Major Section: STATE
This documentation section introduces some common techniques for programming using the ACL2 state object. A prerequisite is thus a basic understanding of that object; see state. We hope this section is useful, and we invite suggestions for improvements and additions.
A supplement to this section is the ACL2 source code, which uses most (and probably all) of the techniques discussed here. That code is thus a source of many examples, which can serve as ``templates'' to guide one's own programming with state.
Recall that ``ACL2'' stands for ``A Computational Logic for Applicative Common Lisp''. In particular, the language is applicative: there are no global variables or side effects. For many purposes this does not feel restrictive; for example, an ACL2 user who is programming in raw Lisp may well be more comfortable coding a factorial function applicatively, using recursion, rather than using iteration with repeated assignment to the same variable.
However, there are situations that call for reading or modifying the system state, such as performing input and output, signalling errors, saving information from one computation for use in a later one, or reading and updating system-level or environmental data. This section provides an introductory guide for writing functions that traffic in state. We emphasize that this guide is intended as an introduction; more complete documentation may often be found by following links to documentation of individual utilities, and again, more examples may be found by searching the ACL2 source code for uses of the functions and macros mentioned below. The rest of this section is organized as follows.
ENABLING PROGRAMMING WITH STATE STATE GLOBALS A REMARK ON GUARDS ERRORS AND ERROR TRIPLES SEQUENTIAL PROGRAMMING BINDING VARIABLES USING ERROR TRIPLES BINDING STATE GLOBAL VARIABLES INPUT AND OUTPUT TIMINGS ENVIRONMENT AND SYSTEM REMARKS ON EVENTS AND LD ADVANCED TOPICS
ENABLING PROGRAMMING WITH STATE
In order to submit a definition that takes state
as a formal parameter,
you must either declare state
as a :
stobj
(see xargs) or first
evaluate the following form at the top level: (set-state-ok t)
.
Consider for example the following trivial definition.
(defun foo (state) (mv 3 state))If you submit the above definition in a fresh ACL2 session, you will get this error message.
ACL2 Error in ( DEFUN FOO ...): The variable symbol STATE should not be used as a formal parameter of a defined function unless you are aware of its unusual status and the restrictions enforced on its use. See :DOC set-state-ok.If first you evaluate
(set-state-ok t)
, you can admit the above
definition. Alternatively, you can declare state
as a :
stobj
,
as follows.
(defun foo (state) (declare (xargs :stobjs state)) (mv 3 state))A difference in the two approaches is that for the latter, a guard proof obligation is generated by default. See the section below entitled ``A remark on guards''.
STATE GLOBALS
Recall (see state) that one of the fields of the ACL2 state object is the global-table, which logically is an alist associating symbols, known as ``state globals'' or ``state global variables'', with values. But no such alist actually exists in the implementation. Instead, ACL2 provides utilities for reading state globals -- see @ and see f-get-global -- and utilities for writing them -- see assign and see f-put-global. The following log shows how they work; further explanation follows below.
ACL2 !>(assign my-var (+ 3 4)) 7 ACL2 !>(@ my-var) 7 ACL2 !>(f-put-global 'my-var (+ 1 5) state) <state> ACL2 !>(f-get-global 'my-var state) 6 ACL2 !>Note that the first result is indented by one space. This is ACL2's way to indicate that the
assign
expression returned an ``error triple'' and
that no error was signalled. We discuss error triples in more detail below;
also see error-triples.As illustrated above, the output signatures of the utilities for assigning to
state globals differ from each other as follows: f-put-global
returns
state
, but assign
returns an error triple (mv nil val state)
where val
is the value assigned to the state global. The output
signatures of the utilities for reading, @
and f-get-global
, are
identical. In fact, the form (f-get-global 'my-var state)
is the
single-step macroexpansion of the form (@ my-var)
, as can be confirmed
using trans1
.
ACL2 !>:trans1 (@ my-var) (F-GET-GLOBAL 'MY-VAR STATE) ACL2 !>
State globals are useful for conveying persistent state information.
Consider for example the utility set-inhibit-output-lst
. The form
(set-inhibit-output-lst '(prove proof-tree))
is approximately equivalent
to (assign inhibit-output-lst '(prove proof-tree)). We say ``approximately''
because set-inhibit-output-lst
additionally does some error checking to
insure that all the tokens in the new list are legal. When deciding whether
to print output, the ACL2 system reads the value of state global variable
inhibit-output-lst
.
