Quiz 2

Reveal solutions

Grading scheme

+1 for correct answers
-0.5 for incorrect answers

Binary search trees

We define trees as in the lab:

Inductive tree :=
| Leaf
| Node (d: nat) (l r: tree).

A tree tr is a binary search tree if there exists an indicator predicate s: nat -> Prop such that bst tr s holds (bst is as defined in the lab).

BST invariant

There are many ways to define the binary search tree invariant.

We say that a candidate definition is_bst is sound if all trees that satisfy is_bst are binary search trees:

Definition sound (is_bst: tree -> Prop) :=
  forall tr, is_bst tr -> exists s, bst tr s.

We say that a definition is_bst is complete if all binary search trees satisfy is_bst:

Definition complete (is_bst: tree -> Prop) :=
  forall tr, (exists s, bst tr s) -> is_bst tr.

For each of the following definitions, indicate whether it is sound and whether it is complete.

Constants

Consider the following definition:

Definition is_bst_yes (tr: tree) :=
  True.

Consider the following definition:

Definition is_bst_no (tr: tree) :=
  False.

Fixpoints

Consider the following definition:

Fixpoint is_bst_fx (tr: tree) :=
  match tr with
  | Leaf | Node _ Leaf Leaf => True
  | Node d Leaf r =>
      match r with Leaf => True | Node dr _ _ => d < dr end
      /\ is_bst_fx r
  | Node d l Leaf =>
      match l with Leaf => True | Node dl _ _ => dl < d end
      /\ is_bst_fx l
  | Node d l r =>
      match r with Leaf => True | Node dr _ _ => d < dr end
      /\ match l with Leaf => True | Node dl _ _ => dl < d end
      /\ is_bst_fx l /\ is_bst_fx r
  end.

Exercise: Fixpoint completeness

Is is_bst_fx complete?

Yes

Proof

Goal complete is_bst_fx.complete is_bst_fx
Proof.complete is_bst_fx
  unfold complete; induction tr; intros [s Ht].s: nat -> Prop
Ht: bst Leaf s
is_bst_fx Leaf
d: nat
tr1, tr2: tree
IHtr1: (exists s : nat -> Prop, bst tr1 s) -> is_bst_fx tr1
IHtr2: (exists s : nat -> Prop, bst tr2 s) -> is_bst_fx tr2
s: nat -> Prop
Ht: bst (Node d tr1 tr2) s
is_bst_fx (Node d tr1 tr2)
  -s: nat -> Prop
Ht: bst Leaf s
is_bst_fx Leaf reflexivity.
  -d: nat
tr1, tr2: tree
IHtr1: (exists s : nat -> Prop, bst tr1 s) -> is_bst_fx tr1
IHtr2: (exists s : nat -> Prop, bst tr2 s) -> is_bst_fx tr2
s: nat -> Prop
Ht: bst (Node d tr1 tr2) s
is_bst_fx (Node d tr1 tr2) simpl in *.d: nat
tr1, tr2: tree
IHtr1: (exists s : nat -> Prop, bst tr1 s) -> is_bst_fx tr1
IHtr2: (exists s : nat -> Prop, bst tr2 s) -> is_bst_fx tr2
s: nat -> Prop
Ht: s d /\
bst tr1 (fun x : nat => s x /\ x < d) /\
bst tr2 (fun x : nat => s x /\ d < x)
match tr1 with
| Leaf =>
    match tr2 with
    | Leaf => True
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\ is_bst_fx tr2
    end
| Node _ _ _ =>
    match tr2 with
    | Leaf =>
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1 /\ is_bst_fx tr2
    end
end
    destruct Ht as (Hd & H1 & H2).d: nat
tr1, tr2: tree
IHtr1: (exists s : nat -> Prop, bst tr1 s) -> is_bst_fx tr1
IHtr2: (exists s : nat -> Prop, bst tr2 s) -> is_bst_fx tr2
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
match tr1 with
| Leaf =>
    match tr2 with
    | Leaf => True
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\ is_bst_fx tr2
    end
| Node _ _ _ =>
    match tr2 with
    | Leaf =>
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1 /\ is_bst_fx tr2
    end
end
    specialize (IHtr1 ltac:(eauto)).d: nat
tr1, tr2: tree
IHtr1: is_bst_fx tr1
IHtr2: (exists s : nat -> Prop, bst tr2 s) -> is_bst_fx tr2
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
match tr1 with
| Leaf =>
    match tr2 with
    | Leaf => True
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\ is_bst_fx tr2
    end
| Node _ _ _ =>
    match tr2 with
    | Leaf =>
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1 /\ is_bst_fx tr2
    end
end
    specialize (IHtr2 ltac:(eauto)).d: nat
tr1, tr2: tree
IHtr1: is_bst_fx tr1
IHtr2: is_bst_fx tr2
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
match tr1 with
| Leaf =>
    match tr2 with
    | Leaf => True
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\ is_bst_fx tr2
    end
| Node _ _ _ =>
    match tr2 with
    | Leaf =>
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1
    | Node _ _ _ =>
        match tr2 with
        | Leaf => True
        | Node dr _ _ => d < dr
        end /\
        match tr1 with
        | Leaf => True
        | Node dl _ _ => dl < d
        end /\ is_bst_fx tr1 /\ is_bst_fx tr2
    end
end
    destruct tr1, tr2; simpl in *; intuition.
Qed.

