Induction Schemes

Math Foundations of Computer Science

Topics Induction Example

Induction scheme over the naturals Termination Reduction to equational reasoning ACL2 proof

General Induction Schemes Induction scheme over lists Induction over recursively defined data structures

nind

(defunc nind (n)

:input-contract (natp n)

:output-contract t

(if (equal n 0)

0

(nind (- n 1))))

This function is admissible. Given a natural number n it counts down to 0 and returns, therefore it is terminating.

Induction Scheme over Naturals

Every terminating function gives rise to an induction scheme1. (not (natp n)) ⇒ 2. (natp n) (equal n 0) ∧ ⇒ 3. (natp n) (not (equal n 0)) ∧ ∧ |((n n-1)) ⇒

(1) and (2) are base cases and (3) is the induction hypothesis

More powerful than case analysis since you can use assume the induction hypothesis

Why does Induction Work?

By (1) holds for (not (natp n)) By (2) |((n 0)) By (3)

(natp 1) (not (equal 1 0)) ∧ ∧ |((n 0)) ⇒ |((n 1))

(natp 2) (not (equal 2 0)) ∧ ∧ |((n 1)) ⇒ |((n 2))

(natp 3) (not (equal 3 0)) ∧ ∧ |((n 2)) ⇒ |((n 3)) …

sum

(defunc sum (n)

:input-contract (natp n)

:output-contract (integerp (sum n))

(if (equal n 0)

0

(+ n (sum (- n 1)))))

Conjecture. (sum n) = n*(n+1)/2

Induction Scheme for sum

Theorem. (natp n) (equal (sum n) (/ (* n ⇒(+ n 1)) 2)) {contract check}

1. (not (natp n)) (natp n) (equal (sum n) (/ (* ⇒ ⇒n (+ n 1)) 2))

2. (natp n) (equal n 0) ∧ ⇒ (natp n) (equal (sum ⇒n) (/ (* n (+ n 1)) 2))

3. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒(equal (sum (- n 1) (/ (* (- n 1) n) 2))] [⇒ (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))]⇒

Base Cases

1. (not (natp n)) (natp n) (equal (sum n) ⇒ ⇒(/ (* n (+ n 1)) 2))

A (A B) T False implies anything (A A) B F B F B T B T

Base Case

Use equational reasoning for case 2.2. (natp 0) (equal (sum 0) (/ (* 0 (+ 0 1)) 2))⇒

(sum 0) = (if (equal 0 0) 0 (+ n (sum (- n 1))))) {def of sum and

(natp 0)}= (if t 0 (+ n (sum (- n 1))))) {equal axiom}= 0 {if axiom} (/ (* 0 (+ 0 1)) 2)) = 0 {arithmetic}

General Case (IH)

3. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))]

[⇒ (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))]⇒

(natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal ⇒(sum n) (/ (* n (+ n 1)) 2))

Context

(natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1)) (/ (* (- n 1) n) 2))] (equal ⇒(sum n) (/ (* n (+ n 1)) 2))

C1. (natp n)

C2. (not (equal n 0))

C3. (natp (- n 1)) (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) ⇒

C4. (natp (- n 1)) {C1, C2}

C5. (equal (sum (- n 1)) (/ (* (- n 1) n) 2)) {C3, C4, MP}

Proof of General Case

Theorem. (natp n) (not (equal n 0)) ∧ ∧ [(natp (- n 1) ⇒ (equal (sum (- n 1) (/ (* (- n 1) n) 2))] (equal (sum ⇒n) (/ (* n (+ n 1)) 2))

Proof.

(sum n)

= (if (equal n 0) 0 (+ n (sum (- n 1))))) {by def of sum and C1}

= (if nil 0 (+ n (sum (- n 1))))) {by C2 and equal axiom}

= (+ n (sum (- n 1))) {by if axiom}

= (+ n (/ (* - n 1) n) 2) {by C5}

= (2n + (n-1)n)/2 = (n*n + n)/2 = n(n+1)/2 {arithmetic}

Induction in ACL2ACL2S B !>QUERY (thm (implies (natp n) (equal (sum n) (/ (* n (+ n 1)) 2))))

<< Starting proof tree logging >>Goal'Goal''^^^ Checkpoint Goal'' ^^^

([ A key checkpoint:

Goal''(IMPLIES (AND (INTEGERP N) (<= 0 N)) (EQUAL (SUM N) (COMMON-LISP::+ (COMMON-LISP::* 1/2 N) (COMMON-LISP::* 1/2 (COMMON-LISP::EXPT N 2)))))

*1 (Goal'') is pushed for proof by induction.

])

Perhaps we can prove *1 by induction. One induction scheme is suggested

by this conjecture.

