✩
✪
T H
E I
T
Y
O
F
E
D
I N B U
R
G
H
IJCAR-04 Tutorial
The Automation of Inductive
Theorem Proving
Alan Bundy
University of Edinburgh
–
1
✩
✪
The Need for Inductive Inference
Proof by mathematical induction required for reasoning about repetition, e.g. in:
• recursive datatypes: numbers, lists, sets, trees, etc;
• iterative or recursive computer programs;
• electronic circuits with loops or parameterisation.
So needed for proof obligations in formal methods.
–
2
✩
✪
Recursive Datatypes
Examples: natural numbers, lists, sets, trees.
Made From: base and step constructor functions.
Naturals: 0:nat and s : nat 7→ nat.
nat = {0, s(0), s(s(0)), s(s(s(0))), . . .}
Lists: nil:list(τ) and :: : τ × list(τ) 7→ list(τ).
list(τ) = {nil, α1 :: nil, α2 :: α1 :: nil, . . .}
where αi:τ.
Free Algebras: syntactic identity is equality. non-free: some non-identical terms are equal.
–
3
✩
✪
Recursive Definitions 1
Add Two Numbers:
0 + N = N
s(M) + N = s(M + N)
Even Numbers:
even(0) ¬even(s(0))
even(s(s(N))) ↔ even(N)
Append Two Lists:
nil <> L = L
(H :: T) <> L = H :: (T <> L)
–
4
✩
✪
Length of a List:
len(nil) = 0
len(H :: T) = s(len(T))
Reverse a List:
rev(nil) = nil
rev(H :: T) = rev(T) <> (H :: nil)
(Quickly) Reverse a List: (tail recursive)
qrev(nil, L) = L
qrev(H :: T, L) = qrev(T, H :: L)
Rotate a List:
rot(0, L) = L rot(s(N), nil) = nil
rot(s(N), H :: T) = rot(N, T <> (H :: nil))
–
5
✩
✪
Some Induction Rules
Natural Numbers – One-Step:
P(0), ∀n:nat. (P (n) → P(s(n)))
∀n:nat. P(n)
Natural Numbers – Two-Step:
P(0), P (s(0)), ∀n:nat. (P(n) → P (s(s(n))))
∀n:nat. P(n)
Lists – One-Step:
P(nil) ∀h:τ.∀t:list(τ). P(t) → P(h :: t)
∀l:list(τ). P(l)
–
6
✩
✪
Induction Formula:
∀n:nat.∀m:nat. Q(n, m)
Step Case:
∀n:nat. (∀m:nat. Q(n, m) → ∀m:nat. Q(s(n), m))
With Quantifiers Stripped:
Q(n, M) ⊢ Q(s(n), m)
NB – m becomes free variable in hypothesis; constant in conclusion!
This gives important freedom in inductive proof.
–
7
✩
✪
Theoretical Limitations of Inductive Inference
Incompleteness: (G¨odel)
formal theories exclude some theorems,
examples found by Kirby & Paris.
Undecidability of Halting Problem: (Turing)
no algorithmic test for termination.
Failure of Cut Elimination: (Kreisel).
need to generalise and introduce lemmas.
–
8
✩
✪
Gentzen’s Cut Rule:
A, Γ ⊢ ∆, Γ ⊢ A
Γ ⊢ ∆
lacks subformula property.
Cut Elimination Theorem:
Gentzen showed Cut Rule redundant in FOL.
Kreisel showed necessary in inductive theories.
Practical Consequences:
Need to generalise conjectures.
Need to introduce lemmas.
–
9
✩
✪
Need for Intermediate Lemmas
Conjecture:
∀l:list(τ). rev(rev(l)) = l
Rewrite Rules:
rev(nil) ⇒ nil
rev(H :: T ) ⇒ rev(T) <> (H :: nil)
Step Case:
rev(rev(t)) = t ⊢ rev(rev(h :: t)) = h :: t
⊢ rev(rev(t) <> (h :: nil))
| {z }
blocked
= h :: t
–
1
0
✩
✪
Introducing an Intermediate Lemma
Lemma Required:
rev(X <> Y ) ⇒ rev(Y ) <> rev(X)
Cut Rule: introduces this:
Original: Γ ⊢ rev(rev(l)) = l
New:
Γ, rev(X <> Y ) ⇒ rev(Y ) <> rev(X) ⊢ rev(rev(l)) = l
Justification: Γ ⊢ rev(X <> Y ) ⇒ rev(Y ) <> rev(X)
Heuristics needed: to speculate lemma.
