# Discovering Defining Equations for List Functions

In this tutorial, we will look at how test-driven development can be used to discover defining equations for list functions. We will start with a simple function, `sumlist`, which returns the sum of the elements in a list.  Let's start with some obvious unit tests:

    (sumlist '(1 2 3 4 5)) = 15
    (sumlist '(2 4 6 8))   = 20

Recall our approach when using TDD to discover defining equations for funtions over the natural numbers. The idea is to start with the unit tests for a fixed input and its "next smaller" input. So what is the next smaller input for lists?

It turns out that that there are many smaller lists. For example, the list =`'(1 2 3 4 5)` can be broken down in several ways:

    `(1 2 3 4 5) = `(1 2 3 4) & 5
    `(1 2 3 4 5) = 1 & `(2 3 4 5)
    `(1 2 3 4 5) = `(1 2 3) & '(4 5)
    `(1 2 3 4 5) = `(1 3 5) & '(2 4)

Which is the right "next smaller"? It's largely a matter of convenience, but since `first` and `rest` are built-in functions that directly support the second split, this is the one to start with! Notice that is the only reason to prefer the second split over the first.

> The last two splits are interesting, and even have names. The first two splits yield a single element and a list that is almost as big as the first one. This is similar to a for loop: Do something to the first element, then loop again to do it to the remaining elements. But splitting the list in half is a good strategy for designing parallel algorithms, because each half can be processed separately, e.g., in different cores. In fact, the third split is often used in merge sort implementations, and both the third and fourth are used (together) in implementations of the Fast Fourier Transform (FFT), which is used extensively in image processing and signal processing.

We have these unit tests, but none of them are the result of splitting up one of the other unit cases:

    (sumlist '(1 2 3 4 5)) = 15
    (sumlist '(2 4 6 8))   = 20

So let's add some more unit tests based on our "first+rest" split.

    (sumlist '(1 2 3 4 5)) = 15
    (sumlist '(2 3 4 5))   = 14
    (sumlist '(2 4 6 8))   = 20
    (sumlist '(4 6 8))     = 18

This is an important step, so let's capture our unit tests in the TDD Way:

In [1]:
(defsnapshot sumlist-definition)

(definec sumlist (l :nat-list) :nat
  (declare (ignorable l))
  0)

(check-expect (sumlist '(1 2 3 4 5)) 15)
(check-expect (sumlist '(2 3 4 5))   14)
(check-expect (sumlist '(2 4 6 8))   20)
(check-expect (sumlist '(4 6 8))     18)

ACL2S !>>(DEFSNAPSHOT SUMLIST-DEFINITION)

Summary
Form:  ( DEFLABEL SUMLIST-DEFINITION ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 SUMLIST-DEFINITION
ACL2S !>>(DEFINEC SUMLIST (L NAT-LIST)
                  NAT (DECLARE (IGNORABLE L))
                  0)

Form:  ( TEST-DEFINITION SUMLIST ... )
Form:  ( TEST-BODY-CONTRACTS SUMLIST... ) 
Form:  ( TEST-FUNCTION-CONTRACT SUMLIST ...) 
Testing: Done 
Elapsed Run Time: 0.12 seconds
Form:  ( ADMIT-DEFINITION SUMLIST ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT SUMLIST ... )
Time:  0.09 seconds (prove: 0.03, print: 0.00, other: 0.06)
Form:  ( PROVE-BODY-CONTRACTS SUMLIST ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.16 seconds
Function Name : SUMLIST 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts proven ----- [*]
 T
ACL2S !>>(CHECK-EXPECT (SUMLIST '(1 2 3 4 5)) 15)

Error in CHECK-E

As before we scrutinize related test cases to see how we can get from the result of the "next smaller" problem to the result of the bigger one. In this case, it is not too hard to see that

    (sumlist '(1 2 3 4 5)) = 1 + (sumlist '(2 3 4 5))
    (sumlist '(2 4 6 8))   = 2 + (sumlist '(4 6 8))