We will induct according to a scheme suggested by (SUM N). This suggestion

was produced using the :induction rules SUM-INDUCTION-SCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let (:P N) denote *1

abovethen the induction scheme we'll use is(AND (IMPLIES (NOT (NATP N)) (:P N)) (IMPLIES (AND (NATP N) (NOT (EQUAL N 0)) (:P (COMMON-LISP::+ -1 N))) (:P N)) (IMPLIES (AND (NATP N) (EQUAL N 0)) (:P N))).This induction is justified by the same argument used to admit SUM.When applied to the goal at hand the above induction scheme producesfive nontautological subgoals.^^^ Checkpoint *1 ^^^Subgoal *1/5Subgoal *1/4Subgoal *1/4'Subgoal *1/3Subgoal *1/2Subgoal *1/1Subgoal *1/1'

*1 is COMPLETED!Thus key checkpoint Goal'' is COMPLETED!

Q.E.D.

SummaryForm: ( THM ...)Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-

RECOGNIZER) (:DEFINITION *-DEFINITION-RULE) (:DEFINITION +-DEFINITION-RULE) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SUM-DEFINITION-RULE) (:DEFINITION ACL2::SYNP) (:EXECUTABLE-COUNTERPART COMMON-LISP::<) (:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD) (:EXECUTABLE-COUNTERPART ACL2::BINARY-*) (:EXECUTABLE-COUNTERPART ACL2::BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT) (:EXECUTABLE-COUNTERPART SUM) (:EXECUTABLE-COUNTERPART ACL2::UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SUM-INDUCTION-SCHEME) (:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* c (* d x))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* x x)|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (* c x) (* d x))|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ (- x) (* c x))|) (:REWRITE ACL2::|(+ 0 x)|) (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (* c x))|) (:REWRITE ACL2::|(expt (+ x y) 2)|) (:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL) (:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERP-

BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-

NONNEGATIVE-BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVE-

BASE) (:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION))Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other:

0.14)Prover steps counted: 1129

Proof succeeded.

Induction in ACL2*1 (Goal'') is pushed for proof by induction.])Perhaps we can prove *1 by induction. One induction scheme is

suggested by this conjecture.

We will induct according to a scheme suggested by (SUM N). This suggestion was produced using the :induction rules SUM-INDUCTION-SCHEME and SUM-INDUCTION-SCHEME-FROM-DEFINITION. If we let (:P N) denote *1 above then the induction scheme we'll use is

(AND (IMPLIES (NOT (NATP N)) (:P N)) (IMPLIES (AND (NATP N) (NOT (EQUAL N 0)) (:P (COMMON-LISP::+ -1 N))) (:P N)) (IMPLIES (AND (NATP N) (EQUAL N 0)) (:P N))).

Induction in ACL2This induction is justified by the same argument used to admit SUM.When applied to the goal at hand the above induction scheme producesfive nontautological subgoals.^^^ Checkpoint *1 ^^^Subgoal *1/5Subgoal *1/4Subgoal *1/4'Subgoal *1/3Subgoal *1/2Subgoal *1/1Subgoal *1/1'

*1 is COMPLETED!Thus key checkpoint Goal'' is COMPLETED!

Q.E.D.

Induction in ACL2SummaryForm: ( THM ...)Rules: ((:COMPOUND-RECOGNIZER ACL2::NATP-COMPOUND-

RECOGNIZER) (:DEFINITION *-DEFINITION-RULE) (:DEFINITION +-DEFINITION-RULE) (:DEFINITION NATP) (:DEFINITION NOT) (:DEFINITION SUM-DEFINITION-RULE) (:DEFINITION ACL2::SYNP) (:EXECUTABLE-COUNTERPART COMMON-LISP::<) (:EXECUTABLE-COUNTERPART ACL2S-BB-IDENTITY-BOOL-GUARD) (:EXECUTABLE-COUNTERPART ACL2::BINARY-*) (:EXECUTABLE-COUNTERPART ACL2::BINARY-+) (:EXECUTABLE-COUNTERPART EQUAL) (:EXECUTABLE-COUNTERPART COMMON-LISP::EXPT) (:EXECUTABLE-COUNTERPART INTEGERP) (:EXECUTABLE-COUNTERPART NOT)

Induction in ACL2 (:EXECUTABLE-COUNTERPART SUM) (:EXECUTABLE-COUNTERPART ACL2::UNARY--) (:FAKE-RUNE-FOR-TYPE-SET NIL) (:INDUCTION SUM-INDUCTION-SCHEME) (:INDUCTION SUM-INDUCTION-SCHEME-FROM-DEFINITION) (:REWRITE ACL2::|(* -1 x)|) (:REWRITE ACL2::|(* 0 x)|) (:REWRITE ACL2::|(* 1 x)|) (:REWRITE ACL2::|(* c (* d x))|) (:REWRITE ACL2::|(* x (+ y z))|) (:REWRITE ACL2::|(* x (- y))|) (:REWRITE ACL2::|(* x x)|) (:REWRITE ACL2::|(* y (* x z))|) (:REWRITE ACL2::|(* y x)|) (:REWRITE ACL2::|(+ (* c x) (* d x))|) (:REWRITE ACL2::|(+ (+ x y) z)|) (:REWRITE ACL2::|(+ (- x) (* c x))|) (:REWRITE ACL2::|(+ 0 x)|)

