NICTA Advanced Course: Theorem Proving, Principles, Techniques, Applications
Lecture: General Recursion and Calculational Reasoning (slide transcript)



LAST WEEK
➜ Constructive Logic & Curry-Howard-Isomorphism
➜ The Coq System
➜ The HOL4 system
➜ Before that: datatypes, recursion, induction

CONTENT
➜ Intro & motivation, getting started with Isabelle
➜ Foundations & Principles
  • Lambda Calculus
  • Higher Order Logic, natural deduction
  • Term rewriting
➜ Proof & Specification Techniques
  • Inductively defined sets, rule induction
  • Datatypes, recursion, induction
  • More recursion, calculational reasoning
  • Hoare logic, proofs about programs
  • Locales, presentation

GENERAL RECURSION: THE CHOICE
➜ Limited expressiveness, automatic termination: primrec
➜ High expressiveness, prove termination manually: recdef

RECDEF
➜ The definition:
  • one parameter
  • free pattern matching, order of rules important (overlapping equations are tried in order)
  • termination relation (a measure is sufficient for most cases)
➜ Termination relation:
  • must decrease for each recursive call
  • must be well founded
➜ Generates its own induction principle

RECDEF: EXAMPLES

  consts sep :: "'a × 'a list ⇒ 'a list"
  recdef sep "measure (λ(a, xs). size xs)"
    "sep (a, x # y # zs) = x # a # sep (a, y # zs)"
    "sep (a, xs) = xs"

  consts ack :: "nat × nat ⇒ nat"
  recdef ack "measure (λm. m) <*lex*> measure (λn. n)"
    "ack (0, n) = Suc n"
    "ack (Suc m, 0) = ack (m, 1)"
    "ack (Suc m, Suc n) = ack (m, ack (Suc m, n))"

TERMINATION
➜ Isabelle tries to prove termination automatically
➜ For most functions and termination relations this works
➜ Sometimes not ⇒ error message with unsolved subgoal
➜ You can give hints (additional lemmas) to the recdef package:

  recdef quicksort "measure length"
    "quicksort [] = []"
    "quicksort (x # xs) = quicksort [y ∈ xs. y ≤ x] @ [x] @ quicksort [y ∈ xs. x < y]"
    (hints recdef_simp: less_Suc_eq_le)

➜ For exploration: allow a failing termination proof with
    recdef (permissive) quicksort "measure length"
  The termination conditions then appear as assumptions in the simp and induct rules.

RECDEF: INDUCTION PRINCIPLE
➜ Each recdef definition induces an induction principle
➜ For each equation: show that the property holds for the lhs provided it holds for each recursive call on the rhs
➜ Example sep.induct:

  ⟦ ⋀a. P a []; ⋀a w. P a [w]; ⋀a x y zs. P a (y # zs) ⟹ P a (x # y # zs) ⟧ ⟹ P a xs

DEMO
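The three definitions above, as an added example written for this transcript (it is not the course's demo code). It assumes a current Isabelle/HOL (Isabelle2021 or later), where the recdef package has been superseded by function/fun: function with an explicit termination proof plays the role of recdef with a termination relation, and fun adds the automatic termination proof. The theory name Recdef_Examples and the lemma names are the example's own.

```isabelle
theory Recdef_Examples
  imports Main
begin

(* sep: one tupled parameter, as with recdef. (sequential) makes the second,
   overlapping equation a catch-all, which is what recdef's rule order did. *)
function (sequential) sep :: "'a × 'a list ⇒ 'a list" where
  "sep (a, x # y # zs) = x # a # sep (a, y # zs)"
| "sep (a, xs) = xs"
  by pat_completeness auto

(* The termination relation from the slide: the list argument gets shorter.
   relation installs it; auto shows it is well founded and decreases per call. *)
termination sep
  by (relation "measure (λ(a, xs). size xs)") auto

(* Ackermann with the slide's lexicographic relation: the first component
   decreases, or it stays equal while the second one decreases. Note that the
   nested call ack (Suc m, n) decreases only in the second component. *)
function ack :: "nat × nat ⇒ nat" where
  "ack (0, n) = Suc n"
| "ack (Suc m, 0) = ack (m, 1)"
| "ack (Suc m, Suc n) = ack (m, ack (Suc m, n))"
  by pat_completeness auto

termination ack
  by (relation "measure (λm. m) <*lex*> measure (λn. n)") auto

(* quicksort via fun: fun = function + automatic termination proof. The
   termination prover already knows length (filter P xs) ≤ length xs, which is
   what the recdef hint less_Suc_eq_le had to supply on the slide. *)
fun quicksort :: "'a::linorder list ⇒ 'a list" where
  "quicksort [] = []"
| "quicksort (x # xs) = quicksort [y←xs. y ≤ x] @ [x] @ quicksort [y←xs. x < y]"

(* The induced induction principle: one case per equation, with the property
   assumed for every recursive call on the right-hand side. *)
lemma set_quicksort: "set (quicksort xs) = set xs"
  by (induct xs rule: quicksort.induct) auto

(* After termination, the recursion equations are simp rules and code
   equations, so the functions can be evaluated. *)
value "sep (0::nat, [1, 2, 3])"
value "ack (2, 1)"

end
```

Leaving out the termination command is the modern counterpart of recdef (permissive): the package then provides sep.psimps and sep.pinduct, whose equations carry a sep_dom assumption in place of the unproved termination condition. The two value commands evaluate to [1, 0, 2, 0, 3] and 5 respectively.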

HOW DOES RECDEF WORK?
➜ We need: a general recursion operator
➜ Definition something like: rec F = F (rec F)   (F stands for the recursion equations)
➜ Example:
  • recursion equations: f 0 = 0,  f (Suc n) = f n
  • as one λ-term: f = λn'. case n' of 0 ⇒ 0 | Suc n ⇒ f n
  • functor: F = λf. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ f n
➜ rec :: ((α ⇒ β) ⇒ (α ⇒ β)) ⇒ (α ⇒ β) like above cannot exist in HOL (only total functions)
➜ But a 'guarded' form is possible: wfrec :: (α × α) set ⇒ ((α ⇒ β) ⇒ (α ⇒ β)) ⇒ (α ⇒ β)
➜ (α × α) set: a well founded order, decreasing with execution

HOW DOES RECDEF WORK?
Why rec F = F (rec F)? Because we want the recursion equations to hold.
Example: F ≡ λg. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ g n,   f ≡ rec F
  f 0 = rec F 0
      = F (rec F) 0
      = (λg. λn'. case n' of 0 ⇒ 0 | Suc n ⇒ g n) (rec F) 0
      = (case 0 of 0 ⇒ 0 | Suc n ⇒ rec F n)
      = 0

DEMO

WELL FOUNDED ORDERS
➜ Definition: <r is well founded if well founded induction holds
    wf r ≡ ∀P. (∀x. (∀y <r x. P y) ⟶ P x) ⟶ (∀x. P x)
➜ Well founded induction rule:
    ⟦ wf r; ⋀x. (∀y <r x. P y) ⟹ P x ⟧ ⟹ P a
➜ Alternative definition (equivalent): there are no infinite descending chains, or (equivalent): every nonempty set has a minimal element wrt <r
    min r Q x ≡ ∀y ∈ Q. ¬ y <r x
    wf r = (∀Q ≠ {}. ∃m ∈ Q. min r Q m)

WELL FOUNDED ORDERS: EXAMPLES
➜ < on ℕ is well founded; well founded induction = complete induction
➜ > and ≤ on ℕ are not well founded
➜ x <r y = x dvd y ∧ x ≠ 1 ∧ x ≠ y on ℕ is well founded (the slide omits x ≠ y; without it every x ≠ 1 is related to itself, and a reflexive relation is never well founded); the minimal elements are the prime numbers (and 1)
➜ (a, b) <r (x, y) = a <1 x ∨ a = x ∧ b <2 y is well founded if <1 and <2 are
➜ A <r B = A ⊂ B ∧ finite B is well founded
➜ ⊆ and ⊂ in general are not well founded
More about well founded relations: Term Rewriting and All That

THE RECURSION OPERATOR
➜ Back to recursion: rec F = F (rec F) is not possible
➜ Idea: have wfrec R F where R is well founded
➜ Cut: only do recursion if the parameter decreases wrt R, otherwise: abort
    arbitrary :: α
    cut :: (α ⇒ β) ⇒ (α × α) set ⇒ α ⇒ (α ⇒ β)
    cut G R x ≡ λy. if (y, x) ∈ R then G y else arbitrary
➜ wf R ⟹ wfrec R F x = F (cut (wfrec R F) R x) x

THE RECURSION OPERATOR
➜ Admissible recursion: the recursive call for x only depends on parameters y <R x
    adm_wf R F ≡ ∀f g x. (∀z. (z, x) ∈ R ⟶ f z = g z) ⟶ F f x = F g x
➜ Describes exactly one function if R is well founded
➜ Definition of wfrec: again first inductively (the relation wfrec_rel), then by picking the unique result (THE):
    ∀z. (z, x) ∈ R ⟶ (z, g z) ∈ wfrec_rel R F ⟹ (x, F g x) ∈ wfrec_rel R F
    wfrec R F x ≡ THE y. (x, y) ∈ wfrec_rel R (λf x. F (cut f R x) x)
More: John Harrison, Inductive definitions: automation and application

DEMO
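The well-founded orders and the recursion operator from the two slides above, as an added example for this transcript (not the course's demo). It assumes a current Isabelle/HOL, whose Wellfounded theory provides wf, less_than, measure, <*lex*>, finite_psubset, wfrec and cut under exactly these names; the slide's arbitrary is today's undefined. The theory name Wf_Examples, the function fac and the lemma names are the example's own.

```isabelle
theory Wf_Examples
  imports Main
begin

(* The relations from the examples slide under HOL's names: less_than is < on
   nat, measure f = inv_image less_than f, r <*lex*> s is the lexicographic
   product, and finite_psubset = {(A, B). A ⊂ B ∧ finite B}. *)
lemma wf_from_the_slide:
  "wf (less_than :: (nat × nat) set)"
  "wf (measure (λ(a, xs). size (xs :: 'a list)))"
  "wf (less_than <*lex*> less_than)"
  "wf (finite_psubset :: (nat set × nat set) set)"
  by (simp_all add: wf_lex_prod)

(* ≤ on nat is not well founded: a well-founded relation is irreflexive
   (wf_not_refl), but (0, 0) lies in ≤. *)
lemma not_wf_le: "¬ wf {(x, y). x ≤ (y :: nat)}"
proof
  assume "wf {(x, y). x ≤ (y :: nat)}"
  then have "(0, 0) ∉ {(x, y). x ≤ (y :: nat)}" by (rule wf_not_refl)
  then show False by simp
qed

(* The recursion operator satisfies exactly the equation from the slide. *)
lemma "wf R ⟹ wfrec R F x = F (cut (wfrec R F) R x) x"
  by (rule wfrec)

(* Defining a function directly through wfrec, as recdef did behind the scenes:
   the functor is the recursion equation with the recursive call abstracted. *)
definition fac :: "nat ⇒ nat" where
  "fac = wfrec less_than (λf n. if n = 0 then 1 else n * f (n - 1))"

(* Recovering the recursion equations: unfold wfrec once at the argument in
   question, then discharge the cut guard, which holds because (n, Suc n) is
   in less_than. *)
lemma fac_0 [simp]: "fac 0 = 1"
  unfolding fac_def
  by (subst wfrec[OF wf_less_than, of _ 0]) simp

lemma fac_Suc [simp]: "fac (Suc n) = Suc n * fac n"
  unfolding fac_def
  by (subst wfrec[OF wf_less_than, of _ "Suc n"]) (simp add: cut_def)

(* Well-founded induction over less_than is complete induction on nat (the
   slide's first example); the hypothesis is available for every smaller m. *)
lemma fac_pos: "0 < fac n"
proof (induct n rule: less_induct)
  case (less x)
  show ?case
  proof (cases x)
    case 0
    then show ?thesis by simp
  next
    case (Suc k)
    with less.hyps have "0 < fac k" by simp
    with Suc show ?thesis by simp
  qed
qed

end
```

The guard in cut is what makes the definition safe: if the functor called f at an argument that does not decrease with respect to less_than, the unfolding in fac_Suc would produce undefined instead of a recursion equation, which is precisely the "abort" case the slide describes.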

CHAINS OF EQUATIONS
The problem:
    a = b
  ... = c
  ... = d
shows a = d by transitivity of =. Each step is usually nontrivial (requires its own subproof).
Can we do this in Isabelle?
➜ Simplifier: too eager
➜ Manual: difficult in apply style
➜ Isar: with the methods we know, too verbose

THE GOAL
    x · x⁻¹ = 1 · (x · x⁻¹)
           = 1 · x · x⁻¹
           = (x⁻¹)⁻¹ · x⁻¹ · x · x⁻¹
           = (x⁻¹)⁻¹ · (x⁻¹ · x) · x⁻¹
           = (x⁻¹)⁻¹ · 1 · x⁻¹
           = (x⁻¹)⁻¹ · (1 · x⁻¹)
           = (x⁻¹)⁻¹ · x⁻¹
           = 1

CALCULATIONAL REASONING
Solution in Isar:
➜ Keywords also and finally to delimit steps
➜ "...": predefined schematic term variable, refers to the right hand side of the last expression
➜ Automatic use of transitivity rules to connect steps

ALSO / FINALLY
  proof step                  calculation register
  have "t0 = t1" [proof]
  also                        "t0 = t1"
  have "... = t2" [proof]
  also                        "t0 = t2"
  ...                         ...
  also                        "t0 = t(n-1)"
  have "... = tn" [proof]
  finally                     "t0 = tn"
  show P                      finally pipes the fact "t0 = tn" into the proof

MORE ABOUT ALSO
➜ Works for all combinations of =, ≤ and <
➜ Uses all rules declared as [trans]
➜ To view all combinations in Proof General: Isabelle/Isar → Show me → Transitivity rules (in current Isabelle: the command print_trans_rules)

DEMO

DESIGNING [TRANS] RULES
  calculation = "l1 ⊙ r1"
  have "... ⊙ r2" [proof]
  also                          ⟸ here a [trans] rule combines the two facts
Anatomy of a [trans] rule:
➜ Usual form: plain transitivity   ⟦ l1 ⊙ r1; r1 ⊙ r2 ⟧ ⟹ l1 ⊙ r2
➜ More general form:               ⟦ P l1 r1; Q r1 r2; A ⟧ ⟹ C l1 r2
Examples:
➜ pure transitivity:  ⟦ a = b; b = c ⟧ ⟹ a = c
➜ mixed:              ⟦ a ≤ b; b < c ⟧ ⟹ a < c
➜ substitution:       ⟦ P a; a = b ⟧ ⟹ P b
➜ antisymmetry:       ⟦ a < b; b < a ⟧ ⟹ P
➜ monotonicity:       ⟦ a = f b; b < c; ⋀x y. x < y ⟹ f x < f y ⟧ ⟹ a < f c

WE HAVE SEEN TODAY ...
➜ Recdef
➜ More induction
➜ Well founded orders
➜ Well founded recursion
➜ Calculations: also/finally
➜ [trans]-rules
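Calculational reasoning and a home-made [trans] rule, as an added example for this transcript (it is not the course's demo, which worked in a group locale). It assumes a current Isabelle/HOL: the mixed =, ≤, < chain relies on the [trans] rules HOL's Orderings theory declares for orders, and steps through = combine with any relation via the built-in substitution rules. The prefix relation ≼, the theory name Calc_Examples and the lemma names are the example's own.

```isabelle
theory Calc_Examples
  imports Main
begin

(* A chain mixing =, ≤ and <. also/finally pick the [trans] rules for us;
   the calculation ends in the strongest relation that occurred, here <.
   "..." always denotes the right-hand side of the previous step. *)
lemma mixed_chain:
  fixes a b c :: nat
  assumes "a ≤ b" and "b < c"
  shows "a + 0 < c + 0"
proof -
  have "a + 0 = a" by simp
  also have "... ≤ b" by fact
  also have "... < c" by fact
  also have "... = c + 0" by simp
  finally show ?thesis .
qed

(* A relation of our own (list prefix) and its [trans] rule in the usual form
   ⟦l1 ⊙ r1; r1 ⊙ r2⟧ ⟹ l1 ⊙ r2. Nothing else is needed for also/finally
   to chain ≼ steps; = steps are combined by ⟦P a; a = b⟧ ⟹ P b. *)
definition pre :: "'a list ⇒ 'a list ⇒ bool" (infix "≼" 50) where
  "xs ≼ ys ⟷ (∃zs. ys = xs @ zs)"

lemma pre_append: "xs ≼ xs @ ys"
  unfolding pre_def by (rule exI) (rule refl)

lemma pre_trans [trans]:
  assumes "xs ≼ ys" and "ys ≼ zs"
  shows "xs ≼ zs"
proof -
  from assms[unfolded pre_def] obtain us vs
    where "ys = xs @ us" and "zs = ys @ vs" by blast
  then have "zs = xs @ (us @ vs)" by simp
  then show ?thesis unfolding pre_def by blast
qed

(* The chain alternates ≼ steps (pre_trans) and = steps (substitution). *)
lemma "[1::nat] ≼ [1, 2, 3, 4]"
proof -
  have "[1::nat] ≼ [1] @ [2]" by (rule pre_append)
  also have "... = [1, 2]" by simp
  also have "... ≼ [1, 2] @ [3, 4]" by (rule pre_append)
  also have "... = [1, 2, 3, 4]" by simp
  finally show ?thesis .
qed

(* Lists every rule currently declared [trans], pre_trans included. *)
print_trans_rules

end
```

If pre_trans were not declared [trans], the third also step would fail with no transitivity rule matching ≼ followed by ≼; declaring the rule is the whole mechanism, there is no relation-specific support in also itself.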

EXERCISES
➜ Define a predicate sorted over lists
➜ Show that sorted (quicksort xs) holds
➜ Look at http://isabelle.in.tum.de/library/HOL/Wellfounded_Recursion.html
➜ Show that in groups, the left-one is also a right-one: x · 1 = x (you can use the right_inv lemma from the demo)
➜ Take an algebra textbook and formalize a simple theorem over groups in Isabelle