This immediately suggests this defining equation:

    (sumlist l) = (+ (first l) (sumlist (rest l)))

Of course, this is not a complete definition, since it uses `first` and `rest`, so it can't be used when `l` is anything other than a non-empty list. That's easy enough to fix, and it's the same solution we used on natural numbers:

    (sumlist l) = 0,                  if l=NIL or anything other than a non-empty list
    (sumlist l) = (+ (first l) 
                     (sumlist (rest l))),    otherwise

We can write this in ACL2 as follows, where we've chosen to use `endp` to check for the empty list:

In [2]:
(defsnapshot sumlist-definition)

(definec sumlist (l :nat-list) :nat
  (if (endp l)
      0
      (+ (first l)
         (sumlist (rest l)))))

(check-expect (sumlist '(1 2 3 4 5)) 15)
(check-expect (sumlist '(2 3 4 5))   14)
(check-expect (sumlist '(2 4 6 8))   20)
(check-expect (sumlist '(4 6 8))     18)

ACL2S !>>(DEFSNAPSHOT SUMLIST-DEFINITION)
          21:x(DEFLABEL FROM-THE-TOP)

Summary
Form:  ( DEFLABEL SUMLIST-DEFINITION ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 SUMLIST-DEFINITION
ACL2S !>>(DEFINEC SUMLIST (L NAT-LIST)
                  NAT
                  (IF (ENDP L)
                      0 (+ (FIRST L) (SUMLIST (REST L)))))

Form:  ( TEST-DEFINITION SUMLIST ... )
Form:  ( TEST-BODY-CONTRACTS SUMLIST... ) 
Form:  ( TEST-FUNCTION-CONTRACT SUMLIST ...) 
Testing: Done 
Elapsed Run Time: 0.63 seconds
Form:  ( ADMIT-DEFINITION SUMLIST ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT SUMLIST ... )
Time:  0.13 seconds (prove: 0.06, print: 0.00, other: 0.06)
Form:  ( PROVE-BODY-CONTRACTS SUMLIST ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.21 seconds
Function Name : SUMLIST 
Termination proven -------- [*] 
Function Contract proven -- [*] 
Body Contracts prov

Success! All the tests passed, and we should feel confident that the program works as intended. Normally, we should follow up with testing, maybe even proving, properties. But this tutorial is more focused on discovering the defining equations for functions that process lists. So let's move on to another example.

Let's write a function that adds up all the **even** numbers in a list, ignoring all other numbers. Again, we can use TDD to understand more fully the function we mean to write:

    (sumevens '(1 2 3 4 5)) = 6
    (sumevens '(2 4 6 8))   = 20 

As before, we consider the next smaller lists, notice that there are no unit tests for those, and add them:

    (sumevens '(1 2 3 4 5)) = 6
    (sumevens '(2 3 4 5))   = 6
    (sumevens '(2 4 6 8))   = 20 
    (sumevens '(4 6 8))     = 18 

Again, we scrutinize related test cases to see how we can use the results from the next smaller list to find the answer for the bigger problem. We can see that

    (sumevens '(1 2 3 4 5)) = (sumevens '(2 3 4 5))
    (sumevens '(2 4 6 8))   = 2 + (sumevens '(4 6 8))

This is less straightforward than before, because the pattern is different in these two cases. With a little reflection, we see that the difference is because one list starts with a negative number, which is therefore ignored. So we can conjecture that the defining equations should look like this:

    (sumevens l) = (+ (first l)
                      (sumevens (rest l)),  if l is list starting with an even number
    (sumevens l) = (sumevens (rest l)),     if l is a non-empty list not starting 
                                                 with an even number

Of course, these do not form a complete set of defining equations, but we know how to deal with that. 


