%

 \begin{isabellebody}%

 \def\isabellecontext{Itrev}%

 %

 \isamarkupsection{Induction Heuristics%

 }

 %

 \begin{isamarkuptext}%

 \label{sec:InductionHeuristics}

 The purpose of this section is to illustrate some simple heuristics for

 inductive proofs. The first one we have already mentioned in our initial

 example:

 \begin{quote}

 \emph{Theorems about recursive functions are proved by induction.}

 \end{quote}

 In case the function has more than one argument

 \begin{quote}

 \emph{Do induction on argument number $i$ if the function is defined by

 recursion in argument number $i$.}

 \end{quote}

 When we look at the proof of \isa{{\isachardoublequote}{\isacharparenleft}xs\ {\isacharat}\ ys{\isacharparenright}\ {\isacharat}\ zs\ {\isacharequal}\ xs\ {\isacharat}\ {\isacharparenleft}ys\ {\isacharat}\ zs{\isacharparenright}{\isachardoublequote}}

 in \S\ref{sec:intro-proof} we find (a) \isa{{\isacharat}} is recursive in

 the first argument, (b) \isa{xs} occurs only as the first argument of

 \isa{{\isacharat}}, and (c) both \isa{ys} and \isa{zs} occur at least once as

 the second argument of \isa{{\isacharat}}. Hence it is natural to perform induction

 on \isa{xs}.

 The key heuristic, and the main point of this section, is to

 generalize the goal before induction. The reason is simple: if the goal is

 too specific, the induction hypothesis is too weak to allow the induction

 step to go through. Let us illustrate the idea with an example.

 Function \isa{rev} has quadratic worst-case running time

 because it calls function \isa{{\isacharat}} for each element of the list and

 \isa{{\isacharat}} is linear in its first argument.  A linear time version of

 \isa{rev} reqires an extra argument where the result is accumulated

 gradually, using only \isa{{\isacharhash}}:%

 \end{isamarkuptext}%

 \isacommand{consts}\ itrev\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequote}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequote}\isanewline

 \isacommand{primrec}\isanewline

 {\isachardoublequote}itrev\ {\isacharbrackleft}{\isacharbrackright}\ \ \ \ \ ys\ {\isacharequal}\ ys{\isachardoublequote}\isanewline

 {\isachardoublequote}itrev\ {\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ ys\ {\isacharequal}\ itrev\ xs\ {\isacharparenleft}x{\isacharhash}ys{\isacharparenright}{\isachardoublequote}%

 \begin{isamarkuptext}%

 \noindent

 The behaviour of \isa{itrev} is simple: it reverses

 its first argument by stacking its elements onto the second argument,

 and returning that second argument when the first one becomes

 empty. Note that \isa{itrev} is tail-recursive, i.e.\ it can be

 compiled into a loop.

 Naturally, we would like to show that \isa{itrev} does indeed reverse

 its first argument provided the second one is empty:%

 \end{isamarkuptext}%

 \isacommand{lemma}\ {\isachardoublequote}itrev\ xs\ {\isacharbrackleft}{\isacharbrackright}\ {\isacharequal}\ rev\ xs{\isachardoublequote}%

 \begin{isamarkuptxt}%

 \noindent

 There is no choice as to the induction variable, and we immediately simplify:%

 \end{isamarkuptxt}%

 \isacommand{apply}{\isacharparenleft}induct{\isacharunderscore}tac\ xs{\isacharcomma}\ simp{\isacharunderscore}all{\isacharparenright}%

 \begin{isamarkuptxt}%

 \noindent

 Unfortunately, this is not a complete success:

 \begin{isabelle}%

 \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}a\ list{\isachardot}\isanewline

 \isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }itrev\ list\ {\isacharbrackleft}{\isacharbrackright}\ {\isacharequal}\ rev\ list\ {\isasymLongrightarrow}\ itrev\ list\ {\isacharbrackleft}a{\isacharbrackright}\ {\isacharequal}\ rev\ list\ {\isacharat}\ {\isacharbrackleft}a{\isacharbrackright}%