–
1
1
✩
✪
Step Case Unblocked
rev(rev(t)) = t
⊢ rev(rev(t) <> (h :: nil)) = h :: t
⊢ rev(h :: nil) <> rev(rev(t)) = h :: t
⊢ (rev(nil) <> (h :: nil)) <> rev(rev(t)) = h :: t
⊢ (nil <> (h :: nil)) <> rev(rev(t)) = h :: t
⊢ (h :: nil) <> rev(rev(t)) = h :: t
⊢ h :: (nil <> rev(rev(t))) = h :: t
⊢ h :: rev(rev(t)) = h :: t
⊢ h = h ∧ rev(rev(t)) = t fertilization now possible.
–
1
2
✩
✪
Prove the following lemma by induction.
rev(X <> Y ) = rev(Y ) <> rev(X)
1. What induction variable and induction rule will you use? 2. State the base case(s) and give its(their) proof(s)
3. State the step case(s) and give its(their) proof(s)
Assume the axioms of equality, the following recursive definitions of <> and
rev, plus the following two further lemmas.
nil <> L = L
(H :: T) <> L = H :: (T <> L)
rev(nil) = nil
rev(H :: T) = rev(T) <> (H :: nil)
L <> nil = L
X <> (Y <> Z) = (X <> Y ) <> Z
–
1
3
✩
✪
Solution to Exercise 1
1. The proof works best by induction on X and one-step induction on lists.
2. Base Case:
rev(nil <> y) = rev(y) <> rev(nil)
rev(y) = rev(y) <> nil rev(y) = rev(y)
3. Step Case:
rev(t <> Y ) = rev(Y ) <> rev(t)
⊢ rev((h :: t) <> y) = rev(y) <> rev(h :: t)
⊢ rev(h :: (t <> y)) = rev(y) <> (rev(t) <> (h :: nil))
⊢ rev(t <> y) <> (h :: nil) = (rev(y) <> rev(t)) <> (h :: nil)
⊢ rev(t <> y) = rev(y) <> rev(t)
–
1
4
✩
✪
Blocked Step Case:
rev(rev(t)) = t ⊢ rev(rev(t) <> (h :: nil))
| {z }
blocked
= h :: t
Weak Fertilization:
⊢ rev(rev(t) <> (h :: nil)) = h :: rev(rev(t))
New Step Case:
rev(rev(t′) <> (h :: nil)) = h :: rev(rev(t′))
⊢ rev(rev(h′ :: t′) <> (h :: nil)) = h :: rev(rev(h′ :: t′))
⊢ rev((rev(t′) <> (h′ :: nil)) <> (h :: nil))
| {z }
blocked
= h :: rev(rev(t′) <> (h′ :: nil))
| {z }
blocked
–
1
5
✩
✪
Generalising a Sub-Term
Generalisation Required:
rev(t′′ <> (h :: nil)) = h :: rev(t′′)
Step Case Unblocked:
rev(t′′ <> (h :: nil)) = h :: rev(t′′) ⊢
rev((h′′ :: t′′) <> (h :: nil)) = h :: rev(h′′ :: t′′)
rev(h′′ :: (t′′ <> (h :: nil))) = h :: (rev(t′′) <> (h′′ :: nil))
rev(t′′ <> (h :: nil)) <> (h′′ :: nil) = (h :: rev(t′′)) <> (h′′ :: nil)
rev(t′′ <> (h :: nil)) = h :: rev(t′′) ∧ h′′ :: nil = h′′ :: nil
NB – <> definition applied right to left.
–
1
6
✩
✪
Induction Strategy
Induction
Base Step
Ripple
Wave
Fertilization Symbolic
Evaluation
Preconditions
Declarative: Rippling must be possible in step cases.
Procedural: Look-ahead to choose induction rule that will permit rippling.
–
1
7
✩
✪
Annotated Step Case
t <> (Y <> Z) = (t <> Y ) <> Z
⊢ h :: t ↑ <> (y <> z) = ( h :: t ↑ <> y) <> z
⊢ h :: t <> (y <> z) ↑ = h :: t <> y ↑ <> z
⊢ h :: t <> (y <> z) ↑ = h :: (t <> y) <> z ↑
⊢ h = h ∧ t <> (y <> z) = (t <> y) <> z ↑
• changing bits in orange boxes ↑ (wave-fronts).