    (sumevens l) = 0,                         if l is not a non-empty list
    (sumevens l) = (+ (first l)
                      (sumevens (rest l)),    if l is list starting with an even 
                                                   number
    (sumevens l) = (sumevens (rest l)),       if l is a non-empty list not starting 
                                                   with an even number

So let's translate these to ACL2 (using the built-in function `evenp` to test whether a number is even or not):

In [3]:
(defsnapshot sumevens-definition)

(definec sumevens (l :nat-list) :nat
  (if (endp l)
      0
      (if (evenp (first l))
          (+ (first l)
             (sumevens (rest l)))
          (sumevens (rest l)))))

(check-expect (sumevens '(1 2 3 4 5)) 6)
(check-expect (sumevens '(2 3 4 5))   6)
(check-expect (sumevens '(2 4 6 8))   20)
(check-expect (sumevens '(4 6 8))     18)

ACL2S !>>(DEFSNAPSHOT SUMEVENS-DEFINITION)

Summary
Form:  ( DEFLABEL SUMEVENS-DEFINITION ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 SUMEVENS-DEFINITION
ACL2S !>>(DEFINEC SUMEVENS (L NAT-LIST)
                  NAT
                  (IF (ENDP L)
                      0
                      (IF (EVENP (FIRST L))
                          (+ (FIRST L) (SUMEVENS (REST L)))
                          (SUMEVENS (REST L)))))

Form:  ( TEST-DEFINITION SUMEVENS ... )
Form:  ( TEST-BODY-CONTRACTS SUMEVENS... ) 
Form:  ( TEST-FUNCTION-CONTRACT SUMEVENS ...) 
Testing: Done 
Elapsed Run Time: 0.98 seconds
Form:  ( ADMIT-DEFINITION SUMEVENS ... )
Time:  0.01 seconds (prove: 0.00, print: 0.00, other: 0.01)
Form:  ( PROVE-FUNCTION-CONTRACT SUMEVENS ... )
Time:  0.15 seconds (prove: 0.08, print: 0.00, other: 0.07)
Form:  ( PROVE-BODY-CONTRACTS SUMEVENS ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.54 seconds
Function Name : SUME

Another success! The defining equations we found really did lead to a correct definition. Before moving on to another example, take a moment to reflect on this fact. We had three defining equations, so we needed two if statements, in order to cover all three cases. This holds true in general: $n$ defining equations lead to $n-1$ if statements. So be sure to cover all cases when you define your own functions!

Next, let's a write a function that returns a list. The input is a list of numbers, and the output is a similar list but with all negative numbers replaced by a `-` sign. Here are some unit tests to help us understand the function:

    (stripnegs '(1 2 3 4 5)) = '(1 2 3 4 5)
    (stripnegs '(-2 -4 -6))  = '(- - -)
    (stripnegs '(1 2 -3 4))  = '(1 2 - 4)

Again, we augment the unit tests to include the next smaller lists:

    (stripnegs '(1 2 3 4 5)) = '(1 2 3 4 5)
    (stripnegs '(2 3 4 5))   = '(2 3 4 5)
    (stripnegs '(-2 -4 -6))  = '(- - -)
    (stripnegs '(-4 -6))     = '(- -)
    (stripnegs '(1 2 -3 4))  = '(1 2 - 4)
    (stripnegs '(2 -3 4))    = '(2 - 4)

This looks similar to `sumposlist`, in that the pattern isn't the same: We will need to choose depending on the first element of the list. The big difference, though, is that this function returns a list, not a number. So we have to refresh the list primitives available in ACL2. In particular, we have to remember precisely how to create lists. The `cons` built-in function is made for this, and here are some examples from a previous tutorial:

    (CONS 1 NIL)             = '(1)
    (CONS 1 (LIST 2 3 4))    = '(1 2 3 4)
    (CONS 1 '(2 3 4))        = '(1 2 3 4)

Using `cons`, we can write the defining equations

    (stripnegs l) = NIL,                           if l is not a non-empty list
    (stripnegs l) = (cons '-
                          (stripnegs (rest l)),    if l is list starting with a 
                                                      negative number
    (stripnegs l) = (cons (first l)
                          (stripnegs (rest l)),    if l is list not starting with a
                                                      negative number

