Major Section: RELEASE-NOTES
NOTE! New users can ignore these release notes, because the documentation has been updated to reflect all changes that are recorded here.
Below we roughly organize the changes since Version 4.2 into the following categories of changes: existing features, new features, heuristic improvements, bug fixes, distributed books, Emacs support, and experimental versions. Each change is described in just one category, though of course many changes could be placed in more than one category.
CHANGES TO EXISTING FEATURES
The accumulated-persistence
utility can now do finer-grained tracking,
providing data for individual hypotheses and the conclusion of a rule.
See accumulated-persistence. To try this out, evaluate the form
(accumulated-persistence :all)
; then see accumulated-persistence for a
discussion of display options using show-accumulated-persistence
. Thanks
to Dave Greve for suggesting this new capability and collaborating on its
design and implementation.
The defattach
utility now permits the use of :
program
mode
functions, though this requires the use of a trust tag (see defttag).
See defattach and for discussion of the new capability, see defproxy,
which explains how part of this change involves allowing :
program
mode functions to be declared non-executable.
Redefinition (see ld-redefinition-action) is no longer permitted for
functions that have attachments (see defattach). In such cases, the
attachment must be removed first, e.g. with (defattach foo nil)
.
Made small changes to mv-nth
and defun-sk
in order to permit
guard verification of functions introduced with more than one quantified
variable in a defun-sk
form. The change to mv-nth
is to weaken
the guard by eliminating the requirement that the second argument
satisfy true-listp
, and replacing the call of endp
in the
definition body by a corresponding call of atom
. The new definition of
mv-nth
is thus logically equivalent to the old definition, but with a
weaker guard. Thanks to Sol Swords for sending the following example, for
which the final verify-guards
form had failed but now succeeds.
(defstub foo (a b c) nil) (defun-sk forall-a-b-foo (c) (forall (a b) (foo a b c)) :witness-dcls ((declare (Xargs :guard t :verify-guards nil)))) (verify-guards forall-a-b-foo)
The implementations of prog2$
, time$
,
with-prover-time-limit
, with-guard-checking
, mbe
(and
must-be-equal
), and ec-call
have changed. See the discussion
below of the new utility, return-last
. A consequence is that
trace$
is explicitly disallowed for these and related symbols, which
formerly could cause hard Lisp errors, because they are now macros. Tracing
of return-last is also disallowed. Another consequence is that time$ now
prints a more abbreviated message by default, but a version of the old
behavior can be obtained with :mintime nil
.
The following utilities no longer print an observation about raw-mode
transitions: set-raw-mode-on
, set-raw-mode-on!
, set-raw-mode
,
and set-raw-mode-off
. Thanks to Jared Davis for suggestion this change
in the case of include-book
(which proved awkward to restrict to that
case).
The system function translate-and-test
now permits its LAMBDA
form to
refer to the variable WORLD
, which is bound to the current ACL2 logical
world.
Modified abort handling to avoid talking about an interrupt when the error was caused by a Lisp error rather than an interrupt.
The value of the constant *acl2-exports*
, which is still a list, has been
extended significantly, though only with the addition of symbols that one
might reasonably have expected all along to belong to this list. A new
distributed book, books/misc/check-acl2-exports.lisp
, checks (at
certification time) that no documented constant, macro, or function symbol in
the "ACL2"
package has been accidentally omitted from
*acl2-exports*
. Thanks to Dave Greve for helpful discussions related to
this change.
Improved the built-in `untranslate
' functions to produce let*
expressions when appropriate (more to help with tools that call
untranslate
and the like, than to help with proof output).
The utility redo-flat
now works for certify-book
failures, just
as it continues to work for failures of encapsulate
and progn
.
The following only affects users who use trust tags to add to list values of
either of the state
global variables program-fns-with-raw-code
or
logic-fns-with-raw-code
. For functions that belong to either of the
above two lists, trace$
will supply a default value of :fncall
to
keyword :notinline
, to avoid discarding raw-Lisp code for the function.
The guard of the macro intern
has been strengthened so that its
second argument may no longer be either the symbol
*main-lisp-package-name*
or the string "COMMON-LISP"
. That change
supports another change, namely that the following symbols in the
"COMMON-LISP"
package are no longer allowed into ACL2: symbols in that
package that are not members of the list constant
*common-lisp-symbols-from-main-lisp-package*
yet are imported into the
"COMMON-LISP"
package from another package. See pkg-imports and
see symbol-package-name. To see why we made that change, consider for
example the following theorem, which ACL2 was able to prove when the host
Lisp is GCL.