• unchanging bits in red (skeleton).
–
1
8
✩
✪
Annotated Rewrite Rules
H :: T ↑ <> L ⇒ H :: T <> L ↑
X1 :: X2 ↑ = Y1 :: Y2 ↑ ⇒ X1 = Y1 ∧ X2 = Y2 ↑
• Called wave-rules.
• Note outward movement of wave-fronts.
• We reason backwards, so implication direction inverse to rewrite direction, e.g.,
X1 = Y1 ∧ X2 = Y2 → X1 :: X2 = Y1 :: Y2
–
1
9
✩
✪
Another View of Rippling
✩
✪
Exhaustive Rewriting (without Rippling)
Rewrite Rule: (X + Y ) + Z ⇒ X + (Y + Z)
Given: a + b = 42
Goal: ((c + d) + a) + b = (c + d) + 42
Rewritings:
× ((c + d) + a) + b = c + (d + 42)
× (c + (d + a)) + b = (c + d) + 42 √
(c + d) + (a + b) = (c + d) + 42
–
2
1
✩
✪
Selective Rewriting (with Rippling)
Wave Rule: (X + Y ) ↑ + Z ⇒ X + (Y + Z) ↑
Given: a + b = 42
Goal: ((c + d) + a) ↑ + b = (c + d) + 42 ↑
Ripple: (c + d) + (a + b) ↑ = (c + d) + 42 ↑
Non-Ripples:
((c + d) + a)) ↑ + b = c + (d + 42) ↑
c + (d + a) ↑ + b = (c + d) + 42 ↑
–
2
2
✩
✪
Bi-Directional Rippling
Wave-Rules:
(H :: T ) ↑ <> L ⇒ H :: (T <> L) ↑
H :: (T <> L) ↑ ⇒ (H :: T ) <> L ↑
Rippling:
rev(t′ <> (h :: nil)) = h :: rev(t′)
⊢ rev( (h′ :: t′) ↑ <> (h :: nil)) = h :: rev( h′ :: t′ ↑ )
⊢ rev( h′ :: (t′ <> (h :: nil)) ↑ ) = h :: (rev(t′) <> (h′ :: nil)) ↑
⊢ rev(t′ <> (h :: nil)) <> (h′ :: nil) ↑ = (h :: rev(t′)) <> (h′ :: nil) ↑
⊢ rev(t′ <> (h :: nil)) = h :: rev(t′) ∧ h′ :: nil = h′ :: nil ↑
–
2
3
✩
✪
Rippling Sideways and In
rot(len(t), t <> K) = K <> t
⊢ rot(len( h :: t ↑ ), h :: t ↑ <> ⌊k⌋) = ⌊k⌋ <> h :: t ↑
⊢ rot( s(len(t)) ↑ , h :: t <> ⌊k⌋ ↑ ) = ⌊k⌋ <> h :: t ↑
⊢ rot(len(t), t <> ⌊k⌋ <> (h :: nil) ↓ ) = ⌊k⌋ <> ( h :: t ↑ )
⊢ rot(len(t), t <> ⌊k⌋ <> (h :: nil) ↓ ) = ⌊k⌋ <> (h :: nil) ↓ <> t
⊢ rot(len(t), t <> ⌊k <> (h :: nil)⌋) = ⌊k <> (h :: nil)⌋ <> t
• ⌊Sinks⌋ provide alternative wave-front destination, available when free variables are in hypothesis.
• Wave-fronts have directions: out ↑ / in ↓ .
–
2
4
✩
✪
Sideways and Inwards Wave-rules
rot( s(N ) ↑ , H :: T ↑ ) ⇒ rot(N, T <> (H :: nil) ↓ )
L <> ( H :: T ↑ ) ⇒ L <> (H :: nil) ↓ <> T
(X <> Y ) <> Z ↓ ⇒ X <> ( Y <> Z ↓ )
–
2
5
✩
✪
Sideways Rippling: Another View
✩
✪
The Preconditions of Rippling
1. The induction conclusion contains a wave-front,
e.g. rot( s(len(t)) ↑
, h :: t <> ⌊k⌋ ↑ ) = . . ..