A REMARK ON GUARDS
For a function definition (see defun), if state
is specified as a
stobj as with the form (declare (xargs :stobjs state))
, then the
guard for that function is considered to include the condition
(state-p state)
. By default, guard verification will then be
performed.
We can illustrate this point by modifying the example above as follows, to
read the value of state global gag-mode
.
(defun foo (state) (declare (xargs :stobjs state)) (f-get-global 'gag-mode state))If you try this in a fresh ACL2 session, the proof will fail with the following key checkpoint, which says that the state global
gag-mode
is
bound in the global-table of the state.
(IMPLIES (STATE-P1 STATE) (ASSOC-EQUAL 'GAG-MODE (NTH 2 STATE)))
How can we deal with this proof failure? One way is simply to ignore the
issue by defining the function in :
program
mode, as follows.
(defun foo (state) (declare (xargs :stobjs state :mode :program)) (f-get-global 'gag-mode state))Perhaps a better way is to strengthen the guard to assert that the indicated state global is bound, as follows.
(defun foo (state) (declare (xargs :guard (boundp-global 'gag-mode state) :stobjs state)) (f-get-global 'gag-mode state))Also see guard-miscellany for a discussion of how guards are generated from
xargs
fields of declare forms, specifically, for keywords
:guard
and :stobjs
.ERRORS AND ERROR TRIPLES
When evaluation returns three values, where the first two are ordinary
objects and the third is the ACL2 state, the result may be called an ``error
triple''. (Whether it is treated as an error triple depends on the
programmer.) Error triples are often denoted (mv erp val state)
, and
common ACL2 programming idioms treat erp
as a flag indicating whether an
error is being signalled and val
as the ``value'' computed. Also
see error-triples.
Even ACL2 users who are not programmers encounter error triples, because
these are the values returned by evaluation of ACL2 events. Consider
the following log, where the only user input is the defun
form
following the prompt.
ACL2 !>(defun foo (x) x) Since FOO is non-recursive, its admission is trivial. We observe that the type of FOO is described by the theorem (EQUAL (FOO X) X). Summary Form: ( DEFUN FOO ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) FOO ACL2 !>All output above results from explicit calls of output functions, except for the next-to-last line, which contains
FOO
. Notice the single-space
indentation preceding FOO
. That space indicates that in fact, the value
returned by evaluation of the defun
form is the error triple whose error
flag is nil
and whose computed value is FOO
. By default, ACL2 prints
any error triple (mv nil val state)
by inserting a space before printing
val
. You can change the default by setting state global
ld-post-eval-print
to t
; notice how the same result is printed
below.
ACL2 !>:u 0:x(EXIT-BOOT-STRAP-MODE) ACL2 !>(set-ld-post-eval-print t state) (NIL T <state>) ACL2 !>(defun foo (x) x) Since FOO is non-recursive, its admission is trivial. We observe that the type of FOO is described by the theorem (EQUAL (FOO X) X). Summary Form: ( DEFUN FOO ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) (NIL FOO <state>) ACL2 !>
The way error triples are printed by ld
is controlled not only by state
global ld-post-eval-print
, but also by state global ld-error-triples
.
These are examples of ``ld specials''; see ld, see ld-post-eval-print, and
see ld-error-triples.
It is so common to produce an error triple whose first (error flag) component
is nil
that ACL2 provides a handy macro, value
, for this purpose.
Thus, (value <expression>)
is equivalent to
(mv nil <expression> state)
. Also see value-triple for a similar
construct that is a legal event form.
We turn now to the topic of errors. The macro ER
``causes'' an error,
but there are really two quite different kinds of errors: ``soft'' and
``hard'' errors. We use the term ``soft error'' to refer to a form that
returns an error triple (mv erp val state)
for which erp
is
non-nil
. Soft errors do not interrupt the normal flow of evaluation: the
error triple is returned to the caller which interprets the erp
flag and
val
as directed by the programmer. Macros discussed below make it
convenient to think about soft errors as short-circuiting the computation.
Hard errors, on the other hand, do actually rip control away from the current
evaluation and return it to the top-level loop. Logically speaking,
expressions that cause hard errors return nil
in the error case, but the
nil
is never seen in actual evaluation because control does not return to
the caller.
Note that the function abort!
, which you can invoke by typing
:
a!
, always returns to the top level. Note that ACL2 can
prove that (abort!)
returns nil
but that this cannot be confirmed
by computation.
ACL2 !>(thm (equal (abort!) nil)) Q.E.D. Summary Form: ( THM ...) Rules: ((:FAKE-RUNE-FOR-TYPE-SET NIL) (:TYPE-PRESCRIPTION ABORT!)) Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) Proof succeeded. ACL2 !>(equal (abort!) nil) Abort to ACL2 top-level ... ACL2 !>
(What actually happens with a hard error, including non-default cases, is a
bit subtle; most readers will probably want to skip this paragraph. The
read-eval-print loop implemented by ld
is implemented by a call of the
ACL2 evaluator function, trans-eval
, on each input form. If a hard
error occurs during evaluation of an input form, its trans-eval
call will
return with a soft error. Ld
, in turn handles that soft error
appropriately; see ld-error-action.)
The most common way to signal errors is the macro er
, which prints a
formatted error message and returns a soft or hard error as specified by the
call. Note however that soft errors are signalled using :
program
mode functions.
Since the output signatures of soft and hard errors are different -- hard errors ``return'' a single value while soft errors return a triple -- mixing them in an expression requires embedding the hard error form in (an irrelevant) triple, as illustrated below. All branches of the expression must produce an error triple if any branch does.
ACL2 !>(defun chk-find-or-abort (e x state) (declare (xargs :mode :program)) (if (endp x) (value ; Note use of VALUE! (er hard 'chk-find-or-abort "Did not find ~x0!" e)) (if (not (integerp (car x))) (er soft 'chk-find-or-abort "Non-integer, ~x0, in list!" (car x)) (if (eql (car x) e) (value x) (chk-find-or-abort e (cdr x) state))))) Summary Form: ( DEFUN CHK-FIND-OR-ABORT ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) CHK-FIND-OR-ABORT ACL2 !>(chk-find-or-abort 3 '(1 2 3 4 5) state) (3 4 5) ACL2 !>(chk-find-or-abort 3 '(1 A 3 4 5) state) ACL2 Error in CHK-FIND-OR-ABORT: Non-integer, A, in list! ACL2 !>(chk-find-or-abort 3 '(1 2 4 5) state) HARD ACL2 ERROR in CHK-FIND-OR-ABORT: Did not find 3! ... ACL2 !>
See er for further discussion of errors. For some other individual topics related to errors see assert$, see break-on-error, see error1, see hard-error, see illegal, and see ld-error-triples.
In the next section we discuss soft errors further, in the context of programming.
SEQUENTIAL PROGRAMMING
This section describes handy ways to modify state in steps, using macros that
implement a sequence of let
or mv-let
bindings. For example,
suppose you want to assign the values 1 and 2 to two state globals
one-var
and two-var
, respectively. Because of ACL2's syntactic
restrictions on state
, it is not legal simply to write
(f-put-global 'two-var 2 (f-put-global 'one-var 1 state))
. However,
let
comes to the rescue as follows.
(let ((state (f-put-global 'one-var 1 state))) (let ((state (f-put-global 'two-var 2 state))) state))It is so common to bind state successively in such a manner that ACL2 provides a macro,
pprogn
, for this purpose. Thus, an equivalent
solution to the problem above is
(pprogn (f-put-global 'one-var 1 state) (f-put-global 'two-var 2 state) state)or, more simply, as follows.
(pprogn (f-put-global 'one-var 1 state) (f-put-global 'two-var 2 state))See pprogn. Note that the last form is allowed to return multiple values; the only requirement on the last form is that its value include
state
.It is also common to update the state using a sequence of forms such that
each returns an error triple, where the intention is for evaluation to
short-circuit immediately if a soft error is encountered. Suppose
<expr1>
and <expr2>
are expressions that return error triples, where
the state
components of the error triples might be updated, and one
wishes to evaluate <expr1>
and then <expr2>
, returning the (multiple)
values returned by <expr2>
unless the error triple returned by
<expr1>
is a soft error, in which case that error triple is returned.
One can of course do so as follows.
(mv-let (erp val state) <expr1> (cond (erp (mv erp val state)) (t <expr2>)))But ACL2 provides a handy macro,
er-progn
, for this purpose. The
following code is equivalent to the code just above.
(er-progn <expr1> <expr2>)See er-progn for more details. Note that unlike
pprogn
, the return
signature for the last expression must be the same as that of the
others: an error triple.Let's consider how to use pprogn
and er-progn
together. In the
following example f1
and f2
both return state
, while each of
g1
and g2
returns an error triple. The following code modifies state
by executing these in the order f1
, g1
, f2
, and finally g2
,
returning (mv nil val state)
where val
is the value component of the
error triple returned by g2
-- except we return a soft error if g1
or g2
returns a soft error.
