Induction Schemes. Math Foundations of Computer Science

Transcription

1 Induction Schemes Math Foundations of Computer Science

2 Topics Induction Example Induction scheme over the naturals Termination Reduction to equational reasoning ACL2 proof General Induction Schemes Induction scheme over lists Induction over recursively defined data structures

3 nind (defunc nind (n) :input-contract (natp n) :output-contract t (if (equal n 0) 0 (nind (- n 1)))) This function is admissible. Given a natural number n it counts down to 0 and returns, therefore it is terminating.

4 Induction Scheme over Naturals Every terminating function gives rise to an induction scheme 1. (not (natp n)) ϕ 2. (natp n) (equal n 0) ϕ 3. (natp n) (not (equal n 0)) ϕ ((n n-1)) ϕ (1) and (2) are base cases and (3) is the induction hypothesis More powerful than case analysis since you can use assume the induction hypothesis

5 Why does Induction Work? By (1) ϕ holds for (not (natp n)) By (2) ϕ ((n 0)) By (3) (natp 1) (not (equal 1 0)) ϕ ((n 0)) ϕ ((n 1)) (natp 2) (not (equal 2 0)) ϕ ((n 1)) ϕ ((n 2)) (natp 3) (not (equal 3 0)) ϕ ((n 2)) ϕ ((n 3))

6 sum (defunc sum (n) :input-contract (natp n) :output-contract (integerp (sum n)) (if (equal n 0) 0 (+ n (sum (- n 1))))) Conjecture. (sum n) = n*(n+1)/2

7 Induction Scheme for sum Theorem. (natp n) (equal (sum n) (/ (* n (+ n 1)) 2)) {contract check} 1. (not (natp n)) (natp n) (equal (sum n) (/ (* n (+ n 1)) 2)) 2. (natp n) (equal n 0) (natp n) (equal (sum n) (/ (* n (+ n 1)) 2)) 3. (natp n) (not (equal n 0)) [(natp (- n 1) (equal (sum (- n 1) (/ (* (- n 1) n) 2))] [(natp n) (equal (sum n) (/ (* n (+ n 1)) 2))]

8 Base Cases 1. (not (natp n)) (natp n) (equal (sum n) (/ (* n (+ n 1)) 2)) A (A B) T False implies anything ( A A) B F B F B T B T

9 Base Case Use equational reasoning for case (natp 0) (equal (sum 0) (/ (* 0 (+ 0 1)) 2)) (sum 0) = (if (equal 0 0) 0 (+ n (sum (- n 1))))) {def of sum and (natp 0)} = (if t 0 (+ n (sum (- n 1))))) {equal axiom} = 0 {if axiom} (/ (* 0 (+ 0 1)) 2)) = 0 {arithmetic}

10 General Case (IH) 3. (natp n) (not (equal n 0)) [(natp (- n 1) (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] [(natp n) (equal (sum n) (/ (* n (+ n 1)) 2))] (natp n) (not (equal n 0)) [(natp (- n 1) (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal (sum n) (/ (* n (+ n 1)) 2))

11 Context (natp n) (not (equal n 0)) [(natp (- n 1) (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal (sum n) (/ (* n (+ n 1)) 2)) C1. (natp n) C2. (not (equal n 0)) C3. (natp (- n 1)) (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) C4. (natp (- n 1)) {C1, C2} C5. (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) {C3, C4, MP}

12 Proof of General Case Theorem. (natp n) (not (equal n 0)) [(natp (- n 1) (equal (sum (- n 1) (/ (* (- n 1) n) 2))] (equal (sum n) (/ (* n (+ n 1)) 2)) Proof. (sum n) = (if (equal n 0) 0 (+ n (sum (- n 1))))) {by def of sum and C1} = (if nil 0 (+ n (sum (- n 1))))) {by C2 and equal axiom} = (+ n (sum (- n 1))) {by if axiom} = (+ n (/ (* - n 1) n) 2) {by C5} = (2n + (n-1)n)/2 = (n*n + n)/2 = n(n+1)/2 {arithmetic}

13 Induction in ACL2 ACL2S B!>QUERY (thm (implies (natp n) (equal (sum n) (/ (* n (+ n 1)) 2)))) << Starting proof tree logging >> Goal' Goal'' ^^^ Checkpoint Goal'' ^^^ ([ A key checkpoint: Goal'' (IMPLIES (AND (INTEGERP N) (<= 0 N)) (EQUAL (SUM N) (COMMON-LISP::+ (COMMON-LISP::* 1/2 N) (COMMON-LISP::* 1/2 (COMMON-LISP::EXPT N 2)))))

14 Induction in ACL2 *1 (Goal'') is pushed for proof by induction. ]) Perhaps we can prove *1 by induction. One induction scheme is suggested by this conjecture. We will induct according to a scheme suggested by (SUM N). This suggestion was produced using the :induction rules SUM-INDUCTION- SCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let (:P N) denote *1 above then the induction scheme we'll use is (AND (IMPLIES (NOT (NATP N)) (:P N)) (IMPLIES (AND (NATP N) (NOT (EQUAL N 0)) (:P (COMMON-LISP::+ -1 N))) (:P N)) (IMPLIES (AND (NATP N) (EQUAL N 0)) (:P N))).

15 Induction in ACL2 This induction is justified by the same argument used to admit SUM. When applied to the goal at hand the above induction scheme produces five nontautological subgoals. ^^^ Checkpoint *1 ^^^ Subgoal *1/5 Subgoal *1/4 Subgoal *1/4' Subgoal *1/3 Subgoal *1/2 Subgoal *1/1 Subgoal *1/1' *1 is COMPLETED! Thus key checkpoint Goal'' is COMPLETED! Q.E.D.

