Proving Properties of Recursive List Functions September 4, 1997 Proving Properties of Recursive List Functions CS 270 Math Foundations of CS Jeremy Johnson

September 4, 1997 Objective To provide simple semantics for a purely functional subset of racket and to use this semantics to prove properties of racket programs. To use structural induction to prove properties of recursive list functions (append, reverse)

Outline Substitution semantics Structural induction Basic axioms Definitional axiom Equational reasoning Structural induction Proving properties of recursive functions of lists

Substitution Model of Computation September 4, 1997 Substitution Model of Computation function application corresponds to substituting the argument expressions into the formal parameters of the function body Order of evaluation Applicative vs. normal order Termination Church-Rosser

Substitution Example (define (sqr x) (* x x)) September 4, 1997 Substitution Example (define (sqr x) (* x x)) (define (sum-of-squares x y) (+ (sqr x) (sqr y))) (define (f a) (sum-of-squares (+ a 1) (* a 2))) [applicative order] (f 5)  (sum-of-squares (+ 5 1) (* 5 2))  (+ (square 6) (square 10))  (+ (* 6 6) (* 10 10))  (+ 36 100)  136 [normal order]  (+ (square (+ 5 1)) (square (* 5 2)) )  (+ (* (+ 5 1) (+ 5 1)) (* (* 5 2) (* 5 2)))  (+ (* 6 6) (* 10 10))  (+ 36 100)

Order Matters (define (p) (p)) (define (test x y) (if (= x 0) y)) September 4, 1997 Order Matters (define (p) (p)) (define (test x y) (if (= x 0) y)) (test 0 (p))

September 4, 1997 Equational Reasoning Prove equivalence of racket expressions by repeatedly replacing subexpressions by equivalent subexpressions until the two expressions are equal Axioms for built-in functions Definitional axiom Properties of equality

Equality x = y ⇒ (equal? x y) = #t x  y ⇒ (equal? x y) = #f = is an equivalence relation Reflexive x = x Symmetric x = y  y = x Transitive x = y  y = z  x = z (chain together a sequence of equations) Equality Axiom Schema for Functions (x1 = y1 ∧  ∧ xn = yn) ⇒ (f x1  xn) = (f y1  yn) To reason about constants, we can use evaluation

Axioms (first (cons x y)) = x (rest (cons x y)) = y Otherwise null (cons? (cons x y)) = #t Otherwise #f (null? null) = #t x = #f ⇒ (if x y z) = z x  #f ⇒ (if x y z) = y

Contracts ; input-contract ic ; output-contract oc (define (f x1 . . . xn) body) Input contract – input assumptions Output contract – guarantees provided by outputs Body contracts – input contracts must be satisfied for all function calls

Definitional Axiom If the function f is admissible ; input-contract ic ; output-contract oc (define (f x1 . . . xn) body) If the function f is admissible Add definitional axiom for f: ic  [(f x1 . . . xn) = body] Add contract theorem for f: ic  oc

Definitional Principle ; input-contract ic ; output-contract oc (define (f x1 . . . xn) body) The function f is admissible f is a new function (no other axioms about f) xi’s are distinct body is a term, possibly using f, but with no free variables other than xi’s f is terminating ic  oc is a theorem body contracts hold under assumption of ic

Soundness and Termination (define (f x) ;input-contract (natural? x) ;output-contract (natural? (f x)) (+ 1 (f x))) The definitional axiom for f leads to unsound logic (natural? x)  x  x+1 [property of natural numbers] (natural? (f x))  (f x)  (+ 1 (f x)) [instantiate above] (natural? x)  (f x)  (+ 1 (f x)) [from ic  oc] (natural x)  (f x) = (+ 1 (f x)) [from def axiom] (natural x)  #f [from p p = #f]

Structural Induction When using induction on recursively defined data structures like lists you can induct on the size of the data structure = to the number of calls to the constructors. When trying to show a property for a data structure of a given size, you can assume that the property holds when making a recursive call on a smaller data structure. You must make sure that the property holds for all constructors including base cases. With lists (rest …) will return a smaller data structure (at least one fewer cons) Structural induction allows you to induct on the recursive data structure without being explicit about the size provided the IH is applied to smaller objects.

