--> ========================================================== --> Proof scores for verifications of properties --> eq rev1(rev1(L:List) = L . --> eq rev1(L:List) = rev2(L) . --> kf151028 --> ========================================================== --> ========================================================== --> elements with equality predicate mod* TRIV= { [Elt] op _=_ : Elt Elt -> Bool {comm} . } --> ========================================================== --> parametrized list (i.e. generic list) mod! LIST (X :: TRIV=) { [List] op nil : -> List {constr} . op _|_ : Elt.X List -> List {constr} . -- variables declaration vars L L1 L2 : List . vars E1 E2 : Elt . -- equality on the sort List eq (nil = (E2 | L2)) = false . eq ((E1 | L1) = (E2 | L2)) = (E1 =.X E2) and (L1 = L2) . } --> ========================================================== --> append _@_ over List mod! LIST@(X :: TRIV=) { pr(LIST(X)) -- append operation over List op _@_ : List List -> List . var E : Elt . vars L1 L2 : List . eq [@1]: nil @ L2 = L2 . eq [@2]: (E | L1) @ L2 = E | (L1 @ L2) . } --> ========================================================== --> Property of LIST@: _@_ is associative (@assoc) --> eq[@assoc]: (L1:List @ L2:List) @ L3:List --> = L1 @ (L2 @ L3) . --> ========================================================== -- Proof: By induction on L1 --> I Induction Base select LIST@ . red (nil @ `l2:List) @ `l3:List = nil @ (`l2 @ `l3) . --> II Induction Step open LIST@ . -- induction hypothesis, op l1 : -> List . eq (l1 @ L2:List) @ L3:List = l1 @ (L2 @ L3) . -- check red ((`e:Elt | l1) @ `l2:List) @ `l3:List = (`e:Elt | l1) @ (`l2 @ `l3) . close --> QED --> ========================================================== --> ========================================================== --> Property of LIST@: --> nil is right-identity of _@_ (@ri) --> eq[@ri]: L:List @ nil = L . --> ========================================================== -- Proof: By induction on L --> I Induction Base select LIST@ . red (nil @ nil) = nil . --> II Induction Step open LIST@ . -- induction hypothesis op l : -> List . eq (l @ nil) = l . -- check red (`e:Elt | l) @ nil = (`e | l) . close --> QED --> ========================================================== --> ========================================================== --> LIST with associative append _@_ mod! LIST@a(X :: TRIV=) { pr(LIST(X)) -- notice that associativity {assoc} -- and right identity [@ri] are already proved op _@_ : List List -> List {assoc} . vars L1 L2 : List var E : Elt.X eq [@1]: nil @ L2 = L2 . eq [@2]: (E | L1) @ L2 = E | (L1 @ L2) . -- nil is right identity of _@_; already proved eq [@ri]: L1 @ nil = L1 . } --> ========================================================== --> LIST with reverse operations mod! LISTrev(X :: TRIV=) { pr(LIST@a(X)) -- variables vars L L1 L2 : List var E : Elt.X -- one argument reverse operation op rev1 : List -> List . eq rev1(nil) = nil . eq rev1(E | L) = rev1(L) @ (E | nil) . -- two arguments reverse operation op rev2 : List -> List . -- auxiliary function for rev2 op sr2 : List List -> List . eq rev2(L) = sr2(L,nil) . eq sr2(nil,L2) = L2 . eq sr2(E | L1,L2) = sr2(L1,E | L2) . } --> ========================================================== --> Property of LISTrev: --> rev1 distributes over _@_ reversely (rev1@) --> eq[rev1@]: rev1(L1:List @ L2:List) = rev1(L2) @ rev1(L1) . --> ========================================================== -- Proof: By induction on L1 --> I Induction Base select LISTrev . red rev1(nil @ `l2:List) = rev1(`l2) @ rev1(nil) . --> II Induction Step open LISTrev . -- induction hypothesis op l1 : -> List . eq rev1(l1 @ L2:List) = rev1(L2) @ rev1(l1) . -- check red rev1((`e:Elt | l1) @ `l2:List) = rev1(`l2) @ rev1(`e | l1) . close --> QED --> ========================================================== --> ========================================================== --> Property of LISTrev: --> rev1(rev1(_)) is identity function (rev1rev1) --> eq[rev1rev1]: rev1(rev1(L:List) = L . --> ========================================================== -- Proof: By induction on L --> I Induction Base select LISTrev . red rev1(rev1(nil)) = nil . --> II Induction Step open LISTrev . -- proved property eq[rev1@]: rev1(L1:List @ L2:List) = rev1(L2) @ rev1(L1) . -- induction hypothesis op l : -> List . eq rev1(rev1(l)) = l . -- check red rev1(rev1(`e:Elt | l)) = (`e | l) . close --> QED --> ========================================================== --> ========================================================== --> Property of LISTrev: sr2 with _@_ (sr2@) --> eq[sr2@]: sr2(L1:List,L2:List) @ L3:List --> = sr2(L1,L2 @ L3) . --> ========================================================== -- Proof: By induction on L1 --> I Base case select LISTrev . red sr2(nil,`l2:List) @ `l3:List = sr2(nil,`l2 @ `l3) . --> II Induction case open LISTrev . -- induction hypothesis op l1 : -> List . eq sr2(l1,L2:List) @ L3:List = sr2(l1,L2 @ L3) . -- check red sr2(`e:Elt | l1,`l2:List) @ `l3:List = sr2((`e | l1),`l2 @ `l3) . close --> QED --> ========================================================== --> ========================================================== --> Property of LISTrev: rev1 = rev2 (rev1=rev2) --> eq[rev1=rev2]: rev1(L:List) = rev2(L) . --> ========================================================== -- Proof: By induction on L --> I Induction Base select LISTrev . red rev1(nil) = rev2(nil) . --> II Induction Step open LISTrev . -- already proved property eq[sr2@]: sr2(L1:List,L2:List) @ L3:List = sr2(L1,L2 @ L3) . -- induction hypothesis op l : -> List . eq rev1(l) = rev2(l) . -- check red rev1(`e:Elt | l) = rev2(`e | l) . close --> QED --> ========================================================== -- ========================================================== -- end -- ==========================================================