Inductives

Consider the following definition:

Inductive is_bst_ind' : forall (tr: tree) (s: nat -> Prop), Prop :=
| is_bst_ind_Leaf s
    (Hs: forall x, s x <-> False):
  is_bst_ind' Leaf s
| is_bst_ind_Node d l r sl sr s
    (Hl: is_bst_ind' l sl)
    (Hr: is_bst_ind' r sr)
    (Hlt: forall xl, sl xl -> xl < d)
    (Hgt: forall xr, sr xr -> d < xr)
    (Hs: forall x, s x <-> x = d \/ sl x \/ sr x):
  is_bst_ind' (Node d l r) s.

Definition is_bst_ind (tr: tree) :=
  exists s, is_bst_ind' tr s.

Exercise: Inductive soundness

Is is_bst_ind sound?

Yes

Proof

Lemma bst_iff :
  forall tr s1 s2,
    (forall x, s1 x <-> s2 x) ->
    (bst tr s1 <-> bst tr s2).forall (tr : tree) (s1 s2 : nat -> Prop),
(forall x : nat, s1 x <-> s2 x) ->
bst tr s1 <-> bst tr s2
Proof.forall (tr : tree) (s1 s2 : nat -> Prop),
(forall x : nat, s1 x <-> s2 x) ->
bst tr s1 <-> bst tr s2
  induction tr; simpl; intros s1 s2 Ht.s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
(forall x : nat, ~ s1 x) <-> (forall x : nat, ~ s2 x)
d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
s1 d /\
bst tr1 (fun x : nat => s1 x /\ x < d) /\
bst tr2 (fun x : nat => s1 x /\ d < x) <->
s2 d /\
bst tr1 (fun x : nat => s2 x /\ x < d) /\
bst tr2 (fun x : nat => s2 x /\ d < x)
  -s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
(forall x : nat, ~ s1 x) <-> (forall x : nat, ~ s2 x) firstorder.
  -d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
s1 d /\
bst tr1 (fun x : nat => s1 x /\ x < d) /\
bst tr2 (fun x : nat => s1 x /\ d < x) <->
s2 d /\
bst tr1 (fun x : nat => s2 x /\ x < d) /\
bst tr2 (fun x : nat => s2 x /\ d < x) rewrite Ht, IHtr1, IHtr2.d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
s2 d /\ bst tr1 ?Goal /\ bst tr2 ?Goal2 <->
s2 d /\
bst tr1 (fun x : nat => s2 x /\ x < d) /\
bst tr2 (fun x : nat => s2 x /\ d < x)
d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
forall x : nat, s1 x /\ d < x <-> ?Goal2 x
d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
forall x : nat, s1 x /\ x < d <-> ?Goal x
    reflexivity.d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
forall x : nat,
s1 x /\ d < x <-> (fun x0 : nat => s2 x0 /\ d < x0) x
d: nat
tr1, tr2: tree
IHtr1: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr1 s1 <-> bst tr1 s2
IHtr2: forall s1 s2 : nat -> Prop,
(forall x : nat, s1 x <-> s2 x) ->
bst tr2 s1 <-> bst tr2 s2
s1, s2: nat -> Prop
Ht: forall x : nat, s1 x <-> s2 x
forall x : nat,
s1 x /\ x < d <-> (fun x0 : nat => s2 x0 /\ x0 < d) x
    all: simpl; intros; rewrite Ht; reflexivity.
Qed.

