Automated Reasoning Induction Alan Bundy Automated Reasoning - - PowerPoint PPT Presentation

Automated Reasoning Lecture 14, page 1 Induction

Automated Reasoning Induction

Alan Bundy

Automated Reasoning Lecture 14, page 2 Induction

A Summation Problem

• What is 1 + 2 + 3 + .... + 999 + 1000?
• Is there a formula for the general solution?
• Can we prove this? Automatically?

Automated Reasoning Lecture 14, page 3 Induction

A Summation Problem

• What is 1 + 2 + 3 + .... + 999 + 1000?
• Is there a formula for the general solution?
• Answer (due to Gauss):

1 + 2 + ... + n = ½ · n · (n + 1)

• Can we prove this? Automatically?

– Rewriting and model checking alone are not powerful

enough, as there are an infinite number of cases.

– We use the proof technique of induction (this lecture)

and the automation heuristic rippling (next lectures).

Automated Reasoning Lecture 14, page 4 Induction

Gauss' theorem can be proved using a technique known as mathematical induction. The simplest form of mathematical induction proves that a statement holds for all natural numbers and consists of two steps: Base case: Show the statement holds for 0 Step case: Show that if the statement holds for any natural number n then it must hold for n+1

Mathematical Induction

induction conclusion (IC) induction hypothesis (IH)

Automated Reasoning Lecture 14, page 5 Induction

Proving Gauss' Theorem

To prove Gauss' theorem using this form of induction it is useful to start our summation at 0 (rather than 1): 0 + 1 + 2 + ... + n = ½·n·(n + 1) Proof:

Base case: when n=0 we have 0 = ½ · 0 · 1 Step case: assume the formula holds for n; then 0 + 1 + 2 + ... + n + (n+1) = (0 + 1 + 2 + ... + n) + (n+1) = ½ ·n·(n + 1) + 1·(n+1) = (½·n + 1)·(n + 1) = (½)·(n+1)·(n+2) This shows that the formula holds for n+1 (QED).

by induction hypothesis

Automated Reasoning Lecture 14, page 6 Induction

Types of Mathematical Induction

• So far, we have looked at weak induction:
• Complete induction is stronger:

– Complete induction is used to prove the fundamental

theorem of arithmetic, that every natural number is a product of primes.

P0 ∀n:nat.PnPsn ∀n:nat.Pn P0 ∀n:nat.∀k :nat.k≤n PkPsn ∀ n:nat.Pn

Automated Reasoning Lecture 14, page 7 Induction

Recursive Functions

Functions are often defined recursively (in terms of themselves). Induction is a natural way to prove many properties of such functions, e.g.

even(0) = true even(s(0)) = false even(s(s(N))) = even(N) To prove even(2·n):

Base case n=0

even(2·0) = even(0) = true

Step case Assume induction hypothesis even(2·n) We need to show even(2·(n+1))

even(2·(n+1)) = even(s(s(2·n))) (by rewriting) = even(2·n) (by definition) = true (by hypothesis)

Automated Reasoning Lecture 14, page 8 Induction

Recursive Datatypes: Lists

• Datatypes, such as lists, sets and trees, are also defined

in a recursive manner. A list is defined as:

– either the empty list (denoted by nil or []), or – an element combined with a list

• call the element h (head) and the list t (tail)
• the combination is written h#t

(pronounced “h cons t”)

• Example:

[a, b, c] = a # [b, c] = a # (b # [c]) = a # (b # (c # [])))

• This is recursive: list is defined in terms of a list
• The function len can also be defined recursively:

len(nil) = 0 len(H#T)=s(len(T))

Automated Reasoning Lecture 14, page 9 Induction

Structural Induction

• To prove properties of recursive datatypes, we use a

generalised type of induction called structural induction: To prove that a property holds for any instance of a recursively-defined structure, it is sufficient to prove:

Base case: the property holds for the minimal structures in the definition Step case: if the property holds for the substructures of an arbitrary structure S then the property holds for S also.

Automated Reasoning Lecture 14, page 10 Induction

Well-Founded Orderings

• The induction argument uses the step case as follows:

P(n) is true because P(n') is true, for some n' < n; and P(n') is true because P(n'') is true, for some n'' < n'; ...

• To be valid, this argument cannot go on forever

– It requires an ordering; and – It must terminate (like our use of measures in lecture 8) – This is called a well-founded partial ordering

• Examples:

– For the naturals, the usual ordering (less than) works – For lists, say L' < L whenever list L' is the tail of list L.

