In [1]:
(in-package "ACL2")

 "ACL2"


In [2]:
; map-inc: Increment every element in a list
(defun map-inc (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      nil
      (cons (+ 1 (car l))
            (map-inc (cdr l)))))


The admission of MAP-INC is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT L).  We observe that the type of MAP-INC is described by
the theorem (TRUE-LISTP (MAP-INC L)).  We used primitive type reasoning.

Computing the guard conjecture for MAP-INC....

The non-trivial part of the guard conjecture for MAP-INC, given the
:forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP, 
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, INTEGER-LISTP, NAT-LISTP and RATIONAL-LISTP,
is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (ACL2-NUMBERP (CAR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for MAP-INC.  MAP-INC
is compliant with Common Lisp.


In [3]:
; map-square: Square every element in a list
(defun map-square (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      nil
      (cons (* (car l) (car l))
            (map-square (cdr l)))))


The admission of MAP-SQUARE is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of MAP-SQUARE is
described by the theorem (TRUE-LISTP (MAP-SQUARE L)).  We used primitive
type reasoning.

Computing the guard conjecture for MAP-SQUARE....

The non-trivial part of the guard conjecture for MAP-SQUARE, given
the :forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP,
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, INTEGER-LISTP, NAT-LISTP and RATIONAL-LISTP,
is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (ACL2-NUMBERP (CAR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for MAP-SQUARE.  MAP-SQUARE
is complian

In [4]:
; filter-even: Keep only even numbers
(defun filter-even (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      nil
      (if (evenp (car l))
          (cons (car l) (filter-even (cdr l)))
          (filter-even (cdr l)))))


The admission of FILTER-EVEN is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of FILTER-EVEN is
described by the theorem (TRUE-LISTP (FILTER-EVEN L)).  We used primitive
type reasoning.

Computing the guard conjecture for FILTER-EVEN....

The non-trivial part of the guard conjecture for FILTER-EVEN, given
the :forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP,
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, INTEGER-LISTP, NAT-LISTP and RATIONAL-LISTP,
is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (INTEGERP (CAR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for FILTER-EVEN.  FILTER-EVEN
is compl

In [5]:
; filter-odd: Keep only odd numbers
(defun filter-odd (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      nil
      (if (oddp (car l))
          (cons (car l) (filter-odd (cdr l)))
          (filter-odd (cdr l)))))


The admission of FILTER-ODD is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of FILTER-ODD is
described by the theorem (TRUE-LISTP (FILTER-ODD L)).  We used primitive
type reasoning.

Computing the guard conjecture for FILTER-ODD....

The non-trivial part of the guard conjecture for FILTER-ODD, given
the :forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP,
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, INTEGER-LISTP, NAT-LISTP and RATIONAL-LISTP,
is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (INTEGERP (CAR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for FILTER-ODD.  FILTER-ODD
is compliant wi

In [6]:
; fold-sum: Sum all elements in a list (fold with + and 0)
(defun fold-sum (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      0
      (+ (car l) (fold-sum (cdr l)))))


The admission of FOLD-SUM is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of FOLD-SUM is described
by the theorem (ACL2-NUMBERP (FOLD-SUM L)).  We used primitive type
reasoning.

Computing the guard conjecture for FOLD-SUM....

The non-trivial part of the guard conjecture for FOLD-SUM, given the
:forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP, 
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, FOLD-SUM, INTEGER-LISTP, NAT-LISTP and 
RATIONAL-LISTP, is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (ACL2-NUMBERP (CAR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for FOLD-SUM.  FOLD-SUM
is complian

In [7]:
; fold-product: Multiply all elements in a list (fold with * and 1)
(defun fold-product (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      1
      (* (car l) (fold-product (cdr l)))))


The admission of FOLD-PRODUCT is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of FOLD-PRODUCT is
described by the theorem (ACL2-NUMBERP (FOLD-PRODUCT L)).  We used
primitive type reasoning.

Computing the guard conjecture for FOLD-PRODUCT....

