great friend of mine. I can’t imagine my first two years’ Master’sstudy without her companion. My limited model checking knowledge arelargely due to the stimulating discussions I had with Brad. Now that he hasbegun his career, I wish him all the best.Finally, I would like to thank my family for undivided love and supporton my foreign study and life. I miss them so much. I would also like tothank my boyfriend, Dongdong Li, for being a man after my own heart.xChapter 1IntroductionUbiquitous computer technology [111] is driving increasing integration ofdigital computing with continuous, physical systems. Examples range frommobile devices such as cell phones and tablets, through traditional comput-ers such as laptops, desktops, and servers, to embedded systems includingtoys, kitchen appliances, automobiles, and medical equipments. A commontheme in this technology is the integration of digital and analog capabili-ties. Analog functions include features that are apparent to the user such aswireless networking, cameras, displays, microphones, speakers, and motionsensors, along with system-level infrastructure such as circuits that regulatethe clocks, power supplies, and temperature of chips.Combining analog circuits, digital circuits, and software into systemsthat interact with physical systems presents many design and verificationchallenges. First, each of the design domains uses its own models and de-sign methods. For example, analog circuit designers use circuit simulatorsthat are based on numerically integrating non-linear differential equations;digital designers use models based on boolean logic and finite state ma-chines; and software developers use (for example) object-oriented languageswith extensive libraries that provide a much higher level of abstraction thanthose of analog or digital design. Furthermore, each of the relevant time-scales vary widely for each of these design domains: analog designers requiresimulations with sub-picosecond resolution; digital design works with clockperiods a thousand times longer ranging from hundreds of picoseconds totens of nanoseconds. Software works on time scales another thousand timeslonger ranging from microseconds to seconds. Finally, the aircraft, hospitalpatient, or toaster that depends on the computing device may respond intimes from seconds to minutes. It is impractical to perform simulations that1Chapter 1. Introductioncover timescales of seconds or minutes with picosecond resolution. Thus,abstractions are essential. Such abstractions are also a favorite hiding placefor bugs when an abstraction describes what the designer intended ratherthan what the implementation actually does.This thesis focuses on a particular class of designs, analog/mixed-signal(AMS) circuits. These circuits combine analog and digital modules to imple-ment functions that would have been purely analog in earlier designs. Thedesigner’s motivation for AMS design is that modern fabrication processesfor integrated circuits offer the designer billions of transistors that are opti-mized for digital applications but less-well suited for analog circuits. Thisreflects the reality that nearly all of the transistors on most chips are usedin digital circuits, but the remaining analog functions are critical for thesystem. Thus, traditional analog functions (e.g. integrators) are replacedby their digital equivalents (e.g. accumulators). The unavoidable analogblocks include circuits such as oscillators, level comparators, voltage reg-ulators, and RF amplifiers. Even these often include digitally controlledconfiguration settings to compensate for the large, statistical variation be-tween transistors and other circuit components that is inevitable with thevery small geometric features of integrated circuits. These AMS circuits aremixed analog and digital systems, typically consisting of multiple analogand digital feedback loops operating at much different time scales. Whilemy focus is on AMS, the issues that I address are common to those in mostcomputing devices.It is not practical to simulate AMS circuits for all possible device param-eters, initial conditions, inputs, and operating conditions. In fact, runningjust one such simulation may require more time than the design schedule.Most AMS circuits are intended to be correct for relatively simple reasons– errors occur because the designer’s informal reasoning overlooked somecritical case or had some simple error. My approach is to verify that theintuitive argument for correctness is indeed correct by reproducing the ar-gument in an automated, interactive theorem prover. The advantage of thetheorem prover is soundness and generality: by using a carefully designedand thoroughly tested theorem prover, we have high confidence in the theo-2Chapter 1. Introductionrems that it establishes. The critical limitation of using a theorem prover isthat formulating the proofs can require large amounts of very highly skilledeffort. My key contribution is to integrate a “satisfiability modulo theo-ries” (SMT) solver into a theorem prover. This allows many parts of theproof, especially those involving large amounts of tedious algebra, to beperformed automatically. As described in Chapter 2, several other researchprojects have integrated SMT solvers into theorem provers. However, weare not aware of any that have made extensive use of the real-arithmeticcapabilities of SMT solvers or that have applied them to realistic problemsfrom AMS design or hybrid systems. My focus on real arithmetic and AMSdesigns distinguishes the current research from prior work.Thesis StatementSMT solvers can be integrated into an interactive theorem prover in a soundand extensible way. This combination provides an effective tool for verifyingproperties of AMS designs including global convergence.ContributionsThis thesis presents my integration of the Z3 SMT solver [36] into the ACL2theorem prover [71]. With this approach, the theorem prover provides sup-port for high-level proof structuring and proof techniques such as induction,while the SMT solver discharges many tedious details of the proofs for verify-ing real-world designs. The implementation presented in this thesis supportsbooleans, integers, and reals, and my approach can be readily extended toother types including arrays, lists, strings, and more general algebraic datatypes. For soundness, my implementation replies on ACL2, Z3, and as littleother code as possible. To make Z3 easily used from within ACL2, my inter-face performs many, automatic transformations of ACL2 formulas to convertthem into the restricted form required by Z3. I resolve these seemingly con-flicting objectives with a software architecture that divides the ACL2-to-Z3translation process into two phases: most of the transformations are per-formed in the first phase, and the result is verified by ACL2. The second3Chapter 1. Introductionphase is a very simple direct translation from the s-expressions of ACL2 intotheir counterparts for Z3’s Python API.I demonstrate this approach by verifying global convergence for an all-digital phase-locked loop (PLL). The PLL is an example of an analog-mixedsignal (AMS) design. This thesis considers global convergence: showing thatan AMS circuit converges to the intended operating mode from all initialconditions. This requires modeling the large-scale, non-linear behavior ofthe analog components. If such non-linearities create an unintended basinof attraction, then the AMS circuit may fail to converge to the intendedoperating point. AMS circuits may make many mode changes per secondto minimize power consumption, adapt to changing loads, or changes inoperating conditions. Each of these mode changes requires the AMS circuitto converge to a new operating region. Once the AMS circuit is in the smalloperating region intended by the designer, small-signal analysis based onlinear-systems theory is sufficient to show correct operation [73, 76].The main contributions of this thesis are: The first integration of an SMT solver into the ACL2 theorem prover. A description of the challenges that arise when integrating a SMTsolver with a theorem prover and solutions to these issues with anarchitecture where the code that must be trusted for soundness isboth fairly small and very simple. A model for a state-of-the art digital PLL with recurrences using ratio-nal functions. This model can be used for evaluating other verificationapproaches. A proof of global convergence of the digital PLL.Thesis OrganizationThe rest of this thesis is organized as follows: Chapter 2 surveys prior research related to this thesis, including mod-ern AMS verification techniques, an introduction to theorem proving4Chapter 1. Introductionand SMT techniques, and why combining them is better than usingeither alone. The chapter also describes prior results for verificationof PLLs. Chapter 3 explains how to use the trusted clause processor construc-tion from ACL2 to integrate Z3 into ACL2. The Chapter describeschallenges that come up and presents my solutions to them. Chapter 4 describes the proof of global convergence for a state-of-the-art digital PLL using ACL2 with the clause-processor interface toZ3. The digital PLL is modeled with recurrence functions and applyanalytical proofs to prove its global convergence. The proof shows thebenefits of combining SMT techniques and theorem proving. Chapter 5 concludes the thesis and proposes opportunities for furtherresearch.5Chapter 2Related Work andBackgroundAnalog/Mixed-Signal (AMS) circuits are prevalent in integrated circuit de-signs. Chips require analog functionality for multimedia interfaces, sensorsand actuators, and on-chip infrastructure such as power and clock distribu-tion. The AMS approach replaces or augments traditional analog circuitswith digital ones. The AMS approach is motivated by several technologytrends including: Small geometric features lead to greater random variation between cir-cuit components. Intuitively, transistors and wires are now so smallthat variations of a few atoms impact circuit performance. Many tra-ditional analog circuits rely on having “matched pairs” of transistors,and such matching is no longer practical. Small devices and stringent power constraints mandate low operatingvoltages. Many traditional analog circuits rely on having a “voltageheadroom” (the ratio of the power supply voltage to the transistorthreshold voltage) that is not available in current processes. Digital circuits can exploit transistor scaling more effectively than ana-log ones. Smaller transistors lead to smaller logic gates and a greaterdensity of digital functions, while the inductors and capacitors of ana-log design do not shrink by nearly as much. Thus, a designer can savearea by replacing analog functions (such as an integrator that requiresa large capacitor) with digital ones (such as a 24-bit accumulator).62.1. AMS Design and Verification Replacing analog functions with digital counterparts makes the AMScircuit more programmable, allowing greater component re-use.The AMS design approach creates challenges for verification. For exam-ple, analog blocks operate on time-scales that require picosecond scale timesteps for accurate, transistor-level simulations, whereas digital adaptationloops may require times of microseconds to several milliseconds to converge.Formal approaches can verify circuit properties for a large class of inputsand device parameters and avoid the large compute times and incompletecoverage of simulation based approaches.In this work, I model AMS circuits as discrete time recurrences of con-tinuous values as proposed in [7]. The differential equation model for theanalog circuit is used to determine how the continuous state evolves over asingle period of the digital clock.When verifying a recurrence system, one usually needs to form an in-duction proof that proves a specific property on each step of a recurrencesystem starting from any initial state. Specifications can be translated intoarithmetic constraints, which can be non-linear. Theorem proving and SMTprovide complementary capabilities for reasoning about recurrences. Theo-rem proving supports induction proofs, and SMT automates reasoning aboutnon-linear equalities and inequalities.This chapter describes historical and recent works related to my research.Section 2.1 discusses similarity and differences between analog, digital andAMS design verification. Section 2.2 gives an introduction to interactivetheorem proving (specifically ACL2) and SMT methods (specifically Z3)and shows the motivation for combining the two. Section 2.3 discusses PLLverification.2.1 AMS Design and VerificationAMS (Analog/Mixed Signal) design, as indicated by its name, refers tocircuit designs that include both digital and analog circuitry. Traditionally,people would think of some circuits as being analog and others being digital.72.1. AMS Design and VerificationNowadays, nearly all circuits that would previously have been pure analogare implemented using mixed signal techniques.AMS designs bring up new verification challenges. Analog circuits inan AMS design are naturally modeled and specified in terms of continuousbehaviors. Thus, it is not possible to enumerate all possible initial statesand generate all trajectories. Even if one accepts that full test coverage isunachievable, simulation of AMS designs is difficult because the analog cir-cuits require detailed, short time-step modeling of non-linear circuits. AMSdesigners face a dilemma of missing deadlines, failing to eliminate cornercases, or using simplified abstractions that may hide real bugs. Digital con-trols in AMS designs exacerbate this situation. To approximate a smooth,continuous system, AMS designers tend to use digital control circuits thatonly make small changes to their outputs with each clock step. Thus, con-vergence can take hundreds to thousands or more clock cycles.Jang et al. [68] discuss this problem in traditional simulation-based meth-ods and propose an event-driven simulation method in SystemVerilog tosolve it. They use (nearly) linear models for the analog components inan AMS design and use Laplace transform techniques to find closed-formsolutions for the analog behaviours. From these they identify when ana-log signals cross switching criteria for the digital controller, and use thoseevents to drive an event-driven simulation. Like other simulation based ap-proaches, each simulation run only considers the behaviour from a singleinitial condition, with a single choice for any input stimulus functions, anda single choice of model parameters. The approach also relies on havingaccurate, linear models for the analog blocks in the AMS design. The ma-jor advantage of their approach is that it is much faster than performingdetailed, transistor-level simulation with a simulator such as SPICE [5]. Incomparison, formal approaches can reason about the whole system insteadof just specific execution traces. This offers both faster verification and morecomprehensive coverage than simulation methods.82.1. AMS Design and Verification2.1.1 Circuit VerificationTwo main verification problem exist in circuit design: equivalence checkingand model checking. This section discusses how these techniques are realizedin the digital, analog and AMS domains respectively.Digital CircuitsMathematical models that model the dynamics of digital circuits are basedon abstractions like the one below:s(i+ 1) = next(s(i), in(i)) (2.1)where s(i) are state vectors that have only elements 0 and 1; i and i+ 1 areindices for current step and next step; next stands for the discrete recurrenceformula for calculating next state from current state; in represents circuitinputs.Typically, model checking is performed using a next state relation fornext instead of a function; in other words, a state may have multiple possiblesuccessors for the same input. The need for non-determinism arises fromseveral directions including: To avoid the state-space explosion problem [96], model checking is usu-ally performed on abstractions. Thus, the actual hardware or softwarehas internal state that is not represented in the abstraction, and theeffects of the internal state appear as non-deterministic behaviours. The verification may be performed on a high-level design before all ofthe details have been determined. For example, a router may be de-scribed without specifying the exact order in which packets are routed.This gives the designer freedom to optimize the design later when thedetails are better understood. The specification may state assumptions about the allowed inputs.Often, such specifications are complied into state machines for the92.1. AMS Design and Verificationenvironment, and model checking algorithm is applied to the prod-uct automaton for the system and its environment. The actions ofthe environment may not be fully determined, and this leads to non-determinism in the product automaton. Some physical behaviours such as metastability [85] cannot be cap-tured by deterministic models.Thus, we will often treat next as a relation.A common approach to hardware design is to describe modules as statemachines. Each module has a state that is maintained in registers and anext state function that describes how the state is updated on each clockcycle according to the current state and external inputs to the module. Sucha description is typically written in a hardware description language such asVerilog [4] or VHDL [3] and is called a register transfer level (RTL) descrip-tion. Software refered to as logic synthesis [104] converts RTL descriptionsinto networks of logic gates and flip-flops. Such a network is called a netlist.The logic synthesis software can perform very aggressive optimizations. Onthe other hand, the number of hardware designs that are synthesized andmanufactured is much smaller than the number of software programs thatare compiled for a mainstream language such as Java or C++. Furthermore,errors in the hardware design are very expensive because of high fabrica-tion costs and the fabricate, test, and revise cycle can take several months.These considerations motivate using formal methods to verify the netlistsproduced by logic synthesis software. This is the motivating example forthe logic equivalence problem described below.There are two problems typically addressed by mature verification meth-ods for digital verification - equivalence checking and model checking. Bothof them have been widely adopted by the chip design industry. Equivalence checkingThe digital circuit equivalence checking problem is verifying that thenext state function described by the netlist is equivalent to the onedescribed by the register-transfer level (RTL). In other words, the102.1. AMS Design and Verificationequivalence checker shows that nextnetlist 6= nextRTL is unsatisfiable.Typically, the RTL description fully specifies the behavior of the de-vice; in this case, next is a function. A few examples of approaches todigital equivalence checking include [16, 26, 51, 75]. Model checkingDigital circuit model checking asks whether all possible sequences ofstates arising from the model (see Equation 2.1) have certain desiredproperties. The kinds of properties include:• Safety : show that s(i) is never bad; i.e. the state machine modelwill never go into states that violate certain constraints.• Liveness: show that s(i) is eventually good; will always go intostates that satisfy certain constraints.Burch et al. [28] propose a symbolic model checking method thatuses BDD to represent formulas symbolically and uses µ-calculus algo-rithm to derive efficient decision procedures for CTL model checking.[30] summarizes major breakthroughs in model checking. Most modelchecking has been based on BDDs because BDDs provide operationsfor composing function and relations, and a canonical representationthat aids in computing fix points. Recently, IC3 [25] has demonstratedthe feasibility of using SAT solvers for model checking by using inter-polation [88] and k-induction [103]. The IC3 approach has been verysuccessful on both benchmark problems and real-world examples.Analog CircuitsOrdinary differential equations, as shown below, are a natural model for thebehaviours of analog circuits.dxdt= f(x, in, u) (2.2)where x ∈ RN represents the state of the analog circuit; in ∈ RM repre-sents external inputs to the circuit; and u ∈ RK represents uncontrollable112.1. AMS Design and Verificationdisturbances. As with models for digital circuits, it can be convenient touse a differential inclusion that accounts for all possible disturbances. Sucha differential inclusion can have a form like the one shown belowX˙ = F (X, In) (2.3)where X ⊆ RN is a subset of the state space, and In ⊆ RM is a subset ofthe input space. Likewise, X˙ ⊆ Rn is the set of possible time derivatives forthese states and inputs. We note that it is common to have uncertainty inf , the circuit model itself. For example, we may not have an exact model fortransistor currents or node capacitances. Such uncertainties can be capturedusing inclusions. We omit the details of how such inclusions are constructed,and will assume that they are available for the purposes of verification inthe remainder of this thesis.Analog circuit verification problems can be cast as equivalence checkingand model checking problems as well. Equivalence checkingEquivalence checking for analog circuits aims at the same target asfor digital circuits. But analog circuit equivalence checking is muchmore tricky. Basically, one might ask the question “how close is closeenough” for an implementation and its specification, given the statespace is continuous. Different researchers give different answers to thisquestion.Hedrich and Barke [63] in 1995 proposed a procedure for calculatinga non-linear mapping from one non-linear system to another system.They first compute a linear mapping by doing an eigenvalue analysisthen adjust the mapping using quasi-newton optimization on the errorof the state derivatives. They argue the two system to be equivalent iffor each sampling point, the error of state derivatives and state valuesare within given ranges. Model checking122.1. AMS Design and VerificationBeing an analogy to digital circuit model checking, the typical modelchecking problem of an analog design is to look for reachable sets givenbounds on inputs. Safety and liveness properties can also be provenby looking at the intersection of reachable sets with bad or good sets.Formal verification of analog and AMS circuits is an emerging area. I’lldescribe some other prior work on analog verification and AMS verificationtogether in Section 2.1.1.AMS CircuitsAMS circuits combine analog and digital circuits. In this work, I model AMSdesigns using discrete time recurrences with both continuous and discretevalued variables:dxdt= fq(x)q(i+ 1) = d(q(i), th(x))(2.4)where x is a vector of continuous analog states, q is a vector of discretedigital states, t is time, i is the step index, fq stands for the derivative of xto time given state q, d stands for the next state relation for q and th is asampling function that samples the continuous states at time points wherethe discrete steps are.As with digital and analog circuits, I will roughly categorize prior workas equivalence checking and model checking.1. Equivalence checkingFor the same reason that equivalence checking of analog circuits isproblematic, to what extent can two models be called equivalent is amatter of choice.2. Model checkingThe model checking problem of an AMS circuit also looks at the prob-lem of whether all trajectories satisfy certain safety or liveness proper-ties. Three approaches exists to do model checking with AMS circuits.132.1. AMS Design and VerificationOne way involves state space discretization followed by discrete modelchecking methods. The second way uses a hybrid automata that mod-els the discrete behavior between states and models the continuousbehavior within a state. The third way uses the observation that theODE part of the recurrence model is usually simple. Then one can justsolve the linear model and then reason about the recurrences alone. DiscretizationThe earliest attempt to apply model checking to circuit verifica-tion is Kurshan and McMillan’s 1991 paper [77]. They partitionthe range of values for each continuous variable into intervals, andthus discretize the continuous state space as a finite set of hyper-rectangles. They compute bounds on the derivative function anduse these to obtain a next state relation. They demonstrate theirapproach by verifying the asynchronous arbiter circuit from [102]assuming that input transitions are instantaneous. They proposeheuristics on how to reduce from a continuous problem to a dis-crete one by properly choosing granularity of space discretization,time discretization, input value and input function discretization.Based on similar idea, Hartong et al. [61] proposed a methodthat automatically subdivides state space into boxes satisfyingcertain Lipschitz conditions. That way, they can sample pointsfrom a given box and argue that the proposed inclusion algorithmover-approximates the reachable states. They also introduced amodified CTL model checking technique for analog verification. Hybrid automata and reachabilityReachability analysis considers the problem of where the tra-jectories can go given a set of initial state points. It can bedistinguished from discretization-based method in that it rea-sons about the system in the continuous space. Greenstreet [56]presents a method of using Brockett annulus to verify that a tog-gle circuit modeled by a system of non-linear differential equa-tions satisfies a discrete specification. He uses numerical integra-142.1. AMS Design and Verificationtion to determine a manifold that contains all feasible trajecto-ries. Coho [57, 112] proposes a method called projectagon thatprojects high-dimensional objects onto two-dimensional planes.Reachable sets are calculated by integration and linear program-ming is used to bound reachable trajectories. d/dt [11] useshybrid automata to model AMS behaviour and uses orthogonalpolyhedra to over-approximate reachable sets for proving safetyproblems. Many other representations exists.All of these approaches face the challenge that representing arbi-trary polyhedra in a high-dimensional space is intractable. Thus,different approaches employ different simplified representationssuch as orthogonal polyhedra [11], convex polyhedra [44], projec-tion based methods [112], ellipsoids [78], zonotopes [50]. In gen-eral, there is a trade-off between the amount of over-approximationincurred by the representation and the time and memory requiredto perform the analysis. Transform to recurrencesAl-Sammane et al. [7] proposes a symbolic method that extractsa mathematical representation of any AMS system in terms of re-currence equations. They build an induction tool in Mathematicato prove correctness using the normalized equations. Note thatthe model in the example in Chapter 4.2 uses this idea to ab-stract the continuous dynamics of the phase difference variable.My example shows how their approach can be extended with morepowerful analysis tools to verify a state-of-the-art AMS design.3. Other analytical methods Interval based methodsTiwary et al. [108] proposed a method that starts from the tran-sistor level circuit netlist, using intervals to represent the differ-ential I-V characteristics of transistors. They then model verifi-cation problems in mainly linear inequalities and use SMT tech-152.1. AMS Design and Verificationniques to solve the linear inequalities. The paper didn’t state howthe transistor level intervals can be obtained. Theorem provingPrior work on using theorem proving methods to reason aboutdynamical systems includes [66] which uses the Isabelle theoremprover to verify bounds on solutions to simple ODEs from a sin-gle initial condition. In contrast, I verify properties that holdfrom all initial conditions. Harutunian [62] present a very gen-eral framework for reasoning about hybrid systems using ACL2and demonstrate the approach with some very simple examples.Here I demonstrate that by discharging arithmetic proof obliga-tions using a SMT solver, it is practical to reason about morerealistic designs.2.1.2 LimitationsThe methods described above have several limitations. First, many of theintroduced methods require the model of the system to be fixed, meaningthat the verification is for a specific choice of values for the circuit parame-ters. The circuits that are actually fabricated will have different parametersvalues than those used in the verification.With continuous state spaces, AMS circuits have an uncountably largenumber of states. Thus, tools must make approximations. If the approxima-tions are too course, the tools will over-approximate the reachable space andreport false-errors. On the other hand, if the approximations are too fine,then the run-time and memory requirements may be completely impracti-cal. Thus, most prior work on AMS verification has been limited to smallexamples. Furthermore, large amounts of manual effort are often needed,even with “automatic” tools, to tune the circuit models and verification al-gorithms to a sweet spot that allows the verification to complete. A fewlarger AMS verification examples have been published in the past few years,all looking at various phase-locked loop designs. I also use a phase-lockedloop as the case study in this work. Section 2.3 introduces phase-locked162.2. Introduction to ACL2 and Z3loops and prior verification efforts for such designs.2.2 Introduction to ACL2 and Z3This section gives a brief introduction to general theorem proving and SMTtechniques. I observe that theorem proving and SMT methods offer com-plementary capabilities for AMS verification.2.2.1 Theorem Proving OverviewTheorem proving means using computer program to prove mathematicaltheorems based upon mathematical logic rules. For the sake of organiz-ing the presentation, this section examines theorem provers in two majorgroups: those based on first-order logic, and those based on higher-orderlogic. First-order logic is distinguished from higher-order logic in the sensethat first-order logic only quantifies over individuals but higher-order logiccan quantify over sets, sets of sets, etc. [9]. Noting that a function can berepresented as a set of tuples mapping values in the function’s domain tovalues in its range, it can be observed that first order logic does not admitquantification over functions, but higher order logic allows such quantifica-tion. E.g. ∀P∀x(∃y.P (x, y)) would be a higher-order logic predicate butsimply ∀x(∃y.P (x, y)) would be a first-order logic predicate.Proponents of theorem provers for first-order logic often argue that firstorder logic is adequate for modeling verification problems [101]. In general,first-order logic is simpler, thus easier to model and manipulate than higher-order logic. Very sophisticated theorems can be built from first-order logicif enough translation and modeling is used.Conversely, proponents of theorem provers for higher-order logic oftenargue that modeling problem with higher-order logic is more natural and in-tuitive. Gordon [55] extensively discusses why higher-order logic should be agood formalism for hardware verification in his early paper. He argues in thepaper that higher-order logic are obvious modeling language for hardwareverification problems. Furthermore, higher-order logic enables the ability172.2. Introduction to ACL2 and Z3of reasoning about logic within the logic. Because one can position quan-tifiers ahead of predicates and functions, thus one can naturally prove thecorrectness of a proof method, or embed semantics for various programminglanguages within the logic by using higher-order logic.This section further discusses existing theorem provers in each category.As a representative example of higher-order theorem provers, I will examinethe HOL [54] family of theorem provers. Likewise, I will use the Boyer-Moore theorem prover [23] and its decendants, most notably ACL2 [71], asthe canonical example of a theorem prover for first-order logic. Many otherextensively developed theorem provers include the Coq [18] theorem prover,PVS [94], and nuPRL [67].The HOL FamilyHOL [54] is one of the earliest theorem provers for higher-order logic. HOLmeans Higher-Order Logic. The HOL family refers to a list of modern theo-rem provers based on the foundation of HOL [29], including HOL Light [58],HOL4 [106], Isabelle [95] etc. In a HOL-based theorem proving system, allproofs are derived from a small set of HOL axioms. The system supportsreasoning about higher-order functions and propositions. The proofs areconstructed in the forwards (bottom-up) style.There are a number of interesting verification results both from industryand academia using HOL family theorem provers. Pusch [98] uses Isabelleto verify soundness of the Java bytecode verifier that checks several secu-rity constraints in a Java Virtual Machine (JVM). Harrison [59] uses HOLlight for formalization of floating-point arithmetic, and the formal verifica-tion of several floating-point algorithms. Many mathematical results havebeen developed using HOL based theorem provers: [1] is a webpage showing100 well-known theorems from mathematics that have been formalized us-ing modern theorem provers. Of the 100 theorems, 86 have been formalizedand proven using HOL Light, significantly more than any other theoremprover. The QED project [22] aims at building a computer system to repre-sent all important knowledge and techniques in mathematics. These show182.2. Introduction to ACL2 and Z3theorem provers’ power in proving classical, mathematical results as well asestablishing useful properties of hardware and software designs.The Boyer-Moore Theorem ProverThe Boyer-Moore theorem prover [23], also known as NQTHM, is a theoremprover for first-order logic based on a dialect of Lisp. The key idea is todevelop a version of Lisp with a simple semantics axiomatized in the prover.Users write code in this Lisp dialect both to model and reason about targetsystems. ACL2 [71] is a direct descendant of the early Boyer-Moore theoremprover. ACL2 is short for A Computational Logic for Applicative CommonLisp.There are several defining features of ACL2. First, ACL2 reasons aboutLisp code within Lisp. Second, it’s defined to be both automatic and in-teractive. It is automatic because its automatic proof search engine is im-plemented for searching for a proof tree. The underling automatic proofengine follows a procedure called the “waterfall”. The waterfall tries tosolve each goal by passing it through a series of proof processes [72]. It isinteractive because the user needs to follow The Method [2] that developslemmas for unproved goals and iteratively follow this strategy until everylemma is proved. Collections of commonly used lemmas can be collectedinto books. ACL2 certifies these books, allowing such lemmas to be usedwithout repeating the proof each time. Many such books have been devel-oped that are carefully crafted to work with the ACL2 waterfall – this allowsACL2 to automatically perform long sequences of common proof steps suchas rewriting terms into canonical forms.The ACL2 community focuses on large verification problems arising fromindustry. Accordingly, ACL2 has a strong emphasis on speed and automa-tion. There has been a huge number of successful applications of NQTHMand ACL2 to both academic and industrial verification problems. Someexamples of proofs performed in ACL2 include:Concurrent programming:[91] proves correctness of a system of n processes each running a simple,192.2. Introduction to ACL2 and Z3non-blocking counter program: if the system runs longer than somegiven number of steps, then the counter will increase, which guaranteesprogress.Microprocessor verification: [41, 92] both apply ACL2 to real, large, indus-trial examples of processor designs.Security: [64] considers a security problem of information flow. Given aprogram that has been annotated with assertions about informationflow, their method uses ACL2 and operational semantics to generateand discharge asserted conditions.Floating point arithmetic: [100] describes a method for translating from asubset of Verilog language into the formal logic of ACL2 and provescorrectness of register-transfer level models of floating-point hardwaredesigns at AMD. [65] verifies the floating-point addition/subtractioninstructions for the media unit in Centaur’s microprocessor.Numerical algorithms: [99] describes how symbolic differentiation is intro-duced into ACL2(r) [46]. [47] presents a proof in ACL2(r) on theconvergence rate of the sequence of polynomials that approximate arc-tangent proposed by Medina [89].Suitability of Theorem Provers for AMS VerificationTheorem provers are suitable for AMS verification because: Theorem provers provide extensible capabilities for reasoning aboutlinear and non-linear inequalities. Theorem provers are designed to have strong support for reasoningabout sequences. This is essential for reasoning about AMS circuitsusing recurrences as described in 2.1.1. This is due to their powerfulinduction proof support. For example, in ACL2, every user-definedfunction must be defined with a proof of termination; in practice,these proofs are often found automatically by ACL2. Once a recursive202.2. Introduction to ACL2 and Z3function is defined, it defines a corresponding induction schema. Thus,introducing new induction schema in ACL2 is straightforward, andinductive reasoning is highly automated. Composibility and reusability of verification results are much moreobvious in a theorem prover because proved theorems are reusable.Once proved, all theorems will be stored in the system and can beused to prove new results. Often the results of tools such as reacha-bility checkers (see Section 2.1.1) only show one aspect of a completecorrectness argument. These lemmas need to be combined to prove thedesired claim. Theorem provers provide a natural and comprehensiveframework for composing these results.The common objection to using interactive theorem provers such asACL2 is that the proofs requires large amounts of manual effort and a levelof mathematical sophistication that puts them out of the reach of typicalprogrammers and hardware designers. Much of this is because theoremprovers require all claims to be reduced to a small set of axioms. Automatictools such as SAT and SMT solvers can automate much of this low-levelreasoning. Section 2.2.2 examines these solvers.2.2.2 SMT Solver OverviewResearcher have developed many techniques for solving decision problemsthat arise in hardware and software verification. Practical decision proce-dures now exist for many common problem domains. Boolean satisfiability(SAT) problems are the set of problems that ask if there exists a satisfyingassignment to a boolean formula. Although SAT problem is in general NP-Complete, modern SAT solvers manage to solve a large portion of the SATproblems that arise in practice quite efficiently by developing efficient searchalgorithms with useful heuristics. While SAT solvers can answer questionsphrased as boolean formulas, other decision procedures have been devel-oped for other domains. For example, the satisfiability of a system of linearequalities and inequalities can be determined using a linear program solver.Solvers exist for classes of non-linear constraints, reads and writes to arrays,212.2. Introduction to ACL2 and Z3and other domains. This motivates devising decision procedures that com-bine the results of domain specific solvers. When such combined solvers areimplemented as a generalized version of a SAT solver, the resulting approachis known as satisfiability modulo theories (SMT). This section describes re-search in SAT and SMT solvers and some of the modern heuristics used inthese solvers.Booleans and SATThe SAT problem has been studied since the early days of computer sci-ence [34], and is the classical example of a NP-complete problem [32, 70].From a verification perspective, SAT is interesting because many problemsthat arise in verification can be naturally expressed as SAT problems. Forexample, equivalence of an RTL specification and a gate-level netlist canbe expressed as a SAT problem [15]. The earliest work proposing an algo-rithm for solving SAT problems dates back to the 1960s. Davis, Putnamet al. [34, 35] developed the earliest Davis-Putnam-Logemann-and-Loveland(DPLL) algorithm framework that remains the foundation for many SATsolvers. The DP (Davis-Putnam) and DPLL algorithms work on formulaswritten in conjunctive normal form (CNF), i.e., the conjunction of clauses,where each clause is a disjunction of variables or their negations. The basicidea is that if a clause consists of a single variable (or negation of a variable),then that determines the value of the variable in any satisfying assignment.If all such one-literal clauses have been eliminated, then the solver picks avariable and performs case split on the value of that variable and simplifiesthe resulting formula. If a satisfying assignment is found, it is reported. Ifa contradiction is found, the solver backtracks. Eventually, either a solutionis found or the formula is shown to be unsatisfiable.Marques-Silva and Sakallah [86] further enhanced the DPLL algorithmby adding a conflict analysis procedure that provides information for moreefficient backtracking. Zhang et al. [114] survey various conflict driven learn-ing strategies and did a thorough experiment in comparing different learningschemes. Zhang