Instantiation and substitution ====================================================================== We continue the topic of proofs, which we gently started about a week ago. Today we will look at an extremely important tool used in constructing proofs. ====================================================================== Is the following valid? (*) ~((x /\ y) /\ (r \/ s)) = ~(x /\ y) \/ ~(r \/ s) We could build a truth table, but this formula has four variables ... not the best idea. Better: this is really an application of de Morgan: it has the structure (**) ~(p /\ q) = ~p \/ ~q ====================================================================== What does it mean for (**) to be a theorem? It means that (**) holds no matter what p and q are. Since (**) holds for any p, q, it also holds when p, q are uniformly replaced by some other expression. So for instance we can choose p = (x /\ y) and q = (r \/ s) in (**) which gives us (*). Is it obvious now that (*) holds? Yes. We say it is an _instance_ of de Morgan's laws. An instance of a law, rule, or theorem is obtained by _instantiating_ it: by replacing variables in it uniformly by arbitrary terms. ====================================================================== So (*) can be viewed as a new theorem! But it is not economical to store this as a new theorem in our database of theorems. Why not? Because there are infinitely many theorems that can be obtained from (**) by instantiating it, and these theorems are all essentially the same. ====================================================================== How do we avoid having to store all these as new theorems (which would be impossible anyway)? How does ACL2 do it? Answer: using the notion of _substitution_, which formalizes the idea of instantiating theorems. A substitution sigma is a list of pairs of the form: sigma = ((var_1 term_1) . . . (var_n term_n)) where the var_i are "target variables" and the term_i are their "replacements". The var_i must be pairwise distinct. The _application_ of sigma to a formula f uniformly replaces every variable occurrence of each var_i in the original formula f by term_i. Examples and non-examples of substitutions. For the "no" cases, make sure you understand why they aren't substitutions. - ((p x) (q y)) : yes - ((p x) (q x)) : yes - ((p T) (q T)) : yes A substitution example. In the following we write f|sigma for the result of applying sigma to f. (p \/ q) | ((p T) (q T)) = T \/ T This result is equivalent to T. However, the (syntactic) result of the substitution is T \/ T. Substitution is a purely syntactic matter. - ((p T) (p F)) : no ! why not? - ((T p) (q F)) : no ! why not? - ((T T) (q F)) : no ! harmless, but still not a substitution - ((p p) (q q)) : yes, same effect as the "empty substitution" sigma: For every f, f|sigma = f. - ((p q) (q q)) : yes, same efect as ((p q)) (p \/ q) | ((p q) (q q)) = (q \/ q) - ((p q) (q p) : yes! what does it do? it _swaps_ p and q. To understand this, go back to definition, and observe "original". (p \/ q) | ((p q) (q p)) = (q \/ p) The result is equivalent to the original, but that is not always the case. For example: (p => q) | ((p q) (q p)) = (q => p) , which is not equivalent. - ((p (+ p 2)) (q (list a b))) : yes. "Term" can be any well-formed expression, such as in prop'l or in ACL2 logic. ====================================================================== Examples of applications of substitutions. - f = ( (~(p /\ q) = ~p \/ ~q ) , sigma = ((p (x /\ y)) (q (r \/ s))) f|sigma = ? valid? yes This is the example from above, now formally using a substitution. - f = p /\ q , sigma from above f|sigma = ? valid? no! what happened? f is not valid, and f|sigma is not valid. That is expected. - f = p \/ q , sigma = ((q ~p)) f|sigma = ? valid? yes! what happened? f is not valid, but f|sigma is. Look at the last two cases. We usually apply substitutions only to (valid) theorems, in order to obtain new theorems. If f is not valid, a substitution may or may not make it valid. It creates a special case of a formula, which may turn out to be valid. But again, the intent is to create instances of (valid) theorems. ====================================================================== Tricky cases of substitutions. Make sure you try these first, without looking at the solution. By definition "substitution", the target variables have to be pairwise different. The replacements can contain the target variables arbitrarily. This can cause some confusion. - (y = x + 1) | ((x (x + 1))) (y = (x + 1) + 1 . A term can contain the variable it replaces. No infinite replacing is going on!! - (y = x + 1) | ((x (x + 1)) (y (y + 1))) ((y + 1) = (x + 1) + 1 - (< y (* a b)) | (a (+ x y)) = (< y (* (+ x y) b)) ACL2's prefix notation. Here is the same in infix: (y < a*b) | (a x+y) = (y < x+y*b) Is this intended?? This cannot happen in LISP syntax, where every function application comes with (). In infix notation, prevent such "abuses" of substitution by putting parentheses around the term: (y < a*b) | (a (x+y)) = (y < (x+y)*b) - (f y (* a b)) | (f (+ y x)) = (f y (* a b)) Substitutions only replace occurrences of _variables_ ! If the symbol var_i (such as f here) occurs in the formula as a non-variable (such as f here), it is not replaced. This can get trickier yet when there are both variable and non-variable occurrences of the same symbol: - (f y (* f b)) | (f (+ y x)) = (f y (* (+ y x) b)) Note that the first occurrence of f is left alone, the second is replaced. - (f f (f f (+ f (f f f)))) | (f g) = (f g (f g (+ g (f g g)))) The algorithm is: walk through the formula from left to right. Any non-symbol is kept unchanged. For every symbol, if it is used as a variable (and only then), check if there is a replacement for it, and if so apply. The example from above is much easier to read when written as follows: (f f (f f (+ f (f f f)))) | (f g) = (f g (f g (+ g (f g g)))) - (f y (* f b) 'f) | (f (+ y x)) = (f y (* (+ y x) b) 'f) Symbols under the scope of a quote are not variables, in that they cannot take on different values -- they are not evaluated. Therefore, substitutions do not apply to them.