Length Properties ; Input: l is a list ; Output: a non-negative integer = length of l (define (length l) (if (null? l) (+ 1 (length (rest l))) )) Properties (length null) = 0 (length (cons x y)) = (+ 1 (length y))

Proof of Properties of Length (length null) = (if (null? null) 0 (+ 1 (length (rest null)))) (if #t 0 (+ (length (rest null)))) (length (cons x y)) (if (null? (cons x y)) 0 (+ 1 (length (rest (cons x y))))) (if #f 0 (+ 1 (length (rest (cons x y))))) (+ 1 (length (rest (cons x y)))) (+ 1 (length y))

Input Contract ; Input: l is a list ; Output: a non-negative integer = length of l (define (length l) (if (null? l) (+ 1 (length (rest l))) )) (define (list? l) (cond [(null? l) #t] [(cons? l) (list? (rest l))] [else #f]))

Output Contract (define (natural? x) (if (integer? x) (or (> x 0) (= x 0)) #f)) (list? x)  (natural? (length x)) Proof by induction. Base case x = null. (length x) = 0 Assume (list? (rest x))  (natural? (length (rest x))) (natural? (length x)) (natural? (+ 1 (length (rest x)))) (and (natural? 1) (natural? (length (rest x)))) [(rest x) is a list since x is a list, hence, by IH and sum of two natural numbers is natural]

Append ; inputs: x, y are lists ; output: a list whose elements are those of x followed by y (define (append x y) (if (null? x) y (cons (first x) (append (rest x) y)))) Properties (and (list? x) (list? y))  (list? (append x y)) (append null y) = y x  null  (first (append x y)) = (first x) (append x null) = x (length (append x y)) = (+ (length x) (length y)) (append x (append y z)) = (append (append x y) z)

Proof of Property 1 Show (and (list? x) (list? y))  (list? (append x y)) Base case. x = null. (lists? (append null y)) (list? y) [By def of append] #t [By assumption]

Proof of Property 1 Inductive hypothesis (and (list? (rest x)) (list? y)  (list? (append (rest x) y)) Show (and (list? x) (list? y)  (list? (append x y)) (list? (append x y)) (list? (cons (first x) (append (rest x) y)) [By def of app] (list? (append (rest x) y)) [By def of list?] #t [by IH since (list? x)  (list? (rest x))]

Proof of Property 2 (append null y) (if (null? null) y (cons (first x) (append (rest x) y)))) (if #t y (cons (first x) (append (rest x) y)))) y

Proof of Property 3  (null? x)  (first (append x y)) = (first x) (first (if (null? x) y (cons (first x) (append (rest x) y)))) (first (if #f y (cons (first x) (append (rest x) y)))) (first (cons (first x) (append (rest x) y))) (first x)

Proof of Property 4 Show (append x null) = x using structural induction Base case. x = null. In this case, (append null null) returns null = x. By induction assume recursive call satisfies the property [note (rest x) is smaller than x] I.E. (append (rest x) null) = (rest x) Thus (append x null) returns (cons (first x) (rest x)) = x

Proof of Property 5 Show (length (append x y) = (+ (length x) (length y)) using structural induction on x Base case. x = null. (append null y) = y and (length y) = (+ (length null) (length y)) By induction assume recursive call satisfies the property (length (append (rest x) y) = (+ (length (rest x)) (length y)) Thus (length (append x y)) = (length (cons (first x) (append (rest x) y)) = (+ 1 (length (rest x)) + (length y)) = (+ (length x) (length y))

Proof of Property 6 Show (append x (append y z)) = (append (append x y) z) Base case. x = null. (append null (append y z)) = (append y z) = (append (append null y) z) Assume property holds for (rest x) (append (append x y) z) (append (cons (first x) (append (rest x) y)) z) [by def] (cons (first x) (append (append (rest x) y) z)) [by def] (cons (first x) (append (rest x) (append y z))) [by IH] (append (cons (first x) (rest x)) (append y z)) [by def] (append x (append y z)) [by property of cons]

nth (define (nth n L) (cond [ (null? L) null ] [ (= n 1) (first L) ] [else (nth (- n 1) (rest L)) ] )) Properties: Let L be a list of length t with L = (L1 … Lt). (and (list? L) (not (null? L)))  (natural? (nth n L)) 0 < n  t  (nth n L) = Ln n > t  (nth n L) = null.

Specification of Append ; inputs: x, y are lists ; output: see below (define (append x y) (if (null? x) y (cons (first x) (append (rest x) y)))) Output contract (and (list? x) (list? y))  (list? (append x y)) (length (append x y)) = (+ (length x) (length y)) 0 < i  (length x)  (nth i (append x y)) = (nth i x)  (length x) < i  (length x) + (length y)  (nth i (append x y)) = (nth (- i (length x)) y)

Proof Property 3: First Case By induction on n. Base case. i = 1. (nth 1 (append x y)) (first (append x y)) [by def of nth and since n = 1] (first x) [since 0 < i  (length x), x  null, and we can apply property 3 of append] (nth 1 x) [by def of nth working backwards]