and Malik [113] surveys big breakthroughs in SAT solving222.2. Introduction to ACL2 and Z3including branching heuristics, variation in deduction and conflict learningstrategies. Gomes et al. [53] summarizes key-features of modern DPLL-based SAT solvers and extended topics on quantified boolean formula (QBF)solving and model counting.SMTSMT solvers extend a SAT solver with procedures for solving problems inother domains. Typical domain specific procedures include procedures ininteger arithmetic, linear real-arithmetic, non-linear arithmetic and arraytheory. Closely related to AMS verification are the domain specific solversfor real arithmetic. The first work that gives a decision procedure for “el-ementary algebra”1 is by Tarski [107]. In his work, he gives a procedurethat proves the decidability of such problem, but the procedure is imprac-tical with a complexity, using Knuth’s up-arrow notation [74], of 2 ↑↑ n fora formula of size n. Buchberger developed Gro¨bner bases [27, 79] whichcan be used to solve systems of polynomial equalities. The cylindrical al-gebraic decomposition approach of Collins [31] can find satisfying solutionsto systems of polynomial equalities and inequalities, or show that no suchsolution exist. Both algorithms have doubly-exponential time complexity.Ben-Or et al. [17] showed that the decision problem for elementary algebra isexponential-space complete; so, the Collins algorithm is likely to be optimal.Nevertheless, these algorithms have found use in practice, especially whenaugmented with heuristics to simplify problems before attempting a generalsolution. Other related work includes Bledsoe et al. [21], and Shostak [105].Research on satisfiability solvers has been complemented by work oncombining decision procedures for various domains into a single, unifiedsolver. These solvers go by the name SMT (Satisfiability Modulo Theory)solvers. One of the earliest contributions in this area was the “cooperatingdecision procedure” approach of Nelson and Oppen [93]. They presented acombination of a theory of linear equalities and inequalities for real numbers,arrays, list structure and uninterpreted functions. They present a unifying1Elementary algebra comes from Tarski’s definition in [107].232.2. Introduction to ACL2 and Z3framework for combining different decision procedures. Their method re-quires that the separate theories only communicate by equality of termsand it only applies to convex theories. A theory is convex if for each con-junctive formula in the theory, if it implies a finite disjunction of equalities,then it also imply at least one of the equalities. Instead of coordinating twotheories, Bozzano et al. [24] propose a method called delayed theory combi-nation that first let the SAT solver propose a satisfying assignment for thecase splitting on equalities between theories, thus delayed the combinationof theories. Their work also works for non-convex theories. Examples ofmodern SMT solvers include Yices [40], Z3 [36] and CVC4 [14].There exist other works that focus on various aspects of SMT solving.HySAT [43] uses an algorithm that tightly integrates interval constraintpropagation with SAT algorithm to solve large systems of non-linear in-equalities. Gao et al. [49] formulated a theory of ODEs and proposed analgorithm under the interval constraint propagation (ICP) [52] frameworkto solve SMT problems with ODE constraints.Suitability of SMT Solvers for AMS VerificationFor the domain of AMS verification, SMT solvers compliment theoremprovers for following reasons: SMT solvers lack the extensive proof structuring and management ofinteractive theorem provers. SMT solvers are often used to solve piecesof the verification problem, and a more general framework is needed tomake sure that these lemmas are sufficient to prove the desired result. SMT solvers are weak at reasoning about infinite structures (i.e. lackof induction). Researchers are aware of it, and there exists preliminaryworks on extending SMT solver’s induction proof abilities.For example, Leino [82] proposed a mechanism for translating asser-tions about recursive functions into the proof obligations for an induc-tive proof of the claimed property. Leino implemented this approachas an extension to the Dafny [81] program verifier which translates the242.2. Introduction to ACL2 and Z3proof obligations to Boogie 2 [80] which uses the Z3 SMT solver [36].However, the induction ability such tools can provide is still limited incomparison to a theorem prover. SMT solvers are extremely good at solving systems of inequalities witha moderate number of variables. The AMS formula one wants to verifymight be too tedious for the user of a theorem prover, thus there’s aneed for combination of SMT technique into a theorem prover. As a fully-automated approach, SMT solvers are vulnerable to thecombinatorial explosion problems. By breaking a problem into lem-mas in the theorem prover, the SMT solver works on manageable sub-formulas. It is tempting to write a lemma that “tells the SMT solvereverything you know” and then ask it to prove the claim. This oftenleads to the SMT solver taking more time than the user has patience(typically a few hours, aka, a “time-out” failure) or requiring morememory than available on practical computers (aka a “mem-out” fail-ure). On the other hand, if the user identifies the hypotheses that arelikely to be needed and breaks the problem into a few smaller pieces,then the SMT approach succeeds much more often and still spares theuser from large amounts of tedious derivation.2.2.3 Integrating External Procedures to Theorem ProversThere has been extensive work in the past decade on integrating SAT andSMT solvers into theorem provers including [10, 19, 20, 37, 42, 87, 90]. Manyof these papers have followed Harrison and The´ry’s[60] “skeptical” approachand focused on methods for verifying SMT results within the theorem proverusing proof reconstruction, certificates, and similar methods. Several of thepapers showed how their methods could be used for the verification of con-current algorithms such as clock synchronization [42], and the Bakery andMemoir algorithms [90]. While [42] used the CVC-Lite [12] SMT solver toverify properties of simple quadratic inequalites, the use of SMT in the-orem provers has generally made light use of the arithmetic capability of252.2. Introduction to ACL2 and Z3such solvers. In fact [20] reported better results for SMT for several sets ofbenchmarks when the arithmetic theory solvers were disabled!The work that may be the most similar to this work is [37] which presentsa translation of Event-B sequents from Rodin [6] to the SMT-LIB for-mat [13]. Like my work, [37] verifies a claim by using a SMT solver toshow that its negation is unsatisfiable. They address issues of types andfunctions. They perform extensive rewriting using Event-B sequents, andthen have simple translations of the rewritten form into SMT-LIB. Whilenoting that proof reconstruction is possible in principle, they do not ap-pear to implement such measures. The main focus of [37] is supporting theset-theoretic constructs of Event-B. In contrast, my work shows how theprocedures for non-linear arithmetic of a modern SMT solver can be usedwhen reasoning about VLSI circuits.My work demonstrates the value of theorem proving combined with SMTsolvers for verifying properties that are characterized by functions on realnumbers and vector fields. Accordingly, the linear- and non-linear arith-metic theory solvers have a central role. As the concern is to bring thesetechniques to new problem domains, I deliberately take a pragmatic ap-proach to integration, and trust both the theorem prover and the SMTsolver.2.2.4 ACL2 and The MethodThis section serves as an introduction to how to use the theorem proverACL2 by following The Method [2]. Basically, The Method is a depth-firsttraversal over the derivation tree of the target theorem directed by ACL2.See Figure 2.1.Given a theorem statement, the user may first write it in ACL2 and checkif ACL2 can prove it by automatically applying its proof engine. If proved,then done. If not, the user can look at the checkpoint generated by the proofengine illustrating the point where the proof engine gets stuck. Then the usercan come up with a new lemma that should prove the checkpoint theoremstatement. Iteratively, the user can run the lemma statement in ACL2 and262.2. Introduction to ACL2 and Z3Theorem proved?Done NoYesState the theorem in ACL2Run ACL2 proof engineLemma proved?YesLook at the checkpoint and generate a lemmaUse The Method to prove the lemmaNoRun ACL2 proof engineFigure 2.1: The Methodcheck if it’s proved. If yes, try proving the original theorem again. If not,apply The Method to prove the lemma statement. The process is partiallyautomatic and partially interactive.I take an example from the ACL2 documentation to show how to applyThe Method. Suppose one wants to prove Theorem 2.1 below:Theorem 2.1 (Example theorem).A list contains no duplicated elements if and only if the reverse of the listcontains no duplicated elements.Suppose we have already define the function for reversing a list andchecking for duplicates as in Program 2.1. Program 2.2 shows the theoremstatement as written in ACL2.272.2. Introduction to ACL2 and Z3Program 2.1 Function definitions for rev and dupsp1 (defun rev (x)2 (if (endp x)3 nil4 (append (rev (cdr x)) (list (car x)))))56 (defun dupsp (x)7 (if (endp x)8 nil9 (if (member (car x) (cdr x))10 t11 (dupsp (cdr x)))))Program 2.2 Example theorem statement1 (defthm dupsp-rev2 (equal (dupsp (rev x)) (dupsp x)))Lemma1 . 1Lemma2Thm dupsp- revLemma1Figure 2.2: The proof treeTry proving the theorem in ACL2 using The Method, one will end upwith a proof tree as shown in Figure 2.2, where Lemma1, Lemma1.1 andLemma2 are shown in Program 2.3. Try proving theorem dupsp-rev in ACL2282.2. Introduction to ACL2 and Z3produces a checkpoint:(IMPLIES(AND; X is a non-empty list(CONSP X); the first element of X is not an element of the tail(NOT (MEMBER (CAR X) (CDR X))); the induction hypothesis(EQUAL (DUPSP (REV (CDR X)))(DUPSP (CDR X)))); the original claim with REV expanded once(EQUAL (DUPSP (APPEND (REV (CDR X)) (LIST (CAR X))))(DUPSP (CDR X))))which suggests lemma1. Attempting to prove lemma1, ACL2 produces acheckpoint that contains the term:(MEMBER (CAR X) (APPEND (CDR X) (LIST E)))We see that ACL2 needs to understand how MEMBER interacts with APPEND,which suggests Lemma 1.1. ACL2 proves Lemma 1.1 without any furtherassistance. After proving Lemma 1.1, we give Lemma 1 to ACL2, andACL2 proves Lemma 1 as well. We ask ACL2 to attempt to prove themain theorem, and it fails with a checkpoint of the same form as last one.Through some thinking, one can figure out that ACL2 gets stuck on proving(NOT (MEMBER (CAR X) (REV (CDR X))))even given that it knows(NOT (MEMBER (CAR X) (CDR X))).So we come up with lemma2, which points out that a member of a list isalso a member in the reverse of that list. This will lead to ACL2’s automaticreasoning for292.2. Introduction to ACL2 and Z3(IMPLIES (NOT (MEMBER (CAR X) (REV (CDR X))))(NOT (MEMBER (CAR X) (CDR X))))Finally, ACL2 accepts the initial theorem statement for dupsp-rev.Program 2.3 Lemmas1 ; e is an element of the concatenation of lists a and b2 ; iff e is an element of a or e is an element of b.3 (defthm lemma1.14 (iff (member e (append a b))5 (or (member e a)6 (member e b))))78 ; If e is not a member of x,9 ; then appending e to x does not change whether or not10 ; x has duplicate elements.11 (defthm lemma112 (implies (not (member e x))13 (equal (dupsp (append x (list e)))14 (dupsp x))))1516 ; e is an element of the reverse of x17 ; iff e is a member of x.18 (defthm lemma219 (iff (member e (rev x))20 (member e x)))In summary, using The Method to prove a theorem is an automatic andinteractive way of building the proof tree in ACL2. ACL2 automatically doesthe job of decomposing the theorem into subgoals, using rewriting and othertechniques on simplifying the main goal and subgoals and so forth. When itgets stuck somewhere in the traversal of the proof tree, user intervention isrequired to come up with the right lemma to resolve the stuck point. Thiscontinues until the original theorem statement is proved. When the proof iscomplete, the user has an ACL2 script that can be executed to perform thefull proof automatically, without user interaction. Note that The Method isa guideline for proving theorems in ACL2, but users may at times chooseother ways of identifying helpful lemmas and structuring their proofs. For302.2. Introduction to ACL2 and Z3example, there may be a better way of decomposing the initial theoremstatement than what is proposed by ACL2. The user can then provide ashint this decomposition to ACL2 so that ACL2 can use this intuitively betterproof suggested by the user.2.2.5 Examples Using ACL2 and Z3This section presents to examples to illustrate the use of the ACL2 theoremprover, the Z3 SMT solver, and their combination as implemented in thisthesis.I’ve specifically chosen ACL2 as the theorem prover and Z3 as the SMTsolver. The reason for these choices is somewhat coincidental. When Istarted out, I first tried HOL Light. My first experience with theorem prov-ing got stuck when I tried to figure out how to introduce an external decisionprocedure. My supervisor mistakenly believed that SMT solvers had beenintegrated into ACL2 already. So I then tried ACL2. Although no suchintegration existed at the time, thanks to the comprehensive documentationof ACL2 and constant help from the ACL2 development group, I was ableto devise an approach based on how SAT solvers get integrated. The reasonI’ve chosen Z3 is even simpler. First, it is a leading SMT solver. Second,it’s very easy to try out given the web-based interactive webpage and thez3py interface. Third, I had used Z3 to prove some simple properties of thedigital PLL, i.e. automatically deriving and verifying a ranking function forconvergence. This use of Z3 showed both the value of Z3, and the need fora more comprehensive collection of reasoning techniques.While I have implemented our approach using ACL2 and Z3, the ap-proach is largely independent of the choice of SMT solver and should workequally well with other SMT solvers or even other decision procedures. Like-wise, the approach presented Chapter 3 could be used with other theoremprovers, but I would not expect as much direct code reuse in that case.312.2. Introduction to ACL2 and Z3Example: Sum of Geometric SeriesThe first example demonstrates ACL2’s induction power, which is not na-tively available in Z3. The theorem I want to prove is the geometric sumformula as shown in Theorem 2.2.Theorem 2.2 (Geometric Sum). Suppose r ∈ R, n ∈ N, r > 0 and r 6= 1.Then,n∑i=0ri =1− rn+11− rI proved this theorem using three setups. The first setup uses raw ACL2without help from any books (see code in Appendix A.1). The second setupuses ACL2’s arithmetic book (see code in Appendix A.2). The third setupuses my combination of ACL2 and Z3 (see code in Appendix A.3). Table 2.1summarizes the effort required for the three approaches. The proof requiresinduction and thus cannot be completed using Z3 alone.Setup LOC # of theorems runtime(s) code timeraw Z3(can’t) - - - -raw ACL2(proved) 169 19 0.14 2 daysarithmetic-5(proved) 29 1 0.15 10 minACL2 & Z3(proved) 72 2 0.06 20 minTable 2.1: Geometric sum equation proof comparison using different setupsSeveral observations can be made. First, raw ACL2 is a poor choicefor this problem in nearly every sense. It requires one to implement everysingle lemma. This requires the most lines of code. It requires huge amountof human effort to complete. Of course, this is why users of ACL2 havedeveloped and use the extensive library of “books” (collections of ACL2theorems) that have been established to avoid this kind of low-level effort. Asan example of the efficacy of ACL2’s books, Theorem 2.2 is proven with noadditional effort by the user when the standard book of arithmetic theoremis included. The combined approach although takes longer code comparedto ACL2 with arithmetic book, but relieves the tedium when compared toraw ACL2.322.2. Introduction to ACL2 and Z3Example: Intersection of 3 Polynomial InequalitiesReasoning about the recurrence models for AMS circuits (see Eq 2.2) of-ten involves systems of non-linear equalities and inequalities with moderatenumbers of variables. To show how Z3 compliments ACL2, we’ll considerthe problem of showing the unsatisfiability of the conjunction of the threepolynomial inequalities given below in Theorem 2.3.Theorem 2.3 (Polynomial inequality). Suppose x ∈ R and y ∈ R, then theconjunction of1.125x2 + y2 ≤ 1x2 − y2 ≤ 13(x− 2.125)2 − 3 ≤ y(2.5)does not have a solution.Figure 2.3 depicts this system of inequalities. The green one is the ellipse,the blue one is the hyperbola and the red one is the parabola. The smallcircles indicates which side of the polynomials the inequalities are referringto. Zooming in at the crossing part, Figure 2.4 clearly shows why these threepolynomial inequalities have no solution. The experiment results show therelative power of ACL2 and Z3.I performed four experiments with four setups. The first setup uses Z3alone (see code in Appendix A.4). The second and third setups use rawACL2 and ACL2 with its arithmetic book (see code in Appendix A.5). Thefourth setup uses my ACL2 and Z3 combination (see code in Appendix A.6).Table 2.2 shows the results of these experiments.Setup LOC # of theorems runtime(s) code timeraw Z3(proved) 27 1 0.0004 10 minraw ACL2(failed) 40 - - 10 minarithmetic-5(failed) 41 - - 10 minACL2 & Z3(proved) 59 1 0.02 10 minTable 2.2: Polynomial inequality proof comparison using different setupsWe make three observations. First, Z3 by itself is somewhat faster than332.2. Introduction to ACL2 and Z3−3 −2 −1 0 1 2 3 4−4−2024681012XyFigure 2.3: Three polynomialswhen run within ACL2. This is because the current version of my codecreates a new Python process for each clause discharged by Z3. I believethat the time for the proof with the ACL2 and Z3 combination is dominatedby the time to create this Python process. Second, ACL2 failed to prove thetheorem even with the arithmetic book. Of course, one could, in principle,guide ACL2 through a sequence of theorems to prove the main result, butone can easily imagine how much more time it would take to identify, state,and prove all of the necessary lemmas. This can be shown by examiningthe global convergence proof in Appendix C.2.1. Part of the proof is usingpurely ACL2 and the theorems being proved are more complex than theone shown here. Third, the combination does not require significantly morecode or time by the user than using Z3 alone. By utilizing the SMT solver,our combination can readily prove the theorem without huge effort in fasterspeed.342.3. PLLs and Verification1 1.05 1.1 1.1500. 2.4: Zoom in the crossing part2.3 PLLs and VerificationThere have been several previously published reports of PLL verificationusing formal methods. The earliest verification that I know of was by Dhin-gra [38]. Dhingras design uses a fixed-frequency oscillator and adaptivelychooses edges to approximate the edges of the lower frequency reference. Iam not aware of any such PLLs in use for standard PLL applications suchas clock generation, clock-data-recovery, and wireless communication.PLLs and model checking Dong et al. [39] and Wang et al. [109] pro-posed using property checking for AMS verification, including PLLs. Shortlyafter the work by Dong et al., Jesser and Hedrich [69] described a model-checking result for a simple analog PLL. Althoff et al. [8] presented theverification of a charge-pump PLL using an approach that they refer to as352.3. PLLs and Verificationcontinuization. They use a purely linear model for the components of theirPLL, and their focus is on the switching activities of the phase-frequencydetector, in particular, uncertainties in switching delays. They use zono-topes [50] to conduct reachability analysis and their method works for rangesof parameters. In comparison, my work uses the non-linear recurrence modelwithout any linearizations and reasons directly about this model.PLLs and SMT More recently, Lin et al. [83, 84] developed an approachfor verifying a digital PLL using SMT techniques. To the best of my knowl-edge, they are the first to claim formal verification of a digital PLL. Theyconsider a purely linear, analog model and then reason about the discrep-ancies between this idealized model and a digital implementation. They usethe iSAT [43] SMT solver to verify bounds on this discrepancy. They verifybounds on the lock time of a digitally intensive PLL assuming that most ofthe digital variables are initialized to fixed values, and that only the oscil-lator phase is unknown. My work shows initialization for a different PLLdesign over the complete state space.PLLs and reachability Using the SpaceEx [44] reachability tool, Weiet al. [110] presented a verification of the same digital PLL as describedin this thesis. That work made an over-approximation of the reachablespace by over-approximating the recurrences of the digital PLL with linear,differential inclusions. As SpaceEx could not verify convergence property forthe entire space in a single run, [110] broke the problem into a collection oflemmas that were composed manually. There work demonstrated the needfor some kind of theorem proving tool to compose results. Furthermore,they could not show the limit cycles that my proof does; therefore theirproof does not provide as tight of bounds on PLL jitter and other propertiesas can be obtained with my techniques.36Chapter 3Combining SMT withTheorem ProvingChapter 2 makes the observation that theorem provers and SMT solvers offercomplementary capabilities for verifying AMS circuits. Theorem provers aregood at managing structured proofs and SMT solvers are, on the other side,good at automatically solving large non-linear inequalities. Accordingly, Ichoose to manage the proof in a theorem prover and invoke a SMT solveras directed by the user to discharge clauses that can be expressed in thetheories supported by the solver. The theorem prover takes the verificationresults from the SMT solver and stores the resulting theorem in the currenttheorem environment as one of the main results or as a lemma for futureuse.Figure 3.1 shows an example of how one might use a SMT solver withinACL2 while using The Method as described in Chapter 2.2.4. In Figure 3.1,a green theorem means “proved”, a yellow theorem means “currently beingproven”, a gray theorem means “pending for proof” and a red theoremmeans “proof failed”. Suppose in the theorem prover, initially we haveproven from Theorem 1 all the way until we reach Theorem smt problem,which we believe forms a nice SMT problem. The strategy is to take thenegation of the claim for Theorem smt problem and give it to the SMTsolver. The SMT solver automatically determines whether the negationis satisfiable or not. If the SMT solver shows the negation of the claimfor Theorem smt problem is UNSAT, this establishes the original theorem.Otherwise, ideally, if the SMT solver returns SAT and gives a satisfiableassignment, we know this is a counter-example to Theorem smt problem37Chapter 3. Combining SMT with Theorem ProvingSMT solver Verification resultSuccess proofTheorem 1Theorem 2Theorem smt_ problemTheorem nTheoremProverUNSAT Failed proofTheorem 1Theorem 2Theorem smt_ problemTheorem nTheoremProverSAT and suitable counter- exampleInitial proofTheorem 1Theorem 2Theorem smt_ problemTheorem nTheoremProverNegation of theorem smt_ problemFailed proofTheorem 1Theorem 2Theorem smt_ problemTheorem n ???TheoremProverUnsuitable counter - example or other errors e. g. time outFigure 3.1: Basic framework for the combination.and this disproves the theorem. If other errors, e.g. a time out happens, weare also given proof failure, but we can’t decide the truth value of Theoremsmt problem.This chapter describes Smtlink, my integration of the Z3 SMT solverinto the ACL2 theorem prover. As described in Chapter 2, both ACL2 andZ3 have been successfully used for a large variety of research and industrialproblems. Implementing the approach sketched above requires addressingnumerous issues to link the logics of ACL2 and Z3 while preserving sound-ness. This chapter presents these issues and describes my solutions.383.1. Clause Processor Architecture3.1 Clause Processor ArchitectureACL2 implements a computational logic for an applicative subset of Com-mon Lisp [97]. This computational logic is a set of proof rules includingrewriting, induction, and rules for basic Lisp operations such as cons, car,and cdr. These are applied automatically with guidance from the user in theform of prior theorems that are proven or in user provided hints. Typically,the user finds a sequence of simpler theorems that leads ACL2 to a proof ofthe main result.Much of the work for the user can be relieved through ACL2’s “clauseprocessor” mechanism. A clause processor takes an ACL2 clause (i.e. propo-sition) as an argument and returns a list of clauses with the interpretationthat the conjunction of the result clauses implies the original clause. In par-ticular, if the result clause is empty, then the clause processor is assertingthat the original clause is always true. ACL2 supports two types of user-defined clause processors: verified and trusted. A verified clause processoris written in the ACL2 subset of Common Lisp and proven correct by ACL2.A trusted clause processor does not require a correctness proof; instead, alltheorems are tagged to identify the trusted processors that they may dependon. Logically, the tag adds the soundness of the trusted clause processor asa hypothesis to any theorem that depends on the clause processor. In otherwords, a theorem that depends on a trusted clause processor effectively says:Program 3.1 trusted tag theorem1 (defthm trusted-tag-theorem2 (implies (and (the-hypotheses-given-by-the-user)3 (the-clause-processor-is-sound))4 (the-conclusion-holds)))3.1.1 The Top-level ArchitectureI incorporate Z3 into ACL2 as a trusted clause processor as shown in Fig-ure 3.2. I call the clause processor Smtlink. As directed by a user provided393.1. Clause Processor ArchitectureexpandedclauseACL2 (lisp) to smt−pytranslateSMT clause(python)clauseNot(clause)satisfiable?generatereturnclause Z3simplifyexpand &originalclauseACL2 (lisp)generatereturnclausestep 2translationlisp (ACL2) python (z3)(proven)yesstep 1translationoriginal expanded(impliesexpandedoriginal)false sat, unsat,unknownor?unsatnoacl2SMTreturnG GZ3G′, A1, A2, ..., AmA1 ∧ A2 ∧ ... ∧ Am ∧ (A1 ∧ A2 ∧ ... ∧ Am ∧G′ ⇒ G)¬GZ3Figure 3.2: Top-level architecture of Smtlinkhint, ACL2 can invoke Smtlink to discharge a particular goal or subgoal ofa proof. Let G denote this goal. As described in the subsequent sections,this formula is first transformed into an equivalent (or stronger) formula,G′ and a list of auxiliary claims denoted by A1, A2, ...Am. The secondphase of translation produces a z3py (Python) representation of G′, we’llcall this Gz3. ACL2 starts a Python process to run a script to test thesatisfiability of ¬Gz3. If Z3 establishes that ¬Gz3 is unsatisfiable, then Gz3and therefore G is a theorem. In this case, Smtlink returns the clauseA1 ∧A2 ∧ ...∧Am ∧ (A1 ∧A2 ∧ ...∧Am ∧G′ ⇒ G) to ACL2. By this mech-anism, ACL2 verifies that the transformations performed by the translatorwere sound. If Z3 finds a satisfying assignment to ¬Gz3, it is returned as acounter-example. Counter-examples are shown to the user in the printout.More technical issues about how one can make use of the counter-examplesare described in Section 3.5. If Z3 fails to determine the satisfiability of¬Gz3, Smtlink reports that it was unable to make progress. Each of thesesteps is described in more detail in the remaining sections of chapter.403.1. Clause Processor Architecture3.1.2 Ensuring Soundness in SmtlinkThe soundness (and vulnerabilities) of this approach can be understood fromthe following logical sequent:(∧mi=1Ai) ; each Ai verified by ACL2((∧mi=1Ai) ∧G′)⇒ G ; verified by ACL2GZ3 ⇒ G′ ; we trust translation step 2GZ3 ; verified by Z32G(3.1)This is easily shown to be a tautology. Note that the first translationstep has no impact on soundness; in other words, the sequent above is atautology for any choice of G′. Of course, if the first step is faulty, thenit is likely that either it will produce a G′ that is too strong and Z3 willbe unable to discharge it, or G′ will be too weak, and ACL2 will be unableto discharge ((∧mi=1Ai ∧ G′) ⇒ G. Thus, a correct implementation of thefirst translation step is important for Smtlink to be useful, but it has noimpact on soundness. Accordingly, I organized the code so that most of thecomplexity would be in the first translation step, and the second step justtranslates a small number of simple Lisp operations to their equivalent, the Python module that I wrote to provide a generic interfacebetween Smtlink and SMT solvers.SMT solvers use heuristics for domain specific problems and it is possiblethat Z3 may return ‘unknown’ because of the complexity of the problem.In this case, the SMT solver’s response does not help us determine thetruth of the original theorem. Furthermore, semantic gaps can exist betweenthe ACL2 formula and formulas that are within the theories supported bythe SMT solver. These issues are described in detail in Section 3.2. Thetranslator is written to ensure that the claim, G′ that is verified by Smtlink2For the purposes of the clause processor, determining the truth of G′ also depends oncorrectly invoking the Python program and properly interpreting the string output by theprogram to report the outcome from Z3. All of this code is simple, straightforward, andlargely based on code for other external clause processors (SAT solvers) that are alreadyin use with ACL2.413.2. Smtlink ArchitectureProgram 3.2 A SMT eligible theorem in ACL21 (defun foo (x y) (* x (+ 1 y)))2 (defthm test3 (implies (and (and (rationalp x)4 (integerp y)5 (integerp z))6 (and (not (<= x 0))7 (equal z (+ 3/2 4))8 (or (> x y) (> x (+ y 40/3)))))9 (> (foo x (foo x z)) (foo x y))))is at least as strong as the original claim, G. If G′ is stronger than G,then the SMT solver may find a counter-example to G′ that does not refutethe original claim, G. The goal for Smtlink is to ensure soundness, butcompleteness is not possible, nor is completeness required for Smtlink to beuseful in practice.3.2 Smtlink ArchitectureIn ACL2, theorems are written in a comprehensive, applicative subset ofCommon Lisp. The Smtlink translator produces Python programs that usethe acl2SMT API that I wrote. This API is specifically designed for Z3’sPython interface, z3py, but should be suitable for use with other SMT solversas well. To implement a full translator from ACL2 into Z3 is not possibledue to the asymmetry between the two logics. Therefore, Smtlink onlytranslates a subset of the ACL2 logic that is practical to express as a SMTproblem. With our emphasis on AMS verification, I designed Smtlink withan emphasis on using SMT to reason about systems of linear and non-linearequalities and inequalities.Program 3.2 shows a simplified example of an ACL2 theorem that issuitable for discharging with a SMT solver. Such a theorem consists offour parts: function definitions, type assertions, inequality constraints onthe variables and the inequality property to prove. Program 3.3 shows astatement of the same theorem using z3py. In general, the translator needs to423.2. Smtlink ArchitectureProgram 3.3 A SMT theorem in Z31 def foo(x,y):2 return x*(1+y)34 x=Real("x")5 y=Real("y")6 z=Real("z")78 hypothesis=And(Not(x <= 0), (z == (3/2 + 4)),9 Or((x > y), (x > (y + 40/3))))10 conclusion=foo(x,foo(x,z)) > foo(x,y)11 Prove(Implies(hypothesis, conclusion))Program 3.4 SMT-eligible ACL2 theorem format1 (defthm SMT-eligible-theorem2 (implies (and (and list-of-variable-type-assertions)3 (and other-hypothesis))4 conclusion))extract the type assertions for variables, the hypotheses, and the conclusionfrom the clause given to the clause processor. Furthermore, it should beable to identify and expand calls to user-defined functions.For simplicity, I require that the ACL2 clause to be proven using the SMTsolver has the structure shown in Program 3.4: For example, Program 3.2has this structure. Each type assertion is of the form (type-recognizervariable ), where type-recognizer is one of the ACL2 recognizer functions,booleanp, integerp, or rationalp, and variable is a symbolic variable ap-pearing in the clause. All variables must be declared in this fashion. Theterms other-hypotheses and conclusion can be any predicates supported bythe translator; in particular, these terms are quantifier free. Often, other-hypotheses is a conjunction of equality and/or inequality constraints on thevariables, and conclusion is the equality or inequality to be proven. Requir-ing this structure simplifies the implementation of the translator and hasnot been a serious restriction for the examples we have tried (see Chapter 4)433.2. Smtlink Architectureas ACL2 theorems about systems of real-valued inequalities are typicallywritten in a form very similar to the one we require.Several technical issues arose when I implemented the transformationand translation. Typed vs. untyped. ACL2 is untyped and Z3 is typed. Smtlink re-quires the user to provide a type assertion for every free variable oc-curring in the theorem. See Section 3.2.1 Rational vs. Reals. ACL2 only supports rationals and Z3 supports re-als. Smtlink strengthens the clause to be proven by replacing rationalassertions with real assertions. See Section 3.2.1 Richer logic in ACL2. ACL2 supports a much richer logic than is sup-ported by Z3. Smtlink supports clauses that are boolean combinationsof rational function equalities and inequalities. See Section 3.2.2 Function expansion. For user-defined functions and recursive func-tions, Smtlink expands them into a set of primitive functions. SeeSection 3.2.2 Non-polynomial expressions. Z3 only supports theories for polynomial(and rational function) inequalities. Smtlink provides a mechanismthat allows the user to replace non-polynomial expressions with vari-ables. See Section 3.2.3 Adding hypotheses. Smtlink allows the user to specify additionalhypotheses to be added to GZ3 and then verified by ACL2. Typically,these are instances of previously proven theorems, or constraints onvariables that the user introduced as replacements for non-polynomialexpressions. See Section 3.2.3 Forwarding hints. Clauses returned to ACL2 are supposed to be “easy”for ACL2 to prove. In fact, the “automatic” aspect of ACL2 requiresACL2 to discharge these clauses without further interaction from theuser; otherwise, the proof of the theorem fails. Occasionally, ACL2443.2. Smtlink ArchitectureProgram 3.5 An example showing ACL2’s type recognizer1 (defthm not-really-a-theorem2 (iff (equal x y) (zerop (- x y))) )fails to prove a user added hypothesis. In this case, the user canprovide hints. For example, using The Method (see Chapter 2.2.4),the user can prove a suitable lemma, and then give a hint that tellsACL2 how to instantiate this lemma to discharge the clause returnedby Smtlink. See Section 3.2.3Sections 3.2.1 through 3.2.3 present these challenges and my solutions toeach.3.2.1 Type AssertionA fundamental difference between the ACL2 and Z3 is that ACL2 uses anuntyped logic whereas the logic of Z3 is typed. For example, consider theputative ACL2 theorem 3.5. ACL2 is untyped and requires all functionsto be total. Thus, (- x y) is defined for all values for x and y, includingnon-numeric values. For example, x could be a Lisp atom and y could be alist. What is (- ’dog (list "hello", 2, ’world))? As implemented inACL2, arithmetic operators treat all non-numeric arguments as if they werezero. Thus,Expression Value(- ’dog (list "hello", 2, ’world)) 0(zerop (- ’dog (list "hello", 2, ’world))) t(equal ’dog (list "hello", 2, ’world)) nil(iff (equal ’dog (list "hello", 2, ’world)) nil(zerop (- ’dog (list "hello", 2, ’world))))On the other hand, Z3 uses a typed logic, and each variable must havean associated sort. If we treat x and y as real-valued variables, the z3pyequivalent to not-really-a-theorem is453.2. Smtlink ArchitectureProgram 3.6 Rewrite the theorem1 (defthm this-is-a-theorem2 (implies (and (rationalp x) (rationalp y))3 (iff (equal x y) (zerop (- x y))) ))>>> x, y = Reals([’x’, ’y’])>>> prove((x == y) == ((x - y) == 0))provedIn other words, not-really-a-theorem as expressed in the untyped logicof ACL2 is not a theorem, but the “best” approximation we can make inthe typed logic of Z3 is a theorem.Smtlink employs two methods to address these issues: type assertionsand type correspondence. With type assertions, the user indicates the in-tended type of each free variable in an ACL2 claim. If any variables havevalues outside of the asserted domains, Smtlink states the claim triviallyholds. With type correspondence, I wrote Smtlink to ensure that the Z3sorts for variables correspond to the types asserted in the ACL2 claim. Forbooleans and integers, this correspondence is immediate. On the other hand,we represent ACL2 rational numbers using Z3’s sort for reals. The remainderof this section describes these design decisions in more detail and presentsour justifications for their soundness.Typed vs. UntypedTheorems in ACL2 are written as terms in Common Lisp, an untyped lan-guage. Variables and expressions in Common Lisp, and hence in ACL2, donot have types. On the other hand, Common Lisp provides type recognizersfor values including integerp and rationalp. We can rewrite the previoususing type assertions as Program 3.6. ACL2 proves this theorem automat-ically. Note that with our previous example, if x is the atom ’dog and yis the list ("hello", 2, ’world)), then (rationalp x) and (rationalpy) are both false and the theorem holds trivially because the antecedent of463.2. Smtlink Architecturethe implication is false. In the case that x and y both have value that arerational numbers, then the theorem states the basic arithmetic result, whichwas (presumably) the user’s intention.Program 3.4 shows the structure that Smtlink requires. In particular,if a goal does not preserve the syntactic format illustrated here, Smtlinkwill produce an error and fail to prove the theorem. Smtlink maintainssoundness when translating from the untyped logic of ACL2 to the typedlogic of SMT solvers by enforcing the syntactic structure described aboveand by using SMT sorts that can represent all values recognized by thecorresponding ACL2 type recognizers. A bit more formally, let U be the setof all values in the ACL2 universe. Then, a theorem like the one depictedin Program 3.4 is equivalent to the logical formula:∀x1, x2, ..., xm ∈ U.m∧i=1Ti(xi) ∧n∧j=1hj(x)⇒ C(x) (3.2)where Ti is the type of the ith variable; hj is the jth “other” hypothesis; Cis the conclusion of the theorem; and the theorem has m free variables andn “other” hypotheses. The corresponding formula to be discharged by theSMT solver is:∀x1 ∈ S1, x2 ∈ S2, ..., xm ∈ Sm.n∧j=1h˜j(x)⇒ C˜(x) (3.3)where S1, S2, ..., Sm are the SMT sorts corresponding to the type recognizersT1, T2, ..., Tm; h˜j(x) is the translation of h(x); and C˜(x) is the translationof C(x). For soundness, we want to show that if the formula from Equa-tion 3.3 holds, then the formula from Equation 3.2 must hold as well. Thiscorrespondence is ensured if: ∀xi ∈ U. Ti(xi)⇒ xi ∈ Si ∀x1, x2, ..., xm ∈ U. (∧mi=1 Ti(xi))⇒ (hj(x)⇒ h˜j(x)) ∀x1, x2, ..., xm ∈ U. (∧mi=1 Ti(xi))⇒ (C˜(x)⇒ C(x))473.2. Smtlink ArchitectureThe first condition requires that every value that satisfies an ACL2 typerecognizer must be a value of the corresponding SMT sort. As currentlyimplemented, Smtlink supports booleans, integers, and rationals/reals asshown in Table 3.1. Z3’s booleans and integers match the same, standard,mathematical definitions as those used in ACL2. On the other hand, ACL2uses rational numbers where Z3 uses reals – this difference is discussed inmore detail below. The last two conditions given above require that Smtlinkmust preserve the meaning of terms. More specifically, the hypotheses astranslated by Smtlink must be no stronger than those of the ACL2 theorem,and the conclusion must be at least as strong.As shown in Figure 3.2, Smtlink performs translation in two phases,where the first phase is verified by ACL2 and the second is trusted. Typeassertion is handled in the second phase. This means that we are trust-ing Smtlink to correctly recognize the syntactic structure depicted in Pro-gram 3.4 and to declare SMT variables of the correct sorts correspondingto the ACL2 type recognizers. In both cases, the translation is simple, andthe code is easily inspected.In the current implementation, Smtlink does not check to make sure thatall free variables have type assertions nor does it check if there are multipletype-assertions for the same variable. If a user omits a type assertion, thenthe corresponding variable will be undeclared, and this will cause the Pythoncode to report an error. If there are duplicated type assertions for the samevariable, ACL2 will take the conjunction of the assertions as hypothesis andZ3 will use the last declaration. Thus, the Z3 hypothesis will be weaker thanthe ACL2 ones. It will be beneficial to check duplicated variable declarationin future work.Rationals vs. RealsAnother asymmetry comes from the fact that, due to implementation issues,every number in ACL2 must be either an integer, a rational number, or aninteger or rational complex number. In contrast, Z3 provides a sorts forintegers and real numbers, but no sort for rational numbers. While we could483.2. Smtlink ArchitectureProgram 3.7 An example showing rational vs. reals problem in ACL21 (defthm rational-vs-reals2 (implies (and (and (rationalp x))3 (and))4 (not (equal (* x x) 2))))Program 3.8 An example showing rational vs. reals problem in Z31 x = Real("x")2 prove(Not(x*x == 2))introduce a user-defined type for rational numbers (i.e. a pair of integers)and define arithmetic and comparison operations on such numbers, doingso would preclude using Z3’s decision procedures for non-linear arithmetic,and that is our primary motivation for integrating a SMT solver into ACL2.Z3 uses Gro¨bner bases combined with rewriting heuristics to reason aboutsystems of polynomial equalities and inequalities. These procedures apply toreal-valued variables. Some care is needed to handle this mismatch betweenreal-numbers and rationals. As an example, consider the theorem shownin Program 3.7. This theorem can be proven, albeit with some manualeffort, using ACL2 [45]. In English, the theorem states “2 does not have arational square root”. Smtlink translates Program 3.7 to the Python codethat is roughly equivalent to (but much more verbose than) that shown inProgram 3.8.Because Z3’s non-linear arithmetic procedures support real numbers, Z3finds the counter-example x =√2, but this is not a valid counter-example tothe original theorem. More generally, Smtlink may strengthen a theorem.In this case, the strengthening is because while (rationalp x) implies x ∈R, the converse does not hold. When Smtlink discharges a strengthenedtheorem, the original theorem must hold as well. As currently implemented,Smtlink does not provide counter-example generation, and if it refutes atranslated theorem, we can make no conclusions about the original version.Smtlink prints the counter-example to the ACL2 log for the user to examine,493.2. Smtlink Architecturebut ACL2 makes no further use of such results. Presumably, one could checkto see if a counter-example generated by Z3 only used booleans, integers andrational numbers. If so, then this will be a valid counter-example for theoriginal theorem in ACL2 and could be used as an existential witness. Morediscussion can be found in Section 3.5.ACL2 Z3integerp Intrationalp Realbooleanp BoolTable 3.1: Type assertion translation3.2.2 Supported LogicSmtlink minimizes the portion of code that needs to be trusted in trans-lation step 2 (as shown in Figure 3.2). It achieves such goal by defining asmall set of primitive functions to be translated in translation step 2. Allother functions (including user-defined functions and ACL2’s other built-infunctions) should be expanded and simplified into the small set of primitivefunctions. The expansion and simplification happen in translation step 1,which is ensured soundness by Smtlink’s software architecture 3.2.For our intended application, we focus on supporting arithmetic, com-parison, and boolean operations from ACL2 and translating these to theirSMT equivalents. As shown in Table 3.2,. most of these operators are Lispmacros in ACL2, and our translator sees the macro-expanded form. Ac-cordingly, our translator supports clauses consisting of the Lisp functionsappearing in the right column of Table 3.2. Table 3.3 shows how each suchLisp function has a corresponding method in the acl2SMT module. Chap-ter 3.3 discusses the Z3 interface class of Smtlink.2Note that macro expansions shown in the table are not exact definitions but exampleinstances. E.g. In ACL2, +, -, and and or are actually macro-expanded into a recursivefunction that takes an uncertain number of inputs.503.2. Smtlink ArchitectureBefore macro expansion After macro expansion(+ x y z) (binary-+ x (binary-+ y z))(- x y) (binary-+ x (unary-- y))(* x y z) (binary-* x (binary-* y z))(/ x y) (binary-* x (unary-/ y))(equal x y) (equal x y)(> x y) (> x y)(>= x y) (>= x y)(< x y) (< x y)(<= x y) (<= x y)(and x y z) (if x (if y z nil) nil)(or x y z) (if x t (if y t z))(not x) (not x)(nth listx) (nth listx)Table 3.2: ACL2’s macro expansionsFunction ExpansionFor user defined functions or other ACL2 built-in functions, Smtlink ex-pands them into the set of primitive functions. This approach has severalbenefits. First, we won’t need to worry about translation of a function defi-nition in ACL2 to Z3, which can be tedious. Second, for recursive functions,it’s not even possible to directly translate them into Z3, because recursivedefinitions can not be symbolically expanded in Z3. As shown in Chap-ter 3.1.1, clause G′ is the result clause after this expansion. Thus the expan-sion will be ensured correctness when the clause A1∧A2∧ ...