#|CS 2800 Homework 6 - Summer 2015This homework is done in groups. The r

1. #|
2.  
3. CS 2800 Homework 6 - Summer 2015
4.  
5. This homework is done in groups. The rules are:
6.  
7. * ALL group members must submit the homework file (this file)
8.  
9. * The file submitted must be THE SAME for all group members (we
10. use this to confirm that alleged group members agree to be
11. members of that group)
12.  
13. * You must list the names of ALL group members below using the
14. format below. If you fail to follow instructions, that costs
15. us time and it will cost you points, so please read carefully.
16.  
17. Names of ALL group members: Thomas Pedbereznak, Sean Johnsen, Brian Roth
18.  
19. Note: There will be a 10 pt penalty if your names do not follow
20. this format.
21.  
22. |#
23.  
24. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
25. ; A -- Conjecture Contract Checking / Contract Completion
26. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
27.  
28. #|
29.  
30. The following conjectures are incomplete (irrespective of whether they are
31. true or false): they are lacking hypotheses that make sure the functions
32. involved are called only on arguments that satisfy the functions' input
33. contracts. Make the conjectures meaningful by adding the necessary contract
34. hypotheses. For example, given a conjecture c, if you think hypotheses h1
35. and h2 (and nothing else) are necessary to ensure the input contracts of
36. all functions occurring in c are satisfied, your output should be
37.  
38. h1 /\ h2 => c
39.  
40. The added hypotheses should be minimal. Therefore:
41.  
42. - do not add any hypotheses that are enforced by the output contracts of
43. the participating functions. For instance, if the expression (f (g x))
44. appears in your conjecture, and g : type1 -> type2 and f : type2 -> type3,
45. then do not add (type2p (g x)) as a hypothesis: this is guaranteed by the
46. output contract of g.
47.  
48. - simplify the conjecture hypotheses as much as possible. In the above
49. example, suppose h1 => h2 is valid (say h1 = (equal x nil) and h2 = (listp x)).
50. Then the conjunction h1 /\ h2 is equivalent to h1 ; thus, simplify your
51. output to
52.  
53. h1 => c
54.  
55. The examples below may contain some unknown functions (whose signature will
56. be provided), and known functions such as + . The input contracts of _all_
57. functions need to be enforced by the hypotheses.
58.  
59. 1. Given
60.  
61. foo: List x List -> List
62. bar: All x List -> List
63.  
64. the conjecture c is
65.  
66. (foo (bar (+ x y) l) z) = (bar (+ y x) (foo l z))
67.  
68. Conjecture with hypotheses:
69.  
70. c1: (rationalp x)
71. c2: (rationapl y)
72. c3: (listp l)
73. c4: (listp z)
74.  
75. (rationalp x) /\ (rationalp y) /\ (listp l) /\ (listp z) => (foo (bar (+ x y) l) z) = (bar (+ y x) (foo l z))
76.  
77. 2. Consider the following two definitions, the first of which gives rise to
78. a recognizer natlistp:
79.  
80. |#
81.  
82. (defdata natlist (listof nat))
83.  
84. (defunc evenlistp (l)
85. :input-contract t
86. :output-contract (booleanp (evenlistp l))
87. (if (listp l)
88. (integerp (/ (len l) 2))
89. nil))
90.  
91. #|
92.  
93. For the following functions we only know the signature:
94.  
95. d: List -> All
96. m: Nat x List -> NatList
97. f: List -> Nat
98. s: EvenList -> List
99.  
100. the conjecture c is
101.  
102. (d (m x l)) = (f (s l))
103.  
104. Conjecture with hypotheses:
105.  
106. c1: (natp x)
107. c2: (evenlistp l)
108.  
109. (natp x) /\ (evenlistp x) => (d (m x l)) = (f (s l))
110.  
111. Now define four functions d, m, f, s (as simple as possible) with the above
112. signatures. The actual outputs of the functions are arbitrary, as long as
113. they satisfy the output contract. For example, for m, you may choose to
114. simply return the constant nil, which is a natlist.
115.  
116. |#
117.  
118. ; d: List -> All
119. (defunc d (l)
120. :input-contract (listp l)
121. :output-contract t
122. 0)
123.  
124. (check= (d nil) 0)
125. (check= (d '(1)) 0)
126. (check= (d '(1 v)) 0)
127. (check= (d '(a b c)) 0)
128.  
129. ; m: Nat x List -> Natlist
130. (defunc m (n l)
131. :input-contract (and (natp n) (listp l))
132. :output-contract (natlistp (m n l))
133. nil)
134.  
135. (check= (m 0 nil) nil)
136. (check= (m 1 '(1)) nil)
137. (check= (m 1 '(a b 1)) nil)
138. (check= (m 11 '(11111)) nil)
139.  
140. ; f: List -> Nat
141. (defunc f (l)
142. :input-contract (listp l)
143. :output-contract (natp (f l))
144. 1)
145.  
146. (check= (f nil) 1)
147. (check= (f '(1)) 1)
148. (check= (f '(2 2)) 1)
149. (check= (f '(24 a b)) 1)
150.  
151. ; s: EvenList -> List
152. (defunc s (el)
153. :input-contract (evenlistp el)
154. :output-contract (listp (s el))
155. nil)
156.  
157. (check= (s nil) nil)
158. (check= (s '(1 2)) nil)
159. (check= (s '(1 1 b 1)) nil)
160. (check= (s '(a b d f g f)) nil)
161.  
162. ; Suppose we want to write a function that tests our conjecture:
163.  
164. (defunc dummy (x l)
165. :input-contract (and (natp x) (evenlistp l))
166. :output-contract (booleanp (dummy x l))
167. (equal (d (m x l)) (f (s l))))
168.  
169. (check= (dummy 1 '(1 1)) nil)
170. (check= (dummy 0 nil) nil)
171. (check= (dummy 2 '(a b c d)) nil)
172. (check= (dummy 8 '(a 1)) nil)
173.  
174. #|
175.  
176. Complete the function definition. That is, replace the first ... with the
177. hypotheses you found, and the second ... with an appropriate output
178. contract. Make sure this definition is accepted by ACL2! Test this function
179. on at least one input.
180.  
181. 3. Given function signatures for d, m, f, s as above in 2, the conjecture c
182. now is
183.  
184. (d (m x l)) = (f (s x))
185.  
186. Conjecture with hypotheses:
187.  
188. c1: (natp x)
189. c2: (listp l)
190. c3: (evenlistp x)
191.  
192. (natp x) /\ (listp l) /\ (evenlistp x) => (d (m x l)) = (f (s x))
193.  
194. Suppose again we want to write a function that tests our conjecture:
195.  
196. |#
197.  
198. (defunc dummy-new (x l)
199. :input-contract (and (listp l) (natp x) (evenlistp x))
200. :output-contract (booleanp (dummy-new x l))
201. (equal (d (m x l)) (f (s x))))
202.  
203. ;(check= (dummy-new nil nil) t)
204.  
205. #|
206.  
207. I wrote this check= and ACL2 yelled at me. This is because the input contract / hypotheses
208. will never be satified because it is impossible for an Any to be a nat and an evenlist at the same time.
209. This makes the conjecture true, due the the fact that we will never get valid input.
210.  
211. |#
212.  
213. #|
214.  
215. Using the same examples for d, m, f, s as above, complete the function
216. definition. That is, replace the first ... with the hypotheses you found,
217. and the second ... with an appropriate output contract. Make sure this
218. definition is accepted by ACL2! Test this function on at least one
219. input. Explain what happens. Is the conjecture true or false?
220.  
221. |#
222.  
223. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
224. ; B -- Equational reasoning
225. ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
226.  
227. #|
228.  
229. The following questions ask for "equational proofs" (the type of proofs we
230. have been doing to far) about ACL2s programs. When writing your proofs be
231. sure to justify each step in the style shown in class. You can use basic
232. arithmetic facts for free, but in the justification write "arithmetic",
233. e.g.,
234.  