The non-trivial part of the guard conjecture for FOLD-PRODUCT, given
the :forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP,
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, FOLD-PRODUCT, INTEGER-LISTP, NAT-LISTP and
RATIONAL-LISTP, is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (ACL2-NUMBERP (CAR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the proof of the guard theorem for FOLD-PROD

In [8]:
; fold-length: Count elements using fold pattern
(defun fold-length (l)
  (declare (xargs :guard (true-listp l)))
  (if (endp l)
      0
      (+ 1 (fold-length (cdr l)))))


The admission of FOLD-LENGTH is trivial, using the relation O< (which
is known to be well-founded on the domain recognized by O-P) and the
measure (ACL2-COUNT L).  We observe that the type of FOLD-LENGTH is
described by the theorem 
(AND (INTEGERP (FOLD-LENGTH L)) (<= 0 (FOLD-LENGTH L))).  We used primitive
type reasoning.

Computing the guard conjecture for FOLD-LENGTH....

The guard conjecture for FOLD-LENGTH is trivial to prove, given primitive
type reasoning and the :type-prescription rule FOLD-LENGTH.  FOLD-LENGTH
is compliant with Common Lisp.

Summary
Form:  ( DEFUN FOLD-LENGTH ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:TYPE-PRESCRIPTION FOLD-LENGTH))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 FOLD-LENGTH


In [9]:
; Theorem: map preserves length
(defthm map-inc-preserves-length
  (equal (len (map-inc l))
         (len l)))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Two induction schemes are suggested
by this conjecture.  These merge into one derived induction scheme.

We will induct according to a scheme suggested by (LEN L), while ac-
commodating (MAP-INC L).

These suggestions were produced using the :induction rules LEN and
MAP-INC.  If we let (:P L) denote *1 above then the induction scheme
we'll use is
(AND (IMPLIES (NOT (CONSP L)) (:P L))
     (IMPLIES (AND (CONSP L) (:P (CDR L)))
              (:P L))).
This induction is justified by the same argument used to admit LEN.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/1

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM MAP-INC-PRESERVES-LENGTH ...)
Rules: ((:DEFINITION LEN)
        (:DEFINITION MAP-INC)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:EXECUTABLE-C

In [10]:
; Theorem: map-square preserves length
(defthm map-square-preserves-length
  (equal (len (map-square l))
         (len l)))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Two induction schemes are suggested
by this conjecture.  These merge into one derived induction scheme.

We will induct according to a scheme suggested by (LEN L), while ac-
commodating (MAP-SQUARE L).

These suggestions were produced using the :induction rules LEN and
MAP-SQUARE.  If we let (:P L) denote *1 above then the induction scheme
we'll use is
(AND (IMPLIES (NOT (CONSP L)) (:P L))
     (IMPLIES (AND (CONSP L) (:P (CDR L)))
              (:P L))).
This induction is justified by the same argument used to admit LEN.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/1

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM MAP-SQUARE-PRESERVES-LENGTH ...)
Rules: ((:DEFINITION LEN)
        (:DEFINITION MAP-SQUARE)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:

In [11]:
; Theorem: map distributes over append
(defthm map-inc-append
  (equal (map-inc (append l1 l2))
         (append (map-inc l1) (map-inc l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (APPEND L1 L2), while
accommodating (MAP-INC L1).

These suggestions were produced using the :induction rules BINARY-APPEND
and MAP-INC.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1)) (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit BINARY-APPEND.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM MAP

In [12]:
; Theorem: map-square distributes over append
(defthm map-square-append
  (equal (map-square (append l1 l2))
         (append (map-square l1) (map-square l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (APPEND L1 L2), while
accommodating (MAP-SQUARE L1).

These suggestions were produced using the :induction rules BINARY-APPEND
and MAP-SQUARE.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1)) (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit BINARY-APPEND.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFT

In [13]:
; Helper: map-inc distributes over revappend
(defthm map-inc-revappend
  (equal (map-inc (revappend l1 l2))
         (revappend (map-inc l1) (map-inc l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (REVAPPEND L1 L2),
while accommodating (MAP-INC L1).

These suggestions were produced using the :induction rules MAP-INC
and REVAPPEND.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1))
                   (:P (CDR L1) (CONS (CAR L1) L2)))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit REVAPPEND.
Note, however, that the unmeasured variable L2 is being instantiated.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal

In [14]:
; Theorem: map-inc commutes with reverse (proved using map-inc-revappend)
(defthm map-inc-rev
  (equal (map-inc (reverse l))
         (reverse (map-inc l))))


generated from MAP-INC-REV will be triggered only by terms containing
the function symbol REVERSE, which has a non-recursive definition.
Unless this definition is disabled, this rule is unlikely ever to be
used.


Splitter note (see :DOC splitter) for Goal (2 subgoals).
  if-intro: ((:DEFINITION REVERSE))

Subgoal 2
Subgoal 1

Q.E.D.

Summary
Form:  ( DEFTHM MAP-INC-REV ...)
Rules: ((:DEFINITION MAP-INC)
        (:DEFINITION REVERSE)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:EXECUTABLE-COUNTERPART MAP-INC)
        (:EXECUTABLE-COUNTERPART REVAPPEND)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:REWRITE MAP-INC-REVAPPEND)
        (:TYPE-PRESCRIPTION MAP-INC))
Splitter rules (see :DOC splitter):
  if-intro: ((:DEFINITION REVERSE))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  177
 MAP-INC-REV


In [15]:
; Helper: map-square distributes over revappend
(defthm map-square-revappend
  (equal (map-square (revappend l1 l2))
         (revappend (map-square l1) (map-square l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (REVAPPEND L1 L2),
while accommodating (MAP-SQUARE L1).

These suggestions were produced using the :induction rules MAP-SQUARE
and REVAPPEND.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1))
                   (:P (CDR L1) (CONS (CAR L1) L2)))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit REVAPPEND.
Note, however, that the unmeasured variable L2 is being instantiated.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
S

In [16]:
; Theorem: map-square commutes with reverse (proved using map-square-revappend)
(defthm map-square-rev
  (equal (map-square (reverse l))
         (reverse (map-square l))))


rule generated from MAP-SQUARE-REV will be triggered only by terms
containing the function symbol REVERSE, which has a non-recursive definition.
Unless this definition is disabled, this rule is unlikely ever to be
used.


Splitter note (see :DOC splitter) for Goal (2 subgoals).
  if-intro: ((:DEFINITION REVERSE))

Subgoal 2
Subgoal 1

Q.E.D.

Summary
Form:  ( DEFTHM MAP-SQUARE-REV ...)
Rules: ((:DEFINITION MAP-SQUARE)
        (:DEFINITION REVERSE)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:EXECUTABLE-COUNTERPART MAP-SQUARE)
        (:EXECUTABLE-COUNTERPART REVAPPEND)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:REWRITE MAP-SQUARE-REVAPPEND)
        (:TYPE-PRESCRIPTION MAP-SQUARE))
Splitter rules (see :DOC splitter):
  if-intro: ((:DEFINITION REVERSE))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  183
 MAP-SQUARE-REV


In [17]:
; Theorem: filter preserves or reduces length
(defthm filter-even-length-bound
  (<= (len (filter-even l)) (len l))
  :rule-classes :linear)


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Two induction schemes are suggested
by this conjecture.  These merge into one derived induction scheme.

We will induct according to a scheme suggested by (FILTER-EVEN L),
while accommodating (LEN L).

These suggestions were produced using the :induction rules FILTER-EVEN
and LEN.  If we let (:P L) denote *1 above then the induction scheme
we'll use is
(AND (IMPLIES (AND (NOT (ENDP L))
                   (NOT (EVENP (CAR L)))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (AND (NOT (ENDP L))
                   (EVENP (CAR L))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit FILTER-EVEN.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/3'
Subgoal *1/3''
Subgoal *1/2
Subgoal *1/

In [18]:
; Theorem: filter-odd preserves or reduces length
(defthm filter-odd-length-bound
  (<= (len (filter-odd l)) (len l))
  :rule-classes :linear)


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Two induction schemes are suggested
by this conjecture.  These merge into one derived induction scheme.

We will induct according to a scheme suggested by (FILTER-ODD L), while
accommodating (LEN L).

These suggestions were produced using the :induction rules FILTER-ODD
and LEN.  If we let (:P L) denote *1 above then the induction scheme
we'll use is
(AND (IMPLIES (AND (NOT (ENDP L))
                   (NOT (ODDP (CAR L)))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (AND (NOT (ENDP L))
                   (ODDP (CAR L))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit FILTER-ODD.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/3'
Subgoal *1/3''
Subgoal *1/2
Subgoal *1/2'
Su

In [19]:
; Theorem: filtering twice is idempotent
(defthm filter-even-idempotent
  (implies (nat-listp l)
           (equal (filter-even (filter-even l))
                  (filter-even l))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
These merge into one derived induction scheme.  

We will induct according to a scheme suggested by (FILTER-EVEN L),
while accommodating (NAT-LISTP L) and (FILTER-EVEN L).