Lemma is_bst_ind'_sound tr s:
  is_bst_ind' tr s ->
  bst tr s.tr: tree
s: nat -> Prop
is_bst_ind' tr s -> bst tr s
Proof.tr: tree
s: nat -> Prop
is_bst_ind' tr s -> bst tr s
  induction 1; simpl.s: nat -> Prop
Hs: forall x : nat, s x <-> False
forall x : nat, ~ s x
d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
s d /\
bst l (fun x : nat => s x /\ x < d) /\
bst r (fun x : nat => s x /\ d < x)
  -s: nat -> Prop
Hs: forall x : nat, s x <-> False
forall x : nat, ~ s x firstorder.
  -d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
s d /\
bst l (fun x : nat => s x /\ x < d) /\
bst r (fun x : nat => s x /\ d < x) rewrite (bst_iff l), (bst_iff r), Hs.d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
(d = d \/ sl d \/ sr d) /\ bst l ?Goal /\ bst r ?Goal1
d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
forall x : nat, s x /\ d < x <-> ?Goal1 x
d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
forall x : nat, s x /\ x < d <-> ?Goal x
    +d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
(d = d \/ sl d \/ sr d) /\ bst l ?Goal /\ bst r ?Goal1 intuition eauto.
    +d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
forall x : nat, s x /\ d < x <-> sr x firstorder lia.
    +d: nat
l, r: tree
sl, sr, s: nat -> Prop
H: is_bst_ind' l sl
H0: is_bst_ind' r sr
Hlt: forall xl : nat, sl xl -> xl < d
Hgt: forall xr : nat, sr xr -> d < xr
Hs: forall x : nat, s x <-> x = d \/ sl x \/ sr x
IHis_bst_ind'1: bst l sl
IHis_bst_ind'2: bst r sr
forall x : nat, s x /\ x < d <-> sl x firstorder lia.
Qed.

Goal sound is_bst_ind.sound is_bst_ind
Proof.sound is_bst_ind
  intros tr [s Hs%is_bst_ind'_sound]; eauto.
Qed.

Exercise: Inductive completeness

Is is_bst_ind complete?

