7 - Department of Computer Science
advertisement
Induction Schemes
Math Foundations of Computer
Science
Topics
Induction Example
Induction scheme over the naturals
Termination
Reduction to equational reasoning
ACL2 proof
General Induction Schemes
Induction scheme over lists
Induction over recursively defined data structures
nind
(defunc nind (n)
:input-contract (natp n)
:output-contract t
(if (equal n 0)
0
(nind (- n 1))))
This function is admissible. Given a natural number n it
counts down to 0 and returns, therefore it is terminating.
Induction Scheme over Naturals
Every terminating function gives rise to an
induction scheme
1. (not (natp n)) ⇒
2. (natp n) ∧ (equal n 0) ⇒
3. (natp n) ∧ (not (equal n 0)) ∧ |((n n-1)) ⇒
(1) and (2) are base cases and (3) is the
induction hypothesis
More powerful than case analysis since you
can use assume the induction hypothesis
Why does Induction Work?
By (1) holds for (not (natp n))
By (2) |((n 0))
By (3)
(natp 1) ∧ (not (equal 1 0)) ∧ |((n 0)) ⇒ |((n 1))
(natp 2) ∧ (not (equal 2 0)) ∧ |((n 1)) ⇒ |((n 2))
(natp 3) ∧ (not (equal 3 0)) ∧ |((n 2)) ⇒ |((n 3))
…
sum
(defunc sum (n)
:input-contract (natp n)
:output-contract (integerp (sum n))
(if (equal n 0)
0
(+ n (sum (- n 1)))))
Conjecture. (sum n) = n*(n+1)/2
Induction Scheme for sum
Theorem. (natp n) ⇒ (equal (sum n) (/ (* n
(+ n 1)) 2)) {contract check}
1. (not (natp n)) ⇒ (natp n) ⇒ (equal (sum n) (/ (*
n (+ n 1)) 2))
2. (natp n) ∧ (equal n 0) ⇒ (natp n) ⇒ (equal (sum
n) (/ (* n (+ n 1)) 2))
3. (natp n) ∧ (not (equal n 0)) ∧ [(natp (- n 1) ⇒
(equal (sum (- n 1) (/ (* (- n 1) n) 2))] ⇒ [(natp
n) ⇒ (equal (sum n) (/ (* n (+ n 1)) 2))]
Base Cases
1. (not (natp n)) ⇒ (natp n) ⇒ (equal (sum n)
(/ (* n (+ n 1)) 2))
A (A B) T
False implies anything
(A A) B F B F B T B T
Base Case
Use equational reasoning for case 2.
2. (natp 0) ⇒ (equal (sum 0) (/ (* 0 (+ 0 1)) 2))
(sum 0)
(if (equal 0 0) 0 (+ n (sum (- n 1))))) {def of sum and
(natp 0)}
(if t 0 (+ n (sum (- n 1))))) {equal axiom}
0 {if axiom}
(/ (* 0 (+ 0 1)) 2)) = 0 {arithmetic}
General Case (IH)
3. (natp n) ∧ (not (equal n 0)) ∧
[(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))]
⇒ [(natp n) ⇒ (equal (sum n) (/ (* n (+ n 1)) 2))]
(natp n) ∧ (not (equal n 0)) ∧
[(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))]
⇒ (equal (sum n) (/ (* n (+ n 1)) 2))
Context
(natp n) ∧ (not (equal n 0)) ∧
[(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))]
⇒ (equal (sum n) (/ (* n (+ n 1)) 2))
C1. (natp n)
C2. (not (equal n 0))
C3. (natp (- n 1)) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))
C4. (natp (- n 1)) {C1, C2}
C5. (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) {C3, C4, MP}
Proof of General Case
Theorem. (natp n) ∧ (not (equal n 0)) ∧
[(natp (- n 1) ⇒ (equal (sum (- n 1) (/ (* (- n
1) n) 2))]
⇒ (equal (sum n) (/ (* n (+ n 1)) 2))
Proof.
