1 % |
|
2 \begin{isabellebody}% |
|
3 \def\isabellecontext{Itrev}% |
|
4 % |
|
5 \isadelimtheory |
|
6 % |
|
7 \endisadelimtheory |
|
8 % |
|
9 \isatagtheory |
|
10 % |
|
11 \endisatagtheory |
|
12 {\isafoldtheory}% |
|
13 % |
|
14 \isadelimtheory |
|
15 % |
|
16 \endisadelimtheory |
|
17 % |
|
18 \isamarkupsection{Induction Heuristics% |
|
19 } |
|
20 \isamarkuptrue% |
|
21 % |
|
22 \begin{isamarkuptext}% |
|
23 \label{sec:InductionHeuristics} |
|
24 \index{induction heuristics|(}% |
|
25 The purpose of this section is to illustrate some simple heuristics for |
|
26 inductive proofs. The first one we have already mentioned in our initial |
|
27 example: |
|
28 \begin{quote} |
|
29 \emph{Theorems about recursive functions are proved by induction.} |
|
30 \end{quote} |
|
31 In case the function has more than one argument |
|
32 \begin{quote} |
|
33 \emph{Do induction on argument number $i$ if the function is defined by |
|
34 recursion in argument number $i$.} |
|
35 \end{quote} |
|
36 When we look at the proof of \isa{{\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}} |
|
37 in \S\ref{sec:intro-proof} we find |
|
38 \begin{itemize} |
|
39 \item \isa{{\isaliteral{40}{\isacharat}}} is recursive in |
|
40 the first argument |
|
41 \item \isa{xs} occurs only as the first argument of |
|
42 \isa{{\isaliteral{40}{\isacharat}}} |
|
43 \item both \isa{ys} and \isa{zs} occur at least once as |
|
44 the second argument of \isa{{\isaliteral{40}{\isacharat}}} |
|
45 \end{itemize} |
|
46 Hence it is natural to perform induction on~\isa{xs}. |
|
47 |
|
48 The key heuristic, and the main point of this section, is to |
|
49 \emph{generalize the goal before induction}. |
|
50 The reason is simple: if the goal is |
|
51 too specific, the induction hypothesis is too weak to allow the induction |
|
52 step to go through. Let us illustrate the idea with an example. |
|
53 |
|
54 Function \cdx{rev} has quadratic worst-case running time |
|
55 because it calls function \isa{{\isaliteral{40}{\isacharat}}} for each element of the list and |
|
56 \isa{{\isaliteral{40}{\isacharat}}} is linear in its first argument. A linear time version of |
|
57 \isa{rev} reqires an extra argument where the result is accumulated |
|
58 gradually, using only~\isa{{\isaliteral{23}{\isacharhash}}}:% |
|
59 \end{isamarkuptext}% |
|
60 \isamarkuptrue% |
|
61 \isacommand{primrec}\isamarkupfalse% |
|
62 \ itrev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline |
|
63 {\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ ys\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline |
|
64 {\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}xs{\isaliteral{29}{\isacharparenright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}% |
|
65 \begin{isamarkuptext}% |
|
66 \noindent |
|
67 The behaviour of \cdx{itrev} is simple: it reverses |
|
68 its first argument by stacking its elements onto the second argument, |
|
69 and returning that second argument when the first one becomes |
|
70 empty. Note that \isa{itrev} is tail-recursive: it can be |
|
71 compiled into a loop. |
|
72 |
|
73 Naturally, we would like to show that \isa{itrev} does indeed reverse |
|
74 its first argument provided the second one is empty:% |
|
75 \end{isamarkuptext}% |
|
76 \isamarkuptrue% |
|
77 \isacommand{lemma}\isamarkupfalse% |
|
78 \ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}% |
|
79 \isadelimproof |
|
80 % |
|
81 \endisadelimproof |
|
82 % |
|
83 \isatagproof |
|
84 % |
|
85 \begin{isamarkuptxt}% |
|
86 \noindent |
|
87 There is no choice as to the induction variable, and we immediately simplify:% |
|
88 \end{isamarkuptxt}% |
|
89 \isamarkuptrue% |
|
90 \isacommand{apply}\isamarkupfalse% |
|
91 {\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}% |
|
92 \begin{isamarkuptxt}% |
|
93 \noindent |
|
94 Unfortunately, this attempt does not prove |
|
95 the induction step: |
|
96 \begin{isabelle}% |
|
97 \ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline |
|
98 \isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}% |
|
99 \end{isabelle} |
|
100 The induction hypothesis is too weak. The fixed |
|
101 argument,~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, prevents it from rewriting the conclusion. |
|
102 This example suggests a heuristic: |
|
103 \begin{quote}\index{generalizing induction formulae}% |
|
104 \emph{Generalize goals for induction by replacing constants by variables.} |
|
105 \end{quote} |
|
106 Of course one cannot do this na\"{\i}vely: \isa{itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs} is |