And that we can convert to ACL2 as follows:

In [5]:
(defsnapshot stripnegs-definition)

(defdata nat-or-dash-list
         (listof (oneof :nat '-)))

(definec stripnegs (l :integer-list) :nat-or-dash-list
  (if (endp l)
      NIL
      (if (< (first l) 0)
          (cons '-
                (stripnegs (rest l)))
          (cons (first l)
                (stripnegs (rest l))))))

(check-expect (stripnegs '(1 2 3 4 5)) '(1 2 3 4 5))
(check-expect (stripnegs '(2 3 4 5))   '(2 3 4 5))
(check-expect (stripnegs '(-2 -4 -6))  '(- - -))
(check-expect (stripnegs '(-4 -6))     '(- -))
(check-expect (stripnegs '(1 2 -3 4))  '(1 2 - 4))
(check-expect (stripnegs '(2 -3 4))    '(2 - 4))

ACL2S !>>(DEFSNAPSHOT STRIPNEGS-DEFINITION)
   d      25:x(DEFINEC SUMEVENS (L NAT-LIST) ...)

Summary
Form:  ( DEFLABEL STRIPNEGS-DEFINITION ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 STRIPNEGS-DEFINITION
ACL2S !>>(DEFDATA NAT-OR-DASH-LIST
                  (LISTOF (ONEOF NAT '-)))
 Predicate events...
Form:  ( DEFUN NAT-OR-DASH-LISTP ...)
Form:  ( IN-THEORY (DISABLE* ...))
Form:  ( IN-THEORY (ENABLE ...))
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Listof theory events...
Form:  ( DEFTHM NAT-OR-DASH-LISTP-IMPLIES-TLP ...)
Form:  ( TABLE ACL2::RULESET-TABLE ...)
Form:  ( MAKE-EVENT (LET* ...))
 Tau characterization events...
 (NAT-OR-DASH-LISTP ACL2::V1) => body -- not complete. 
Reasons: 
("Multiple sig terms i.e. (P1 (f x1 ...)) OR (P2 (f x1 ...))
 not allowed in conclusion of signature rule")

Form:  ( DEFTHM DEF=>NAT-OR-DASH-LIST ...)
Form:  ( DEFTHM NAT-OR-DASH-LIST=>DEF ...)
 Enumerator events...
Form:  ( DEFUN NTH-N

A couple of things are worth pointing out. First, this function expencts the input list to contain some negative numbers, so we use the built-in type `integer-list` instead of `nat-list`. Second, this function returns a list that contain either numbers or dashes. There is no built-in type for these lists, so we used `defdata` to define this type.

All tests passed, so again it's time to move to another example. Let's define the function `contains` that checks whether a list contains a given element. Here are some tests we can use:

    (contains 6 '(2 4 6 8 10))   = T
    (contains 5 '(2 4 6 8 10))   = NIL

By now, you should be familiar with the approach. We start by adding unit tests for the next smaller lists:

    (contains 6 '(2 4 6 8 10))   = T
    (contains 6 '(4 6 8 10))     = T
    (contains 5 '(2 4 6 8 10))   = NIL
    (contains 5 '(4 6 8 10))     = NIL

In this case, no pattern immediately reveals itself. It seems that 

    (contains 6 '(2 4 6 8 10))   = (contains 6 '(4 6 8 10)) = T
    (contains 5 '(2 4 6 8 10))   = (contains 5 '(4 6 8 10)) = NIL

But there's nothing that indicates why the first one is `T` and the second `NIL`. It appears that the initial test cases were too big, so we need to explore the next smaller lists more carefully. To do so, we add more unit tests:

    (contains 6 '(2 4 6 8 10))   = T
    (contains 6 '(4 6 8 10))     = T
    (contains 6 '(6 8 10))       = T
    (contains 5 '(2 4 6 8 10))   = NIL
    (contains 5 '(4 6 8 10))     = NIL
    (contains 5 '(6 8 10))       = NIL