These suggestions were produced using the :induction rules FILTER-EVEN
and NAT-LISTP.  If we let (:P L) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L))
                   (NOT (EVENP (CAR L)))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (AND (NOT (ENDP L))
                   (EVENP (CAR L))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit FILTER-EVEN.
When applied to the goal at hand the above induction scheme produces
five nontautological s

In [20]:
; Theorem: filter-odd is idempotent
(defthm filter-odd-idempotent
  (implies (nat-listp l)
           (equal (filter-odd (filter-odd l))
                  (filter-odd l))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
These merge into one derived induction scheme.  

We will induct according to a scheme suggested by (FILTER-ODD L), while
accommodating (NAT-LISTP L) and (FILTER-ODD L).

These suggestions were produced using the :induction rules FILTER-ODD
and NAT-LISTP.  If we let (:P L) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L))
                   (NOT (ODDP (CAR L)))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (AND (NOT (ENDP L))
                   (ODDP (CAR L))
                   (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit FILTER-ODD.
When applied to the goal at hand the above induction scheme produces
five nontautological subgoal

In [21]:
; Theorem: filter and append
(defthm filter-even-append
  (equal (filter-even (append l1 l2))
         (append (filter-even l1) (filter-even l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  These merge into two derived induction
schemes.  However, one of these is flawed and so we are left with one
viable candidate.  

We will induct according to a scheme suggested by (FILTER-EVEN L1),
while accommodating (APPEND L1 L2).

These suggestions were produced using the :induction rules BINARY-APPEND
and FILTER-EVEN.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1))
                   (NOT (EVENP (CAR L1)))
                   (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (AND (NOT (ENDP L1))
                   (EVENP (CAR L1))
                   (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit FILTER-EVEN.
When applied to the goal at hand the

In [22]:
; Theorem: filter-odd distributes over append
(defthm filter-odd-append
  (equal (filter-odd (append l1 l2))
         (append (filter-odd l1) (filter-odd l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  These merge into two derived induction
schemes.  However, one of these is flawed and so we are left with one
viable candidate.  

We will induct according to a scheme suggested by (FILTER-ODD L1),
while accommodating (APPEND L1 L2).

These suggestions were produced using the :induction rules BINARY-APPEND
and FILTER-ODD.  If we let (:P L1 L2) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1))
                   (NOT (ODDP (CAR L1)))
                   (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (AND (NOT (ENDP L1))
                   (ODDP (CAR L1))
                   (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit FILTER-ODD.
When applied to the goal at hand the abov

In [23]:
; Theorem: fold-length is equivalent to built-in len
(defthm fold-length-correct
  (implies (true-listp l)
           (equal (fold-length l)
                  (len l))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
These merge into one derived induction scheme.  

We will induct according to a scheme suggested by (FOLD-LENGTH L),
while accommodating (LEN L) and (TRUE-LISTP L).

These suggestions were produced using the :induction rules FOLD-LENGTH,
LEN and TRUE-LISTP.  If we let (:P L) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L)) (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit FOLD-LENGTH.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/3'
Subgoal *1/2
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM FOLD-LENGTH-CORREC

In [24]:
; Theorem: fold-sum of append is sum of fold-sums
(defthm fold-sum-append
  (implies (and (nat-listp l1)
                (nat-listp l2))
           (equal (fold-sum (append l1 l2))
                  (+ (fold-sum l1) (fold-sum l2)))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Five induction schemes are suggested
by this conjecture.  Subsumption reduces that number to four.  These
merge into two derived induction schemes.  However, one of these is
flawed and so we are left with one viable candidate.  

We will induct according to a scheme suggested by (APPEND L1 L2), while
accommodating (NAT-LISTP L1) and (FOLD-SUM L1).

These suggestions were produced using the :induction rules BINARY-APPEND,
FOLD-SUM and NAT-LISTP.  If we let (:P L1 L2) denote *1 above then
the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1)) (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit BINARY-APPEND.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/3'
Subgoal *1/2
Subgoal *1/2'
Subgoal *

In [25]:
; Theorem: Folding after mapping
(defthm fold-sum-map-inc
  (implies (nat-listp l)
           (equal (fold-sum (map-inc l))
                  (+ (fold-sum l) (len l)))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Four induction schemes are suggested
by this conjecture.  Subsumption reduces that number to three.  These
merge into one derived induction scheme.  