Yes

Proof

Lemma is_bst_ind'_complete tr: forall s,
    bst tr s ->
    is_bst_ind' tr s.tr: tree
forall s : nat -> Prop, bst tr s -> is_bst_ind' tr s
Proof.tr: tree
forall s : nat -> Prop, bst tr s -> is_bst_ind' tr s
  induction tr; simpl.forall s : nat -> Prop,
(forall x : nat, ~ s x) -> is_bst_ind' Leaf s
d: nat
tr1, tr2: tree
IHtr1: forall s : nat -> Prop, bst tr1 s -> is_bst_ind' tr1 s
IHtr2: forall s : nat -> Prop, bst tr2 s -> is_bst_ind' tr2 s
forall s : nat -> Prop,
s d /\
bst tr1 (fun x : nat => s x /\ x < d) /\
bst tr2 (fun x : nat => s x /\ d < x) ->
is_bst_ind' (Node d tr1 tr2) s
  -forall s : nat -> Prop,
(forall x : nat, ~ s x) -> is_bst_ind' Leaf s econstructor; firstorder.
  -d: nat
tr1, tr2: tree
IHtr1: forall s : nat -> Prop, bst tr1 s -> is_bst_ind' tr1 s
IHtr2: forall s : nat -> Prop, bst tr2 s -> is_bst_ind' tr2 s
forall s : nat -> Prop,
s d /\
bst tr1 (fun x : nat => s x /\ x < d) /\
bst tr2 (fun x : nat => s x /\ d < x) ->
is_bst_ind' (Node d tr1 tr2) s intros s (Hd & H1 & H2).d: nat
tr1, tr2: tree
IHtr1: forall s : nat -> Prop, bst tr1 s -> is_bst_ind' tr1 s
IHtr2: forall s : nat -> Prop, bst tr2 s -> is_bst_ind' tr2 s
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
is_bst_ind' (Node d tr1 tr2) s
    econstructor; eauto; simpl; try lia.d: nat
tr1, tr2: tree
IHtr1: forall s : nat -> Prop, bst tr1 s -> is_bst_ind' tr1 s
IHtr2: forall s : nat -> Prop, bst tr2 s -> is_bst_ind' tr2 s
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
forall x : nat,
s x <-> x = d \/ s x /\ x < d \/ s x /\ d < x
    intros x; assert (x = d \/ x < d \/ d < x) by lia.d: nat
tr1, tr2: tree
IHtr1: forall s : nat -> Prop, bst tr1 s -> is_bst_ind' tr1 s
IHtr2: forall s : nat -> Prop, bst tr2 s -> is_bst_ind' tr2 s
s: nat -> Prop
Hd: s d
H1: bst tr1 (fun x : nat => s x /\ x < d)
H2: bst tr2 (fun x : nat => s x /\ d < x)
x: nat
H: x = d \/ x < d \/ d < x
s x <-> x = d \/ s x /\ x < d \/ s x /\ d < x
    intuition (subst; eauto).
Qed.

Goal complete is_bst_ind.complete is_bst_ind
Proof.complete is_bst_ind
  intros tr [s Hs%is_bst_ind'_complete]; red; eauto.
Qed.

BST operations

Consider the following operation defined on trees:

Fixpoint member (a: nat) (tr: tree) : bool :=
  match tr with
  | Leaf => false
  | Node v l r =>
      match a ?= v with
      | Lt => member a l
      | Gt => member a r
      | Eq => true
      end
  end.

For each of the following trees, indicate whether member 4 returns the correct result (i.e., returns true when 4 is in the tree, and false when 4 is not in the tree):

Exercise: tree1

Definition tree1 :=
  Node 3 (Node 4 Leaf Leaf)
    (Node 5 (Node 2 Leaf Leaf) Leaf).

Does member 4 tree1 return the right result?

Yes

Proof

Goal member 4 tree1 = false.member 4 tree1 = false Proof.member 4 tree1 = false reflexivity. Qed.

Exercise: tree2

Definition tree2 :=
  Node 3 (Node 4 Leaf Leaf)
    (Node 2 Leaf (Node 4 Leaf Leaf)).

Does member 4 tree2 return the right result?

Yes

Proof

Goal member 4 tree2 = true.member 4 tree2 = true Proof.member 4 tree2 = true reflexivity. Qed.

Exercise: tree3

Definition tree3 :=
  Node 3 Leaf (Node 5 Leaf Leaf).

Does member 4 tree3 return the right result?

Yes

Proof

Goal member 4 tree3 = false.member 4 tree3 = false Proof.member 4 tree3 = false reflexivity. Qed.

Systems and
Formalisms Lab

Quiz 2

Grading scheme

Binary search trees

BST examples

BST invariant

Constants

Fixpoints

Inductives

BST operations