That's better! Now we can see why the first case is returning `T`: The element is right at the front of the list, where we can easily check for it. That suggests this defining equation:

    (contains e l) = T,                     if e = (first l)
    (contains e l) = (contains e (rest l)), if e is a list starting with 
                                                something other than e

As before, these are not a complete set of defining equations, so we have to add a rule for things that are not non-empty lists. In these cases, it's obvious that `l` cannot contain `e` (or any other element). So the final defining equations are

    (contains e l) = NIL,                   if l is not a non-empty list
    (contains e l) = T,                     if e = (first l)
    (contains e l) = (contains e (rest l)), if e is a list starting with 
                                                something other than e

We can translate this to ACL2 as follows:

In [6]:
(defsnapshot contains-definition)

(definec contains (e :nat l :nat-list) :bool
  (if (endp l)
      NIL
      (if (equal e (first l))
          T
          (contains e (rest l)))))

(check-expect (contains 6 '(2 4 6 8 10))   T)
(check-expect (contains 6 '(4 6 8 10))     T)
(check-expect (contains 6 '(6 8 10))       T)
(check-expect (contains 5 '(2 4 6 8 10))   NIL)
(check-expect (contains 5 '(4 6 8 10))     NIL)
(check-expect (contains 5 '(6 8 10))       NIL)

ACL2S !>>(DEFSNAPSHOT CONTAINS-DEFINITION)

Summary
Form:  ( DEFLABEL CONTAINS-DEFINITION ...)
Rules: NIL
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
 CONTAINS-DEFINITION
ACL2S !>>(DEFINEC CONTAINS (E NAT L NAT-LIST)
                  BOOL
                  (IF (ENDP L)
                      NIL
                      (IF (EQUAL E (FIRST L))
                          T (CONTAINS E (REST L)))))

Form:  ( TEST-DEFINITION CONTAINS ... )
Form:  ( TEST-BODY-CONTRACTS CONTAINS... ) 
Form:  ( TEST-FUNCTION-CONTRACT CONTAINS ...) 
Testing: Done 
Elapsed Run Time: 0.62 seconds
Form:  ( ADMIT-DEFINITION CONTAINS ... )
Time:  0.02 seconds (prove: 0.00, print: 0.00, other: 0.02)
Form:  ( PROVE-FUNCTION-CONTRACT CONTAINS ... )
Time:  0.12 seconds (prove: 0.04, print: 0.00, other: 0.08)
Form:  ( PROVE-BODY-CONTRACTS CONTAINS ... )
Time:  0.00 seconds (prove: 0.00, print: 0.00, other: 0.00)
Elapsed Run Time: 0.21 seconds
Function Name : CONTAINS 
Termination proven -------- [*] 
Functi

Success! Now it's time for you to try it!

## Exercises

Many problems are similar to `sumlist`, in that the function goes through a list and creates a single value that summarizes it. These pattern of functions is called the **reduce** pattern. Here are some examples of reduce that you can implement:

* Find the product of all elements in a list
* Find the number of elements in a list (from first principles)
* Find the largest element of a list (more challenging)
* The input is a list of lists of numbers, and the output is a list that contains all the numbers in order, but in a single list (more challenging)

Another common pattern is the `map` pattern, where the function creates a list by transforming each element of the input list, like `stripnegs`. Here are some examples of the `map` pattern you can implement:

* Return a list whose elements are twice those of the input list
* Return a list whose elements are the absolute value of the elements on the input list
* The input is a list of lists of numbers, and the function returns a list of the lengths on the lists in the input list
* Hybrid map/reduce: Return the sum of the absolute value of the elements in a list

The last major pattern is `filter`, which returns a list of elements that pass some test. For example, you can implement these functions:

* Return a list that contains only the even elements of an input list
* Return a list that contains only the positive elements of an input list