Under this ordering, nil is the unique minimal element

Automated Reasoning Lecture 14, page 11 Induction

Structural Induction (II)

• For lists, a structural induction proof that some property

P P holds for all lists consists of two parts. We must prove: (1) P(nil) is true (2) if P(t) is true for any list t, then P(h#t) must be true for any h

• Our induction rule for lists can be written:

P(nil), ∀h:A.∀t:list(A). P(t) → P(h#t) ∀l:list(A). P(l)

Automated Reasoning Lecture 14, page 12 Induction

Recursive Definitions (I)

Append Two Lists:

nil @ L = L

(H # T) @ L = H # (T @ L)

List Membership:

X mem nil = False X mem (H # T) = (if H=X then True else X mem T)

Butlast of a List:

butlast nil= nil butlast (H # T) = (if T=nil then nil else H # butlast T)

Convention that upper case letters are free variables

Automated Reasoning Lecture 14, page 13 Induction

Recursive Definitions (II)

Length of a List:

len(nil) = 0 len(H # T) = s(len(T))

Reverse a List:

rev(nil) = nil rev(H # T) = rev(T) @ (H # nil)

(Quickly) Reverse a List:

qrev(nil, L) = L qrev(H # T, L) = qrev(T, H # L)

Rotate a List:

rot(0,L) = L

rot(s(N), nil) = nil rot(s(N), H # T) = rot(N, T @ (H # nil))

Automated Reasoning Lecture 14, page 14 Induction

Conjecture: ∀k,l,m:list (A). k @ (l @ m)

= (k @ l) @ m

We need to choose a variable to induct on. If we use h#t-induction on k we get:

Base Case: nil @ (l @ m)

= (nil @ l) @ m

Step Case:

t @ (L @ M) = (t @ L) @ M

(h # t) @ (l @ m) = ((h # t) @ l) @ m

Associativity of @

IH (L and M are free variables) IC

Convention that lower case letters are bound variables or constants

Automated Reasoning Lecture 14, page 15 Induction

Proving the Base Case

Rewrite rule:nil @ Y

⇒ Y (1)

Equality Axiom (reflexivity):

X=X

Proof:

nil @ (l @ m) = (nil @ l) @ m by (1)

⇔

l @ m = (nil @ l) @ m by (1)

⇔

l @ m = l @ m

reflexivity ⇔

true

no assumptions (the left of the sequent is empty) not to be confused with ⇔ which was used for bi-directional rewriting we use the convention that an underlined term is being rewritten to the purple term in the next line

Automated Reasoning Lecture 14, page 16 Induction

Rewrite rule: (X # Y) @ Z

X # ⇒ (Y @ Z) (2)

Proof:

t @ (L @ M) = (t @ L) @ M (h # t) @ (l @ m) = ((h # t) @ l) @ m by (2) twice

⇔ h # (t @ (l @ m)) = (h # (t @ l)) @ m

by (2)

⇔ h # (t @ (l @ m)) = h # ((t @ l) @ m)

replacement ⇔ h = h ∧ t @ (l @ m) = (t @ l) @ m by IH

⇔ h = h

by reflexivity ⇔ true

Proving the Step Case

Since every step is reversible the induction conclusion is true given the induction hypothesis. Thus we have proven the step case.

Automated Reasoning Lecture 14, page 17 Induction

Fertilization

• In proving the step case we aim to make the IC

resemble the IH

– we want an instance of the IH to appear in the IC

• We then use the IH to prove the IC: Strong

Fertilization

• Rewriting can get blocked before we reach an

instance of the IH in the IC

• However, we may have part of the IH in the IC
• In this situation can use the IH as a rewrite rule:

Weak Fertilization

Automated Reasoning Lecture 14, page 18 Induction

Theoretical Limitations

• f Inductive Inference

Incompleteness: (Gödel)

formal theories exclude some truths; examples found by Kirby & Paris.

Undecidability of Halting Problem: (Turing)

no algorithmic test for termination.

Failure of Cut Elimination: (Kreisel)

need to generalise and introduce lemmas.

Automated Reasoning Lecture 14, page 19 Induction

(Lack of) Cut Elimination

Gentzen's Cut Rule: lacks subformula property. Cut Elimination Theorem: Gentzen showed Cut Rule redundant in FOL. Kreisel showed necessary in inductive theories. Practical Consequences: Need to generalise conjectures. Need to introduce lemmas.