2. A wave-rule applies to this wave-front.
e.g. rot( s(N ) ↑
, H :: T ↑ ) ⇒ . . .. 3. Any condition is provable.
e.g. X 6= H → X ∈ H :: T
↑
⇒ X ∈ T .
4. Inserted inwards wave-fronts contain a sink or an outwards wave-front in their wave-hole.
e.g. rot(len(t), t <> ⌊k⌋ <> (h :: nil) ↓
) = . . ..
–
2
7
✩
✪
Alternate Annotations of Wave-Rules
X <> ( Y <> Z ↑ ) ⇒ (X <> Y ) <> Z ↑
X <> ( Y <> Z ↑ ) ⇒ (X <> Y ) ↓ <> Z
X <> (Y <> Z) ↓ ⇒ ( X <> Y ↓ ) <> Z
( X <> Y ↑ ) <> Z ⇒ X <> (Y <> Z) ↑
(X <> Y ) ↑ <> Z ⇒ X <> ( Y <> Z ↓ )
(X <> Y ) <> Z ↓ ⇒ X <> ( Y <> Z ↓ )
–
2
8
✩
✪
Well Annotated Terms
Normal form: one functor thick, e.g.
s(s(n)) ↑ 7→ s( s(n) ↑ )
↑
Absorption into sinks: of wave-fronts, e.g.
f(a, ⌊b⌋) ↓ 7→ ⌊f(a, b)⌋
Absorption of nested annotation: not in wave-holes, e.g.
f( g(a) ↑ , b)
↑
7→ f(g(a), b) ↑
–
2
9
✩
✪
Informal Definition of Wave-Rule Matching
LHS = term
Matching annotation: There are two conditions:
1. all annotation in LHS matches annotation in term.
2. all annotation in term matches annotation or variable in
LHS,
Matching variables: Variables match as in normal matching.
Matching term structure: as in normal matching.
–
3
0
✩
✪
Examples of Matches and Non-Matches
LHS of wave-rule Term subst
s(X) s(x) do match X = x
s(X) s( s(x) ↑ ) do match X = s(x) ↑
s(X) ↑ s( s(x) ↑ ) do not match
s(X) ↑ s(x) do not match
s(X) + Y
↑
s(x) ↑ +y
↑
do not match
s(X + Y ) ↑ s( s(a × b) ↑ + c) ↑
do match X = s(a × b) ↑ ,
Y = c
–
3
1
✩
✪
Skeletons: omit wave-fronts,
e.g. skel(rev( h :: t ↑ )) = {rev(t)}.
Multiple Skeletons: e.g.
skel(rev( X <> Y ↑ )) = {rev(X), rev(Y )}
Weakenings: absorb all but one skeleton,
e.g. rev( X <> Y ↑ )
Skeleton Preservation: in wave-rules, e.g.
X1 <> X2 ↑ = Y1 <> Y2 ↑ ⇒ X1 = Y1 ∧ X2 = Y2 ↑
skeleton of both sides: {X1 = Y1, X2 = Y2}
–
3
2
✩
✪
Termination of Rippling
Define measure: from annotated terms to well-founded set.
Define wave-rule: to be measure decreasing from LHS to
RHS,
(and skeleton preserving).
Show measure decreases: when wave-rules applied, because
preserved by substitution and subterm replacement.
–
3
3
✩
✪
Decrease of Wave Measure
+
+
s(x)✡✡↑ ❏❏y
☞☞ ▲▲
z
[1,0,0]
+
s(+) ↑
x
✂✂ ❇❇
y
✡ ✡ ❏❏
z
[0,1,0]
s(+) ↑
+
x
✂✂ ❇❇
y
☞☞ ▲▲
z
[0,0,1]
–
3
5
✩
✪
Multi-Hole Rule:
binom( s(X) ↑ , s(Y ) ↑ ) ⇒ binom(X, s(Y ) ↑ ) + binom(X, Y )
↑
Single-Hole Weakenings:
binom( s(X) ↑ , s(Y ) ↑ ) ⇒ binom(X, s(Y ) ↑ ) + binom(X, Y )
↑
binom( s(X) ↑ , s(Y ) ↑ ) ⇒ binom(X, s(Y )) + binom(X, Y ) ↑
Form Measure of Each Weakening:
binom(., .) + binom(X, Y ) ↑
X
✡ ✡ ❏❏
s(Y ) ↑
⇒ 1
0
✄✄ ❈❈
1
⇒
1
1
–
3
6
✩
✪
General Case 2
Combine Measures of Weakenings: using multi-sets,
out( binom(X, s(Y ) ↑ ) + binom(X, Y )
↑
) = {[1,1],[0,1]}
using multi-set ordering.