∧Am∧G′ ⇒ Ggets returned back for ACL2 to prove.To see how the function expansion works, for example, given the functiondefinition of fun-example:(defun fun-example (a b c) (+ a b c))Suppose in some theorem, we encounter function call (foo (+ x y) x (/z x)). The first phase of translation expands this to:((lambda (VAR1 VAR2 VAR3) (+ VAR1 VAR2 VAR3)) (+ x y) x (/ z x))513.2. Smtlink ArchitectureACL2 primitives SMT interfacebinary-+ acl2SMT.plusunary– acl2SMT.negatebinary-* acl2SMT.timesunary-/ acl2SMT.reciprocalequal acl2SMT.equal><≥≤ acl2SMT.leif acl2SMT.ifxnot acl2SMT.notxnth acl2SMT.ntht acl2SMT.Truenil acl2SMT.FalseTable 3.3: Z3 interface for each ACL2 primitivesSmtlink requires the user to provide a list of functions that should be ex-panded. For each such function, the user also specifies the maximum depthof the expansion and the return type. The function expander traverses thes-expression and expands along each path for a fixed number of levels foreach function provided by the user. In a world without recursive functions,this expansion will be performed only once for any function along a specificpath.With recursive functions, functions along each path will be expanded un-til user specified levels are reached. Then, Smtlink replaces the remainingfunction calls with newly introduced variables and adds type assertions onthe new variables. To ensure correctness, Smtlink returns the correspondingtype specification theorems back to ACL2 as auxiliary theorems (as men-tioned in Chapter 3.1.1). Using this approach, the expansion strengthensthe original clause; thus, Smtlink asks the SMT solver to prove a strongertheorem. However, this approach can produce an over-strengthening of theoriginal theorem that causes Z3 to fail proving the translated theorem. Tosolve this issue, the user can provide additional hints to weaken the trans-lated theorem. This is discussed in Section Smtlink Architecture3.2.3 Advanced IssuesThe previous sections described the top-level structure and basic construc-tions of Smtlink. This section describes other features that makes theintegration more flexible and extensible.User provided substitutions make it possible to substitute part of theclause formula with a new variable. Furthermore, the user can providehypothesis predicates that constrain those variables or convey other infor-mation to the SMT solver that may be “obvious” within ACL2. Thesehypotheses can make a SMT based proof possible and/or more efficient.Smtlink returns the user provided predicates as clauses for ACL2 to prove.Therefore, ACL2 automatically checks if the hypothesis on the substitutionis valid. User provided hints help discharge some of the hard (auxiliary)theorems returned back to ACL2. The sections below describe each featurein detail.User Provided SubstitutionTo see why we need user provided substitutions, considering the followingclaim:∀a, b, γ ∈ R,∀m,n ∈ Z, 0 < γ < 1, 0 < m < n⇒ γm(a2 + b2) ≥ γn(2ab).Program 3.9 is the ACL2 code for this theorem. This theorem seems likea good candidate for proving using SMT methods. Given the function ex-pansion mechanism of Smtlink, the exponential functions in this theoremwill be expanded to a given level, and the last function call will be replacedwith a typed variable. However, this is an over-strengthening of the originaltheorem and Z3 fails to prove such theorem. Is this theorem impossible toprove using SMT techniques? Taking a closer look, one can see there is asimple reason why the theorem holds. A manual proof would observe thatbecause 0 < gamma < 1, 0 < m < n and gammam > gamman > 0. Fur-thermore, for any a, b ∈ R, a2 + b2 >= 2ab, and a2 + b2 >= 0. The claimfollows directly from these inequalities. All of these are within Z3s theoryof non-linear arithmetic except for deduction that gammam > gamman > 0this step requires a (trivial) proof by induction. Our strategy is to provide533.2. Smtlink ArchitectureProgram 3.9 Why need user provided substitution1 (defthm substitution2 (implies (and (and (rationalp a)3 (rationalp b)4 (rationalp gamma)5 (integerp m)6 (integerp n))7 (and (> gamma 0)8 (< gamma 1)9 (> m 0)10 (< m n)))11 (>= (* (expt gamma m)12 (+ (* a a) (* b b)))13 (* (expt gamma n)14 (* 2 a b)))))gammam > gamman and gamman > 0 to the SMT solver as hints, and letACL2 discharge those hints using its inductive reasoning capabilities.I implement this strategy using the mechanisms for substitutions andadding hypotheses described above. User defined substitutions direct Smtlinkto replace (expt gamma m) and (expt gamma n) with two newly introducedvariables expt-gamma-m and expt-gamma-n. Then, user provided hypothe-ses about those two variables are added: (< expt-gamma-n expt-gamma-m),(> expt-gamma-m 0) and (> expt-gamma-n 0). Smtlink sends the result-ing clause G′ to Z3. Z3 has no problem discharging this theorem. For eachuser provided hypothesis, Smtlink produces an auxiliary theorem and sendsit back to ACL2 to discharge.This mechanism greatly broadens the set of SMT problems Smtlinkcan handle. Especially when there exists limitations on Z3 that ACL2 canhandle, or when we want to build upon known theorems about sub-formulasof the original clause. User provided hypotheses can make it easy to provetheorems that would involve long, tedious derivations if done entirely withinACL2 and that would seem unsuitable for SMT alone given the limitations ofthe supported theories. Often, a small amount of human reasoning conveyedas simple hints can enable a large degree of proof automation.543.3. The Low-level InterfaceUser Provided HintsSmtlink allows several supposedly “easy” clauses to be sent back to ACL2.They are in the clause A1 ∧ A2 ∧ ... ∧ Am ∧ (A1 ∧ A2 ∧ ... ∧ Am ∧ G′ ⇒G). However, ACL2 may be unable to discharge some of these clausesautomatically. Thus hints are needed from human user.ACL2 has this feature called hints to help guide a proof. Basically, a hint,which is a theorem already proved in the system, is an antecedent added tothe intended proof. Consider the case where we want to prove theorem T ,and we recognize that T is a simple arithmetic transformation of an existingtheorem, H. Adding H as a hint to T is equivalent to constructing a newproof in the form H → T . Since the user has already proven H somewherein the ACL2 world, ACL2 knows the theorem T to be true. ACL2 has thehint feature for common theorem statements, but doesn’t have this featurefor discharging clauses returned by the clause processor. I added this featureto my construction.3.3 The Low-level InterfaceThe previous section described the translator part of the clause processorwhich is composed of clause transformation & simplification and a Lisp-to-Python translator. See Smtlink architecture 3.2. This section presentstwo other parts in the low-level interface: the Z3 interface, and the resultinterpreter.3.3.1 Z3 InterfaceMy current implementation of Smtlink uses the Z3 SMT solver. However,the code is written in a way that should make using other SMT solversstraightforward. In particular, all methods of the underlying SMT solverare invoked through methods of an object called acl2SMT. For example, provides the addition operator; acl2SMT.True provides theboolean constant for True; etc. I also wrote a module called acl2 Z3 thatprovides a class called to smt with a no-arg constructor that returns an553.3. The Low-level Interfaceobject with the methods described above. In this case, this object uses Z3sz3py API to implement these methods.This mechanism has one significant benefit. The acl2SMT interface pro-vides a very flexible interaction between ACL2 and other SMT solvers asshown in figure 3.3. Imagine we want to use another SMT solver, say Yices[40]. The only thing needed to be done is to develop a Yices interface forthe same set of primitive functions. It is likely that the functions will bevery similar to those for Z3. In a word, Smtlink should be easily extendedto connect to other SMT solvers.expandedclauseACL2 (lisp) to smttranslategeneratereturnclausesimplifyexpand &originalclauseACL2 (lisp)generatereturnclauseSMT clause(target language)clauseNot(clause)satisfiable?step 2translationlisp (ACL2) target SMT language(proven)yesstep 1translationoriginal expanded(impliesexpandedoriginal)false unsatnoreturn?SMTacl2SMTInterpret resultGG′, A1, A2, ..., AmA1 ∧ A2 ∧ ... ∧ Am ∧ (A1 ∧ A2 ∧ ... ∧ Am ∧G′ ⇒ G)¬GSMTGSMTFigure 3.3: Clause processor framework with another SMT.3.3.2 Interpret the ResultThe goal behind interpreting the returned result from SMT solver is toensure soundness. As shown in figure 3.2, there are three possible outcomesfrom a SMT solver. When it reports UNSAT, we know the original clauseis true. When it reports SAT and provides the counter-example, becauseSmtlink strengthens the theorem when doing clause transformation andtranslation, we don’t know if the counter-example is valid or not. The thirdcase is when the SMT solver reports timeout or other exceptions. We don’tknow whether the theorem is true or not as well.563.4. Conclusion: What’s Trusted?To see in detail how this works, ACL2 provides a function called tshell-call to call external procedures. This function can only be used when aprogram is properly tagged as “trusted”. This function takes the shell com-mand and returns the output from the command through one of the returnedvalues which is a list of strings. Smtlink interprets the result as in one ofthe three cases discussed above. For example, if Z3 output equals “proved”,then one knows the negation is UNSAT and the original theorem is proved.Otherwise, Smtlink simply prints the output and lets the user decide whatkind of error it is.3.4 Conclusion: What’s Trusted?This section examines which parts of the code need trust from the user. Inother words, these are the assumptions I’ve made in Smtlink. First, I assume that the clause processor can correctly recognize theproposed theorem statement structure. In particular, it looks for the-orem statement as in Program 3.4. This is a pattern matching thatcan be easily done in LISP. Second, I assume the method of weakening type hypotheses can strengthenthe theorem. In particular, I want Z3 sorts to be supersets (or equalto) their ACL2 counterparts: ACL2 Booleanp gets translated to Z3Bool, ACL2 Integerp gets tranlsated to Z3 Int and ACL2 Rationalpgets translated to Z3 Real, which is a superset of ACL2 Rationalp.This is illustrated in Table 3.1. Third, I assume the Z3 operators produced by Smtlink translatormatch the semantics of their ACL2 counterparts. Fourth, I assume that the code that writes the string generated by thetranslator to a file, invokes Python, and interprets the result will workcorrectly. Note that these operations are very simple and straightfor-ward. The high-complexity code only occurs for function expansion,user specified substitutions, and user added hypotheses. However,573.5. Future Worknone of this code requires trust, because this is done in the first stepof translation, and the result of that translation is verified by ACL2.3.5 Future WorkFor several design decisions I’ve made, more general solutions are possible.Due to thesis time limitation, I didn’t explore all of them. This sectiondiscusses what could be done differently and could potentially give betterresults.Guards instead of user-provided types: ACL2 provides a mechanismfor restricting inputs and outputs of a function to be in a particular do-main. This mechanism is called a “guard”. ACL2 users are encouragedto add guards to their modeling functions so that the functions are morewell-formed. Given that users of ACL2 might follow this mechanism, typeassertions can be retrieved from guards on each function, instead of beingretrieved from user provided type assertions. Smtlink can provide bothmethods and let the user decide which mechanism he/she wants to use.Returning counter-examples: Smtlink returns the potential counter-examples to ACL2 and prints them out for the user to check. In princi-ple, Smtlink could check to see if the counter-examples from Z3 are mean-ingful in ACL2 (i.e., all numbers have integer or rational values). Then,Smtlink could try that assignment with the original goal. If it satisfiesthe original goal, then Smtlink can report a valid counter-example. If itdoesn’t, Smtlink has an indeterminate result. In principle, one could usethis counter-example to refine the definition of G′, and try again.ACL2(r): There is a version of ACL2 called ACL2(r) [46]; the “r” standsfor reals. ACL2(r) has support for real number reasoning. When I begandeveloping Smtlink, ACL2(r) did not support the full collection of “books”of theorems that the mainstream ACL2 theorem prover did. There is anongoing effort to unify the two versions that is nearly complete. I have583.6. Summarysuccessfully used Smtlink with both ACL2 and ACL2(r) for the convergenceproof in the next chapter. Note that when ACL2(r) is used, then there isno semantic gap in the number representation between the theorem proverand the SMT solver.Function expansion with better automation: Smtlink can providebetter automation to function expansion. Smtlink could use a default modein which functions would always be expanded one level. It could maintaina “do-not-expand” list of functions that should not be expanded. Featurescan be added to allow a richer set of assertions about the return result forrecursive functions. Such assertions could be automatically obtained fromguard expressions for the function. Right now, the user can only assertreturn types, but the user might know more sophisticated properties ( inductive property) about a recursive function. Adding these featuresshould make Smtlink easier to use and enable writing more succinct proofs.3.6 SummaryThis chapter described the implementation of Smtlink, my interface be-tween ACL2 and SMT solvers, in particular Z3. A key principle I stickto is that all transformations and translations are only strengthening thetheorem; thus soundness is ensured.Smtlink consists of three parts: the translator, the low-level interfaceand the SMT solver. The translation is performed in two steps. The firststep takes an ACL2 theorem as input and transforms and simplifies thetheorem into a set of auxiliary theorems and a new goal. This new goal usesonly a very small subset of the Lisp functions provided in ACL2. The secondstep performs a straight forward translation from LISP to z3py on the newgoal. The architecture is trustworthy in practice because most complexityfalls in clause transformation and simplification code. The result of clausetransformation and simplification is returned for ACL2 to check correctness.In principle, one could use proof-reconstruction [60] and/or certificates [19]in which case the user would only need to trust ACL2 itself, but that would593.6. Summarybe a separate thesis topic. My focus has been on developing a useful tooland demonstrating it on a real example.The low-level interface makes it possible that one can extend Smtlinkwith different SMT solvers. This chapter also discusses a list of interestingissues that arise in Smtlink and proposes my solutions. From the discussionof what is trusted, one can see that Smtlink is reliable because it only relieson a limited set of things. Future work could include several improvementdirections including better type inference, better counter-examples, usingACL2(r) to get better support for reals and a better function expansionmechanism.60Chapter 4Verifying GlobalConvergence of a Digital PLLThis chapter demonstrates the value of Smtlink for AMS design by using itto verify the global convergence of a digital phase-locked loop (digital PLL).This experiment shows that one can employ an analytical approach for AMSverification, and how Smtlink supports this approach well. The analyticalapproach allows us to verify properties that cannot be shown by typicalreachability methods: in particular it can be shown that a convergenceis guaranteed with model parameters in ranges, rather than with specificvalues.In this chapter, Section 4.1 introduces phase-locked loops describing boththeir operation and their applications. The particular digital PLL that Iverify is described as well. Section 4.2 develops a mathematical model for thedigital PLL that is amenable to formal reasoning, and Section 4.3 presentsthe proof itself. I note that this proof shows the main result needed toestablish convergence, but there are still some details left that would beneeded for a complete verification. Section 4.4 summarizes what has beenproved in this convergence proof and discusses possible future work.4.1 The Digital PLLA PLL is a feedback control system that generates an output signal withthe same frequency as the input or with a frequency that is some multipleof the input frequency. A PLL also requires that the phase of output signalshould match that of the input. To control both the frequency and thephase of the oscillator, a PLL is a second order control system. PLLs are614.1. The Digital PLLubiquitous in a wide range of electronic devices. PLLs are used in computersfor clock generation and to ensure proper timing of high bandwidth interfacesto DRAM, graphics and network interfaces, etc. For wireless devices suchas mobile phones, PLLs are used to generate, modulate, and decode radiosignals. These are just a few examples of how PLLs are used.Traditionally, PLLs have been designed as purely or primarily analog sys-tems. As described in Chapter 2, analog modules are being largely replacedby digital counterparts due to the difficulties of analog design in state-of-the-art fabrication processes and the extra configurability offered by digitaldesigns. These observations apply to PLLs as well, leading to the dominanceof “all-digital” or “digitally intensive” PLL design today. Digital blocks inthe circuitry change the behavior of a circuit from continuous to partiallydiscrete. The designer’s intuition is that given the original analog circuitis strongly converging, proper discretization shouldn’t drive it too far fromconverging again. However, discretization can introduce unintended modesof operation. Furthermore, if designers could be confident that their designsdid behave as intended, then more aggressive techniques could be used toachieve higher performance, lower power consumption, smaller area, etc.Due to limitations with today’s AMS validation tools, we need formal ver-ification to make sure a PLL is functioning correctly. Section 2.3 gives adiscussion on related work of PLL verification research.Figure 4.1 shows the digital phase-locked-loop (PLL) verified in thisthesis; it is a simplified version of the design presented in [33]. The purposeof this PLL is to adjust the digitally-controlled oscillator (DCO) so that itsoutput, ΦDCO has a frequency that is N times that of the reference input,Φref and so that their phases match (i.e. each rising edge of Φref coincideswith a rising edge of ΦDCO). The three control-paths shown in the figuremake this a third-order digital control system. By design, the lower twopaths dominate the dynamics making the system effectively second-order.The DCO has three control inputs: φ, c, and v. The φ input is usedby a proportional control path: if Φref leads ΦDCO/N then the PFD willassert up, and the DCO will run faster for a time interval corresponding tothe phase difference. Conversely, if Φref lags ΦDCO/N , the dn signal will be624.1. The Digital PLLLinearPhaseControlBang−BangFrequencyControlΣFrefΣFrefDACBBPFD0:230:1415:230:7refΦ ΦDCOΦDCO/NPFD+−dnupCoarseControlFrequencydiscardedc v DCOφ÷N−(Centercode)Φref is the reference signal whose frequency is denoted by fref .ΦDCO is the output of the digitally controlled oscillator whose fre-quency is denoted by fdco .Labels of the form lo:hi denote bits lo through hi (inclusive) of a binaryvalue.Figure 4.1: A Digital Phase-Locked Loopasserted, and the DCO will run slower for a time interval corresponding tothe phase difference. If the frequencies of Φref and ΦDCO/N are not closelymatched, then the PFD simply outputs up (resp. dn) if the frequency ofΦDCO/N is lower (resp. higher) than that of Φref .The c input of the DCO is used by the integral control path. TheDCO in [33] is a ring-oscillator, and the c input controls switched capacitorloads on the oscillator – increasing the capacitive load decreases the oscilla-tor frequency. The bang-bang phase-frequency detector (BBPFD) controlswhether this capacitance is increased one step or decreased one step for eachcycle of Φref . The c input provides a fast tracking loop.The v input of the DCO is used to re-center c to restore tracking range.This input sets the operating voltage of the oscillator – the oscillator fre-quency increases with increasing v. The accumulator for this path is drivenby the difference between c and its target value ccenter .As a control system, the PLL converges to a switching surface where cand φ fluctuate near their ideal values. As presented in [33] these limit-cyclevariations are designed to be slightly smaller than the unavoidable thermal634.2. Modeling the Digital PLLand shot-noise of the oscillator. Furthermore, the time constants of thethree control loops are widely separated. This facilitates intuitive reasoningabout the system one loop at a time – it also introduces stiffness into thedynamics that must be considered by any simulation or reachability analysis.These characteristics of convergence to a switching surface and stiffness frommultiple control loops with widely separated tracking rates appear to becommon in digitally controlled physical systems. This motivates using thedigital PLL as a verification example and challenge.4.2 Modeling the Digital PLLFrom Spectre simulations (see Figure 4.2), I observe that the oscillator fre-quency is very nearly linear in v and nearly proportional to the inverse ofc for a wide range of each of these parameters. The phase error, φ is acontinuous quantity, but the values of c and v are determined by the dig-ital accumulators that are updated on each cycle of the reference clock,fref . This motivates modeling the PLL using a discrete-time recurrence forreal-valued variables:c(i+ 1) = saturate(c(i) + gc sgn(φ), cmin, cmax)v(i+ 1) = saturate(v(i) + gv(ccenter − c(i)), vmin, vmax)φ(i+ 1) = wrap(φ(i) + (fdco(c(i), v(i))− fref )− gφφ(i))fdco(c, v) = 1+αv1+βc f0saturate(x, lo, hi) = min(max(x, lo), hi)wrap(φ) = wrap(φ+ 1), if φ ≤ −1= φ, if −1 < φ < 1= wrap(φ− 1), if 1 ≤ φ(4.1)where gc, gv, and gφ are the gain coefficients for the bang-bang frequencycontrol, coarse frequency control, and linear phase paths respectively. Thecoefficient α is the slope of oscillator frequency with respect to v, and β isthe slope of oscillator period with respect to c; both are determined from644.2. Modeling the Digital PLL0.4 0.5 0.6 0.7 0.8 0.9 1 1.1 1.200.511.522.533.5operating voltage, v (volts)DCO frequency, f DCO (GHz)  00.511.522.533.5simulation datalinear fit(a) frequency vs. operating voltage1 2 3 4 5 6 7 8 9 1000.511.522.533.5load capacitance, c (pF)DCO frequency, f DCO (GHz)  00.511.522.533.5simulation datalinear fit for 1/fDCO(b) frequency vs. load capacitanceFigure 4.2: Ring-oscillator response654.3. Proving Global Convergencesimulation data. I measure phase leads or lags in cycles: φ = 0.1 meansthat ΦDCO/N leads Φref by 10% of the period of Φref . We say that c is“saturated” if,c = cmin ∧ (φ < 0)orc = cmax ∧ (φ > 0)Likewise, v is saturated if,v = vmin ∧ (c > ccenter )orv = vmax ∧ (c < ccenter )In this thesis, I scale fref to 1. With similar scaling, I choose gc = 1/3200,gv = −gc/5, and gφ = 0.8. I assume bounds for c of cmin = 0.9 and cmax =1.1 with ccenter = 1 and bounds for v of vmin = 0.2 and vmax = 2.5. Withthese parameters, the PLL is intended to converge to a small neighbourhoodof c = ccenter = 1; v = fref ccenter = 1 and φ = 0.4.3 Proving Global ConvergenceTo prove global convergence of this digital PLL, simulations have been con-ducted in order to get a sense of how things are moving in the state space.From this, I identified key points where I can break the proof up into pieces.By tackling each piece at a time and connecting them together, I form aproof of the global convergence.4.3.1 Proof in PartsI formalize the global convergence proof of this digital PLL into four theo-rems below. Suppose we use B to stand for the blue region, R to stand forthe red region, G to stand for the green region and Y to stand for the yellowregion in Figure 4.3,664.3. Proving Global ConvergenceTheorem 4.1. Global convergence of Digital PLL∃ small Y ∈ B, ∀[c(0), v(0), φ(0)] ∈ B, ∃N ≥ 0 ∀i ≥ N,s.t.[c(i), v(i), φ(i)] ∈ YFigure 4.3 shows how this Digital PLL converges into a small regionin the middle. My verification proceeds in three phases as depicted in thefigure. First I show that for all trajectory starting with c ∈ [cmin, cmax], v ∈[vmin, vmax], and φ ∈ [−1,+1] (the blue region in Figure 4.3),the trajectoryeventually reaches a relatively narrow stripe (the red and green regions) forwhich fdco ≈ fref . To do so, I construct a series of lemmas that form aranking function. When this PLL is far from lock, its convergence is strong.By proving this I have shown that the non-linearities of the global modeldo not create unintended stable modes. Theorem 4.1.1 formally states thisargument.Lemma 4.1.1. Coarse convergence∃δ > 0 and N1, ∀[c(0), v(0), φ(0)] ∈ B, and |fdco(0)− fref | > δ,s.t.∀i ≥ N1, |fdco(i)− fref | ≤ δ,where R ∪G = {[c(i), v(i), φ(i)] | |fdco(i)− fref | ≤ δ}Then the second part of the proof pertains to the small, red stripes wherefdco ≈ fref but c is close enough to cmin or cmax that saturation remains aconcern. Consider the red strip near c = cmin. Here, I show that v increasesand that c “tracks” v to keep fdco close to fref and φ small. Together, theseresults show that all trajectories eventually enter the region shown in greenin Figure 4.3 in Theorem 4.1.2.Lemma 4.1.2. Leaving the saturation∃N2,∀[c(0), v(0), φ(0)] ∈ R, s.t.∀i ≥ N2, [c(i), v(i), φ(i)] ∈ GThe final part of the proof shows convergence to the limit cycle region,shown in yellow in Figure 4.3. The key observation here is that φ repeatedly674.3. Proving Global ConvergenceVfdco= frefcminvmin cccenter cmaxvmaxvhivloThe light blue region denotes the entire space. Using the Lyapunovargument I generated for the blue region, I proved convergence into themiddle green region. Then I show convergence into the middle yellowregion using another theorem.Figure 4.3: Global convergence big picture684.3. Proving Global Convergence0ceqc1c2cc′1φFigure 4.4: Fine convergencealternates between positive and negative values. For any given value of v, Icalculate the value of c for which fdco(c, v) = fref , call this ceq(v). Figure 4.4depicts a trajectory from a rising zero-crossing of φ to a falling crossing. Letc1 be the value of c following a rising zero-crossing of φ, and let c2 be thevalue of c at the subsequent falling crossing. I note that c1 < ceq(v) < c2.The fine convergence theorem for the points in the stripe to converge intothe middle yellow region has been formally stated in Theorem 4.1.3.Lemma 4.1.3. Fine convergence∃Y,N3 and δ > 0, ∀[c(0), v(0), φ(0)] ∈ G, s.t.∀i ≥ N2, [c(0), v(0), φ(0)] ∈ YThe next section discusses the details on how I proved the fine conver-gence proof part using the clause-processor combination. Seeing the proof694.3. Proving Global Convergencemight give one a better idea of how this proof cannot practically be done byany single tool on itself.4.3.2 Detailed Proof for Fine ConvergenceIn the green region of Figure 4.3, it is straightforward to show that c andφ settle into an oscillating behavior. The damping term, −gφφ(i) causessuch oscillations to diminish, but they don’t die out completely due to thequantization of c. The proof formalizes this intuition.For any value of v, we can define ceq so that fdco(ceq, v) = fref . Asobserved above, the value of c will roughly oscillate around ceq while φoscillates around 0. As shown in Figure 4.4, let c1 be the value of c when φcrosses 0 in a rising direction, and let c2 be the value of c at the subsequentcrossing of 0 by φ in the falling direction. Our proof shows that if |c1−ceq| issufficiently large, then |c2−ceq| < |c1−ceq|−g1. A similar argument appliesif we consider a trajectory starting φ crossing 0 in the falling direction andgoing until φ crossing 0 in the the rising direction. This shows that if|c1 − ceq| is sufficiently large, its value will decrease. In our proof, we showthis convergence for |c1 − ceq| > 3g1. This shows that any trajectory in thegreen region stays in the green region and moves to region very close to thefdco(c, v) = fref line. Separately, we can show that if such a cycle occurswith c < ccenter at all points, then v must eventually increase. Likewise, ifc > ccenter at all points of the cycle, the v must eventually decrease. Theseresults together show convergence to the yellow region of Figure 4.3.The obvious way to show convergence is to show that c2 is closer to ceqthan c1 is. However, this involves calculating the recurrence step at whichφ makes its falling crossing of zero, and that involves solving a non-linearsystem of equations. Although Z3 has a non-linear arithmetic solver, it doesnot support induction as would be required with an arbitrary choice for c1.Instead, I extrapolate the sequence to the last point to the right of ceqthat is closer to ceq than c1 is. I use formula from Eq. 4.1 for computingc(i + 1) assuming that sgn(φ) = 1; either this assumption is valid for thewhole sequence, or φ had a falling crossing even earlier. Either is sufficient704.3. Proving Global Convergenceto show convergence.I stated this theorem in ACL2 and proved it using Smtlink. The proofinvolves solving the recurrence, and rewriting the resulting formula. Thekey inequality has exponential terms of the form (1 − gφ)n multiplied byrational function terms of the other model parameters. I use the substitutiontechnique from Section 3.2.3 to replace these non-polynomial terms, and adda :hypothesize hint that 0 < (1− gφ)n < 1. ACL2 readily discharges thisadded hypothesis using a trivial induction.The fine convergence proof is based on a 13-page, hand-written proof.The ACL2 version consists of 75 lemmas, 10 of which were discharged usingthe SMT solver. Of those ten, one was the key, polynomial inequality fromthe manual proof. The others discharged steps in the manual derivation thatwere not handled by the standard books of rewrite rules for ACL2. ACL2completes the proof in a few minutes running on a laptop computer. I foundone error in the process of transcribing the hand-written proof to ACL2.The ACL2 formulation enabled making generalizations that I would notconsider making to the manual proof. In particular, the manual proof as-sumed that ceq−c1 was an integer multiple of g1. After verifying the manualproof, I removed this restriction – this took about 12 hours of human time,most of which was to introduce an additional variable 0 ≤ dc < 1 to accountfor the non-integer part (see Appendix C.2). I also generalized the proof toallow v to an interval whose width is a small multiple of |g2(cmax − cmin)|.This did not require any new operators and took about 3 hours of humantime. The interval can be anywhere in [vlo, vhi]. This shows that the con-vergence of c and φ continues to hold as v progresses toward fref ccenter . Italso sets the foundation for verifying the PLL with a more detailed modelincluding the ∆Σ modulator in the c path, an additional low-pass filter inthe v path, and adding error terms in the formula for fdco(c, v).I completed much of the proof using ACL2 alone while implementingSmtlink. I plan to rewrite the proof to take more advantage of the SMTsolver and believe that the resulting proof will be simpler, focus more onthe high-level issues, and be easer to write and understand. When facedwith proving a complicated derivation, one can guide ACL2 through the714.4. Summary and Future Worksteps of the derivation, or just check the relationship of the original formulato the final one using the SMT solver. The latter approach allows noviceusers (including the author of this thesis) to quickly discharge claims thatwould otherwise take a substantial amount of time even for an expert. Asnoted before, if Z3 finds a counter-example, the tool does not return it as awitness for ACL2. However, the clause processor prints the counter-example(in its Z3 representation) to the ACL2 proof log. The user can examine thiscounter-example; in practice, it often points directly to the problem thatneeds to be addressed.4.4 Summary and Future WorkIn my proof, Lemma 4.1.1 and Lemma 4.1.2 are proven using raw Z3 (seeAppendix C.1) and Lemma 4.1.3 is proven using ACL2 with Smtlink (seeAppendix C.2). Smtlink greatly simplified the amount of work in prov-ing inequalities of large arithmetic formulas. I can’t imagine proving thislemma in raw ACL2 with reasonable small amount of effort. The analyticalapproach I’m taking gives the benefit of flexible and extensible proofs whensmall changes are made to the design. It also shows the limit cycle behavior.However, future work needs to be done to fulfill the proof. More specif-ically, following directions are possible directions.1. A liveness property about Lemma 4.1.2 is left for future proof. Tobe specific, my proof proves the liveness property that all trajectoryon the left wall will finally leave the wall. However, in order to provethe behavior of leaving the saturation, I need to prove all trajectorieswill eventually left the small saturation region, which means they willnever hit the wall again. I can potentially use Z3 as a bounded modelchecker for fulfilling this lemma.2. Eventually, I want to translate Z3 proofs for Lemma 4.1.1 and Lemma 4.1.2into ACL2 and let Smtlink call Z3 as a bounded model checker.3. The main theorem, Theorem 4.1, still needs to be stated in ACL2 andverified. It seems to require reasoning with an existential quantifier as724.4. Summary and Future Workshown in Theorem 4.1. ACL2 supports proofs with existential quanti-fiers. Proving this theorem statement will require connecting the threelemmas together.73Chapter 5Conclusion and Future WorkThis thesis demonstrates that SMT techniques and theorem proving providecomplementary power for AMS verification problems. It proposes a way ofcombining a SMT solver and a theorem prover by building an architecturethat provides soundness in practice without proof reconstruction. While anerror in Z3 or our interface code could, in principle, lead to an unsoundtheorem, we believe that the likelihood of finding real bugs by applyingour tools to real designs is much greater than the risk of an incorrect theo-rem slipping through our tools. Of course, nothing we have done precludesadding proof reconstruction and/or certificates for those who need that levelof soundness. The thesis further applies this combination to proving globalconvergence for a state-of-the-art digital PLL. Experiment results show howthis combination is suitable for AMS design verification.In this Chapter, Section 5.1 points out the differences between this workand other published AMS verification results. The comparison brings upseveral strengths that can be provided with this method. Section 5.2 dis-cusses a list of future directions that are enabled by the demonstrated thesiswork.5.1 ConclusionsI presented the integration of the Z3 SMT solver into the ACL2 theoremprover and demonstrated its application for the verification of global con-vergence for a digital PLL. The proof involves reasoning about systems ofpolynomial and rational function equalities and inequalities, which is greatlysimplified by using Z3’s non-linear arithmetic capabilities. ACL2 comple-ments Z3 by providing a versatile induction capability along with a mature745.2. Future Workenvironment for proof development and structuring. Chapter 3 describedtechnical issues that must be addressed to ensure the soundness, of the in-tegrated prover, usability issues that are critical for the tool to be practical,and my solutions to these challenges.Chapter 4 showed how this integrated prover can be used to verify globalconvergence for a digital phase-locked loop from all initial states to the finallimit-cycle behaviours. The analysis of the limit cycle behaviour requiresmodeling the PLL with recurrences. Such limit cycles are not capturedby continuous approximations used in [8, 110]. My approach allowed un-certainty in the model parameters and not just in the signal values. Myapproach shows strong promise for verification that accounts for device vari-ability and other uncertainties.Prior work on integrating SMT solvers into theorem provers has focusedon using the non-numerical decision procedures of an SMT solver. My workdemonstrates the value of bringing an SMT solver into a theorem prover forreasoning about systems where a digital controller interacts with a contin-uous, analog, physical