Upload
harvey-bates
View
221
Download
1
Embed Size (px)
Citation preview
Induction Schemes
Math Foundations of Computer Science
Topics Induction Example
Induction scheme over the naturals Termination Reduction to equational reasoning ACL2 proof
General Induction Schemes Induction scheme over lists Induction over recursively defined data structures
nind
(defunc nind (n)
:input-contract (natp n)
:output-contract t
(if (equal n 0)
0
(nind (- n 1))))
This function is admissible. Given a natural number n it counts down to 0 and returns, therefore it is terminating.
Induction Scheme over Naturals
Every terminating function gives rise to an induction scheme1. (not (natp n)) ⇒ 2. (natp n) (equal n 0) ∧ ⇒ 3. (natp n) (not (equal n 0)) ∧ ∧ |((n n-1)) ⇒
(1) and (2) are base cases and (3) is the induction hypothesis
More powerful than case analysis since you can use assume the induction hypothesis
Why does Induction Work?
By (1) holds for (not (natp n)) By (2) |((n 0)) By (3)
(natp 1) (not (equal 1 0)) ∧ ∧ |((n 0)) ⇒ |((n 1))
(natp 2) (not (equal 2 0)) ∧ ∧ |((n 1)) ⇒ |((n 2))
(natp 3) (not (equal 3 0)) ∧ ∧ |((n 2)) ⇒ |((n 3)) …
sum
(defunc sum (n)
:input-contract (natp n)
:output-contract (integerp (sum n))
(if (equal n 0)
0
(+ n (sum (- n 1)))))
Conjecture. (sum n) = n*(n+1)/2
Induction Scheme for sum
Theorem. (natp n) (equal (sum n) (/ (* n ⇒(+ n 1)) 2)) {contract check}
1. (not (natp n)) (natp n) (equal (sum n) (/ (* ⇒ ⇒n (+ n 1)) 2))
2. (natp n) (equal n 0) ∧ ⇒ (natp n) (equal (sum ⇒n) (/ (* n (+ n 1)) 2))
3. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒(equal (sum (- n 1) (/ (* (- n 1) n) 2))] [⇒ (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))]⇒
Base Cases
1. (not (natp n)) (natp n) (equal (sum n) ⇒ ⇒(/ (* n (+ n 1)) 2))
A (A B) T False implies anything (A A) B F B F B T B T
Base Case
Use equational reasoning for case 2.2. (natp 0) (equal (sum 0) (/ (* 0 (+ 0 1)) 2))⇒
(sum 0) = (if (equal 0 0) 0 (+ n (sum (- n 1))))) {def of sum and
(natp 0)}= (if t 0 (+ n (sum (- n 1))))) {equal axiom}= 0 {if axiom} (/ (* 0 (+ 0 1)) 2)) = 0 {arithmetic}
General Case (IH)
3. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))]
[⇒ (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))]⇒
(natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal ⇒(sum n) (/ (* n (+ n 1)) 2))
Context
(natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal ⇒(sum n) (/ (* n (+ n 1)) 2))
C1. (natp n)
C2. (not (equal n 0))
C3. (natp (- n 1)) (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) ⇒
C4. (natp (- n 1)) {C1, C2}
C5. (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) {C3, C4, MP}
Proof of General Case
Theorem. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1) (/ (* (- n 1) n) 2))] (equal (sum ⇒n) (/ (* n (+ n 1)) 2))
Proof.
(sum n)
= (if (equal n 0) 0 (+ n (sum (- n 1))))) {by def of sum and C1}
= (if nil 0 (+ n (sum (- n 1))))) {by C2 and equal axiom}
= (+ n (sum (- n 1))) {by if axiom}
= (+ n (/ (* - n 1) n) 2) {by C5}
= (2n + (n-1)n)/2 = (n*n + n)/2 = n(n+1)/2 {arithmetic}
Induction in ACL2ACL2S B !>QUERY (thm (implies (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))))
<< Starting proof tree logging >>Goal'Goal''^^^ Checkpoint Goal'' ^^^
([ A key checkpoint:
Goal''(IMPLIES (AND (INTEGERP N) (<= 0 N)) (EQUAL (SUM N) (COMMON-LISP::+ (COMMON-LISP::* 1/2 N) (COMMON-LISP::* 1/2 (COMMON-LISP::EXPT N 2)))))
*1 (Goal'') is pushed for proof by induction.
