Recursion and Induction Illustrates foundations of theorem proving Kinds of activity that systems like HOL, NQTHM, LARCH, PVS indulge in. Handware Verification. cs776 (Prasad) L13Induction

Define sets by induction n  N  succ(n)  N zero  N n  N  succ(n)  N Define functions on sets by recursion  n  N : plus(zero, n) = n  m, n  N : plus(succ(m), n) = succ(plus(m,n)) Prove properties about the defined functions using principle of structural induction. Data structures are usually defined using seed elements and constructor functions (closure operations). E.g., Lists, Trees, etc. In the context of imperative programming, we introduce pre-post conditions to formalize the intent of the program and use loop invariants and induction on the number of iterations to prove properties of iterative code. Measure of complexity : structure cs776 (Prasad) L13Induction

Example 0 + n = n (obvious) n + 0 = n (not so obvious!) Prove that the two rules for “+” are adequate to rewrite (n+0) to n. (Induction on the structure of the first argument) Show that “+” is commutative, that is, (x + y) = (y + x). Motivation To ensure that sufficient relevant information has been encoded for automated reasoning. Have we encoded relevant and sufficient information for the symbol manipulation system to run and for us to rely on the conclusions generated by the automated system? Even though + is commutative, the amount of computation necessary for evaluating 5+1 is not the same as that for 1+5. This asymmetry becomes explicit in the proof. cs776 (Prasad) L13Induction

Induction Proof Definition of “+” 0 + m = m s(n) + m = s(n+m) Proof that 0 is the identity w.r.t. + 0+m = m+0 = m Basis: 0 + 0 = 0 Induction Hypothesis:  k >= 0: k + 0 = k Induction Step: Show s(k) + 0 = s(k) s(k) + 0 = s(k + 0) (*rule 2*) = s(k) (*ind hyp*) Conclusion: By principle of mathematical induction m N: m + 0 = m sound and complete ; termination Commutativity dependence: 0 + 2 = 2 : Axiom 2 + 0 = s(1 + 0) = 2 Dependence 2 + 0 requires 1 + 0 etc previous row, which is the induction hypothesis cs776 (Prasad) L13Induction

Induction Hypothesis: Induction Step: s(k)+n = n+s(k) s(k)+n Basis: n : n + 0 = n n : 0 + n = n n: n + 0 = n + 0 Induction Hypothesis:  k >= 0, n : k + n = n + k Induction Step: s(k)+n = n+s(k) s(k)+n = (*rule2*) s(k+n) = (*ind. hyp.*) s(n+k) = (*rule2*) s(n)+k (* STUCK!!! our goal: n+s(k) *) So prove the auxiliary result. s(k)+n = k+s(n) n The proof does not strictly proceed row by row because the problem does not simplify that way. However, the auxiliary result captures the precise dependence. rule1 and rule2 refer to the definition of “+”. 2 + 2 = s(1 + 2) = s(s(0 + 2)) = s(3) = 4 Dependence: 2 + 2 requires 1 + 2, 0 + 2, etc 2 + 10 = s(1 + 10) = s(10+1) induction hypothesis creates a sub-problem with large row number. Moving one … Proof proceeds row by row m cs776 (Prasad) L13Induction

=(*ind.hyp.*) s(j+s(m)) =(*rule2*) s(j)+s(m) Overall result s(k) + n Auxiliary result s(i)+ m = i+s(m) Basis: s(0) + m = (*rule2*) s(0 + m) = (*rule1*) s(m) = (*rule1*) 0 + s(m) Induction step: s(s(j)) + m =(*rule2*) s(s(j)+m) =(*ind.hyp.*) s(j+s(m)) =(*rule2*) s(j)+s(m) Overall result s(k) + n =(*auxiliary result*) k + s(n) =(*induction hyp.*) s(n) + k n + s(k) (* End of proof of commutativity *) Semi-automatic approach to theorem proving: manual generation of hypothesis automation of mundane labor intensive, monotonous steps cs776 (Prasad) L13Induction

Motivation for formal proofs In mathematics, proving theorems enhances our understanding of the domain of discourse and our faith in the formalization. In automated theorem proving, these results demonstrate the adequacy of the formal description and the symbol manipulation system. These properties also guide the design of canonical forms for (optimal) representation of expressions and for proving equivalence. associativity: parenthesis unnecessary (lists) commutativity: permutation invariant (sort) identity: delete elements zero : collapse Ensure that formalization faithfully captures the relevant aspects of the domain of discourse. cs776 (Prasad) L13Induction

