?

Log in

No account? Create an account
Equivalent unzippers - Lindsey Kuper [entries|archive|friends|userinfo]
Lindsey Kuper

[ website | composition.al ]
[ userinfo | livejournal userinfo ]
[ archive | journal archive ]

Equivalent unzippers [Oct. 21st, 2010|11:50 pm]
Lindsey Kuper
[Tags|]

In an effort to become more familiar with Coq, I've been working my way through the Software Foundations book. So far, it's been more about proving things with Coq than it's been about programming with it (although the distinction is blurry). Yesterday, though, I got to this problem. As the text explains, combine, better known as zip, is a function that takes two lists and combines them into a list of pairs. (For instance, given [0, 1, 3, 18] and [true, false, false, true], it takes those two lists and "zips" them together, producing [(0, true), (1, false), (3, false), (18, true)].)

The problem asks you to do the inverse: given the list of pairs, unzip it to produce the pair of lists. At first, the only way I could think of to do it was with map:

Fixpoint map {X Y: Type} (fn : X -> Y) (lx : list X) : list Y :=
  match lx with
  | [] => []
  | x::tx => fn x :: map fn tx
  end.

Fixpoint split {X Y : Type} (lxy : list (X*Y)) 
          : (list X * list Y) :=
  (map fst lxy, map snd lxy).

Later, I realized that I could do it in one pass provided I have a couple of accumulator arguments:

Fixpoint split' {X Y : Type} (lxy : list (X*Y))
          : (list X * list Y) :=
  let fix f (res1 : list X) (res2 : list Y) (lxy : list (X*Y)) :=
    match lxy with
    | [] => (res1, res2)
    | xy::txy => f (res1 ++ [(fst xy)]) (res2 ++ [(snd xy)]) txy
    end
  in f [] [] lxy.

So, that was fun. But the larger point is that since I'm doing it in Coq, pretty soon I'll be able to do a machine-assisted proof that split and split' are equivalent, not to mention a proof that split (or split') actually is the inverse of combine. That will be even better.

LinkReply

Comments:
[User Picture]From: sstrickl
2010-10-22 07:55 pm (UTC)

Here's the interactions I had with ACL2 at the REPL, which will give you an idea of what that looks like (well, just the theorem proving part), since the rest puts it over the comment limit):

ACL2 !>
(defthm split1-split2
  (equal (split1 l) (split2 l)))

ACL2 Warning [Non-rec] in ( DEFTHM SPLIT1-SPLIT2 ...):  A :REWRITE
rule generated from SPLIT1-SPLIT2 will be triggered only by terms containing
the non-recursive function symbol SPLIT1.  Unless this function is
disabled, this rule is unlikely ever to be used.


This simplifies, using the :definition SPLIT1, to

Goal'
(EQUAL (CONS (STRIP-CARS L) (STRIP-CDRS L))
       (SPLIT2 L)).

Name the formula above *1.

Perhaps we can prove *1 by induction.  Three induction schemes are
suggested by this conjecture.  Subsumption reduces that number to one.

We will induct according to a scheme suggested by (SPLIT2 L).  This
suggestion was produced using the :induction rules SPLIT2, STRIP-CARS
and STRIP-CDRS.  If we let (:P L) denote *1 above then the induction
scheme we'll use is
(AND (IMPLIES (AND (NOT (ENDP L)) (:P (CDR L)))
              (:P L))
     (IMPLIES (ENDP L) (:P L))).
This induction is justified by the same argument used to admit SPLIT2.
When applied to the goal at hand the above induction scheme produces
two nontautological subgoals.

Subgoal *1/2
(IMPLIES (AND (NOT (ENDP L))
              (EQUAL (CONS (STRIP-CARS (CDR L))
                           (STRIP-CDRS (CDR L)))
                     (SPLIT2 (CDR L))))
         (EQUAL (CONS (STRIP-CARS L) (STRIP-CDRS L))
                (SPLIT2 L))).

By the simple :definition ENDP we reduce the conjecture to

Subgoal *1/2'
(IMPLIES (AND (CONSP L)
              (EQUAL (CONS (STRIP-CARS (CDR L))
                           (STRIP-CDRS (CDR L)))
                     (SPLIT2 (CDR L))))
         (EQUAL (CONS (STRIP-CARS L) (STRIP-CDRS L))
                (SPLIT2 L))).

This simplifies, using the :definitions SPLIT2, STRIP-CARS and STRIP-CDRS,
primitive type reasoning and the :rewrite rule CONS-EQUAL, to the following
two conjectures.

Subgoal *1/2.2
(IMPLIES (AND (CONSP L)
              (EQUAL (CONS (STRIP-CARS (CDR L))
                           (STRIP-CDRS (CDR L)))
                     (SPLIT2 (CDR L))))
         (EQUAL (STRIP-CARS (CDR L))
                (CAR (SPLIT2 (CDR L))))).

But simplification reduces this to T, using primitive type reasoning,
the :rewrite rule CAR-CONS and the :type-prescription rules SPLIT2
and STRIP-CDRS.

Subgoal *1/2.1
(IMPLIES (AND (CONSP L)
              (EQUAL (CONS (STRIP-CARS (CDR L))
                           (STRIP-CDRS (CDR L)))
                     (SPLIT2 (CDR L))))
         (EQUAL (STRIP-CDRS (CDR L))
                (CDR (SPLIT2 (CDR L))))).

But simplification reduces this to T, using primitive type reasoning
and the :rewrite rule CDR-CONS.

Subgoal *1/1
(IMPLIES (ENDP L)
         (EQUAL (CONS (STRIP-CARS L) (STRIP-CDRS L))
                (SPLIT2 L))).

By the simple :definition ENDP we reduce the conjecture to

Subgoal *1/1'
(IMPLIES (NOT (CONSP L))
         (EQUAL (CONS (STRIP-CARS L) (STRIP-CDRS L))
                (SPLIT2 L))).

But simplification reduces this to T, using the :definitions SPLIT2,
STRIP-CARS and STRIP-CDRS and the :executable-counterparts of CONS
and EQUAL.

That completes the proof of *1.

Q.E.D.

Summary
Form:  ( DEFTHM SPLIT1-SPLIT2 ...)
Rules: ((:DEFINITION ENDP)
        (:DEFINITION NOT)
        (:DEFINITION SPLIT1)
        (:DEFINITION SPLIT2)
        (:DEFINITION STRIP-CARS)
        (:DEFINITION STRIP-CDRS)
        (:EXECUTABLE-COUNTERPART CONS)
        (:EXECUTABLE-COUNTERPART EQUAL)
        (:FAKE-RUNE-FOR-TYPE-SET NIL)
        (:INDUCTION SPLIT2)
        (:INDUCTION STRIP-CARS)
        (:INDUCTION STRIP-CDRS)
        (:REWRITE CAR-CONS)
        (:REWRITE CDR-CONS)
        (:REWRITE CONS-EQUAL)
        (:TYPE-PRESCRIPTION SPLIT2)
        (:TYPE-PRESCRIPTION STRIP-CDRS))
Warnings:  Non-rec
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 SPLIT1-SPLIT2
ACL2 !>
(Reply) (Parent) (Thread)