 \end{isabelle}

 Just as predicted above, the overall goal, and hence the induction

 hypothesis, is too weak to solve the induction step because of the fixed

 argument, \isa{{\isacharbrackleft}{\isacharbrackright}}.  This suggests a heuristic:

 \begin{quote}

 \emph{Generalize goals for induction by replacing constants by variables.}

 \end{quote}

 Of course one cannot do this na\"{\i}vely: \isa{itrev\ xs\ ys\ {\isacharequal}\ rev\ xs} is

 just not true --- the correct generalization is%

 \end{isamarkuptxt}%

 \isacommand{lemma}\ {\isachardoublequote}itrev\ xs\ ys\ {\isacharequal}\ rev\ xs\ {\isacharat}\ ys{\isachardoublequote}%

 \begin{isamarkuptxt}%

 \noindent

 If \isa{ys} is replaced by \isa{{\isacharbrackleft}{\isacharbrackright}}, the right-hand side simplifies to

 \isa{rev\ xs}, just as required.

 In this particular instance it was easy to guess the right generalization,

 but in more complex situations a good deal of creativity is needed. This is

 the main source of complications in inductive proofs.

 Although we now have two variables, only \isa{xs} is suitable for

 induction, and we repeat our above proof attempt. Unfortunately, we are still

 not there:

 \begin{isabelle}%

 \ {\isadigit{1}}{\isachardot}\ {\isasymAnd}a\ list{\isachardot}\isanewline

 \isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }itrev\ list\ ys\ {\isacharequal}\ rev\ list\ {\isacharat}\ ys\ {\isasymLongrightarrow}\isanewline

 \isaindent{\ {\isadigit{1}}{\isachardot}\ \ \ \ }itrev\ list\ {\isacharparenleft}a\ {\isacharhash}\ ys{\isacharparenright}\ {\isacharequal}\ rev\ list\ {\isacharat}\ a\ {\isacharhash}\ ys%

 \end{isabelle}

 The induction hypothesis is still too weak, but this time it takes no

 intuition to generalize: the problem is that \isa{ys} is fixed throughout

 the subgoal, but the induction hypothesis needs to be applied with

 \isa{a\ {\isacharhash}\ ys} instead of \isa{ys}. Hence we prove the theorem

 for all \isa{ys} instead of a fixed one:%

 \end{isamarkuptxt}%

 \isacommand{lemma}\ {\isachardoublequote}{\isasymforall}ys{\isachardot}\ itrev\ xs\ ys\ {\isacharequal}\ rev\ xs\ {\isacharat}\ ys{\isachardoublequote}%

 \begin{isamarkuptext}%

 \noindent

 This time induction on \isa{xs} followed by simplification succeeds. This

 leads to another heuristic for generalization:

 \begin{quote}

 \emph{Generalize goals for induction by universally quantifying all free

 variables {\em(except the induction variable itself!)}.}

 \end{quote}

 This prevents trivial failures like the above and does not change the

 provability of the goal. Because it is not always required, and may even

 complicate matters in some cases, this heuristic is often not

 applied blindly.

 The variables that require generalization are typically those that 

 change in recursive calls.

 A final point worth mentioning is the orientation of the equation we just

 proved: the more complex notion (\isa{itrev}) is on the left-hand

 side, the simpler one (\isa{rev}) on the right-hand side. This constitutes

 another, albeit weak heuristic that is not restricted to induction:

 \begin{quote}

   \emph{The right-hand side of an equation should (in some sense) be simpler

     than the left-hand side.}

 \end{quote}

 This heuristic is tricky to apply because it is not obvious that

 \isa{rev\ xs\ {\isacharat}\ ys} is simpler than \isa{itrev\ xs\ ys}. But see what

 happens if you try to prove \isa{rev\ xs\ {\isacharat}\ ys\ {\isacharequal}\ itrev\ xs\ ys}!

 In general, if you have tried the above heuristics and still find your

 induction does not go through, and no obvious lemma suggests itself, you may

 need to generalize your proposition even further. This requires insight into

 the problem at hand and is beyond simple rules of thumb.  You

 will need to be creative. Additionally, you can read \S\ref{sec:advanced-ind}

 to learn about some advanced techniques for inductive proofs.%

 \end{isamarkuptext}%

 \end{isabellebody}%

 %%% Local Variables:

 %%% mode: latex

 %%% TeX-master: "root"

 %%% End: