CSU2800 Lecture Notes 25 Oct 2010 (Adapted from Peter D)
Today, I will introduce a higher-level proof notation so that we don't
get bogged down in the details of complete formal proofs, but we should
be sure that each step we make could be filled in with a formal proof.
We will consider an example problem and use this definition
(defun app (x y)
(if (endp x)
y
(cons (car x)
(app (cdr x) y))))
which introduces the axiom
(equal (app x y)
(if (endp x)
y
(cons (car x)
(app (cdr x) y))))
We will also use these axioms:
; Consp-nil
(equal (consp nil)
nil)
; Consp-cons
(equal (consp (cons a b))
t)
; Car-cons
(equal (car (cons a b))
a)
; Cdr-cons
(equal (cdr (cons a b))
b)
; If-true
(implies x
(equal (if x y z)
y))
; If-false
(equal (if nil y z)
z)
Prove
(equal (app (cons a b) c)
(cons a (app b c)))
We will prove this by working backwards--starting with the original conjecture
and iteratively reduce the conjecture to simpler and simpler formulas. When
I write
<=
I am indicating that we can conclude the top formula from the bottom one by
some axioms and rules of inference. I describe with ones I used in the
curly braces. However, instantiation and equals for equals are going to be
used so often, that they don't really need to be mentioned, except when the
particular instantiation might be unclear.
(equal (app (cons a b) c)
(cons a (app b c)))
<= { Defn of APP }
(equal (if (endp (cons a b))
c
(cons (car (cons a b))
(app (cdr (cons a b)) c)))
(cons a (app b c)))
<= { Defn of ENDP, Car-cons, Cdr-cons }
(equal (if (not (consp (cons a b)))
c
(cons a (app b c)))
(cons a (app b c)))
<= { Consp-cons }
(equal (if (not t)
c
(cons a (app b c)))
(cons a (app b c)))
<= { Evaluate (not t) }
(equal (if nil
c
(cons a (app b c)))
(cons a (app b c)))
<= { If axiom }
(equal (cons a (app b c))
(cons a (app b c)))
<= { Equality axiom }
t
So now we have shown that in the current theory, T implies our original
conjecture. Recall from boolean logic that true -> p is the same as p.
Thus, if true -> p is true, p is true.
Note that in there, I appealed to a new rule of inference we can use:
Execution (or Evaluation). Suppose we want to prove that 1999 is a prime
number. If we have defined a predicate for prime numbers, PRIMEP, that
would be
(primep 1999)
But this conjecture has no free variables, we could determine whether
it is always true or not by just evaluating it. In fact, if we give
ACL2
(thm (primep 1999))
then it will prove it by evaluation. So if we encounter part of a
formula with no free variables, we can evaluate it to get it in its
simplest form. For example, we can evaluate (not t) to get nil.
It turns out we can adopt another strategy to prove the same theorem
above,
(equal (app (cons a b) c)
(cons a (app b c)))
by utilizing something we know about equality. ACL2 has axioms
(implies (and (equal a b) (Transitivity of equality)
(equal b c))
(equal a c))
(implies (equal a b) (Symmetry of equality)
(equal b a))
So in fact, if we show that (app (cons a b) c) is equal something,
which is equal to something, ..., which is equal to (cons a (app b c)),
then we know that (app (cons a b) c) equals (cons a (app b c)).
Here's how that proof would go:
(app (cons a b) c)
= { Defn of APP }
(if (endp (cons a b))
c
(cons (car (cons a b))
(app (cdr (cons a b)) c)))
= { Defn of ENDP, Car-cons, Cdr-cons }
(if (not (consp (cons a b)))
c
(cons a (app b c)))
= { Consp-cons }
(if (not t)
c
(cons a (app b c)))
= { Evaluate (not t) }
(if nil
c
(cons a (app b c)))
= { If axiom }
(cons a (app b c))
That allows us to conclude (app (cons a b) c) equals (cons a (app b c)).
Now let us prove
(implies (endp x)
(equal (app (app x y) z)
(app x (app y z))))
You might recognize the
(equal (app (app x y) z)
(app x (app y z)))
part as an associativity property. So we are proving a special case of the
associativity of APP.
Notice we are proving an equality, but an equality that is within an
implication (implies). The way we will typically prove an implies is to
make the hypotheses of the implication assumptions and use those in proving
the conclusion. Since in this case the conclusion is an equality, we will
follow our method of proving equalities. But first, let's write our
assumptions:
Assumptions: (endp x)
Then we would start by figuring out what
(app (app x y) z)
is equal to, etc. But let's talk a little more about assumptions & lemmas
first.
Lemma: a theorem (which might be an axiom) that is used in another proof.
Assumption: a formula that we assume is true in proving something concerning
the same variables.
The key difference is that when an assumption refers to a variable such as
x, that must refer to the same x as in the formula we're proving--if it has
an x. For example, in the proof we're about to work on, the (endp x)
assumption is clearly not a theorem--because it's not true for all x--but we
can use it as an assumption in showing
(equal (app (app x y) z)
(app x (app y z)))
so that we can overall conclude that that formula is true under the assumption:
(implies (endp x)
(equal (app (app x y) z)
(app x (app y z))))
On the other hand, a lemma such as
(equal (endp x)
(not (consp x)))
holds for all x. Thus,
THE PRACTICAL DIFFERENCE BETWEEN ASSUMPTIONS AND LEMMAS IS THAT WE CAN
INSTANTIATE LEMMAS BUT NOT ASSUMPTIONS.
So we can use an instantiation of the ENDP definitions, such as
(equal (endp (cons a b))
(not (consp (cons a b))))
but we cannot instantiate the assumption (endp x) to conclude
(endp (cons a b))
because that would allow us to conclude NIL, which (if you know your
boolean logic well enough) would allow us to use propositional deduction to
conclude anything! (false -> anything is true. Thus, it's valid to
deduce anything from NIL.)
Let's end the digression and get back to solving the problem:
Assumptions: (endp x)
(app (app x y) z)
= { Defn of APP }
(app (if (endp x)
y
(cons (car x) (app (cdr x) y)))
z)
= { Assumption (endp x) & IF axiom }
(app y z)
At this point, there doesn't seem to be much to do, because if we open up the
definition of this APP, we would need to know something about y to make
progress. It turns out it's possible for us to complete the proof from here,
but it would involve going from something simple to something more
complicated, which is unnatural. Let us now work from the other side of the
conjectured equality, with the same assumption:
(app x (app y z))
= { Defn of APP } ; Be sure you use the right instantiation!
(if (endp x)
(app y z)
(cons (car x)
(app (cdr x) (app y z))))
= { Assumption (endp x) & IF axiom }
(app y z)
Ok. To complete the proof, I will connect the dots:
(implies (endp x)
(and (equal (app (app x y) z) ; first equality proof above
(app y z))
(equal (app x (app y z)) ; second equality proof above
(app y z))))
=> { Equality }
(implies (endp x)
(equal (app (app x y) z)
(app x (app y z))))
=============================================================================
Now for another proof:
(implies (and (consp x)
(equal (app (app (cdr x) y) z)
(app (cdr x) (app y z))))
(equal (app (app x y) z)
(app x (app y z))))
Assumptions: (consp x)
(equal (app (app (cdr x) y) z)
(app (cdr x) (app y z))))
Start with left side of equality:
(app (app x y) z)
= { Defn APP }
(app (if (endp x)
y
(cons (car x)
(app (cdr x) y)))
z)
= { Defn endp }
(app (if (not (consp x))
y
(cons (car x)
(app (cdr x) y)))
z)
= { Assumption (consp x), Not, IF axiom }
(app (cons (car x)
(app (cdr x) y))
z)
Now we will leave that as is and work on the right side of the equality:
(app x (app y z))
= { Defn APP }
(if (endp x)
(app y z)
(cons (car x)
(app (cdr x) (app y z))))
= { Defn endp }
(if (not (consp x))
(app y z)
(cons (car x)
(app (cdr x) (app y z))))
= { Assumption (consp x), Not, IF axiom }
(cons (car x)
(app (cdr x) (app y z)))
= { Assumption (equal (app (app ...)) (app (cdr ...))) }
(cons (car x)
(app (app (cdr x) y) z))
Now how to we show that
(app (cons (car x)
(app (cdr x) y)) z)
is equal to
(cons (car x)
(app (app (cdr x) y) z))
thus making (app x (app y z)) equal to (app (app x y) z) under the assumptions?
Do you recall us proving that
(equal (app (cons a b) c)
(cons a (app b c)))
? Let us call this theorem Lemma 1. We can use an instance of this to
finish:
(cons (car x)
(app (app (cdr x) y) z))
= { Lemma 1 }
(app (cons (car x)
(app (cdr x) y)) z)
Now under the assumptions, we have shown
(equal (app (app x y) z)
(app (cons (car x)
(app (cdr x) y)) z))
and
(equal (app x (app y z))
(app (cons (car x)
(app (cdr x) y)) z))
Therefore,
(implies (and (consp x)
(equal (app (app (cdr x) y) z)
(app (cdr x) (app y z))))
(equal (app (app x y) z)
(app x (app y z))))