Theorem Proving Principles, Techniques, Applications Recursion

Size: px

Start display at page:

Download "Theorem Proving Principles, Techniques, Applications Recursion"

Clarence Perry
5 years ago
Views:

1 NICTA Advanced Course Theorem Proving Principles, Techniques, Applications Recursion 1

2 CONTENT Intro & motivation, getting started with Isabelle Foundations & Principles Lambda Calculus Higher Order Logic, natural deduction Term rewriting Proof & Specification Techniques Inductively defined sets, rule induction Datatypes, recursion, induction Calculational reasoning, mathematics style proofs Hoare logic, proofs about programs CONTENT 2

3 LAST TIME Sets in Isabelle LAST TIME 3

4 LAST TIME Sets in Isabelle Inductive Definitions LAST TIME 3-A

5 LAST TIME Sets in Isabelle Inductive Definitions Rule induction LAST TIME 3-B

6 LAST TIME Sets in Isabelle Inductive Definitions Rule induction Fixpoints LAST TIME 3-C

7 LAST TIME Sets in Isabelle Inductive Definitions Rule induction Fixpoints Isar: induct and cases LAST TIME 3-D

8 DATATYPES Example: datatype a list = Nil Cons a a list Properties: DATATYPES 4

9 DATATYPES Example: datatype a list = Nil Cons a a list Properties: Constructors: Nil :: a list Cons :: a a list a list DATATYPES 4-A

10 DATATYPES Example: datatype a list = Nil Cons a a list Properties: Constructors: Nil :: a list Cons :: a a list a list Distinctness: Nil Cons x xs DATATYPES 4-B

11 DATATYPES Example: datatype a list = Nil Cons a a list Properties: Constructors: Nil :: a list Cons :: a a list a list Distinctness: Injectivity: Nil Cons x xs (Cons x xs = Cons y ys) = (x = y xs = ys) DATATYPES 4-C

12 THE GENERAL CASE datatype (α 1,..., α n ) τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk THE GENERAL CASE 5

13 THE GENERAL CASE datatype (α 1,..., α n ) τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk Constructors: C i :: τ i,1... τ i,ni (α 1,..., α n ) τ THE GENERAL CASE 5-A

14 THE GENERAL CASE datatype (α 1,..., α n ) τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk Constructors: C i :: τ i,1... τ i,ni (α 1,..., α n ) τ Distinctness: C i... C j... if i j THE GENERAL CASE 5-B

15 THE GENERAL CASE datatype (α 1,..., α n ) τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk Constructors: C i :: τ i,1... τ i,ni (α 1,..., α n ) τ Distinctness: C i... C j... if i j Injectivity: (C i x 1... x ni = C i y 1... y ni ) = (x 1 = y 1... x ni = y ni ) THE GENERAL CASE 5-C

16 THE GENERAL CASE datatype (α 1,..., α n ) τ = C 1 τ 1,1... τ 1,n1... C k τ k,1... τ k,nk Constructors: C i :: τ i,1... τ i,ni (α 1,..., α n ) τ Distinctness: C i... C j... if i j Injectivity: (C i x 1... x ni = C i y 1... y ni ) = (x 1 = y 1... x ni = y ni ) Distinctness and Injectivity applied automatically THE GENERAL CASE 5-D

17 HOW IS THIS TYPE DEFINED? datatype a list = Nil Cons a a list internally defined using typedef HOW IS THIS TYPE DEFINED? 6

18 HOW IS THIS TYPE DEFINED? datatype a list = Nil Cons a a list internally defined using typedef hence: describes a set HOW IS THIS TYPE DEFINED? 6-A

19 HOW IS THIS TYPE DEFINED? datatype a list = Nil Cons a a list internally defined using typedef hence: describes a set set = trees with constructors as nodes HOW IS THIS TYPE DEFINED? 6-B

20 HOW IS THIS TYPE DEFINED? datatype a list = Nil Cons a a list internally defined using typedef hence: describes a set set = trees with constructors as nodes inductive definition to characterize which trees belong to datatype HOW IS THIS TYPE DEFINED? 6-C

21 HOW IS THIS TYPE DEFINED? datatype a list = Nil Cons a a list internally defined using typedef hence: describes a set set = trees with constructors as nodes inductive definition to characterize which trees belong to datatype More detail: Datatype Universe.thy HOW IS THIS TYPE DEFINED? 6-D

22 DATATYPE LIMITATIONS Must be definable as set. DATATYPE LIMITATIONS 7

23 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. DATATYPE LIMITATIONS 7-A

24 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. Mutually recursive ok. DATATYPE LIMITATIONS 7-B

25 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. Mutually recursive ok. Stricly positive (left of function arrow) occurence ok. DATATYPE LIMITATIONS 7-C

26 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. Mutually recursive ok. Stricly positive (left of function arrow) occurence ok. Not ok: datatype t = C (t bool) DATATYPE LIMITATIONS 7-D

27 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. Mutually recursive ok. Stricly positive (left of function arrow) occurence ok. Not ok: datatype t = C (t bool) D ((bool t) bool) DATATYPE LIMITATIONS 7-E

28 DATATYPE LIMITATIONS Must be definable as set. Infinitely branching ok. Mutually recursive ok. Stricly positive (left of function arrow) occurence ok. Not ok: datatype t = C (t bool) D ((bool t) bool) E ((t bool) bool) Because: Cantor s theorem (α set is larger than α) DATATYPE LIMITATIONS 7-F

29 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) CASE 8

30 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) In general: one case per constructor CASE 8-A

31 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) In general: one case per constructor Same order of cases as in datatype CASE 8-B

32 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) In general: one case per constructor Same order of cases as in datatype No nested patterns (e.g. x#y#zs) CASE 8-C

33 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) In general: one case per constructor Same order of cases as in datatype No nested patterns (e.g. x#y#zs) (But nested cases) CASE 8-D

34 CASE Every datatype introduces a case construct, e.g. (case xs of []... y #ys... y... ys...) In general: one case per constructor Same order of cases as in datatype No nested patterns (e.g. x#y#zs) (But nested cases) Needs () in context CASE 8-E

35 CASES apply (case tac t) CASES 9

36 CASES apply (case tac t) creates k subgoals [t = C i x 1... x p ;... ] =... one for each constructor C i CASES 9-A

37 DEMO 10

38 RECURSION 11

39 WHY NONTERMINATION CAN BE HARMFUL How about f x = f x + 1? WHY NONTERMINATION CAN BE HARMFUL 12

40 WHY NONTERMINATION CAN BE HARMFUL How about f x = f x + 1? Subtract f x on both sides. WHY NONTERMINATION CAN BE HARMFUL 12-A

41 WHY NONTERMINATION CAN BE HARMFUL How about f x = f x + 1? Subtract f x on both sides. = 0 = 1 WHY NONTERMINATION CAN BE HARMFUL 12-B

42 WHY NONTERMINATION CAN BE HARMFUL How about f x = f x + 1? Subtract f x on both sides. = 0 = 1! All functions in HOL must be total! WHY NONTERMINATION CAN BE HARMFUL 12-C

43 PRIMITIVE RECURSION primrec guarantees termination structurally Example primrec def: PRIMITIVE RECURSION 13

44 PRIMITIVE RECURSION primrec guarantees termination structurally Example primrec def: consts app :: a list a list a list primrec app Nil ys = ys app (Cons x xs) ys = Cons x (app xs ys) PRIMITIVE RECURSION 13-A

45 THE GENERAL CASE If τ is a datatype (with constructors C 1,..., C k ) then f :: τ τ can be defined by primitive recursion: f (C 1 y 1,1... y 1,n1 ) = r 1. f (C k y k,1... y k,nk ) = r k THE GENERAL CASE 14

46 THE GENERAL CASE If τ is a datatype (with constructors C 1,..., C k ) then f :: τ τ can be defined by primitive recursion: f (C 1 y 1,1... y 1,n1 ) = r 1. f (C k y k,1... y k,nk ) = r k The recursive calls in r i must be structurally smaller (of the form f a 1... y i,j... a p ) THE GENERAL CASE 14-A

47 Example: HOW DOES THIS WORK? primrec just fancy syntax for a recursion operator HOW DOES THIS WORK? 15

48 Example: HOW DOES THIS WORK? primrec just fancy syntax for a recursion operator list rec :: b ( a a list b b) a list b list rec f 1 f 2 Nil = f 1 list rec f 1 f 2 (Cons x xs) = f 2 x xs (list rec f 1 f 2 xs) HOW DOES THIS WORK? 15-A

49 Example: HOW DOES THIS WORK? primrec just fancy syntax for a recursion operator list rec :: b ( a a list b b) a list b list rec f 1 f 2 Nil = f 1 list rec f 1 f 2 (Cons x xs) = f 2 x xs (list rec f 1 f 2 xs) app list rec (λys. ys) (λx xs xs. λys. Cons x (xs ys)) HOW DOES THIS WORK? 15-B

50 Example: HOW DOES THIS WORK? primrec just fancy syntax for a recursion operator list rec :: b ( a a list b b) a list b list rec f 1 f 2 Nil = f 1 list rec f 1 f 2 (Cons x xs) = f 2 x xs (list rec f 1 f 2 xs) app list rec (λys. ys) (λx xs xs. λys. Cons x (xs ys)) Defined: automatically, first inductively (set), then by epsilon HOW DOES THIS WORK? 15-C

51 Example: HOW DOES THIS WORK? primrec just fancy syntax for a recursion operator list rec :: b ( a a list b b) a list b list rec f 1 f 2 Nil = f 1 list rec f 1 f 2 (Cons x xs) = f 2 x xs (list rec f 1 f 2 xs) app list rec (λys. ys) (λx xs xs. λys. Cons x (xs ys)) Defined: automatically, first inductively (set), then by epsilon (Nil, f 1 ) list rel f 1 f 2 (xs, xs ) list rel f 1 f 2 (Cons x xs, f 2 x xs xs ) list rel f 1 f 2 list rec f 1 f 2 xs SOME y. (xs, y) list rel f 1 f 2 HOW DOES THIS WORK? 15-D

52 PREDEFINED DATATYPES 16

53 NAT IS A DATATYPE datatype nat = 0 Suc nat NAT IS A DATATYPE 17

54 NAT IS A DATATYPE datatype nat = 0 Suc nat Functions on nat definable by primrec! primrec f 0 =... f (Suc n) =... f n... NAT IS A DATATYPE 17-A

55 OPTION datatype a option = None Some a Important application: b a option partial function: OPTION 18

56 OPTION datatype a option = None Some a Important application: b a option partial function: None no result Some a result a Example: consts lookup :: k ( k v) list v option primrec OPTION 18-A

57 OPTION datatype a option = None Some a Important application: b a option partial function: None no result Some a result a Example: consts lookup :: k ( k v) list v option primrec lookup k [] = None lookup k (x #xs) = OPTION 18-B

58 OPTION datatype a option = None Some a Important application: b a option partial function: None no result Some a result a Example: consts lookup :: k ( k v) list v option primrec lookup k [] = None lookup k (x #xs) = (if fst x = k then Some (snd x) else lookup k xs) OPTION 18-C

59 DEMO: PRIMREC 19

60 INDUCTION 20

61 STRUCTURAL INDUCTION P xs holds for all lists xs if P Nil and for arbitrary x and xs, P xs = P (x#xs) STRUCTURAL INDUCTION 21

62 STRUCTURAL INDUCTION P xs holds for all lists xs if P Nil and for arbitrary x and xs, P xs = P (x#xs) Induction theorem list.induct: [P []; V a list. P list = P (a#list)] = P list STRUCTURAL INDUCTION 21-A