|
107 just not true. The correct generalization is% |
|
108 \end{isamarkuptxt}% |
|
109 \isamarkuptrue% |
|
110 % |
|
111 \endisatagproof |
|
112 {\isafoldproof}% |
|
113 % |
|
114 \isadelimproof |
|
115 % |
|
116 \endisadelimproof |
|
117 \isacommand{lemma}\isamarkupfalse% |
|
118 \ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}% |
|
119 \isadelimproof |
|
120 % |
|
121 \endisadelimproof |
|
122 % |
|
123 \isatagproof |
|
124 % |
|
125 \begin{isamarkuptxt}% |
|
126 \noindent |
|
127 If \isa{ys} is replaced by \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, the right-hand side simplifies to |
|
128 \isa{rev\ xs}, as required. |
|
129 |
|
130 In this instance it was easy to guess the right generalization. |
|
131 Other situations can require a good deal of creativity. |
|
132 |
|
133 Although we now have two variables, only \isa{xs} is suitable for |
|
134 induction, and we repeat our proof attempt. Unfortunately, we are still |
|
135 not there: |
|
136 \begin{isabelle}% |
|
137 \ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline |
|
138 \isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline |
|
139 \isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ ys% |
|
140 \end{isabelle} |
|
141 The induction hypothesis is still too weak, but this time it takes no |
|
142 intuition to generalize: the problem is that \isa{ys} is fixed throughout |
|
143 the subgoal, but the induction hypothesis needs to be applied with |
|
144 \isa{a\ {\isaliteral{23}{\isacharhash}}\ ys} instead of \isa{ys}. Hence we prove the theorem |
|
145 for all \isa{ys} instead of a fixed one:% |
|
146 \end{isamarkuptxt}% |
|
147 \isamarkuptrue% |
|
148 % |
|
149 \endisatagproof |
|
150 {\isafoldproof}% |
|
151 % |
|
152 \isadelimproof |
|
153 % |
|
154 \endisadelimproof |
|
155 \isacommand{lemma}\isamarkupfalse% |
|
156 \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}% |
|
157 \isadelimproof |
|
158 % |
|
159 \endisadelimproof |
|
160 % |
|
161 \isatagproof |
|
162 % |
|
163 \endisatagproof |
|
164 {\isafoldproof}% |
|
165 % |
|
166 \isadelimproof |
|
167 % |
|
168 \endisadelimproof |
|
169 % |
|
170 \begin{isamarkuptext}% |
|
171 \noindent |
|
172 This time induction on \isa{xs} followed by simplification succeeds. This |
|
173 leads to another heuristic for generalization: |
|
174 \begin{quote} |
|
175 \emph{Generalize goals for induction by universally quantifying all free |
|
176 variables {\em(except the induction variable itself!)}.} |
|
177 \end{quote} |
|
178 This prevents trivial failures like the one above and does not affect the |
|
179 validity of the goal. However, this heuristic should not be applied blindly. |
|
180 It is not always required, and the additional quantifiers can complicate |
|
181 matters in some cases. The variables that should be quantified are typically |
|
182 those that change in recursive calls. |
|
183 |
|
184 A final point worth mentioning is the orientation of the equation we just |
|
185 proved: the more complex notion (\isa{itrev}) is on the left-hand |
|
186 side, the simpler one (\isa{rev}) on the right-hand side. This constitutes |
|
187 another, albeit weak heuristic that is not restricted to induction: |
|
188 \begin{quote} |
|
189 \emph{The right-hand side of an equation should (in some sense) be simpler |
|
190 than the left-hand side.} |
|
191 \end{quote} |
|
192 This heuristic is tricky to apply because it is not obvious that |
|
193 \isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys} is simpler than \isa{itrev\ xs\ ys}. But see what |
|
194 happens if you try to prove \isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ ys}! |
|
195 |
|
196 If you have tried these heuristics and still find your |
|
197 induction does not go through, and no obvious lemma suggests itself, you may |
|
198 need to generalize your proposition even further. This requires insight into |
|
199 the problem at hand and is beyond simple rules of thumb. |
|
200 Additionally, you can read \S\ref{sec:advanced-ind} |
|
201 to learn about some advanced techniques for inductive proofs.% |
|
202 \index{induction heuristics|)}% |
|
203 \end{isamarkuptext}% |
|
204 \isamarkuptrue% |
|
205 % |
|
206 \isadelimtheory |
|
207 % |
|
208 \endisadelimtheory |
|
209 % |
|
210 \isatagtheory |
|
211 % |
|
212 \endisatagtheory |
|
213 {\isafoldtheory}% |
|
214 % |
|
215 \isadelimtheory |
|
216 % |
|
217 \endisadelimtheory |
|
218 \end{isabellebody}% |
|
219 %%% Local Variables: |
|
220 %%% mode: latex |
|
221 %%% TeX-master: "root" |
|
222 %%% End: |
|