A,   A

 ∇ ∇

Automated Reasoning Lecture 14, page 20 Induction

Need for Intermediate Lemmas

Conjecture: Rewrite rules: Step Case:

∀l:list(A). rev(rev(l)) = l rev(nil) ⇒ nil (3) rev(H # T) ⇒ rev(T) @ (H # nil) (4) rev(rev(t)) = t rev(rev(h # t)) = h # t

by (4) ⇔ rev(rev(t) @ (h # nil)) = h # t

blocked

Automated Reasoning Lecture 14, page 21 Induction

Introducing an Intermediate Lemma

Lemma Required: Cut Rule: introduces this Original:  rev(rev(l)) = l New:

, rev(X @ Y) = rev(Y) @ rev(X) rev(rev(l))=l

Justification:  rev(X @ Y) = rev(Y) @ rev(X)

Heuristics are needed to speculate the lemma.

rev(X @ Y) = rev(Y) @ rev(X) (5)

Automated Reasoning Lecture 14, page 22 Induction

Step Case Unblocked

rev(rev(t)) = t rev(rev(h # t)) = h # t

by (4)

⇔rev(rev(t) @ (h # nil)) = h # t

by (5)

⇔rev(h # nil) @ rev(rev(t)) = h # t

by (4)

⇔(rev(nil) @ (h # nil)) @ rev(rev(t)) = h # t

by (3)

⇔(nil @ (h # nil)) @ rev(rev(t)) = h # t

by (1)

⇔(h # nil) @ rev(rev(t)) = h # t

by (2)

⇔h # (nil @ rev(rev(t))) = h # t

by (3)

⇔h # rev(rev(t)) = h # t

replacement ⇔h = h

∧ rev(rev(t)) = t

fertilization now possible.

(previously blocked)

Automated Reasoning Lecture 14, page 23 Induction

Reverse Example Revisited

rev(rev(t)) = t rev(rev(t) @ (h # nil)) = h # t

Blocked Step Case: Instead of speculating a lemma to overcome the blocked step case, we could try weak fertilization. Weak Fertilization uses the IH to rewrite part of our blocked conclusion. In the example above our conclusion becomes: Unfortunately, we are still blocked with this new

• conclusion. We need to launch another inductive proof

to show the truth of (♠).

rev(rev(t) @ (h # nil)) = h # rev(rev(t)) (♠)

blocked

Automated Reasoning Lecture 14, page 24 Induction

Proving New Conclusion

rev(rev(t) @ (h # nil)) = h # rev(rev(t)) (♠)

To prove (♠) we can try and induct on t. In this case we have the following step case:

rev(rev(t') @ (h # nil)) = h # rev(rev(t')) rev(rev(h' # t') @ (h # nil)) = h # rev(rev(h' # t'))

by (4) ⇔

rev( rev(t') @ (h' # nil)) @ (h # nil))

twice

= h # rev(rev(t') @ (h' # nil))

blocked blocked

Automated Reasoning Lecture 14, page 25 Induction

Generalising a Sub-Term

The blocked step case requires a generalisation: rev(t' @ (h # nil)) = h # rev(t')

Again we can try to prove this using induction (on t').

Step Case:

rev(t'' @ (h # nil)) = h # rev(t'') rev((h'' # t'') @ (h # nil)) = h # rev(h'' # t'')

by (2)+(4)⇔ rev(h'' # (t'' @ (h # nil))) = h # (rev(t'') @ (h'' # nil))

(2)* ⇔ rev(t'' @ (h # nil)) @ (h'' # nil) = (h # rev(t'')) @ (h'' # nil)

• replace. ⇔

rev(t'' @ (h # nil)) = h # rev(t'') ∧ h'' # nil = h'' # nil *: @ definition applied right to left.

fertilization now possible.

Automated Reasoning Lecture 14, page 26 Induction

A Method for Inductive Proof

• 1. Symbolic_Evaluation ORELSE
• 2. Induction THEN

base_cases Symbolic_Evaluation ⇒ step_cases (Symbolic_Evaluation THEN ⇒ Fertilization) Symbolic evaluation may need lemmas

Automated Reasoning Lecture 14, page 27 Induction

Summary

• Recursive functions and datatypes
• Inductive proofs

– may need to generalise conjecture to be proven – may need to speculate and prove additional

lemmas

• Next time: a heuristic to guide inductive proofs

known as Rippling