(sum n)
= (if (equal n 0) 0 (+ n (sum (- n 1))))) {by def of sum and C1}
= (if nil 0 (+ n (sum (- n 1))))) {by C2 and equal axiom}
= (+ n (sum (- n 1))) {by if axiom}
= (+ n (/ (* - n 1) n) 2) {by C5}
= (2n + (n-1)n)/2 = (n*n + n)/2 = n(n+1)/2 {arithmetic}
Induction in ACL2
ACL2S B !>QUERY
(thm (implies (natp n)
(equal (sum n) (/ (* n (+ n 1)) 2))))
<< Starting proof tree logging >>
Goal'
Goal''
^^^ Checkpoint Goal'' ^^^
([ A key checkpoint:
Goal''
(IMPLIES
(AND (INTEGERP N) (<= 0 N))
(EQUAL (SUM N)
(COMMON-LISP::+ (COMMON-LISP::* 1/2 N)
(COMMON-LISP::* 1/2 (COMMON-LISP::EXPT N 2)))))
Induction in ACL2
*1 (Goal'') is pushed for proof by induction.
])
Perhaps we can prove *1 by induction. One induction scheme is
suggested by this conjecture.
We will induct according to a scheme suggested by (SUM N). This
suggestion was produced using the :induction rules SUM-INDUCTIONSCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let
(:P N) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (NATP N)) (:P N))
(IMPLIES (AND (NATP N)
(NOT (EQUAL N 0))
(:P (COMMON-LISP::+ -1 N)))
(:P N))
(IMPLIES (AND (NATP N) (EQUAL N 0))
(:P N))).
Induction in ACL2
This induction is justified by the same argument used to admit SUM.
When applied to the goal at hand the above induction scheme produces
five nontautological subgoals.
^^^ Checkpoint *1 ^^^
Subgoal *1/5
Subgoal *1/4
Subgoal *1/4'
Subgoal *1/3
Subgoal *1/2
Subgoal *1/1
Subgoal *1/1'
*1 is COMPLETED!
Thus key checkpoint Goal'' is COMPLETED!
Q.E.D.
Induction in ACL2
Summary
Form: ( THM ...)
Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUNDRECOGNIZER)
(:DEFINITION *-DEFINITION-RULE)
(:DEFINITION +-DEFINITION-RULE)
(:DEFINITION NATP)
(:DEFINITION NOT)
(:DEFINITION SUM-DEFINITION-RULE)
(:DEFINITION ACL2::SYNP)
(:EXECUTABLE-COUNTERPART COMMON-LISP::<)
(:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD)
(:EXECUTABLE-COUNTERPART ACL2::BINARY-*)
(:EXECUTABLE-COUNTERPART ACL2::BINARY-+)
(:EXECUTABLE-COUNTERPART EQUAL)
(:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT)
(:EXECUTABLE-COUNTERPART INTEGERP)
(:EXECUTABLE-COUNTERPART NOT)
Induction in ACL2
(:EXECUTABLE-COUNTERPART SUM)
(:EXECUTABLE-COUNTERPART ACL2::UNARY--)
(:FAKE-RUNE-FOR-TYPE-SET NIL)
(:INDUCTION SUM-INDUCTION-SCHEME)
(:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION)
(:REWRITE ACL2::|(* -1 x)|)
(:REWRITE ACL2::|(* 0 x)|)
(:REWRITE ACL2::|(* 1 x)|)
(:REWRITE ACL2::|(* c (* d x))|)
(:REWRITE ACL2::|(* x (+ y z))|)
(:REWRITE ACL2::|(* x (- y))|)
(:REWRITE ACL2::|(* x x)|)
(:REWRITE ACL2::|(* y (* x z))|)
(:REWRITE ACL2::|(* y x)|)
(:REWRITE ACL2::|(+ (* c x) (* d x))|)
(:REWRITE ACL2::|(+ (+ x y) z)|)
(:REWRITE ACL2::|(+ (- x) (* c x))|)
(:REWRITE ACL2::|(+ 0 x)|)
Induction in ACL2
(:REWRITE ACL2::|(+ c (+ d x))|)
(:REWRITE ACL2::|(+ x (- x))|)
(:REWRITE ACL2::|(+ y (+ x z))|)
(:REWRITE ACL2::|(+ y x)|)
(:REWRITE ACL2::|(- (* c x))|)
(:REWRITE ACL2::|(expt (+ x y) 2)|)
(:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL)
(:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1)
(:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3)
(:REWRITE ACL2::NORMALIZE-ADDENDS)
(:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS)
(:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL)
(:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL)
(:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD)
(:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERPBASE)
(:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTIONNONNEGATIVE-BASE)
.
Induction in ACL2
(:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVEBASE)
(:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION))
Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other:
0.14)
Prover steps counted: 1129
Proof succeeded.
General Induction Scheme
(defunc foo (x1 . . . xn)
:input-contract ic
:output-contract oc
(cond (t1 c1)
(t2 c2)
...
(tm cm)
(t cm+1)))
None of the ci’s should have ifs in them
If ci has a recursive call to foo, it is called a recursive case
otherwise a base case.
General Induction Scheme
Case1 = t1
Case2 = t2 t1
…
Casei = ti t1 ti-1
…
Casem+1 = t t1 tm
If ci is a recursive case with Ri calls to foo with the jth call,
1 j Ri, obtained by the substitution (foo x1 . . . xn)|sij
General Induction Scheme
To prove prove the following
ic
[ic Casei]
For all ci’s that are base cases
[ic Casei 1 i Ri |sij]
For all ci’s that are recursive cases
listp
(defunc listp (l)
:input-contract t
:output-contract (booleanp (listp l))
(if (consp l)
(listp (rest l))
(equal l ())))
This function is admissible.
app
(defunc app (a b)
:input-contract (and (listp a) (listp b))
:output-contract (listp (app a b))
(if (endp a)
b
(cons (first a) (app (rest a) b))))
rev
(defunc rev (a)
:input-contract (listp a)
:output-contract (listp (rev a))
(if (endp a)
nil
(app (rev (rest a)) (cons (first a) nil))))
Conjecture
After contract checking
1. (implies (and (listp a) (listp b) (listp c)) (equal
(app a (app b c)) (app (app a b) c)))
2. (implies (and (listp a) (listp b)) (equal (len
(app a b)) (+ (len a) (len b))))
3. (implies (listp a) (equal (rev (rev a)) a))
Induction Scheme
Base Case
[(listp x) (listp y) (listp z)] ⇒ (app (app x y) z) = (app x (app y
z))
(endp x) (listp x) (listp y) (listp z) ⇒ (app (app x y) z) = (app x
(app y z))
Induction Step
[(consp x) (listp x) ∧ (listp y) ∧ (listp z)
[(listp (rest x)) ∧ (listp y) ∧ (listp z)
⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]]
⇒ (app (app x y) z) = (app x (app y z))
Conclude
(app (app x y) z) = (app x (app y z))
Failed Proof
Proof failure
(implies (listp a) (equal (rev (rev x)) x))
Proof gets stuck - Try it!
When proof gets stuck, it may suggest a
lemma which should be proved before
proceeding
Need two additional lemmas
(implies (and (listp a) (listp b)) (equal (rev (app
a b)) (app (rev b) (rev a))))
(implies (listp a) (equal (app a nil) a))
Exercise
1. Write down the induction schemes for conjectures (2)
and (3).
2. Use equational reasoning and the above induction
scheme to prove (2).
3. Use ACL2s to prove (2).
4. Try to prove (3) by hand and using ACL2s.
Where do you get stuck
5. Write down induction schemes and prove the lemmas
needed for (3).
6. Complete the proof by hand and using ACL2s of (3)
Data Function Trinity
1. Data definitions give rise to predicates
recognizing such definitions. These predicates
must be shown to terminate. Their bodies give
rise to a recursion scheme
2. Functions over these data types are defined by
using the recursion scheme as a template.
Templates allow us to define correct functions
by assuming that the function we are defining
works correctly in the recursive case.
Data Function Trinity
3. Proofs by induction involving such functions and
data definitions should use the same recursion
scheme to generate proof obligations.
Nonrecursive cases are proven directly. For each
recursive case, we assume the theorem under
any substitutions that map the formals to
arguments in that recursive call.