(let ((x "ALLOCATE") (y 'car)) (implies (and (stringp x) (symbolp y) (equal (symbol-package-name y) "COMMON-LISP")) (equal (symbol-package-name (intern-in-package-of-symbol x y)) "SYSTEM")))Now suppose that one includes a book with this theorem (with
:
rule-classes
nil
), using an ACL2 built on top of a different
host Lisp, say CCL, that does not import the symbol SYSTEM::ALLOCATE
into
the "COMMON-LISP"
package. Then then one can prove nil
by giving
this theorem as a :use
hint.The axioms introduced by defpkg
have changed. See the discussion of
pkg-imports
under ``NEW FEATURES'' below.
The error message for free variables (e.g., in definition bodies and guards) now supplies additional information when there are governing IF conditions. Thanks to Jared Davis for requesting this enhancement and collaborating in its design.
The command :
redef-
now turns off redefinition.
Improved proof output in the case of a :
clause-processor
hint that
proves the goal, so that the clause-processor function name is printed.
The proof-checker
command `then
' now stops at the first failure (if
any).
It is no longer permitted to submit definitions in :logic
mode for merely
part of an existing mutual-recursion
event. Such an action left the
user in an odd state and seemed a potential soundness hole.
The function break$
is now in :
logic
mode. Thanks to Jared
Davis for requesting this enhancement.
The macro verify-termination
now provides clearer output in the case
that it is redundant. More important perhaps, as a courtesy it now causes an
error when applied to a constrained function, since presumably such an
application was unintended (as the constrained function could never have been
in :
program
mode). Note that if one desires different behavior,
one can create one's own version of verify-termination
(but with a
different name).
Improved the guards for the following functions, often weakening them,
to reflect more precisely the requirements for calling eq
:
alist-difference-eq
, intersection-eq
, intersection1-eq
,
intersectp-eq
, not-in-domain-eq
, set-difference-assoc-eq
,
set-equalp-eq
, and union-eq
. Thanks to Jared Davis for pointing
out this issue for intersectp-eq
.
(CCL only) Made a change that can reduce the size of a compiled file produced
by certify-book
when the host Lisp is CCL, by discarding source
information (for example, discarding local
events).
NEW FEATURES
See the discussion above about new statistics that can be gathered by the
accumulated-persistence
utility.
A new hint, :
instructions
, allows use of the proof-checker at
the level of hints to the prover. Thanks to Pete Manolios for
requesting this feature (in 2001!). See instructions.
(For system hackers) There are new versions of system functions
translate1
and translate
, namely translate1-cmp
and
translate-cmp
respectively, that do not take or return state
. See
the Essay on Context-message Pairs for relevant information. Thanks to David
Rager for collaborating on this enhancement.
A new utility, return-last
, is now the unique ACL2 function that can
pass back a multiple value result from one of its arguments. Thus, now the
following are macros whose calls ultimately expand to calls of
return-last
: prog2$
, time$
, with-prover-time-limit
,
with-guard-checking
, mbe
(and must-be-equal
), and
ec-call
. With an active trust tag, an advanced user can now write code
that has side effects in raw Lisp; see return-last. Thanks to Jared Davis
for requesting this feature.
A new function, pkg-imports
, specifies the list of symbols imported
into a given package. The axioms for defpkg
have been strengthened,
taking advantage of this function. Now one can prove theorems using ACL2
that we believe could not previously be proved using ACL2, for example the
following.
(equal (symbol-package-name (intern-in-package-of-symbol str t)) (symbol-package-name (intern-in-package-of-symbol str nil)))Thanks to Sol Swords for a helpful report, which included the example above. See pkg-imports and see defpkg.
Added function no-duplicatesp-eq
.
Added a new hint keyword, :
backchain-limit-rw
, to control the level
of backchaining for rewrite, meta, and linear rules. This
overrides, for the current goal and (as with :
in-theory
hints)
descendent goals, the default backchain-limit
(see set-backchain-limit). Thanks to Jared Davis for requesting this
feature.
Support is now provided for creating and certifying books that do not depend
on trust tags, in the case that the only use of trust tags is during
make-event
expansion. See set-write-acl2x. Thanks to Sol Swords for
reporting a couple of bugs in a preliminary implementation.
Function (file-write-date$ filename state)
has been added, giving the
write date of the given file.
See forward-chaining-reports for how to get new reports on the forward chaining activity occurring in your proof attempts. Thanks to Dave Greve for inspiring the addition of this utility.
It is now possible to use ACL2's printing utilities to return strings, by
opening output channels to the keyword :STRING
rather than to filenames.
See io. Thanks to Jared Davis for a helpful conversation that led us to add
this feature.
HEURISTIC IMPROVEMENTS
We have slightly improved the handling of :
forward-chaining
rules that contain free variables. Formerly, such rules might fire only
once, when the first match for a free variable is discovered, and would
not fire again even if subsequent forward chaining made available another
match. This made it difficult to predict whether a rule with free
variables would fire or not, depending as it did on the order in which
newly derived conclusions were added. The new handling is a little
slower but more predictable. Thanks to Dave Greve for sending a helpful
example that led us to consider making such an improvement.
We have slightly improved the so-called ``type-set'' heuristics to work
a bit harder on terms of the form (rec term)
, where rec
is a
so-called ``compound-recognizer'' function, that is, a function with a
corresponding enabled :
compound-recognizer
rule. Thanks to Jared
Davis for sending a helpful example (found, in essence, in the modified
function type-set-rec
, source file type-set-b.lisp
).
We made three heuristic improvements in the way contexts (so-called ``type-alists'') are computed from goals (``clauses''). Although these changes did not noticeably affect timing results for the ACL2 regression suite, they can be very helpful for goals with many hypotheses. Thanks to Dave Greve for sending a useful example (one where we found a goal with 233 hypotheses!).
The algorithm for substituting alists into terms was modified. This change is unlikely to affect many users, but in one example it resulted in a speed-up of about 21%. Thanks to Dave Greve for supplying that example.
Sped up include-book
a bit by memoizing checksums of symbols. (This
change pertains to ``normal'' ACL2 only, not the hons
version
(see hons-and-memoization, where such memoization already occurred.) We
found about a 23% speed-up on an example from Dave Greve.
Made a small change to the algorithm used to prove hypotheses of
:
type-prescription
rules (ACL2 source function
type-set-relieve-hyps
). One change avoids a linear walk through the context
(the ``type-alist'' structure), while the other could avoid storing
unnecessary force
d assumptions (into the so-called ``tag-tree'').
BUG FIXES
Fixed a long-standing soundness bug caused by the interaction of force
d
hypotheses with destructor elimination. The fix was to avoid using
forcing when building the context (so-called ``type-alist'') when the goal is
considered for destructor elimination; those who are interested can see a
discussion in source function eliminate-destructors-clause1
, which
includes a proof of nil
that no longer succeeds. A similar fix was made
for generalization, though we have not exploited the previous code to prove
nil
in that case.
Fixed a bug that allowed book certification to ignore skip-proofs
around
encapsulate
events. Thus, a book could contain an event of the
form (skip-proofs (encapsulate ...))
, and a call of certify-book
on
that book could succeed even without supplying keyword
:skip-proofs-okp t
. This bug was introduced in Version 3.5 (May,
2009).
Fixed a bug that could occur when including a book that attempts to redefine
a function as a macro, or vice-versa. (For details of the issue, see the
comment in the definition of variable *hcomp-fn-macro-restore-ht*
in
source file other-events.lisp
.)
(Windows only) Fixed handling of the Windows drive so that an executable image saved on one machine can be used on another, even with a different drive. Thanks to Harsh Raju Chamarthi for reporting this issue and doing a lot of testing and collaboration to help us get this right.
Made a change to avoid possible low-level errors, such as bus errors, when
quitting ACL2 by calling good-bye
or its synonyms. This was occurring
in CCL, and we are grateful to Gary Byers for helping us find the source of
those errors (which basically was that ACL2 was attempting to quit while
already in the process of quitting).
Fixed a bug in with-guard-checking
, which was being ignored in function
bodies.
Fixed a bug in top-level
, which was not reverting the logical
world when an error resulted from evaluation of the given form. Thanks
to Jared Davis for bringing this bug to our attention.
Fixed a long-standing bug (back through Version 2.7) that was discarding
changes to the connected book directory (see cbd) when exiting and then
re-entering the top-level ACL2 loop (with lp
).
In some host Lisps, it has been possible to be in a situation where it is impossible to interrupt checkpoint printing during the summary. We had thought this solved when the host Lisp was CCL, but Sol Swords sent us an example (for which we are grateful) illustrating that this behavior could occur. This has been fixed.
Fixed a bug in a proof obligation generated for :
meta
and
:
clause-processor
rules, that the guard on the metafunction or
clause-processor function, fn
, holds under suitable assumptions. Those
assumptions include not only that the first argument of fn
satisfies
pseudo-termp
, but also that all stobj inputs satisfy the
corresponding stobj recognizer predicates. We had erroneously considered
stobj outputs of fn
instead of stobj inputs. Thanks to Sol Swords for
bringing this bug to our attention with a simple example, and correctly
pointing us to the bug in our code.
Fixed the following bugs in defattach
. We hadn't always been applying
the full functional substitution when generating guard proof obligations. We
had been able to hit an assertion when reattaching to more than one function.
Attachment was permitted in the case of an untouchable function
(see remove-untouchable). Finally, the guard proof obligation could fail in
the case that the two functions have different formal parameter lists, as in
the following example.
(encapsulate ((foo (x) x :guard (symbolp x))) (local (defun foo (x) x))) (defun bar (x2) (declare (xargs :guard (symbolp x2))) x2) (defattach foo bar)
Fixed a raw Lisp error that could be caused by including a book using
make-event
to define a function symbol in a locally-introduced package.
An example appears in a comment in ACL2 source function
write-expansion-file
.
Made a change that can prevent an error near the end of book certification
when the underlying Host Lisp is Allegro Common Lisp, in the case that
environment variable ACL2_SYSTEM_BOOKS
has been set to the name of a
directory with a parent that is a soft link. Thanks to Dave Greve for
supplying an example to led us to this fix, which involves avoiding Allegro
CL's implementation of the Common Lisp function, truename
.
Fixed a bug that was failing to substitute fully using bindings of free
variables in force
d hypotheses. A related change is that instead of
binding such a free variable to a new variable of the form ???-Y
, the new
variable is now of the form UNBOUND-FREE-Y
.
Fixed a bug that could inhibit the printing of certain theory warnings (and probably, in the other direction, cause inappropriate such printing).
We eliminated excessive "Raw-mode"
warnings about
add-include-book-dir
that could be generated by the use of raw-mode
during include-book
. Thanks to Dave Greve for bringing this issue to
our attention.
Fixed the printing of results from forms within an encapsulate
, so that
they are abbreviated according to the ld-evisc-tuple
.
It is now possible to evaluate stobj-related forms after evaluating
:
set-guard-checking
:none
or :
set-guard-checking
nil
, even in cases where such evaluation formerly caused a guard
violation due to a bug in ACL2. Here is an example of an error that no
longer occurs.
ACL2 !>(defstobj st fld) Summary Form: ( DEFSTOBJ ST ...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, other: 0.00) ST ACL2 !>(set-guard-checking :none) Turning off guard checking entirely. To allow execution in raw Lisp for functions with guards other than T, while continuing to mask guard violations, :SET-GUARD-CHECKING NIL. See :DOC set-guard-checking. ACL2 >(fld st) ACL2 Error in TOP-LEVEL: The guard for the function call (FLD ST), which is (STP ST), is violated by the arguments in the call (FLD ST). [... etc. ...]You can understand how things now work by imagining that when a function introduced by
defstobj
is called, guard
-checking values of
:none
or nil
are temporarily converted to t
. Thanks to Pete
Manolios, Ian Johnson, and Harsh Raju Chamarthi for requesting this
improvement.Fixed a bug in which the wrong attachment could be made when the same
function has an attachment in a book and another in the certification world
of that book (possibly even built into ACL2), if the load of a compiled file
is aborted because a sub-book's compiled file is missing. The bug has been
present since the time that defattach
was added (Version_4.0). An
example may be found in a comment in the deflabel
for note-4-2
(ACL2 source file ld.lisp
).
The :
doc
and related utilities now cause a clean error when
provided other than a symbol. Thanks to Jared Davis for pointing out the raw
Lisp error that had occurred in such cases.
It had been the case that in raw-mode (see set-raw-mode), it was possible to
confuse include-book
when including a book in a directory different
from the current directory. This has been fixed. Thanks to Hanbing Liu for
bringing this problem to our attention with a small example.
NEW AND UPDATED BOOKS AND RELATED INFRASTRUCTURE
Many changes have been made to the distributed books, thanks to an active
ACL2 community. You can contribute books and obtain updates between ACL2
releases by visiting the acl2-books
project web page,
http://acl2-books.googlecode.com/.
There is new Makefile
support for certifying just some of the distributed
books. See books-certification-classic, in particular discussion of the
variable ACL2_BOOK_DIRS
. Thanks to Sandip Ray for requesting this
enhancement.
The documentation for make-event
now points to a new book,
books/make-event/defrule.lisp
, that shows how make-event
can be used to
do macroexpansion before generating events. Thanks to Carl Eastlund for
useful interaction on the acl2-help mailing list that led us to add this
example.
EMACS SUPPORT
Incorporated a version of changes from Jared Davis to the control-t f
emacs utility (distributed file emacs/emacs-acl2.el
), so that one can
fill a format string from anywhere within the string.
EXPERIMENTAL VERSIONS
We refrain from listing changes here to experimental versions, other than an
enhancement to the HONS version that can reduce sizes of
certificate files, by applying hons-copy
to introduce structure
sharing (ACL2 source function make-certificate-file1
).