16 Induction in ACL2 Summary Form: ( THM...) Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND- RECOGNIZER) (:DEFINITION *-DEFINITION-RULE) (:DEFINITION +-DEFINITION-RULE) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SUM-DEFINITION-RULE) (:DEFINITION ACL2::SYNP) (:EXECUTABLE-COUNTERPART COMMON-LISP::<) (:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD) (:EXECUTABLE-COUNTERPART ACL2::BINARY-*) (:EXECUTABLE-COUNTERPART ACL2::BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT)

17 Induction in ACL2 (:EXECUTABLE-COUNTERPART SUM) (:EXECUTABLE-COUNTERPART ACL2::UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SUM-INDUCTION-SCHEME) (:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION) (:REWRITE ACL2:: (* -1 x) ) (:REWRITE ACL2:: (* 0 x) ) (:REWRITE ACL2:: (* 1 x) ) (:REWRITE ACL2:: (* c (* d x)) ) (:REWRITE ACL2:: (* x (+ y z)) ) (:REWRITE ACL2:: (* x (- y)) ) (:REWRITE ACL2:: (* x x) ) (:REWRITE ACL2:: (* y (* x z)) ) (:REWRITE ACL2:: (* y x) ) (:REWRITE ACL2:: (+ (* c x) (* d x)) ) (:REWRITE ACL2:: (+ (+ x y) z) ) (:REWRITE ACL2:: (+ (- x) (* c x)) ) (:REWRITE ACL2:: (+ 0 x) )

18 . Induction in ACL2 (:REWRITE ACL2:: (+ c (+ d x)) ) (:REWRITE ACL2:: (+ x (- x)) ) (:REWRITE ACL2:: (+ y (+ x z)) ) (:REWRITE ACL2:: (+ y x) ) (:REWRITE ACL2:: (- (* c x)) ) (:REWRITE ACL2:: (expt (+ x y) 2) ) (:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL) (:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERP- BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION- NONNEGATIVE-BASE)

19 Induction in ACL2 (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVE- BASE) (:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION)) Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other: 0.14) Prover steps counted: 1129 Proof succeeded.

20 General Induction Scheme (defunc foo (x 1... x n ) :input-contract ic :output-contract oc (cond (t 1 c 1 ) (t 2 c 2 )... (t m c m ) (t c m+1 ))) None of the c i s should have ifs in them If c i has a recursive call to foo, it is called a recursive case otherwise a base case.

21 General Induction Scheme Case 1 = t 1 Case 2 = t 2 t 1 Case i = t i t 1 t i-1 Case m+1 = t t 1 t m If c i is a recursive case with R i calls to foo with the jth call, 1 j R i, obtained by the substitution (foo x 1... x n ) s ij

22 General Induction Scheme To prove ϕ prove the following ic ϕ [ic Case i ] ϕ For all c i s that are base cases [ic Case i 1 i R i ϕ sij ] ϕ For all c i s that are recursive cases

23 listp (defunc listp (l) :input-contract t :output-contract (booleanp (listp l)) (if (consp l) (listp (rest l)) (equal l ()))) This function is admissible.

24 app (defunc app (a b) :input-contract (and (listp a) (listp b)) :output-contract (listp (app a b)) (if (endp a) b (cons (first a) (app (rest a) b))))

25 rev (defunc rev (a) :input-contract (listp a) :output-contract (listp (rev a)) (if (endp a) nil (app (rev (rest a)) (cons (first a) nil))))

26 Conjecture After contract checking 1. (implies (and (listp a) (listp b) (listp c)) (equal (app a (app b c)) (app (app a b) c))) 2. (implies (and (listp a) (listp b)) (equal (len (app a b)) (+ (len a) (len b)))) 3. (implies (listp a) (equal (rev (rev a)) a))

27 Induction Scheme Base Case [(listp x) (listp y) (listp z)] (app (app x y) z) = (app x (app y z)) (endp x) (listp x) (listp y) (listp z) (app (app x y) z) = (app x (app y z)) Induction Step [(consp x) (listp x) (listp y) (listp z) [(listp (rest x)) (listp y) (listp z) (app (app (rest x) y) z) = (app (rest x) (app y z))]] (app (app x y) z) = (app x (app y z)) Conclude (app (app x y) z) = (app x (app y z))

28 Failed Proof Proof failure (implies (listp a) (equal (rev (rev x)) x)) Proof gets stuck - Try it! When proof gets stuck, it may suggest a lemma which should be proved before proceeding Need two additional lemmas (implies (and (listp a) (listp b)) (equal (rev (app a b)) (app (rev b) (rev a)))) (implies (listp a) (equal (app a nil) a))

29 Exercise 1. Write down the induction schemes for conjectures (2) and (3). 2. Use equational reasoning and the above induction scheme to prove (2). 3. Use ACL2s to prove (2). 4. Try to prove (3) by hand and using ACL2s. Where do you get stuck 5. Write down induction schemes and prove the lemmas needed for (3). 6. Complete the proof by hand and using ACL2s of (3)

30 Data Function Trinity 1. Data definitions give rise to predicates recognizing such definitions. These predicates must be shown to terminate. Their bodies give rise to a recursion scheme 2. Functions over these data types are defined by using the recursion scheme as a template. Templates allow us to define correct functions by assuming that the function we are defining works correctly in the recursive case.

31 Data Function Trinity 3. Proofs by induction involving such functions and data definitions should use the same recursion scheme to generate proof obligations. Nonrecursive cases are proven directly. For each recursive case, we assume the theorem under any substitutions that map the formals to arguments in that recursive call.