Proving Properties of Recursive List Functions CS 270
CS 270 Math Foundations of CS
Jeremy Johnson
Objective
• To provide simple semantics for a purely functional subset of Racket and to use this semantics to prove properties of Racket programs.
• To use structural induction to prove properties of recursive list functions (append, reverse).

Outline
• Example
• Substitution semantics
  - Basic axioms
  - Definitional axiom
  - Equational reasoning
• Structural induction
  - Proving properties of recursive functions of lists

Append

  ; inputs: x, y are lists
  ; output: a list whose elements are those of x followed by y
  (define (append x y)
    (if (null? x)
        y
        (cons (first x) (append (rest x) y))))

• Properties
  1. (append null y) = y
  2. (append x null) = x
(append null y) = y

  (append null y)
  (if (null? null) y (cons (first null) (append (rest null) y)))
  (if #t y (cons (first null) (append (rest null) y)))
  y

(append x null) = x, case x = null

  (append x null)                                               [x = null]
  (if (null? null) null (cons (first null) (append (rest null) null)))
  (if #t null (cons (first null) (append (rest null) null)))
  null = x

(append x null) = x, case x = '(x0)

  (append x null)                                               [x = '(x0)]
  (if (null? '(x0)) null (cons (first '(x0)) (append (rest '(x0)) null)))
  (if #f null (cons (first '(x0)) (append (rest '(x0)) null)))
  (cons x0 (append null null))
  (cons x0 null)
  '(x0)

(append x null) = x, case x = '(x0 x1)

  (append x null)                                               [x = '(x0 x1)]
  (if (null? '(x0 x1)) null (cons (first '(x0 x1)) (append (rest '(x0 x1)) null)))
  (if #f null (cons (first '(x0 x1)) (append (rest '(x0 x1)) null)))
  (cons x0 (append '(x1) null))
  (cons x0 '(x1))
  '(x0 x1)

(append x null) = x, case x = '(x0 x1 x2)

  (append x null)                                               [x = '(x0 x1 x2)]
  (if (null? '(x0 x1 x2)) null (cons (first '(x0 x1 x2)) (append (rest '(x0 x1 x2)) null)))
  (if #f null (cons (first '(x0 x1 x2)) (append (rest '(x0 x1 x2)) null)))
  (cons x0 (append '(x1 x2) null))
  (cons x0 '(x1 x2))
  '(x0 x1 x2)

(append x null) = x, case x = '(x0 x1 x2 x3)
• Show (append x null) = x using structural induction.
• Base case. x = null. In this case, (append null null) returns null = x.
• By induction, assume the recursive call satisfies the property [note that (rest x) is smaller than x]
  - i.e. (append (rest x) null) = (rest x)
• Thus (append x null) returns (cons (first x) (rest x)) = x
Substitution Model of Computation
• Function application corresponds to substituting the argument expressions for the formal parameters in the function body.
• Order of evaluation
  - Applicative vs. normal order
  - Termination
  - Church-Rosser

Substitution Example

  (define (sqr x) (* x x))
  (define (sum-of-squares x y) (+ (sqr x) (sqr y)))
  (define (f a) (sum-of-squares (+ a 1) (* a 2)))

[applicative order: evaluate the arguments, then substitute the values]
  (f 5)
  (sum-of-squares (+ 5 1) (* 5 2))
  (sum-of-squares 6 10)
  (+ (sqr 6) (sqr 10))
  (+ (* 6 6) (* 10 10))
  (+ 36 100)
  136

[normal order: substitute the unevaluated argument expressions, evaluate when needed]
  (f 5)
  (sum-of-squares (+ 5 1) (* 5 2))
  (+ (sqr (+ 5 1)) (sqr (* 5 2)))
  (+ (* (+ 5 1) (+ 5 1)) (* (* 5 2) (* 5 2)))
  (+ (* 6 6) (* 10 10))
  (+ 36 100)
  136

Order Matters

  (define (p) (p))
  (define (test x y) (if (= x 0) 0 y))
  (test 0 (p))
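The Order Matters slide as an added, runnable example (not part of the original slides): in Racket, which uses applicative order, (test 0 (p)) never returns because the argument (p) is evaluated before the body of test runs, while passing a promise and forcing it only where the body needs it behaves like normal order. The second half counts how often an argument expression is evaluated, which is where the duplicated (+ 5 1) in the normal-order trace on the Substitution Example slide comes from. test-lazy, sqr-thunk, sqr-promise, tick and evaluations are names introduced here.

```racket
#lang racket
;; Added example, not from the slides: applicative vs. normal order in Racket.
;; Racket uses applicative order, so the slide's (test 0 (p)) never returns:
;; the argument (p) is evaluated before the body of test runs. Normal order
;; can be simulated by passing a promise and forcing it only where the body
;; needs the value.

(define (p) (p))                              ; the non-terminating procedure from the slide

(define (test x y)                            ; applicative order: y arrives already evaluated
  (if (= x 0) 0 y))

(define (test-lazy x y)                       ; normal-order style: y is a promise
  (if (= x 0) 0 (force y)))

;; (test 0 (p))                               ; loops forever; left commented out

(test-lazy 0 (delay (p)))                     ; 0, and (p) is never evaluated
(test-lazy 1 (delay 42))                      ; 42, the promise is forced here

;; The normal-order trace on the Substitution Example slide substitutes (+ 5 1)
;; twice into (* x x). Counting evaluations shows that duplicated work, and how
;; a memoised promise (call-by-need) avoids it.
(define evaluations 0)                        ; counter introduced for this example
(define (tick v)
  (set! evaluations (add1 evaluations))
  v)

(define (sqr-thunk x) (* (x) (x)))                ; call-by-name: the thunk runs at every use
(define (sqr-promise x) (* (force x) (force x)))  ; call-by-need: forced once, then cached

(set! evaluations 0)
(sqr-thunk (lambda () (tick 6)))              ; 36
evaluations                                   ; 2, like (+ 5 1) appearing twice in the trace

(set! evaluations 0)
(sqr-promise (delay (tick 6)))                ; 36
evaluations                                   ; 1
```

Run the module as a whole; the top-level expressions print their values. Church-Rosser says the orders agree whenever both terminate, which the two sqr variants illustrate (both give 36); the test versus test-lazy pair shows the case where only one order terminates.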
Equational Reasoning
• Prove equivalence of Racket expressions by repeatedly replacing subexpressions by equivalent subexpressions until the two expressions are equal.
• Axioms for built-in functions
• Definitional axiom
• Properties of equality

Equality
• x = y ⇒ (equal? x y) = #t
• x ≠ y ⇒ (equal? x y) = #f
• = is an equivalence relation
  - Reflexive: x = x
  - Symmetric: x = y ⇒ y = x
  - Transitive: x = y ∧ y = z ⇒ x = z (chain together a sequence of equations)
• Equality axiom schema for functions
  - (x1 = y1 ∧ … ∧ xn = yn) ⇒ (f x1 … xn) = (f y1 … yn)
• To reason about constants, we can use evaluation.

Axioms
• (first (cons x y)) = x
• (rest (cons x y)) = y
  - Otherwise null
• (cons? (cons x y)) = #t
  - Otherwise #f
• (null? null) = #t
  - Otherwise #f
• x = #f ⇒ (if x y z) = z
• x ≠ #f ⇒ (if x y z) = y
Contracts

  ; input-contract ic
  ; output-contract oc
  (define (f x1 ... xn) body)

• Input contract – assumptions about the inputs
• Output contract – guarantees provided about the outputs
• Body contracts – the input contracts of all functions called in the body must be satisfied

Definitional Axiom

  ; input-contract ic
  ; output-contract oc
  (define (f x1 ... xn) body)

• If the function f is admissible
  - Add the definitional axiom for f: ic ⇒ [(f x1 ... xn) = body]
  - Add the contract theorem for f: ic ⇒ oc

Definitional Principle

  ; input-contract ic
  ; output-contract oc
  (define (f x1 ... xn) body)

• The function f is admissible if
  - f is a new function (no other axioms about f)
  - the xi are distinct
  - body is a term, possibly using f, but with no free variables other than the xi
  - f is terminating
  - ic ⇒ oc is a theorem
  - body contracts hold under the assumption of ic

Soundness and Termination

  (define (f x)
    ; input-contract (natural? x)
    ; output-contract (natural? (f x))
    (+ 1 (f x)))

• f is not terminating, so its definitional axiom leads to an unsound logic:
  - (natural? x) ⇒ x ≠ x+1                        [property of natural numbers]
  - (natural? (f x)) ⇒ (f x) ≠ (+ 1 (f x))        [instantiate above]
  - (natural? x) ⇒ (f x) ≠ (+ 1 (f x))            [from ic ⇒ oc]
  - (natural? x) ⇒ (f x) = (+ 1 (f x))            [from def axiom]
  - (natural? x) ⇒ #f                             [from p ∧ ¬p = #f]
Structural Induction
• When using induction on recursively defined data structures like lists, you can induct on the size of the data structure, i.e. the number of calls to the constructors.
• When trying to show a property for a data structure of a given size, you can assume that the property holds when making a recursive call on a smaller data structure. You must make sure that the property holds for all constructors, including the base cases.
• With lists, (rest …) returns a smaller data structure (at least one fewer cons).
• Structural induction allows you to induct on the recursive data structure without being explicit about the size, provided the IH is applied only to smaller objects.

Length

  ; Input: l is a list
  ; Output: a non-negative integer = length of l
  (define (length l)
    (if (null? l)
        0
        (+ 1 (length (rest l)))))

• Properties
  1. (length null) = 0
  2. (length (cons x y)) = (+ 1 (length y))

Proof of Properties of Length
• Proof
  - (length null)
    = (if (null? null) 0 (+ 1 (length (rest null))))
    = (if #t 0 (+ 1 (length (rest null))))
    = 0
  - (length (cons x y))
    = (if (null? (cons x y)) 0 (+ 1 (length (rest (cons x y)))))
    = (if #f 0 (+ 1 (length (rest (cons x y)))))
    = (+ 1 (length (rest (cons x y))))
    = (+ 1 (length y))

Input Contract

  ; Input: l is a list
  ; Output: a non-negative integer = length of l
  (define (length l)
    (if (null? l)
        0
        (+ 1 (length (rest l)))))

  (define (list? l)
    (cond [(null? l) #t]
          [(cons? l) (list? (rest l))]
          [else #f]))

Output Contract

  (define (natural? x)
    (if (integer? x) (or (> x 0) (= x 0)) #f))

• (list? x) ⇒ (natural? (length x))
• Proof by induction.
  - Base case x = null. (length x) = 0, and (natural? 0) = #t.
  - Assume (list? (rest x)) ⇒ (natural? (length (rest x))).
  - (natural? (length x))
    = (natural? (+ 1 (length (rest x))))                 [def of length, x ≠ null]
    ⇐ (and (natural? 1) (natural? (length (rest x))))    [the sum of two natural numbers is natural]
    which holds by the IH, since (rest x) is a list when x is a list.
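The input and output contracts that the Contracts, Input Contract and Output Contract slides write as comments, made executable as an added example (not from the original slides) with define/contract from Racket's racket/contract library. list? and natural? are the slides' own definitions; defining them at module level shadows the built-ins, which #lang racket permits. The helper call-with-bad-input is introduced here.

```racket
#lang racket
;; Added example, not from the slides: the input and output contracts that the
;; slides write as comments, made executable with define/contract.
;; (-> list? natural?) states input-contract (list? l) and
;; output-contract (natural? (length l)), checked at run time on every call.

(define (list? l)                      ; slides' definition, shadows the built-in
  (cond [(null? l) #t]
        [(cons? l) (list? (rest l))]
        [else #f]))

(define (natural? x)                   ; slides' definition
  (if (integer? x) (or (> x 0) (= x 0)) #f))

(define/contract (length l)
  (-> list? natural?)
  (if (null? l)
      0
      (+ 1 (length (rest l)))))

(length '(a b c))                      ; 3; both contracts hold on every call, recursive ones included

;; A violated input contract is reported at the call site, with blame, instead
;; of failing later inside the recursion: (list? (cons 1 2)) is #f because the
;; improper list (1 . 2) ends in 2 rather than null.
(define (call-with-bad-input)
  (with-handlers ([exn:fail:contract:blame? exn-message])
    (length (cons 1 2))))

(call-with-bad-input)                  ; the blame message naming the violated contract
```

What define/contract cannot check is termination: the f from the Soundness and Termination slide, written as (define/contract (f x) (-> natural? natural?) (+ 1 (f x))), is accepted by the contract system and simply never returns on any input. That is exactly why the definitional principle requires a termination proof before f and its contract theorem are admitted as axioms.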
Append

  ; inputs: x, y are lists
  ; output: a list whose elements are those of x followed by y
  (define (append x y)
    (if (null? x)
        y
        (cons (first x) (append (rest x) y))))

• Properties
  1. (and (list? x) (list? y)) ⇒ (list? (append x y))
  2. (append null y) = y
  3. x ≠ null ⇒ (first (append x y)) = (first x)
  4. (append x null) = x
  5. (length (append x y)) = (+ (length x) (length y))
  6. (append x (append y z)) = (append (append x y) z)

Proof of Property 1
• Show (and (list? x) (list? y)) ⇒ (list? (append x y))
• Base case. x = null.
  - (list? (append null y))
    = (list? y)    [by def of append]
    = #t           [by assumption]

Proof of Property 1
• Inductive hypothesis: (and (list? (rest x)) (list? y)) ⇒ (list? (append (rest x) y))
• Show (and (list? x) (list? y)) ⇒ (list? (append x y))
  - (list? (append x y))
    = (list? (cons (first x) (append (rest x) y)))   [by def of append]
    = (list? (append (rest x) y))                    [by def of list?]
    = #t                                             [by IH, since (list? x) ⇒ (list? (rest x))]

Proof of Property 2

  (append null y)
  = (if (null? null) y (cons (first null) (append (rest null) y)))
  = (if #t y (cons (first null) (append (rest null) y)))
  = y

Proof of Property 3
• Show x ≠ null ⇒ (first (append x y)) = (first x)

  (first (append x y))
  = (first (if (null? x) y (cons (first x) (append (rest x) y))))
  = (first (if #f y (cons (first x) (append (rest x) y))))         [x ≠ null]
  = (first (cons (first x) (append (rest x) y)))
  = (first x)
Proof of Property 4
• Show (append x null) = x using structural induction.
• Base case. x = null. In this case, (append null null) returns null = x.
• By induction, assume the recursive call satisfies the property [note that (rest x) is smaller than x]
  - i.e. (append (rest x) null) = (rest x)
• Thus (append x null) returns (cons (first x) (rest x)) = x

Proof of Property 5
• Show (length (append x y)) = (+ (length x) (length y)) using structural induction on x.
  - Base case. x = null. (append null y) = y and (length y) = (+ (length null) (length y)).
  - By induction, assume the recursive call satisfies the property:
    (length (append (rest x) y)) = (+ (length (rest x)) (length y))
  - Thus (length (append x y))
    = (length (cons (first x) (append (rest x) y)))
    = (+ 1 (length (append (rest x) y)))
    = (+ 1 (+ (length (rest x)) (length y)))
    = (+ (length x) (length y))

Proof of Property 6
• Show (append x (append y z)) = (append (append x y) z)
  - Base case. x = null. (append null (append y z)) = (append y z) = (append (append null y) z)
  - Assume the property holds for (rest x)
    (append (append x y) z)
    = (append (cons (first x) (append (rest x) y)) z)    [by def]
    = (cons (first x) (append (append (rest x) y) z))    [by def]
    = (cons (first x) (append (rest x) (append y z)))    [by IH]
    = (append (cons (first x) (rest x)) (append y z))    [by def]
    = (append x (append y z))                            [by property of cons]
nth

  (define (nth n L)
    (cond [(null? L) null]
          [(= n 1) (first L)]
          [else (nth (- n 1) (rest L))]))

• Properties: Let L be a list of length t with L = (L_1 … L_t).
  1. (and (list? L) (not (null? L))) ⇒ (natural? (nth n L))
  2. 0 < n ≤ t ⇒ (nth n L) = L_n
  3. n > t ⇒ (nth n L) = null

Specification of Append

  ; inputs: x, y are lists
  ; output: see below
  (define (append x y)
    (if (null? x)
        y
        (cons (first x) (append (rest x) y))))

• Output contract
  1. (and (list? x) (list? y)) ⇒ (list? (append x y))
  2. (length (append x y)) = (+ (length x) (length y))
  3. 0 < i ≤ (length x) ⇒ (nth i (append x y)) = (nth i x)
     (length x) < i ≤ (length x) + (length y) ⇒ (nth i (append x y)) = (nth (- i (length x)) y)
Proof of Property 3: First Case
• By induction on i.
• Base case. i = 1.
  - (nth 1 (append x y))
    = (first (append x y))   [by def of nth, since i = 1]
    = (first x)              [since 0 < i ≤ (length x), x ≠ null, and we can apply property 3 of append]
    = (nth 1 x)              [by def of nth, working backwards]

Proof of First Case
• Induction: assume (nth (- i 1) (append x y)) = (nth (- i 1) x) and i > 1.
  - (nth i (append x y))
    = (nth i (if (null? x) y (cons (first x) (append (rest x) y))))   [by def of append]
    = (nth i (cons (first x) (append (rest x) y)))                   [by def of null? and the if axiom, since 0 < (length x), x ≠ null]
    = (nth (- i 1) (rest (cons (first x) (append (rest x) y))))      [by def of nth, since i > 1]
    = (nth (- i 1) (append (rest x) y))                              [by the axiom for cons/rest]
    = (nth (- i 1) (rest x))                                         [by IH]
    = (nth i (cons (first x) (rest x)))                              [by def of nth, working backwards]
    = (nth i x)                                                      [by the axiom for cons/rest]

Proof of Second Case
• By induction on x.
• Base case. x = null.
  - Since (length null) = 0, 0 < i ≤ (length y).
  - (nth i (append null y)) = (nth i y)   [by def of append]

Proof of Second Case
• Induction: assume (length z) < i ≤ (length z) + (length y) ⇒ (nth i (append z y)) = (nth (- i (length z)) y) for all z with (size z) < (size x).
  - (nth i (append x y))
    = (nth i (cons (first x) (append (rest x) y)))                   [by def of append, since x ≠ null]
    = (nth (- i 1) (rest (cons (first x) (append (rest x) y))))      [by def of nth, since 1 ≤ (length x) < i]
    = (nth (- i 1) (append (rest x) y))                              [by the cons/rest axiom]
    = (nth (- (- i 1) (length (rest x))) y)                          [by IH, since (size (rest x)) < (size x)]
    = (nth (- i (length x)) y)                                       [since (length (rest x)) = (length x) - 1]
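The six properties of append and the nth-based output contract from the Specification of Append slide, checked mechanically as an added example that is not part of the original slides. append, length, list? and nth are the slides' definitions (module-level definitions may shadow Racket's built-ins); lists-of-length, lists-up-to, nth-spec-holds?, append-properties-hold? and check-append-up-to are helpers introduced here. A check over a finite set of lists is evidence that the specification is stated correctly, not a proof; the structural-induction proofs on the slides are what cover all lists.

```racket
#lang racket
;; Added example, not from the slides: the six append properties and the
;; nth-based output contract, checked on every list over {a, b} up to length 3.
;; append, length, list? and nth are the slides' definitions.

(define (append x y)
  (if (null? x) y (cons (first x) (append (rest x) y))))

(define (length l)
  (if (null? l) 0 (+ 1 (length (rest l)))))

(define (list? l)
  (cond [(null? l) #t] [(cons? l) (list? (rest l))] [else #f]))

(define (nth n L)                       ; 1-based; null once n exceeds the length
  (cond [(null? L) null]
        [(= n 1) (first L)]
        [else (nth (- n 1) (rest L))]))

;; Every list of exactly k symbols drawn from alphabet, built with cons.
(define (lists-of-length k alphabet)
  (if (= k 0)
      (list null)
      (for*/list ([a alphabet] [t (lists-of-length (- k 1) alphabet)])
        (cons a t))))

;; Every list of at most k symbols: 1 + 2 + 4 + 8 = 15 lists for k = 3 over {a, b}.
;; foldr with the two-argument append above joins the per-length groups.
(define (lists-up-to k alphabet)
  (foldr append null
         (for/list ([i (in-range (+ k 1))]) (lists-of-length i alphabet))))

;; Output-contract property 3: nth of an append, for both ranges of i.
(define (nth-spec-holds? x y)
  (define lx (length x))
  (for/and ([i (in-range 1 (+ lx (length y) 1))])
    (equal? (nth i (append x y))
            (if (<= i lx) (nth i x) (nth (- i lx) y)))))

;; Properties 1-6 from the Append slide, plus the nth specification.
(define (append-properties-hold? x y z)
  (and (list? (append x y))                                      ; 1
       (equal? (append null y) y)                                ; 2
       (or (null? x) (equal? (first (append x y)) (first x)))    ; 3, guarded by x ≠ null
       (equal? (append x null) x)                                ; 4
       (= (length (append x y)) (+ (length x) (length y)))       ; 5
       (equal? (append x (append y z)) (append (append x y) z))  ; 6
       (nth-spec-holds? x y)))

(define (check-append-up-to k)
  (define ls (lists-up-to k '(a b)))
  (for*/and ([x ls] [y ls] [z ls])
    (append-properties-hold? x y z)))

(check-append-up-to 3)                  ; #t over all 15^3 triples (x, y, z)
```

The guard on property 3 mirrors its hypothesis x ≠ null: for x = null the property says nothing, so the conjunct is vacuously true. If any conjunct were mis-stated, for example dropping the (- i lx) in the second nth case, check-append-up-to returns #f on the first list of length 1, which is the same case the inductive step reasons about.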
Reverse

  (define (reverse l)
    (if (null? l)
        null
        (append (reverse (rest l)) (cons (first l) null))))

• Properties
  1. (list? l) ⇒ (list? (reverse l))
  2. (length (reverse x)) = (length x)
  3. (reverse (append x y)) = (append (reverse y) (reverse x))
  4. (reverse (reverse x)) = x
  5. Let L = (L_1 … L_n) and R = (reverse L), with n > 0. Then R_i = L_{n+1-i}.

Exercise

  (define (reverse l)
    (if (null? l)
        null
        (append (reverse (rest l)) (cons (first l) null))))

• Prove the following properties of reverse
  1. (list? l) ⇒ (list? (reverse l))
  2. (length (reverse x)) = (length x)
  3. (reverse (append x y)) = (append (reverse y) (reverse x))
  4. (reverse (reverse x)) = x
Proof of Property 1
• Show (list? x) ⇒ (list? (rev x))
  - Base case. x = null.
    (list? (rev null)) = (list? null) = #t
  - Assume (list? x) and x ≠ null.
  - IH: (list? (rest x)) ⇒ (list? (rev (rest x)))
  - (list? (rev x))
    = (list? (append (rev (rest x)) (cons (first x) null)))      [def rev]
    ⇐ (list? (rev (rest x))) and (list? (cons (first x) null))   [prop 1 of app]
    ⇐ (list? (rest x)) and (list? (cons (first x) null))         [IH]
    ⇐ (list? (cons (first x) null))                              [(list? x) ⇒ (list? (rest x))]
    = (list? null)                                               [def of list?]
    = #t

Proof of Property 2
• Show (length (rev x)) = (length x)
  - Base case. x = null.
    (length (rev null)) = (length null)
  - Assume the property holds for (rest x)
    (length (rev x))
    = (length (append (rev (rest x)) (cons (first x) null)))   [def rev]
    = (length (rev (rest x))) + (length (cons (first x) null)) [prop 5 of app]
    = (length (rest x)) + (length (cons (first x) null))       [IH]
    = (length (rest x)) + 1                                    [evaluation]
    = (length (cons (first x) (rest x)))                       [prop 2 of length]
    = (length x)                                               [axiom for cons]

Proof of Property 3
• Show (rev (append x y)) = (append (rev y) (rev x))
  - Base case. x = null.
    (rev (append null y)) = (rev y) = (append (rev y) null) = (append (rev y) (rev null))
  - Assume the property holds for (rest x)
    (rev (append x y))
    = (rev (cons (first x) (append (rest x) y)))                           [def append]
    = (append (rev (append (rest x) y)) (cons (first x) null))             [def rev]
    = (append (append (rev y) (rev (rest x))) (cons (first x) null))       [IH]
    = (append (rev y) (append (rev (rest x)) (cons (first x) null)))       [prop 6 of app]
    = (append (rev y) (rev x))                                             [def of rev]

Proof of Property 4
• Show (rev (rev x)) = x
  - Base case. x = null.
    (rev (rev null)) = (rev null) = null
  - Assume the property holds for (rest x)
    (rev (rev x))
    = (rev (append (rev (rest x)) (cons (first x) null)))      [def rev]
    = (append (rev (cons (first x) null)) (rev (rev (rest x)))) [property 3 of rev]
    = (append (cons (first x) null) (rev (rev (rest x))))       [def of rev]
    = (append (cons (first x) null) (rest x))                   [IH]
    = (cons (first x) (append null (rest x)))                   [def of app]
    = (cons (first x) (rest x)) = x                             [def of app and prop of cons]
Proof of Property 5
• By induction on n.
• Base case: n = 1. (reverse '(L_1)) = (append '() (cons (first '(L_1)) null)) = '(L_1), and R_1 = L_{1+1-1} = L_1.
• Induction hypothesis
• Let L' = (rest L) and R' = (reverse (rest L)). Note that the length of L' is n-1 and, by property 2 of reverse, the length of R' equals the length of L'. By the IH, R'_i = L'_{n-i}.
• Show R_i = L_{n+1-i}
• (reverse L) = (append (reverse L') (cons L_1 null))   [by def of reverse]

Proof of Property 5
• Show R_i = L_{n+1-i}
• (reverse L) = (append (reverse L') (cons L_1 null))   [by def of reverse]
• By property 3 of the append specification (nth of an append) there are two cases.
  1. 0 < i ≤ n-1. R_i = R'_i = L'_{n-i} = L_{n+1-i}   [by IH, and since the ith element of L' is the (i+1)-st element of L]
  2. i = n. R_n = L_1 = L_{n+1-n}.
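The five reverse properties, including the positional statement R_i = L_{n+1-i} of property 5, checked as an added example that is not part of the original slides. The inputs are lists with distinct elements, x = (1 2 … m) and y = (m+1 … m+j) for all m and j up to 4, so that property 5 compares genuinely different elements; append, length, nth and reverse are the slides' definitions (module-level definitions may shadow the built-ins), list? is Racket's, and range-list, reverse-properties-hold? and check-reverse-up-to are introduced here.

```racket
#lang racket
;; Added example, not from the slides: the five reverse properties checked on
;; x = (1 2 ... m) and y = (m+1 ... m+j) for all m, j up to 4.
;; Property 5 is checked positionally: (nth i R) = (nth (- (+ n 1) i) L).

(define (append x y)
  (if (null? x) y (cons (first x) (append (rest x) y))))

(define (length l)
  (if (null? l) 0 (+ 1 (length (rest l)))))

(define (nth n L)
  (cond [(null? L) null]
        [(= n 1) (first L)]
        [else (nth (- n 1) (rest L))]))

(define (reverse l)
  (if (null? l)
      null
      (append (reverse (rest l)) (cons (first l) null))))

;; The list (lo lo+1 ... lo+n-1), built with cons; constructed test input.
(define (range-list lo n)
  (if (= n 0) null (cons lo (range-list (+ lo 1) (- n 1)))))

(define (reverse-properties-hold? x y)
  (define n (length x))
  (define R (reverse x))
  (and (list? R)                                                        ; 1
       (= (length R) n)                                                 ; 2
       (equal? (reverse (append x y)) (append (reverse y) (reverse x))) ; 3
       (equal? (reverse R) x)                                           ; 4
       (for/and ([i (in-range 1 (+ n 1))])                              ; 5: R_i = L_{n+1-i}
         (equal? (nth i R) (nth (- (+ n 1) i) x)))))

(define (check-reverse-up-to k)
  (for*/and ([m (in-range (+ k 1))] [j (in-range (+ k 1))])
    (reverse-properties-hold? (range-list 1 m) (range-list (+ m 1) j))))

(check-reverse-up-to 4)                 ; #t
```

Property 5 is stated for n > 0; for the empty list the for/and ranges over no positions and is vacuously true, which is consistent with the slide's hypothesis. Because the elements are distinct, a wrong index such as (nth (- n i) x) is caught already at m = 1, the base case of the proof.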