235. (first x) + (len (rest x)) + 0
236.  
237. = { Arithmetic }
238.  
239. (len (rest x)) + (first x)
240.  
241. You may use infix notation (like x+y+z) for arithmetic operators (as done
242. above), instead of the LISP style prefix notation (like (+ x (+ y z))).
243.  
244. Here are the common definitions used for the remainder of the questions.
245.  
246. (defunc len (x)
247. :input-contract t
248. :output-contract (natp (len x))
249. (if (atom x)
250. 0
251. (+ 1 (len (rest x)))))
252.  
253. (defunc atom (x)
254. :input-contract t
255. :output-contract (booleanp (atom x))
256. (not (consp a)))
257.  
258. (defunc not (a)
259. :input-contract (booleanp a)
260. :output-contract (booleanp (not a))
261. (if a nil t))
262.  
263. (defunc listp (l)
264. :input-contract t
265. :output-contract (booleanp (listp l))
266. (or (equal l ())
267. (consp l)))
268.  
269. (defunc endp (a)
270. :input-contract (listp a)
271. :output-contract (booleanp (endp a))
272. (not (consp a)))
273.  
274. (defunc twice (l)
275. :input-contract (listp l)
276. :output-contract (listp (twice l))
277. (if (endp l)
278. nil
279. (cons (first l) (cons (first l) (twice (rest l))))))
280.  
281. (defunc app (a b)
282. :input-contract (and (listp a) (listp b))
283. :output-contract (listp (app a b))
284. (if (endp a)
285. b
286. (cons (first a) (app (rest a) b))))
287.  
288. (defunc rev (x)
289. :input-contract (listp x)
290. :output-contract (and (listp (rev x)) (equal (len x) (len (rev x))))
291. (if (endp x)
292. nil
293. (app (rev (rest x)) (list (first x)))))
294.  
295. Recall that for each of the defunc's above we get both a definitional
296. axiom (ic => function application = function body), and a contract
297. theorem (ic => oc). Definitional axioms and contract theorems are there for
298. you to use, as ACL2s has accepted these functions.
299.  
300. For the following claims, run some tests to conjecture whether they are
301. true or false. In the former case, prove them using equational reasoning.
302. In the latter case, disprove them by means of a counterexample. A
303. counterexample is an assignment to ALL free variables in the conjecture
304. that makes the conjecture evaluate to false. Do not give "partial
305. counterexamples" (leaving it to us to complete them).
306.  
307. The Lecture Notes, section "3.1 Testing Conjectures" describes how to test
308. conjectures.
309.  
310. (a)
311.  
312. (implies (listp y)
313. (equal (len (rev (cons x y)))
314. (+ 1 (len (rev y)))))
315.  
316. Hint: output contract of rev. If you make use of that, make sure you quote
317. an appropriate theorem or axiom.
318.  
319.  
320. (test? (implies (listp y)
321. (equal (len (rev (cons x y)))
322. (+ 1 (len (rev y))))))
323.  
324. The test passed, here is the proof:
325.  
326. c1: (listp y)
327. c2: (listp (cons x y)) {c1, Def cons}
328.  
329. (len (rev (cons x y)))
330. = {Contract theorem Rev, c1, c2}
331. (len (cons x y))
332. = {Def len, instantiation}
333. (if (atom (cons x y)) 0 (+ 1 (len (rest (cons x y)))))
334. = {Def atom}
335. (if (not (consp (cons x y))) 0 (+ 1 (len (rest (cons x y)))))
336. = {if axioms, Def not, Def consp, c1, c2}
337. (+ 1 (len (rest (cons x y))))
338. = {first-rest axioms, Def Cons}
339. (+ 1 (len y))
340. = {Contract theorem Rev, c1}
341. (+ 1 (len (rev y)))
342.  
343. LHS = RHS Q.E.D.
344.  
345. (b)
346.  
347.  