system. The analysis of such systems often involveslong, tedious, and error-prone derivations that primarily use linear algebraand polynomials. I have shown that these are domains where SMT solversaugmented with induction and proof structuring have great promise.5.2 Future WorkThere are three possible directions that are opened up by this work.5.2.1 Complete the Convergence Proof for the Digital PLLThe digital PLL model is a simplified model. The digital PLL in the originalpaper [33] also contains a delta-sigma modulator and a low-pass filter. Iomitted them because they are not critical components of the PLL in thesense of global convergence.However, adding those two parts and proving convergence under thisnew model would still be beneficial. Then I could analyze how this method755.2. Future Workadapts to new models. By analyzing how much more time and code I devoteto proving the expanded version, I’ll have more evidence of the scalabilityof the method.5.2.2 Build a Better ToolAs discussed in Chapter 3.5, there are several aspects in which I can im-prove the tool architecture. These include using guards to infer types, pro-viding useful counter-example, using ACL2r, and increasing the automationof function expansion.There are other things I can implement to extend proof methods andautomation. For example, my supervisor is my first “user” for Smtlink.We have tried some experiments to automatically identify commonly usedsubstitutions using uninterpreted functions, the syntactic structure of theclauses, and the “fast” theories of Z3 (e.g. linear arithmetic) to identifyuseful hypotheses. Preliminary results suggest that approaches like thiscould greatly simplify the proof for the digital PLL and would be useful forother problems as well.Adding the “hooks” so the user can manipulate the clauses creates newtrade-offs between soundness and ease of use. These can be tracked usingACL2s trust-tag mechanism. This opens up the opportunity to try an ideawithout investing a huge effort to ensure soundness. If it turns out to beuseful, then we can go back and progressively remove the need for trust-assumptions.5.2.3 Other ApplicationsI am interested in investigating how this combination of theorem provingand SMT solving can be applied to other dynamical physical systems thatshare common features with AMS designs. Interesting applications includemachine learning proofs and other mathematical proofs, medical system andother cyber-physical system verification problems.Machine learning problems are interesting problems to try because theyalso make intense use of non-linear arithmetic. In addition to what is already765.2. Future Worksupported by the tool, machine learning problems require more heavy useof linear algebra theories. Other mathematical proofs with similar structurecould also benefit from the combination.Some biomedical devices are naturally modeled as hybrid systems. There’sa huge need in medical systems for correctness verification. For example, [48]presents an anaesthetizing system that automatically adjusts the amount ofanaesthetic to give to a patient. The system should make sure no overdoseor underdose will occur in the feedback control system.Cyber-physical systems and other physical dynamical systems that de-mand verification tasks are also interesting problems to try.I am currently exploring using my methods to verify other AMS designsas well as similar problems that arise in hybrid control systems and machinelearning. Trying out these new applications not only helps further justifymy belief that this combination is useful, it also gives us a chance to look atwhat’s common in these problems. Those observations might leads to betterautomation. For example, common modeling blocks could be implementedso that new problems can be composed using these library model blocks.Specification languages could be implemented so that new specificationscan be easily expressed and get processed by the tool automatically.77Bibliography[1] Formalizing 100 theorems. Ac-cessed: 2015-01-16. → pages 18[2] The Method. Accessed:2015-02-22. → pages 19, 26[3] Vhdl analysis and standardization group (vasg). Accessed: 2015-04-22. →pages 10[4] 1364-2005 - IEEE standard for Verilog hardware descriptionlanguage. Accessed: 2015-04-22. → pages 10[5] The SPICE page. Accessed: 2015-04-07. → pages 8[6] Jean-Raymond Abrial, Michael Butler, Stefan Hallerstede, and Lau-rent Voisin. An open extensible tool environment for Event-B. InFormal Methods and Software Engineering, pages 588–605. Springer,2006. → pages 26[7] Ghiath Al-Sammane, Mohamed H Zaki, and Sofie`ne Tahar. A sym-bolic methodology for the verification of analog and mixed signal de-signs. In Proceedings of the conference on Design, automation and testin Europe, pages 249–254. EDA Consortium, 2007. → pages 7, 15[8] Matthias Althoff, Akshay Rajhans, Bruce H Krogh, Soner Yaldiz, XinLi, and Larry Pileggi. Formal verification of phase-locked loops using78Bibliographyreachability analysis and continuization. Communications of the ACM,56(10):97–104, 2013. → pages 35, 75[9] Peter B Andrews. An introduction to mathematical logic and typetheory, volume 27. Springer Science & Business Media, 2002. → pages17[10] Michae¨l Armand, Germain Faure, Benjamin Gre´goire, Chantal Keller,Laurent The´ry, and Benjamin Werner. A modular integration ofSAT/SMT solvers to Coq through proof witnesses. In Certified Pro-grams and Proofs, pages 135–150. Springer, 2011. → pages 25[11] Eugene Asarin, Thao Dang, and Oded Maler. The d/dt tool for ver-ification of hybrid systems. In Computer Aided Verification, pages365–370. Springer, 2002. → pages 15[12] Clark Barrett and Sergey Berezin. CVC Lite: a new implementationof the cooperating validity checker. In Computer Aided Verification,pages 515–518. Springer, 2004. → pages 25[13] Clark Barrett, Aaron Stump, and Cesare Tinelli. The SMT-LIB stan-dard: version 2.0. In A. Gupta and D. Kroening, editors, Proceedingsof the 8th International Workshop on Satisfiability Modulo Theories(Edinburgh, UK), 2010. → pages 26[14] Clark Barrett, Christopher L Conway, Morgan Deters, LianaHadarean, Dejan Jovanovic´, Tim King, Andrew Reynolds, and Ce-sare Tinelli. CVC4. In Computer aided verification, pages 171–177.Springer, 2011. → pages 24[15] Jason Baumgartner, Hari Mony, Viresh Paruthi, Robert Kanzelman,and Geert Janssen. Scalable sequential equivalence checking acrossarbitrary design transformations. In Computer Design, 2006. ICCD2006. International Conference on, pages 259–266. IEEE, 2007. →pages 2279Bibliography[16] Bernd Becker and Christoph Scholl. Checking equivalence for partialimplementations. In Equivalence Checking of Digital Circuits, pages145–167. Springer, 2004. → pages 11[17] Michael Ben-Or, Dexter Kozen, and John Reif. The complexity of ele-mentary algebra and geometry. In Proceedings of the 16th Annual ACMSymposium on Theory of Computing, pages 457–464. ACM, 1984. →pages 23[18] Yves Bertot. A short presentation of Coq. In Theorem Proving inHigher Order Logics, pages 12–16. Springer, 2008. → pages 18[19] Fre´de´ric Besson. Fast reflexive arithmetic tactics the linear case andbeyond. In Types for Proofs and Programs, pages 48–62. Springer,2007. → pages 25, 59[20] Jasmin Christian Blanchette, Sascha Bo¨hme, and Lawrence C Paulson.Extending sledgehammer with SMT solvers. Journal of automatedreasoning, 51(1):109–128, 2013. → pages 25, 26[21] Woody W Bledsoe, Robert S Boyer, and William H Henneman. Com-puter proofs of limit theorems. Artificial Intelligence, 3:27–60, 1972.→ pages 23[22] Robert Boyer et al. The QED manifesto. Automated Deduction–CADE, 12:238–251, 1994. → pages 18[23] Robert S Boyer and J Strother Moore. A theorem prover for a com-putational logic. In 10th International Conference on Automated De-duction, pages 1–15. Springer, 1990. → pages 18, 19[24] Marco Bozzano, Roberto Bruttomesso, Alessandro Cimatti, TommiJunttila, Silvio Ranise, Peter Van Rossum, and Roberto Sebastiani.Efficient satisfiability modulo theories via delayed theory combination.In Computer Aided Verification, pages 335–349. Springer, 2005. →pages 2480Bibliography[25] Aaron R Bradley. Understanding IC3. In Theory and Applications ofSatisfiability Testing–SAT 2012, pages 1–14. Springer, 2012. → pages11[26] Randal E Bryant. Symbolic boolean manipulation with OrderedBinary-Decision Diagrams. ACM Computing Surveys (CSUR), 24(3):293–318, 1992. → pages 11[27] Bruno Buchberger. An algorithm for finding the basis elements ofthe residue class ring of a zero dimensional polynomial ideal. Journalof symbolic computation, 41(3):475–511, 2006. English translation ofBruno Buchberger’s 1965 PhD thesis. → pages 23[28] Jerry R Burch, Edmund M Clarke, Kenneth L McMillan, David LDill, and Lain-Jinn Hwang. Symbolic model checking: 1020 states andbeyond. In Logic in Computer Science, 1990. LICS’90, Proceedings.,Fifth Annual IEEE Symposium on Logic in Computer Science, pages428–439. IEEE, 1990. → pages 11[29] Alonzo Church. A formulation of the simple theory of types. Thejournal of symbolic logic, 5(02):56–68, 1940. → pages 18[30] Edmund M Clarke, E Allen Emerson, and Joseph Sifakis. Model check-ing: algorithmic verification and debugging. Communications of theACM, 52(11):74–84, 2009. → pages 11[31] George E. Collins. Quantifier elimination for real closed fields by cylin-drical algebraic decompostion. In H. Brakhage, editor, Automata The-ory and Formal Languages 2nd GI Conference Kaiserslautern, May203, 1975, volume 33 of Lecture Notes in Computer Science, pages134–183. Springer Berlin Heidelberg, 1975. ISBN 978-3-540-07407-6.doi: 10.1007/3-540-07407-4 17. URL → pages 23[32] Stephen A Cook. The complexity of theorem-proving procedures. InProceedings of the 3rd Annual ACM Symposium on Theory of Com-puting, pages 151–158. ACM, 1971. → pages 2281Bibliography[33] J. Crossley, E. Naviasky, and E. Alon. An energy-efficient ring-oscillator digital PLL. In Custom Integrated Circuits Conference(CICC), 2010 IEEE, pages 1–4, Sept 2010. doi: 10.1109/CICC.2010.5617417. URL→ pages 62, 63, 75[34] Martin Davis and Hilary Putnam. A computing procedure for quan-tification theory. Journal of the ACM (JACM), 7(3):201–215, 1960.→ pages 22[35] Martin Davis, George Logemann, and Donald Loveland. A machineprogram for theorem-proving. Communications of the ACM, 113(2):156–161, 1962. → pages 22[36] Leonardo De Moura and Nikolaj Bjørner. Z3: an efficient SMT solver.In Tools and Algorithms for the Construction and Analysis of Systems,pages 337–340. Springer, 2008. → pages 3, 24, 25[37] David De´harbe, Pascal Fontaine, Yoann Guyot, and Laurent Voisin.Integrating SMT solvers in Rodin. Science of Computer Programming,94:130–143, 2014. → pages 25, 26[38] Inderpreet Singh Dhingra. Formalising an integrated circuit designstyle in higher order logic. PhD thesis, University of Cambridge, 1988.→ pages 35[39] Zhi Jie Dong, Mohamed H Zaki, Ghiath Al Sammane, Sofiene Tahar,and Guy Bois. Checking properties of PLL designs using run-timeverification. In Microelectronics, 2007. ICM 2007. Internatonal Con-ference on, pages 125–128. IEEE, 2007. → pages 35[40] Bruno Dutertre. Yices 2.2. In Computer Aided Verification, pages737–744. Springer, 2014. → pages 24, 56[41] Arthur Flatau, Matt Kaufmann, David F Reed, D Russinoff,EW Smith, and Rob Sumners. Formal verification of microproces-82Bibliographysors at AMD. In 4th International Workshop on Designing CorrectCircuits (DCC 2002), Grenoble, France, 2002. → pages 20[42] Pascal Fontaine, Jean-Yves Marion, Stephan Merz, Leonor Prensa Ni-eto, and Alwen Tiu. Expressiveness+ automation+ soundness: to-wards combining SMT solvers and interactive proof assistants. InTools and Algorithms for the Construction and Analysis of Systems,pages 167–181. Springer, 2006. → pages 25[43] Martin Fra¨nzle and Christian Herde. HySAT: an efficient proof enginefor bounded model checking of hybrid systems. Formal Methods inSystem Design, 30(3):179–198, 2007. → pages 24, 36[44] Goran Frehse, Colas Le Guernic, Alexandre Donze´, Scott Cotton, Ra-jarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard, ThaoDang, and Oded Maler. SpaceEx: scalable verification of hybrid sys-tems. In Computer Aided Verification, pages 379–395. Springer, 2011.→ pages 15, 36[45] Ruben Gamboa. Square roots in ACL2: a study in sonata form. Tech-nical report, Citeseer, 1996. → pages 49[46] Ruben Gamboa and Robert S Boyer. Mechanically verifying real-valued algorithms in ACL2. PhD thesis, Citeseer, 1999. → pages20, 58[47] Ruben Gamboa and John Cowles. Formal verification of Medina’ssequence of polynomials for approximating arctangent. arXiv preprintarXiv:1406.1561, 2014. → pages 20[48] Victor Gan, Guy A Dumont, and Ian M Mitchell. Benchmark problem:a PK/PD model and safety constraints for anesthesia delivery. 2014.→ pages 77[49] Sicun Gao, Soonho Kong, and Edmund M Clarke. Satisfiability mod-ulo odes. In Formal Methods in Computer-Aided Design (FMCAD),2013, pages 105–112. IEEE, 2013. → pages 2483Bibliography[50] Antoine Girard. Reachability of uncertain linear systems using zono-topes. In Hybrid Systems: Computation and Control, pages 291–305.Springer, 2005. → pages 15, 36[51] Evgueni Goldberg, Mukul Prasad, and Robert Brayton. Using SAT forcombinational equivalence checking. In Proceedings of the conferenceon Design, automation and test in Europe, pages 114–121. IEEE Press,2001. → pages 11[52] Alexandre Goldsztejn, Olivier Mullier, Damien Eveillard, and HiroshiHosobe. Including ordinary differential equations based constraints inthe standard CP framework. In Principles and Practice of ConstraintProgramming–CP 2010, pages 221–235. Springer, 2010. → pages 24[53] Carla P Gomes, Henry Kautz, Ashish Sabharwal, and Bart Selman.Satisfiability solvers. Handbook of Knowledge Representation, 3:89–134, 2008. → pages 23[54] Michael JC Gordon and Tom F Melham. Introduction to HOL: a theo-rem proving environment for higher order logic. Cambridge UniversityPress, 1993. → pages 18[55] Mike Gordon. Why higher-order logic is a good formalism for specify-ing and verifying hardware. In Formal Aspects of VLSI Design, 1986.→ pages 17[56] Mark R Greenstreet. Verifying safety properties of differential equa-tions. In Computer Aided Verification, pages 277–287. Springer, 1996.→ pages 14[57] Mark R Greenstreet and Ian Mitchell. Reachability analysis usingpolygonal projections. In Hybrid Systems: Computation and Control,pages 103–116. Springer, 1999. → pages 15[58] John Harrison. HOL Light: a tutorial introduction. In Formal Methodsin Computer-Aided Design, pages 265–269. Springer, 1996. → pages1884Bibliography[59] John Harrison. Floating-point verification. In FM 2005: Formal Meth-ods, pages 529–532. Springer, 2005. → pages 18[60] John Harrison and Laurent The´ry. A skeptic’s approach to combiningHOL and Maple. Journal of Automated Reasoning, 21(3):279–294,1998. → pages 25, 59[61] Walter Hartong, Lars Hedrich, and Erich Barke. Model checking al-gorithms for analog verification. In Proceedings of the 39th annualDesign Automation Conference, pages 542–547. ACM, 2002. → pages14[62] Shant Harutunian. Formal Verification of Computer Con-trolled Systems. PhD thesis, University of Texas, Austin,May 2007. URL → pages 16[63] Lars Hedrich and Erich Barke. A formal approach to nonlinear ana-log circuit verification. In Proceedings of the 1995 IEEE/ACM inter-national conference on Computer-aided design, pages 123–127. IEEEComputer Society, 1995. → pages 12[64] Warren A Hunt, Robert Bellarmine Krug, Sandip Ray, and William DYoung. Mechanized information flow analysis through inductive as-sertions. In Formal Methods in Computer-Aided Design, 2008. FM-CAD’08, pages 1–4. IEEE, 2008. → pages 20[65] Warren A Hunt Jr and Sol Swords. Centaur technology media unitverification. In Computer Aided Verification, pages 353–367. Springer,2009. → pages 20[66] Fabian Immler. Formally verified computation of enclosures of solu-tions of ordinary differential equations. In NASA Formal Methods,pages 113–127. Springer, 2014. → pages 16[67] PB Jackson. The Nuprl proof development system. Reference manualand Users’s Guide (Version 4.1), 1994. → pages 1885Bibliography[68] Ji-Eun Jang, Myeong-Jae Park, Dongyun Lee, and Jaeha Kim.True event-driven simulation of analog/mixed-signal behaviors in Sys-temVerilog: A decision-feedback equalizing (DFE) receiver example.In Custom Integrated Circuits Conference (CICC), 2012 IEEE, pages1–4. IEEE, 2012. → pages 8[69] Alexander Jesser and Lars Hedrich. A symbolic approach for mixed-signal model checking. In Proceedings of the 2008 Asia and South Pa-cific Design Automation Conference, pages 404–409. IEEE ComputerSociety Press, 2008. → pages 35[70] Richard M Karp. Reducibility among combinatorial problems.Springer, 1972. → pages 22[71] Matt Kaufmann and J Strother Moore. ACL2: an industrial strengthversion of Nqthm. In Computer Assurance, 1996. COMPASS’96, Sys-tems Integrity. Software Safety. Process Security. Proceedings of theEleventh Annual Conference on, pages 23–34. IEEE, 1996. → pages3, 18, 19[72] Matt Kaufmann and J Strother Moore. An ACL2 tutorial. In TheoremProving in Higher Order Logics, pages 17–21. Springer, 2008. → pages19[73] Jaeha Kim, Metha Jeeradit, Byongchan Lim, and Mark A Horowitz.Leveraging designer’s intent: a path toward simpler analog CAD tools.In Custom Integrated Circuits Conference, 2009. CICC’09. IEEE,pages 613–620. IEEE, 2009. → pages 4[74] Donald Ervin Knuth. Mathematics and computer science: coping withfiniteness. Science (New York, NY), 194(4271):1235–1242, 1976. →pages 23[75] Andreas Kuehlmann and Florian Krohm. Equivalence checking usingcuts and heaps. In Proceedings of the 34th annual Design AutomationConference, pages 263–268. ACM, 1997. → pages 1186Bibliography[76] Kenneth S Kundert. Introduction to RF simulation and its applica-tion. IEEE Journal of Solid-State Circuits, 34(9):1298–1319, 1999. →pages 4[77] Robert P Kurshan and Kenneth L McMillan. Analysis of digital cir-cuits through symbolic reduction. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 10(11):1356–1371,1991. → pages 14[78] Alexander B. Kurzhanski and Istva´n Va´lyi. Ellipsoidal Calculus forEstimation and Control. International Institute for Applied SystemsAnalysis, Austria, 1997. → pages 15[79] Daniel Lazard. Thirty years of polynomial system solving, and now?Journal of symbolic computation, 44(3):222–231, 2009. → pages 23[80] K Rustan M Leino. This is Boogie 2. Manuscript KRML, 178:131,2008. → pages 25[81] K Rustan M Leino. Dafny: an automatic program verifier for func-tional correctness. In Logic for Programming, Artificial Intelligence,and Reasoning, pages 348–370. Springer, 2010. → pages 24[82] K Rustan M Leino. Automating induction with an SMT solver. InVerification, Model Checking, and Abstract Interpretation, pages 315–331. Springer, 2012. → pages 24[83] Honghuang Lin and Peng Li. Parallel hierarchical reachability analy-sis for analog verification. In Design Automation Conference (DAC),2014 51st ACM/EDAC/IEEE, pages 1–6, 2014. doi: 10.1145/2593069.2593178. URL → pages 36[84] Honghuang Lin, Peng Li, and Chris J Myers. Verification of digitally-intensive analog circuits via kernel ridge regression and hybrid reacha-bility analysis. In Proceedings of the 50th Annual Design AutomationConference, page 66. ACM, 2013. → pages 3687Bibliography[85] Leonard R. Marino. General theory of metastable operation. IEEETransactions on Computers, 100(2):107–115, 1981. → pages 10[86] Joa˜o P Marques-Silva and Karem A Sakallah. GRASP: a search algo-rithm for propositional satisfiability. IEEE Transactions on Comput-ers, 48(5):506–521, 1999. → pages 22[87] Sean McLaughlin, Clark Barrett, and Yeting Ge. Cooperating theoremprovers: a case study combining HOL-Light and CVC Lite. ElectronicNotes in Theoretical Computer Science, 144(2):43–51, 2006. → pages25[88] Kenneth L McMillan. Interpolation and SAT-based model checking.In Computer Aided Verification, pages 1–13. Springer, 2003. → pages11[89] Herbert A. Medina. A sequence of polynomials for approximatingarctangent. The American Mathematical Monthly, 113(2):pp. 156–161, 2006. ISSN 00029890. URL → pages 20[90] Stephan Merz and Herna´n Vanzetto. Automatic verification of TLA+proof obligations with SMT solvers. In Logic for Programming, Arti-ficial Intelligence, and Reasoning, pages 289–303. Springer, 2012. →pages 25[91] J Strother Moore. A mechanically checked proof of a multiprocessorresult via a uniprocessor view. Formal Methods in System Design, 14(2):213–228, 1999. → pages 19[92] J. Strother Moore, Thomas W. Lynch, and Matt Kaufmann. A me-chanically checked proof of the AMD5 K 86 TM floating-point divisionprogram. Computers, IEEE Transactions on, 47(9):913–926, 1998. →pages 2088Bibliography[93] Greg Nelson and Derek C Oppen. Simplification by cooperating deci-sion procedures. ACM Transactions on Programming Languages andSystems (TOPLAS), 1(2):245–257, 1979. → pages 23[94] Sam Owre, John M Rushby, and Natarajan Shankar. PVS: a prototypeverification system. In 11th International Conference on AutomatedDeduction (CADE), pages 748–752. Springer, 1992. → pages 18[95] Lawrence C Paulson. Isabelle: a generic theorem prover, volume 828.Springer, 1994. → pages 18[96] Radek Pela´nek. Fighting state space explosion: review and evalua-tion. In Formal Methods for Industrial Critical Systems, pages 37–52.Springer, 2009. → pages 9[97] Kent Pitman and Kathy Chapman. Information Technology–Programming Language–Common Lisp, 1994. → pages 39[98] Cornelia Pusch. Proving the soundness of a Java bytecode verifierspecification in Isabelle/HOL. In Tools and Algorithms for the Con-struction and Analysis of Systems, pages 89–103. Springer, 1999. →pages 18[99] Peter Reid and Ruben Gamboa. Automatic differentiation in ACL2.Springer, 2011. → pages 20[100] David Russinoff, Matt Kaufmann, Eric Smith, and Robert Sumners.Formal verification of floating-point RTL at AMD using the ACL2theorem prover. Proceedings of the 17th IMACS World Congrress onScientific Computation, Applied Mathematics and Simulation, Paris,France, 2005. → pages 20[101] Jun Sawada and Warren A Hunt Jr. Hardware modeling using functionencapsulation. In Formal Methods in Computer-Aided Design, pages271–282. Springer, 2000. → pages 17[102] Charles L Seitz. System timing. Introduction to VLSI systems, pages218–262, 1980. → pages 1489Bibliography[103] Mary Sheeran, Satnam Singh, and Gunnar St˚almarck. Checking safetyproperties using induction and a SAT-solver. In Formal Methods inComputer-Aided Design, pages 127–144. Springer, 2000. → pages 11[104] Naveed A Sherwani. Algorithms for VLSI physical design automation.Kluwer academic publishers, 1995. → pages 10[105] Robert E Shostak. On the SUP-INF method for proving Presburgerformulas. Journal of the ACM (JACM), 24(4):529–543, 1977. → pages23[106] Konrad Slind and Michael Norrish. A brief overview of HOL4. InTheorem Proving in Higher Order Logics, pages 28–32. Springer, 2008.→ pages 18[107] Alfred Tarski. A decision method for elementary algebra and geometry.Springer, 1998. → pages 23[108] Saurabh K Tiwary, Anubhav Gupta, Joel R Phillips, Claudio Pinello,and Radu Zlatanovici. First steps towards SAT-based formal analogverification. In Computer-Aided Design-Digest of Technical Papers,2009. ICCAD 2009. IEEE/ACM International Conference on, pages1–8. IEEE, 2009. → pages 15[109] Zhiwei Wang, Naeem Abbasi, Rajeev Narayanan, Mohamed H Zaki,Ghiath Al Sammane, and Sofiene Tahar. Verification of analog andmixed signal designs using online monitoring. In Mixed-Signals, Sen-sors, and Systems Test Workshop, 2009. IMS3TW’09. IEEE 15th In-ternational, pages 1–8. IEEE, 2009. → pages 35[110] Jijie Wei, Yan Peng, Ge Yu, and Mark Greenstreet. Verifying globalconvergence for a digital phase-locked loop. In Formal Methods inComputer-Aided Design (FMCAD), 2013, pages 113–120. IEEE, 2013.→ pages iii, 36, 75[111] Mark Weiser. The computer for the 21st century. Scientific american,265(3):94–104, 1991. → pages 190[112] Chao Yan and Mark Greenstreet. Faster projection based methodsfor circuit level verification. In Design Automation Conference, 2008.ASPDAC 2008. Asia and South Pacific, pages 410–415. IEEE, 2008.→ pages 15[113] Lintao Zhang and Sharad Malik. The quest for efficient boolean satisfi-ability solvers. In Computer Aided Verification, pages 17–36. Springer,2002. → pages 22[114] Lintao Zhang, Conor F Madigan, Matthew H Moskewicz, and SharadMalik. Efficient conflict driven learning in a boolean satisfiabilitysolver. In Proceedings of the 2001 IEEE/ACM international confer-ence on Computer-aided design, pages 279–285. IEEE Press, 2001. →pages 2291Appendix AExample Proofs with ACL2and Z3A.1 Geometric Sum Proof with Raw ACL2This program is successfully proved in 0.14 seconds. Note that in order tomake it easier, we made a further constraint that r should be an integer inthis proof. To make it work for arbitrary real number, it will take muchmore theorems and time.1 ;; Basic structure of this file:2 ;; To avoid reasoning about division throughout the proof, Ifirst show:3 ;; (sum_{i=0}^N r^i)*(r-1) = r^(i+1) - 14 ;; I then divide both sides by r-1 to get the main result.5 ;; This file starts with lots of definitions:6 ;; (my-expt-pos r n): r to the n^th power, for n >= 0.7 ;; (lhs r n): sum_{i=0}^n r^i8 ;; (rhs r n): (r^(i+1) - 1)/(r-1)9 ;; lhs-no-div and rhs-no-div are the lhs*(r-1) and rhs*(r-1)respectively.10 ;;11 ;; The proofs in this file are roughly in the following order:12 ;; my-expt-pos and lhs are integer valued.13 ;; some trivial algebra results.14 ;; a lemma for the induction step for the no-div version of theformula15 ;; the no-div version of the formula16 ;; the main formula.92A.1. Geometric Sum Proof with Raw ACL21718 (encapsulate ()19 (defun my-expt-pos (r n)20 (declare (xargs :guard (and (natp n) (integerp r))))21 (if (zp n) 1 (* r (my-expt-pos r (1- n)))))2223 (defthm my-expt-pos-integerp24 (implies (and (integerp r) (integerp n) (<= 0 n))25 (integerp (my-expt-pos r n))))2627 ;; the summation form for a geometric sum28 (defun lhs (r n)29 (declare (xargs :guard (and (integerp r) (integerp n) (<= 0n))))30 (if (and (natp n) (< 0 n))31 (+ (my-expt-pos r n) (lhs r (1- n)))32 1))3334 (local (defthm |(integerp (+ a (* b c)))|35 (implies (and (integerp a) (integerp b) (integerp c))36 (integerp (+ a (* b c))))37 :rule-classes nil))3839 (encapsulate ()40 (local (defthm lhs-integerp-lemma-141 (implies (and (integerp r) (integerp n) (< 0 n))42 (integerp (my-expt-pos r (+ -1 n))))43 :rule-classes nil))4445 (local (defthm lhs-integerp-lemma-246 (implies (and (integerp n)47 (< 0 n)48 (integerp (lhs r (+ -1 n)))49 (integerp r))50 (integerp (+ (lhs r (+ -1 n))51 (* r (my-expt-pos r (+ -1 n))))))93A.1. Geometric Sum Proof with Raw ACL252 :hints (("Goal" :use ( (:instance lhs-integerp-lemma-1 (n n)(r r))53 (:instance |(integerp (+ a (* bc)))|54 (a (lhs r (+ -1 n)))55 (b r)56 (c (my-expt-pos r (+ -1n)))))))))5758 (defthm lhs-integerp59 (implies (and (integerp r) (integerp n) (<= 0 n))60 (integerp (lhs r n))))61 )626364 (local (defun lhs-no-div (r n)65 (declare (xargs :guard (and (integerp n) (<= 0 n) (integerpr))))66 (* (lhs r n) (1- r))))6768 (defun rhs-no-div (r n)69 (declare (xargs :guard (and (integerp r) (integerp n) (<= 0n))))70 (1- (my-expt-pos r (+ n 1))))7172 (defun rhs (r n)73 (declare (xargs :guard (and (integerp r) (integerp n) (<= 0n))))74 (if (equal r 1) (1+ n) (/ (rhs-no-div r n) (1- r))))7576 (defun geo-hyps (r n)77 (and (integerp r) (natp n) (> r 0) (not (equal r 1))))7879 (local (defthm lemma-plus-minus-one80 (implies (integerp n) (equal (+ 1 -1 n) n))))8182 (local (defthm lemma-minus-plus-one ;; simplify (+ -1 1 n)94A.1. Geometric Sum Proof with Raw ACL283 (implies (integerp n) (equal (+ -1 1 n) n))))8485 (local (defthm unexpand-my-expt-pos ;; simplify (* r (my-expt r(1- n)))86 (implies (and (geo-hyps r n) (< 0 n))87 (equal (* r (my-expt-pos r (1- n))) (my-expt-pos rn)))88 :rule-classes nil))8990 (local (defthm expand-lhs91 (implies (and (geo-hyps r n) (< 0 n))92 (equal (lhs r n)93 (+ (my-expt-pos r n) (lhs r (1- n)))))))9495 (local (encapsulate ()96 (local (defthm expand-lhs-no-div-lemma-197 (implies (and (integerp a) (integerp b) (integerp c))98 (equal (* (+ a b) c) (+ (* a c) (* b c))))))99100 (local (defthm expand-lhs-no-div-lemma-2101 (implies (and (integerp b) (integerp r))102 (equal (* (+ -1 r) r b) (+ (* -1 r b) (* r rb))))))103104 (defthm expand-lhs-no-div105 (implies (and (geo-hyps r n) (< 0 n))106 (equal (* (lhs r n) (1- r))107 (+ (* (1- r) (my-expt-pos r n)) (lhs-no-divr (1- n))))))108 ))109110 (local (encapsulate ()111 (local (defthm expand-rhs-no-div-lemma112 (implies (and (integerp b) (integerp c) (integerp r)113 (equal c (* r b)))114 (equal (+ -1 b (* (+ -1 r) b)) (+ -1 c))115 )95A.1. Geometric Sum Proof with Raw ACL2116 :rule-classes nil))117118 (defthm expand-rhs-no-div119 (implies (and (geo-hyps r n) (< 0 n))120 (equal (1- (my-expt-pos r (+ n 1)))121 (+ (* (1- r) (my-expt-pos r n)) (1-(my-expt-pos r n)))))122 :hints (("Goal"123 :do-not-induct t124 :hands-off (my-expt-pos)125 :use ( (:instance unexpand-my-expt-pos (n (1+ n)))126 (:instance lemma-minus-plus-one (n n))127 (:instance lemma-plus-minus-one (n n))128 (:instance expand-rhs-no-div-lemma129 (b (my-expt-pos r n))130 (c (my-expt-pos r (1+ n)))131 (r r))132 )))133 :rule-classes nil)))134135 (local (defthm no-div-induct136 (implies (and (geo-hyps r n) (< 0 n) (equal (lhs-no-div r n)(rhs-no-div r n)))137 (equal (* (lhs r n) (1- r))138 (1- (my-expt-pos r (+ n 1)))139 ))140 :hints (("Goal" :do-not-induct t))))141142 (local (defthm geo-lemma-no-div143 (implies (geo-hyps r n)144 (equal (* (lhs r n) (1- r))145 (1- (my-expt-pos r (+ n 1)))))))146147 (local (defthm div-eq-by-eq148 (implies (and (integerp a) (integerp b) (integerp c) (not(equal a 0)) (equal b c))149 (equal (/ b a) (/ c a)))))96A.2. Geometric Sum Proof with Arithmetic Book150151 (local (defthm geo-lemma-1152 (implies (and (integerp r) (integerp n) (<= 0 n))153 (integerp (+ -1 (* r (my-expt-pos r n)))))154 :hints (("Goal"155 :do-not-induct t156 :use ( (:instance my-expt-pos-integerp (r r) (n n))157 (:instance |(integerp (+ a (* b c)))|158 (a -1) (b r) (c (my-expt-pos rn))))))))159160 ;; The main theorem.161 (defthm geo162 (implies (geo-hyps r n) (equal (lhs r n) (rhs r n)))163 :hints (("Goal" :do-not-induct t164 :use ( (:instance div-eq-by-eq165 (a (1- r))166 (b (* (lhs r n) (1- r)))167 (c (1- (my-expt-pos r (+ n 1)))))168 (:instance geo-lemma-no-div (r r) (n n)) ))))169 )A.2 Geometric Sum Proof with Arithmetic BookThis program is successfully proved in 0.15 seconds. This is assuming thebook has already been loaded.1 ;; This is a program proving the geometric sum equation2 ;; using arithmetic-5.3 ;; Arithmetic-5 is tuned for this kind of problem.4 ;; So it passed easily.5 ;;6 ;; by Yan Peng (2015-02-25)7 ;;89 (in-package "ACL2")97A.3. Geometric Sum Proof with Smtlink10 (include-book "arithmetic-5/top" :dir :system)1112 ;; define left hand side13 (defun lhs (r n)14 (if (zp n)15 116 (+ (expt r n) (lhs r (1- n)))))1718 (defun rhs (r n)19 (/ (- 1 (expt r (+ n 1)))20 (- 1 r)))2122 (defthm geo23 (implies (and (natp n)24 (rationalp r)25 (> r 0)26 (not (equal r 1))27 )28 (equal (lhs r n)29 (rhs r n))))A.3 Geometric Sum Proof with SmtlinkThis program is successfully proved in 0.06 seconds. This is assuming thebook has already been loaded.1 ;;; This is a program proving the geometric sum equation2 ;; using my clause processor.3 ;;4 ;; by Yan Peng (2015-02-25)5 ;;67 (in-package "ACL2")8 ;; set up directories to clause processor dir9 (add-include-book-dir :cp"/ubc/cs/home/y/yanpeng/project/ACL2/smtlink")98A.3. Geometric Sum Proof with Smtlink10 (include-book "SMT-connect" :dir :cp)111213 ;; define left hand side14 (defun lhs (r n)15 (if (zp n)16 117 (+ (expt r n) (lhs r (1- n)))))1819 (defun rhs (r n)20 (/ (- 1 (expt r (+ n 1)))21 (- 1 r)))2223 (defthm geo-cp-lemma24 (implies (and (and (integerp n)25 (rationalp r))26 (and (< 0 n)27 (equal (lhs r (+ -1 n))28 (+ (/ (+ 1 (- r)))29 (* (/ (+ 1 (- r)))30 (- (* r (expt r (+ -1 n)))))))31 (<= 0 n)32 (< 0 r)33 (not (equal r 1))))34 (equal (+ (lhs r (+ -1 n))35 (* r (expt r (+ -1 n))))36 (+ (/ (+ 1 (- r)))37 (* (/ (+ 1 (- r)))38 (- (* r r (expt r (+ -1 n))))))))39 :hints (("Goal"40 :clause-processor41 (my-clause-processor clause42 ’((:expand ((:functions ())43 (:expansion-level 1)))44 (:python-file "geo_cp_2")45 (:let ((lhs_n_minus_1 (lhs r (+-1 n)) rationalp)99A.4. Polynomial Inequality Proof with Z346 (expt_r_n_minus_1 (expt r (+ -1n)) rationalp)))47 (:hypothesize ())48 (:use ((:let ())49 (:hypo (()))50 (:main ()))))51 )))52 )5354 (defthm geo-cp55 (implies (and (natp n)56 (rationalp r)57 (> r 0)58 (not (equal r 1)) )59 (equal (lhs r n)60 (rhs r n)))61 :hints (("Subgoal *1/1’’"62 :clause-processor63 (my-clause-processor clause64 ’((:expand ((:functions ())65 (:expansion-level 1)))66 (:python-file "geo_cp_1")67 (:let ())68 (:hypothesize ())69 (:use ((:let ())70 (:hypo (()))71 (:main ()))))72 ))))A.4 Polynomial Inequality Proof with Z3This program is successfully proved in 0.0004 seconds.1 # This program check if below theorem can be proven2 # by Z3 directly. The theorem basically says a set3 # of polynomial inequalities has no solution.100A.5. Polynomial Inequality Proof with ACL24 #5 # The three polynomials:6 # 1. hyperbola: x*x - y*y <= 17 # 2. parabola: y >= 3*(x - 2.125)*(x-2.125) - 38 # 3. ellipse: 1.125*x*x + y*y <= 19 #10 # by Yan Peng (2015-02-25)1112 # define the hyperbola13 def hyperbola(x, y):14 return x*x - y*y <= 115 # define the parabola16 def parabola(x, y):17 return y >= 3*(x - 2.125)*(x-2.125) - 318 # define the ellipse19 def ellipse(x, y):20 return 1.125*x*x + y*y <= 12122 from z3 import *2324 x = Real("x")25 y = Real("y")2627 print prove(Not(And(hyperbola(x,y), parabola(x,y), ellipse(x,y))))A.5 Polynomial Inequality Proof with ACL2ACL2 failed to prove this program. It stops at 0.09 seconds.1 ;; This program check if below theorem can be proven2 ;; by ACL2’s arithmetic5 book directly. The theorem3 ;; basically says a set of polynomial inequalities4 ;; has no solution.5 ;;6 ;; The three polynomials:7 ;; 1. hyperbola: x*x - y*y <= 1101A.5. Polynomial Inequality Proof with ACL28 ;; 2. parabola: y >= 3*(x - 2.125)*(x - 2.125) - 39 ;; 3. ellipse: 1.125*x*x + y*y <= 110 ;;11 ;; by Yan Peng (2015-02-25)1213 (in-package "ACL2")14 (include-book "arithmetic-5/top" :dir :system)1516 ;; define the hyperbola17 (defun hyperbola (x y)18 (<= (- (* x x)19 (* y y))20 1))21 ;; define the parabola22 (defun parabola (x y)23 (>= y24 (- (* 325 (- x 17/8)26 (- x 17/8))27 3)))28 ;; define the ellipse29 (defun ellipse (x y)30 (<= (+ (* 9/8 x x)31 (* y y))32 1))3334 ;; prove the theorem using arithmetic-535 (defthm prove-with-arithmetic-536 (implies (and (and (realp x) (realp y)))37 (not (and (hyperbola x y)38 (parabola x y)39 (ellipse x y))))40 :rule-classes nil)102A.6. Polynomial Inequality Proof with SmtlinkA.6 Polynomial Inequality Proof with SmtlinkThis program is successfully proved in 0.02 seconds.1 ;; This program check if below theorem can be proven2 ;; by our clause processor directly. The theorem3 ;; basically says a set of polynomial inequalities4 ;; has no solution.5 ;;6 ;; The three polynomials:7 ;; 1. hyperbola: x*x - y*y <= 18 ;; 2. parabola: y >= 3*(x - 2.125)*(x - 2.125) - 39 ;; 3. ellipse: 1.125*x*x + y*y <= 110 ;;11 ;; by Yan Peng (2015-02-26)1213 (in-package "ACL2")14 ;; set up directories to clause processor dir15 (add-include-book-dir :cp"/ubc/cs/home/y/yanpeng/project/ACL2/smtlink")16 (include-book "SMT-connect" :dir :cp)171819 ;; define the hyperbola20 (defun hyperbola (x y)21 (<= (- (* x x)22 (* y y))23 1))24 ;; define the parabola25 (defun parabola (x y)26 (>= y27 (- (* 328 (- x 17/8)29 (- x 17/8))30 3)))31 ;; define the ellipse32 (defun ellipse (x y)103A.6. Polynomial Inequality Proof with Smtlink33 (<= (+ (* 9/8 x x)34 (* y y))35 1))3637 (defthm prove-with-cp38 (implies (and (and (rationalp x) (rationalp y))39 (and ))40 (not (and (hyperbola x y)41 (parabola x y)42 (ellipse x y))))43 :hints (("Goal"44 :do-not ’(simplify)45 :clause-processor46 (my-clause-processor clause47 ’((:expand ((:functions ((hyperbolarationalp)48 (parabolarationalp)49 (ellipserationalp)))50 (:expansion-level 1)))51 (:python-file "prove_with_cp")52 (:let ())53 (:hypothesize ())54 (:use ((:let ())55 (:hypo (()))56 (:main ()))))57 )58 ))59 :rule-classes nil)104Appendix BSmtlink CodeB.1 ACL2 Expansion, Translation andInterpretation1 (in-package "ACL2")23 (include-book "config")4 (include-book "helper")5 (include-book "SMT-extract")6 (include-book "SMT-formula")7 (include-book "SMT-function")8 (include-book "SMT-translator")9 (include-book "SMT-interpreter")10 (include-book "SMT-run")11 (include-book "SMT-z3")12 (include-book "SMT-connect")1 ;;2 ;; This file is adapted from :doc define-trusted-clause-processor3 ;; The dependent files, instead of being in raw Lisp, are in ACL2.4 ;; That makes me doubt if I really need to do defstub, progn,5 ;; progn!, and push-untouchable...6 ;;7 ;; However, I’m using them right now in case if there are8 ;; behaviours with those constructs that are not known to me.9 ;;10 (in-package "ACL2")11 (include-book "tools/bstar" :dir :system)12 (set-state-ok t)105B.1. ACL2 Expansion, Translation and Interpretation1314 (defstub acl2-my-prove15 (term fn-lst fn-level fname let-expr new-hypo let-hintshypo-hints main-hints state)16 (mv t nil nil nil nil state))1718 (program)19 (defttag :Smtlink)2021 (include-book "SMT-z3")22 (value-triple (tshell-ensure))2324 (progn2526 ; We wrap everything here in a single progn, so that the entireform is27 ; atomic. That’s important because we want the use ofpush-untouchable to28 ; prevent anything besides my-clause-processor from callingacl2-my-prove.2930 (progn!3132 (set-raw-mode-on state) ;; conflict with assoc, should useassoc-equal, not assoc-eq3334 (defun acl2-my-prove (term fn-lst fn-level fname let-exprnew-hypo let-hints hypo-hints main-hints state)35 (my-prove term fn-lst fn-level fname let-expr new-hypolet-hints hypo-hints main-hints state))36 )3738 (defun Smtlink-arguments (hint)39 (b* ((fn-lst (cadr (assoc ’:functions40 (cadr (assoc ’:expand hint)))))41 (fn-level (cadr (assoc ’:expansion-level42 (cadr (assoc ’:expand hint)))))106B.1. ACL2 Expansion, Translation and Interpretation43 (fname (cadr (assoc ’:python-file hint)))44 (let-expr (cadr (assoc ’:let hint)))45 (new-hypo (cadr (assoc ’:hypothesize hint)))46 (let-hints (cadr (assoc ’:type47 (cadr (assoc ’:use hint)))))48 (hypo-hints (cadr (assoc ’:hypo49 (cadr (assoc ’:use hint)))))50 (main-hints (cadr (assoc ’:main51 (cadr (assoc ’:use hint))))))52 (mv fn-lst fn-level fname let-expr new-hypo let-hints hypo-hintsmain-hints))53 )5455 (defun Smtlink (cl hint state)56 (declare (xargs :guard (pseudo-term-listp cl)57 :mode :program))58 (prog2$ (cw "Original clause(connect): ~q0" (disjoin cl))59 (b* (((mv fn-lst fn-level fname let-expr new-hypo let-hintshypo-hints main-hints)60 (Smtlink-arguments hint)))61 (mv-let (res expanded-cl type-related-theorem hypo-theoremfn-type-theorem state)62 (acl2-my-prove (disjoin cl) fn-lst fn-level fname let-exprnew-hypo let-hints hypo-hints main-hints state)63 (if res64 (let ((res-clause (append (append (append fn-type-theoremtype-related-theorem) hypo-theorem)65 (list (append expanded-cl cl))66 )))67 (prog2$ (cw "Expanded clause(connect): ~q0 ~% Success!~%"res-clause)68 (mv nil res-clause state)))69 (prog2$ (cw "~|~%NOTE: Unable to prove goal with ~70 my-clause-processor and indicatedhint.~|")71 (mv t (list cl) state)))))))72107B.1. ACL2 Expansion, Translation and Interpretation73 (push-untouchable acl2-my-prove t)74 )7576 (define-trusted-clause-processor77 Smtlink78 nil79 :ttag Smtlink)1 ;; SMT-extract extracts the declarations, hypotheses and conclusionfrom a SMT formula in ACL2.2 ;; A typical SMT formula is in below format:3 ;; (implies (and <decl-list>4 ;; <hypo-list>)5 ;; <concl-list>)67 (in-package "ACL2")8 (include-book "./helper")910 ;; get-orig-param11 (defun get-orig-param (decl-list)12 "get-orig-param: given a declaration list of a SMT formula,return a list of variables appearing in the declaration list"13 (if (atom decl-list)14 (cond ((or (equal decl-list ’if)15 (equal decl-list ’nil)16 (equal decl-list ’rationalp)17 (equal decl-list ’integerp)18 (equal decl-list ’quote))19 nil)20 (t decl-list))21 (combine (get-orig-param (car decl-list))22 (get-orig-param (cdr decl-list)))))2324 ;; SMT-extract25 (defun SMT-extract (term)26 "extract decl-list, hypo-list and concl from a ACL2 term"27 (let ((decl-list (cadr (cadr term)))108B.1. ACL2 Expansion, Translation and Interpretation28 (hypo-list (caddr (cadr term)))29 (concl-list (caddr term)))30 (mv decl-list hypo-list concl-list)))1 ;; SMT-function2 (in-package "ACL2")3 (include-book "std/strings/top" :dir :system)4 (include-book "./helper")5 (include-book "./SMT-extract")6 (set-state-ok t)7 (set-ignore-ok t)89 ;; create-name10 (defun create-name (num)11 "create-name: creates a name for a new function"12 (let ((index (STR::natstr num)))13 (if (stringp index)14 (mv (intern-in-package-of-symbol15 (concatenate ’string "var" index) ’ACL2)16 (1+ num))17 (prog2$ (cw "Error(function): create name failed: ~q0!" index)18 (mv nil num)))))1920 ;; replace-var21 (defun replace-var (body var-pair)22 "replace-var: replace all appearance of a function symbol in thebody with the var-pair"23 (if (atom body)24 (if (equal body (car var-pair))25 (cadr var-pair)26 body)27 (cons (replace-var (car body) var-pair)28 (replace-var (cdr body) var-pair))))2930 ;; set-fn-body31 (defun set-fn-body (body var-list)32 "set-fn-body: set the body for let expression"109B.1. ACL2 Expansion, Translation and Interpretation33 (if (endp var-list)34 body35 (set-fn-body36 (replace-var body (car var-list))37 (cdr var-list))))3839 ;; make-var-list40 (defun make-var-list (formal num)41 "make-var-list: make a list of expressions for replacement"42 (if (endp formal)43 (mv nil num)44 (mv-let (var-name res-num1)45 (create-name num)46 (mv-let (res-expr res-num2)47 (make-var-list (cdr formal) res-num1)48 (mv (cons (list (car formal) var-name) res-expr)res-num2)))))4950 ;; assoc-fetch-key51 (defun assoc-fetch-key (assoc-list)52 "assoc-fetch-key: fetching keys from an associate list"53 (if (endp assoc-list)54 nil55 (cons (caar assoc-list) (assoc-fetch-key (cdr assoc-list)))))5657 ;; assoc-fetch-value58 (defun assoc-fetch-value (assoc-list)59 "assoc-fetch-value: fetching values from an associate list"60 (if (endp assoc-list)61 nil62 (cons (cadr (car assoc-list)) (assoc-fetch-value (cdrassoc-list)))))6364 ;; decrease-level-by-165 (defun decrease-level-by-1 (fn fn-level-lst)66 "decrease-level-by-1: decrease a function’s expansion level by 1."67 (if (endp fn-level-lst)110B.1. ACL2 Expansion, Translation and Interpretation68 nil69 (if (equal (car (car fn-level-lst)) fn)70 (cons (list fn (1- (cadr (car fn-level-lst))))71 (cdr fn-level-lst))72 (cons (car fn-level-lst)73 (decrease-level-by-1 fn (cdr fn-level-lst))))))7475 ;; expand-a-fn76 ;; e.g.