])
Perhaps we can prove *1 by induction. One induction scheme is suggested
by this conjecture.
We will induct according to a scheme suggested by (SUM N). This suggestion
was produced using the :induction rules SUM-INDUCTION-SCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let (:P N) denote *1
abovethen the induction scheme we'll use is(AND (IMPLIES (NOT (NATP N)) (:P N)) (IMPLIES (AND (NATP N) (NOT (EQUAL N 0)) (:P (COMMON-LISP::+ -1 N))) (:P N)) (IMPLIES (AND (NATP N) (EQUAL N 0)) (:P N))).This induction is justified by the same argument used to admit SUM.When applied to the goal at hand the above induction scheme producesfive nontautological subgoals.^^^ Checkpoint *1 ^^^Subgoal *1/5Subgoal *1/4Subgoal *1/4'Subgoal *1/3Subgoal *1/2Subgoal *1/1Subgoal *1/1'
*1 is COMPLETED!Thus key checkpoint Goal'' is COMPLETED!
Q.E.D.
SummaryForm: ( THM ...)Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-
RECOGNIZER) (:DEFINITION *-DEFINITION-RULE) (:DEFINITION +-DEFINITION-RULE) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SUM-DEFINITION-RULE) (:DEFINITION ACL2::SYNP) (:EXECUTABLE-COUNTERPART COMMON-LISP::<) (:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD) (:EXECUTABLE-COUNTERPART ACL2::BINARY-*) (:EXECUTABLE-COUNTERPART ACL2::BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART SUM) (:EXECUTABLE-COUNTERPART ACL2::UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SUM-INDUCTION-SCHEME) (:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* c (* d x))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* x x)|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (* c x) (* d x))|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ (- x) (* c x))|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (* c x))|) (:REWRITE ACL2::|(expt (+ x y) 2)|) (:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL) (:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERP-
BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-
NONNEGATIVE-BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVE-
BASE) (:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION))Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other:
0.14)Prover steps counted: 1129
Proof succeeded.
Induction in ACL2*1 (Goal'') is pushed for proof by induction.])Perhaps we can prove *1 by induction. One induction scheme is
suggested by this conjecture.
We will induct according to a scheme suggested by (SUM N). This suggestion was produced using the :induction rules SUM-INDUCTION-SCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let (:P N) denote *1 above then the induction scheme we'll use is
(AND (IMPLIES (NOT (NATP N)) (:P N)) (IMPLIES (AND (NATP N) (NOT (EQUAL N 0)) (:P (COMMON-LISP::+ -1 N))) (:P N)) (IMPLIES (AND (NATP N) (EQUAL N 0)) (:P N))).
Induction in ACL2This induction is justified by the same argument used to admit SUM.When applied to the goal at hand the above induction scheme producesfive nontautological subgoals.^^^ Checkpoint *1 ^^^Subgoal *1/5Subgoal *1/4Subgoal *1/4'Subgoal *1/3Subgoal *1/2Subgoal *1/1Subgoal *1/1'
*1 is COMPLETED!Thus key checkpoint Goal'' is COMPLETED!
Q.E.D.
Induction in ACL2SummaryForm: ( THM ...)Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-
RECOGNIZER) (:DEFINITION *-DEFINITION-RULE) (:DEFINITION +-DEFINITION-RULE) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SUM-DEFINITION-RULE) (:DEFINITION ACL2::SYNP) (:EXECUTABLE-COUNTERPART COMMON-LISP::<) (:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD) (:EXECUTABLE-COUNTERPART ACL2::BINARY-*) (:EXECUTABLE-COUNTERPART ACL2::BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT)
Induction in ACL2 (:EXECUTABLE-COUNTERPART SUM) (:EXECUTABLE-COUNTERPART ACL2::UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SUM-INDUCTION-SCHEME) (:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* c (* d x))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* x x)|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (* c x) (* d x))|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ (- x) (* c x))|) (:REWRITE ACL2::|(+ 0 x)|)
Induction in ACL2 (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (* c x))|) (:REWRITE ACL2::|(expt (+ x y) 2)|) (:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL) (:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERP-
BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-
NONNEGATIVE-BASE).
Induction in ACL2 (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVE-
BASE) (:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION))Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other:
0.14)Prover steps counted: 1129
Proof succeeded.
General Induction Scheme
(defunc foo (x1 . . . xn)
:input-contract ic
:output-contract oc
(cond (t1 c1)
(t2 c2)
. . .
(tm cm)
(t cm+1)))
None of the ci’s should have ifs in them
If ci has a recursive call to foo, it is called a recursive case otherwise a base case.
General Induction Scheme Case1 = t1
Case2 = t2 t1
… Casei = ti t1 ti-1
… Casem+1 = t t1 tm
If ci is a recursive case with Ri calls to foo with the jth call, 1 j Ri, obtained by the substitution (foo x1 . . . xn)|sij
General Induction Scheme
To prove prove the followingic
[ic Casei] For all ci’s that are base cases
[ic Casei 1 i Ri |sij] For all ci’s that are recursive cases
listp
(defunc listp (l)
:input-contract t
:output-contract (booleanp (listp l))
(if (consp l)
(listp (rest l))
(equal l ())))
This function is admissible.
app
(defunc app (a b)
:input-contract (and (listp a) (listp b))
:output-contract (listp (app a b))
(if (endp a)
b
(cons (first a) (app (rest a) b))))
rev
(defunc rev (a)
:input-contract (listp a)
:output-contract (listp (rev a))
(if (endp a)
nil
(app (rev (rest a)) (cons (first a) nil))))
Conjecture
After contract checking1. (implies (and (listp a) (listp b) (listp c)) (equal
(app a (app b c)) (app (app a b) c)))
2. (implies (and (listp a) (listp b)) (equal (len (app a b)) (+ (len a) (len b))))
3. (implies (listp a) (equal (rev (rev a)) a))
Induction Scheme Base Case
[(listp x) (listp y) (listp z)] ⇒ (app (app x y) z) = (app x (app y z)) (endp x) (listp x) (listp y) (listp z) ⇒ (app (app x y) z) = (app x
(app y z))
Induction Step [(consp x) (listp x) (listp y) (listp z) ∧ ∧
[(listp (rest x)) (listp y) (listp z)∧ ∧
⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]]
⇒ (app (app x y) z) = (app x (app y z))
Conclude (app (app x y) z) = (app x (app y z))
Failed Proof
Proof failure(implies (listp a) (equal (rev (rev x)) x))Proof gets stuck - Try it!When proof gets stuck, it may suggest a lemma
which should be proved before proceedingNeed two additional lemmas
(implies (and (listp a) (listp b)) (equal (rev (app a b)) (app (rev b) (rev a))))
(implies (listp a) (equal (app a nil) a))
Exercise
1. Write down the induction schemes for conjectures (2) and (3).
2. Use equational reasoning and the above induction scheme to prove (2).
3. Use ACL2s to prove (2).
4. Try to prove (3) by hand and using ACL2s. Where do you get stuck
5. Write down induction schemes and prove the lemmas needed for (3).
6. Complete the proof by hand and using ACL2s of (3)
Data Function Trinity
1. Data definitions give rise to predicates recognizing such definitions. These predicates must be shown to terminate. Their bodies give rise to a recursion scheme
2. Functions over these data types are defined by using the recursion scheme as a template. Templates allow us to define correct functions by assuming that the function we are defining works correctly in the recursive case.
Data Function Trinity
3. Proofs by induction involving such functions and data definitions should use the same recursion scheme to generate proof obligations. Nonrecursive cases are proven directly. For each recursive case, we assume the theorem under any substitutions that map the formals to arguments in that recursive call.