Termination Analysis Math Foundations of Computer Science - PowerPoint Presentation

Slide1

Termination Analysis

Math Foundations of Computer Science

Slide2

TopicsDefinitional principle Soundness and terminationProving termination and measure functionsWell ordering and natural numbers Induction and termination Recursively defined data structuresUndecidability of termination

Slide3

Definitional Axiom(defunc f (x1 . . . xn) :input-contract ic :output-contract ocbody)If the function f is admissible Add definitional axiom for f: ic  [(f x1 . . . xn) = body]Add contract theorem for f: ic  oc

Slide4

Definitional Principle(defunc f (x1 . . . xn) :input-contract ic :output-contract ocbody)The function f is admissible f is a new function (no other axioms about f)xi’s are distinctbody is a term, possibly using f, but with no free variables other than xi’s f is terminatingic  oc is a theorembody contracts hold under assumption of ic

Slide5

Soundness and Global Variables(defunc f (x) :input-contract t :output-contract ty)The definitional axiom for f leads to unsound logic Substituting ((x 0) (y nil)) we get (f 0) = nilSubstituting ((x 0) (y t)) we get (f 0) = tWhich implies t = nil.

Slide6

Soundness and Termination(defunc f(x) :input-contract (natp x) :output-contract (natp (f x))(+ 1 (f x)))The definitional axiom for f leads to unsound logic (natp x)  x  x+1 [property of natural numbers](natp (f x))  (f x)  (+ 1 (f x)) [instantiate above](natp x)  (f x)  (+ 1 (f x)) [from ic  oc](natp x)  (f x) = (+ 1 (f x)) [from def axiom](natp x)  nil [from p p = nil]

Slide7

How do we Prove TerminationFor recursive functions show that the “size” of the inputs get smaller and eventually must hit a base caseSize is defined to be a function to the natural numbersUse the well ordering principle of the natural numbers to conclude that the number of recursive calls can not be infinite

Slide8

Well Ordering of Natural NumbersAny decreasing sequence of natural numbers is finite. I.E. it terminatesThis implies that any non-empty set of natural numbers has a minimum elementInduction works as long as we have termination

Slide9

sum(defunc sum (n) :input-contract (natp n) :output-contract (integerp (sum n))(if (equal n 0) 0 (+ n (sum (- n 1)))))The input to the recursive call (- n 1) is smaller than the input to sum and the decreasing sequence of natural numbers n, n-1, n-2,... must terminate (equal 0) after a finite number of stepsIf (integerp n) this would not be guaranteed

Slide10

app(defunc app (a b) :input-contract (and (listp a) (listp b)) :output-contract (and (listp (app a b))(if (endp a) b (cons (first a) (app (rest a) b))))This is a terminating function. Define the size of l to be (len l).(len l) is a natural number(len (rest l)) < (len l)Implies len must eventually equal zero, i.e. l = nil

Slide11

Measure FunctionsTechnically we measure size with a measure functionA measure function m for the function fm is an admissible function defined over the parameters of fm has the same input contract as fThe output contract for m is (natp (m … ))For every recursive call, m applied to the arguments decreases, under the conditions that led to the recursive call.

Slide12

Example Measure function(defunc app (a b) :input-contract (and (listp a) (listp b)) :output-contract (and (listp (app a b))(if (endp a) b (cons (first a) (app (rest a) b))))(defunc m (x y) :input-contract (and (listp x) (listp y)) :output-contract (natp (m x y))(len x)) (< (m (rest x) y) (m x y)) since (< (len (rest x)) (len x))

Slide13

Induction Depends on TerminationShow that the induction scheme for a non-terminating function can lead to unsoundness even when the definitional axiom does notAlternative proof for the induction principle that shows “termination” front and center

Slide14

General Induction Scheme(defunc foo (x1 . . . xn):input-contract ic:output-contract oc(cond (t1 c1) (t2 c2) . . . (tm cm) (t cm+1)))None of the ci’s should have ifs in them If ci has a recursive call to foo, it is called a recursive case otherwise a base case.

