# Flying Demo

This notebook is a demonstration for http://www.cs.utexas.edu/users/moore/publications/flying-demo/script.html

Jupyter Kernel is [acl2-kernel](https://github.com/tani/acl2-kernel) written by TANIGUCHI Masaya.

## Instruction

1. Requirements
    - ACL2 (version 8.2, or later)
    - Python 3 (version 3.6 or later)
2. Libraries: Install Jupyter environment
  ```bash
  $ pip install jupyter acl2-kernel
  ```
3. Usage: Launch Jupyter server
  ```
  $ jupyter notebook
  ```
4. After launching server, you can create new notebook!


## Introduction

We assume you know enough Lisp to evaluate this expression. What is its value? The function cons constructs an ordered pair of its two arguments. The function car returns the first component of an ordered pair; cdr, not used here, returns the other component. The function equal returns T or NIL (true or false) according to whether its two arguments are the same object.

In [1]:
(+ 3 4)

7


In [2]:
(equal (car (cons 1 '(2 3 4))) 1)

T


---
This is a command to prove the indicated theorem. The theorem states that the car of the cons of two things is the first one. If you click on the link you will see ACL2 prove this.

As you can see, ACL2's "proofs" are really descriptions of proofs or proof sketches, not formal mathematical proofs. But if ACL2 prints the "Q.E.D." then it has confirmed (behind the scenes) that a formal proof exists. ACL2 contains a lot of decision procedures and powerful simplification techniques. So it is not always obvious how the system gets from one goal to the next. Note the time taken to do the proof.

In [3]:
(thm (equal (car (cons x y)) x))


Q.E.D.

Summary
Form:  ( THM ...)
Rules: ((:REWRITE CAR-CONS))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  7

Proof succeeded.


---
The function endp recognizes the empty list.

In [4]:
(endp nil)

T


---
NIL is the symbol used by Lisp and ACL2 to denote the "false" truthvalue. NIL is also the "empty list." T denotes the "true" truthvalue. Case is unimportant here. So nil and NIL are the same thing.

In [5]:
(endp '(1 2 3 4))

NIL


---
Another simple theorem. Think about the proof. Then click on the link and see if you understand ACL2's proof.
When you click, the proof may overflow your browser's window. If so, scroll down to the next command prompt using your browser's scroll buttons. We recommend against using the slide bar!


In [1]:
(thm (implies (and (not (endp x))
                   (endp (cdr x))
                   (integerp n)
                   (<= 0 n)
                   (rationalp u))
              (< (* (len x) u) (+ u n 3))))

Goal'
Goal''

Q.E.D.

Summary
Form:  ( THM ...)
Rules: ((:DEFINITION ENDP)
        (:DEFINITION FIX)
        (:DEFINITION LEN)
        (:DEFINITION NOT)
        (:EXECUTABLE-COUNTERPART BINARY-+)
        (:EXECUTABLE-COUNTERPART TAU-SYSTEM)
        (:REWRITE COMMUTATIVITY-2-OF-+)
        (:REWRITE COMMUTATIVITY-OF-+)
        (:REWRITE UNICITY-OF-1))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Prover steps counted:  212

Proof succeeded.


## Insertion Sort
We next illustrate a few theorems about sorting. The plan of the demo is as follows.

- Define the Lisp functions insert and isort to do insertion sort.
- Prove isort produces ordered output.
- Prove isort produces a permutation of its input.
- Define a "buggy" version of insert and isort.
- Show that the buggy isort produces ordered output but not a permutation of its input.

Virtually every time we introduce a function we illustrate its behavior by executing it on a few examples.


In [1]:
(defun insert (e x)
        (cond ((endp x) (cons e x))
              ((< e (car x)) (cons e x))
              (t (cons (car x) (insert e (cdr x))))))


The admission of INSERT is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT X).  We observe that the type of INSERT is described by
the theorem (CONSP (INSERT E X)).  We used primitive type reasoning.

Summary
Form:  ( DEFUN INSERT ...)
Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 INSERT


---
Here we illustrate an application of insert to put 3 into its proper place in the ordered list (1 2 4 5).

In [2]:
(insert 3 '(1 2 4 5))

(1 2 3 4 5)


---
Another recursive definition. This is the Lisp program that sorts a list of numbers using the insert function just defined.

In [3]:
(defun isort (x)
    (if (endp x)
        nil
        (insert (car x)
                (isort (cdr x)))))


The admission of ISORT is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT X).  We observe that the type of ISORT is described by
the theorem (OR (CONSP (ISORT X)) (EQUAL (ISORT X) NIL)).  We used
the :type-prescription rule INSERT.

Summary
Form:  ( DEFUN ISORT ...)
Rules: ((:TYPE-PRESCRIPTION INSERT))
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 ISORT


In [4]:
(isort '(5 4 6 7 2 1 0 3))

(0 1 2 3 4 5 6 7)


---
This defines what we mean by a list being "ordered."

In [5]:
(defun ordered (x)
    (cond ((endp x) t)
          ((endp (cdr x)) t)
          (t (and (<= (car x) (car (cdr x)))
                  (ordered (cdr x))))))


The admission of ORDERED is trivial, using the relation O< (which is
known to be well-founded on the domain recognized by O-P) and the measure
(ACL2-COUNT X).  We observe that the type of ORDERED is described by
the theorem (OR (EQUAL (ORDERED X) T) (EQUAL (ORDERED X) NIL)).  

Summary
Form:  ( DEFUN ORDERED ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 ORDERED


In [6]:
(ordered '(1 2 3 4))

T


In [7]:
(ordered '(1 2 3 3 4))

T


In [8]:
(ordered '(1 3 2 4))

NIL


---
Here is our first interesting theorem: isort produces ordered output. Can you prove it? After you click on the next link, scroll through the proof using your browser's scroll buttons. We have noted, in blue, an interesting proof step made by the system.


In [9]:
(defthm ordered-isort
  (ordered (isort x)))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  One induction scheme is suggested
by this conjecture.  

We will induct according to a scheme suggested by (ISORT X).  This
suggestion was produced using the :induction rule ISORT.  If we let
(:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP X)) (:P (CDR X)))
              (:P X))
     (IMPLIES (ENDP X) (:P X))).
This induction is justified by the same argument used to admit ISORT.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/2''
Subgoal *1/2'''
Subgoal *1/2'4'
Subgoal *1/2'5'

([ A key checkpoint while proving *1 (descended from Goal):

Subgoal *1/2''
(IMPLIES (AND (CONSP X)
              (ORDERED (ISORT (CDR X))))
         (ORDERED (INSERT (CAR X) (ISORT (CDR X)))))

*1.1 (Subgoal *1/2'5') is pushed for proof b

---
We cannot be sure that isort is correct just because it produces ordered output. It might always return nil!

We next prove that it produces a permutation of its input.
How would you define perm? We have already loaded a definition into the system in this session. This command will show you that definition. Read it and see whether it agrees with your ideas.

(The following code is not same as the original demonstration. However, as we need to load book, I added an external book.)

In [10]:
;(certify-book "isort")
(include-book "isort")


Summary
Form:  ( INCLUDE-BOOK "isort" ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 "/home/masaya/Documents/acl2-kernel/isort.lisp"


---
This strange output means that the definition of perm was contained in a book called "isort" which was included as the second command in the session. (That command happened before the demo began.)

To read the definition above, think of it trying to determine whether x is a permutation of y. If x is a cons, then the first element of x must be a member of y and the rest of x must be a permutation of the result of deleting the first element of x from y. If, on the other hand, x is not a cons, i.e., if x is empty, then y must be empty also.



In [11]:
(pe 'perm)

           5:x(INCLUDE-BOOK "isort")
              \
              [Included books, outermost to innermost:
               "/home/masaya/Documents/acl2-kernel/isort.lisp"
              ]
              \
>L             (DEFUN PERM (X Y)
                      (IF (CONSP X)
                          (AND (MEM (CAR X) Y)
                               (PERM (CDR X) (DEL (CAR X) Y)))
                          (NOT (CONSP Y))))


In [12]:
(perm '(1 2 3 3 4) '(4 3 1 2 3))

T


In [13]:
(perm '(1 2 3 3 4) '(4 3 1 2 2))

NIL


In [14]:
(thm (perm x x))


*1 (the initial Goal, a key checkpoint) is pushed for proof by induction.

Perhaps we can prove *1 by induction.  One induction scheme is suggested
by this conjecture.  

We will induct according to a scheme suggested by (PERM X X).  This
suggestion was produced using the :induction rule PERM.  If we let
(:P X) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X))
     (IMPLIES (AND (CONSP X) (NOT (MEM (CAR X) X)))
              (:P X))
     (IMPLIES (AND (CONSP X)
                   (MEM (CAR X) X)
                   (:P (CDR X)))
              (:P X))).
This induction is justified by the same argument used to admit PERM.
When applied to the goal at hand the above induction scheme produces
three nontautological subgoals.
Subgoal *1/3
Subgoal *1/2
Subgoal *1/2'
Subgoal *1/1
Subgoal *1/1'

*1 is COMPLETED!
Thus key checkpoint Goal is COMPLETED!

Q.E.D.

Summary
Form:  ( THM ...)
Rules: ((:DEFINITION DEL)
        (:

In [27]:
(thm (implies (consp x) (perm x (insert (car x) (cdr x)))))

Goal'

Splitter note (see :DOC splitter) for Goal' (2 subgoals).
  if-intro: ((:DEFINITION MEM) (:DEFINITION PERM))

Subgoal 2

([ A key checkpoint:

Goal
(IMPLIES (CONSP X)
         (PERM X (INSERT (CAR X) (CDR X))))

Normally we would attempt to prove Subgoal 2 by induction.  However,
we prefer in this instance to focus on the original input conjecture
rather than this simplified special case.  We therefore abandon our
previous work on this conjecture and reassign the name *1 to the original
conjecture.  (See :DOC otf-flg.)

])

Perhaps we can prove *1 by induction.  One induction scheme is suggested
by this conjecture.  

We will induct according to a scheme suggested by 
(PERM X (INSERT (CAR X) (CDR X))).  This suggestion was produced using
the :induction rule PERM.  If we let (:P X) denote *1 above then the
induction scheme we'll use is
(AND (IMPLIES (NOT (CONSP X)) (:P X))
     (IMPLIES (AND (CONSP X)
                   (NOT (MEM (CAR X) (INSERT (CAR