Prove that it is enough to make at most 5 comparisons in order to merge two sorted sequences of lengths 2 and 5.
Suppose the input arrays are [a b c d e] and [x y]
We start by trying to insert x into the larger array. We do binary search but we take a chance: We don't start in the middle but slightly to the left: We check x < b.
If we're lucky x falls in the left (smaller) part of the array and we can compare x < a to figure out if the result should start with x a or a x. We then have 3 comparisons left for y which is sufficient to do a binary search.
If we're unlucky x falls in the right (larger) part of the array. In other words x should be in c d e. We continue the binary search by checking x < d.
If we're lucky this is false, because we then know that the result starts with a b c d and we can then check x < e and y < e to figure out the order of the last three elements.
If this is true, we check x < c to figure out if the sequence should start with a b c x or a b x. We then have 2 comparisons left which is enough to do a binary search for y since we know that it should be to the right of x.
This is of course just an outline of a solution and not a formal proof. However, it can easily be transformed to a formal proof using Hoare logic. It would look as follows:
{ a ≤ b ≤ c ≤ d ≤ e ∧ x ≤ y }
if (x < b) {
{ a ≤ b ≤ c ≤ d ≤ e ∧ x ≤ y ∧ x < b }
if (x < a) {
...
} else {
...
}
} else {
{ a ≤ b ≤ c ≤ d ≤ e ∧ x ≤ y ∧ b ≤ x }
if (x < d) {
...
} else {
...
}
}
Related
Suppose I already defined floor (from R to Z). Now I want to prove that n <= x implies n <= floor(x), where n : Z, x : R.
I tried:
Lemma l: forall (n:Z) (x:R), (IZR n) <= x -> n <= (floor x).
but I'm getting the error The term n has type Z while it is expected to have type R.
How should I write this? Is there a way that I can use <= for Z and R simultaneously?
In order to override the default interpretation of a notation, you can open a notation scope locally using %key:
Lemma l : forall n x, (IZR n <= x)%R -> (n <= floor x)%Z.
I have two natural numbers a & b. Third number is c which is greater or equal to b (c>=b). Now have following conditions for a & b and want to prove
c greater than a.
a < b->
c >= a->
c > a.
If you know c >= b and b > a then it's only logical that c > a. This kind of reasoning is easily taken care of by the lia tactic, which automates reasoning about linear integer arithmetic.
From Coq Require Import Lia.
Goal forall a b c : nat, a < b -> b <= c -> a <= c.
Proof.
intros.
lia.
Qed.
Suppose we have:
Require Import ZArith Program Omega.
Open Scope Z_scope.
Definition Z_to_nat (z : Z) (p : 0 <= z) : nat.
Proof.
dependent destruction z.
- exact (0%nat).
- exact (Pos.to_nat p).
- assert (Z.neg p < 0) by apply Zlt_neg_0.
contradiction.
Qed.
Now I would like to formulate something like this:
Lemma Z_to_nat_pred : forall x y p p', (Z_to_nat x p <= Z_to_nat y p')%nat <-> x <= y.
This doesn't seem quite right to me, because in x <= y, I can have negative x, y, and then I won't have proofs about their positivity. All in all, the dependent Z_to_nat seems extremely difficult to use. How does one formulate that it suffices to show x <= y to conclude (Z_to_nat x p <= Z_to_nat y p')%nat and the other way around?
I've given it a bash to inspect the way I could formulate the proof (although I am fairly sure it can't be proven with this formulation).
I've tried:
Lemma Z_to_nat_pred : forall x y p p',
(Z_to_nat x p <= Z_to_nat y p')%nat <-> x <= y.
Proof.
intros.
split; intros.
- dependent destruction x;
dependent destruction y; try easy; try omega.
Which leads me to the following goal:
p : positive
p0 : 0 <= Z.pos p
p' : 0 <= 0
H : (Z_to_nat (Z.pos p) p0 <= Z_to_nat 0 p')%nat
______________________________________(1/1)
Z.pos p <= 0
Could I here, for example, solve the goal by deriving contradiction from H, as Z.pos p cannot be <= 0? I can't really do much with the Z_to_nat definition.
here are several remarks that are related to your question:
In Coq when one defines functions using tactics and especially when we want to compute with, it is preferable to end the corresponding proof script with Defined., not Qed. (the notion at stake is "transparent definition" vs. "opaque definition", cf. the Coq ref man)
so if you replace Qed with Defined, the tactic simpl in H. will be applicable in your proof of Z_to_nat_pred
EDIT: another tactic that would have been useful in your goal is exfalso.
your function Z_to_nat is a partial function that takes a proof as argument. But in many practical cases, it is simpler to avoid dependent types, and just use a default value (making thus the function "total")
this latter strategy is already that of the two functions below that are available in the the standard library (that you have already imported with Require Import ZArith). These two functions can be viewed as two ways to define your function Z_to_nat in a non-dependently-typed way:
Print Z.abs_nat.