Proof of First Case Induction – assume (nth (- i 1) (append x y)) = (nth (- i 1) x) and i>1. (nth i (append x y)) (nth i (if (null? x) y (cons (first x) (append (rest x) y)))) [by def of append] (nth i (cons (first x) (append (rest x) y)))) [by def of null? and if axiom since 0 < (length x), x  null] (nth (- i 1) (rest (cons (first x) (append (rest x) y)))) [by def of nth and i >1.] (nth (- i 1) (append (rest x) y)) [by axiom for cons/rest] (nth (- i 1) (rest x)) [by IH] (nth i (cons (first x) (rest x)) [by def of nth – working backwards] (nth i x) [by axiom for cons/rest]

Proof of Second Case By induction on x. Base case. x = null. Since (length null) = 0, 0 < i  (length y) (nth i (append null y))  (nth i y) [by def of append]

Proof of Second Case Induction – Assume (length z) < i  (length z) + (length y)  (nth i (append z y)) = (nth (- i (length z)) for (size z) < (size x). (nth i (append x y)) (nth i (cons (first x) (append (rest x) y)))) [by def of append since x  null] (nth (- i 1) (rest (cons (first x) (append (rest x) y)))) [by def of nth since 1  (length x) < i] (nth (- i 1) (append (rest x) y)) [by cons/rest axiom] (nth (- (- i 1) (length (rest x))) y) [by IH since (size (rest x)) < (size x)] (nth (- i (length x)) y) [since (length (rest x)) = (length x) – 1]

Reverse (define (reverse l) (if (null? l) null (append (reverse (rest l)) (cons (first l) null)))) Properties (list? l)  (list? (reverse l)) (length (reverse x)) = (length x) (reverse (append x y)) = (append (reverse y) (reverse x)) (reverse (reverse x)) = x Let L = (L1 … Ln) and R = (reverse L). n > 0 . Ri = Ln+1-i

Exercise (define (reverse l) (if (null? l) null (append (reverse (rest l)) (cons (first l) null)))) Prove the following properties of reverse (list? l)  (list? (reverse l)) (length (reverse x)) = (length x) (reverse (append x y)) = (append (reverse y) (reverse x)) (reverse (reverse x)) = x

Proof of Property 2 Show (length (rev x)) = (length x) Base case. x = null. (length (rev null))  (length null) Assume property holds for (rest x) (length (rev x)) (length (append (rev (rest x)) (cons (first x) null))) [def rev] (length (rev (rest x)) + (length (cons (first x) null)) [prop 5 of app] (length (rest x)) + (length (cons (first x) null)) [IH] (length (rest x)) + 1 [evaluation] (length (cons (first x) (rest x)) [prop 2 of length] (length x) [axiom for cons]

Proof of Property 3 Show (rev (append x y)) = (append (rev y) (rev x)) Base case. x = null. (rev (append null y)) = (rev y) = (append (rev y) null) = (append (rev y) (rev null)) Assume property holds for (rest x) (rev (append x y)) (rev (cons (first x) (append (rest x) y)) [def apppend] (append (rev (append (rest x) y)) (cons (first x) null)) [def rev] (append (append (rev y) (rev (rest x))) (cons (first x) null)) [IH] (append (rev y) (append (rev (rest x)) (cons (first x) null))) [prop app] (append (rev y) (rev x)) [def of rev]

Proof of Property 4 Show (rev (rev x)) = x Base case. x = null. (rev (rev null)) = (rev null) = null Assume property holds for (rest x) (rev (rev x)) (rev (append (rev (rest x)) (cons (first x) null))) [def rev] (append (rev (cons (first x) null)) (rev (rev (rest x)))) [property 2 of rev] (append (cons (first x) null) (rev (rev (rest x)))) [def of rev] (append (cons (first x) null) (rest x)) [IH] (cons (first x) (append null (rest x))) [def of app] (cons (first x) (rest x)) = x [def of app and prop of cons]

Proof of Property 5 By induction on n. Base case: n=1. (reverse ‘(L1)) = (append ‘() (cons (first ‘(L1)) null) = ‘(L1) and R1=L1+1-1= L1. Induction Hypothesis Let L’ = (rest L) and R’ = (reverse (rest L)). Note that the length of L’ = n-1 and by property 2 of reverse, the length of R’ = length of L’. R’i = L’n-i. Show Ri = Ln+1-I (reverse L) = (append (reverse L’) (cons L1 null)) [By def of reverse]

Proof of Property 5 Show Ri = Ln+1-I (reverse L) = (append (reverse L’) (cons L1 null)) [By def of reverse] By property 6 of append there are two cases. 0 < i  n-1. Ri = R’i = L’n-i = Ln+1-i. [by IH and since the ith element of L’ is the (i+1)-st element of L] i=n. Rn = L1 = Ln+1-n.