		Search-engine friendly clone of the ACL2 documentation.

Annotated-ACL2-scripts

Tutorial2-eights-problem

The Eights Problem Example

This example was written almost entirely by Bill Young of Computational Logic, Inc.

This simple example was brought to our attention as one that Paul Jackson has solved using the NuPrl system. The challenge is to prove the theorem:

for all n > 7, there exist naturals i and j such that: n = 3i + 5j.

In ACL2, we could phrase this theorem using quantification. However we will start with a constructive approach, i.e., we will show that values of i and j exist by writing a function that will construct such values for given n. Suppose we had a function (split n) that returns an appropriate pair (i . j). Our theorem would be as follows:

(defthm split-splits
  (let ((i (car (split n)))
        (j (cdr (split n))))
    (implies (and (integerp n)
                  (< 7 n))
             (and (integerp i)
                  (<= 0 i)
                  (integerp j)
                  (<= 0 j)
                  (equal (+ (* 3 i) (* 5 j))
                         n)))))

That is, assuming that n is a natural number greater than 7, (split n) returns values i and j that are in the appropriate relation to n.

Let's look at a few cases:

 8 = 3x1 + 5x1;    11 = 3x2 + 5x1;     14 = 3x3 + 5x1;   ...
 9 = 3x3 + 5x0;    12 = 3x4 + 5x0;     15 = 3x5 + 5x0;   ...
10 = 3x0 + 5x2;    13 = 3x1 + 5x2;     16 = 3x2 + 5x2;   ...

Maybe you will have observed a pattern here; any natural number larger than 10 can be obtained by adding some multiple of 3 to 8, 9, or 10. This gives us the clue to constructing a proof. It is clear that we can write split as follows:

(defun bump-i (x)
  ;; Bump the i component of the pair
  ;; (i . j) by 1.
  (cons (1+ (car x)) (cdr x)))

(defun split (n)
  ;; Find a pair (i . j) such that
  ;; n = 3i + 5j.
  (if (or (zp n) (< n 8))
      nil ;; any value is really reasonable here
    (if (equal n 8)
        (cons 1 1)
      (if (equal n 9)
          (cons 3 0)
        (if (equal n 10)
            (cons 0 2)
          (bump-i (split (- n 3))))))))

Notice that we explicitly compute the values of i and j for the cases of 8, 9, and 10, and for the degenerate case when n is not a natural or is less than 8. For all naturals greater than n, we decrement n by 3 and bump the number of 3's (the value of i) by 1. We know that the recursion must terminate because any integer value greater than 10 can eventually be reduced to 8, 9, or 10 by successively subtracting 3.

Let's try it on some examples:

ACL2 !>(split 28)
(6 . 2)

ACL2 !>(split 45)
(15 . 0)

ACL2 !>(split 335)
(110 . 1)

Finally, we submit our theorem split-splits, and the proof succeeds. In this case, the prover is ``smart'' enough to induct according to the pattern indicated by the function split.

For completeness, we'll note that we can state and prove a quantified version of this theorem. We introduce the notion split-able to mean that appropriate i and j exist for n.

(defun-sk split-able (n)
  (exists (i j)
          (equal n (+ (* 3 i) (* 5 j)))))

Then our theorem is given below. Notice that we prove it by observing that our previous function split delivers just such an i and j (as we proved above).

(defthm split-splits2
  (implies (and (integerp n)
                (< 7 n))
           (split-able n))
  :hints (("Goal" :use (:instance split-able-suff
                                  (i (car (split n)))
                                  (j (cdr (split n)))))))

Unfortunately, understanding the mechanics of the proof requires knowing something about the way defun-sk works. See defun-sk or see Tutorial4-Defun-Sk-Example for more on that subject.