Slide15

General Induction SchemeCase1 = t1 Case2 = t2  t1…Casei = ti  t1    ti-1…Casem+1 = t  t1    tmIf ci is a recursive case with Ri calls to foo with the jth call, 1  j  Ri, obtained by the substitution (foo x1 . . . xn

)|

s

i

j

Slide16

General Induction SchemeTo prove  prove the followingic  [ic  Casei]  For all ci’s that are base cases[ic  Casei  1 i  Ri |sij]   For all ci’s that are recursive cases

Slide17

Induction Scheme for Non-terminating Function(defunc f (x) :input-contract t :output-contract t(f x))The definitional axiom, i.e. (f x) = (f x) is okThe induction scheme for f is unsound(not t)    nil    tt          tUsing this scheme we can derive  for any In particular, we can derive nil

Slide18

Induction Scheme over NaturalsEvery terminating function gives rise to an induction scheme(not (natp n)) ⇒ (natp n) ∧ (equal n 0) ⇒ (natp n) ∧ (not (equal n 0)) ∧ |((n n-1)) ⇒ (1) and (2) are base cases and (3) is the induction hypothesisMore powerful than case analysis since you can use assume the induction hypothesis

Slide19

Proof by ContradictionAssume the conclusion is false and show that that leads to a contradiction.1    n    1    n    F Proof. A  B  C  A  C  B (show this is valid)Apply to (1    n)  T  

Slide20

Why does Induction Work?Suppose we prove the three cases in the induction scheme but  is not valid.Let S be the set of ACL2 objects for which  is false. By (1) and (2), S is a set of natural numbers not equal to 0.Since S is a set of natural numbers it has a smallest element s  0 for which |((n s)). This implies by (3) that |((n s-1)) is false and s-1  S which is a contradiction

Slide21

Non-terminating Function(defunc f (x) :input-contract t :output-contract f(f x))The induction scheme associated with f leads to unsoundness (i.e. we can derive nil)

Slide22

Termination for Recursively Defined Data StructuresFor recursively defined data structures like lists, trees, expression trees, etc. we can use the number of constructors for the sizeNumber of cons’s for listsNumber of nodes for treesNumber of +’s, -’s, *’s and /’s for expression trees

Slide23

23

Boolean Expressions

BExpr :=

Constant: T|F [t | nil]

Variable [symbol]

Negation:  BExpr [(not BExpr)]

And: BExpr  BExpr [(and BExpr BExpr)

Or: BExpr  Bexpr [(or BExpr BExpr)]

Slide24

Predicate(defunc booleanexprp (expr):input-contract t:output-contract (booleanp (booleanexprp expr)) (cond ( (is-constant expr) t ) ( (is-variable expr) t ) ( (is-not expr) (booleanexprp (op1 expr)) ) ( (is-or expr) (and (booleanexprp (op1 expr)) (booleanexprp (op2 expr))) ) ( (is-and expr) (and (booleanexprp (op1 expr)) (booleanexprp (op2 expr))) ) ( t nil) ))

Slide25

Evaluation(defunc bool-eval (expr env) :input-contract (and (booleanexprp expr) (environmentp env) (all-variables-defined expr env)) :output-contract (booleanp (bool-eval expr env)) (cond ( (is-constant expr) expr ) ( (is-variable expr) (lookup expr env) ) ( (is-not expr) (not (bool-eval (op1 expr) env)) ) ( (is-or expr) (or (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ( (is-and expr) (and (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ))

Slide26

Measure Function(defun m (expr env) :input-contract (and (booleanexprp expr) (environmentp env) (all-variables-defined expr env)) :output-contract (natp (m expr env))(cond ( (is-constant expr) 0 ) ( (is-variable expr) 0 ) ( (is-not expr) (+ 1 (m (op expr) env)) ) ( (is-or expr) (+ 1 (m (op1 expr) env) (m (op2 expr) env)) ) ( (is-and expr) (+ 1 (m (op1 expr) env) (m (op2 expr) env)) ) ))

Slide27

Halting ProblemWe can prove that many functions terminateIn general determining if an arbitrary function will terminate is undecidableWhat about the following function?(defun 3np1 (n) (cond ((equal n 1) 1 ) ((evenp n) (3np1 (/ n 2)) ) ((oddp n) (3np1 (+ (* 3 n) 1)) ) ))