348. (implies (and (listp x)
349. (listp y)
350. (listp z))
351. (implies (equal (twice (app x z)) (app (twice x ) (twice z)))
352. (equal (twice (app (cons x y) z)) (app (twice (cons x y)) (twice y)))))
353.  
354. Can be rewriten to:
355.  
356. (implies (and (listp x)
357. (listp y)
358. (listp z)
359. (equal (twice (app x z)) (app (twice x) (twice z))))
360. (equal (twice (app (cons x y) z)) (app (twice (cons x y)) (twice y))))
361.  
362.  
363. (test? (implies (and (listp x)
364. (listp y)
365. (listp z))
366. (implies (equal (twice (app x z)) (app (twice x) (twice z)))
367. (equal (twice (app (cons x y) z)) (app (twice (cons x y)) (twice y))))))
368.  
369.  
370.  
371. ACL2 Showed this conjecture to be false througha counter example.
372.  
373. One such example we will show through instantation:
374.  
375. (equal (twice (app (cons x y) z)) (app (twice (cons x y)) (twice y)))
376. = {Instantation ((x nil) (y nil) (z '(1 2 3)))}
377. (equal (twice (app (cons nil nil) '(1 2 3))) (app (twice (cons nil nil)) (twice nil)))
378. = {Def twice, Def app, if axioms}
379. (equal '(1 1 2 2 3 3) nil)
380. = {Def equal}
381. false
382.  
383.  
384. (c)
385.  
386. (implies (listp x)
387. (and (implies (endp x)
388. (equal (len (twice x))
389. (* 2 (len x))))
390. (implies (and (not (endp x))
391. (equal (len (twice (rest x)))
392. (* 2 (len (rest x)))))
393. (equal (len (twice x))
394. (* 2 (len x))))))
395.  
396.  
397. (test? (implies (listp x)
398. (and (implies (endp x)
399. (equal (len (twice x))
400. (* 2 (len x))))
401. (implies (and (not (endp x))
402. (equal (len (twice (rest x)))
403. (* 2 (len (rest x)))))
404. (equal (len (twice x))
405. (* 2 (len x)))))))
406.  
407. The test passed, here is the proof:
408.  
409. Part 1:
410.  
411. (implies (and (listp x)
412. (endp x))
413. (equal (len (twice x))
414. (* 2 (len x))))
415.  
416. c1: (listp x)
417. c2: (endp x)
418. c3 x = nil {c1, c2, def list, def endp}
419.  
420. (len (twice x))
421. = {Def twice, if axioms, c3}
422. (len nil)
423. = {Def len, if axioms}
424. 0
425. = {Arithmetic}
426. (* 2 0)
427. = {Def len, if axioms}
428. (* 2 (len nil))
429. = {c3}
430. (* 2 (len x))
431.  
432. RHS = LHS
433.  
434. Part 2:
435.  
436. (implies (and (listp x)
437. (not (endp x))
438. (equal (len (twice (rest x)))
439. (* 2 (len (rest x))))))
440.  
441. c1: (listp x)
442. c2: (not (endp x))
443. c3: (equal (len (twice x))
444. (*2 (len x)))
445.  
446.  
447. (len (twice x))
448. = {Def twice, c2}
449. (len (cons (first x) (cons (first x) (twice (rest x)))))
450. = {Def len, cons axiom, def atom, if axioms}
451. (+ 1 (len (cons (first x) (twice (rest x)))))
452. = {Def len, cons axiom, def atom, if axioms}
453. (+ 1 (+ 1 (len (twice (rest x)))))
454. = {Arithmetic}
455. (+ 2 (len (twice (rest x))))
456. = {c3}
457. (+ 2 (* 2 (rest x)))
458. = {Arithmetic}
459. (* 2 (+ 1 (len (rest x))))
460. = {c1, c2, Def len, if axioms, Def atom}
461. (* 2 (len x))
462.  
463. RHS = LHS
464.  
465. (Part 1) /\ (Part 2) == True
466.  
467. Q.E.D.
468.  
469.  
470. |#