A Using the ACL2 System A.l Introduction This appendix tells you the basics you need to know in order to use the ACL2 system. After some preliminaries, we explain the fundamental read­ eval-print nature of interaction with ACL2. We then describe how to give commands that update the state of the system, e.g., with definitions and theorems. We conclude by describing the structure of the documentation, illustrating its use with an example and presenting an abbreviated outline. A.I.1 Getting Started ACL2 is publicly available on the Web at http://www . cs . utexas . edu/­ users/moore/ac12/. You are encouraged to explore this page, which has links to introductory material, to useful email addresses including an ACL2 mailing list, to research papers, and to the system itself along with instruc­ tions on how to obtain and install it. A.I.2 Conventions ACL2 has extensive documentation which is organized by topics. When a topic occurs in this book, recall that we may call attention to its status as a documentation topic by underlining it in typewriter font. For example, documentation is itself such a topic. This appendix is not intended to require any prior knowledge of the programming language underlying ACL2. It suffices for now to understand that ACL2 syntax uses prefix notation: for function calls the operator ap­ pears before the operands, all within parentheses. For example, the sum of the numbers 5 and 7 is written (+ 5 7). In the following sample transcript, only the expression (+ 5 7) is typed in by the user. The rest is printed by the system, including the ACL2 prompt. ACL2 !>(+ 5 7) 224 Computer-Aided Reasoning: An Approach 12 ACL2 !> We will follow this convention throughout this appendix: user input immediately follows prompts, and everything else in the display is printed by the system. A.2 The Read-Eval-Print Loop This section describes the basics of interacting with ACL2. See also Id. A.2.1 Entering ACL2 When you follow the installation instructions, you will create an executable image. In some Lisps, you will then need to invoke the command (lp) ("loop") in order to enter the ACL2 read-eval-print loop that is described below. Here, for example, is how one starts up ACL2 using Allegro Common Lisp, assuming that the ACL2 executable is called acl2. In GCL and perhaps other Lisps, you will immediately see the ACL2 prompt, ACL2 ! >, in which case you should skip (lp). I. ac12 Allegro CL Enterprise Edition 5.0 [SPARC] (8/29/98 12:15) [[ additional output omitted ]] ACL2(1): (lp) ACL2 Version 2.5. Level 1. Cbd "/user/smith/". Type :help for help. ACL2 !> A.2.2 Read, Eval, and Print Here again is the example presented above. ACL2 !>(+ 5 7) 12 ACL2 !> This example illustrates interaction with ACL2, namely, using a read­ eval-print loop . • Read: The system reads the user's input expression, (+ 5 7) . • Eval: The system evaluates this input, adding 5 and 7. Using the ACL2 System 225 • Print: The system prints out the result returned by the evaluation, 12. Numerous operations are built into ACL2 besides the addition operator (+) shown above. In particular, the operator thin directs ACL2 to attempt the proof of a theorem. The transcript below shows a use of thin that causes ACL2 to prove the commutativity of addition: the sum of x and y, (+ x y), is equal to the sum of y and x, (+ y x). Again, only the expression following the prompt was supplied by the user. ACL2 !>(thm (equal (+ x y) (+ y x») But simplification reduces this to T, using linear arithmetic and primitive type reasoning. Q.E.D. Summary Form: (THM ... ) Rules: «:FAKE-RUNE-FOR-LINEAR NIL) (:FAKE-RUNE-FOR-TYPE-SET NIL» Warnings: None Time: 0.02 seconds (prove: 0.00, print: 0.01, other: 0.01) Proof succeeded. ACL2 !> We postpone discussion of the theorem prover, but the example above provides some idea of how to interact with the system. Notice that this example illustrates that printing can go on during evaluation. It also shows that the print phase of the read-eval-print loop is skipped for thin, as it is for a few other built-in operations. A.2.3 Exiting ACL2 The most direct way to quit ACL2, including the underlying Lisp, may be to issue the keyword command : good-bye. (Keyword commands in general are discussed in Section A.3.2.) ACL2 !>:good-bye dork.cs.utexas.edu'l. The : good-bye command works when the underlying Lisp is GCL or (starting with ACL2 Version 2.5) Allegro CL. It may not work with other Lisps. How else can you exit an ACL2 session? You can probably quit ACL2, including the underlying Lisp, entirely from inside the ACL2 loop by typing control-d one or more times. In 226 Computer-Aided Reasoning: An Approach Emacs, use the combination eontrol-c eontrol-d instead of control-d. In MacIntosh Common Lisp (MCL), use eommand-q. But here is a more reliable approach than the one of the preceding paragraph. You can always leave the ACL2 loop by typing: 9" as follows. ACL2 !>:q Exiting the ACL2 read-eval-print loop. To re-enter, execute (LP) • ACL2> You could alternatively evaluate (value :q). In either case, you are left at the Lisp prompt, in what we sometimes refer to as raw Lisp. Each Lisp pro­ vides its own quit command to execute in raw Lisp, including (user: :bye) in GCL, (exel: :exit) in Allegro Common Lisp, (user: : quit) in CMU Common Lisp, and (eel: :quit) in MCL. A.2.4 Dealing with Interrupts and Breaks In many Common Lisps, an ACL2 session can be interrupted by typing eontrol-e (in Emacs, two eontrol-e characters). In MCL, use com­ mand-, (the comma character while holding down the command key). When the interrupt is seen, you are left in a break loop in raw Lisp. Certain input errors (as illustrated below) can also leave you in breaks. Your Lisp provides a way to abort the break and return to the top-level. In some Lisps, this will take you all the way out to raw Lisp and you must type (lp) to get back into the ACL2 command loop. In other Lisps, it will take you back into the ACL2 command loop. You can often get from the break loop back to the ACL2 read-eval-print loop by typing the token '#. ' followed by a carriage return, which implements the command (abort!). Here is an illustration of the user being accidentally thrown into a break loop because of a typo (the comma), followed by recovery using '#. '. The break prompt of your Lisp may resemble the ACL2 prompt; pay attention to the prompt. ACL2 !>(+ 3,245 7) Error: Illegal comma encountered by READ. Fast links are on: do (si::use-fast-links nil) for debugging Error signalled by CONDo Broken at CONDo Type:H for Help. ACL2»#. Abort to ACL2 top-level ACL2 Version 2.5. Levell. Cbd "/user/smith/". Type :help for help. ACL2 !> Using the ACL2 System 227 Occasionally, '#.' may not work, in particular when there are stack overflows. 1 In that case, follow these steps. 1. Return from the break using : q for GCL, : reset for Allegro, and q for CMU Lisp. This should put you in the ACL2 loop. 2. Exit the ACL2 loop using: q. 3. Re-enter the ACL2 loop using (lp). Note: We include Steps 2 and 3 because we have seen cases in which the underlying Lisp has had insufficient stack for further processing unless one first returns to the top level of raw Lisp. A.3 Managing ACL2 Sessions The example using thIn above shows that ACL2 comes with a built-in logical data base that is sufficiently rich to allow ACL2 to prove that addition is commutative. However, the utility of ACL2 derives largely from the ability to extend that logical data base, which we call a logical world or world, with new definitions and theorems. When the user's input causes the logical world to be changed, that input is called a command. A single command can generate several events that extend the logical world. The following command defines two functions: one named add3 that adds 3 to its input, x, and one named sub3 that subtracts 3 from its input, x. These two definition (defun) events will be used in examples below. This is a contrived example, since one rarely uses the sequencing operator progn in ACL2, but it illustrates the distinction between the notions of command (user input that creates at least one world-changing event) and event (a form that updates the ACL2 world when successfully evaluated). (progn (defun add3 (x) (+ x 3» (defun sub3 (x) (- x 3» Once this command has been submitted to ACL2, the functions defined can be tested, for example as follows. ACL2 !>(add3 9) 12 ACL2 !>(sub3 12) 9 ACL2 !> 1 For Lisp experts: The problem is that Lisp can reset the variable *readtable*. 228 Computer-Aided Reasoning: An Approach A.3.1 Viewing the ACL2 Logical World The ACL2 user's goal is generally the extension of the built-in logical world, by defining functions and by proving theorems that express desired prop­ erties of those functions. Logical worlds are extended using commands such as the one shown above. In this section we give an idea of how to obtain views of the current logical world. The simplest view of the current logical world is obtained using :pbt ("print back through"), which shows the current command history.