63 STRUCTURAL INDUCTION P xs holds for all lists xs if P Nil and for arbitrary x and xs, P xs = P (x#xs) Induction theorem list.induct: [P []; V a list. P list = P (a#list)] = P list General proof method for induction: (induct x) x must be a free variable in the first subgoal. type of x must be a datatype. STRUCTURAL INDUCTION 21-B

64 BASIC HEURISTICS Theorems about recursive functions are proved by induction Induction on argument number i of f if f is defined by recursion on argument number i BASIC HEURISTICS 22

65 EXAMPLE A tail recursive list reverse: consts itrev :: a list a list a list primrec itrev [] ys = EXAMPLE 23

66 EXAMPLE A tail recursive list reverse: consts itrev :: a list a list a list primrec itrev [] ys = ys itrev (x#xs) ys = EXAMPLE 23-A

67 EXAMPLE A tail recursive list reverse: consts itrev :: a list a list a list primrec itrev [] ys = ys itrev (x#xs) ys = itrev xs (x#ys) EXAMPLE 23-B

68 EXAMPLE A tail recursive list reverse: consts itrev :: a list a list a list primrec itrev [] ys = ys itrev (x#xs) ys = itrev xs (x#ys) lemma itrev xs [] = rev xs EXAMPLE 23-C

69 DEMO: PROOF ATTEMPT 24

70 GENERALISATION Replace constants by variables lemma itrev xs ys = rev xs@ys GENERALISATION 25

71 GENERALISATION Replace constants by variables lemma itrev xs ys = rev xs@ys Quantify free variables by (except the induction variable) GENERALISATION 25-A

72 GENERALISATION Replace constants by variables lemma itrev xs ys = rev xs@ys Quantify free variables by (except the induction variable) lemma ys. itrev xs ys = rev xs@ys GENERALISATION 25-B

73 ISAR 26

74 proof (cases term) case Constructor 1. next. next case (Constructor k x) x qed DATATYPE CASE DISTINCTION DATATYPE CASE DISTINCTION 27

75 proof (cases term) case Constructor 1. next. next case (Constructor k x) x qed DATATYPE CASE DISTINCTION case (Constructor i x) fix x assume Constructor i : term = Constructor i x DATATYPE CASE DISTINCTION 27-A

76 STRUCTURAL INDUCTION FOR TYPE NAT show P n proof (induct n) case 0 let?case = P 0... show?case next case (Suc n) fix n assume Suc: P n... let?case = P (Suc n) n show?case qed STRUCTURAL INDUCTION FOR TYPE NAT 28

77 STRUCTURAL INDUCTION WITH = AND show x. A n = P n proof (induct n) case 0 fix x assume 0: A 0... let?case = P 0 show?case next case (Suc n) fix n and x... assume Suc: x. A n = P n n A (Suc n)... let?case = P (Suc n) show?case qed STRUCTURAL INDUCTION WITH = AND V 29

78 DEMO 30

79 WE HAVE SEEN TODAY... Datatypes WE HAVE SEEN TODAY... 31

80 WE HAVE SEEN TODAY... Datatypes Primite Recursion WE HAVE SEEN TODAY A

81 WE HAVE SEEN TODAY... Datatypes Primite Recursion Case distinction WE HAVE SEEN TODAY B

82 WE HAVE SEEN TODAY... Datatypes Primite Recursion Case distinction Induction WE HAVE SEEN TODAY C

83 EXERCISES look at Datatype_Universe.html define a primitive recursive function listsum :: nat list nat that returns the sum of the elements in a list. show 2 listsum [0..n] = n (n + 1) show listsum (replicate n a) = n a define a function listsumt using a tail recursive version of listsum. show that the two functions are equivalent: listsum xs = listsumt xs EXERCISES 32

84 NEXT LECTURE Nicolas Magaud on The Coq System Monday 15:00 16:30 NEXT LECTURE 33

Isabelle s meta-logic. p.1

Isabelle s meta-logic. p.1 Isabelle s meta-logic p.1 Basic constructs Implication = (==>) For separating premises and conclusion of theorems p.2 Basic constructs Implication = (==>) For separating premises and conclusion of theorems