(defun double (x y) (+ (* 2 x) y))77 ;; (double a b) -> (let ((var1 a) (var2 b)) (+ (* 2 var1) var2))78 ;; (double a b) -> ((lambda (var1 var2) (+ (* 2 var1) var2)) ab)79 ;; 2014-07-0180 ;; added code for decreasing level for function expanded81 (defun expand-a-fn (fn fn-level-lst fn-waiting fn-extended numstate)82 "expand-a-fn: expand an expression with a function definition,num should be accumulated by 1. fn should be stored as a symbol"83 (let ((formal (cdr (cadr (meta-extract-formula fn state))))84 ;; the third element is the formalss85 (body (end (meta-extract-formula fn state)))86 ;; the last element is the body87 )88 (if (endp formal)89 (mv body90 (my-delete fn-waiting fn)91 (cons fn fn-extended)92 (decrease-level-by-1 fn fn-level-lst)93 num)94 (mv-let (var-list num1)95 (make-var-list formal num)96 (mv (list ’lambda (assoc-fetch-value var-list)97 (set-fn-body body var-list))98 (my-delete fn-waiting fn)99 (cons fn fn-extended)100 (decrease-level-by-1 fn fn-level-lst)101 num1)))))111B.1. ACL2 Expansion, Translation and Interpretation102103 ;; lambdap104 (defun lambdap (expr)105 "lambdap: check if a formula is a valid lambda expression"106 (if (not (equal (len expr) 3))107 nil108 (let ((lambdax (car expr))109 (formals (cadr expr)))110 ;;(body (caddr expr)))111 (if (and (equal lambdax ’lambda)112 (listp formals)) ;; I can add a check for no113 ;; occurance of free variable in thefuture114 t115 nil))))116117 (skip-proofs118 (mutual-recursion119 ;; expand-fn-help-list120 (defun expand-fn-help-list (expr fn-lst fn-level-lst fn-waitingfn-extended num state)121 "expand-fn-help-list"122 (declare (xargs :measure (list (acl2-count (len fn-waiting))(acl2-count expr))))123 (if (endp expr)124 (mv nil num)125 (mv-let (res-expr1 res-num1)126 (expand-fn-help (car expr) fn-lst fn-level-lst fn-waitingfn-extended num state)127 (mv-let (res-expr2 res-num2)128 (expand-fn-help-list (cdr expr) fn-lst fn-level-lstfn-waiting fn-extended res-num1 state)129 (mv (cons res-expr1 res-expr2) res-num2)))))130131 ;; expand-fn-help132 ;; This function should keep three lists of function names.133 ; First one stores all functions possible for expansion.112B.1. ACL2 Expansion, Translation and Interpretation134 ; Second one is for functions to be expanded135 ; and the third one is for functions already expanded.136 ;; They should be updated accordingly:137 ; when one function is expanded along a specific path138 ; that function should be deleted from fn-waiting and added139 ; into fn-expanded.140 ;; Resursion detection:141 ; When one function call is encountered142 ; we want to make sure that function is valid for expansion143 ; by looking at fn-lst. Then we expand it, delete it from144 ; fn-waiting and add it onto fn-expanded. The we want to make145 ; sure that fn-waiting and fn-expaned is changing as we walk146 ; through the tree of code.147 ;; Another way of recursion detection:148 ; One might want to use this simpler way of handling recrusion149 ; detection. We note the length of fn-lst, then we want to150 ; count down the level of expansion. Any path exceeding this151 ; length is a sign for recursive call.152 (defun expand-fn-help (expr fn-lst fn-level-lst fn-waitingfn-extended num state)153 "expand-fn-help: expand an expression"154 (declare (xargs :measure (list (acl2-count (len fn-waiting))(acl2-count expr))))155 (cond ((atom expr) ;; base case, when expr is an atom156 (mv expr num))157 ((consp expr)158 (let ((fn0 (car expr)) (params (cdr expr)))159 (cond160 ((and (atom fn0) (exist fn0 fn-lst)) ;; function exists inthe list161 (if (> (cadr (assoc fn0 fn-level-lst)) 0) ;; if fn0’slevel number is still larger than 0162 (mv-let (res fn-w-1 fn-e-1 fn-l-l-1 num2)163 (expand-a-fn fn0 fn-level-lst fn-waiting fn-extendednum state) ;; expand a function164 (mv-let (res2 num3)113B.1. ACL2 Expansion, Translation and Interpretation165 (expand-fn-help res fn-lst fn-l-l-1 fn-w-1 fn-e-1num2 state)166 (if (endp params)167 (mv res2 num3)168 (mv-let (res3 num4)169 (expand-fn-help-list params fn-lstfn-level-lst fn-waiting fn-extended num3 state)170 (mv (cons res2 res3) num4)))))171 (prog2$ (cw "Recursive function expansion level hasreached 0: ~q0" fn0)172 (mv expr num))))173 ((atom fn0) ;; when expr is a un-expandable function174 (mv-let (res num2)175 (expand-fn-help-list (cdr expr) fn-lst fn-level-lstfn-waiting fn-extended num state)176 (mv (cons (car expr) res) num2)))177 ((lambdap fn0) ;; function is a lambda expression, expandthe body178 (let ((lambdax fn0) (params (cdr expr)))179 (let ((formals (cadr lambdax)) (body (caddr lambdax)))180 (mv-let (res num2)181 (expand-fn-help body fn-lst fn-level-lst fn-waitingfn-extended num state)182 (mv-let (res2 num3)183 (expand-fn-help-list params fn-lst fn-level-lstfn-waiting fn-extended num2 state)184 (mv (cons (list ’lambda formals res) res2)num3))))))185 ((and (not (lambdap fn0)) (consp fn0))186 (mv-let (res num2)187 (expand-fn-help fn0 fn-lst fn-level-lst fn-waitingfn-extended num state)188 (mv-let (res2 num3)189 (expand-fn-help-list params fn-lst fn-level-lstfn-waiting fn-extended num2 state)190 (mv (cons res res2) num3))))114B.1. ACL2 Expansion, Translation and Interpretation191 (t (prog2$ (cw "Error(function): can not pattern match:~q0" expr)192 (mv expr num)))193 )))194 (t (prog2$ (cw "Error(function): strange expression == ~q0"expr)195 (mv expr num)))))196 )197 )198199 (mutual-recursion200201 ;; rewrite-formula-params202 (defun rewrite-formula-params (expr let-expr)203 "rewrite-formula-params: a helper function for dealing with theparam list of rewrite-formula function"204 (if (endp expr)205 nil206 (cons (rewrite-formula (car expr) let-expr)207 (rewrite-formula-params (cdr expr) let-expr))))208209 ;; rewrite-formula210 ;; rewrite the formula according to given hypothesis andlet-expression211 (defun rewrite-formula (expr let-expr)212 "rewrite-formula rewrites an expression by replacingcorresponding terms in the let expression"213 (cond ((atom expr) ;; if expr is an atom214 (let ((res-pair (assoc-equal expr let-expr)))215 (if (equal res-pair nil)216 expr217 (cadr res-pair))))218 ;; if expr is a consp219 ((consp expr)220 (let ((fn (car expr))221 (params (cdr expr)))222 (if (listp fn)115B.1. ACL2 Expansion, Translation and Interpretation223 ;; if first elem of expr is a list224 (cond225 ;; if it is a lambda expression226 ((lambdap fn)227 (let ((lambda-params (cadr fn))228 (lambda-body (caddr fn)))229 (let ((res-pair (assoc-lambda230 lambda-body231 (create-assoc lambda-params params)232 let-expr)))233 (if (not (equal res-pair nil))234 (cadr res-pair)235 (cons (list ’lambda lambda-params (rewrite-formulalambda-body let-expr))236 (rewrite-formula-params params let-expr))))))237 ;; if it is a only a list, for handling nested list238 (t239 (cons (rewrite-formula fn let-expr)240 (rewrite-formula-params params let-expr))))241 ;; if first elem of expr is an atom242 (let ((res-pair (assoc-equal expr let-expr)))243 (if (not (equal res-pair nil))244 (cadr res-pair)245 (cons fn (rewrite-formula-params params let-expr)))))))246 ;; if expr is nil247 (t (cw "Error(function): nil expression."))))248 )249250 ;; extract-orig-param251 (defun extract-orig-param (expr)252 (mv-let (decl-list hypo-list concl-list)253 (SMT-extract expr)254 (get-orig-param decl-list)))255256 ;; augment-formula257 (defun augment-formula (expr new-decl let-type new-hypo)116B.1. ACL2 Expansion, Translation and Interpretation258 "augment-formula: for creating a new expression with hypothesisaugmented with new-hypo, assuming new-hypo only adds to thehypo-list"259 (mv-let (decl-list hypo-list concl-list)260 (SMT-extract expr)261 (list ’implies262 (list ’if263 (append-and-decl decl-list new-decl let-type)264 (append-and-hypo hypo-list new-hypo)265 ’’nil)266 concl-list267 )))268269 ;; reform-let270 (defun reform-let (let-expr)271 "reform-let: reforms a let expression for convenient fetch"272 (let ((inverted-let-expr (invert-assoc let-expr)))273 (if (assoc-no-repeat inverted-let-expr)274 inverted-let-expr275 (cw "Error(function): there’s repetition in the associatelist’s values ~q0" let-expr))))276277 ;; initial-level-help278 (defun initial-level-help (fn-lst fn-level)279 "initial-level-help: binding a level to each function forexpansion. fn-lst is a list of functions, fn-level is thenumber of levels we want to expand the functions."280 (if (endp fn-lst)281 nil282 (cons (list (car fn-lst) fn-level)283 (initial-level-help (cdr fn-lst) fn-level))))284285 ;; initial-level286 (defun initial-level (fn-lst fn-level)287 "initial-level: binding a level to each function for expansion"288 (if (not (integerp fn-level))289 (initial-level-help fn-lst 1)117B.1. ACL2 Expansion, Translation and Interpretation290 (initial-level-help fn-lst fn-level)))291292 ;; split-fn-from-type293 (defun split-fn-from-type (fn-lst-with-type)294 ""295 (if (endp fn-lst-with-type)296 nil297 (cons (caar fn-lst-with-type)298 (split-fn-from-type (cdr fn-lst-with-type)))))299300 ;; replace-a-rec-fn301 (defun replace-a-rec-fn (expr fn-lst-with-type fn-var-decl num)302 ""(mv-let (name res-num)303 (create-name num)304 (prog2$ (cw "~q0" name305 ;;(cons (list name306 ;; expr307 ;; (cadr (assoc (car expr) fn-lst-with-type)))308 ;; fn-var-decl)309 ;;res-num310 )311 (mv name312 (cons (list name313 expr314 (cadr (assoc (car expr) fn-lst-with-type)))315 fn-var-decl)316 res-num))))317318 (mutual-recursion319320 ;; replace-rec-fn-params321 (defun replace-rec-fn-params (expr fn-lst-with-type fn-var-decl num)322 ""323 (if (endp expr)324 (mv expr fn-var-decl num)325 (mv-let (res-expr1 res-fn-var-decl1 res-num1)326 (replace-rec-fn (car expr) fn-lst-with-type fn-var-decl num)118B.1. ACL2 Expansion, Translation and Interpretation327 (mv-let (res-expr2 res-fn-var-decl2 res-num2)328 (replace-rec-fn-params (cdr expr) fn-lst-with-typeres-fn-var-decl1 res-num1)329 (mv (cons res-expr1 res-expr2)330 res-fn-var-decl2331 res-num2)))))332333 ;; replace-rec-fn334 ;; 2014-07-04335 ;; added function for postorder traversal336 (defun replace-rec-fn (expr fn-lst-with-type fn-var-decl num)337 ""338 (cond ((atom expr)339 (mv expr fn-var-decl num))340 ((consp expr)341 (let ((fn0 (car expr)) (params (cdr expr)))342 (cond343 ((and (atom fn0) (not (endp (assoc fn0fn-lst-with-type)))) ;; function exists in the list344 (prog2$ (cw "fn-lst-with-type: ~q0" fn-lst-with-type)345 (mv-let (res fn-var-decl2 num2)346 (replace-a-rec-fn expr fn-lst-with-type fn-var-declnum)347 (prog2$ (cw "res: ~q0 fn-var-decl2: ~q1, num2: ~q2"res fn-var-decl2 num2)348 (mv res fn-var-decl2 num2)))))349 ((atom fn0) ;; when expr is a un-expandable function350 (mv-let (res fn-var-decl2 num2)351 (replace-rec-fn-params params fn-lst-with-typefn-var-decl num)352 (mv (cons fn0 res) fn-var-decl2 num2)))353 ((lambdap fn0) ;; function is a lambda expression, expandthe body354 (let ((lambdax fn0) (params (cdr expr)))355 (let ((formals (cadr lambdax)) (body (caddr lambdax)))356 (mv-let (res fn-var-decl2 num2)357 (replace-rec-fn body fn-lst-with-type fn-var-decl num)119B.1. ACL2 Expansion, Translation and Interpretation358 (mv-let (res2 fn-var-decl3 num3)359 (replace-rec-fn-params params fn-lst-with-typefn-var-decl2 num2)360 (mv (cons (list ’lambda formals res) res2)361 fn-var-decl3362 num3))))363 ))364 ((and (not (lambdap fn0)) (consp fn0))365 (mv-let (res fn-var-decl2 num2)366 (replace-rec-fn fn0 fn-lst-with-type fn-var-decl num)367 (mv-let (res2 fn-var-decl3 num3)368 (replace-rec-fn-params params fn-lst-with-typefn-var-decl2 num2)369 (mv (cons res res2) fn-var-decl3 num3))))370 (t (prog2$ (cw "Error(function): Can not pattern match,~q0" expr)371 (mv expr fn-var-decl num)))372 )))373 (t (prog2$ (cw "Error(function): Strange expr, ~q0" expr)374 (mv expr fn-var-decl num)))))375376 )377378 ;; expand-fn379 (defun expand-fn (expr fn-lst-with-type fn-level let-expr let-typenew-hypo state)380 "expand-fn: takes an expr and a list of functions, unroll theexpression. fn-lst is a list of possible functions forunrolling."381 (let ((fn-lst (split-fn-from-type fn-lst-with-type)))382 (let ((reformed-let-expr (reform-let let-expr)))383 (let ((fn-level-lst (initial-level fn-lst fn-level)))384 (mv-let (res-expr1 res-num1)385 (expand-fn-help (rewrite-formula expr reformed-let-expr)386 fn-lst fn-level-lst fn-lst nil 0 state)387 (mv-let (res-expr res-fn-var-decl res-num)388 (replace-rec-fn res-expr1 fn-lst-with-type nil res-num1)120B.1. ACL2 Expansion, Translation and Interpretation389 (let ((rewritten-expr390 (augment-formula (rewrite-formula res-exprreformed-let-expr)391 (assoc-get-value reformed-let-expr)392 let-type393 new-hypo)))394 (let ((res (rewrite-formula res-expr1reformed-let-expr)))395 (let ((expr-return ;; (augment-formula res396 ;; (assoc-get-value reformed-let-expr)397 ;; let-type398 ;; new-hypo)399 res400 )401 (orig-param (extract-orig-param res)))402 (prog2$ (cw "~q0~%~q1~%" rewritten-expr expr-return)403 (mv rewritten-expr expr-return res-num orig-paramres-fn-var-decl)))))))))))1 ;; SMT-formula contains functions for constructing a SMT formula inACL22 (in-package "ACL2")34 ;; -------------- SMT-operator -----------:5 (defun operator-list (opr)6 "operator-list: an associate list with possible SMT operators"7 (assoc opr ’((binary-+ binary-+ 0)8 (binary-- binary-- 2)9 (binary-* binary-* 0)10 (unary-/ unary-/ 1)11 (unary-- unary-- 1)12 (equal equal 2)13 (> > 2)14 (>= >= 2)15 (< < 2)16 (<= <= 2)17 (if if 3)121B.1. ACL2 Expansion, Translation and Interpretation18 (not not 1)19 (lambda lambda 2)20 ;; (list list 0)21 ;; (nth nth 2)22 (implies implies 2)23 (integerp integerp 1)24 (rationalp rationalp 1)25 (booleanp booleanp 1)26 (my-floor my-floor 1))))2728 (defun is-SMT-operator (opr)29 "is-SMT-operator: given an operator in ACL2 format, check if it’svalid"30 (if (equal (operator-list opr) nil)31 nil32 t))3334 ;; SMT-operator35 (defun SMT-operator (opr)36 "SMT-operator: given an operator in ACL2 format, establish itsACL2 format by looking up the associated list"37 (if (is-SMT-operator opr)38 (cadr (operator-list opr))39 (prog2$ (cw "Error(formula): Operator ~q0 does not exist!" opr)40 nil)))4142 ;; --------------------- SMT-type -------------------------:4344 ;; is-SMT-type45 (defun is-SMT-type (type)46 "SMT-type: given a type in ACL2 format, check if it’s valid"47 (if (or (equal type ’RATIONALP)48 (equal type ’INTEGERP)49 (equal type ’BOOLEANP))50 t51 nil))52122B.1. ACL2 Expansion, Translation and Interpretation53 ;; SMT-type54 (defun SMT-type (type)55 "SMT-type: given a type in ACL2 format, establish its ACL2 formatby looking up the associated list"56 (if (is-SMT-type type)57 type58 (prog2$ (cw "Error(formula): Type ~q0 not supported!" type)59 nil)))6061 ;; --------------------- SMT-number -------------------------:6263 ;; is-SMT-rational64 (defun is-SMT-rational (number)65 "is-SMT-rational: Check if this is a SMT rational number"66 (if (and (rationalp number)67 (not (integerp number)))68 t69 nil))7071 ;; is-SMT-integer72 (defun is-SMT-integer (number)73 "is-SMT-integer: Check if this is a SMT integer number"74 (if (integerp number)75 t76 nil))7778 ;; is-SMT-number79 (defun is-SMT-number (number)80 "is-SMT-number: Check if this is a SMT number"81 (if (or (is-SMT-rational number)82 (is-SMT-integer number))83 t84 nil))8586 ;; SMT-number87 (defun SMT-number (number)88 "SMT-number: This is a SMT number"123B.1. ACL2 Expansion, Translation and Interpretation89 (if (is-SMT-number number)90 number91 (cw "Error(formula): This is not a valid SMT number: ~q0"number)))9293 ;; --------------------- SMT-variable -------------------------:94 ;; Q: I want to add a check on possible SMT-variables.9596 ;; is-SMT-variable97 (defun is-SMT-variable (var)98 "is-SMT-variable: check if a variable is a SMT var"99 (if (symbolp var) t nil))100101 ;; SMT-variable102 (defun SMT-variable (var)103 "SMT-variable: This is a SMT variable name"104 (if (is-SMT-variable var)105 var106 (cw "Error(formula): This is not a valid SMT variable name:~q0" var)))107108 ;; --------------------- SMT-constant -------------------------:109110 ;; is-SMT-constant-name111 (defun is-SMT-constant-name (name)112 "is-SMT-constant-name: Check if this is a SMT constant name"113 (if (symbolp name) t nil))114115 ;; SMT-constant-name116 (defun SMT-constant-name (name)117 "SMT-constant-name: This is a SMT constant name"118 (if (is-SMT-constant-name name)119 name120 (cw "Error(formula): This is not a valid SMT constant name:~q0" name)))121122 ;; SMT-constant124B.1. ACL2 Expansion, Translation and Interpretation123 (defun SMT-constant (constant)124 "SMT-constant: This is a SMT constant declaration"125 (if (not (equal (len constant) 2))126 (cw "Error(formula): Wrong number of elements in a constantdeclaration list: ~q0" constant)127 (let ((name (car constant))128 (value (cadr constant)))129 (list (SMT-constant-name name) (SMT-number value)))))130131 ;; SMT-constant-list-help132 (defun SMT-constant-list-help (constant-list)133 "SMT-constant-list: This is a list of SMT constant declarations,the helper function"134 (if (consp constant-list)135 (cons (SMT-constant (car constant-list))(SMT-constant-list-help (cdr constant-list)))136 nil))137138 ;; SMT-constant-list139 (defun SMT-constant-list (constant-list)140 "SMT-constant-list: This is a list of SMT constant declarations"141 (if (not (listp constant-list))142 (cw "Error(formula): The SMT constant list is not in theright form: ~q0" constant-list)143 (SMT-constant-list-help constant-list)))144145 ;; --------------------- SMT-declaration -------------------------:146147 ;; SMT-declaration148 (defun SMT-declaration (decl)149 "SMT-declaration: This is a SMT variable declaration"150 (if (not (equal (len decl) 2))151 (cw "Error(formula): Wrong number of elements in a variabledeclaration list: ~q0" decl)152 (let ((type (car decl))153 (name (cadr decl)))154 (list (SMT-type type) (SMT-variable name)))))125B.1. ACL2 Expansion, Translation and Interpretation155156 ;; SMT-declaration-list-help157 (defun SMT-declaration-list-help (decl-list)158 "SMT-declaration-list-help: This is a list of SMT variabledeclarations, the helper function"159 (if (consp decl-list)160 (cond ((equal (car decl-list) ’if)161 (cons (SMT-declaration (cadr decl-list))162 (SMT-declaration-list-help (caddr decl-list))))163 (t (cons (SMT-declaration decl-list)164 nil)))165 nil))166167 ;; SMT-declaration-list168 (defun SMT-declaration-list (decl-list)169 "SMT-decl-list: This is a list of SMT variable declarations"170 (if (not (listp decl-list))171 (cw "Error(formula): The SMT declaration list is not in theright form: ~q0" decl-list)172 (SMT-declaration-list-help decl-list)))173174 ;; --------------------- SMT-expression -------------------------:175176 (mutual-recursion177178 ;; SMT-lambda-formal179 (defun SMT-lambda-formal (formal)180 "SMT-lambda-formal: check if it’s a valid formal list for alambda expression"181 (if (endp formal)182 nil183 (if (symbolp (car formal))184 (cons (car formal)185 (SMT-lambda-formal (cdr formal)))186 (cw "Error(formula): not a valid symbol in a formal list ~q0"(car formal)))))187126B.1. ACL2 Expansion, Translation and Interpretation188 ;; SMT-expression-long189 (defun SMT-expression-long (expression)190 "SMT-expression-long: recognize a SMT expression, in a SMTexpression’s parameters"191 (if (consp expression)192 (cons (SMT-expression (car expression))193 (SMT-expression-long (cdr expression)))194 nil))195196 ;; SMT-expression197 (defun SMT-expression (expression)198 "SMT-expression: a SMT expression in ACL2"199 (if (consp expression)200 (cond ((and (consp (car expression))201 (is-SMT-operator (caar expression))202 (equal (caar expression) ’lambda))203 (cons (list (SMT-operator204 (car (car expression)))205 (SMT-lambda-formal206 (cadr (car expression)))207 (SMT-expression208 (caddr (car expression))))209 (SMT-expression-long (cdr expression))))210 ((is-SMT-operator (car expression))211 (cons (SMT-operator (car expression))212 (SMT-expression-long (cdr expression))))213 ;; for handling a list214 ((equal (car expression) ’QUOTE)215 (if (consp (cadr expression))216 (cons ’list217 (SMT-expression-long (cadr expression)))218 (SMT-expression (cadr expression))))219 (t (cw "Error(formula): This is not a valid operator: ~q0"expression)))220 (cond ((is-SMT-number expression) (SMT-number expression))221 ((is-SMT-variable expression) (SMT-variable expression))127B.1. ACL2 Expansion, Translation and Interpretation222 (t (cw "Error(formula): Invalid number or variable: ~q0"expression)))))223 )224225 ;; --------------------- SMT-hypothesis -------------------------:226227 ;; SMT-hypothesis-list228 (defun SMT-hypothesis-list (hyp-list)229 "SMT-hypothesis-list: This is a SMT hypothesis list"230 (if (not (listp hyp-list))231 (cw "Error(formula): The SMT hypothesis list is not in theright form: ~q0" hyp-list)232 (SMT-expression hyp-list)))233234 ;; --------------------- SMT-conclusion -------------------------:235236 ;; SMT-conclusion-list237 (defun SMT-conclusion-list (concl-list)238 "SMT-conclusion-list: This is a SMT conclusion list"239 (if (not (listp concl-list))240 (cw "Error(formula): The SMT conclusion list is not in theright form: ~q0" concl-list)241 (SMT-expression concl-list)))242 ;; --------------------- SMT-formula ----------------------------:243244 ;; SMT-formula245 (defun SMT-formula (const-list246 decl-list247 hyp-list248 concl-list)249 "SMT-formula: This is a SMT formula"250 (list (SMT-constant-list const-list)251 (SMT-declaration-list decl-list)252 (SMT-hypothesis-list hyp-list)253 (SMT-conclusion-list concl-list))254 )255128B.1. ACL2 Expansion, Translation and Interpretation256 ;; SMT-formula-top257 (defmacro SMT-formula-top (&key const-list258 decl-list259 hyp-list260 concl-list)261 "SMT-formula-top: This is a macro for fetching parameters of aSMT formula"262 (list ’quote (SMT-formula const-list263 decl-list264 hyp-list265 concl-list))266 )1 ;; translate-SMT-formula translate a SMT formula in ACL2 into Z3python code2 (in-package "ACL2")3 (include-book "SMT-formula")4 (include-book "helper")56 ;; -------------- translate operator -----------:78 ;; translate-operator-list9 (defun translate-operator-list (opr)10 "translate-operator-list: look up an associate list for thetranslation"11 (assoc opr ’((binary-+ "" 0)12 (binary-- "s.minus" 2)13 (binary-* "s.times" 0)14 (unary-/ "s.reciprocal" 1)15 (unary-- "s.negate" 1)16 (equal "s.equal" 2)17 (> "" 2)18 (>= "" 2)19 (< "" 2)20 (<= "s.le" 2)21 (if "s.ifx" 3)22 (not "s.notx" 1)129B.1. ACL2 Expansion, Translation and Interpretation23 (lambda "lambda" 2)24 ;; (nth "s.nth" 2)25 ;; (list "s.array" 0)26 (implies "s.implies" 2)27 (integerp "s.integerp" 1)28 (rationalp "s.rationalp" 1)29 (booleanp "s.booleanp" 1)30 (my-floor "s.floor" 1))))3132 ;; translate-operator33 (defun translate-operator (opr)34 "translate-operator: given an operator in ACL2 format, translateinto its Z3 format by looking up the associated list"35 (let ((result (translate-operator-list opr)))36 (if (equal result nil)37 (prog2$ (cw "Error(translator): Operator ~q0 does not exist!"opr)38 nil)39 (cadr result))))4041 ;; ----------------------- translate-type-----------------------------:4243 ;; translate-type-list44 (defun translate-type-list (type)45 "translate-type-list: look up an associate list for thetranslation"46 (assoc type ’((RATIONALP "s.isReal")47 (INTEGERP "s.isReal")48 (BOOLEANP "s.isBool"))))4950 ;; translate-type51 (defun translate-type (type)52 "translate-type: translates a type in ACL2 SMT-formula into Z3type" ;; all using reals because Z3 is not very good atmixed types53 (let ((result (translate-type-list type)))130B.1. ACL2 Expansion, Translation and Interpretation54 (if (equal result nil)55 (prog2$ (cw "Error(translator): Type ~q0 does not exist!" type)56 nil)57 (cadr result))))5859 ;; ----------------------- translate-number-----------------------------:6061 ;; translate-number62 (defun translate-number (num)63 "translate-number: translates ACL2 SMT-number into a Z3 number"64 (if (is-SMT-rational num)65 (list "Q(" (numerator num) "," (denominator num) ")")66 (if (is-SMT-integer num)67 num68 (cw "Error(translator): Cannot translate an unrecognizednumber: ~q0" num))))6970 ;; ----------------------- translate-variable---------------------------:7172 ;; translate-variable73 (defun translate-variable (var)74 "translate-variable: transalte a SMT variable into Z3 variable"75 (if (is-SMT-variable var)76 var77 (cw "Error(translator): Cannot translate an unrecognizedvariable: ~q0" var)))7879 ;; ----------------------- translate-constant---------------------------:8081 ;; translate-const-name82 (defun translate-const-name (const-name)83 "translate-const-name: translate a SMT constant name into Z3"84 (subseq85 (coerce (symbol-name const-name) ’list)131B.1. ACL2 Expansion, Translation and Interpretation86 1 (1- (len const-name))))8788 ;; translate-constant89 (defun translate-constant (const)90 "translate-constant: translate a SMT constant definition into Z3code"91 (list (translate-const-name (car const)) ’= (translate-number(cadr const))))9293 ;; translate-constant-list94 (defun translate-constant-list (const-list)95 "translate-constant-list: translate a SMT constant list in ACL2into a Z3 line of code"96 (if (consp const-list)97 (cons (translate-constant (car const-list))98 (cons #\Newline (translate-constant-list (cdr const-list))))99 nil))100101 ;; ;; check-const102 ;; (defun check-const (expr)103 ;; "check-const: check to see if an expression is a constant"104 ;; (if (and (atom expr)105 ;; (let ((expr-list (coerce (symbol-name expr) ’list)))106 ;; (and (equal #\* (car expr-list))107 ;; (equal #\* (nth (1- (len expr-list)) expr-list)))))108 ;; t109 ;; nil))110111 ;; ;; get-constant-list-help112 ;; (defun get-constant-list-help (expr const-list)113 ;; "get-constant-list-help: check all constants in a clause"114 ;; (cond115 ;; ( (consp expr)116 ;; (let ((const-list-2 (get-constant-list-help (car expr)const-list)))117 ;; (get-constant-list-help (cdr expr) const-list-2))118 ;; )132B.1. ACL2 Expansion, Translation and Interpretation119 ;; ( (check-const expr)120 ;; (mv-let (keyword name value)121 ;; (pe expr) ;; pe will not be working for this122 ;; (cons (list expr (translate-number value)) const-list))123 ;; )124 ;; ( (atom expr)125 ;; (get-constant-list-help (cdr expr) const-list)126 ;; )127 ;; ( t128 ;; const-list129 ;; )130 ;; )131 ;; )132133 ;; ;; get-constant-list134 ;; (defun get-constant-list (expr)135 ;; "get-constant-list: get the list of constants in an associatelist"136 ;; (get-constant-list-help expr ’()))137138139 ;; ----------------------- translate-declaration---------------------------:140141 ;; translate-declaration142 (defun translate-declaration (decl)143 "translate-declaration: translate a declaration in ACL2 SMTformula into Z3 declaration"144 (let ((type (car decl))145 (name (cadr decl)))146 (list (translate-variable name) ’= (translate-type type) ’\(’\" (translate-variable name) ’\" ’\))))147148 ;; translate-declaration-list149 (defun translate-declaration-list (decl-list)150 "translate-declaration-list: translate a list of SMT-formuladeclarations into Z3 code"133B.1. ACL2 Expansion, Translation and Interpretation151 (if (consp decl-list)152 (cons (translate-declaration (car decl-list))153 (cons #\Newline (translate-declaration-list (cdrdecl-list))))154 nil))155156 ;; ----------------------- translate-expression--------------------------:157158 ;; make-lambda-list159 (defun make-lambda-list (lambda-list)160 "make-lambda-list: translating the binding list of a lambdaexpression"161 (if (endp (cdr lambda-list))162 (car lambda-list)163 (cons (car lambda-list)164 (cons ’\, (make-lambda-list (cdr lambda-list))))))165166 (skip-proofs167 (mutual-recursion168169 ;; translate-expression-long170 (defun translate-expression-long (expression)171 "translate-expression-long: translate a SMT expression’sparameters in ACL2 into Z3 expression"172 (if (endp (cdr expression))173 (translate-expression (car expression))174 (cons (translate-expression (car expression))175 (cons ’\,176 (translate-expression-long177 (cdr expression))))))178179 ;; stuff.let([’x’, 2.0], [’y’, v(’a’)*v(’b’) + v(’c’)], [’z’,...]).inn(2*v(’x’) - v(’y’))180 ;; translate-expression181 (defun translate-expression (expression)134B.1. ACL2 Expansion, Translation and Interpretation182 "translate-expression: translate a SMT expression in ACL2 to Z3expression"183 (if (and (not (equal expression nil))184 (consp expression)185 (not (equal expression ’’1)))186 (cond ((and (consp (car expression))187 (is-SMT-operator (caar expression))188 ;; special treatment for let expression189 (equal (caar expression) ’lambda))190 (list ’\(191 (translate-operator (caar expression))192 #\Space193 (if (endp (cadr (car expression)))194 #\Space195 (make-lambda-list (cadr (car expression))))196 ’\:197 (translate-expression (caddr (car expression)))198 ’\) ’\(199 (if (endp (cdr expression))200 #\Space201 (translate-expression-long (cdr expression)))202 ’\)))203 ;; ((and (is-SMT-operator (car expression))204 ;; (equal (car expression) ’list))205 ;; (list (translate-operator (car expression))206 ;; ’\( ’\[207 ;; (translate-expression-long (cdr expression))208 ;; ’\] ’\)))209 ((is-SMT-operator (car expression))210 (list (translate-operator (car expression))211 ’\(212 (translate-expression-long (cdr expression))213 ’\)))214 (t (list "s.unknown" ’\( (translate-expression-long (cdrexpression)) ’\))))215 (cond ((is-SMT-number expression)216 (translate-number expression))135B.1. ACL2 Expansion, Translation and Interpretation217 ((equal expression ’nil) "False") ;; what if when ’nil is alist?218 ((equal expression ’t) "True")219 ((is-SMT-variable expression)220 (translate-variable expression))221 (t (cw "Error(translator): Invalid number or variable: ~q0"expression)))))222 )223 )224 ;; ----------------------- translate-hypothesis--------------------------:225226 ;; translate-hypothesis-list227 (defun translate-hypothesis-list (hyp-list)228 "translate-hypothesis-list: translate a SMT-formula hypothesisstatement into Z3"229 (list (cons "hypothesis"230 (cons ’= (translate-expression hyp-list))) #\Newline))231232 ;; ----------------------- translate-conclusion--------------------------:233 ;; translate-conclusion-list234 (defun translate-conclusion-list (concl-list)235 "translate-conclusion-list: translate a SMT-formula conclusionstatement into Z3"236 (list (cons "conclusion"237 (cons ’= (translate-expression concl-list))) #\Newline))238239 ;; ----------------------- translate-theorem--------------------------:240 ;; translate-theorem241 (defun translate-theorem ()242 "translate-theorem: construct a theorem statement for Z3"243 (list "s.prove(hypothesis, conclusion)" #\Newline))244245 ;; ----------------------- translate-SMT-formula--------------------------:136B.1. ACL2 Expansion, Translation and Interpretation246247 ;; translate-SMT-formula248 (defun translate-SMT-formula (formula)249 "translate-SMT-formula: translate a SMT formula into its Z3 code"250 (let (;(const-list (car formula))251 (decl-list (cadr formula))252 (hypo-list (caddr formula))253 (concl-list (cadddr formula)))254 (list ;;(translate-constant-list255 ;; (get-constant-list formula))256 (translate-declaration-list decl-list)257 (translate-hypothesis-list hypo-list)258 (translate-conclusion-list concl-list)259 (translate-theorem))))1 (in-package "ACL2")2 (include-book "./helper")3 (include-book "./SMT-run")4 (include-book "./SMT-interpreter")5 (include-book "./SMT-function")6 (include-book "./SMT-translator")7 (defttag :tshell)8 (value-triple (tshell-ensure))9 (set-state-ok t)10 (set-ignore-ok t)11 (program)1213 (mutual-recursion14 ;; lisp-code-print-help15 (defun lisp-code-print-help (lisp-code-list indent)16 "lisp-code-print-help: make a printable lisp code list"17 (if (endp lisp-code-list)18 nil19 (list #\Space20 (lisp-code-print (car lisp-code-list) indent)21 (lisp-code-print-help (cdr lisp-code-list) indent))))22137B.1. ACL2 Expansion, Translation and Interpretation23 ;; lisp-code-print: make printable lisp list24 (defun lisp-code-print (lisp-code indent)25 "lisp-code-print: make a printable lisp code list"26 (cond ((equal lisp-code ’nil) "nil") ;;27 ((equal lisp-code ’quote) "’") ;; quote28 ((atom lisp-code) lisp-code)29 ((and (equal 2 (length lisp-code))30 (equal (car lisp-code) ’quote))31 (cons "’"32 (lisp-code-print (cadr lisp-code)33 (cons #\Space34 (cons #\Space indent)))))35 (t36 (list #\Newline indent ’\(37 (cons (lisp-code-print (car lisp-code)38 (cons #\Space39 (cons #\Space indent)))40 (lisp-code-print-help (cdr lisp-code)41 (cons #\Space42 (cons #\Space indent))))43 ’\) ))))44 )4546 ;; my-prove-SMT-formula47 (defun my-prove-SMT-formula (term)48 "my-prove-SMT-formula: check if term is a valid SMT formula"49 (let ((decl-list (cadr (cadr term)))50 (hypo-list (caddr (cadr term)))51 (concl-list (caddr term)))52 (SMT-formula ’()53 decl-list54 hypo-list55 concl-list)))5657 ;; my-prove-write-file58 (defun my-prove-write-file (term fdir state)59 "my-prove-write-file: write translated term into a file"138B.1. ACL2 Expansion, Translation and Interpretation60 (write-SMT-file fdir61 (translate-SMT-formula62 (my-prove-SMT-formula term))63 state))6465 ;; my-prove-write-expander-file66 (defun my-prove-write-expander-file (expanded-term fdir state)67 "my-prove-write-expander-file: write expanded term into a logfile"68 (write-expander-file fdir69 expanded-term70 state))7172 ;; create-level73 (defun create-level (level index)74 "create-level: creates a name for a level"75 (intern-in-package-of-symbol76 (concatenate ’string level (str::natstr index)) ’ACL2))7778 ;; my-prove-build-log-file79 (defun my-prove-build-log-file (expanded-term-list index)80 "my-prove-build-log-file: write the log file for expanding thefunctions"81 (if (endp expanded-term-list)82 nil83 (cons (list (create-level "level " index) ’\:84 (lisp-code-print85 (car expanded-term-list) ’())86 #\Newline #\Newline)87 (my-prove-build-log-file88 (cdr expanded-term-list) (1+ index)))))8990 ;; translate added hypothesis to underling representation91 (defun translate-hypo (hypo state)92 "translate-hypo: translate added hypothesis to underlingrepresentation"93 (if (endp hypo)139B.1. ACL2 Expansion, Translation and Interpretation94 (mv nil state)95 (mv-let (res1 state)96 (translate-hypo (cdr hypo) state)97 (mv-let (erp res state)98 (translate (car hypo) t nil t nil (w state) state)99 (if (endp res)100 (mv (cons (car hypo) res1) state)101 (mv (cons res res1) state)))102 )))103104 ;; translate a let binding for added hypothesis105 (defun translate-let (let-expr state)106 "translate-let: translate a let binding for added hypo"107 (if (endp let-expr)108 (mv nil state)109 (mv-let (res1 state)110 (translate-let (cdr let-expr) state)111 (mv-let (erp res state)112 (translate (cadar let-expr) t nil t nil (w state) state)113 (if (endp res)114 (mv (cons (list (caar let-expr) (cadar let-expr) (caddarlet-expr)) res1) state)115 (mv (cons (list (caar let-expr) res (caddar let-expr))res1) state)))116 )))117118 ;; get-hint-formula119 (defun get-hint-formula (name state)120 "get-hint-formula: get the formula by a hint’s name"121 (formula name t (w state)))122123 ;; add-hints124 (defun add-hints (hints clause state)125 "add-hints: add a list of hint to a clause, in the form of ((nothint3) ((not hint2) ((not hint1) clause)))"126 (if (endp hints)127 clause140B.1. ACL2 Expansion, Translation and Interpretation128 (add-hints (cdr hints)129 (cons (list ’not (get-hint-formula (car hints) state))clause)130 state)))131132 ;; construct augmented result133 (defun augment-hypothesis-helper (rewritten-term let-exprorig-param main-hints state)134 "augment-hypothesis: augment the returned clause with \135 new hypothesis in lambda expression"136 (cond ((and (endp let-expr) (endp main-hints))137 (list (list ’not rewritten-term)))138 ((and (endp main-hints) (not (endp let-expr)))139 (list (list ’not140 (cons (list ’lambda (append (assoc-get-key let-expr)orig-param) rewritten-term)141 (append (assoc-get-value let-expr) orig-param)))))142 ((and (not (endp main-hints)) (endp let-expr))143 (add-hints main-hints (list (list ’not rewritten-term)) state))144 (t145 (add-hints main-hints146 (list (list ’not147 (cons (list ’lambda (append (assoc-get-key let-expr)orig-param) rewritten-term)148 (append (assoc-get-value let-expr) orig-param))))149 state))150 ))151152 (defun add-aux (clause aux-thms)153 (if (endp aux-thms)154 clause155 (add-aux (let ((thm (car aux-thms)))156 (cons (list ’not157 (list ’implies (cadar thm) (cadr thm)))158 clause))159 (cdr aux-thms)160 )))141B.1. ACL2 Expansion, Translation and Interpretation161162 (defun augment-hypothesis (rewritten-term let-expr orig-parammain-hints aux-thms state)163 (prog2$ (cw "aux-thms: ~q0~%" aux-thms)164 (let ((res (augment-hypothesis-helper rewritten-term let-exprorig-param main-hints state)))165 (add-aux res aux-thms))))166167 ;;separate-type168 (defun separate-type (let-expr)169 "separate-type: separate let expression types from letexpression, I do it in this way for convenience. I might wantto use them as a whole in the future."170 (if (endp let-expr)171 (mv nil nil)172 (mv-let (res-let-expr res-let-type)173 (separate-type (cdr let-expr))174 (mv (cons (list (caar let-expr) (cadar let-expr))175 res-let-expr)176 (cons (caddar let-expr)177 res-let-type)))))178179 (defun create-type-theorem-helper-no-hints (decl-hypo-list let-exprlet-type)180 (if (endp let-expr)181 nil182 (cons (list (list ’not183 (list ’if (cadr decl-hypo-list)184 (append-and-hypo (caddr decl-hypo-list)185 (list (list ’equal (caar let-expr) (cadarlet-expr))))186 ’’nil))187 (list (car let-type) (caar let-expr)))188 (create-type-theorem-helper-no-hints decl-hypo-list (cdrlet-expr) (cdr let-type)))))189142B.1. ACL2 Expansion, Translation and Interpretation190 (defun create-type-theorem-helper-with-hints (decl-hypo-listlet-expr let-type let-hints state)191 (if (endp let-expr)192 nil193 (cons (add-hints (car let-hints)194 (list (list ’not195 (list ’if (cadr decl-hypo-list)196 (append-and-hypo (caddr decl-hypo-list)197 (list (list ’equal (caar let-expr) (cadarlet-expr))))198 ’’nil))199 (list (car let-type) (caar let-expr)))200 state)201 (create-type-theorem-helper-with-hints decl-hypo-list (cdrlet-expr) (cdr let-type) (cdr let-hints) state))))202203204 ;; create-type-theorem205 (defun create-type-theorem (decl-hypo-list let-expr let-typelet-hints state)206 "create-type-theorem"207 (if (endp let-hints)208 (create-type-theorem-helper-no-hints decl-hypo-list let-exprlet-type)209 (create-type-theorem-helper-with-hints decl-hypo-listlet-expr let-type let-hints state)))210211 (defun create-hypo-theorem-helper-no-hints (decl-hypo-list let-exprhypo-expr orig-param)212 (if (endp hypo-expr)213 nil214 (cons (list (list ’not decl-hypo-list)215 (cons (list ’lambda (append (assoc-get-key let-expr)orig-param) (car hypo-expr))216 (append (assoc-get-value let-expr) orig-param)))217 (create-hypo-theorem-helper-no-hints decl-hypo-list let-expr(cdr hypo-expr) orig-param))))143B.1. ACL2 Expansion, Translation and Interpretation218219 (defun create-hypo-theorem-helper-with-hints (decl-hypo-listlet-expr hypo-expr orig-param hypo-hints state)220 (if (endp hypo-expr)221 nil222 (cons (add-hints (car hypo-hints)223 (list (list ’not decl-hypo-list)224 (cons (list ’lambda (append (assoc-get-key let-expr)orig-param) (car hypo-expr))225 (append (assoc-get-value let-expr) orig-param)))226 state)227 (create-hypo-theorem-helper-with-hints decl-hypo-listlet-expr (cdr hypo-expr) orig-param (cdr hypo-hints) state))))228229 ;; create-hypo-theorem230 (defun create-hypo-theorem (decl-hypo-list let-expr hypo-exprorig-param hypo-hints state)231 "create-hypo-theorem: create a theorem for proving user addedhypothesis"232 (if (endp hypo-hints)233 (create-hypo-theorem-helper-no-hints decl-hypo-list let-exprhypo-expr orig-param)234 (create-hypo-theorem-helper-with-hints decl-hypo-listlet-expr hypo-expr orig-param hypo-hints state)))235236 ;;create-fn-type-theorem237 (defun create-fn-type-theorem (decl-hypo-list fn-var-decl)238 ""239 (if (endp fn-var-decl)240 nil241 (cons (list (list ’not242 (list ’if (cadr decl-hypo-list)243 (append-and-hypo (caddr decl-hypo-list)244 (list (list ’equal (caar fn-var-decl) (cadarfn-var-decl))))245 ’’nil))246 (list (caddar fn-var-decl) (caar fn-var-decl)))144B.1. ACL2 Expansion, Translation and Interpretation247 (create-fn-type-theorem decl-hypo-list (cdr fn-var-decl)))))248249 ;;add-fn-var-decl-helper250 (defun add-fn-var-decl-helper (decl-term fn-var-decl)251 ""252 (if (endp fn-var-decl)253 decl-term254 (list ’if255 (list (caddar fn-var-decl) (caar fn-var-decl))256 (add-fn-var-decl-helper decl-term (cdr fn-var-decl))257 ’’nil)))258259 ;;add-fn-var-decl260 (defun add-fn-var-decl (term fn-var-decl)261 ""262 (list (car term)263 (list (caadr term)264 (add-fn-var-decl-helper (cadadr term) fn-var-decl)265 (caddr (cadr term))266 (cadddr (cadr term)))267 (caddr term)))268269 ;; my-prove270 (defun my-prove (term fn-lst fn-level fname let-expr new-hypolet-hints hypo-hints main-hints state)271 "my-prove: return the result of calling SMT procedure"272 (let ((file-dir (concatenate ’string273 *dir-files*274 "/"275 fname276 ".py"))277 (expand-dir (concatenate ’string278 *dir-expanded*279 "/"280 fname281 "\_expand.log")))282 (mv-let (hypo-translated state)145B.1. ACL2 Expansion, Translation and Interpretation283 (translate-hypo new-hypo state)284 (mv-let (let-expr-translated-with-type state)285 (translate-let let-expr state)286 (mv-let (let-expr-translated let-type)287 (separate-type let-expr-translated-with-type)288 (mv-let (expanded-term-list-1 expanded-term-list-2 numorig-param fn-var-decl)289 (expand-fn term fn-lst fn-level let-expr-translatedlet-type hypo-translated state)290 (let ((expanded-term-list291 (add-fn-var-decl expanded-term-list-1 fn-var-decl)))292 (prog2$ (cw "Expanded(SMT-z3): ~q0 Final indexnumber: ~q1" expanded-term-list num)293 (let ((state (my-prove-write-expander-file294 (my-prove-build-log-file295 (cons term expanded-term-list) 0)296 expand-dir297 state)))298 (let ((state (my-prove-write-file299 expanded-term-list300 file-dir301 state)))302 (let ((type-theorem (create-type-theorem (cadrterm)303 let-expr-translated304 let-type305 let-hints306 state))307 (hypo-theorem (create-hypo-theorem (cadrterm)308 let-expr-translated309 hypo-translated310 orig-param311 hypo-hints312 state))313 (fn-type-theorem (create-fn-type-theorem(cadr term)146B.1. ACL2 Expansion, Translation and Interpretation314 fn-var-decl)))315 (let ((aug-theorem (augment-hypothesisexpanded-term-list-2316 let-expr-translated317 orig-param318 main-hints319 (append fn-type-theorem320 (append hypo-theorem321 (append type-theorem)))322 state)))323 (if (car (SMT-interpreter file-dir))324 (mv t aug-theorem type-theorem hypo-theoremfn-type-theorem state)325 (mv nil aug-theorem type-theoremhypo-theorem fn-type-theorem state))))))))))))))1 ;; SMT-run writes to Z3, invoke Z3 and gets the result2 (in-package "ACL2")34 (include-book "./config")5 (include-book "std/io/top" :dir :system)6 (include-book "centaur/misc/tshell" :dir :system)7 (defttag :tshell)8 (value-triple (tshell-ensure))910 ;;(set-print-case :downcase state)1112 (set-state-ok t)13 (defttag :writes-okp)1415 ;; princ$-list-of-strings16 (defun princ$-list-of-strings (alist channel state)17 "princ$-list-of-strings: the real function to print the Z3program."18 (if (consp alist)19 (let ((state (princ$-list-of-strings (car alist) channelstate)))147B.1. ACL2 Expansion, Translation and Interpretation20 (princ$-list-of-strings (cdr alist) channel state))21 (if (and (not (equal alist nil))22 (not (acl2-numberp alist))) ;; if alist is a number,should be treated seperately23 (princ$ (string alist) channel state)24 (if (acl2-numberp alist)25 (princ$ alist channel state)26 state))))2728 ;; coerce a list of strings and characters into a string29 (defun coerce-str-and-char-to-str (slist)30 "coerce-str-and-char-to-str: coerce a list of strings andcharacters into a string"31 (if (endp slist)32 nil33 (cond ((stringp (car slist))34 (concatenate ’string35 (car slist)36 (coerce-str-and-char-to-str (cdr slist))))37 ((characterp (car slist))38 (concatenate ’string39 (coerce (list (car slist)) ’STRING)40 (coerce-str-and-char-to-str (cdr slist))))41 (t (cw "Error(run): Invalid list ~q0." (car slist))))))4243 ;; write-head44 (defun write-head ()45 "write-head: writes the head of a z3 file"46 (coerce-str-and-char-to-str47 (list "from sys import path"48 #\Newline49 "path.insert(0,\"" *dir-interface* "\")"50 #\Newline51 "from " *z3-module* " import " *z3-class* ", Q"52 #\Newline53 "s = " *z3-class* "()"54 #\Newline)))148B.1. ACL2 Expansion, Translation and Interpretation5556 ;; write-SMT-file57 (defun write-SMT-file (filename translated-formula state)58 "write-SMT-file: writes the translated formula into a pythonfile, it opens and closes the channel and write the includingof Z3 inteface"59 (mv-let60 (channel state)61 (open-output-channel! filename :character state)62 (let ((state (princ$-list-of-strings63 (write-head) channel state)))64 (let ((state (princ$-list-of-strings translated-formulachannel state)))65 (close-output-channel channel state)))))6667 ;; write-expander-file68 (defun write-expander-file (filename expanded-term state)69 "write-expander-file: write expanded term to a file"70 (mv-let71 (channel state)72 (open-output-channel! filename :character state)73 (let ((state74 (princ$-list-of-strings75 expanded-term channel state)))76 (close-output-channel channel state))))7778 ;; SMT-run79 (defun SMT-run (filename)80 "SMT-run: run the external SMT procedure from ACL2"81 (let ((cmd (concatenate ’string *smt-cmd* " " filename)))82 (time$ (tshell-call cmd83 :print t84 :save t)85 :msg "; Z3: ‘~s0‘: ~st sec, ~sa bytes~%"86 :args (list cmd))))1 ;;SMT-interpreter formats the results149B.1. ACL2 Expansion, Translation and Interpretation23 (in-package "ACL2")4 (include-book "SMT-run")5 (defttag :tshell)678 ;; SMT-interpreter9 (defun SMT-interpreter (filename)10 "SMT-intepreter: get the result returned from calling SMTprocedure"11 (mv-let (finishedp exit-status lines)12 (SMT-run filename)13 (cond ((equal finishedp nil)14 (cw "Warning: the command was interrupted."))15 ((not (equal exit-status 0))16 (cw "Z3 failure: ~q0" lines))17 (t (if (equal (car lines) "proved")18 t19 (cw "~q0" lines))))))1 ;; This file configs the path to below directories:2 ;; 1. Z3_interface3 ;; 2. Z3_files4 ;; 3. name of z3 class5 ;; 4. SMT command6 (in-package "ACL2")7 (defconst *dir-interface*"/ubc/cs/home/y/yanpeng/project/ACL2/smtlink/z3\_interface")8 (defconst *dir-files* "z3\_files")9 (defconst *z3-module* "ACL2\_translator")10 (defconst *z3-class* "to_smt")11 (defconst *smt-cmd* "python")12 (defconst *dir-expanded* "expanded")1 ;; helper functions for basic data structure manipulation2 (in-package "ACL2")3150B.1. ACL2 Expansion, Translation and Interpretation4 ;; exist5 (defun exist (elem lista)6 "exist: check if an element exist in a list"7 (if (endp lista)8 nil9 (if (equal elem (car lista))10 t11 (exist elem (cdr lista)))))1213 ;; end14 (defun end (lista)15 "end: return the last element in a list"16 (if (endp (cdr lista))17 (car lista)18 (end (cdr lista))))1920 ;; my-last21 (defun my-last (listx)22 "my-last: fetch the last element from list"23 (car (last listx)))2425 ;; my-delete26 (defun my-delete (listx elem)27 "my-delete: delete an element from the list. If there’reduplicates, this function deletes the first one in the list."28 (if (endp listx) ;; elem does not exist in the list29 listx30 (if (equal (car listx) elem)31 (cdr listx)32 (cons (car listx)33 (my-delete (cdr listx) elem)))))3435 (defthm delete-must-reduce36 (implies (exist a listx)37 (< (len (my-delete listx a)) (len listx))))3839 ;; dash-to-underscore-char151B.1. ACL2 Expansion, Translation and Interpretation40 (defun dash-to-underscore-char (charx)41 (if (equal charx ’-)42 ’_43 charx))4445 ;; dash-to-underscore-helper46 (defun dash-to-underscore-helper (name-list)47 (if (endp name-list)48 nil49 (cons (dash-to-underscore-char (car name-list))50 (dash-to-underscore-helper (cdr name-list)))))5152 ;; dash-to-underscore53 (defun dash-to-underscore (name)54 (intern-in-package-of-symbol55 (coerce56 (dash-to-underscore-helper57 (coerce (symbol-name name)’list))58 ’string)59 ’ACL2))6061 ;; append-and-decl62 (defun append-and-decl (listx listy let-type)63 "append-and-decl: append two and lists together in the underneathrepresentation"64 (if (endp listy)65 listx66 (append-and-decl67 (list ’if (list (car let-type) (car listy)) listx ’’nil)68 (cdr listy)69 (cdr let-type))))7071 ;; append-and-hypo72 (defun append-and-hypo (listx listy)73 "append-and-hypo: append two and lists together in the underneathrepresentation"74 (if (endp listy)152B.1. ACL2 Expansion, Translation and Interpretation75 listx76 (append-and-hypo77 (list ’if (car listy) listx ’’nil)78 (cdr listy))))7980 ;; assoc-get-value81 (defun assoc-get-value (listx)82 "assoc-get-value: get all values out of an associate list"83 (if (endp listx)84 nil85 (cons (cadar listx)86 (assoc-get-value (cdr listx)))))8788 ;; assoc-get-key89 (defun assoc-get-key (listx)90 "assoc-get-key: get all keys out of an associate list"91 (if (endp listx)92 nil93 (cons (caar listx)94 (assoc-get-key (cdr listx)))))9596 ;; assoc-no-repeat97 (defun assoc-no-repeat (assoc-list)98 "assoc-no-repeat: check if an associate list has repeated keys"99 (if (endp assoc-list)100 t101 (if (equal (assoc-equal (caar assoc-list) (cdr assoc-list))nil)102 (assoc-no-repeat (cdr assoc-list))103 nil)))104105 ;; invert-assoc106 (defun invert-assoc (assoc-list)107 "invert-assoc: invert the key and value pairs in an associatelist"108 (if (endp assoc-list)109 nil153B.1. ACL2 Expansion, Translation and Interpretation110 (cons (list (cadar assoc-list) (caar assoc-list))111 (invert-assoc (cdr assoc-list)))))112113 ;; create-assoc-helper114 (defun create-assoc-helper (list-keys list-values)115 (if (endp list-keys)116 nil117 (cons (list (car list-keys) (car list-values))118 (create-assoc-helper (cdr list-keys) (cdr list-values)))))119120 ;; create-assoc121 (defun create-assoc (list-keys list-values)122 "create-assoc: combines two lists together to form an associatelist"123 (if (equal (len list-keys) (len list-values))124 (create-assoc-helper list-keys list-values)125 (cw "Error(helper): list-keys and list-values should be ofthe same len.")))126127 ;; replace-lambda-params128 (defun replace-lambda-params (expr lambda-params-mapping)129 "replace-lambda-params: replace params in the expression usingthe mapping"130 (if (atom expr)131 (let ((res (assoc-equal expr lambda-params-mapping)))132 (if (equal res nil)133 expr134 (cadr res)))135 (cons (replace-lambda-params (car expr)lambda-params-mapping)136 (replace-lambda-params (cdr expr) lambda-params-mapping))))137138 ;; assoc-lambda139 (defun assoc-lambda (expr lambda-params-mapping assoc-list)140 "assoc-lambda: replacing params in expression usinglambda-params-mapping \154B.2. Z3 Interface141 and check if the resulting term exist in assoc-list keys. Returnthe resulting \142 pair from assoc-list."143 (let ((new-expr (replace-lambda-params exprlambda-params-mapping)))144 (assoc-equal new-expr assoc-list)))145146 ;; combine147 (defun combine (lista listb)148 "combine: takes two items, either atoms or lists, then combinethem together according to some rule. E.g. if either element isnil, return the other one; if a is atom and b is list, do cons;if both are lists, do append; if a is list and b is atom,attach b at the end; if both are atoms, make a list"149 (cond ((and (atom lista) (atom listb) (not (equal lista nil))(not (equal listb nil)))150 (list lista listb))151 ((and (atom lista) (listp listb) (not (equal lista nil)))152 (cons lista listb))153 ((and (listp lista) (atom listb) (not (equal listb nil)))154 (append lista (list listb)))155 ((and (listp lista) (listp listb))156 (append lista listb))))B.2 Z3 Interface1 from z3 import Solver, Bool, Int, Real, BoolSort, IntSort,RealSort, And, Or, Not, Implies, sat, unsat, Q, Array, Select,Store, ToInt23 def sort(x):4 if type(x) == bool: return BoolSort()5 elif type(x) == int: return IntSort()6 elif type(x) == float: return RealSort()7 elif hasattr(x, ’sort’):8 if x.sort() == BoolSort(): return BoolSort()9 if x.sort() == IntSort(): return IntSort()155B.2. Z3 Interface10 if x.sort() == RealSort(): return RealSort()11 else:12 raise Exception(’unknown sort for expression’)1314 class to_smt:15 class status:16 def __init__(self, value):17 self.value = value1819 def __str__(self):20 if(self.value is True): return ’QED’21 elif(self.value.__class__ == ’msg’.__class__):return self.value22 else: raise Exception(’unknown status?’)2324 def isThm(self):25 return(self.value is True)2627 def __init__(self, solver=0):28 if(solver != 0): self.solver = solver29 else: self.solver = Solver()30 self.nameNumber = 03132 def newVar(self):33 varName = ’$’ + str(self.nameNumber)34 self.nameNumber = self.nameNumber+135 return varName3637 def isBool(self, who):38 return Bool(who)3940 def isInt(self, who):41 return Int(who)4243 def isReal(self, who):44 return Real(who)45156B.2. Z3 Interface46 def floor(self, x):47 return ToInt(x)4849 def plus(self, *args):50 return reduce(lambda x, y: x+y, args)5152 def times(self, *args):53 return reduce(lambda x, y: x*y, args)5455 def andx(self, *args):56 return reduce(lambda x, y: And(x,y), args)5758 def orx(self, *args):59 return reduce(lambda x, y: Or(x,y), args)6061 def minus(self, x,y): return x-y6263 # special care for reciprocal because64 # in ACL2 3/0 = 0 and in z3 3/0 == 065 # will return a counter-example66 def reciprocal(self, x):67 if(type(x) is int): return(Q(1,x))68 elif(type(x) is float): return 1.0/x69 elif(x.sort() == IntSort()): return 1/(Q(1,1)*x)70 else: return 1/x7172 def negate(self, x): return -x73 def div(self, x, y): return times(self,x,reciprocal(self,y))74 def gt(self, x,y): return x>y75 def lt(self, x,y): return x<y76 def ge(self, x,y): return x>=y77 def le(self, x,y): return x<=y78 def equal(self, x,y): return x==y79 def notx(self, x): return Not(x)8081 def implies(self, x, y): return Implies(x,y)82157B.2. Z3 Interface83 # type related functions84 def integerp(self, x): return x.sort() == IntSort()85 def rationalp(self, x): return x.sort() == RealSort()86 def booleanp(self, x): return x.sort() == BoolSort()8788 def ifx(self, condx, thenx, elsex):89 v = 090 if sort(thenx) == sort(elsex):91 if sort(thenx) == BoolSort(): v = Bool(self.newVar())92 if sort(thenx) == IntSort(): v = Int(self.newVar())93 if sort(thenx) == RealSort(): v = Real(self.newVar())94 if v is 0: raise Exception(’mixed type forif-expression’)95 self.solver.add(And(Implies(condx, v == thenx),Implies(Not(condx), v == elsex)))96 return(v)9798 # # array99 # def array(self, mylist):100 # if not mylist:101 # raise("Can’t determine type of an empty list.")102 # else:103 # ty = sort(mylist[0])104 # a = Array(self.newVar(), IntSort(), ty)105 # n = len(mylist)106 # for i in range(0,n):107 # j = Int(self.newVar())108 # self.solver.add(j == i)109 # self.solver.add(Select(a, j) == mylist[i])110 # return a111112 # # nth113 # def nth(self, i, a):114 # return Select(a, i)115116 # usage prove(claim) or prove(hypotheses, conclusion)117 def prove(self, hypotheses, conclusion=0):158B.2. Z3 Interface118 if(conclusion is 0): claim = hypotheses119 else: claim = Implies(hypotheses, conclusion)120121 self.solver.add(Not(claim))122 res = self.solver.check()123124 if res == unsat:125 print "proved"126 return self.status(True) # It’s a theorem127 elif res == sat:128 print "counterexample"129 m = self.solver.model()130 print m131 # return an counterexample??132 return self.status(False)133 else:134 print "failed to prove"159Appendix CConvergence Proof CodeC.1 Z3 Proof for Coarse Convergence1 from z3 import *2 from DPLL import DPLL_model34 def leave(dpll=DPLL_model()):5 c = [Real(’c[0]’), Real(’c[1]’), Real(’c[2]’)]6 v = [Real(’v[0]’), Real(’v[1]’), Real(’v[2]’)]7 phi = [Real(’phi[0]’), Real(’phi[1]’), Real(’phi[2]’)]8 s = Solver()9 s.add(And(initialRegion(dpll, c[0], v[0], phi[0]),[:2], v[:2], phi[:2])))1011 # show that the initial region is an invariant12 prove(s, initialRegion(dpll, c[1], v[1], phi[1]), ’initial regionis invariant’)1314 # find bound on v when c=c_min and fDCO crosses fref15 s.push()16 s.add([1:], v[1:], phi[1:]))17 s.add(And(c[0] == dpll.cmin, dpll.fDCO(c[0], v[0]) < dpll.fref,phi[0] == 0, phi[2] >= 0))18 ch = s.check()19 if(ch == sat):20 print ’phi can change sign’21 print str(s.model())22 else:23 print "phi is stuck (how’d that happen?)"160C.1. Z3 Proof for Coarse Convergence24 print "ch =", str(ch)252627 def initialRegion(dpll, c, v, phi):28 return And(dpll.cmin <= c, c <= dpll.cmax,29 dpll.vmin <= v, v <= dpll.vmax,30 -1 <= phi, phi <= +1)3132 def prove(s, claim, what):33 s.push()34 s.add(Not(claim))35 ch = s.check()36 if(ch == unsat):37 print ’Proven’, what38 s.pop()39 else:40 print ’FAILED TO PROVE:’, what41 if(ch == sat):42 print "Here’s a counter-example:"43 print str(s.model())44 else: print "Z3 couldn’t decide"45 s.pop()46 raise Exception(’Proof failed’);1 from DPLL import *2 from z3 import *3 import time45 def my_prove(what, hyp, concl):6 s = Solver()7 s.add(hyp)8 s.add(Not(concl))9 p = s.check()10 if(p == unsat):11 print ’PROOF! ’, what12 return "proved"13 elif(p == sat):161C.1. Z3 Proof for Coarse Convergence14 print ’Failed to prove: ’, what15 print "Here’s a counter-example: ", str(s.model())16 print ":("17 return "can’t prove"18 else:19 print what + ’? -- I dunno’20 return "stuck"2122 c = Reals(["c", "c’"])23 v = Reals(["v", "v’"])24 phi = Reals(["phi", "phi’"])25 dpll = DPLL_model()26 s = Solver()27 s.push()28 s.add(And(c[0] == 1.05, v[0] == 0.8, phi[0] == 0.25,,v, phi)))29 print ’Is the model satisfiable? ’, str(s.check())30 if(s.check() == sat):31 print "Here’s a solution: ", str(s.model())32 s.pop()3334 # All c v phi will stay in valid region35 hyp = And(dpll.valid(c[0], v[0], phi[0]), \36, v, phi))37 concl = dpll.valid(c[1], v[1], phi[1])38 my_prove(’invariance of valid states’, hyp, concl)3940 # When f_dco < 0.9*fref, positive phi decreases41 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N < 0.9*dpll.fref, \42 0 <= phi[0], \43 dpll.valid(c[0], v[0], phi[0]), \44, v, phi))45 concl = phi[1] < phi[0] - dpll.eps46 my_prove(’Positive phi decreases for f_dco/N < 0.9*f_ref’, hyp,concl)4748 # When f_dco < 0.9*fref and phi < 0, phi stays negative162C.1. Z3 Proof for Coarse Convergence49 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N < 0.9*dpll.fref, \50 phi[0] < 0, \51 dpll.valid(c[0], v[0], phi[0]), \52, v, phi))53 concl = phi[1] < 054 my_prove(’invariance of negative phi for f_dco/N < 0.9*f_ref’, hyp,concl)5556 # When f_dco < 0.9*fref and phi < 0, c >= cmin+gc, c decreases atleast for some amount57 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N < 0.9*dpll.fref, \58 phi[0] < 0, \59 c[0] >= dpll.cmin + dpll.gc, \60 dpll.valid(c[0], v[0], phi[0]), \61, v, phi))62 concl = c[1] == c[0] - dpll.gc63 my_prove(’c decrease by gc for f_dco/N < 0.9*f_fref when phi<0 andc >= cmin + gc’, hyp, concl)6465 # When f_dco < 0.9*fref and phi < 0, c < cmin+gc, c collapse to cmin66 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N < 0.9*dpll.fref, \67 phi[0] < 0, \68 c[0] < dpll.cmin + dpll.gc, \69 dpll.valid(c[0], v[0], phi[0]), \70, v, phi))71 concl = c[1] == dpll.cmin72 my_prove(’c collapses to cmin for f_dco/N < 0.9*f_fref when phi<0and c < cmin + gc’, hyp, concl)7374 # How to prove c will crawl up??75 # When f_dco < 0.9*fref and phi < 0, c == cmin, v increases76 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N < 0.9*dpll.fref, \77 phi[0] < 0, \78 c[0] >= dpll.cmin, \79 c[0] <= dpll.cmin + dpll.gc, \80 dpll.valid(c[0], v[0], phi[0]), \81, v, phi))163C.1. Z3 Proof for Coarse Convergence82 concl = v[1] > v[0] + dpll.eps83 my_prove(’v increases for f_dco/N < 0.9*f_fref when phi<0 and cmin+ gc >= c >= cmin’, hyp, concl)8485 # How to prove in the middle stripe, when at saturation?86 # First prove when f_dco >= 0.9*fref and f_dco <= 1.0*fref87 # and phi < 0, c == cmin, v will increase c will stay cmin and phiwill stay negative88 hyp = And(dpll.fDCO(c[0],v[0])/dpll.N <= 1.0*dpll.fref, \89 dpll.fDCO(c[0],v[0])/dpll.N >= 0.9*dpll.fref, \90 phi[0] < 0, \91 c[0] == dpll.cmin, \92 dpll.valid(c[0],v[0],phi[0]), \93,v,phi))94 concl = And(v[1] > v[0], phi[1] < 0, c[1] == dpll.cmin)95 my_prove("v will increase, c and phi will stay when0.9*fref<=fdco<=1.0*fref, phi < 0 and c == cmin", hyp, concl)969798 # Find the next points leave the wall99 # v in range [arg_v(fdco/N == fref), arg_v(fdco/N == fref)+gv]100 # phi in range [-1,0)101 # c = cmin102 # ask if after i steps all state will become phi >= 0103 def newVar(nameList,indexList):104 res = []105 for j in range(0,len(nameList)):106 arg = nameList[j]+" = Reals(["107 for i in range(0,len(indexList[j])-1):108 arg = arg + "\""+ nameList[j]+"_"+str(indexList[j][i])+"\","109 arg = arg + "\""+ nameList[j]+"_"+str(indexList[j][i+1])+ "\"])"110 res.append(arg)111 return res112113 def OrPos(argList):114 res = False115 for item in argList:164C.1. Z3 Proof for Coarse Convergence116 res = Or(res, item > 0)117 return res118119 def OrNeg(argList):120 res = False121 for item in argList:122 res = Or(res, item > 0)123 return res124125 def OrEql(argList, v):126 res = False127 for item in argList:128 res = Or(res, item == v)129 return res130131 def Inc(argList):132 res = True133 for i in range(0,len(argList)-1):134 res = And(res, argList[i]<argList[i+1])135 return res136137 # All points leave the wall after 7 steps.138 start = time.time()139 steps = 0140 for i in range(2,10):141 decl = newVar(["c","v","phi"], [range(0,i),range(0,i),range(0,i)])142 for stmt in decl:143 exec(stmt)144145 tmp = Real("tmp")146 hyp = And(phi[0] < 0, \147 phi[0] >= -1.0, \148 c[0] == dpll.cmin, \149 dpll.fDCO(c[0],tmp)/dpll.N == dpll.fref, \150 v[0] >= tmp, \151 v[0] < tmp - dpll.gv, \152 dpll.valid(c[0],v[0],phi[0]), \165C.1. Z3 Proof for Coarse Convergence153 dpll.unwind(c,v,phi))154 concl = OrPos(phi)155 if my_prove("All points leave wall after "+str(i-1)+"steps",hyp,concl) == "proved":156 steps = i-1157 break158159 end = time.time()160 print "Time elapsed: " + str(end - start) + "s"161162 # If can prove for all points leaving the wall, they will go backbefore163 # hitting onto the other wall, then done.164165166 # ======================================================= #167 #168 # FOR THE UPPER HALF169 # When f_dco > 1.1*fref, negative phi increases170 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N > 1.1*dpll.fref, \171 0 >= phi[0], \172 dpll.valid(c[0], v[0], phi[0]), \173, v, phi))174 concl = phi[1] > phi[0]-dpll.eps175 my_prove(’Negative phi increases for f_dco/N > 1.1*f_ref’, hyp,concl)176177 # When f_dco > 1.1*fref and phi > 0, phi stays positive178 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N > 1.1*dpll.fref, \179 phi[0] > 0, \180 dpll.valid(c[0], v[0], phi[0]), \181, v, phi))182 concl = phi[1] > 0183 my_prove(’invariance of positive phi for f_dco/N > 1.1*f_ref’, hyp,concl)184166C.2. ACL2 Proof for Fine Convergence185 # When f_dco > 1.1*fref and phi > 0, c <= cmax-gc, c increases atleast for some amount186 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N > 1.1*dpll.fref, \187 phi[0] > 0, \188 c[0] <= dpll.cmax - dpll.gc, \189 dpll.valid(c[0], v[0], phi[0]), \190, v, phi))191 concl = c[1] == c[0] + dpll.gc192 my_prove(’c increase by gc for f_dco/N > 1.1*f_fref when phi>0 andc <= cmax - gc’, hyp, concl)193194 # When f_dco > 1.1*fref and phi > 0, c > cmax-gc, c collapse to cmax195 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N > 1.1*dpll.fref, \196 phi[0] > 0, \197 c[0] > dpll.cmax - dpll.gc, \198 dpll.valid(c[0], v[0], phi[0]), \199, v, phi))200 concl = c[1] == dpll.cmax201 my_prove(’c collapses to cmax for f_dco/N > 1.1*f_fref when phi>0and c > cmax - gc’, hyp, concl)202203 # When f_dco > 1.1*fref and phi > 0, c == cmax, v decreases204 hyp = And(dpll.fDCO(c[0], v[0])/dpll.N > 1.1*dpll.fref, \205 phi[0] > 0, \206 c[0] <= dpll.cmax, \207 c[0] >= dpll.cmax - dpll.gc, \208 dpll.valid(c[0], v[0], phi[0]), \209, v, phi))210 concl = v[1] < v[0] - dpll.eps211 my_prove(’v decreases for f_dco/N > 1.1*f_fref when phi>0 and cmax- gc <= c <= cmax’, hyp, concl)C.2 ACL2 Proof for Fine ConvergenceC.2.1 ACL2 Code Definitions:167C.2. ACL2 Proof for Fine Convergence1 ;; There are two files for the proof of recurrence model of the2 ;; DPLL: global.lisp, DPLL_functions.lisp andDPLL_theorems.lisp.3 ;; global.lisp4 ;; global.lisp defines global variables that are repeatedly5 ;; called in a lot of the functions.67 (in-package "ACL2")8 ;; (defconst *g1* 1/3200)9 (defconst *g2* (- (/ 1/3200 5)))10 (defconst *ccode* 1)11 (defconst *Kt* 4/5)12 (defconst *N* 1)13 (defconst *fref* 1)14 (defconst *alpha* 1)15 (defconst *beta* 1)16 (defconst *f0* 1)17 (defconst *vcenter* 1)18 ;; (defconst *v0* 1)1920 ; Define intermediate variables21 (defun equ-c (v0)22 (- (* *f0* (+ 1 (* *alpha* v0)) (/ (* *beta* *N* *fref*)))23 (/ *beta*)))24 (defun gamma ()25 (- 1 *Kt*))26 ;;(defun gamma () (/ 1 2))27 (defun mu ()28 (/ *f0* (* *N* *fref*)))29 (defun m (n v0 g1)30 (- (/ (equ-c v0) g1) n))31 ;; (defun m-constraint (n v0 g1)32 ;; (and (> m (- (- (/ (equ-c v0) g1) n) 1))33 ;; (< m (- (/ (equ-c v0) g1) n))))34 (defun dv0 ()35 (* -2 *g2*))168C.2. ACL2 Proof for Fine Convergence Original proof:1 (in-package "ACL2")2 (include-book "global")34 ;;(add-include-book-dir :book"/ubc/cs/research/isd/users/software/ACL2/acl2-7.0/books")5 (deftheory before-arith (current-theory :here))6 (include-book "arithmetic/top-with-meta" :dir :system)7 (deftheory after-arith (current-theory :here))89 (deftheory arithmetic-book-only (set-difference-theories(theory ’after-arith) (theory ’before-arith)))1011 ;; for the clause processor to work12 (add-include-book-dir :cp"/ubc/cs/home/y/yanpeng/project/ACL2/smtlink")13 (include-book "top" :dir :cp)14 (logic)15 :set-state-ok t16 :set-ignore-ok t17 (tshell-ensure)1819 ;;:start-proof-tree2021 ;; (encapsulate ()2223 ;; (local (include-book "arithmetic-5/top" :dir :system))2425 ;; (defun my-floor (x) (floor (numerator x) (denominator x)))2627 ;; (defthm my-floor-type28 ;; (implies (rationalp x)29 ;; (integerp (my-floor x)))30 ;; :rule-classes :type-prescription)3132 ;; (defthm my-floor-lower-bound169C.2. ACL2 Proof for Fine Convergence33 ;; (implies (rationalp x)34 ;; (> (my-floor x) (- x 1)))35 ;; :rule-classes :linear)3637 ;; (defthm my-floor-upper-bound38 ;; (implies (rationalp x)39 ;; (<= (my-floor x) x))40 ;; :rule-classes :linear)4142 ;; (defthm my-floor-comparison43 ;; (implies (rationalp x)44 ;; (< (my-floor (1- x)) (my-floor x)))45 ;; :hints (("Goal"46 ;; :use ((:instance my-floor-upper-bound (x (1- x)))47 ;; (:instance my-floor-lower-bound))))48 ;; :rule-classes :linear)49 ;; )5051 ;; functions52 ;; n can be a rational value when c starts from non-integervalue53 (defun fdco (n v0 dv g1)54 (/ (* (mu) (+ 1 (* *alpha* (+ v0 dv)))) (+ 1 (* *beta* ng1))))5556 (defun B-term-expt (h)57 (expt (gamma) (- h)))5859 (defun B-term-rest (h v0 dv g1)60 (- (* (mu) (/ (+ 1 (* *alpha* (+ v0 dv))) (+ 1 (* *beta* (+(* h g1) (equ-c v0)))))) 1))6162 (defun B-term (h v0 dv g1)63 (* (B-term-expt h) (B-term-rest h v0 dv g1)))6465 (defun B-sum (h_lo h_hi v0 dv g1)66 (declare (xargs :measure (if (or (not (integerp h_hi)) (not170C.2. ACL2 Proof for Fine Convergence(integerp h_lo)) (< h_hi h_lo))67 068 (1+ (- h_hi h_lo)))))69 (if (or (not (integerp h_hi)) (not (integerp h_lo)) (> h_loh_hi)) 070 (+ (B-term h_hi v0 dv g1) (B-term (- h_hi) v0 dv g1)(B-sum h_lo (- h_hi 1) v0 dv g1))))7172 (defun B-expt (n)73 (expt (gamma) (- n 2)))7475 (defun B (n v0 dv g1)76 (* (B-expt n)77 (B-sum 1 (- n 2) v0 dv g1)))7879 ;; parameter list functions80 (defmacro basic-params-equal (n n-value &optional (v0 ’nil)(dv ’nil) (g1 ’nil) (phi0 ’nil) (other ’nil))81 (list ’and82 (append83 (append84 (append85 (append (list ’and86 (list ’integerp n))87 (if (equal g1 ’nil) nil (list (list ’rationalp g1))))88 (if (equal v0 ’nil) nil (list (list ’rationalp v0))))89 (if (equal phi0 ’nil) nil (list (list ’rationalp phi0))))90 (if (equal dv ’nil) nil (list (list ’rationalp dv))))91 (append92 (append93 (append94 (append95 (append96 (append97 (append98 (append99 (list ’and171C.2. ACL2 Proof for Fine Convergence100 (list ’equal n n-value))101 (if (equal g1 ’nil) nil (list (list ’equal g1 ’1/3200))))102 (if (equal v0 ’nil) nil (list (list ’>= v0 ’9/10))))103 (if (equal v0 ’nil) nil (list (list ’<= v0 ’11/10))))104 (if (equal dv ’nil) nil (list (list ’>= dv (list ’-(list ’dv0))))))105 (if (equal dv ’nil) nil (list (list ’<= dv (list’dv0)))))106 (if (equal phi0 ’nil) nil (list (list ’>= phi0 ’0))))107 (if (equal phi0 ’nil) nil (list (list ’< phi0 (list ’-(list ’fdco (list ’1+ (list ’m ’640 v0 g1)) v0 dv g1)’1)))))108 (if (equal other ’nil) nil (list other)))))109110 (defmacro basic-params (n nupper &optional (v0 ’nil) (dv ’nil)(g1 ’nil) (phi0 ’nil) (other ’nil))111 (list ’and112 (append113 (append114 (append115 (append (list ’and116 (list ’integerp n))117 (if (equal g1 ’nil) nil (list (list ’rationalp g1))))118 (if (equal v0 ’nil) nil (list (list ’rationalp v0))))119 (if (equal dv ’nil) nil (list (list ’rationalp dv))))120 (if (equal phi0 ’nil) nil (list (list ’rationalp phi0))))121 (append122 (append123 (append124 (append125 (append126 (append127 (append128 (append129 (append (list ’and130 (list ’>= n nupper))131 (list (list ’<= n ’640)))172C.2. ACL2 Proof for Fine Convergence132 (if (equal g1 ’nil) nil (list (list ’equal g1’1/3200))))133 (if (equal v0 ’nil) nil (list (list ’>= v0 ’9/10))))134 (if (equal v0 ’nil) nil (list (list ’<= v0 ’11/10))))135 (if (equal dv ’nil) nil (list (list ’>= dv (list ’-(list ’dv0))))))136 (if (equal dv ’nil) nil (list (list ’<= dv (list’dv0)))))137 (if (equal phi0 ’nil) nil (list (list ’>= phi0 ’0))))138 (if (equal phi0 ’nil) nil (list (list ’< phi0 (list ’-(list ’fdco (list ’1+ (list ’m ’640 v0 g1)) v0 dv g1)’1)))))139 (if (equal other ’nil) nil (list other)))))140141 (encapsulate ()142143 (local (in-theory (disable arithmetic-book-only)))144145 (local146 (include-book "arithmetic-5/top" :dir :system)147 )148149 (local150 (defthm B-term-neg-lemma1151 (implies (basic-params h 1 v0 dv g1)152 (< (+ (* (B-term-expt h) (B-term-rest h v0 dv g1))153 (* (B-term-expt (- h)) (B-term-rest (- h) v0 dv g1)))154 0)155 )156 :hints157 (("Goal"158 :clause-processor159 (Smtlink clause160 ’( (:expand ((:functions ((B-term-rest rationalp)161 (gamma rationalp)162 (mu rationalp)163 (equ-c rationalp)173C.2. ACL2 Proof for Fine Convergence164 (dv0 rationalp)))165 (:expansion-level 1)))166 (:python-file "B-term-neg-lemma1") ;;mktemp167 (:let ((expt_gamma_h (B-term-expt h) rationalp)168 (expt_gamma_minus_h (B-term-expt (- h))rationalp)))169 (:hypothesize ((<= expt_gamma_minus_h (/ 1 5))170 (> expt_gamma_minus_h 0)171 (equal (* expt_gamma_minus_h expt_gamma_h)1)))172 (:use ((:let ())173 (:hypo (()))174 (:main ()))))175 state)176 ))177 )178 )179180 (defthm B-term-neg181 (implies (basic-params h 1 v0 dv g1)182 (< (+ (B-term h v0 dv g1) (B-term (- h) v0 dv g1)) 0))183 :hints (("Goal"184 :use ( (:instance B-term)185 (:instance B-term-neg-lemma1)186 )))187 :rule-classes :linear)188 )189190 (defthm B-sum-neg191 (implies (basic-params n-minus-2 1 v0 dv g1)192 (< (B-sum 1 n-minus-2 v0 dv g1) 0))193 :hints (("Goal"194 :in-theory (disable B-term)195 :induct ())))196197 (encapsulate ()198174C.2. ACL2 Proof for Fine Convergence199 (local ;; B = B-expt*B-sum200 (defthm B-neg-lemma1201 (implies (basic-params n 3 v0 dv g1)202 (equal (B n v0 dv g1)203 (* (B-expt n)204 (B-sum 1 (- n 2) v0 dv g1))))))205206 (local207 (defthm B-expt->-0208 (implies (basic-params n 3)209 (> (B-expt n) 0))210 :rule-classes :linear))211212 (local213 (defthm B-neg-lemma2214 (implies (and (rationalp a)215 (rationalp b)216 (> a 0)217 (< b 0))218 (< (* a b) 0))219 :rule-classes :linear))220221 (local222 (defthm B-neg-type-lemma3223 (implies (and (and (rationalp n-minus-2) (rationalp v0)(rationalp g1) (rationalp dv)))224 (rationalp (B-sum 1 n-minus-2 v0 dv g1)))225 :rule-classes :type-prescription))226227 (local228 (defthm B-neg-type-lemma4229 (implies (basic-params n 3)230 (rationalp (B-expt n)))231 :rule-classes :type-prescription))232233 (defthm B-neg234 (implies (basic-params n 3 v0 dv g1)175C.2. ACL2 Proof for Fine Convergence235 (< (B n v0 dv g1) 0))236 :hints (("Goal"237 :do-not-induct t238 :in-theory (disable B-expt B-sum B-sum-neg B-expt->-0)239 :use ((:instance B-sum-neg (n-minus-2 (- n 2)))240 (:instance B-expt->-0)241 (:instance B-neg-type-lemma3 (n-minus-2 (- n 2)))242 (:instance B-neg-type-lemma4)243 (:instance B-neg-lemma2 (a (B-expt n))244 (b (B-sum 1 (+ -2 n) v0 dv g1)))))))245 )246247 (defun A (n phi0 v0 dv g1)248 (+ (* (expt (gamma) (- (* 2 n) 1)) phi0)249 (* (expt (gamma) (- (* 2 n) 2))250 (- (fdco (m n v0 g1) v0 dv g1) 1))251 (* (expt (gamma) (- (* 2 n) 3))252 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1))))253254 (defun phi-2n-1 (n phi0 v0 dv g1)255 (+ (A n phi0 v0 dv g1) (B n v0 dv g1)))256257 (defun delta (n v0 dv g1)258 (+ (- (* (expt (gamma) (* 2 n))259 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))260 (* (expt (gamma) (* 2 n))261 (- (fdco (m n v0 g1) v0 dv g1) 1)))262 (- (* (expt (gamma) (- (* 2 n) 1))263 (- (fdco (m n v0 g1) v0 dv g1) 1))264 (* (expt (gamma) (- (* 2 n) 1))265 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))266 (* (expt (gamma) (1- n))267 (+ (* (expt (gamma) (1+ (- n)))268 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))269 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))270 1))271 (* (expt (gamma) (1- n))176C.2. ACL2 Proof for Fine Convergence272 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))273 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))274 1))))))275276 (defun delta-1 (n v0 dv g1)277 (+ (* (expt (gamma) (* 2 n))278 (- (fdco (1- (m n v0 g1)) v0 dv g1)279 (fdco (m n v0 g1) v0 dv g1)))280 (* (expt (gamma) (- (* 2 n) 1))281 (- (fdco (m n v0 g1) v0 dv g1)282 (fdco (1+ (m n v0 g1)) v0 dv g1)))283 (* (* (expt (gamma) (1- n)) (expt (gamma) (1+ (- n))))284 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))285 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1))286 (* (* (expt (gamma) (1- n)) (expt (gamma) (1- n)))287 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))288 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))))289290 (defun delta-2 (n v0 dv g1)291 (+ (* (expt (gamma) (* 2 n))292 (- (fdco (1- (m n v0 g1)) v0 dv g1)293 (fdco (m n v0 g1) v0 dv g1)))294 (* (expt (gamma) (- (* 2 n) 1))295 (- (fdco (m n v0 g1) v0 dv g1)296 (fdco (1+ (m n v0 g1)) v0 dv g1)))297 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))298 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1)299 (* (expt (gamma) (+ -1 n -1 n))300 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))301 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))))302303 (defun delta-3 (n v0 dv g1)304 (* (expt (gamma) (+ -1 n -1 n))305 (+ (* (expt (gamma) 2)306 (- (fdco (1- (m n v0 g1)) v0 dv g1)307 (fdco (m n v0 g1) v0 dv g1)))308 (* (expt (gamma) 1)177C.2. ACL2 Proof for Fine Convergence309 (- (fdco (m n v0 g1) v0 dv g1)310 (fdco (1+ (m n v0 g1)) v0 dv g1)))311 (* (expt (gamma) (- 2 (* 2 n)))312 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))313 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1))314 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))315 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))))316317 (defun delta-3-inside (n v0 dv g1)318 (+ (* (expt (gamma) 2)319 (- (fdco (1- (m n v0 g1)) v0 dv g1)320 (fdco (m n v0 g1) v0 dv g1)))321 (* (expt (gamma) 1)322 (- (fdco (m n v0 g1) v0 dv g1)323 (fdco (1+ (m n v0 g1)) v0 dv g1)))324 (* (expt (gamma) (- 2 (* 2 n)))325 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))326 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1))327 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))328 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1)))329330 (defun delta-3-inside-transform (n v0 dv g1)331 (/332 (+ (* (expt (gamma) 2)333 (- (fdco (1- (m n v0 g1)) v0 dv g1)334 (fdco (m n v0 g1) v0 dv g1)))335 (* (expt (gamma) 1)336 (- (fdco (m n v0 g1) v0 dv g1)337 (fdco (1+ (m n v0 g1)) v0 dv g1)))338 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))339 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))340 (- 1341 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))342 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))))))343344 ;; rewrite delta term345 (encapsulate ()178C.2. ACL2 Proof for Fine Convergence346347 (local348 ;; considering using smtlink for the proof, probably simpler349 (defthm delta-rewrite-1-lemma1350 (implies (basic-params n 3 v0 dv g1)351 (equal (+ (- (* (expt (gamma) (* 2 n))352 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))353 (* (expt (gamma) (* 2 n))354 (- (fdco (m n v0 g1) v0 dv g1) 1)))355 (- (* (expt (gamma) (- (* 2 n) 1))356 (- (fdco (m n v0 g1) v0 dv g1) 1))357 (* (expt (gamma) (- (* 2 n) 1))358 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))359 (* (expt (gamma) (1- n))360 (+ (* (expt (gamma) (1+ (- n)))361 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))362 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))363 1))364 (* (expt (gamma) (1- n))365 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))366 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))367 1)))))368 (+ (* (expt (gamma) (* 2 n))369 (- (fdco (1- (m n v0 g1)) v0 dv g1)370 (fdco (m n v0 g1) v0 dv g1)))371 (* (expt (gamma) (- (* 2 n) 1))372 (- (fdco (m n v0 g1) v0 dv g1)373 (fdco (1+ (m n v0 g1)) v0 dv g1)))374 (* (* (expt (gamma) (1- n)) (expt (gamma) (1+ (-n))))375 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))376 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1))377 (* (* (expt (gamma) (1- n)) (expt (gamma) (1- n)))378 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))379 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1)))))380 :hints179C.2. ACL2 Proof for Fine Convergence381 (("Goal"382 :clause-processor383 (Smtlink clause384 ’( (:expand ((:functions ((m integerp)385 (gamma rationalp)386 (mu rationalp)387 (equ-c rationalp)388 (fdco rationalp)389 (dv0 rationalp)))390 (:expansion-level 1)))391 (:python-file "delta-rewrite-1-lemma1") ;;mktemp392 (:let ((expt_gamma_2n393 (expt (gamma) (* 2 n))394 rationalp)395 (expt_gamma_2n_minus_1396 (expt (gamma) (- (* 2 n) 1))397 rationalp)398 (expt_gamma_n_minus_1399 (expt (gamma) (1- n))400 rationalp)401 (expt_gamma_1_minus_n402 (expt (gamma) (1+ (- n)))403 rationalp)404 ))405 (:hypothesize ()))406 state)407 )))408 )409410 (local411 (defthm delta-rewrite-1412 (implies (basic-params n 3 v0 dv g1)413 (equal (delta n v0 dv g1)414 (delta-1 n v0 dv g1))))415 )416417 (local180C.2. ACL2 Proof for Fine Convergence418 (defthm delta-rewrite-2-lemma1419 (implies (basic-params n 3)420 (equal (* (expt (gamma) (1- n))421 (expt (gamma) (1+ (- n))))422 1))423 :hints (("Goal"424 :use ((:instance expt-minus425 (r (gamma))426 (i (- (1+ (- n))))))427 )))428 )429430 (local431 (defthm delta-rewrite-2-lemma2432 (implies (basic-params n 3)433 (equal (* (expt (gamma) (1- n))434 (expt (gamma) (1- n)))435 (expt (gamma) (+ -1 n -1 n))))436 :hints (("Goal"437 :do-not-induct t438 :use ((:instance exponents-add-for-nonneg-exponents439 (i (1- n))440 (j (1- n))441 (r (gamma))))442 :in-theory (disable exponents-add-for-nonneg-exponents)443 ))444 )445 )446447 (local448 (defthm delta-rewrite-2-lemma3449 (implies (basic-params n 3)450 (equal (+ A451 B452 (* (* (expt (gamma) (1- n))453 (expt (gamma) (1+ (- n))))454 C)181C.2. ACL2 Proof for Fine Convergence455 (* (* (expt (gamma) (1- n))456 (expt (gamma) (1- n)))457 D))458 (+ A B C459 (* (expt (gamma) (+ -1 n -1 n)) D))))460 :hints (("Goal"461 :use ((:instance delta-rewrite-2-lemma1)462 (:instance delta-rewrite-2-lemma2)))))463 )464465 (local466 (defthm delta-rewrite-2467 (implies (basic-params n 3 v0 dv g1)468 (equal (delta-1 n v0 dv g1)469 (delta-2 n v0 dv g1)))470 :hints (("Goal"471 :use ((:instance delta-rewrite-2-lemma3472 (A (* (expt (gamma) (* 2 n))473 (- (fdco (1- (m n v0 g1)) v0 dv g1)474 (fdco (m n v0 g1) v0 dv g1))))475 (B (* (expt (gamma) (- (* 2 n) 1))476 (- (fdco (m n v0 g1) v0 dv g1)477 (fdco (1+ (m n v0 g1)) v0 dv g1))))478 (C (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))479 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))1))480 (D (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))481 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-cv0))))) 1)))))))482 )483484 (local485 (defthm delta-rewrite-3-lemma1-lemma1486 (implies (basic-params n 3)487 (equal (expt (gamma) (+ (+ -1 n -1 n) 2))488 (* (expt (gamma) (+ -1 n -1 n))489 (expt (gamma) 2))))182C.2. ACL2 Proof for Fine Convergence490 :hints (("Goal"491 :use ((:instance exponents-add-for-nonneg-exponents492 (i (+ -1 n -1 n))493 (j 2)494 (r (gamma))))495 :in-theory (disable exponents-add-for-nonneg-exponents496 delta-rewrite-2-lemma2))))497 )498499 (local500 (defthm delta-rewrite-3-lemma1-stupidlemma501 (implies (basic-params n 3)502 (equal (* 2 n) (+ (+ -1 n -1 n) 2))))503 )504505 (local506 (defthm delta-rewrite-3-lemma1507 (implies (basic-params n 3)508 (equal (expt (gamma) (* 2 n))509 (* (expt (gamma) (+ -1 n -1 n))510 (expt (gamma) 2))))511 :hints (("Goal"512 :use ((:instance delta-rewrite-3-lemma1-lemma1)513 (:instance delta-rewrite-3-lemma1-stupidlemma)))))514 )515516 (local517 (defthm delta-rewrite-3-lemma2-lemma1-lemma1518 (implies (basic-params n 3)519 (>= (+ n n) 2))))520521 (local522 (defthm delta-rewrite-3-lemma2-lemma1-stupidlemma523 (implies (basic-params n 3)524 (>= (+ -1 n -1 n) 0))525 :hints (("GOal"526 :use ((:instance183C.2. ACL2 Proof for Fine Convergencedelta-rewrite-3-lemma2-lemma1-lemma1))))))527528 (local529 (defthm delta-rewrite-3-lemma2-lemma1-lemma2530 (implies (basic-params n 3)531 (integerp (+ -1 n -1 n)))532 ))533534 (local535 (defthm delta-rewrite-3-lemma2-lemma1-lemma3536 (implies (basic-params n 3)537 (>= (+ -1 n -1 n) 0))538 :hints (("Goal"539 :use ((:instancedelta-rewrite-3-lemma2-lemma1-stupidlemma))))))540541 (local542 (defthm delta-rewrite-3-lemma2-lemma1543 (implies (basic-params n 3)544 (equal (expt (gamma) (+ (+ -1 n -1 n) 1))545 (* (expt (gamma) (+ -1 n -1 n))546 (expt (gamma) 1))))547 :hints (("Goal"548 :use ((:instance delta-rewrite-3-lemma2-lemma1-lemma2)549 (:instance delta-rewrite-3-lemma2-lemma1-lemma3)550 (:instance exponents-add-for-nonneg-exponents551 (i (+ -1 n -1 n))552 (j 1)553 (r (gamma))))554 )))555 )556557 (local558 (defthm delta-rewrite-3-lemma2-stupidlemma559 (implies (basic-params n 3)560 (equal (- (* 2 n) 1)561 (+ (+ -1 n -1 n) 1))))184C.2. ACL2 Proof for Fine Convergence562 )563564 (local565 (defthm delta-rewrite-3-lemma2566 (implies (basic-params n 3)567 (equal (expt (gamma) (- (* 2 n) 1))568 (* (expt (gamma) (+ -1 n -1 n))569 (expt (gamma) 1))))570 :hints (("Goal"571 :use ((:instance delta-rewrite-3-lemma2-lemma1)572 (:instance delta-rewrite-3-lemma2-stupidlemma))573 :in-theory (disable delta-rewrite-2-lemma2)))574 )575 )576577 (local578 (defthm delta-rewrite-3-lemma3579 (implies (basic-params n 3)580 (equal (* (expt (gamma) (- 2 (* 2 n)))581 (expt (gamma) (+ -1 n -1 n)))582 1))583 :hints (("Goal"584 :use ((:instance expt-minus585 (r (gamma))586 (i (- (- 2 (* 2 n)))))))))587 )588589 (local590 (defthm delta-rewrite-3591 (implies (basic-params n 3 v0 dv g1)592 (equal (+ (* (expt (gamma) (* 2 n))593 (- (fdco (1- (m n v0 g1)) v0 dv g1)594 (fdco (m n v0 g1) v0 dv g1)))595 (* (expt (gamma) (- (* 2 n) 1))596 (- (fdco (m n v0 g1) v0 dv g1)597 (fdco (1+ (m n v0 g1)) v0 dv g1)))598 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))185C.2. ACL2 Proof for Fine Convergence599 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1)600 (* (expt (gamma) (+ -1 n -1 n))601 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))602 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1)))603 (* (expt (gamma) (+ -1 n -1 n))604 (+ (* (expt (gamma) 2)605 (- (fdco (1- (m n v0 g1)) v0 dv g1)606 (fdco (m n v0 g1) v0 dv g1)))607 (* (expt (gamma) 1)608 (- (fdco (m n v0 g1) v0 dv g1)609 (fdco (1+ (m n v0 g1)) v0 dv g1)))610 (* (expt (gamma) (- 2 (* 2 n)))611 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))612 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0))))) 1))613 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))614 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1)))))615 :hints616 (("Goal"617 :in-theory (disable delta-rewrite-2-lemma1)618 :do-not-induct t619 :clause-processor620 (Smtlink clause621 ’( (:expand ((:functions ((m integerp)622 (gamma rationalp)623 (mu rationalp)624 (equ-c rationalp)625 (fdco rationalp)626 (dv0 rationalp)))627 (:expansion-level 1)))628 (:python-file "delta-rewrite-3")629 (:let ((expt_gamma_2n630 (expt (gamma) (* 2 n))631 rationalp)632 (expt_gamma_2n_minus_1633 (expt (gamma) (- (* 2 n) 1))186C.2. ACL2 Proof for Fine Convergence634 rationalp)635 (expt_gamma_2n_minus_2636 (expt (gamma) (+ -1 n -1 n))637 rationalp)638 (expt_gamma_2639 (expt (gamma) 2)640 rationalp)641 (expt_gamma_1642 (expt (gamma) 1)643 rationalp)644 (expt_gamma_2_minus_2n645 (expt (gamma) (- 2 (* 2 n)))646 rationalp)647 ))648 (:hypothesize ((equal expt_gamma_2n649 (* expt_gamma_2n_minus_2 expt_gamma_2))650 (equal expt_gamma_2n_minus_1651 (* expt_gamma_2n_minus_2 expt_gamma_1))652 (equal (* expt_gamma_2_minus_2nexpt_gamma_2n_minus_2)653 1)))654 (:use ((:type ())655 (:hypo ((delta-rewrite-3-lemma1)656 (delta-rewrite-3-lemma2)657 (delta-rewrite-3-lemma3)))658 (:main ()))))659 state))))660 )661662 (local663 (defthm delta-rewrite-4664 (implies (basic-params n 3 v0 dv g1)665 (equal (delta-2 n v0 dv g1)666 (delta-3 n v0 dv g1)))667 :hints (("Goal"668 :use ((:instance delta-rewrite-3)))))669 )187C.2. ACL2 Proof for Fine Convergence670671 (defthm delta-rewrite-5672 (implies (basic-params n 3 v0 dv g1)673 (equal (delta n v0 dv g1)674 (delta-3 n v0 dv g1)))675 :hints (("Goal"676 :use ((:instance delta-rewrite-1)677 (:instance delta-rewrite-2)678 (:instance delta-rewrite-3)679 (:instance delta-rewrite-4)))))680 )681682 (encapsulate ()683684 (local685 (defthm delta-<-0-lemma1-lemma686 (implies (basic-params n 3 v0 dv g1)687 (implies (< (+ (* (expt (gamma) 2)688 (- (fdco (1- (m n v0 g1)) v0 dv g1)689 (fdco (m n v0 g1) v0 dv g1)))690 (* (expt (gamma) 1)691 (- (fdco (m n v0 g1) v0 dv g1)692 (fdco (1+ (m n v0 g1)) v0 dv g1)))693 (* (expt (gamma) (- 2 (* 2 n)))694 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))695 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))1))696 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))697 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))698 0)699 (< (* (expt (gamma) (+ -1 n -1 n))700 (+ (* (expt (gamma) 2)701 (- (fdco (1- (m n v0 g1)) v0 dv g1)702 (fdco (m n v0 g1) v0 dv g1)))703 (* (expt (gamma) 1)704 (- (fdco (m n v0 g1) v0 dv g1)705 (fdco (1+ (m n v0 g1)) v0 dv g1)))188C.2. ACL2 Proof for Fine Convergence706 (* (expt (gamma) (- 2 (* 2 n)))707 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))708 (1+ (* *beta* (+ (* g1 (1- n)) (equ-cv0))))) 1))709 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))710 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1)))711 0)))712 :hints (("Goal"713 :clause-processor714 (Smtlink clause715 ’( (:expand ((:functions ((m integerp)716 (gamma rationalp)717 (mu rationalp)718 (equ-c rationalp)719 (fdco rationalp)720 (dv0 rationalp)))721 (:expansion-level 1)))722 (:python-file"delta-smaller-than-0-lemma1-lemma")723 (:let ((expt_gamma_2n724 (expt (gamma) (* 2 n))725 rationalp)726 (expt_gamma_2n_minus_1727 (expt (gamma) (- (* 2 n) 1))728 rationalp)729 (expt_gamma_2n_minus_2730 (expt (gamma) (+ -1 n -1 n))731 rationalp)732 (expt_gamma_2733 (expt (gamma) 2)734 rationalp)735 (expt_gamma_1736 (expt (gamma) 1)737 rationalp)738 (expt_gamma_2_minus_2n739 (expt (gamma) (- 2 (* 2 n)))189C.2. ACL2 Proof for Fine Convergence740 rationalp)741 ))742 (:hypothesize ((> expt_gamma_2n_minus_2 0))))743 state))))744 )745746 (local747 (defthm delta-<-0-lemma1748 (implies (basic-params n 3 v0 dv g1)749 (implies (< (delta-3-inside n v0 dv g1) 0)750 (< (delta-3 n v0 dv g1) 0))))751 )752753 (local754 (defthm delta-<-0-lemma2-lemma755 (implies (basic-params n 3 v0 dv g1)756 (implies (< (/ (+ (* (expt (gamma) 2)757 (- (fdco (1- (m n v0 g1)) v0 dv g1)758 (fdco (m n v0 g1) v0 dv g1)))759 (* (expt (gamma) 1)760 (- (fdco (m n v0 g1) v0 dv g1)761 (fdco (1+ (m n v0 g1)) v0 dv g1)))762 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))763 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1))764 (- 1765 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))766 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))))767 (expt (gamma) (- 2 (* 2 n))))768 (< (+ (* (expt (gamma) 2)769 (- (fdco (1- (m n v0 g1)) v0 dv g1)770 (fdco (m n v0 g1) v0 dv g1)))771 (* (expt (gamma) 1)772 (- (fdco (m n v0 g1) v0 dv g1)773 (fdco (1+ (m n v0 g1)) v0 dv g1)))774 (* (expt (gamma) (- 2 (* 2 n)))775 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))190C.2. ACL2 Proof for Fine Convergence776 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))1))777 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))778 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))779 0)))780 :hints (("Goal"781 :clause-processor782 (Smtlink clause783 ’( (:expand ((:functions ((m integerp)784 (gamma rationalp)785 (mu rationalp)786 (equ-c rationalp)787 (fdco rationalp)788 (dv0 rationalp)))789 (:expansion-level 1)))790 (:python-file"delta-smaller-than-0-lemma2-lemma")791 (:let ((expt_gamma_2n792 (expt (gamma) (* 2 n))793 rationalp)794 (expt_gamma_2n_minus_1795 (expt (gamma) (- (* 2 n) 1))796 rationalp)797 (expt_gamma_2n_minus_2798 (expt (gamma) (+ -1 n -1 n))799 rationalp)800 (expt_gamma_2801 (expt (gamma) 2)802 rationalp)803 (expt_gamma_1804 (expt (gamma) 1)805 rationalp)806 (expt_gamma_2_minus_2n807 (expt (gamma) (- 2 (* 2 n)))808 rationalp)809 ))810 (:hypothesize ((> expt_gamma_2_minus_2n 0))))191C.2. ACL2 Proof for Fine Convergence811 state))))812 )813814 (local815 (defthm delta-<-0-lemma2816 (implies (basic-params n 3 v0 dv g1)817 (implies (< (delta-3-inside-transform n v0 dv g1)818 (expt (gamma) (- 2 (* 2 n))))819 (< (delta-3-inside n v0 dv g1) 0)))820 :hints (("Goal"821 :use ((:instance delta-<-0-lemma2-lemma)))))822 )823824 (local825 ;; This is for proving 2n < gamma^(2-2n)826 (defthm delta-<-0-lemma3-lemma1827 (implies (and (integerp k)828 (>= k 6))829 (< k (expt (/ (gamma)) (- k 2)))))830 )831832 (local833 (defthm delta-<-0-lemma3-lemma2-stupidlemma834 (implies (basic-params n 3)835 (>= n 3))))836837 (local838 (defthm delta-<-0-lemma3-lemma2-stupidlemma-omg839 (implies (and (rationalp a) (rationalp b) (>= a b))840 (>= (* 2 a) (* 2 b)))))841842 (local843 (defthm delta-<-0-lemma3-lemma2-lemma1844 (implies (basic-params n 3)845 (>= (* 2 n) 6))846 :hints (("Goal"847 :use ((:instance delta-<-0-lemma3-lemma2-stupidlemma)192C.2. ACL2 Proof for Fine Convergence848 (:instance delta-<-0-lemma3-lemma2-stupidlemma-omg849 (a n)850 (b 3))851 ))))852 )853854 (local855 (defthm delta-<-0-lemma3-lemma2856 (implies (basic-params n 3)857 (< (* 2 n)858 (expt (/ (gamma)) (- (* 2 n) 2))))859 :hints (("Goal"860 :use ((:instance delta-<-0-lemma3-lemma1861 (k (* 2 n)))862 (:instance delta-<-0-lemma3-lemma2-lemma1))))863 :rule-classes :linear)864 )865866 (local867 (defthm delta-<-0-lemma3-lemma3-stupidlemma868 (equal (expt a n) (expt (/ a) (- n))))869 )870871 (local872 (defthm delta-<-0-lemma3-lemma3873 (implies (basic-params n 3)874 (equal (expt (/ (gamma)) (- (* 2 n) 2))875 (expt (gamma) (- 2 (* 2 n)))))876 :hints (("Goal"877 :use ((:instance delta-<-0-lemma3-lemma3-stupidlemma878 (a (/ (gamma)))879 (n (- (* 2 n) 2))))880 :in-theory (disabledelta-<-0-lemma3-lemma3-stupidlemma))))881 )882883 (local193C.2. ACL2 Proof for Fine Convergence884 (defthm delta-<-0-lemma3-lemma4-stupidlemma885 (implies (and (< a b) (equal b c)) (< a c)))886 )887888 (local889 (defthm delta-<-0-lemma3-lemma4890 (implies (basic-params n 3)891 (< (* 2 n)892 (expt (gamma) (- 2 (* 2 n)))))893 :hints (("Goal"894 :do-not ’(preprocess simplify)895 :use ((:instance delta-<-0-lemma3-lemma2)896 (:instance delta-<-0-lemma3-lemma3)897 (:instance delta-<-0-lemma3-lemma4-stupidlemma898 (a (* 2 n))899 (b (expt (/ (gamma)) (- (* 2 n) 2)))900 (c (expt (gamma) (- 2 (* 2 n))))))901 :in-theory (disable delta-<-0-lemma3-lemma2902 delta-<-0-lemma3-lemma3903 delta-<-0-lemma3-lemma4-stupidlemma)))904 :rule-classes :linear)905 )906907 (local908 (defthm delta-<-0-lemma3909 (implies (basic-params n 3 v0 dv g1)910 (implies (< (/ (+ (* (expt (gamma) 2)911 (- (fdco (1- (m n v0 g1)) v0 dv g1)912 (fdco (m n v0 g1) v0 dv g1)))913 (* (expt (gamma) 1)914 (- (fdco (m n v0 g1) v0 dv g1)915 (fdco (1+ (m n v0 g1)) v0 dv g1)))916 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))917 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1))918 (- 1919 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))194C.2. ACL2 Proof for Fine Convergence920 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))))921 (* 2 n))922 (< (/ (+ (* (expt (gamma) 2)923 (- (fdco (1- (m n v0 g1)) v0 dv g1)924 (fdco (m n v0 g1) v0 dv g1)))925 (* (expt (gamma) 1)926 (- (fdco (m n v0 g1) v0 dv g1)927 (fdco (1+ (m n v0 g1)) v0 dv g1)))928 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))929 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1))930 (- 1931 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))932 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))))933 (expt (gamma) (- 2 (* 2 n))))))934 :hints (("Goal"935 :clause-processor936 (Smtlink clause937 ’( (:expand ((:functions ((m integerp)938 (gamma rationalp)939 (mu rationalp)940 (equ-c rationalp)941 (fdco rationalp)942 (dv0 rationalp)))943 (:expansion-level 1)))944 (:python-file "delta-smaller-than-0-lemma3")945 (:let ((expt_gamma_2n946 (expt (gamma) (* 2 n))947 rationalp)948 (expt_gamma_2n_minus_1949 (expt (gamma) (- (* 2 n) 1))950 rationalp)951 (expt_gamma_2n_minus_2952 (expt (gamma) (+ -1 n -1 n))953 rationalp)954 (expt_gamma_2955 (expt (gamma) 2)195C.2. ACL2 Proof for Fine Convergence956 rationalp)957 (expt_gamma_1958 (expt (gamma) 1)959 rationalp)960 (expt_gamma_2_minus_2n961 (expt (gamma) (- 2 (* 2 n)))962 rationalp))963 )964 (:hypothesize ((< (* 2 n)expt_gamma_2_minus_2n)))965 (:use ((:type ())966 (:hypo ((delta-<-0-lemma3-lemma4)))967 (:main ())))968 )969 state)970 :in-theory (disable delta-<-0-lemma3-lemma1971 delta-<-0-lemma3-lemma3-stupidlemma972 delta-<-0-lemma3-lemma2973 delta-<-0-lemma3-lemma3974 delta-<-0-lemma3-lemma4-stupidlemma)975 )))976 )977978 (local979 (defthm delta-<-0-lemma4980 (implies (basic-params n 3 v0 dv g1)981 (< (/ (+ (* (expt (gamma) 2)982 (- (fdco (1- (m n v0 g1)) v0 dv g1)983 (fdco (m n v0 g1) v0 dv g1)))984 (* (expt (gamma) 1)985 (- (fdco (m n v0 g1) v0 dv g1)986 (fdco (1+ (m n v0 g1)) v0 dv g1)))987 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))988 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0))))) 1))989 (- 1990 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))991 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))))196C.2. ACL2 Proof for Fine Convergence992 (* 2 n)))993 :hints (("Goal"994 :clause-processor995 (Smtlink clause996 ’( (:expand ((:functions ((m integerp)997 (gamma rationalp)998 (mu rationalp)999 (equ-c rationalp)1000 (fdco rationalp)1001 (dv0 rationalp)))1002 (:expansion-level 1)))1003 (:python-file "delta-smaller-than-0-lemma4")1004 (:let ((expt_gamma_2n1005 (expt (gamma) (* 2 n))1006 rationalp)1007 (expt_gamma_2n_minus_11008 (expt (gamma) (- (* 2 n) 1))1009 rationalp)1010 (expt_gamma_2n_minus_21011 (expt (gamma) (+ -1 n -1 n))1012 rationalp)1013 (expt_gamma_21014 (expt (gamma) 2)1015 rationalp)1016 (expt_gamma_11017 (expt (gamma) 1)1018 rationalp)1019 (expt_gamma_2_minus_2n1020 (expt (gamma) (- 2 (* 2 n)))1021 rationalp))1022 )1023 (:hypothesize ((equal expt_gamma_1 1/5)1024 (equal expt_gamma_2 1/25))))1025 state)1026 :in-theory (disable delta-<-0-lemma3-lemma11027 delta-<-0-lemma3-lemma3-stupidlemma1028 delta-<-0-lemma3-lemma2197C.2. ACL2 Proof for Fine Convergence1029 delta-<-0-lemma3-lemma31030 delta-<-0-lemma3-lemma4-stupidlemma1031 delta-<-0-lemma3-lemma4))))1032 )103310341035 (defthm delta-<-01036 (implies (basic-params n 3 v0 dv g1)1037 (< (delta n v0 dv g1) 0))1038 :hints (("Goal"1039 :use ((:instance delta-rewrite-5)1040 (:instance delta-<-0-lemma4)1041 (:instance delta-<-0-lemma3)1042 (:instance delta-<-0-lemma2)1043 (:instance delta-<-0-lemma1))1044 :in-theory (disable delta-<-0-lemma3-lemma11045 delta-<-0-lemma3-lemma3-stupidlemma1046 delta-<-0-lemma3-lemma21047 delta-<-0-lemma3-lemma31048 delta-<-0-lemma3-lemma4-stupidlemma1049 delta-<-0-lemma3-lemma4)1050 )))1051 ) ;; delta < 0 thus is proved10521053 ;; prove phi(2n+1) = gamma^2*A+gamma*B+delta1054 (encapsulate ()10551056 (local1057 (defthm split-phi-2n+1-lemma1-lemma11058 (implies (basic-params n 3 v0 dv g1 phi0)1059 (equal (A (+ n 1) phi0 v0 dv g1)1060 (+ (* (expt (gamma) (+ (* 2 n) 1)) phi0)1061 (* (expt (gamma) (* 2 n))1062 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1063 (* (expt (gamma) (- (* 2 n) 1))1064 (- (fdco (m n v0 g1) v0 dv g1) 1))))))1065 )198C.2. ACL2 Proof for Fine Convergence10661067 (local1068 (defthm split-phi-2n+1-lemma1-lemma21069 (implies (basic-params n 3 v0 dv g1 phi0)1070 (equal (+ (* (expt (gamma) (+ (* 2 n) 1)) phi0)1071 (* (expt (gamma) (* 2 n))1072 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1073 (* (expt (gamma) (- (* 2 n) 1))1074 (- (fdco (m n v0 g1) v0 dv g1) 1)))1075 (+ (* (+ (* (expt (gamma) (- (* 2 n) 1)) phi0)1076 (* (expt (gamma) (- (* 2 n) 2))1077 (- (fdco (m n v0 g1) v0 dv g1) 1))1078 (* (expt (gamma) (- (* 2 n) 3))1079 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))1080 (expt (gamma) 2))1081 (- (* (expt (gamma) (* 2 n))1082 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1083 (* (expt (gamma) (* 2 n))1084 (- (fdco (m n v0 g1) v0 dv g1) 1)))1085 (- (* (expt (gamma) (- (* 2 n) 1))1086 (- (fdco (m n v0 g1) v0 dv g1) 1))1087 (* (expt (gamma) (- (* 2 n) 1))1088 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1))))))1089 )1090 )10911092 (local1093 (defthm split-phi-2n+1-lemma1-A1094 (implies (basic-params n 3 v0 dv g1 phi0)1095 (equal (A (+ n 1) phi0 v0 dv g1)1096 (+ (* (A n phi0 v0 dv g1) (gamma) (gamma))1097 (- (* (expt (gamma) (* 2 n))1098 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1099 (* (expt (gamma) (* 2 n))1100 (- (fdco (m n v0 g1) v0 dv g1) 1)))1101 (- (* (expt (gamma) (- (* 2 n) 1))1102 (- (fdco (m n v0 g1) v0 dv g1) 1))199C.2. ACL2 Proof for Fine Convergence1103 (* (expt (gamma) (- (* 2 n) 1))1104 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))))))1105 )11061107 (local1108 (defthm split-phi-2n+1-lemma2-lemma11109 (implies (basic-params n 3 v0 dv g1)1110 (equal (B (+ n 1) v0 dv g1)1111 (* (expt (gamma) (- n 1))1112 (B-sum 1 (- n 1) v0 dv g1)))))1113 )11141115 (local1116 (defthm split-phi-2n+1-lemma2-lemma21117 (implies (basic-params n 3 v0 dv g1)1118 (equal (B (+ n 1) v0 dv g1)1119 (* (expt (gamma) (- n 1))1120 (+ (B-term (- n 1) v0 dv g1)1121 (B-term (- (- n 1)) v0 dv g1)1122 (B-sum 1 (- n 2) v0 dv g1))))))1123 )11241125 (local1126 (defthm split-phi-2n+1-lemma2-lemma31127 (implies (basic-params n 3 v0 dv g1)1128 (equal (B (+ n 1) v0 dv g1)1129 (+ (* (expt (gamma) (- n 1))1130 (B-sum 1 (- n 2) v0 dv g1))1131 (* (expt (gamma) (- n 1))1132 (B-term (- n 1) v0 dv g1))1133 (* (expt (gamma) (- n 1))1134 (B-term (- (- n 1)) v0 dv g1))))))1135 )11361137 (local1138 (defthm split-phi-2n+1-lemma2-lemma41139 (implies (basic-params n 3 v0 dv g1)200C.2. ACL2 Proof for Fine Convergence1140 (equal (B (+ n 1) v0 dv g1)1141 (+ (* (gamma) (expt (gamma) (- n 2))1142 (B-sum 1 (- n 2) v0 dv g1))1143 (* (expt (gamma) (- n 1))1144 (+ (B-term (- n 1) v0 dv g1)1145 (B-term (- (- n 1)) v0 dv g1)))))))1146 )11471148 (local1149 (defthm split-phi-2n+1-lemma2-lemma51150 (implies (basic-params n 3 v0 dv g1)1151 (equal (B (+ n 1) v0 dv g1)1152 (+ (* (gamma) (B n v0 dv g1))1153 (* (expt (gamma) (- n 1))1154 (+ (B-term (- n 1) v0 dv g1)1155 (B-term (- (- n 1)) v0 dv g1)))))))1156 )11571158 (local1159 (defthm split-phi-2n+1-lemma2-B1160 (implies (basic-params n 3 v0 dv g1)1161 (equal (B (+ n 1) v0 dv g1)1162 (+ (* (gamma) (B n v0 dv g1))1163 (* (expt (gamma) (- n 1))1164 (+ (* (expt (gamma) (- (- n 1)))1165 (B-term-rest (- n 1) v0 dv g1))1166 (* (expt (gamma) (- n 1))1167 (B-term-rest (- (- n 1)) v0 dv g1))))))))1168 )11691170 (local1171 (defthm split-phi-2n+1-lemma3-delta-stupidlemma1172 (implies (basic-params n 3 v0 dv g1)1173 (equal (+ (- (* (expt (gamma) (* 2 n))1174 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1175 (* (expt (gamma) (* 2 n))1176 (- (fdco (m n v0 g1) v0 dv g1) 1)))201C.2. ACL2 Proof for Fine Convergence1177 (- (* (expt (gamma) (- (* 2 n) 1))1178 (- (fdco (m n v0 g1) v0 dv g1) 1))1179 (* (expt (gamma) (- (* 2 n) 1))1180 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))1181 (* (expt (gamma) (- n 1))1182 (+ (* (expt (gamma) (- (- n 1)))1183 (B-term-rest (- n 1) v0 dv g1))1184 (* (expt (gamma) (- n 1))1185 (B-term-rest (- (- n 1)) v0 dv g1)))))1186 (+ (- (* (expt (gamma) (* 2 n))1187 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1188 (* (expt (gamma) (* 2 n))1189 (- (fdco (m n v0 g1) v0 dv g1) 1)))1190 (- (* (expt (gamma) (- (* 2 n) 1))1191 (- (fdco (m n v0 g1) v0 dv g1) 1))1192 (* (expt (gamma) (- (* 2 n) 1))1193 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))1194 (* (expt (gamma) (1- n))1195 (+ (* (expt (gamma) (1+ (- n)))1196 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))1197 (1+ (* *beta* (+ (* g1 (1- n)) (equ-c v0)))))1))1198 (* (expt (gamma) (1- n))1199 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))1200 (1+ (* *beta* (+ (* g1 (- 1 n)) (equ-c v0)))))1))))))))1201 )12021203 (local1204 (defthm split-phi-2n+1-lemma3-delta1205 (implies (basic-params n 3 v0 dv g1)1206 (equal (+ (- (* (expt (gamma) (* 2 n))1207 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1208 (* (expt (gamma) (* 2 n))1209 (- (fdco (m n v0 g1) v0 dv g1) 1)))1210 (- (* (expt (gamma) (- (* 2 n) 1))1211 (- (fdco (m n v0 g1) v0 dv g1) 1))202C.2. ACL2 Proof for Fine Convergence1212 (* (expt (gamma) (- (* 2 n) 1))1213 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))1214 (* (expt (gamma) (- n 1))1215 (+ (* (expt (gamma) (- (- n 1)))1216 (B-term-rest (- n 1) v0 dv g1))1217 (* (expt (gamma) (- n 1))1218 (B-term-rest (- (- n 1)) v0 dv g1)))))1219 (delta n v0 dv g1)))1220 :hints (("Goal"1221 :use ((:instance split-phi-2n+1-lemma3-delta-stupidlemma)1222 (:instance delta)))))1223 )12241225 (local1226 (defthm split-phi-2n+1-lemma41227 (implies (basic-params n 3 v0 dv g1 phi0)1228 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1)1229 (+ (A (+ n 1) phi0 v0 dv g1)1230 (B (+ n 1) v0 dv g1)))))1231 )12321233 (local1234 (defthm split-phi-2n+1-lemma51235 (implies (basic-params n 3 v0 dv g1 phi0)1236 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1)1237 (+ (+ (* (A n phi0 v0 dv g1) (gamma) (gamma))1238 (- (* (expt (gamma) (* 2 n))1239 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1240 (* (expt (gamma) (* 2 n))1241 (- (fdco (m n v0 g1) v0 dv g1) 1)))1242 (- (* (expt (gamma) (- (* 2 n) 1))1243 (- (fdco (m n v0 g1) v0 dv g1) 1))1244 (* (expt (gamma) (- (* 2 n) 1))1245 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1))))1246 (+ (* (gamma) (B n v0 dv g1))1247 (* (expt (gamma) (- n 1))1248 (+ (* (expt (gamma) (- (- n 1)))203C.2. ACL2 Proof for Fine Convergence1249 (B-term-rest (- n 1) v0 dv g1))1250 (* (expt (gamma) (- n 1))1251 (B-term-rest (- (- n 1)) v0 dv g1))))))))1252 :hints (("Goal"1253 :use ((:instance split-phi-2n+1-lemma1-A)1254 (:instance split-phi-2n+1-lemma2-B)))))1255 )12561257 (local1258 (defthm split-phi-2n+1-lemma61259 (implies (basic-params n 3 v0 dv g1 phi0)1260 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1)1261 (+ (* (A n phi0 v0 dv g1) (gamma) (gamma))1262 (* (gamma) (B n v0 dv g1))1263 (+ (- (* (expt (gamma) (* 2 n))1264 (- (fdco (1- (m n v0 g1)) v0 dv g1) 1))1265 (* (expt (gamma) (* 2 n))1266 (- (fdco (m n v0 g1) v0 dv g1) 1)))1267 (- (* (expt (gamma) (- (* 2 n) 1))1268 (- (fdco (m n v0 g1) v0 dv g1) 1))1269 (* (expt (gamma) (- (* 2 n) 1))1270 (- (fdco (1+ (m n v0 g1)) v0 dv g1) 1)))1271 (* (expt (gamma) (- n 1))1272 (+ (* (expt (gamma) (- (- n 1)))1273 (B-term-rest (- n 1) v0 dv g1))1274 (* (expt (gamma) (- n 1))1275 (B-term-rest (- (- n 1)) v0 dv g1)))))))))1276 )12771278 (defthm split-phi-2n+11279 (implies (basic-params n 3 v0 dv g1 phi0)1280 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1)1281 (+ (* (gamma) (gamma) (A n phi0 v0 dv g1))1282 (* (gamma) (B n v0 dv g1)) (delta n v0 dv g1))))1283 :hints (("Goal"1284 :use ((:instance split-phi-2n+1-lemma6)1285 (:instance split-phi-2n+1-lemma3-delta)))))204C.2. ACL2 Proof for Fine Convergence12861287 )12881289 ;; prove gamma^2*A + gamma*B < 01290 (encapsulate ()12911292 (local1293 (defthm except-for-delta-<-0-lemma11294 (implies (and (and (rationalp c)1295 (rationalp a)1296 (rationalp b))1297 (and (> c 0)1298 (< c 1)1299 (< (+ A B) 0)1300 (< B 0)))1301 (< (+ (* c c A) (* c B)) 0))1302 :hints (("Goal"1303 :clause-processor1304 (Smtlink clause1305 ’( (:expand ((:function ())1306 (:expansion-level 1)))1307 (:python-file"except-for-delta-smaller-than-0-lemma1")1308 (:let ())1309 (:hypothesize ()))1310 state)))1311 :rule-classes :linear)1312 )13131314 (defthm except-for-delta-<-01315 (implies (basic-params n 3 v0 dv g1 phi0 (< (phi-2n-1 n phi0v0 dv g1) 0))1316 (< (+ (* (gamma) (gamma) (A n phi0 v0 dv g1))1317 (* (gamma) (B n v0 dv g1)))1318 0))1319 :hints (("Goal"1320 :do-not-induct t205C.2. ACL2 Proof for Fine Convergence1321 :use ((:instance except-for-delta-<-0-lemma11322 (c (gamma))1323 (A (A n phi0 v0 dv g1))1324 (B (B n v0 dv g1)))1325 (:instance B-neg)))))1326 )13271328 ;; for induction step1329 (encapsulate ()13301331 (defthm phi-2n+1-<-0-inductive1332 (implies (basic-params n 3 v0 dv g1 phi0 (< (phi-2n-1 n phi0v0 dv g1) 0))1333 (< (phi-2n-1 (1+ n) phi0 v0 dv g1) 0))1334 :hints (("Goal"1335 :use ((:instance split-phi-2n+1)1336 (:instance delta-<-0)1337 (:instance except-for-delta-<-0)))))13381339 (defthm phi-2n+1-<-0-inductive-corollary1340 (implies (basic-params (- i 1) 3 v0 dv g1 phi01341 (< (phi-2n-1 (- i 1) phi0 v0 dv g1) 0))1342 (< (phi-2n-1 i phi0 v0 dv g1) 0))1343 :hints (("Goal"1344 :use ((:instance phi-2n+1-<-0-inductive1345 (n (- i 1)))))))13461347 (defthm phi-2n+1-<-0-inductive-corollary-21348 (implies (basic-params (- i 1) 3 v0 dv g1 phi01349 (< (phi-2n-1 (- i 1) phi0 v0 dv g1) 0))1350 (< (+ (A i phi0 v0 dv g1)1351 (* (B-expt i)1352 (B-sum 1 (- i 2) v0 dv g1))) 0))1353 :hints (("Goal"1354 :use ((:instance phi-2n+1-<-0-inductive-corollary)))))13551356 (defthm phi-2n+1-<-0-base206C.2. ACL2 Proof for Fine Convergence1357 (implies (basic-params-equal n 2 v0 dv g1 phi0)1358 (< (phi-2n-1 (1+ n) phi0 v0 dv g1) 0))1359 :hints (("Goal’’"1360 :clause-processor1361 (Smtlink clause1362 ’( (:expand ((:function ())1363 (:expansion-level 1)))1364 (:python-file "phi-2n+1-smaller-than-0-base")1365 (:let ())1366 (:hypothesize ()))1367 state)))1368 )13691370 (defthm phi-2n+1-<-0-base-new1371 (implies (basic-params-equal (- i 2) 1 v0 dv g1 phi0)1372 (< (phi-2n-1 (- i 1) phi0 v0 dv g1) 0))1373 :hints (("Goal’’"1374 :clause-processor1375 (Smtlink clause1376 ’( (:expand ((:function ())1377 (:expansion-level 1)))1378 (:python-file "phi-2n+1-smaller-than-0-base-new")1379 (:let ())1380 (:hypothesize ()))1381 state)))1382 )13831384 (defthm phi-2n+1-<-0-base-corollary1385 (implies (basic-params-equal (1- i) 2 v0 dv g1 phi0)1386 (< (phi-2n-1 i phi0 v0 dv g1) 0))1387 :hints (("Goal"1388 :use ((:instance phi-2n+1-<-0-base1389 (n (- i 1))))))1390 )13911392 (defthm phi-2n+1-<-0-base-corollary-21393 (implies (basic-params-equal (1- i) 2 v0 dv g1 phi0)207C.2. ACL2 Proof for Fine Convergence1394 (< (+ (A i phi0 v0 dv g1)1395 (* (B-expt i)1396 (B-sum 1 (- i 2) v0 dv g1))) 0))1397 :hints (("Goal"1398 :use ((:instance phi-2n+1-<-0-base-corollary))))1399 )14001401 (defthm stupid-proof1402 (implies (and (equal a f)1403 (equal a i)1404 (implies (and m l) l)1405 (implies l (and c h))1406 (implies (and c h) (and c j))1407 (implies (and a b c d) e)1408 (implies (and f b c d) g)1409 (implies (and f b h d e) g)1410 i1411 m1412 (implies (and a b j d) e)1413 f1414 b1415 l1416 d)1417 g)1418 :rule-classes nil)14191420 (defthm phi-2n+1-<-0-lemma-lemma11421 (implies1422 (and1423 (implies1424 (and (and (integerp (+ -2 i))1425 (rationalp g1)1426 (rationalp v0)1427 (rationalp phi0)1428 (rationalp dv))1429 (equal (+ -2 i) 1)1430 (equal g1 1/3200)208C.2. ACL2 Proof for Fine Convergence1431 (<= 9/10 v0)1432 (<= v0 11/10)1433 (<= -1/8000 dv)1434 (<= dv 1/8000)1435 (<= 0 phi0)1436 (< phi01437 (+ -11438 (* (fix (+ 1 (fix (+ v0 dv))))1439 (/ (+ 11440 (fix (* (+ 11441 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1442 (/ g1))1443 -640)1444 g1))))))))1445 (< (phi-2n-1 (+ -1 i) phi0 v0 dv g1) 0))1446 (implies1447 (and (and (integerp (+ -1 i))1448 (rationalp g1)1449 (rationalp v0)1450 (rationalp phi0)1451 (rationalp dv))1452 (equal (+ -1 i) 2)1453 (equal g1 1/3200)1454 (<= 9/10 v0)1455 (<= v0 11/10)1456 (<= -1/8000 dv)1457 (<= dv 1/8000)1458 (<= 0 phi0)1459 (< phi01460 (+ -11461 (* (fix (+ 1 (fix (+ v0 dv))))1462 (/ (+ 11463 (fix (* (+ 11464 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1465 (/ g1))209C.2. ACL2 Proof for Fine Convergence1466 -640)1467 g1))))))))1468 (< (+ (a i phi0 v0 dv g1)1469 (* (/ (expt 5 (+ -2 i)))1470 (b-sum 1 (+ -2 i) v0 dv g1)))1471 0))1472 (implies1473 (and (and (integerp (+ -1 i))1474 (rationalp g1)1475 (rationalp v0)1476 (rationalp dv)1477 (rationalp phi0))1478 (<= 3 (+ -1 i))1479 (<= (+ -1 i) 640)1480 (equal g1 1/3200)1481 (<= 9/10 v0)1482 (<= v0 11/10)1483 (<= -1/8000 dv)1484 (<= dv 1/8000)1485 (<= 0 phi0)1486 (< phi01487 (+ -11488 (* (fix (+ 1 (fix (+ v0 dv))))1489 (/ (+ 11490 (fix (* (+ 11491 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1492 (/ g1))1493 -640)1494 g1)))))))1495 (< (phi-2n-1 (+ -1 i) phi0 v0 dv g1) 0))1496 (< (+ (a i phi0 v0 dv g1)1497 (* (/ (expt 5 (+ -2 i)))1498 (b-sum 1 (+ -2 i) v0 dv g1)))1499 0))1500 (not (or (not (integerp i)) (< i 1)))1501 (implies210C.2. ACL2 Proof for Fine Convergence1502 (and (and (integerp (+ -1 -1 i))1503 (rationalp g1)1504 (rationalp v0)1505 (rationalp dv)1506 (rationalp phi0))1507 (<= 2 (+ -1 -1 i))1508 (<= (+ -1 -1 i) 640)1509 (equal g1 1/3200)1510 (<= 9/10 v0)1511 (<= v0 11/10)1512 (<= -1/8000 dv)1513 (<= dv 1/8000)1514 (<= 0 phi0)1515 (< phi01516 (+ -11517 (* (fix (+ 1 (fix (+ v0 dv))))1518 (/ (+ 11519 (fix (* (+ 11520 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1521 (/ g1))1522 -640)1523 g1))))))))1524 (< (+ (a (+ -1 i) phi0 v0 dv g1)1525 (* (/ (expt 5 (+ -2 -1 i)))1526 (b-sum 1 (+ -2 -1 i) v0 dv g1)))1527 0))1528 (integerp (+ -1 i))1529 (rationalp g1)1530 (rationalp v0)1531 (rationalp dv)1532 (rationalp phi0)1533 (<= 2 (+ -1 i))1534 (<= (+ -1 i) 640)1535 (equal g1 1/3200)1536 (<= 9/10 v0)1537 (<= v0 11/10)211C.2. ACL2 Proof for Fine Convergence1538 (<= -1/8000 dv)1539 (<= dv 1/8000)1540 (<= 0 phi0)1541 (< phi01542 (+ -11543 (* (fix (+ 1 (fix (+ v0 dv))))1544 (/ (+ 11545 (fix (* (+ 11546 (* (+ (fix (* (+ 1 (fix v0))1)) -1)1547 (/ g1))1548 -640)1549 g1))))))))1550 (< (+ (a i phi0 v0 dv g1)1551 (* (/ (expt 5 (+ -2 i)))1552 (b-sum 1 (+ -2 i) v0 dv g1)))1553 0))1554 :hints (("Goal"1555 :use ((:instance stupid-proof1556 (a (integerp (+ -1 -1 i)))1557 (b (and (rationalp g1)1558 (rationalp v0)1559 (rationalp dv)1560 (rationalp phi0)))1561 (c (equal (+ -2 i) 1))1562 (d (and (equal g1 1/3200)1563 (<= 9/10 v0)1564 (<= v0 11/10)1565 (<= -1/8000 dv)1566 (<= dv 1/8000)1567 (<= 0 phi0)1568 (< phi01569 (+ -11570 (* (fix (+ 1 (fix (+ v0 dv))))1571 (/ (+ 11572 (fix (* (+ 11573 (* (+ (fix (* (+ 1 (fix v0)) 1)) -1)212C.2. ACL2 Proof for Fine Convergence1574 (/ g1))1575 -640)1576 g1)))))))))1577 (e (< (+ (a (+ -1 i) phi0 v0 dv g1)1578 (* (/ (expt 5 (+ -2 -1 i)))1579 (b-sum 1 (+ -2 -1 i) v0 dv g1)))1580 0))1581 (f (integerp (+ -1 i)))1582 (g (< (+ (a i phi0 v0 dv g1)1583 (* (/ (expt 5 (+ -2 i)))1584 (b-sum 1 (+ -2 i) v0 dv g1)))1585 0))1586 (h (and (<= 3 (+ -1 i))1587 (<= (+ -1 i) 640)))1588 (i (integerp i))1589 (j (and (<= 2 (+ -1 -1 i))1590 (<= (+ -1 -1 i) 640)))1591 (l (and (<= 2 (+ -1 i))1592 (<= (+ -1 i) 640)1593 ))1594 (m (>= i 1)))))))15951596 (defthm phi-2n+1-<-0-lemma-lemma21597 (implies (and (or (not (integerp i)) (< i 1))1598 (integerp (+ -1 i))1599 (rationalp g1)1600 (rationalp v0)1601 (rationalp dv)1602 (rationalp phi0)1603 (<= 2 (+ -1 i))1604 (<= (+ -1 i) 640)1605 (equal g1 1/3200)1606 (<= 9/10 v0)1607 (<= v0 11/10)1608 (<= -1/8000 dv)1609 (<= dv 1/8000)1610 (<= 0 phi0)213C.2. ACL2 Proof for Fine Convergence1611 (< phi01612 (+ -11613 (* (fix (+ 1 (fix (+ v0 dv))))1614 (/ (+ 11615 (fix (* (+ 11616 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1617 (/ g1))1618 -640)1619 g1))))))))1620 (< (+ (a i phi0 v0 dv g1)1621 (* (/ (expt 5 (+ -2 i)))1622 (b-sum 1 (+ -2 i) v0 dv g1)))1623 0))1624 :rule-classes nil)16251626 (defthm phi-2n+1-<-0-lemma1627 (implies (basic-params (1- i) 2 v0 dv g1 phi0)1628 (< (+ (A i phi0 v0 dv g1)1629 (* (B-expt i)1630 (B-sum 1 (- i 2) v0 dv g1))) 0))1631 :hints (("Goal"1632 :do-not ’(simplify)1633 :induct (B-sum 1 i v0 dv g1))1634 ("Subgoal *1/2"1635 :use ((:instance phi-2n+1-<-0-base-new)1636 (:instance phi-2n+1-<-0-base-corollary-2)1637 (:instance phi-2n+1-<-0-inductive-corollary-2)1638 ))1639 ("Subgoal *1/2’’"1640 :use ((:instance phi-2n+1-<-0-lemma-lemma1)))1641 ("Subgoal *1/1’"1642 :use ((:instance phi-2n+1-<-0-lemma-lemma2)))1643 )1644 )16451646 (defthm phi-2n+1-<-0214C.2. ACL2 Proof for Fine Convergence1647 (implies (basic-params (1- i) 2 v0 dv g1 phi0)1648 (< (phi-2n-1 i phi0 v0 dv g1) 0))1649 :hints (("Goal"1650 :use ((:instance phi-2n+1-<-0-lemma))1651 ))1652 )16531654 (defthm phi-2n-1-<-01655 (implies (basic-params n 3 v0 dv g1 phi0)1656 (< (phi-2n-1 n phi0 v0 dv g1) 0))1657 :hints (("Goal"1658 :use ((:instance phi-2n+1-<-01659 (i n))))))1660 ) Augmented proof with arbitrary c:1 (in-package "ACL2")2 (include-book "global")34 (deftheory before-arith (current-theory :here))5 (include-book "arithmetic/top-with-meta" :dir :system)6 (deftheory after-arith (current-theory :here))78 (deftheory arithmetic-book-only (set-difference-theories(theory ’after-arith) (theory ’before-arith)))910 ;; for the clause processor to work11 (add-include-book-dir :cp"/ubc/cs/home/y/yanpeng/project/ACL2/smtlink")12 (include-book "top" :dir :cp)13 (logic)14 :set-state-ok t15 :set-ignore-ok t16 (tshell-ensure)1718 ;;:start-proof-tree215C.2. ACL2 Proof for Fine Convergence1920 ;; (encapsulate ()2122 ;; (local (include-book "arithmetic-5/top" :dir :system))2324 ;; (defun my-floor (x) (floor (numerator x) (denominator x)))2526 ;; (defthm my-floor-type27 ;; (implies (rationalp x)28 ;; (integerp (my-floor x)))29 ;; :rule-classes :type-prescription)3031 ;; (defthm my-floor-lower-bound32 ;; (implies (rationalp x)33 ;; (> (my-floor x) (- x 1)))34 ;; :rule-classes :linear)3536 ;; (defthm my-floor-upper-bound37 ;; (implies (rationalp x)38 ;; (<= (my-floor x) x))39 ;; :rule-classes :linear)4041 ;; (defthm my-floor-comparison42 ;; (implies (rationalp x)43 ;; (< (my-floor (1- x)) (my-floor x)))44 ;; :hints (("Goal"45 ;; :use ((:instance my-floor-upper-bound (x (1- x)))46 ;; (:instance my-floor-lower-bound))))47 ;; :rule-classes :linear)48 ;; )4950 ;; functions51 ;; n can be a rational value when c starts from non-integervalue52 (defun fdco (n v0 dv g1 dc)53 (/ (* (mu) (+ 1 (* *alpha* (+ v0 dv)))) (+ 1 (* *beta* (+ ndc) g1))))216C.2. ACL2 Proof for Fine Convergence5455 (defun B-term-expt (h)56 (expt (gamma) (- h)))5758 (defun B-term-rest (h v0 dv g1 dc)59 (- (* (mu) (/ (+ 1 (* *alpha* (+ v0 dv))) (+ 1 (* *beta* (+(* (+ h dc) g1) (equ-c v0)))))) 1))6061 (defun B-term (h v0 dv g1 dc)62 (* (B-term-expt h) (B-term-rest h v0 dv g1 dc)))6364 (defun B-sum (h_lo h_hi v0 dv g1 dc)65 (declare (xargs :measure (if (or (not (integerp h_hi)) (not(integerp h_lo)) (< h_hi h_lo))66 067 (1+ (- h_hi h_lo)))))68 (if (or (not (integerp h_hi)) (not (integerp h_lo)) (> h_loh_hi)) 069 (+ (B-term h_hi v0 dv g1 dc) (B-term (- h_hi) v0 dv g1dc) (B-sum h_lo (- h_hi 1) v0 dv g1 dc))))7071 (defun B-expt (n)72 (expt (gamma) (- n 2)))7374 (defun B (n v0 dv g1 dc)75 (* (B-expt n)76 (B-sum 1 (- n 2) v0 dv g1 dc)))7778 ;; parameter list functions79 (defmacro basic-params-equal (n n-value &optional (dc ’nil)(v0 ’nil) (dv ’nil) (g1 ’nil) (phi0 ’nil) (other ’nil))80 (list ’and81 (append82 (append83 (append84 (append85 (append (list ’and217C.2. ACL2 Proof for Fine Convergence86 (list ’integerp n))87 (if (equal dc ’nil) nil (list (list ’rationalp dc))))88 (if (equal g1 ’nil) nil (list (list ’rationalp g1))))89 (if (equal v0 ’nil) nil (list (list ’rationalp v0))))90 (if (equal phi0 ’nil) nil (list (list ’rationalp phi0))))91 (if (equal dv ’nil) nil (list (list ’rationalp dv))))92 (append93 (append94 (append95 (append96 (append97 (append98 (append99 (append100 (append101 (append102 (list ’and103 (list ’equal n n-value))104 (if (equal dc ’nil) nil (list (list ’>= dc ’0))))105 (if (equal dc ’nil) nil (list (list ’< dc ’1))))106 (if (equal g1 ’nil) nil (list (list ’equal g1 ’1/3200))))107 (if (equal v0 ’nil) nil (list (list ’>= v0 ’9/10))))108 (if (equal v0 ’nil) nil (list (list ’<= v0 ’11/10))))109 (if (equal dv ’nil) nil (list (list ’>= dv (list ’-(list ’dv0))))))110 (if (equal dv ’nil) nil (list (list ’<= dv (list’dv0)))))111 (if (equal phi0 ’nil) nil (list (list ’>= phi0 ’0))))112 (if (equal phi0 ’nil) nil (list (list ’< phi0 (list ’-(list ’fdco (list ’1+ (list ’m ’640 v0 g1)) v0 dv g1 dc)’1)))))113 (if (equal other ’nil) nil (list other)))))114115 (defmacro basic-params (n nupper &optional (dc ’nil) (v0 ’nil)(dv ’nil) (g1 ’nil) (phi0 ’nil) (other ’nil))116 (list ’and117 (append218C.2. ACL2 Proof for Fine Convergence118 (append119 (append120 (append121 (append (list ’and122 (list ’integerp n))123 (if (equal dc ’nil) nil (list (list ’rationalp dc))))124 (if (equal g1 ’nil) nil (list (list ’rationalp g1))))125 (if (equal v0 ’nil) nil (list (list ’rationalp v0))))126 (if (equal dv ’nil) nil (list (list ’rationalp dv))))127 (if (equal phi0 ’nil) nil (list (list ’rationalp phi0))))128 (append129 (append130 (append131 (append132 (append133 (append134 (append135 (append136 (append137 (append138 (append (list ’and139 (list ’>= n nupper))140 (list (list ’<= n ’640)))141 (if (equal dc ’nil) nil (list (list ’>= dc ’0))))142 (if (equal dc ’nil) nil (list (list ’< dc ’1))))143 (if (equal g1 ’nil) nil (list (list ’equal g1 ’1/3200))))144 (if (equal v0 ’nil) nil (list (list ’>= v0 ’9/10))))145 (if (equal v0 ’nil) nil (list (list ’<= v0 ’11/10))))146 (if (equal dv ’nil) nil (list (list ’>= dv (list ’-(list ’dv0))))))147 (if (equal dv ’nil) nil (list (list ’<= dv (list’dv0)))))148 (if (equal phi0 ’nil) nil (list (list ’>= phi0 ’0))))149 (if (equal phi0 ’nil) nil (list (list ’< phi0 (list ’-(list ’fdco (list ’1+ (list ’m ’640 v0 g1)) v0 dv g1 dc)’1)))))150 (if (equal other ’nil) nil (list other)))))219C.2. ACL2 Proof for Fine Convergence151152 (encapsulate ()153154 (local (in-theory (disable arithmetic-book-only)))155156 (local157 (include-book "arithmetic-5/top" :dir :system)158 )159160 (local161 (defthm B-term-neg-lemma1162 (implies (basic-params h 1 dc v0 dv g1)163 (< (+ (* (B-term-expt h) (B-term-rest h v0 dv g1 dc))164 (* (B-term-expt (- h)) (B-term-rest (- h) v0 dv g1dc)))165 0)166 )167 :hints168 (("Goal"169 :clause-processor170 (Smtlink clause171 ’( (:expand ((:functions ((B-term-rest rationalp)172 (gamma rationalp)173 (mu rationalp)174 (equ-c rationalp)175 (dv0 rationalp)))176 (:expansion-level 1)))177 (:python-file "B-term-neg-lemma1") ;;mktemp178 (:let ((expt_gamma_h (B-term-expt h) rationalp)179 (expt_gamma_minus_h (B-term-expt (- h))rationalp)))180 (:hypothesize ((<= expt_gamma_minus_h (/ 1 5))181 (> expt_gamma_minus_h 0)182 (equal (* expt_gamma_minus_h expt_gamma_h)1)))183 (:use ((:let ())184 (:hypo (()))220C.2. ACL2 Proof for Fine Convergence185 (:main ()))))186 state)187 ))188 )189 )190191 (defthm B-term-neg192 (implies (basic-params h 1 dc v0 dv g1)193 (< (+ (B-term h v0 dv g1 dc) (B-term (- h) v0 dv g1 dc))0))194 :hints (("Goal"195 :use ( (:instance B-term)196 (:instance B-term-neg-lemma1)197 )))198 :rule-classes :linear)199 )200201 (defthm B-sum-neg202 (implies (basic-params n-minus-2 1 dc v0 dv g1)203 (< (B-sum 1 n-minus-2 v0 dv g1 dc) 0))204 :hints (("Goal"205 :in-theory (disable B-term)206 :induct ())))207208 (encapsulate ()209210 (local ;; B = B-expt*B-sum211 (defthm B-neg-lemma1212 (implies (basic-params n 3 dc v0 dv g1)213 (equal (B n v0 dv g1 dc)214 (* (B-expt n)215 (B-sum 1 (- n 2) v0 dv g1 dc))))))216217 (local218 (defthm B-expt->-0219 (implies (basic-params n 3)220 (> (B-expt n) 0))221C.2. ACL2 Proof for Fine Convergence221 :rule-classes :linear))222223 (local224 (defthm B-neg-lemma2225 (implies (and (rationalp a)226 (rationalp b)227 (> a 0)228 (< b 0))229 (< (* a b) 0))230 :rule-classes :linear))231232 (local233 (defthm B-neg-type-lemma3234 (implies (and (and (rationalp n-minus-2) (rationalp v0)(rationalp g1) (rationalp dv) (rationalp dc)))235 (rationalp (B-sum 1 n-minus-2 v0 dv g1 dc)))236 :rule-classes :type-prescription))237238 (local239 (defthm B-neg-type-lemma4240 (implies (basic-params n 3)241 (rationalp (B-expt n)))242 :rule-classes :type-prescription))243244 (defthm B-neg245 (implies (basic-params n 3 dc v0 dv g1)246 (< (B n v0 dv g1 dc) 0))247 :hints (("Goal"248 :do-not-induct t249 :in-theory (disable B-expt B-sum B-sum-neg B-expt->-0)250 :use ((:instance B-sum-neg (n-minus-2 (- n 2)))251 (:instance B-expt->-0)252 (:instance B-neg-type-lemma3 (n-minus-2 (- n 2)))253 (:instance B-neg-type-lemma4)254 (:instance B-neg-lemma2 (a (B-expt n))255 (b (B-sum 1 (+ -2 n) v0 dv g1dc)))))))222C.2. ACL2 Proof for Fine Convergence256 )257258 (defun A (n phi0 v0 dv g1 dc)259 (+ (* (expt (gamma) (- (* 2 n) 1)) phi0)260 (* (expt (gamma) (- (* 2 n) 2))261 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))262 (* (expt (gamma) (- (* 2 n) 3))263 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1))))264265 (defun phi-2n-1 (n phi0 v0 dv g1 dc)266 (+ (A n phi0 v0 dv g1 dc) (B n v0 dv g1 dc)))267268 (defun delta (n v0 dv g1 dc)269 (+ (- (* (expt (gamma) (* 2 n))270 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))271 (* (expt (gamma) (* 2 n))272 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))273 (- (* (expt (gamma) (- (* 2 n) 1))274 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))275 (* (expt (gamma) (- (* 2 n) 1))276 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))277 (* (expt (gamma) (1- n))278 (+ (* (expt (gamma) (1+ (- n)))279 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))280 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0)))))281 1))282 (* (expt (gamma) (1- n))283 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))284 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))285 1))))))286287 (defun delta-1 (n v0 dv g1 dc)288 (+ (* (expt (gamma) (* 2 n))289 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)290 (fdco (m n v0 g1) v0 dv g1 dc)))291 (* (expt (gamma) (- (* 2 n) 1))292 (- (fdco (m n v0 g1) v0 dv g1 dc)223C.2. ACL2 Proof for Fine Convergence293 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))294 (* (* (expt (gamma) (1- n)) (expt (gamma) (1+ (- n))))295 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))296 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0)))))1))297 (* (* (expt (gamma) (1- n)) (expt (gamma) (1- n)))298 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))299 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))1))))300301 (defun delta-2 (n v0 dv g1 dc)302 (+ (* (expt (gamma) (* 2 n))303 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)304 (fdco (m n v0 g1) v0 dv g1 dc)))305 (* (expt (gamma) (- (* 2 n) 1))306 (- (fdco (m n v0 g1) v0 dv g1 dc)307 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))308 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))309 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0))))) 1)310 (* (expt (gamma) (+ -1 n -1 n))311 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))312 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))1))))313314 (defun delta-3 (n v0 dv g1 dc)315 (* (expt (gamma) (+ -1 n -1 n))316 (+ (* (expt (gamma) 2)317 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)318 (fdco (m n v0 g1) v0 dv g1 dc)))319 (* (expt (gamma) 1)320 (- (fdco (m n v0 g1) v0 dv g1 dc)321 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))322 (* (expt (gamma) (- 2 (* 2 n)))323 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))324 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0))))) 1))325 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))326 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))224C.2. ACL2 Proof for Fine Convergence1))))327328 (defun delta-3-inside (n v0 dv g1 dc)329 (+ (* (expt (gamma) 2)330 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)331 (fdco (m n v0 g1) v0 dv g1 dc)))332 (* (expt (gamma) 1)333 (- (fdco (m n v0 g1) v0 dv g1 dc)334 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))335 (* (expt (gamma) (- 2 (* 2 n)))336 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))337 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0))))) 1))338 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))339 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))1)))340341 (defun delta-3-inside-transform (n v0 dv g1 dc)342 (/343 (+ (* (expt (gamma) 2)344 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)345 (fdco (m n v0 g1) v0 dv g1 dc)))346 (* (expt (gamma) 1)347 (- (fdco (m n v0 g1) v0 dv g1 dc)348 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))349 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))350 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-c v0)))))1))351 (- 1352 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))353 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c v0))))))))354355 ;; rewrite delta term356 (encapsulate ()357358 (local359 ;; considering using smtlink for the proof, probably simpler360 (defthm delta-rewrite-1-lemma1225C.2. ACL2 Proof for Fine Convergence361 (implies (basic-params n 3 dc v0 dv g1)362 (equal (+ (- (* (expt (gamma) (* 2 n))363 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))364 (* (expt (gamma) (* 2 n))365 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))366 (- (* (expt (gamma) (- (* 2 n) 1))367 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))368 (* (expt (gamma) (- (* 2 n) 1))369 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))370 (* (expt (gamma) (1- n))371 (+ (* (expt (gamma) (1+ (- n)))372 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))373 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0)))))374 1))375 (* (expt (gamma) (1- n))376 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))377 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0)))))378 1)))))379 (+ (* (expt (gamma) (* 2 n))380 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)381 (fdco (m n v0 g1) v0 dv g1 dc)))382 (* (expt (gamma) (- (* 2 n) 1))383 (- (fdco (m n v0 g1) v0 dv g1 dc)384 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))385 (* (* (expt (gamma) (1- n)) (expt (gamma) (1+ (-n))))386 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))387 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))388 (* (* (expt (gamma) (1- n)) (expt (gamma) (1- n)))389 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))390 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1)))))391 :hints392 (("Goal"226C.2. ACL2 Proof for Fine Convergence393 :clause-processor394 (Smtlink clause395 ’( (:expand ((:functions ((m integerp)396 (gamma rationalp)397 (mu rationalp)398 (equ-c rationalp)399 (fdco rationalp)400 (dv0 rationalp)))401 (:expansion-level 1)))402 (:python-file "delta-rewrite-1-lemma1") ;;mktemp403 (:let ((expt_gamma_2n404 (expt (gamma) (* 2 n))405 rationalp)406 (expt_gamma_2n_minus_1407 (expt (gamma) (- (* 2 n) 1))408 rationalp)409 (expt_gamma_n_minus_1410 (expt (gamma) (1- n))411 rationalp)412 (expt_gamma_1_minus_n413 (expt (gamma) (1+ (- n)))414 rationalp)415 ))416 (:hypothesize ()))417 state)418 )))419 )420421 (local422 (defthm delta-rewrite-1423 (implies (basic-params n 3 dc v0 dv g1)424 (equal (delta n v0 dv g1 dc)425 (delta-1 n v0 dv g1 dc))))426 )427428 (local429 (defthm delta-rewrite-2-lemma1227C.2. ACL2 Proof for Fine Convergence430 (implies (basic-params n 3)431 (equal (* (expt (gamma) (1- n))432 (expt (gamma) (1+ (- n))))433 1))434 :hints (("Goal"435 :use ((:instance expt-minus436 (r (gamma))437 (i (- (1+ (- n))))))438 )))439 )440441 (local442 (defthm delta-rewrite-2-lemma2443 (implies (basic-params n 3)444 (equal (* (expt (gamma) (1- n))445 (expt (gamma) (1- n)))446 (expt (gamma) (+ -1 n -1 n))))447 :hints (("Goal"448 :do-not-induct t449 :use ((:instance exponents-add-for-nonneg-exponents450 (i (1- n))451 (j (1- n))452 (r (gamma))))453 :in-theory (disable exponents-add-for-nonneg-exponents)454 ))455 )456 )457458 (local459 (defthm delta-rewrite-2-lemma3460 (implies (basic-params n 3)461 (equal (+ A462 B463 (* (* (expt (gamma) (1- n))464 (expt (gamma) (1+ (- n))))465 C)466 (* (* (expt (gamma) (1- n))228C.2. ACL2 Proof for Fine Convergence467 (expt (gamma) (1- n)))468 D))469 (+ A B C470 (* (expt (gamma) (+ -1 n -1 n)) D))))471 :hints (("Goal"472 :use ((:instance delta-rewrite-2-lemma1)473 (:instance delta-rewrite-2-lemma2)))))474 )475476 (local477 (defthm delta-rewrite-2478 (implies (basic-params n 3 dc v0 dv g1)479 (equal (delta-1 n v0 dv g1 dc)480 (delta-2 n v0 dv g1 dc)))481 :hints (("Goal"482 :use ((:instance delta-rewrite-2-lemma3483 (A (* (expt (gamma) (* 2 n))484 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)485 (fdco (m n v0 g1) v0 dv g1 dc))))486 (B (* (expt (gamma) (- (* 2 n) 1))487 (- (fdco (m n v0 g1) v0 dv g1 dc)488 (fdco (1+ (m n v0 g1)) v0 dv g1 dc))))489 (C (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))490 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))491 (D (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))492 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1)))))))493 )494495 (local496 (defthm delta-rewrite-3-lemma1-lemma1497 (implies (basic-params n 3)498 (equal (expt (gamma) (+ (+ -1 n -1 n) 2))499 (* (expt (gamma) (+ -1 n -1 n))500 (expt (gamma) 2))))501 :hints (("Goal"229C.2. ACL2 Proof for Fine Convergence502 :use ((:instance exponents-add-for-nonneg-exponents503 (i (+ -1 n -1 n))504 (j 2)505 (r (gamma))))506 :in-theory (disable exponents-add-for-nonneg-exponents507 delta-rewrite-2-lemma2))))508 )509510 (local511 (defthm delta-rewrite-3-lemma1-stupidlemma512 (implies (basic-params n 3)513 (equal (* 2 n) (+ (+ -1 n -1 n) 2))))514 )515516 (local517 (defthm delta-rewrite-3-lemma1518 (implies (basic-params n 3)519 (equal (expt (gamma) (* 2 n))520 (* (expt (gamma) (+ -1 n -1 n))521 (expt (gamma) 2))))522 :hints (("Goal"523 :use ((:instance delta-rewrite-3-lemma1-lemma1)524 (:instance delta-rewrite-3-lemma1-stupidlemma)))))525 )526527 (local528 (defthm delta-rewrite-3-lemma2-lemma1-lemma1529 (implies (basic-params n 3)530 (>= (+ n n) 2))))531532 (local533 (defthm delta-rewrite-3-lemma2-lemma1-stupidlemma534 (implies (basic-params n 3)535 (>= (+ -1 n -1 n) 0))536 :hints (("GOal"537 :use ((:instancedelta-rewrite-3-lemma2-lemma1-lemma1))))))230C.2. ACL2 Proof for Fine Convergence538539 (local540 (defthm delta-rewrite-3-lemma2-lemma1-lemma2541 (implies (basic-params n 3)542 (integerp (+ -1 n -1 n)))543 ))544545 (local546 (defthm delta-rewrite-3-lemma2-lemma1-lemma3547 (implies (basic-params n 3)548 (>= (+ -1 n -1 n) 0))549 :hints (("Goal"550 :use ((:instancedelta-rewrite-3-lemma2-lemma1-stupidlemma))))))551552 (local553 (defthm delta-rewrite-3-lemma2-lemma1554 (implies (basic-params n 3)555 (equal (expt (gamma) (+ (+ -1 n -1 n) 1))556 (* (expt (gamma) (+ -1 n -1 n))557 (expt (gamma) 1))))558 :hints (("Goal"559 :use ((:instance delta-rewrite-3-lemma2-lemma1-lemma2)560 (:instance delta-rewrite-3-lemma2-lemma1-lemma3)561 (:instance exponents-add-for-nonneg-exponents562 (i (+ -1 n -1 n))563 (j 1)564 (r (gamma))))565 )))566 )567568 (local569 (defthm delta-rewrite-3-lemma2-stupidlemma570 (implies (basic-params n 3)571 (equal (- (* 2 n) 1)572 (+ (+ -1 n -1 n) 1))))573 )231C.2. ACL2 Proof for Fine Convergence574575 (local576 (defthm delta-rewrite-3-lemma2577 (implies (basic-params n 3)578 (equal (expt (gamma) (- (* 2 n) 1))579 (* (expt (gamma) (+ -1 n -1 n))580 (expt (gamma) 1))))581 :hints (("Goal"582 :use ((:instance delta-rewrite-3-lemma2-lemma1)583 (:instance delta-rewrite-3-lemma2-stupidlemma))584 :in-theory (disable delta-rewrite-2-lemma2)))585 )586 )587588 (local589 (defthm delta-rewrite-3-lemma3590 (implies (basic-params n 3)591 (equal (* (expt (gamma) (- 2 (* 2 n)))592 (expt (gamma) (+ -1 n -1 n)))593 1))594 :hints (("Goal"595 :use ((:instance expt-minus596 (r (gamma))597 (i (- (- 2 (* 2 n)))))))))598 )599600 (local601 (defthm delta-rewrite-3602 (implies (basic-params n 3 dc v0 dv g1)603 (equal (+ (* (expt (gamma) (* 2 n))604 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)605 (fdco (m n v0 g1) v0 dv g1 dc)))606 (* (expt (gamma) (- (* 2 n) 1))607 (- (fdco (m n v0 g1) v0 dv g1 dc)608 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))609 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))610 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-c232C.2. ACL2 Proof for Fine Convergencev0))))) 1)611 (* (expt (gamma) (+ -1 n -1 n))612 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))613 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1)))614 (* (expt (gamma) (+ -1 n -1 n))615 (+ (* (expt (gamma) 2)616 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)617 (fdco (m n v0 g1) v0 dv g1 dc)))618 (* (expt (gamma) 1)619 (- (fdco (m n v0 g1) v0 dv g1 dc)620 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))621 (* (expt (gamma) (- 2 (* 2 n)))622 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))623 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))624 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))625 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1)))))626 :hints627 (("Goal"628 :in-theory (disable delta-rewrite-2-lemma1)629 :do-not-induct t630 :clause-processor631 (Smtlink clause632 ’( (:expand ((:functions ((m integerp)633 (gamma rationalp)634 (mu rationalp)635 (equ-c rationalp)636 (fdco rationalp)637 (dv0 rationalp)))638 (:expansion-level 1)))639 (:python-file "delta-rewrite-3")640 (:let ((expt_gamma_2n641 (expt (gamma) (* 2 n))642 rationalp)643 (expt_gamma_2n_minus_1233C.2. ACL2 Proof for Fine Convergence644 (expt (gamma) (- (* 2 n) 1))645 rationalp)646 (expt_gamma_2n_minus_2647 (expt (gamma) (+ -1 n -1 n))648 rationalp)649 (expt_gamma_2650 (expt (gamma) 2)651 rationalp)652 (expt_gamma_1653 (expt (gamma) 1)654 rationalp)655 (expt_gamma_2_minus_2n656 (expt (gamma) (- 2 (* 2 n)))657 rationalp)658 ))659 (:hypothesize ((equal expt_gamma_2n660 (* expt_gamma_2n_minus_2 expt_gamma_2))661 (equal expt_gamma_2n_minus_1662 (* expt_gamma_2n_minus_2 expt_gamma_1))663 (equal (* expt_gamma_2_minus_2nexpt_gamma_2n_minus_2)664 1)))665 (:use ((:type ())666 (:hypo ((delta-rewrite-3-lemma1)667 (delta-rewrite-3-lemma2)668 (delta-rewrite-3-lemma3)))669 (:main ()))))670 state))))671 )672673 (local674 (defthm delta-rewrite-4675 (implies (basic-params n 3 dc v0 dv g1)676 (equal (delta-2 n v0 dv g1 dc)677 (delta-3 n v0 dv g1 dc)))678 :hints (("Goal"679 :use ((:instance delta-rewrite-3)))))234C.2. ACL2 Proof for Fine Convergence680 )681682 (defthm delta-rewrite-5683 (implies (basic-params n 3 dc v0 dv g1)684 (equal (delta n v0 dv g1 dc)685 (delta-3 n v0 dv g1 dc)))686 :hints (("Goal"687 :use ((:instance delta-rewrite-1)688 (:instance delta-rewrite-2)689 (:instance delta-rewrite-3)690 (:instance delta-rewrite-4)))))691 )692693 (encapsulate ()694695 (local696 (defthm delta-<-0-lemma1-lemma697 (implies (basic-params n 3 dc v0 dv g1)698 (implies (< (+ (* (expt (gamma) 2)699 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)700 (fdco (m n v0 g1) v0 dv g1 dc)))701 (* (expt (gamma) 1)702 (- (fdco (m n v0 g1) v0 dv g1 dc)703 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))704 (* (expt (gamma) (- 2 (* 2 n)))705 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))706 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))707 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))708 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))709 0)710 (< (* (expt (gamma) (+ -1 n -1 n))711 (+ (* (expt (gamma) 2)712 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)713 (fdco (m n v0 g1) v0 dv g1 dc)))714 (* (expt (gamma) 1)235C.2. ACL2 Proof for Fine Convergence715 (- (fdco (m n v0 g1) v0 dv g1 dc)716 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))717 (* (expt (gamma) (- 2 (* 2 n)))718 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))719 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))720 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))721 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1)))722 0)))723 :hints (("Goal"724 :clause-processor725 (Smtlink clause726 ’( (:expand ((:functions ((m integerp)727 (gamma rationalp)728 (mu rationalp)729 (equ-c rationalp)730 (fdco rationalp)731 (dv0 rationalp)))732 (:expansion-level 1)))733 (:python-file"delta-smaller-than-0-lemma1-lemma")734 (:let ((expt_gamma_2n735 (expt (gamma) (* 2 n))736 rationalp)737 (expt_gamma_2n_minus_1738 (expt (gamma) (- (* 2 n) 1))739 rationalp)740 (expt_gamma_2n_minus_2741 (expt (gamma) (+ -1 n -1 n))742 rationalp)743 (expt_gamma_2744 (expt (gamma) 2)745 rationalp)746 (expt_gamma_1747 (expt (gamma) 1)748 rationalp)236C.2. ACL2 Proof for Fine Convergence749 (expt_gamma_2_minus_2n750 (expt (gamma) (- 2 (* 2 n)))751 rationalp)752 ))753 (:hypothesize ((> expt_gamma_2n_minus_2 0))))754 state))))755 )756757 (local758 (defthm delta-<-0-lemma1759 (implies (basic-params n 3 dc v0 dv g1)760 (implies (< (delta-3-inside n v0 dv g1 dc) 0)761 (< (delta-3 n v0 dv g1 dc) 0))))762 )763764 (local765 (defthm delta-<-0-lemma2-lemma766 (implies (basic-params n 3 dc v0 dv g1)767 (implies (< (/ (+ (* (expt (gamma) 2)768 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)769 (fdco (m n v0 g1) v0 dv g1 dc)))770 (* (expt (gamma) 1)771 (- (fdco (m n v0 g1) v0 dv g1 dc)772 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))773 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))774 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))775 (- 1776 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))777 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0)))))))778 (expt (gamma) (- 2 (* 2 n))))779 (< (+ (* (expt (gamma) 2)780 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)781 (fdco (m n v0 g1) v0 dv g1 dc)))782 (* (expt (gamma) 1)783 (- (fdco (m n v0 g1) v0 dv g1 dc)237C.2. ACL2 Proof for Fine Convergence784 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))785 (* (expt (gamma) (- 2 (* 2 n)))786 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))787 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))788 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))789 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))790 0)))791 :hints (("Goal"792 :clause-processor793 (Smtlink clause794 ’( (:expand ((:functions ((m integerp)795 (gamma rationalp)796 (mu rationalp)797 (equ-c rationalp)798 (fdco rationalp)799 (dv0 rationalp)))800 (:expansion-level 1)))801 (:python-file"delta-smaller-than-0-lemma2-lemma")802 (:let ((expt_gamma_2n803 (expt (gamma) (* 2 n))804 rationalp)805 (expt_gamma_2n_minus_1806 (expt (gamma) (- (* 2 n) 1))807 rationalp)808 (expt_gamma_2n_minus_2809 (expt (gamma) (+ -1 n -1 n))810 rationalp)811 (expt_gamma_2812 (expt (gamma) 2)813 rationalp)814 (expt_gamma_1815 (expt (gamma) 1)816 rationalp)817 (expt_gamma_2_minus_2n238C.2. ACL2 Proof for Fine Convergence818 (expt (gamma) (- 2 (* 2 n)))819 rationalp)820 ))821 (:hypothesize ((> expt_gamma_2_minus_2n 0))))822 state))))823 )824825 (local826 (defthm delta-<-0-lemma2827 (implies (basic-params n 3 dc v0 dv g1)828 (implies (< (delta-3-inside-transform n v0 dv g1 dc)829 (expt (gamma) (- 2 (* 2 n))))830 (< (delta-3-inside n v0 dv g1 dc) 0)))831 :hints (("Goal"832 :use ((:instance delta-<-0-lemma2-lemma)))))833 )834835 (local836 ;; This is for proving 2n < gamma^(2-2n)837 (defthm delta-<-0-lemma3-lemma1838 (implies (and (integerp k)839 (>= k 6))840 (< k (expt (/ (gamma)) (- k 2)))))841 )842843 (local844 (defthm delta-<-0-lemma3-lemma2-stupidlemma845 (implies (basic-params n 3)846 (>= n 3))))847848 (local849 (defthm delta-<-0-lemma3-lemma2-stupidlemma-omg850 (implies (and (rationalp a) (rationalp b) (>= a b))851 (>= (* 2 a) (* 2 b)))))852853 (local854 (defthm delta-<-0-lemma3-lemma2-lemma1239C.2. ACL2 Proof for Fine Convergence855 (implies (basic-params n 3)856 (>= (* 2 n) 6))857 :hints (("Goal"858 :use ((:instance delta-<-0-lemma3-lemma2-stupidlemma)859 (:instance delta-<-0-lemma3-lemma2-stupidlemma-omg860 (a n)861 (b 3))862 ))))863 )864865 (local866 (defthm delta-<-0-lemma3-lemma2867 (implies (basic-params n 3)868 (< (* 2 n)869 (expt (/ (gamma)) (- (* 2 n) 2))))870 :hints (("Goal"871 :use ((:instance delta-<-0-lemma3-lemma1872 (k (* 2 n)))873 (:instance delta-<-0-lemma3-lemma2-lemma1))))874 :rule-classes :linear)875 )876877 (local878 (defthm delta-<-0-lemma3-lemma3-stupidlemma879 (equal (expt a n) (expt (/ a) (- n))))880 )881882 (local883 (defthm delta-<-0-lemma3-lemma3884 (implies (basic-params n 3)885 (equal (expt (/ (gamma)) (- (* 2 n) 2))886 (expt (gamma) (- 2 (* 2 n)))))887 :hints (("Goal"888 :use ((:instance delta-<-0-lemma3-lemma3-stupidlemma889 (a (/ (gamma)))890 (n (- (* 2 n) 2))))891 :in-theory (disable240C.2. ACL2 Proof for Fine Convergencedelta-<-0-lemma3-lemma3-stupidlemma))))892 )893894 (local895 (defthm delta-<-0-lemma3-lemma4-stupidlemma896 (implies (and (< a b) (equal b c)) (< a c)))897 )898899 (local900 (defthm delta-<-0-lemma3-lemma4901 (implies (basic-params n 3)902 (< (* 2 n)903 (expt (gamma) (- 2 (* 2 n)))))904 :hints (("Goal"905 :do-not ’(preprocess simplify)906 :use ((:instance delta-<-0-lemma3-lemma2)907 (:instance delta-<-0-lemma3-lemma3)908 (:instance delta-<-0-lemma3-lemma4-stupidlemma909 (a (* 2 n))910 (b (expt (/ (gamma)) (- (* 2 n) 2)))911 (c (expt (gamma) (- 2 (* 2 n))))))912 :in-theory (disable delta-<-0-lemma3-lemma2913 delta-<-0-lemma3-lemma3914 delta-<-0-lemma3-lemma4-stupidlemma)))915 :rule-classes :linear)916 )917918 (local919 (defthm delta-<-0-lemma3920 (implies (basic-params n 3 dc v0 dv g1)921 (implies (< (/ (+ (* (expt (gamma) 2)922 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)923 (fdco (m n v0 g1) v0 dv g1 dc)))924 (* (expt (gamma) 1)925 (- (fdco (m n v0 g1) v0 dv g1 dc)926 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))927 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))241C.2. ACL2 Proof for Fine Convergence928 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))929 (- 1930 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))931 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0)))))))932 (* 2 n))933 (< (/ (+ (* (expt (gamma) 2)934 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)935 (fdco (m n v0 g1) v0 dv g1 dc)))936 (* (expt (gamma) 1)937 (- (fdco (m n v0 g1) v0 dv g1 dc)938 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))939 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))940 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))941 (- 1942 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))943 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0)))))))944 (expt (gamma) (- 2 (* 2 n))))))945 :hints (("Goal"946 :clause-processor947 (Smtlink clause948 ’( (:expand ((:functions ((m integerp)949 (gamma rationalp)950 (mu rationalp)951 (equ-c rationalp)952 (fdco rationalp)953 (dv0 rationalp)))954 (:expansion-level 1)))955 (:python-file "delta-smaller-than-0-lemma3")956 (:let ((expt_gamma_2n957 (expt (gamma) (* 2 n))958 rationalp)959 (expt_gamma_2n_minus_1960 (expt (gamma) (- (* 2 n) 1))242C.2. ACL2 Proof for Fine Convergence961 rationalp)962 (expt_gamma_2n_minus_2963 (expt (gamma) (+ -1 n -1 n))964 rationalp)965 (expt_gamma_2966 (expt (gamma) 2)967 rationalp)968 (expt_gamma_1969 (expt (gamma) 1)970 rationalp)971 (expt_gamma_2_minus_2n972 (expt (gamma) (- 2 (* 2 n)))973 rationalp))974 )975 (:hypothesize ((< (* 2 n)expt_gamma_2_minus_2n)))976 (:use ((:type ())977 (:hypo ((delta-<-0-lemma3-lemma4)))978 (:main ())))979 )980 state)981 :in-theory (disable delta-<-0-lemma3-lemma1982 delta-<-0-lemma3-lemma3-stupidlemma983 delta-<-0-lemma3-lemma2984 delta-<-0-lemma3-lemma3985 delta-<-0-lemma3-lemma4-stupidlemma)986 )))987 )988989 (local990 (defthm delta-<-0-lemma4991 (implies (basic-params n 3 dc v0 dv g1)992 (< (/ (+ (* (expt (gamma) 2)993 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc)994 (fdco (m n v0 g1) v0 dv g1 dc)))995 (* (expt (gamma) 1)996 (- (fdco (m n v0 g1) v0 dv g1 dc)243C.2. ACL2 Proof for Fine Convergence997 (fdco (1+ (m n v0 g1)) v0 dv g1 dc)))998 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))999 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))1000 (- 11001 (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))1002 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0)))))))1003 (* 2 n)))1004 :hints (("Goal"1005 :clause-processor1006 (Smtlink clause1007 ’( (:expand ((:functions ((m integerp)1008 (gamma rationalp)1009 (mu rationalp)1010 (equ-c rationalp)1011 (fdco rationalp)1012 (dv0 rationalp)))1013 (:expansion-level 1)))1014 (:python-file "delta-smaller-than-0-lemma4")1015 (:let ((expt_gamma_21016 (expt (gamma) 2)1017 rationalp)1018 (expt_gamma_11019 (expt (gamma) 1)1020 rationalp))1021 )1022 (:hypothesize ((equal expt_gamma_1 1/5)1023 (equal expt_gamma_2 1/25)1024 )1025 ))1026 state)1027 :in-theory (disable delta-<-0-lemma3-lemma11028 delta-<-0-lemma3-lemma3-stupidlemma1029 delta-<-0-lemma3-lemma21030 delta-<-0-lemma3-lemma31031 delta-<-0-lemma3-lemma4-stupidlemma244C.2. ACL2 Proof for Fine Convergence1032 delta-<-0-lemma3-lemma4))))1033 )103410351036 (defthm delta-<-01037 (implies (basic-params n 3 dc v0 dv g1)1038 (< (delta n v0 dv g1 dc) 0))1039 :hints (("Goal"1040 :use ((:instance delta-rewrite-5)1041 (:instance delta-<-0-lemma4)1042 (:instance delta-<-0-lemma3)1043 (:instance delta-<-0-lemma2)1044 (:instance delta-<-0-lemma1))1045 :in-theory (disable delta-<-0-lemma3-lemma11046 delta-<-0-lemma3-lemma3-stupidlemma1047 delta-<-0-lemma3-lemma21048 delta-<-0-lemma3-lemma31049 delta-<-0-lemma3-lemma4-stupidlemma1050 delta-<-0-lemma3-lemma4)1051 )))1052 ) ;; delta < 0 thus is proved10531054 ;; prove phi(2n+1) = gamma^2*A+gamma*B+delta1055 (encapsulate ()10561057 (local1058 (defthm split-phi-2n+1-lemma1-lemma11059 (implies (basic-params n 3 dc v0 dv g1 phi0)1060 (equal (A (+ n 1) phi0 v0 dv g1 dc)1061 (+ (* (expt (gamma) (+ (* 2 n) 1)) phi0)1062 (* (expt (gamma) (* 2 n))1063 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1064 (* (expt (gamma) (- (* 2 n) 1))1065 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))))))1066 )10671068 (local245C.2. ACL2 Proof for Fine Convergence1069 (defthm split-phi-2n+1-lemma1-lemma21070 (implies (basic-params n 3 dc v0 dv g1 phi0)1071 (equal (+ (* (expt (gamma) (+ (* 2 n) 1)) phi0)1072 (* (expt (gamma) (* 2 n))1073 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1074 (* (expt (gamma) (- (* 2 n) 1))1075 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1076 (+ (* (+ (* (expt (gamma) (- (* 2 n) 1)) phi0)1077 (* (expt (gamma) (- (* 2 n) 2))1078 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1079 (* (expt (gamma) (- (* 2 n) 3))1080 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))1081 (expt (gamma) 2))1082 (- (* (expt (gamma) (* 2 n))1083 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1084 (* (expt (gamma) (* 2 n))1085 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1086 (- (* (expt (gamma) (- (* 2 n) 1))1087 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1088 (* (expt (gamma) (- (* 2 n) 1))1089 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1))))))1090 )1091 )10921093 (local1094 (defthm split-phi-2n+1-lemma1-A1095 (implies (basic-params n 3 dc v0 dv g1 phi0)1096 (equal (A (+ n 1) phi0 v0 dv g1 dc)1097 (+ (* (A n phi0 v0 dv g1 dc) (gamma) (gamma))1098 (- (* (expt (gamma) (* 2 n))1099 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1100 (* (expt (gamma) (* 2 n))1101 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1102 (- (* (expt (gamma) (- (* 2 n) 1))1103 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1104 (* (expt (gamma) (- (* 2 n) 1))1105 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))))))246C.2. ACL2 Proof for Fine Convergence1106 )11071108 (local1109 (defthm split-phi-2n+1-lemma2-lemma11110 (implies (basic-params n 3 dc v0 dv g1)1111 (equal (B (+ n 1) v0 dv g1 dc)1112 (* (expt (gamma) (- n 1))1113 (B-sum 1 (- n 1) v0 dv g1 dc)))))1114 )11151116 (local1117 (defthm split-phi-2n+1-lemma2-lemma21118 (implies (basic-params n 3 dc v0 dv g1)1119 (equal (B (+ n 1) v0 dv g1 dc)1120 (* (expt (gamma) (- n 1))1121 (+ (B-term (- n 1) v0 dv g1 dc)1122 (B-term (- (- n 1)) v0 dv g1 dc)1123 (B-sum 1 (- n 2) v0 dv g1 dc))))))1124 )11251126 (local1127 (defthm split-phi-2n+1-lemma2-lemma31128 (implies (basic-params n 3 dc v0 dv g1)1129 (equal (B (+ n 1) v0 dv g1 dc)1130 (+ (* (expt (gamma) (- n 1))1131 (B-sum 1 (- n 2) v0 dv g1 dc))1132 (* (expt (gamma) (- n 1))1133 (B-term (- n 1) v0 dv g1 dc))1134 (* (expt (gamma) (- n 1))1135 (B-term (- (- n 1)) v0 dv g1 dc))))))1136 )11371138 (local1139 (defthm split-phi-2n+1-lemma2-lemma41140 (implies (basic-params n 3 dc v0 dv g1)1141 (equal (B (+ n 1) v0 dv g1 dc)1142 (+ (* (gamma) (expt (gamma) (- n 2))247C.2. ACL2 Proof for Fine Convergence1143 (B-sum 1 (- n 2) v0 dv g1 dc))1144 (* (expt (gamma) (- n 1))1145 (+ (B-term (- n 1) v0 dv g1 dc)1146 (B-term (- (- n 1)) v0 dv g1 dc)))))))1147 )11481149 (local1150 (defthm split-phi-2n+1-lemma2-lemma51151 (implies (basic-params n 3 dc v0 dv g1)1152 (equal (B (+ n 1) v0 dv g1 dc)1153 (+ (* (gamma) (B n v0 dv g1 dc))1154 (* (expt (gamma) (- n 1))1155 (+ (B-term (- n 1) v0 dv g1 dc)1156 (B-term (- (- n 1)) v0 dv g1 dc)))))))1157 )11581159 (local1160 (defthm split-phi-2n+1-lemma2-B1161 (implies (basic-params n 3 dc v0 dv g1)1162 (equal (B (+ n 1) v0 dv g1 dc)1163 (+ (* (gamma) (B n v0 dv g1 dc))1164 (* (expt (gamma) (- n 1))1165 (+ (* (expt (gamma) (- (- n 1)))1166 (B-term-rest (- n 1) v0 dv g1 dc))1167 (* (expt (gamma) (- n 1))1168 (B-term-rest (- (- n 1)) v0 dv g1 dc))))))))1169 )11701171 (local1172 (defthm split-phi-2n+1-lemma3-delta-stupidlemma1173 (implies (basic-params n 3 dc v0 dv g1)1174 (equal (+ (- (* (expt (gamma) (* 2 n))1175 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1176 (* (expt (gamma) (* 2 n))1177 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1178 (- (* (expt (gamma) (- (* 2 n) 1))1179 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))248C.2. ACL2 Proof for Fine Convergence1180 (* (expt (gamma) (- (* 2 n) 1))1181 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))1182 (* (expt (gamma) (- n 1))1183 (+ (* (expt (gamma) (- (- n 1)))1184 (B-term-rest (- n 1) v0 dv g1 dc))1185 (* (expt (gamma) (- n 1))1186 (B-term-rest (- (- n 1)) v0 dv g1 dc)))))1187 (+ (- (* (expt (gamma) (* 2 n))1188 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1189 (* (expt (gamma) (* 2 n))1190 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1191 (- (* (expt (gamma) (- (* 2 n) 1))1192 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1193 (* (expt (gamma) (- (* 2 n) 1))1194 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))1195 (* (expt (gamma) (1- n))1196 (+ (* (expt (gamma) (1+ (- n)))1197 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))1198 (1+ (* *beta* (+ (* g1 (+ (1- n) dc)) (equ-cv0))))) 1))1199 (* (expt (gamma) (1- n))1200 (- (/ (* (mu) (1+ (* *alpha* (+ v0 dv))))1201 (1+ (* *beta* (+ (* g1 (+ (- 1 n) dc)) (equ-cv0))))) 1))))))))1202 )12031204 (local1205 (defthm split-phi-2n+1-lemma3-delta1206 (implies (basic-params n 3 dc v0 dv g1)1207 (equal (+ (- (* (expt (gamma) (* 2 n))1208 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1209 (* (expt (gamma) (* 2 n))1210 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1211 (- (* (expt (gamma) (- (* 2 n) 1))1212 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1213 (* (expt (gamma) (- (* 2 n) 1))1214 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))249C.2. ACL2 Proof for Fine Convergence1215 (* (expt (gamma) (- n 1))1216 (+ (* (expt (gamma) (- (- n 1)))1217 (B-term-rest (- n 1) v0 dv g1 dc))1218 (* (expt (gamma) (- n 1))1219 (B-term-rest (- (- n 1)) v0 dv g1 dc)))))1220 (delta n v0 dv g1 dc)))1221 :hints (("Goal"1222 :use ((:instance split-phi-2n+1-lemma3-delta-stupidlemma)1223 (:instance delta)))))1224 )12251226 (local1227 (defthm split-phi-2n+1-lemma41228 (implies (basic-params n 3 dc v0 dv g1 phi0)1229 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1 dc)1230 (+ (A (+ n 1) phi0 v0 dv g1 dc)1231 (B (+ n 1) v0 dv g1 dc)))))1232 )12331234 (local1235 (defthm split-phi-2n+1-lemma51236 (implies (basic-params n 3 dc v0 dv g1 phi0)1237 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1 dc)1238 (+ (+ (* (A n phi0 v0 dv g1 dc) (gamma) (gamma))1239 (- (* (expt (gamma) (* 2 n))1240 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1241 (* (expt (gamma) (* 2 n))1242 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1243 (- (* (expt (gamma) (- (* 2 n) 1))1244 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1245 (* (expt (gamma) (- (* 2 n) 1))1246 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1))))1247 (+ (* (gamma) (B n v0 dv g1 dc))1248 (* (expt (gamma) (- n 1))1249 (+ (* (expt (gamma) (- (- n 1)))1250 (B-term-rest (- n 1) v0 dv g1 dc))1251 (* (expt (gamma) (- n 1))250C.2. ACL2 Proof for Fine Convergence1252 (B-term-rest (- (- n 1)) v0 dv g1 dc))))))))1253 :hints (("Goal"1254 :use ((:instance split-phi-2n+1-lemma1-A)1255 (:instance split-phi-2n+1-lemma2-B)))))1256 )12571258 (local1259 (defthm split-phi-2n+1-lemma61260 (implies (basic-params n 3 dc v0 dv g1 phi0)1261 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1 dc)1262 (+ (* (A n phi0 v0 dv g1 dc) (gamma) (gamma))1263 (* (gamma) (B n v0 dv g1 dc))1264 (+ (- (* (expt (gamma) (* 2 n))1265 (- (fdco (1- (m n v0 g1)) v0 dv g1 dc) 1))1266 (* (expt (gamma) (* 2 n))1267 (- (fdco (m n v0 g1) v0 dv g1 dc) 1)))1268 (- (* (expt (gamma) (- (* 2 n) 1))1269 (- (fdco (m n v0 g1) v0 dv g1 dc) 1))1270 (* (expt (gamma) (- (* 2 n) 1))1271 (- (fdco (1+ (m n v0 g1)) v0 dv g1 dc) 1)))1272 (* (expt (gamma) (- n 1))1273 (+ (* (expt (gamma) (- (- n 1)))1274 (B-term-rest (- n 1) v0 dv g1 dc))1275 (* (expt (gamma) (- n 1))1276 (B-term-rest (- (- n 1)) v0 dv g1 dc)))))))))1277 )12781279 (defthm split-phi-2n+11280 (implies (basic-params n 3 dc v0 dv g1 phi0)1281 (equal (phi-2n-1 (1+ n) phi0 v0 dv g1 dc)1282 (+ (* (gamma) (gamma) (A n phi0 v0 dv g1 dc))1283 (* (gamma) (B n v0 dv g1 dc)) (delta n v0 dv g1dc))))1284 :hints (("Goal"1285 :use ((:instance split-phi-2n+1-lemma6)1286 (:instance split-phi-2n+1-lemma3-delta)))))1287251C.2. ACL2 Proof for Fine Convergence1288 )12891290 ;; prove gamma^2*A + gamma*B < 01291 (encapsulate ()12921293 (local1294 (defthm except-for-delta-<-0-lemma11295 (implies (and (and (rationalp c)1296 (rationalp a)1297 (rationalp b))1298 (and (> c 0)1299 (< c 1)1300 (< (+ A B) 0)1301 (< B 0)))1302 (< (+ (* c c A) (* c B)) 0))1303 :hints (("Goal"1304 :clause-processor1305 (Smtlink clause1306 ’( (:expand ((:function ())1307 (:expansion-level 1)))1308 (:python-file"except-for-delta-smaller-than-0-lemma1")1309 (:let ())1310 (:hypothesize ()))1311 state)))1312 :rule-classes :linear)1313 )13141315 (defthm except-for-delta-<-01316 (implies (basic-params n 3 dc v0 dv g1 phi0 (< (phi-2n-1 nphi0 v0 dv g1 dc) 0))1317 (< (+ (* (gamma) (gamma) (A n phi0 v0 dv g1 dc))1318 (* (gamma) (B n v0 dv g1 dc)))1319 0))1320 :hints (("Goal"1321 :do-not-induct t1322 :use ((:instance except-for-delta-<-0-lemma1252C.2. ACL2 Proof for Fine Convergence1323 (c (gamma))1324 (A (A n phi0 v0 dv g1 dc))1325 (B (B n v0 dv g1 dc)))1326 (:instance B-neg)))))1327 )13281329 ;; for induction step1330 (encapsulate ()13311332 (defthm phi-2n+1-<-0-inductive1333 (implies (basic-params n 3 dc v0 dv g1 phi0 (< (phi-2n-1 nphi0 v0 dv g1 dc) 0))1334 (< (phi-2n-1 (1+ n) phi0 v0 dv g1 dc) 0))1335 :hints (("Goal"1336 :use ((:instance split-phi-2n+1)1337 (:instance delta-<-0)1338 (:instance except-for-delta-<-0)))))13391340 (defthm phi-2n+1-<-0-inductive-corollary1341 (implies (basic-params (- i 1) 3 dc v0 dv g1 phi01342 (< (phi-2n-1 (- i 1) phi0 v0 dv g1 dc) 0))1343 (< (phi-2n-1 i phi0 v0 dv g1 dc) 0))1344 :hints (("Goal"1345 :use ((:instance phi-2n+1-<-0-inductive1346 (n (- i 1)))))))13471348 (defthm phi-2n+1-<-0-inductive-corollary-21349 (implies (basic-params (- i 1) 3 dc v0 dv g1 phi01350 (< (phi-2n-1 (- i 1) phi0 v0 dv g1 dc) 0))1351 (< (+ (A i phi0 v0 dv g1 dc)1352 (* (B-expt i)1353 (B-sum 1 (- i 2) v0 dv g1 dc))) 0))1354 :hints (("Goal"1355 :use ((:instance phi-2n+1-<-0-inductive-corollary)))))13561357 (defthm phi-2n+1-<-0-base1358 (implies (basic-params-equal n 2 dc v0 dv g1 phi0)253C.2. ACL2 Proof for Fine Convergence1359 (< (phi-2n-1 (1+ n) phi0 v0 dv g1 dc) 0))1360 :hints (("Goal’’"1361 :clause-processor1362 (Smtlink clause1363 ’( (:expand ((:function ())1364 (:expansion-level 1)))1365 (:python-file "phi-2n+1-smaller-than-0-base")1366 (:let ())1367 (:hypothesize ()))1368 state)))1369 )13701371 (defthm phi-2n+1-<-0-base-new1372 (implies (basic-params-equal (- i 2) 1 dc v0 dv g1 phi0)1373 (< (phi-2n-1 (- i 1) phi0 v0 dv g1 dc) 0))1374 :hints (("Goal’’"1375 :clause-processor1376 (Smtlink clause1377 ’( (:expand ((:function ())1378 (:expansion-level 1)))1379 (:python-file "phi-2n+1-smaller-than-0-base-new")1380 (:let ())1381 (:hypothesize ()))1382 state)))1383 )13841385 (defthm phi-2n+1-<-0-base-corollary1386 (implies (basic-params-equal (1- i) 2 dc v0 dv g1 phi0)1387 (< (phi-2n-1 i phi0 v0 dv g1 dc) 0))1388 :hints (("Goal"1389 :use ((:instance phi-2n+1-<-0-base1390 (n (- i 1))))))1391 )13921393 (defthm phi-2n+1-<-0-base-corollary-21394 (implies (basic-params-equal (1- i) 2 dc v0 dv g1 phi0)1395 (< (+ (A i phi0 v0 dv g1 dc)254C.2. ACL2 Proof for Fine Convergence1396 (* (B-expt i)1397 (B-sum 1 (- i 2) v0 dv g1 dc))) 0))1398 :hints (("Goal"1399 :use ((:instance phi-2n+1-<-0-base-corollary))))1400 )14011402 (defthm stupid-proof1403 (implies (and (equal a f)1404 (equal a i)1405 (implies (and m l) l)1406 (implies l (and c h))1407 (implies (and c h) (and c j))1408 (implies (and a b c d) e)1409 (implies (and f b c d) g)1410 (implies (and f b h d e) g)1411 i1412 m1413 (implies (and a b j d) e)1414 f1415 b1416 l1417 d)1418 g)1419 :rule-classes nil)14201421 (defthm phi-2n+1-<-0-lemma-lemma11422 (implies1423 (and1424 (implies1425 (and (and (integerp (+ -2 i))1426 (rationalp g1)1427 (rationalp v0)1428 (rationalp phi0)1429 (rationalp dv)1430 (rationalp dc))1431 (equal (+ -2 i) 1)1432 (equal g1 1/3200)255C.2. ACL2 Proof for Fine Convergence1433 (>= dc 0)1434 (< dc 1)1435 (<= 9/10 v0)1436 (<= v0 11/10)1437 (<= -1/8000 dv)1438 (<= dv 1/8000)1439 (<= 0 phi0)1440 (< phi01441 (+ -11442 (* (fix (+ 1 (fix (+ v0 dv))))1443 (/ (+ 11444 (fix (* (+ 11445 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1446 (/ g1))1447 -640 dc)1448 g1))))))))1449 (< (phi-2n-1 (+ -1 i) phi0 v0 dv g1 dc) 0))1450 (implies1451 (and (and (integerp (+ -1 i))1452 (rationalp g1)1453 (rationalp v0)1454 (rationalp phi0)1455 (rationalp dv)1456 (rationalp dc))1457 (equal (+ -1 i) 2)1458 (equal g1 1/3200)1459 (>= dc 0)1460 (< dc 1)1461 (<= 9/10 v0)1462 (<= v0 11/10)1463 (<= -1/8000 dv)1464 (<= dv 1/8000)1465 (<= 0 phi0)1466 (< phi01467 (+ -11468 (* (fix (+ 1 (fix (+ v0 dv))))256C.2. ACL2 Proof for Fine Convergence1469 (/ (+ 11470 (fix (* (+ 11471 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1472 (/ g1))1473 -640 dc)1474 g1))))))))1475 (< (+ (a i phi0 v0 dv g1 dc)1476 (* (/ (expt 5 (+ -2 i)))1477 (b-sum 1 (+ -2 i) v0 dv g1 dc)))1478 0))1479 (implies1480 (and (and (integerp (+ -1 i))1481 (rationalp g1)1482 (rationalp v0)1483 (rationalp dv)1484 (rationalp phi0)1485 (rationalp dc))1486 (<= 3 (+ -1 i))1487 (<= (+ -1 i) 640)1488 (>= dc 0)1489 (< dc 1)1490 (equal g1 1/3200)1491 (<= 9/10 v0)1492 (<= v0 11/10)1493 (<= -1/8000 dv)1494 (<= dv 1/8000)1495 (<= 0 phi0)1496 (< phi01497 (+ -11498 (* (fix (+ 1 (fix (+ v0 dv))))1499 (/ (+ 11500 (fix (* (+ 11501 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1502 (/ g1))1503 -640 dc)257C.2. ACL2 Proof for Fine Convergence1504 g1)))))))1505 (< (phi-2n-1 (+ -1 i) phi0 v0 dv g1 dc) 0))1506 (< (+ (a i phi0 v0 dv g1 dc)1507 (* (/ (expt 5 (+ -2 i)))1508 (b-sum 1 (+ -2 i) v0 dv g1 dc)))1509 0))1510 (not (or (not (integerp i)) (< i 1)))1511 (implies1512 (and (and (integerp (+ -1 -1 i))1513 (rationalp g1)1514 (rationalp v0)1515 (rationalp dv)1516 (rationalp phi0)1517 (rationalp dc))1518 (<= 2 (+ -1 -1 i))1519 (<= (+ -1 -1 i) 640)1520 (>= dc 0)1521 (< dc 1)1522 (equal g1 1/3200)1523 (<= 9/10 v0)1524 (<= v0 11/10)1525 (<= -1/8000 dv)1526 (<= dv 1/8000)1527 (<= 0 phi0)1528 (< phi01529 (+ -11530 (* (fix (+ 1 (fix (+ v0 dv))))1531 (/ (+ 11532 (fix (* (+ 11533 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1534 (/ g1))1535 -640 dc)1536 g1))))))))1537 (< (+ (a (+ -1 i) phi0 v0 dv g1 dc)1538 (* (/ (expt 5 (+ -2 -1 i)))1539 (b-sum 1 (+ -2 -1 i) v0 dv g1 dc)))258C.2. ACL2 Proof for Fine Convergence1540 0))1541 (integerp (+ -1 i))1542 (rationalp g1)1543 (rationalp v0)1544 (rationalp dv)1545 (rationalp phi0)1546 (rationalp dc)1547 (<= 2 (+ -1 i))1548 (<= (+ -1 i) 640)1549 (>= dc 0)1550 (< dc 1)1551 (equal g1 1/3200)1552 (<= 9/10 v0)1553 (<= v0 11/10)1554 (<= -1/8000 dv)1555 (<= dv 1/8000)1556 (<= 0 phi0)1557 (< phi01558 (+ -11559 (* (fix (+ 1 (fix (+ v0 dv))))1560 (/ (+ 11561 (fix (* (+ 11562 (* (+ (fix (* (+ 1 (fix v0))1)) -1)1563 (/ g1))1564 -640 dc)1565 g1))))))))1566 (< (+ (a i phi0 v0 dv g1 dc)1567 (* (/ (expt 5 (+ -2 i)))1568 (b-sum 1 (+ -2 i) v0 dv g1 dc)))1569 0))1570 :hints (("Goal"1571 :use ((:instance stupid-proof1572 (a (integerp (+ -1 -1 i)))1573 (b (and (rationalp g1)1574 (rationalp v0)1575 (rationalp dv)259C.2. ACL2 Proof for Fine Convergence1576 (rationalp phi0)1577 (rationalp dc)))1578 (c (equal (+ -2 i) 1))1579 (d (and (>= dc 0)1580 (< dc 1)1581 (equal g1 1/3200)1582 (<= 9/10 v0)1583 (<= v0 11/10)1584 (<= -1/8000 dv)1585 (<= dv 1/8000)1586 (<= 0 phi0)1587 (< phi01588 (+ -11589 (* (fix (+ 1 (fix (+ v0 dv))))1590 (/ (+ 11591 (fix (* (+ 11592 (* (+ (fix (* (+ 1 (fix v0)) 1)) -1)1593 (/ g1))1594 -640 dc)1595 g1)))))))))1596 (e (< (+ (a (+ -1 i) phi0 v0 dv g1 dc)1597 (* (/ (expt 5 (+ -2 -1 i)))1598 (b-sum 1 (+ -2 -1 i) v0 dv g1 dc)))1599 0))1600 (f (integerp (+ -1 i)))1601 (g (< (+ (a i phi0 v0 dv g1 dc)1602 (* (/ (expt 5 (+ -2 i)))1603 (b-sum 1 (+ -2 i) v0 dv g1 dc)))1604 0))1605 (h (and (<= 3 (+ -1 i))1606 (<= (+ -1 i) 640)))1607 (i (integerp i))1608 (j (and (<= 2 (+ -1 -1 i))1609 (<= (+ -1 -1 i) 640)))1610 (l (and (<= 2 (+ -1 i))1611 (<= (+ -1 i) 640)1612 ))260C.2. ACL2 Proof for Fine Convergence1613 (m (>= i 1)))))))16141615 (defthm phi-2n+1-<-0-lemma-lemma21616 (implies (and (or (not (integerp i)) (< i 1))1617 (integerp (+ -1 i))1618 (rationalp g1)1619 (rationalp v0)1620 (rationalp dv)1621 (rationalp phi0)1622 (rationalp dc)1623 (<= 2 (+ -1 i))1624 (<= (+ -1 i) 640)1625 (>= dc 0)1626 (< dc 1)1627 (equal g1 1/3200)1628 (<= 9/10 v0)1629 (<= v0 11/10)1630 (<= -1/8000 dv)1631 (<= dv 1/8000)1632 (<= 0 phi0)1633 (< phi01634 (+ -11635 (* (fix (+ 1 (fix (+ v0 dv))))1636 (/ (+ 11637 (fix (* (+ 11638 (* (+ (fix (* (+ 1(fix v0)) 1)) -1)1639 (/ g1))1640 -640 dc)1641 g1))))))))1642 (< (+ (a i phi0 v0 dv g1 dc)1643 (* (/ (expt 5 (+ -2 i)))1644 (b-sum 1 (+ -2 i) v0 dv g1 dc)))1645 0))1646 :rule-classes nil)16471648 (defthm phi-2n+1-<-0-lemma261C.2. ACL2 Proof for Fine Convergence1649 (implies (basic-params (1- i) 2 dc v0 dv g1 phi0)1650 (< (+ (A i phi0 v0 dv g1 dc)1651 (* (B-expt i)1652 (B-sum 1 (- i 2) v0 dv g1 dc))) 0))1653 :hints (("Goal"1654 :do-not ’(simplify)1655 :induct (B-sum 1 i v0 dv g1 dc))1656 ("Subgoal *1/2"1657 :use ((:instance phi-2n+1-<-0-base-new)1658 (:instance phi-2n+1-<-0-base-corollary-2)1659 (:instance phi-2n+1-<-0-inductive-corollary-2)1660 ))1661 ("Subgoal *1/2’’"1662 :use ((:instance phi-2n+1-<-0-lemma-lemma1)))1663 ("Subgoal *1/1’"1664 :use ((:instance phi-2n+1-<-0-lemma-lemma2)))1665 )1666 )16671668 (defthm phi-2n+1-<-01669 (implies (basic-params (1- i) 2 dc v0 dv g1 phi0)1670 (< (phi-2n-1 i phi0 v0 dv g1 dc) 0))1671 :hints (("Goal"1672 :use ((:instance phi-2n+1-<-0-lemma))1673 ))1674 )16751676 (defthm phi-2n-1-<-01677 (implies (basic-params n 3 dc v0 dv g1 phi0)1678 (< (phi-2n-1 n phi0 v0 dv g1 dc) 0))1679 :hints (("Goal"1680 :use ((:instance phi-2n+1-<-01681 (i n))))))1682 )262


Citation Scheme:


Citations by CSL (citeproc-js)

Usage Statistics



Customize your widget with the following options, then copy and paste the code below into the HTML of your page to embed this item in your website.
                            <div id="ubcOpenCollectionsWidgetDisplay">
                            <script id="ubcOpenCollectionsWidget"
                            async >
IIIF logo Our image viewer uses the IIIF 2.0 standard. To load this item in other compatible viewers, use this url:


Related Items