theorem-proving - 不同的 "sorted"谓词在 Dafny 中应该是等效的

Question

根据Automating Induction with an SMT Solver以下应该适用于 Dafny:

ghost method AdjacentImpliesTransitive(s: seq<int>)
requires ∀ i • 1 ≤ i < |s| ==> s[i-1] ≤ s[i];
ensures ∀ i,j {:induction j} • 0 ≤ i < j < |s| ==> s[i] ≤ s[j];
{ }

但是 Dafny 拒绝了它(至少在我的桌面和 Dafny 在线中)。也许有些事情发生了变化。

问题:

问题1。为什么？

Q2.是否真的需要对 j 或 i 和 j 进行归纳？我认为对 seq 长度的归纳应该足够了。

无论如何，我对以下内容更感兴趣:我想通过手动归纳来证明这一点，以供学习。在纸面上，我认为对 seq 长度的归纳就足够了。现在我正在尝试在 Dafny 上执行此操作:

lemma {:induction false} AdjacentImpliesTransitive(s: seq<int>)
   ensures forall i :: 0 <= i <= |s|-2 ==> s[i] <= s[i+1] ==> forall l, r :: 0 <= l < r <= |s|-1 ==> s[l] <= s[r]
   decreases s
{
   if |s| == 0
   { 
     //explicit calc proof, not neccesary
     calc {
        (forall i :: 0 <= i <= 0-2 ==> s[i] <= s[i+1]) ==> (forall l, r :: 0 <= l < r <= 0-1 ==> s[l] <= s[r]);
     ==
        (forall i :: false ==> s[i] <= s[i+1])  ==>  (forall l, r :: false ==> s[l] <= s[r]);
     ==
        true ==> true;
     == 
        true;
     }
   } 
   else if |s| == 1
   { 
     //trivial for dafny
   }  
   else {

     AdjacentImpliesTransitive(s[..|s|-1]);
     assert (forall i :: 0 <= i <= |s|-3 ==> s[i] <= s[i+1]) ==> (forall l, r :: 0 <= l < r <= |s|-2 ==> s[l] <= s[r]);
    //What??

   }
}

我陷入了最后一个案例。我不知道如何将计算证明风格(如基本情况中的证明风格)与归纳炒作结合起来。

也许这就是棘手的含义。在纸面上(“非正式”证明)，当我们需要通过归纳法证明蕴涵 p(n) ==> q(n) 时，我们有这样的东西:

Hyp:p(k-1) ==> q(k-1)

Tesis:p(k) ==> q(k)

但这证明了:

(p(k-1) ==> q(k-1) && p(k)) ==> q(k)

Q3.我的方法有意义吗？我们如何在 dafny 中进行这种归纳？

Answer 1

我不知道Q1和Q2的答案。但是，如果您添加 assert s[|s|-2] <= s[|s|-1]，您的归纳证明就会通过。在归纳案例中(您不需要其他断言)。这是完整的证明:

lemma {:induction false} AdjacentImpliesTransitive(s: seq<int>)
   requires forall i :: 0 <= i <= |s|-2 ==> s[i] <= s[i+1]
   ensures forall l, r :: 0 <= l < r <= |s|-1 ==> s[l] <= s[r]
   decreases s
{
   if |s| == 0
   { 
     //explicit calc proof, not neccesary
     calc {
        (forall i :: 0 <= i <= 0-2 ==> s[i] <= s[i+1]) ==> (forall l, r :: 0 <= l < r <= 0-1 ==> s[l] <= s[r]);
     ==
        (forall i :: false ==> s[i] <= s[i+1])  ==>  (forall l, r :: false ==> s[l] <= s[r]);
     ==
        true ==> true;
     == 
        true;
     }
   } 
   else if |s| == 1
   { 
     //trivial for dafny
   }  
   else {

     AdjacentImpliesTransitive(s[..|s|-1]);
     assert s[|s|-2] <= s[|s|-1];

   }
}

出于某种原因，我不得不将您的 ensures 分开条款进入 requires和ensures条款。否则，达夫尼提示undeclared identifier: _t#0#0 。我不知道这意味着什么。

而且，如果有趣的话，这里有一个更短的证明:

lemma AdjacentImpliesTransitive(s: seq<int>)
requires forall i | 1 <= i < |s| :: s[i-1] <= s[i]
ensures forall i,j | 0 <= i < j < |s| :: s[i] <= s[j]
decreases s
{
  if |s| < 2
  {
    assert forall i,j | 0 <= i < j < |s| :: s[i] <= s[j];
  } else {
    AdjacentImpliesTransitive(s[..|s|-1]);
    assert s[|s|-2] <= s[|s|-1];
  }
}