(pprogn (f1 x state) (er-progn (g1 x state) (pprogn (f2 x state) (g2 x state))))
Finally, consider the events progn
and progn!
. These have
similar behavior to that of er-progn
. However, progn
and
progn!
may only be used in event contexts, for example at the top level
or immediately underneath a call of encapsulate
or progn
, while
er-progn
has no such restriction. So when writing code, use
er-progn
rather than progn
or progn!
. In particular, the
body of a defun
must not have any calls of progn
(or of progn!
either), and the same restriction holds for any code to be executed, such as
the body of a make-event
form.
BINDING VARIABLES USING ERROR TRIPLES
In this section we discuss the macro er-let*
, which is a variant of the
special form, let*
, that is useful when programming with state.
The macro er-let*
is useful when binding variables to the value
components of error triples. It is actually quite similar to er-progn
,
described above, except that er-let*
binds variables. First consider the
following example.
(er-let* ((x1 (f1 state)) (x2 (f2 x1 state))) (value (cons x1 x2)))The code just above is essentially equivalent to writing the following.
(mv-let (erp x1 state) (f1 state) (cond (erp (mv erp x1 state)) (t (mv-let (erp x2 state) (f2 x1 state) (cond (erp (mv erp x2 state)) (t (value (cons x1 x2))))))))
As suggested by the example above, er-let*
has the same syntax as
let*
, except that declarations are not supported. (But note that
ignore
declarations are not needed; all variables that are bound are also
used, at least in the error case. Consider replacing (cons x1 x2)
by
nil
in the example displayed immediately above, and note that x1
and
x2
are still used.) However, unlike let*
, er-let*
requires that
for each binding (var expr)
, the expression expr
must evaluate to an
error triple and, moreover, it requires that the second argument (the
``body'') of er-let*
must evaluate to an error triple. If one of the
variable expressions (e.g., the f1
and f2
calls above) signals an
error, its error triple is returned as the value of the er-let*
.
Of course, soft errors can be ``caught'' by using mv-let
instead of
er-let*
and simply ignoring the error flag or, more generally, by
returning a non-erroneous error triple even if the error flag was on.
BINDING STATE GLOBAL VARIABLES
In this section we introduce a utility, state-global-let*
, that is an
analogue of let*
for state global variables. Consider the following
example.
(state-global-let* ((inhibit-output-lst (add-to-set-eq 'summary (@ inhibit-output-lst)))) (thm (equal x x)))This form binds state global variable
inhibit-output-lst
to the result of
adding the symbol, summary
, to the current value of that state global.
Thus (see set-inhibit-output-lst), the usual summary is not printed when
evaluating this call of thm
.See state-global-let* for more complete documentation.
INPUT AND OUTPUT
In ACL2, most input and output involves the ACL2 state. See io.
TIMINGS
For how to obtain the runtime elapsed since the start of the ACL2 session, see read-run-time.
For a utility for saving times into the ACL2 state and for printing those
saved times, see the community book misc/save-time.lisp
.
To time an evaluation (though this really isn't about state), see time$.
ENVIRONMENT AND SYSTEM
Next, we mention briefly some ways in which ACL2 interacts with its environment using the ACL2 state.
For how to read and write environment variables, see getenv$ and see setenv$.
For how to run a command in the host operating system, see sys-call.
REMARKS ON EVENTS AND LD
In general, undefined or surprising behavior may occur when using ACL2
events or calling ld in your programs. In some cases ACL2 enforces
restrictions against these uses. We strongly discourage using ld
in
programs, as it has been designed to be called only at the top level of a
read-eval-print loop.
There is also a restriction on contexts in which make-event
may be
called: it may only be called in a context where an event is expected, such
as the top level, in a book, or as an argument of encapsulate
or
progn
. The reason is that ACL2 does very subtle and careful tracking
of make-event
expansions; and it is only able to do this in event
contexts, where it is able to carry out such tracking accurately.
ADVANCED TOPICS
ACL2 provides the function trans-eval
to evaluate an arbitrary form
(after translating it to a term, i.e., into internal form). For more
information, we refer to reader to comments in the definition of
trans-eval
in the ACL2 source code. There are also many examples of its
use in the ACL2 sources.
For a function that provides the true absolute filename, with soft links resolved, see canonical-pathname.
For a function that returns a check-sum on the characters in a channel, see check-sum.
To obtain a random number, see random$.
If you are programming in raw-mode (see set-raw-mode) or in raw Lisp, use
the variable *the-live-state*
in place of the variable state
.
We invite suggestions for additional advanced topics.