# Introduction to ACL2

## A Better Way to Define Functions

You should already know how to define functions using `defun`. That's a great way to define functions, and people have been using `defun` since the 50s (really). But one problem with `defun` is that it introduces variables, but it doesn't make it very clear what values those variables can have. It doesn't even make it clear what the function should return! Is the value of this function an integer, a rational, what? In Java or C++, variables and functions have *types*, but there is no way to talk about types with `defun`. I have seen many students struggle writing programs im ACL2 simply because they get confused about the types of the expressions in their programs.

That is why you should user `definec` instead of `defun` to define functions. The syntax of `definec` is like this

    (definec name (arg1 :type1 arg2 :type2 ... argn :typen) :ftype
      ...expression...)

And this has the same meaning as `defun`, namely

    (name arg1 arg2 ... argn) = ...expression...

but it also states that `arg1` is of type `type1`, ... `argn` is of type `argn`, and the function returns a value of type `ftype`.

To illustrate how this works, here are some types that ACL2 understands:

| Type       | Description                                |
|:-----------|:-------------------------------------------|
| `int`      | an integer                                 |
| `pos`      | a positive integer                         |
| `neg`      | a negative integer                         |
| `nat`      | a natural number, or non-negative integer  |
| `rational` | a rational number                          |
| `boolean`  | a boolean value (`T` or `NIL`)             |

> You were probably expecting a type of `float`, but there isn't such a type in ACL2. Don't worry, though! All floating-point numbers are actually rational numbers, and `rational` is a valid ACL2 type.

Let's put this to work. Here is a definition of the function `double` which doubles an integer. Go ahead and submit this definition to ACL2.

In [2]:
(definec double (x :int) :int
  (* 2 x))

ACL2S !>>(DEFINEC DOUBLE (X INT) INT (* 2 X))

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

Form:  ( TEST-DEFINITION DOUBLE ... )
Form:  ( TEST-BODY-CONTRACTS DOUBLE... ) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Form:  ( TEST-FUNCTION-CONTRACT DOUBLE ...) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Testing: Done 
Elapsed Run Time: 0.13 seconds
Form:  ( ADMIT-DEFINITION DOUBLE ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT DOUBLE ... )

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Time:  0.08 seconds (prove: 0.03, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS DOUBLE ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.13 seconds
Function Name : DOUBLE 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T



When you define this function in ACL2, you should see output similar to this:

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

    Form:  ( TEST-DEFINITION DOUBLE ... )
    Form:  ( TEST-BODY-CONTRACTS DOUBLE... ) 

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
    Form:  ( TEST-FUNCTION-CONTRACT DOUBLE ...) 

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
    Testing: Done 
    Elapsed Run Time: 0.13 seconds
    Form:  ( ADMIT-DEFINITION DOUBLE ... )
    Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
    Form:  ( PROVE-FUNCTION-CONTRACT DOUBLE ... )

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
    Time:  0.08 seconds (prove: 0.03, print: 0.00, other: 0.05)
    Form:  ( PROVE-BODY-CONTRACTS DOUBLE ... )
    Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
    Elapsed Run Time: 0.13 seconds
    Function Name : DOUBLE 
    Termination proven -------- [*] 
    Function Contract proven -- [*] 
    Body Contracts proven ----- [*]
     T

This seems like a lot, so let's walk through it. First of all, ignore all the lines that start with `TTAG NOTE`. The remaining output is split into different sections:

* `TEST-BODY-CONTRACTS` tests (using random values) that any function calls in the body of the definition meet the type specification (called "contracts") of the functions they call. In this case, ACL2 tested that if `x` is an integer, then `(* 2 x)` has numeric arguments, which is true since `2` is a number and so is (the integer) `x`
* `TEST-FUNCTION-CONTRACT` tests (using random values) that the function will return the correct type. In this case, ACL2 tested that if `x` is an integer, so is `double(x)`
* `ADMIT-DEFINITION` actually defines the function in ACL2, including a proof that the function terminates for any value of `x`. Remember that ACL2 only accepts functions that it can prove will never fall into an infinite loop
* `PROVE-FUNCTION-CONTRACT` proves (not just tests, but actually proves) that the function will return the correct type
* `PROVE-BODY-CONTRACTS` proves (not just tests, but actually proves) that any function calls in the body of the definition meet the type specification of the functions they call

The last section shows that the three proofs mentioned above succeeded: the function terminates, the function meets its contract (type specification), and the function definition meets the contract of any functions it calls.

Now let's try a different function. This time, let's define `halve` which returns half of its input:

In [4]:
(definec halve (x :int) :int
  (/ x 2))

ACL2S !>>(DEFINEC HALVE (X INT) INT (/ X 2))

Form:  ( TEST-DEFINITION HALVE ... )
Form:  ( TEST-BODY-CONTRACTS HALVE... ) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Form:  ( TEST-FUNCTION-CONTRACT HALVE ...) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

**Summary of Cgen/testing**
We tested 5 examples across 1 subgoals, of which 5 (5 unique) satisfied
the hypotheses, and found 3 counterexamples and 2 witnesses.

We falsified the conjecture. Here are counterexamples:
 [found in : "top"]
 -- ((X -5))
 -- ((X 1))
 -- ((X -1))

Cases in which the conjecture is true include:
 [found in : "top"]
 -- ((X 194))
 -- ((X 16))

Test? found a counterexample.


When you submit that definition to ACL2, you should see output like the following:

    Form:  ( TEST-DEFINITION HALVE ... )
    Form:  ( TEST-BODY-CONTRACTS HALVE... ) 

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
    Form:  ( TEST-FUNCTION-CONTRACT HALVE ...) 

    TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

    **Summary of Cgen/testing**
    We tested 5 examples across 1 subgoals, of which 5 (5 unique) satisfied
    the hypotheses, and found 3 counterexamples and 2 witnesses.

    We falsified the conjecture. Here are counterexamples:
     [found in : "top"]
     -- ((X -5))
     -- ((X 1))
     -- ((X -1))

    Cases in which the conjecture is true include:
     [found in : "top"]
     -- ((X 194))
     -- ((X 16))

    Test? found a counterexample.

What this shows is that ACL2 executed the section `TEST-BODY-CONTRACTS` and that went fine, but that when it tried to execute the section `TEST-FUNCTION-CONTRACT`, something went wrong. Specifically, the contract worked just fine when `X` was equal to `194` and `16`, but the contract did not work when `X` was `-5`, `1`, or `-1`. Remember that the "function contract" is that the function should return the given type when its inputs have the right type. What ACL2 is saying is that the function is returning a value of the wrong type for the inputs `-5`, `1`, or `-1`. Using that fact, fix the definition and enter it below:

In [6]:
(definec halve (x :int) :rational
  (/ x 2))

ACL2S !>>(DEFINEC HALVE (X INT) BOOLEAN (/ X 2))

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

Form:  ( TEST-DEFINITION HALVE ... )
Form:  ( TEST-BODY-CONTRACTS HALVE... ) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Form:  ( TEST-FUNCTION-CONTRACT HALVE ...) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

**Summary of Cgen/testing**
We tested 3 examples across 1 subgoals, of which 3 (3 unique) satisfied
the hypotheses, and found 3 counterexamples and 0 witnesses.

We falsified the conjecture. Here are counterexamples:
 [found in : "top"]
 -- ((X -25))
 -- ((X -434))
 -- ((X 204))

Test? found a counterexample.


Much better, huh? Isn't it nice that ACL2 doesn't just tell you that the function fails to satisfy the contract, but that it also gives you some examples that illustrate when the contract isn't satisfied? This should help you find bugs in your program sooner.

## Symbols

We've seen numeric and Boolean types. ACL2 supports other data types, so let's take a brief look at **symbols** in ACL2. These look the same as variable names in ACL2. In fact, variable names **are** symbols, but a symbol doesn't hold a value. Instead, a symbol is its own value. You may want to think of symbols as being similar to strings in other languages. So how can you tell the difference between the symbol `X` (which should just be equal to "X") and the variable `X` (which could hold a number, say 3)?  The answer is, like in other languages, symbols must be quoted.

To quote a symbol in ACL2, place a single quotation mark before the symbol. So `'X` is the symbol which is a literal `X`. But if you write `X` in a program, that is the variable `X` with some value, e.g., `3`. Don't let this confuse you. It is the same as the difference between `n + 1` and `"n" + 1` in other programming languages.

Here is a function that returns the symbols `positive`, `negative`, or `zero` depending on the value of its argument:

In [8]:
(definec sign (x :rational) :symbol
  (if (< x 0)
    'negative
    (if (= x 0)
      'zero
      'positive)))

ACL2S !>>(DEFINEC SIGN (X RATIONAL)
                  SYMBOL
                  (IF (< X 0)
                      'NEGATIVE
                      (IF (= X 0) 'ZERO 'POSITIVE)))

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

Form:  ( TEST-DEFINITION SIGN ... )
Form:  ( TEST-BODY-CONTRACTS SIGN... ) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Form:  ( TEST-FUNCTION-CONTRACT SIGN ...) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Testing: Done 
Elapsed Run Time: 0.17 seconds
Form:  ( ADMIT-DEFINITION SIGN ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Form:  ( PROVE-FUNCTION-CONTRACT SIGN ... )

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.
Time:  0.07 seconds (prove: 0.02, print: 0.00, other: 0.05)
Form:  ( PROVE-BODY-CONTRACTS SIGN ... )
Time:  0.00 seconds (prove: 0.00, print: 

## Exercise

Define a function in ACL2 called `shape` that accepts three arguments which should be the lengths of the sides of a triangle and returns one of the atoms `equilateral`, `isosceles`, or `scalene`. Recall that a triangle is
* equilateral if all sides are equal
* isosceles if two (but not three) sides are equal
* scalene if no sides are equal

For example, `(shape 1 1 1) = 'equilateral` and `(shape 1 2 1) = 'isosceles`.

In [12]:
(definec shape (a :rational b :rational c :rational) :symbol
  (if (and (= a b) (= b c))
      'equilateral
      (if (or (= a b) (= b c) (= a c))
          'isosceles
          'scalene)))

(shape 1 1 1)
(shape 1 2 1)
(shape 1 2 3)

ACL2S !>>:UBT SHAPE
   d      27:x(DEFINEC SIGN (X RATIONAL) ...)
ACL2S !>>(DEFINEC SHAPE (A RATIONAL B RATIONAL C RATIONAL)
                  SYMBOL
                  (IF (AND (= A B) (= B C))
                      'EQUILATERAL
                      (IF (OR (= A B) (= B C) (= A C))
                          'ISOSCELES
                          'SCALENE)))

Form:  ( TEST-DEFINITION SHAPE ... )
Form:  ( TEST-BODY-CONTRACTS SHAPE... ) 

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING-DRIVER-LOOP from the top level loop.

TTAG NOTE: Adding ttag :CGEN-TESTING