Inwards Measure: similar, but order inverted, only well-founded due to skeleton preservation.
Overall Measure: lexicographic combination of outwards and inwards.
–
3
7
✩
✪
Ground Difference Unification Algorithm
Mismatching Terms Annotated
Term 1 Term 2 Term 1
rev(h :: (t <> l)) rev(t <> l) rev( h :: (t <> l) )
h :: (t <> l) t <> l h :: (t <> l)
(h <> t) <> l h <> l ( h <> t ) <> l
s(a) + b s(a) s(a) + b
(n × m) +m n × m (n × m) + m
• Difference unification algorithm similar regular unification,
but with option to hide mis-matching function symbols in wave-fronts.
• Ground difference unification does not instantiate variables.
–
3
8
✩
✪
Automatic Annotation of Wave-Rules 1
• Given equation, equivalence, etc., e.g.
X + (Y + Z) = (X + Y ) + Z
• Ground difference unify to get all possible wave annotations.
X + ( Y + Z ) = (X + Y ) + Z
X + ( Y + Z ) = ( X + Y ) + Z
... ... ...
–
3
9
✩
✪
• Calculate measures, e.g.
out(X + ( Y + Z )) = [1, 0] out( (X + Y ) + Z ) = [0, 1]
out(X + ( Y + Z )) = [1, 0] out(( X + Y ) + Z) = [1, 0]
• Determine wave-front directions and rule orientation to ensure decreasing measure, e.g.
X + ( Y + Z ↑ ) ⇒ (X + Y ) + Z ↑
X + ( Y + Z ↑ ) ⇒ ( X + Y ↓ ) + Z
( X + Y ↑ ) + Z ⇒ X + ( Y + Z ↓ )
... ... ...
–
4
0
✩
✪
Advantages of Rippling
Selective: not exhaustive rewriting.
Bi-directional: rewriting.
Termination: of any set of wave-rules, despite bidirectionality.
Heuristic basis: for choosing lemmas, generalisations and inductions.
–
4
1
✩
✪
Exercise 2
1. Annotate the following equation as a wave-rule in as many ways as you can.
sum(H :: T) = s(sum(T ))
2. Give the measure of each side one of your wave-rules.
–
4
2
✩
✪
1.
sum( H :: T ↑ ) ⇒ s(sum(T)) ↑ (1)
s(sum(T)) ↓ ⇒ sum( H :: T ↓ ) (2)
sum( H :: T ↑ ) ⇒ s(sum(T)) ↓ (3)
Wave-rule (3) is a bit of an aberration.
2.
Wave Outer Inner Rule LHS RHS LHS RHS
(1) [1, 0] [0,1] [0,0] [0, 0] (2) [0, 0] [0,0] [1,0] [0, 1] (3) [1, 0] [0,0] [0,0] [1, 0]
–
4
3
✩
✪
Ripple-Based Heuristics
Induction Rules:
choose induction
which best
supports rippling.
Lemmas:
design wave-rule
to unblock ripple.
Generalisation:
generalise goal
to allow wave-rule to
apply.
–
4
4
✩
✪
Induction Variable Selection
∀t, l, m:list(nat).
t <> (l <> m) = (t <> l) <> m
ւ ↓ ց
t ↑ <> (l <> m) = t <> ( l ↑ <> m) = t <> (l <> m ↑ ) = ( t ↑ <> l) <> m (t <> l ↑ ) <> m (t <> l) <> m ↑
–
4
5
✩
✪
. . . :: . . .
P(nil)
∀h:τ.∀t:list(τ). (P(t) → P( h :: t ↑ ))
∀l:list(τ). P(l)
. . . :: . . . :: . . .
P(nil)
∀h:τ. P(h :: nil)
∀h1, h2:τ.∀t:list(τ). (P(t) → P ( h1 :: h2 :: t ↑ ))
∀l:list(τ). P(l)
. . . <> . . .
P(nil)
∀h:τ. P(h :: nil)
∀t1, t2:list(τ). (P(t1) ∧ P (t2) → P( t1 <> t2 ↑ ))
∀l:list(τ). P(l)
... ...