Z.abs_nat =
fun z : Z => match z with
| 0 => 0%nat
| Z.pos p => Pos.to_nat p
| Z.neg p => Pos.to_nat p
end
: Z -> nat
Print Z.to_nat.
Z.to_nat =
fun z : Z => match z with
| 0 => 0%nat
| Z.pos p => Pos.to_nat p
| Z.neg _ => 0%nat
end
: Z -> nat
Finally it appears that for each of these two functions, lemmas similar to yours are available in ZArith:
SearchAbout Z.abs_nat Z.le iff.
Zabs2Nat.inj_le: forall n m : Z, 0 <= n -> 0 <= m -> n <= m <-> (Z.abs_nat n <= Z.abs_nat m)%nat
Zabs2Nat.inj_lt: forall n m : Z, 0 <= n -> 0 <= m -> n < m <-> (Z.abs_nat n < Z.abs_nat m)%nat
SearchAbout Z.to_nat Z.le iff.
Z2Nat.inj_iff: forall n m : Z, 0 <= n -> 0 <= m -> Z.to_nat n = Z.to_nat m <-> n = m
Z2Nat.inj_le: forall n m : Z, 0 <= n -> 0 <= m -> n <= m <-> (Z.to_nat n <= Z.to_nat m)%nat
Z2Nat.inj_lt: forall n m : Z, 0 <= n -> 0 <= m -> n < m <-> (Z.to_nat n < Z.to_nat m)%nat
Best regards
I am working on a lemma that shows that the degree of a sum of monomials is always less or equal to n if the exponent of each monomial is less or equal to n.
lemma degree_poly_smaller:
fixes a :: "('a::comm_ring_1 poly)" and n::nat
shows "degree (∑x∷nat | x ≤ n . monom (coeff a x) x) ≤ n"
sorry
What I have to so far is the following (please mind that I am a beginner in Isabelle):
lemma degree_smaller:
fixes a :: "('a::comm_ring_1 poly)" and n::nat
shows "degree (∑x∷nat | x ≤ n . monom (coeff a x) x) ≤ n"
proof-
have th01: "⋀k. k ≤ n ⟹
degree (setsum (λ x . monom (coeff a x) k) {x∷nat. x ≤ n}) ≤ n"
by (metis degree_monom_le monom_setsum order_trans)
have min_lemma1: "k∈{x∷nat. x ≤ n} ⟹ k ≤ n" by simp
from this th01 have th02:
"⋀k. k∈{x∷nat. x ≤ n} ⟹
degree (setsum (λ x . monom (coeff a x) k) {x∷nat. x ≤ n}) ≤ n"
by (metis mem_Collect_eq)
have min_lemma2: "(SOME y . y ≤ n) ≤ n" by (metis (full_types) le0 some_eq_ex)
from this have th03:
"degree (∑x∷nat | x ≤ n . monom (coeff a x) (SOME y . y ≤ n)) ≤ n"
by (metis th01)
from min_lemma1 min_lemma2 have min_lemma3:
"(SOME y . y∈{x∷nat. x ≤ n}) ≤ n" by (metis (full_types) mem_Collect_eq some_eq_ex)
from this th01 th02 th03 have th04:
"degree (∑x∷nat | x ≤ n . monom (coeff a x) (SOME y . y∈{x∷nat. x ≤ n}) ) ≤ n"
by presburger
Here is the problem, I don't understand why the following lemma is not sufficient to finish the proof. In particular, I would expect the last part (where the sorry is) to be simple enough for sledgehammer to find a proof:
from this th01 th02 th03 th04 have th05:
"degree
(setsum (λ i . monom (coeff a i) (SOME y . y∈{x∷nat. x ≤ n})) {x∷nat. x ≤ n})
≤ n"
by linarith
(* how can I prove this last step ? *)
from this have
"degree (setsum (λ i . monom (coeff a i) i) {x∷nat. x ≤ n}) ≤ n" sorry
from this show ?thesis by auto
qed
.