Induction in ACL2 (:REWRITE ACL2::|(+ c (+ d x))|) (:REWRITE ACL2::|(+ x (- x))|) (:REWRITE ACL2::|(+ y (+ x z))|) (:REWRITE ACL2::|(+ y x)|) (:REWRITE ACL2::|(- (* c x))|) (:REWRITE ACL2::|(expt (+ x y) 2)|) (:REWRITE ACL2S-BB-IDENTITY-BOOL-GUARD-EQUAL) (:REWRITE ACL2::BUBBLE-DOWN-*-MATCH-1) (:REWRITE ACL2::BUBBLE-DOWN-+-MATCH-3) (:REWRITE ACL2::NORMALIZE-ADDENDS) (:REWRITE ACL2::NORMALIZE-FACTORS-GATHER-EXPONENTS) (:REWRITE ACL2::PREFER-POSITIVE-ADDENDS-EQUAL) (:REWRITE ACL2::SIMPLIFY-SUMS-EQUAL) (:TYPE-PRESCRIPTION ACL2S-BB-IDENTITY-BOOL-GUARD) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-INTEGERP-

BASE) (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-

NONNEGATIVE-BASE).

Induction in ACL2 (:TYPE-PRESCRIPTION ACL2::EXPT-TYPE-PRESCRIPTION-POSITIVE-

BASE) (:TYPE-PRESCRIPTION SUM-CONTRACT-TYPE-PRESCRIPTION))Time: 0.30 seconds (prove: 0.16, print: 0.00, proof tree: 0.00, other:

0.14)Prover steps counted: 1129

Proof succeeded.

General Induction Scheme

(defunc foo (x1 . . . xn)

:input-contract ic

:output-contract oc

(cond (t1 c1)

(t2 c2)

. . .

(tm cm)

(t cm+1)))

None of the ci’s should have ifs in them

If ci has a recursive call to foo, it is called a recursive case otherwise a base case.

General Induction Scheme Case1 = t1

Case2 = t2 t1

… Casei = ti t1 ti-1

… Casem+1 = t t1 tm

If ci is a recursive case with Ri calls to foo with the jth call, 1 j Ri, obtained by the substitution (foo x1 . . . xn)|sij

General Induction Scheme

To prove prove the followingic

[ic Casei] For all ci’s that are base cases

[ic Casei 1 i Ri |sij] For all ci’s that are recursive cases

listp

(defunc listp (l)

:input-contract t

:output-contract (booleanp (listp l))

(if (consp l)

(listp (rest l))

(equal l ())))

This function is admissible.

app

(defunc app (a b)

:input-contract (and (listp a) (listp b))

:output-contract (listp (app a b))

(if (endp a)

b

(cons (first a) (app (rest a) b))))

rev

(defunc rev (a)

:input-contract (listp a)

:output-contract (listp (rev a))

(if (endp a)

nil

(app (rev (rest a)) (cons (first a) nil))))

Conjecture

After contract checking1. (implies (and (listp a) (listp b) (listp c)) (equal

(app a (app b c)) (app (app a b) c)))

2. (implies (and (listp a) (listp b)) (equal (len (app a b)) (+ (len a) (len b))))

3. (implies (listp a) (equal (rev (rev a)) a))

Induction Scheme Base Case

[(listp x) (listp y) (listp z)] ⇒ (app (app x y) z) = (app x (app y z)) (endp x) (listp x) (listp y) (listp z) ⇒ (app (app x y) z) = (app x

(app y z))

Induction Step [(consp x) (listp x) (listp y) (listp z) ∧ ∧

[(listp (rest x)) (listp y) (listp z)∧ ∧

⇒ (app (app (rest x) y) z) = (app (rest x) (app y z))]]

⇒ (app (app x y) z) = (app x (app y z))

Conclude (app (app x y) z) = (app x (app y z))

Failed Proof

Proof failure(implies (listp a) (equal (rev (rev x)) x))Proof gets stuck - Try it!When proof gets stuck, it may suggest a lemma

which should be proved before proceedingNeed two additional lemmas

(implies (and (listp a) (listp b)) (equal (rev (app a b)) (app (rev b) (rev a))))

(implies (listp a) (equal (app a nil) a))

Exercise

1. Write down the induction schemes for conjectures (2) and (3).

2. Use equational reasoning and the above induction scheme to prove (2).

3. Use ACL2s to prove (2).

4. Try to prove (3) by hand and using ACL2s. Where do you get stuck

5. Write down induction schemes and prove the lemmas needed for (3).

6. Complete the proof by hand and using ACL2s of (3)

Data Function Trinity

1. Data definitions give rise to predicates recognizing such definitions. These predicates must be shown to terminate. Their bodies give rise to a recursion scheme

2. Functions over these data types are defined by using the recursion scheme as a template. Templates allow us to define correct functions by assuming that the function we are defining works correctly in the recursive case.

Data Function Trinity

3. Proofs by induction involving such functions and data definitions should use the same recursion scheme to generate proof obligations. Nonrecursive cases are proven directly. For each recursive case, we assume the theorem under any substitutions that map the formals to arguments in that recursive call.