Semantic Equivalence vs Syntactic Identity Machines can directly test only syntactic identity. Several distinct expressions can have the same meaning (value) in the domain of discourse. To formally establish their equivalence, the domain is first axiomatized, by providing axioms (equations) that characterize (are satisfied by) the operations. In practice, an equational specification is transformed into a set of rewrite rules, to normalize expressions (into a canonical form). (Cf. Arithmetic Expression Evaluation) cs776 (Prasad) L13Induction

Induction Principle for Lists P(xs) holds for any finite list xs if: P([]) holds, and Whenever P(xs) holds, it implies that for every x, P(x::xs) also holds. Prove: filter p (map f xs) = map f (filter (p o f) xs) Structural Induction on lists is related to traditional Mathematical Induction on the length of the list. cs776 (Prasad) L13Induction

Basis: Induction Step: then x:: (filter (p o f) xs) filter p (map f []) = filter p [] = [] map f(filter (p o f) []) = map f []= [] Induction Step: map f (filter (p o f) (x::xs)) = map f (if ((p o f) x) then x:: (filter (p o f) xs) else filter (p o f) xs ) case 1: (p o f) x = true case 2: (p o f) x = false cs776 (Prasad) L13Induction

case 1: case 2: map f ( x:: (filter (p o f) xs) ) = f x :: map f (filter (p o f) xs) = f x :: filter p (map f xs) (* induction hypothesis *) = filter p (f x :: map f xs) (* p (f x) holds *) = filter p (map f (x::xs)) case 2: filter p (map f (x::xs)) (* p (f x) does not hold *) = filter p (map f xs) = map f ( filter (p o f) xs ) cs776 (Prasad) L13Induction

Tailoring Induction Principle fun interval m n = if m > n then [] else m:: interval (m+1) n (* Quantity (n-m) reduces at each recursive call. *) Basis: P(m,n) holds for m > n Induction step: P(m,n) holds for m <= n, given that P(m+1,n) holds. cs776 (Prasad) L13Induction

Induction Proof with Auxiliaries fun [] @ xs = xs | (y::ys) @ xs = y:: (ys@xs); fun rev [] = [] | rev (x::xs) = (rev xs) @ [x]; Prove : rev (rev xs) = xs Basis: rev (rev []) = rev [] = [] Induction step: rev(rev (y::ys)) = rev ( (rev ys) @ [y] ) = (* via auxiliary result *) y :: ( rev (rev ys) ) = y :: ys (* ind. hyp. *) cs776 (Prasad) L13Induction

Auxiliary result rev ( zs @ [z] ) = z:: rev zs Induction Step: rev ((u::us) @ [z]) = rev ( u :: (us @ [z])) (* @ def *) = (rev (us @ [z])) @ [u] (* rev def*) = (z :: (rev us)) @ [u] (* ind hyp *) = z :: ((rev us) @ [u]) (* @ def *) = z :: rev (u::us) (* rev def*) (*Creativity required in guessing a suitable auxiliary result.*) Use grid to better appreciate how the computation simplifies expression. cs776 (Prasad) L13Induction

Weak Induction vs Strong Induction datatype exp = Var of string | Op of exp * exp; Prove that the number of occurrences of the constructors in a legal exp are related thus: #Var(e) = #Op(e) + 1 To show this result, we need the result on all smaller exps, not just the exps whose “node count” or “height” is one less. Motivates Strong/Complete Induction Principle. cs776 (Prasad) L13Induction

McCarthy’s 91-function fun f x = if x > 100 then x - 10 else f(f(x+11)) else 91 Need well-founded induction; To show the equivalence of the two definitions, we need to understand how the recursion unwinds. (In a typical definition, the complexity of a definition (in terms of the number of steps to rewrite a call to the primitive values) is obvious from the structure. In this example, that ordering is unintuitive.) cs776 (Prasad) L13Induction

Is f total? fun f x = if (x mod 2) = 0 then x div 2 else f(f(3*x+1)) View integers as (2i + 1) 2^k - 1?? That is, ODD*2^k - 1 let x = (2i + 1) 2^k - 1 f(f(3*x + 1)) = f(f(3*(2i+1)*2^k -3 +1)) = f(3*(2i+1)*2^{k-1}-1) That is, OTHER_ODD*2^(k-1) - 1 (ind. hyp.) (basis) k=0: even numbers (2*i+1)-1 => terminates View int x as (2i + 1) 2^k - 1 cs776 (Prasad) L13Induction