SOLUTION from Brian Huffman's excellent answer:
.
lemma degree_setsum_smaller:
"finite A ⟹ ∀x∈A. degree (f x) ≤ n ⟹ degree (∑x∈A. f x) ≤ n"
apply(induct rule: finite_induct)
apply(auto)
by (metis degree_add_le)
lemma finiteSetSmallerThanNumber:
"finite {x∷nat. x ≤ n}"
by (metis finite_Collect_le_nat)
lemma degree_smaller:
fixes a :: "('a::comm_ring_1 poly)" and n::nat
shows "degree (∑x∷nat | x ≤ n . monom (coeff a x) x) ≤ n"
apply (rule degree_setsum_smaller)
apply(simp add: finiteSetSmallerThanNumber)
by (metis degree_0 degree_monom_eq le0 mem_Collect_eq monom_eq_0_iff) (* from sledgehammer *)
The last step does not follow from your th05. The problem is that you seem to want to unify (SOME y. y∈{x∷nat. x ≤ n}) with the bound variable i. However, in HOL (SOME y. y∈{x∷nat. x ≤ n}) has a single value that depends only on n and not on i. Furthermore, you don't get to choose the value; a theorem using SOME is not the same as a theorem with a universally quantified variable.
My advice is to avoid using SOME altogether, and instead try to prove a generalization of your theorem first:
lemma degree_setsum_smaller:
"finite A ⟹ ∀x∈A. degree (f x) ≤ n ⟹ degree (∑x∈A. f x) ≤ n"
You should be able to prove degree_setsum_smaller by induction over A (use induct rule: finite_induct), and then use it to prove degree_poly_smaller. Lemma degree_add_le from the polynomial library should be useful.
It is generally considered bad style to use auto as anything other than the last method in an apply script, because such proofs tend to be quite fragile. I would eliminate the "finiteSetSmallerThanNumber" lemma completely, it is a needlessly specific special case of Collect_le_nat. Also, camel case names for theorems are usually not used in Isabelle.
At any rate, this is my suggestion of how to make the proofs nicer:
lemma degree_setsum_smaller:
"finite A ⟹ ∀x∈A. degree (f x) ≤ n ⟹ degree (∑x∈A. f x) ≤ n"
by (induct rule: finite_induct, simp_all add: degree_add_le)
lemma degree_smaller:
fixes a :: "('a::comm_ring_1 poly)" and n::nat
shows "degree (∑x∷nat | x ≤ n . monom (coeff a x) x) ≤ n"
proof (rule degree_setsum_smaller)
show "finite {x. x ≤ n}" using finite_Collect_le_nat .
{
fix x assume "x ≤ n"
hence "degree (monom (coeff a x) x) ≤ n"
by (cases "coeff a x = 0", simp_all add: degree_monom_eq)
}
thus "∀x∈{x. x≤ n}. degree (monom (coeff a x) x) ≤ n" by simp
qed
I have the following goal:
∀x ∈ {0,1,2,3,4,5}. P x
I want to break this goal down into the six subgoals P 0, P 1, P 2, P 3, P 4 and P 5. This is easily done by apply auto. But what is the relevant rule that auto is using to do this? I ask because my actual goal looks more like this:
∀x ∈ {0..<6}. P x
and apply auto doesn't break that goal down in the same way (it gives me
⋀x. 0 ≤ x ⟹ x < 6 ⟹ P x
instead).
The rule that auto is using is ballI (bounded all introduction). This transforms ∀x ∈ S. P x into x ∈ S ==> P x.
The issue of transforming x ∈ {0,1,2,3,4,5} into 6 separate subgoals is a separate one. Basically, auto transforms the explicit enumeration into a disjunction and then splits that.
You could use a lemma such as the following to split out a single goal:
lemma expand_ballI: "⟦ (n :: nat) > 0; ∀x ∈ {0..< (n - 1)}. P x; P (n - 1) ⟧ ⟹ ∀x ∈ {0..< n}. P x"
by (induct n, auto simp: less_Suc_eq)
which could then be repeatedly applied to your rule as follows:
lemma "∀x ∈ {0..< 6 :: nat}. P x"
apply (rule expand_ballI, fastforce)+
apply simp_all
resulting in the goals split out as follows:
goal (6 subgoals):
1. P 0
2. P (Suc 0)
3. P 2
4. P 3
5. P 4
6. P 5
Using a [simp] lemma to transform sets into more convenient versions of the set is very convenient. E.g. {0..<6} = {0,1,2,3,4,5}