• Top
    • Documentation
    • Books
    • Boolean-reasoning
    • Projects
    • Debugging
    • Std
    • Proof-automation
    • Macro-libraries
    • ACL2
      • Theories
      • Rule-classes
        • Type-prescription
        • Rewrite
        • Meta
        • Linear
        • Definition
        • Clause-processor
        • Tau-system
        • Forward-chaining
        • Equivalence
          • Congruence
          • Free-variables
          • Executable-counterpart
          • Induction
          • Type-reasoning
          • Compound-recognizer
          • Rewrite-quoted-constant
          • Elim
          • Well-founded-relation-rule
          • Built-in-clause
          • Well-formedness-guarantee
          • Patterned-congruence
          • Rule-classes-introduction
          • Guard-holders
          • Refinement
          • Type-set-inverter
          • Generalize
          • Corollary
          • Induction-heuristics
          • Backchaining
          • Default-backchain-limit
        • Proof-builder
        • Recursion-and-induction
        • Hons-and-memoization
        • Events
        • Parallelism
        • History
        • Programming
        • Operational-semantics
        • Real
        • Start-here
        • Debugging
        • Miscellaneous
        • Output-controls
        • Macros
        • Interfacing-tools
      • Interfacing-tools
      • Hardware-verification
      • Software-verification
      • Math
      • Testing-utilities
    • Rule-classes

    Equivalence

    Mark a relation as an equivalence relation

    See rule-classes for a general discussion of rule classes, including how they are used to build rules from formulas and a discussion of the various keywords in a rule class description.

    Example:
(defthm r-equal-is-an-equivalence ; assumes that r-equal has been defined
  (and (booleanp (r-equal x y))
       (r-equal x x)
       (implies (r-equal x y) (r-equal y x))
       (implies (and (r-equal x y)
                     (r-equal y z))
                (r-equal x z)))
  :rule-classes :equivalence)

    Also see defequiv.

    General Form:
(and (booleanp (equiv x y))
     (equiv x x)
     (implies (equiv x y) (equiv y x))
     (implies (and (equiv x y)
                   (equiv y z))
              (equiv x z)))

    except that the order of the conjuncts and terms and the choice of variable symbols is unimportant. The effect of such a rule is to identify equiv as an equivalence relation. Note that only Boolean 2-place function symbols can be treated as equivalence relations. See congruence and see refinement for closely related concepts.

    The macro form (defequiv equiv) is an abbreviation for a defthm of rule-class :equivalence that establishes that equiv is an equivalence relation. It generates the formula shown above. See defequiv.

    When equiv is marked as an equivalence relation, its reflexivity, symmetry, and transitivity are built into the system in a deeper way than via :rewrite rules. More importantly, after equiv has been shown to be an equivalence relation, lemmas about equiv, e.g.,

    (implies hyps (equiv lhs rhs)),

    when stored as :rewrite rules, cause the system to rewrite certain occurrences of (instances of) lhs to (instances of) rhs. Roughly speaking, an occurrence of lhs in the kth argument of some fn-expression, (fn ... lhs' ...), can be rewritten to produce (fn ... rhs' ...), provided the system ``knows'' that the value of fn is unaffected by equiv-substitution in the kth argument. Such knowledge is communicated to the system via ``congruence lemmas.''

    For example, suppose that r-equal is known to be an equivalence relation. The :congruence lemma

    (implies (r-equal s1 s2)
         (equal (fn s1 n) (fn s2 n)))

    informs the rewriter that, while rewriting the first argument of fn-expressions, it is permitted to use r-equal rewrite-rules. See congruence for details about :congruence lemmas. Interestingly, congruence lemmas are automatically created when an equivalence relation is stored, saying that either of the equivalence relation's arguments may be replaced by an equivalent argument. That is, if the equivalence relation is fn, we store congruence rules that state the following fact:

    (implies (and (fn x1 y1)
              (fn x2 y2))
         (iff (fn x1 x2) (fn y1 y2)))

    Another aspect of equivalence relations is that of ``refinement.'' We say equiv1 ``refines'' equiv2 iff (equiv1 x y) implies (equiv2 x y). :refinement rules permit you to establish such connections between your equivalence relations. The value of refinements is that if the system is trying to rewrite something while maintaining equiv2 it is permitted to use as a :rewrite rule any refinement of equiv2. Thus, if equiv1 is a refinement of equiv2 and there are equiv1 rewrite-rules available, they can be brought to bear while maintaining equiv2. See refinement.

    The system initially has knowledge of two equivalence relations, equality, denoted by the symbol equal, and propositional equivalence, denoted by iff. Equal is known to be a refinement of all equivalence relations and to preserve equality across all arguments of all functions.

    Typically there are five steps involved in introducing and using a new equivalence relation, equiv.

    (1) Define equiv,

    (2) prove the :equivalence lemma about equiv,

    (3) prove the :congruence lemmas that show where equiv can be used to maintain known relations,

    (4) prove the :refinement lemmas that relate equiv to known relations other than equal, and

    (5) develop the theory of conditional :rewrite rules that drive equiv rewriting.

    More will be written about this as we develop the techniques. For now, here is an example that shows how to make use of equivalence relations in rewriting.

    Among the theorems proved below is

    (defthm insert-sort-is-id
  (perm (insert-sort x) x))

    Here perm is defined as usual with delete and is proved to be an equivalence relation and to be a congruence relation for cons and member.

    Then we prove the lemma

    (defthm insert-is-cons
  (perm (insert a x) (cons a x)))

    which you must think of as you would (insert a x) = (cons a x).

    Now prove (perm (insert-sort x) x). The base case is trivial. The induction step is

       (consp x)
 & (perm (insert-sort (cdr x)) (cdr x))

-> (perm (insert-sort x) x).

    Opening insert-sort makes the conclusion be

    (perm (insert (car x) (insert-sort (cdr x))) x).

    Apply insert-is-cons to get

    (perm (cons (car x) (insert-sort (cdr x)) x)).

    Note that we have proved that perm is a congruence relation for cons. That allows us to apply the induction hypothesis (rewriting (insert-sort (cdr x)) to (cdr x)), to make the conclusion be

    (perm (cons (car x) (cdr x)) x).

    But we know that (cons (car x) (cdr x)) is x, so we get (perm x x) which is trivial, since perm is an equivalence relation. An exercise left to the reader is how this proof will change had we also proved that perm is a congruence relation for insert.

    Here are the events.

    (encapsulate (((lt * *) => *))
  (local (defun lt (x y) (declare (ignore x y)) nil))
  (defthm lt-non-symmetric (implies (lt x y) (not (lt y x)))))

(defun insert (x lst)
  (cond ((atom lst) (list x))
        ((lt x (car lst)) (cons x lst))
        (t (cons (car lst) (insert x (cdr lst))))))

(defun insert-sort (lst)
  (cond ((atom lst) nil)
        (t (insert (car lst) (insert-sort (cdr lst))))))

(defun del (x lst)
  (cond ((atom lst) nil)
        ((equal x (car lst)) (cdr lst))
        (t (cons (car lst) (del x (cdr lst))))))

(defun mem (x lst)
  (cond ((atom lst) nil)
        ((equal x (car lst)) t)
        (t (mem x (cdr lst)))))

(defun perm (lst1 lst2)
  (cond ((atom lst1) (atom lst2))
        ((mem (car lst1) lst2)
         (perm (cdr lst1) (del (car lst1) lst2)))
        (t nil)))

(defthm perm-reflexive
  (perm x x))

(defthm perm-cons
  (implies (mem a x)
           (equal (perm x (cons a y))
                  (perm (del a x) y)))
  :hints (("Goal" :induct (perm x y))))

(defthm perm-symmetric
  (implies (perm x y) (perm y x)))

(defthm mem-del
  (implies (mem a (del b x)) (mem a x)))

(defthm perm-mem
  (implies (and (perm x y)
                (mem a x))
           (mem a y)))

(defthm mem-del2
  (implies (and (mem a x)
                (not (equal a b)))
           (mem a (del b x))))

(defthm comm-del
  (equal (del a (del b x)) (del b (del a x))))

(defthm perm-del
  (implies (perm x y)
           (perm (del a x) (del a y))))

(defthm perm-transitive
  (implies (and (perm x y) (perm y z)) (perm x z)))

(defequiv perm)

(in-theory (disable perm
                    perm-reflexive
                    perm-symmetric
                    perm-transitive))

(defcong perm perm (cons x y) 2)

(defcong perm iff (mem x y) 2)

(defthm atom-perm
  (implies (not (consp x)) (perm x nil))
  :rule-classes :forward-chaining
  :hints (("Goal" :in-theory (enable perm))))

(defthm insert-is-cons
  (perm (insert a x) (cons a x)))

(defthm insert-sort-is-id
  (perm (insert-sort x) x))

(defun app (x y) (if (consp x) (cons (car x) (app (cdr x) y)) y))

(defun rev (x)
  (if (consp x) (app (rev (cdr x)) (list (car x))) nil))

(defcong perm perm (app x y) 2)

(defthm app-cons
  (perm (app a (cons b c)) (cons b (app a c))))

(defthm app-commutes
  (perm (app a b) (app b a)))

(defcong perm perm (app x y) 1
  :hints (("Goal" :induct (app y x))))

(defthm rev-is-id (perm (rev x) x))

(defun == (x y)
  (if (consp x)
      (if (consp y)
          (and (equal (car x) (car y))
               (== (cdr x) (cdr y)))
          nil)
      (not (consp y))))

(defthm ==-reflexive (== x x))

(defthm ==-symmetric (implies (== x y) (== y x)))

(defequiv ==)

(in-theory (disable ==-symmetric ==-reflexive))

(defcong == == (cons x y) 2)

(defcong == iff (consp x) 1)

(defcong == == (app x y) 2)

(defcong == == (app x y) 1)

(defthm rev-rev (== (rev (rev x)) x))