–
4
6
✩
✪
Ripple Analysis 1
Wave Rule:
( X :: Y ↑ ) <> Z ⇒ X :: (Y <> Z) ↑
Wave Occurrences:
∀t, l, m:list(nat). t ↑ <> ( l ↑ <> m) = ( t ↑ <> l) <> m
Choice of Induction Variable:
variable occurrences
t all unflawed
l some unflawed, some flawed
m all flawed
t is best choice since it has the fewest flaws.
–
4
7
✩
✪
Wave Rule:
( X :: Y ↑ ) <> Z ⇒ X :: (Y <> Z) ↑
Induction Conclusion Needed:
h :: t ↑ <> (l <> m) = ( h :: t ↑ <> l) <> m
Choice of Induction Rule:
wave-front induction rule
X :: . . . ↑ . . . :: . . . X1 :: X2 :: . . . ↑ . . . :: . . . :: . . .
. . . <> . . . ↑ . . . <> . . .
X :: . . . ↑ suggests . . . :: . . . induction rule.
–
4
8
✩
because only one-level look-ahead.
–
4
9
✩
✪
• Precondition 1 is true:
1. The induction conclusion contains a wave-front.
even( s(len(t <> l)) ↑ ) ↔ . . .
(other side similar)
• Precondition 2 is false:
2. A wave-rule applies to this wave-front.
however, there is a near miss (only wave-fronts mismatch):
even( s(s(X)) ↑ ) ⇒ even(X)
• Preconditions 3 and 4 are inapplicable. 3. Any condition is provable.
4. Inserted inwards wave-fronts contain a sink or an outwards wave-front.
–
5
0
✩
✪
Induction Revision Critic: Invocation
Ind_Strat 1
Induction
Base Step
Ripple
Wave Blocked
Induction Critic
Ind_Strat 2
–
5
1
✩
✪
Induction Revision Critic: Application
Ind_Strat 1
(now abandoned)
Ind_Strat 2
Base Step
Induction
–
5
2
✩
Calculation of New Induction Term:
✩
✪
Conjecture:
∀n:nat. even(n + n)
Wave-Rules:
s(X) ↑ + Y ⇒ s(X + Y ) ↑
even( s(s(X)) ↑ ) ⇒ even(X)
Induction Conclusion:
even( s(n) ↑ + s(n) ↑ )
even( s(n + s(n) ↑ )
↑
)
| {z }
blocked
–
5
5
✩
✪
Failure of Ripple Preconditions
• Precondition 1 is true:
1. The induction conclusion contains a wave-front.
even( s(n + s(n) ↑ )
↑
)
(in fact, two)
• Precondition 2 is false:
2. A wave-rule applies to this wave-front. (to neither of them)
• Preconditions 3 and 4 are inapplicable. 3. Any condition is provable.
4. Inserted inwards wave-fronts contain a sink or an outwards wave-front.
–
5
6
✩
✪
Lemma Speculation Critic: Invocation
Ind_Strat 1
Induction
Base Step
Ripple
Wave Blocked
Lemma Critic
–
5
7
✩
✪
Lemma Speculation Critic: Application
Ind_Strat 1
Induction
Base Step
Ripple
Wave Unblocked
Cut
Lemma
–
5
8
✩
✪
Blocked Goal:
even( s(n + s(n) ↑ )
↑
)
focus on innermost wave-front.
Schematic Wave-Rule:
X + s(Y ) ↑ ⇒ F(X + Y ) ↑
Continued Ripple:
even( s(F(n + n)) ↑ ) even(n + n)
where F = s.
Final Wave-Rule:
X + s(Y ) ↑ ⇒ s(X + Y ) ↑ which must now be proved.
–
5
9
✩
✪
Exercise 3
Apply the lemma speculation critic to the step case of the proof of:
rev(X <> Y ) = rev(Y ) <> rev(X)
in the context where only the equality axioms and recursive definitions of
<> and rev are available.
nil <> L = L
(H :: T) <> L = H :: (T <> L)
rev(nil) = nil
rev(H :: T) = rev(T) <> (H :: nil)
Specify the blocked goal, schematic wave-rule, continued ripple and final wave-rule.