We will induct according to a scheme suggested by (LEN L), while ac-
commodating (FOLD-SUM L), (NAT-LISTP L) and (MAP-INC L).

These suggestions were produced using the :induction rules FOLD-SUM,
LEN, MAP-INC and NAT-LISTP.  If we let (:P L) denote *1 above then
the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP L)) (:P L))
     (IMPLIES (AND (CONSP L) (:P (CDR L)))
              (:P L))).
This induction is justified by the same argument used to admit LEN.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/2
Subgoal *1/1

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( DEFTHM FOLD-SUM-MAP-INC ...)
Rules: ((:DE

In [26]:
; repeat: Build a list of n copies of x (helper for flat-map-repeat)
(defun repeat (n x)
  (declare (xargs :guard (natp n)))
  (if (zp n)
      nil
      (cons x (repeat (- n 1) x))))


The admission of REPEAT is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT N).  We observe that the type of REPEAT is described by
the theorem (TRUE-LISTP (REPEAT N X)).  We used primitive type reasoning.

Computing the guard conjecture for REPEAT....

The guard conjecture for REPEAT is trivial to prove, given the :compound-
recognizer rules NATP-COMPOUND-RECOGNIZER and ZP-COMPOUND-RECOGNIZER
and primitive type reasoning.  REPEAT is compliant with Common Lisp.

Summary
Form:  ( DEFUN REPEAT ...)
Rules: ((:COMPOUND-RECOGNIZER NATP-COMPOUND-RECOGNIZER)
        (:COMPOUND-RECOGNIZER ZP-COMPOUND-RECOGNIZER)
        (:FAKE-RUNE-FOR-TYPE-SET NIL))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 REPEAT


In [27]:
; flat-map-repeat: Map each element n to a list of n copies of n, then append the results
(defun flat-map-repeat (l)
  (declare (xargs :guard (nat-listp l)))
  (if (endp l)
      nil
      (append (repeat (car l) (car l))
              (flat-map-repeat (cdr l)))))


The admission of FLAT-MAP-REPEAT is trivial, using the relation O<
(which is known to be well-founded on the domain recognized by O-P)
and the measure (ACL2-COUNT L).  We observe that the type of FLAT-MAP-REPEAT
is described by the theorem (TRUE-LISTP (FLAT-MAP-REPEAT L)).  We used
the :type-prescription rules BINARY-APPEND and TRUE-LISTP-APPEND.

Computing the guard conjecture for FLAT-MAP-REPEAT....

The non-trivial part of the guard conjecture for FLAT-MAP-REPEAT, given
the :forward-chaining rules ACL2-NUMBER-LISTP-FORWARD-TO-TRUE-LISTP,
INTEGER-LISTP-FORWARD-TO-RATIONAL-LISTP, NAT-LISTP-FORWARD-TO-INTEGER-LISTP
and RATIONAL-LISTP-FORWARD-TO-ACL2-NUMBER-LISTP and the :type-prescription
rules ACL2-NUMBER-LISTP, INTEGER-LISTP, NAT-LISTP, RATIONAL-LISTP and
REPEAT, is

Goal
(AND (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NATP (CAR L)))
     (IMPLIES (AND (NAT-LISTP L) (NOT (ENDP L)))
              (NAT-LISTP (CDR L)))).
Subgoal 2
Subgoal 1

Q.E.D.

That completes the p

In [28]:
; Theorem about flat-map
(defthm flat-map-repeat-append
  (equal (flat-map-repeat (append l1 l2))
         (append (flat-map-repeat l1)
                 (flat-map-repeat l2))))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to two.
However, one of these is flawed and so we are left with one viable
candidate.  

We will induct according to a scheme suggested by (APPEND L1 L2), while
accommodating (FLAT-MAP-REPEAT L1).

These suggestions were produced using the :induction rules BINARY-APPEND
and FLAT-MAP-REPEAT.  If we let (:P L1 L2) denote *1 above then the
induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L1)) (:P (CDR L1) L2))
              (:P L1 L2))
     (IMPLIES (ENDP L1) (:P L1 L2))).
This induction is justified by the same argument used to admit BINARY-APPEND.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/2''
Subgoal *1/2'''
Subgoal *1/2'4'
Subgoal *1/2'5'
Subgoal *1/2'6'

([ A key checkpoint whil