Starting ACL2 in Earnest

PollEverywhere Q

How many dots would we see in the “maximal dot” representation of the following expression:

(a (b c d) . e)

The dot/box notation of this structure.

Why did one of those “end in a dot”?

cons, car and cdr

What further questions do we have?

• Question from the reading?
• Question from the HW?
• Questions from lecture, things that don’t make sense now?
• Question from here?
• Question from the audience at home?

PollEverywhere atom question.

The recognizer atom, which is not like the others

All functions must terminate! (You gotta make’em!)

(defun countdown ), fails to terminate. Contracts!

car and cdr, revisited.

Check your understanding: How are left and right different from car and cdr? How are first and rest different from car and cdr?

Which of these do you think is the more important difference?

defunc functions

More powerful, because these permit us to define arbitrary contracts.

contracts: A simple and useful class of invariants about inputs and outputs

:input-contract ...
:output-contract ...

definec short-hand version of defunc

What about more complicated properties?

We still have the defunc bits when we want it!

NEW! in ACL2s / this course

In Fundies 1 these were specified as comments

Here: integrated as part of the language => can be checked statically by the compiler!

Invariants

An instantaneous property that is always satisfied in all executions of the program, at a certain location in the program

   k := 0 ; // assign 0 to k
   // k=0 is an invariant here

   // say “I love you” ten times:
   while (k < 10) {
	 // k<10 is an invariant here
	 // 0<=k<10 is another (stronger) invariant
	 printf(“I love you\n”) ;
	 k++ ;
	 // k<=10 is invariant here
	 assert(k<=10);  // assertion statement
   }

  (definec len (l :tl) :nat
	(if (endp {(tlp l)} l) 
	  0
	  (+ 1 (len (rest l)))))

Natural Recursion

(defun plus (x :nat y :nat) :nat
  (cond
    ((zp y) x)
	(t (1+ (plus x (1- y))))))
```lisp

## Contract Checking

This will be a topic of the whole course---we will revisit this. This
is a prelude.

```lisp
(definec tapp (x :tl y :tl) :tl
  (declare (xargs :mode :program))
  (if (lendp x)
    y
	(lcons (head x) (tapp (tail x) y))))

1. evaluating f’s input contract on any (well-formed) inputs whatsover will not lead to any contract violations, and

2. evaluating the body of f on any inputs that satisfy f’s input contract will never lead to a contract violation for any function that may be called during this evaluation,including functions that are called directly or indirectly, and

3. the evaluation of f’s body on any inputs that satisfy f’s input contract will terminate, and

4. the evaluation of f’s body on any inputs that satisfy f’s input contract will yield a value that satisfies f’s output contract. Therefore, for logic mode definitions, ACL2s only needs to check input contract for “top-level” forms.

quasiquote and unquote

Just the facts ma’am.