–
6
0
✩
✪
Blocked Goal:
rev(t <> y) <> (h :: nil) ↑ = rev(y) <> (rev(t) <> (h :: nil)) ↑
| {z }
blocked
Schematic Wave-Rule:
U <> (V <> W) ↑ ⇒ F(U <> V , W) ↑
Continued Ripple:
rev(t <> y) <> (h :: nil) ↑ = F(rev(y) <> rev(t), h :: nil) ↑
rev(t <> y) = rev(y) <> rev(t)
where F ≡<>.
Final Wave-Rule:
U <> (V <> W) ↑ ⇒ U <> V <> W ↑
–
6
1
✩
✪
Conjecture:
∀t:list(τ). rev(t) = qrev(t, nil)
Wave-Rules:
rev( H :: T ↑ ) ⇒ rev(T ) <> H :: nil ↑
qrev( H :: T ↑ , L) ⇒ qrev(T , H :: L ↓ )
Induction Conclusion:
rev( h :: t ↑ ) =qrev( h :: t ↑ , nil)
rev(t) <> h :: nil ↑ = qrev( h :: t ↑ , nil)
| {z }
missing sink
–
6
2
✩
✪
Failure of Ripple Preconditions
1. The induction conclusion contains a wave-front.
. . . = qrev( h :: t ↑ , nil)
2. A wave-rule applies to this wave-front.
qrev( H :: T ↑ , L) ⇒ qrev(T , H :: L ↓ )
3. Any condition is provable — trivially, no condition.
Precondition 4 is false:
4. Inserted inwards wave-fronts contain a sink or an outwards wave-front.
. . . = qrev(t, h :: nil ↓ )
–
6
3
✩
✪
Generalisation Critic: Invocation
Ind_Strat 1
Induction
Base Step
Ripple
Wave Blocked
Gen Critic
Ind_Strat 2 General-isation
–
6
4
✩
✪
Generalisation Critic: Application
Ind_Strat 1
(now abandoned)
Ind_Strat 2 Generalisation
Cut
Justification Generalised Conjecture
–
6
5
✩
✪
Original Conjecture:
∀t:list(τ). rev(t) = qrev(t, nil)
Disallowed Ripple:
. . . = qrev(t, h :: nil ↓ )
Schematic Conjecture:
∀t:list(τ).∀l:list(τ). F(rev(t), l) = qrev(t, G(l))
Induction Hypothesis:
F(rev(t), L) = qrev(t, G(L))
where F, G and L are meta-variables.
–
6
6
✩
✪
New Step Case:
F(rev( h :: t ↑ ),⌊l⌋) = qrev( h :: t ↑ , G(⌊l⌋))
F( rev(t) <> h :: nil
↑
,⌊l⌋) = qrev(t, h :: G(⌊l⌋) ↓ )
rev(t) <> ( h :: nil <> F′( rev(t) <> (h :: nil) ↑ ,⌊l⌋)
↓
) = qrev(t, h :: G(⌊l⌋) ↓ )
rev(t) <> ( h :: F′( rev(t) <> (h :: nil)
↑
,⌊l⌋)
↓
) = qrev(t, h :: G(⌊l⌋)
↓
)
rev(t) <> (⌊h :: l⌋) = qrev(t,⌊h :: l⌋)
where F =<>, F′ = λX.λY. Y and G = λX. X.
Key Wave-Rule: ( X <> Y ↑ ) <> Z ⇒ X <> ( Y <> Z ↓ )
Generalised Conjecture: ∀t:list(τ).∀l:list(τ). rev(t) <> l = qrev(t, l)
–
6
7
✩
✪
Pattern of Failure Suggests Patch
Precondition Generalization Case analyse Induction Lemma revision discovery
1 ⋆ ⋆ ⋆ ⋆
2 ⋆ ⋆ ◦ •
3 ⋆ •
4 •
⋆ = success ◦ = partial success • = failure
–
6
8
✩
✪
No Conjecture (i) (ii)
T3 len(X <> Y) = len(Y) +len(X) L1
T4 len(X <> X) = double(len(X)) L2
T5 len(rev(X)) = len(X) L3
T8 nth(X, nth(Y, Z)) = nth(Y, nth(X, Z)) L4, L5
T10 rev(rev(X)) = X L8
T11 rev(rev(X) <> rev(Y)) = Y <> X L9, L10
T12 qrev(X, Y) = rev(X) <> Y L11
T13 half(X +X) = X L1
T14 ordered(isort(X)) L12
T16 even(X +X) L1
T21 rotate(len(X), X <> Y ) = Y <> X L11, L13
T22 even(len(X <> Y)) ↔ even(len(Y <> X)) ⋆ L14
T23 half(len(X <> Y)) = half(len(Y <> X)) ⋆ L15
T26 half(X +Y) = half(Y +X) ⋆ L17
(i) induction revision, (ii) lemma discovery
–
6
9
✩
✪
No Conjecture (ii) (iii) (iv)
T27 rev(X) = qrev(X, nil) G1
T29 rev(qrev(X, nil)) = X G3,G4
T30 rev(rev(X) <> nil) = X G5,G6
T32 rotate(len(X), X) = X G9
T33 f ac(X) = qf ac(X,1) G10
T35 exp(X, Y) = qexp(X, Y,1) G12
T36 X ∈ Y → X ∈ (Y <> Z) ⋆
T39 X ∈ nth(Y, Z) → X ∈ Z ⋆
T40 X ⊂ Y → (X ∪ Y = Y) ⋆
T42 X ∈ Y → X ∈ (Y ∪ Z) ⋆
T45 X ∈ insert(X, Y) ⋆
T48 len(isort(X)) = len(X) L18 ⋆
T49 X ∈ isort(Y) → X ∈ Y L19 ⋆
T50 count(X, isort(Y)) = count(X, Y) L20, L21 ⋆
(ii) lemma discovery, (iii) generalization, (iv) casesplit
–
7
0
✩
✪
No Lemma
L1 X +s(Y) = s(X +Y)
L3 len(X <> Y :: nil) = s(len(X))
L8 rev(X <> (Y :: nil)) = Y :: rev(X)
L10 rev((X <> Y :: nil) <> nil) = Y :: rev(X <> nil)
L11 (X <> (Y :: nil)) <> Z = X <> (Y :: Z)
L12 ordered(Y) → ordered(insert(X, Y))
L14 even(len(W <> Z)) → even(len(W <> X :: Y :: Z))
L15 len(X <> Y :: Z :: nil) = s(s(len(X)))
L17 half(X +s(s(Y))) = s(half(X +Y))
L18 len(insert(X, Y)) = s(len(Y))
L19 X 6= Y → (X ∈ insert(Y, Z) → X ∈ Z)
L20 count(X, insert(X, Y)) = s(count(X, Y))
L21 X 6= Y → (count(X, insert(Y, Z)) = count(X, Z))
L22 (X <> Y) <> Z = X <> (Y <> Z)
L23 (X ∗Y )∗Z = X ∗(Y ∗Z)
L24 (X +Y) +Z = X + (Y +Z)
–
7
1
✩
✪
Results: Generalizations
No Generalization Lemmata
G1 rev(X) <> Y = qrev(X, Y ) L22
G2 revf lat(X) <> Y = qrevf lat(X, Y ) L22
G3 rev(qrev(X, Y )) = rev(Y ) <> X L11
G4 rev(qrev(X, rev(Y))) = Y <> X L8,L11
G5 rev(rev(X) <> Y ) = rev(Y ) <> X L11
G6 rev(rev(X) <> rev(Y)) = Y <> X L8,L11
G7 qrev(qrev(X, Y ), nil) = rev(Y ) <> X L11
G8 qrev(qrev(X, rev(Y )), nil) = Y <> X L8,L11
G9 rotate(len(X), X <> Y ) = Y <> X L11, L22
G10 f ac(X)∗ Y = qf ac(X, Y ) L23
G11 (X ∗ Y ) +Z = mult(X, Y, Z) L24
G12 exp(X, Y ) ∗ Z = qexp(X, Y, Z) L23
–
7
2
✩
✪
• Negative theoretical results create special search problems.
• These problems common in practice:
induction rule choice, lemmas & generalisations.
• Proof plan for induction based on rippling.
• Rippling: selective; bidirectional; terminating and offers heuristic solution to special problems.
– Ripple analysis: Induction rules chosen to suit rippling.
– Different patterns of proof breakdown suggest different
patches.
– Ripple breakdowns suggest: induction revision; lemma
speculation or generalisation.
– Implemented via proof planning with critics.
–
7
3
✩
✪
Practical Session
• Attempt to prove theorems with XBarnacle and
IsaPlanner systems.
• XBarnacle rather old but easier to use.
Interactive gui on old Clam proof planner.
• IsaPlanner latest experimental version, but functionality
not yet complete.
Proof planner built on Isabelle prover.
–
7
4
